by Misha Glenny
These hosts have also proved invaluable for people distributing spam email, as these operations require huge, secure capacity in order to spew forth their billions of dubious adverts and viruses. Nigerian 419 scams, counterfeit medicines, the now-fabled penis enlargers and many other products (real or imaginary) are dumped on the world from bulletproof hosts. Many spam messages conceal viruses or links to infected websites, which, if activated, may turn a computer into a single footsoldier in a botnet army.
As the Russian Business Network was booming in 2006 and 2007, Spamhaus, the secretive anti-spam operation in Cardiff, listed it as controlling 2,048 Internet addresses. It described the RBN as ‘among the world’s worst spammers’ and home to vast ‘child pornography, malware, phishing and cybercrime-hosting networks’.
The RBN’s primary significance lies in the profitability of such bulletproof hosting organisations, which are able to charge $600 or more a month. For legitimate websites, the cost would be one-tenth of this.
But its secondary role is, in many respects, the more interesting one. The attacks on Estonia began with millions of spam emails swooping down on the computer networks of the Estonian government. Subsequently François Paget, who works for the US computer-security giant McAfee, analysed the content of the spam to discover that they were identical to the standard RBN mailouts. Furthermore, Andy Auld, the head of cyber intelligence at Britain’s Serious Organised Crime Agency, reported that in their brief field-observation of the RBN in St Petersburg, British police were able to establish that the RBN could operate in part because it bribed local law enforcement and the judiciary.
It is possible that the RBN instigated the attacks on Estonia but highly unlikely. More probably it was either paid to launch them or the authorities leaned on them to participate in this act of patriotism. This connection between a complex of St Petersburg-based Internet Service Providers that specialised in criminal activity and the cyber attack on Estonia highlights one of the greatest conundrums at the heart of computer crime and computer security.
There are three main ‘threats’ on the Internet, each manifesting itself in a variety of guises. First, there is cybercrime. In its most basic form, cybercrime consists of ‘carding’, the theft and cloning of credit-card data for financial gain. Beyond carding, there are all manner of other scams. One of the most lucrative, for example, is called ‘scareware’, which was perfected by a Ukrainian-based company called Innovative Marketing. IM employed dozens of young people in Kiev, the Ukrainian capital, most of whom believed they were involved in a start-up company that was selling legitimate security products. Except they weren’t.
The company was sending out rogue adware, which, once installed on an individual’s computer, would trigger a pop-up on the browser warning the user that their machine had been compromised by a virus. The only way, the advert explained, to rid their computer of the electronic critters now crawling all over their hard disk and RAM was to click on a link and purchase ‘Malware Destroyer 2009’, to name but one of their countless products.
Once you had downloaded Malware Destroyer (for £40), IM would instruct you to remove your existing anti-virus system, such as Norton, and install their product. Once installed, however, it did precisely nothing – it was an empty piece of software, although now of course you were open to infection by any passing virus and you had paid for that dubious privilege.
A researcher for McAfee in Hamburg, Dirk Kolberg, began to monitor this operation. He followed the scareware back to its source in East Asia and found that the administrator of IM’s servers had left some ports wide open, so Kolberg was at liberty to wander into the server and peruse it at will. What he uncovered was quite breathtaking. Innovative Marketing was making so much money that it had established three call centres – one for English speakers, one for German and one for French – to assist baffled customers who were trying to install their non-functioning products. Kolberg worked out from trawling through the receipts he also found on the server that the scareware scam had generated tens of millions of dollars in revenue for the management, in one of the most theatrical examples of Internet crime.
Beyond scareware, there are pump-and-dump schemes, which involve hackers moving into financial sites and digitally inflating share prices, before selling their holdings and then allowing the stock to collapse. There are also payroll schemes, whereby criminals hack into a corporation’s computer and add phantom employees to the personnel database. However, the hackers give these employees real salaries, which are dispatched monthly to so-called ‘money mules’. For a small consideration, these are instructed to pass on the money to a bank far away from where the crime is actually committed.
Just as the Web offers boundless possibilities to the creative mind in the licit world, so criminals can let their fantasies run free on the Internet.
The second major area of malfeasance on the Web is cyber industrial espionage. According to the annual threat report published by the American telecommunications giant, Verizon, this accounts for roughly 34 per cent of criminal activity on the Web and is almost certainly the most lucrative. Communications technology has made the theft of industrial secrets much easier than in the past. Until computers became widespread, stealing material involved physically breaking into a company or, if it were an inside job, finding ways of actually removing and distributing the data being sought.
No such difficulties now: industrial thieves can hack into a corporate system and then sniff around for blueprints, marketing strategies, payrolls or whatever else they are seeking, before downloading it. When Max Vision was not yet the fabled Iceman, he worked across the West Coast as a penetration tester – companies would pay him to attempt a digital break-in. Speaking to me in the orange jumpsuit that is his prison uniform, Vision said, ‘In those years, there was only one company which I failed to break into, and that was a major American pharmaceutical company.’ This is understandable – the value of pharmaceutical companies resides in their research, and the loss of formulae for new treatments can result in the loss of hundreds of millions of dollars and the collapse of share prices.
