Sunday, April 24, 2011

Forbidden Knowledge, Forbidden City, Part 1

We begin with excerpts from Lab halts Web access after cyber attack, April 19, 2011, about a cyber attack on Oak Ridge National Laboratory (ORNL):


OAK RIDGE — A highly sophisticated cyber attack — known as Advanced Persistent Threat [APT] — forced Oak Ridge National Laboratory to shut down all Internet access and email systems over the weekend.

Those restrictions will remain in place until lab officials and others investigating the attack are sure the situation is well controlled and manageable, ORNL Director Thom Mason said Monday [April 18].

[snip]

"In this case, it was initiated with phishing email, which led to the download of some software that took advantage of a 'zero day exploit,' a vulnerability for which there is no patch yet issued," he said. The vulnerability involved Internet Explorer, he said.

[snip]

Mason confirmed that some computers were confiscated and quarantined. He also confirmed that the phishing email messages in this case were disguised as coming from the lab's human resource department.

He said that some lessons learned from the 2007 attack helped lab officials with the current situation, but he said this is a much more advanced attack than the event four years ago.

"Well, if you look at this APT, it is much more sophisticated than what was being used a few years ago," he said. "Certainly what we've seen is very consistent with the RSA attack. ...Whoever is doing this attempts to get a foothold in the network system, works patiently and relatively quietly to try to expand that and is looking for specific types of information."

Director Mason mentions "the RSA attack" - perhaps some background about it might help. RSA At a Glance tells us what RSA is:

Corporate Overview

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance solutions, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.

Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated.
In other words, RSA is an industry leader in cyber security.

About the attack on RSA, RSA Executive Chairman Art Coviello had this to say:

Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

So, an APT attack hits a cyber security industry leader. For more background, we consider Hacker Spies Hit Security Firm RSA, dated March 17, 2011, by Kim Zetter:

The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

So, the attackers sought information about a complex cyber security system where the right person has to be at the right computer, and with the right controlled cryptographic device, to be able to log on.


ORNL has plenty of activities that would warrant that level of security.


Skipping down in Hacker Spies Hit Security Firm RSA:

RSA categorized the attack as an advanced persistent threat, or APT. APT attacks are distinctive in the kinds of data the attackers target. Unlike most intrusions that go after financial and identity data, APT attacks tend to go after source code and other intellectual property and often involve extensive work to map a company's infrastructure.

APT attacks often use zero-day vulnerabilities to breach a company and are therefore rarely detected by antivirus and intrusion programs. The intrusions are known for grabbing a foothold into a company's network, sometimes for years, even after a company has discovered them and taken corrective measures.

Last year's hack into Google was considered an APT attack, and, like many intrusions in this category, was linked to China.

So, this is an advanced persistent threat.

Depending on whose article you read, an APT might just be a miscellaneous category for anything the IT firm doesn't know how to deal with.

But, when a major IT company like Google gets hit, then a year later an industry leader in cyber security gets hit, and they're calling it an APT, that makes me suspect it is something serious.

It seems the RSA attack was after the source code that would allow the hacker access to ORNL's data.

Did the hacker succeed, and via the APT phishing get information from one of ORNL's many critical programs?

Regarding the Google attack, we get some background from Google charge highlights China-based hacking by Joe McDonald, dated February 3, 2010:

BEIJING — Google's accusation that its e-mail accounts were hacked from China landed like a bombshell because it cast light on a problem that few companies will discuss: the pervasive threat from China-based cyberattacks.

The hacking that angered