Vision was absolutely livid that he was unable to crack this one system. ‘Of course, I then launched a phishing attack on them and I was inside within five minutes, but it’s just not the same.’ What he means by that is that he sent infected emails to company email addresses, and it was but a matter of minutes before one of its many thousands of employees had fallen for the trap. So even if you have an unbreachable digital fortress, you have only overcome one of several major security challenges.
Similarly, these days it is much easier to perpetrate an inside job in a company because of the ease with which data can be collected and stored. We know that Bradley Manning, the man accused of having removed the US diplomatic cables that were subsequently published on WikiLeaks’ website, managed to download all the material onto a CD marked as a Lady Gaga album.
We also know that Stuxnet – to date the world’s most sophisticated virus – must have been planted on its apparent target in Iran’s nuclear facilities by somebody (wittingly or otherwise) infecting the computer systems with a memory stick or CD. Iran’s nuclear operating systems are not connected to the Internet. But they are still networks, and their infection by Stuxnet proved that they were within reach of a professional intelligence agency.
Stuxnet represented a significant escalation in the third major threat: cyber warfare. This piece of malware was so complicated that researchers estimated it must have taken in the region of several man-years to develop, which means that a dedicated team of coding engineers must have been working on it for an extended period. Organised crime does not operate in this fashion. The only entity capable of developing Stuxnet was a nation state with a lot of resources to devote to the design and manufacture of both defensive and offensive cyber weapons. Nonetheless, whoever designed Stuxnet borrowed huge amounts of computer code and techniques from the many tens of thousands of blackhat or greyhat hackers out in cyberspace. Criminal hackers are a great driver of creativity in all areas of the Web’s darkside. Military, private-sector, police and intelligence agencies are always quick to adopt the tools that crackers and hackers are developing.
When Stuxnet was successfully infiltrated into the control system of several nuclear facilities in Iran, the authorities admitted that it led to a major breakdown in the operation of a highly sensitive station. It could have resulted in an explosion. Its existence proves that the doomsday scenarios proposed by the so-called cyber warriors are no longer only theoretically possible. Serious though it was at the time, the attack on Estonia was the equivalent of a playful pre-match kick-about, compared to what Stuxnet heralds.
The cyber warriors are also referred to as cyber securocrats – these are the prophets who warn that the sky is about to fall on our heads. Among the most articulate of this breed is Richard Clarke, who describes the following scenario in his book Cyber War:
By the time you get to the Situation Room, the Director of the Defense Information Systems Agency is waiting on the secure phone for you.
FEMA, the Federal Emergency Management Agency, has reported large refinery fires and explosions in Philadelphia and Houston, as well as lethal clouds of chlorine gas being released from several chemical plants in New Jersey and Delaware.
The National Air Traffic Control Center in Herndon, Virginia, has experienced a total collapse of its systems . . .
Most securocrats continue by arguing that the only way we can prevent a digital Pearl Harbor or Cybergeddon is to put money into their think-tanks and companies in order to step up research into the threat.
In fact, this is already happening. The Estonian events accelerated the move towards the militarisation of cyberspace. NATO first agreed to create the majestically titled Cooperative Cyber Defence Centre of Excellence in Tallinn in 2005. Despite an enthusiastic reception for the idea of a cyber-war operational institute, member states proved reluctant to put any money on the table (with the understandable exception of the host country, Estonia). The project wasn’t mothballed, but it struggled to advance much beyond the stage of some attractively designed headed notepaper.
‘As soon as the attack happened, however,’ noted Peeter Lorents, an eminent Estonian mathematician and one of the Centre’s co-founders, ‘the atmosphere changed and we started getting real support from both Brussels and Washington. Indeed, my first reaction on hearing about the attack was to call France and order two cases of Cristal Champagne to be delivered to Mr Putin. By launching this attack, the Russians had surely secured the future of our centre.’
Alarm bells were certainly ringing in Washington. A number of events immediately preceded or followed on from the Estonian incident, and together these convinced the incoming Obama administration in 2009 that cyber defence needed to be strengthened at all costs. In particular, a few months after Estonia, it dawned on America’s huge global surveillance operation, the National Security Agency (NSA), just how serious the loss in April 2001 of an EP-3E Aries reconnaissance plane to the Chinese Air Force really was. Although the pilot had succeeded in destroying the software before it went down, the hardware was intact and, as soon as it fell into Chinese hands, they began to reverse-engineer the state-of-the-art technology that would enable them to monitor and decode encrypted communications. Soon after Obama’s election to the White House the Chinese started testing their new toy, and their new capability at intercepting communications was observed by the NSA. The Chinese, it seems, wanted to indicate to Washington that it had successfully cracked the technology.
The United States government did not stop at putting its weight behind the cyber-defence centre in Tallinn, which, since 2008, has been conducting major research, including complex cyber military exercises. Computing networks had become so critical a part, both of the Defense Department’s infrastructure and of its offensive and defensive operational capability, that Robert Gates, the Secretary of Defense, made the momentous decision to create a new military domain – cyberspace.
This fifth military domain – a sibling to land, sea, air and space – is the first-ever man-made sphere of military operations, and the rules surrounding combat in it are almost entirely opaque. Along with the domain, the Pentagon has set up USCYBERCOMMAND to monitor hostile activity in cyberspace and, if necessary, plan to deploy offensive weapons like Stuxnet. For the moment, the US is the acknowledged leader in the cyber offensive capability.
‘Cyber offensive capability’ should not be mistaken for an ability to deploy conventional weapons that are enhanced by computer systems. The best examples from this latter arsenal are the drones (which the US has regularly deployed in Afghanistan and Pakistan) that can undertake surveillance and fighting missions while being piloted by a computer operator in Nevada.
Cyber weapons are the hacking tools that enable a cyber soldier to penetrate the computer systems of an enemy’s CNI (Critical National Infrastructure), such as their energy and water grids. Once in control of the system, the military doctrine goes, the cyber commander can order their shutdown (or, as we know from Stuxnet, trigger a very damaging explosion) so that within a matter of days the affected society will be reduced to Stone Age technology.
That, at least, is the idea. For the moment, the United States is the acknowledged front-runner as developer of offensive cyber weapons. But the Chinese, the French and the Israelis are snapping at their heels, with the Indians and British not far behind.
The militarisation of cyberspace was foreseeable. Where this is leading us is, by contrast, understood by nobody. Writing in The New Yorker, the ever-perceptive Seymour Hersh teased out the implications of the Chinese having nicked the secrets from the reconnaissance plane’s hard drive:
The EP-3E debacle fuelled a long-standing debate within the military and in the Obama Administration. Many military leaders view the Chinese penetration as a warning about present and future vulnerabilities – about the possibility that China, or some other nation, could use its expanding cyber skills to attack America’s civilian infrastructure and military complex. On the other side are those who argue for a civilian response to the threat, focussed on a wider use of encryption. They fear that an overreliance on the military will have adverse consequence for privacy and civil liberties.
The urge for the military to establish itself as the chief arbiter of cyber security appears widespread. In October 2010 President Obama charged the National Security Agency, which is part of the Pentagon, with assisting the Department of Homeland Security and the private sector in domestic cyber security. In China the People’s Liberation Army is the primary institution governing foreign and domestic cyber security, while in the Middle East the Israeli Defence Force is the inspiration for the extraordinary research into computer warfare, which allows Israel to punch high above its weight in this field.
But what, one may legitimately ask, has any of this to do with cybercrime?
The threats in cyberspace are real and dangerous. Ideally, a democratic state would ensure that this critical technology should benefit, not ruin, the lives of its citizens. Equally, the state should resist the temptation to infringe our rights and privacy. Allowing the military to assume a lead role in defence of civilian networks is most unwise. Yet given that cyber weapons have the potential to cripple a country’s Critical National Infrastructure (and ruin people’s lives in the process), there must be provision for the military to intervene in extreme situations. Those circumstances should be both exceptional and verifiable.
Separate agencies should be responsible for policing the three separate threats – cybercrime, cyber industrial espionage and cyber warfare. Recognised police agencies like the FBI or the US Secret Service should assume responsibility for cybercrime. Corporations and companies should either develop their own network security system or pay a company specialising in cyber security to do it. Civilian government should establish its own network defence, while the military should protect its systems.
On the surface that seems straightforward enough. But in the real world the edges are already blurred, encouraged by the interconnectivity of the Web. Then there is the hitherto insoluble two-part conundrum at the heart of cyber security: what does a cyber attack look like?
To answer this, a cyber defender requires two vital pieces of knowledge. From where does this attack originate? And what is the attacker’s motive? Faced with a skilled cyber aggressor, not even the best defender can answer these questions. One can only surmise, and acting on a supposition can lead to wrong decisions, misunderstandings and, eventually, conflict.
Let us assume that our police agency, the corporate sector and the military dutifully stick to their task of protecting the state against their designated perils. There are still two actors who are ever present across the spectrum of threats: the spook and the hacker. The former seeks to crack the conundrum (although not necessarily to share the resulting knowledge); the latter is actually responsible for formulating the conundrum precisely in such a way as to render it insoluble.
The intelligence agency sniffs around the Web like a black cat against a dark background, never making a sound and socialising only when its team seeks to dissemble, recruit or confuse. This phantom-like behaviour is part of the spook’s DNA, but it is also explained by the intelligence service’s fascination with, and even admiration for, its primary opponent in cyber: the hacker.
Until recently, network defenders were confident that when an attack was under way there was a hacker masterminding it. This has changed in the last five years with the emergence of ‘off-the-shelf’ malware. Many criminal hackers now make their money not by compromising credit cards, bank accounts or similar cunning scams, but simply by selling trojans, viruses and worms that they have developed. They are user-friendly programs that do not require specialist knowledge to deploy them. The most common form is the botnet. Hackers will hire out botnets to be used in DDoS attacks for purposes such as extortion or revenge for a day or two, or maybe for a week or a month. Naturally, hackers selling a botnet or virus have the technical ability to control the length of hire because they can simply programme in its obsolescence, about which their clients – presumably petty jobbing criminals – can do nothing.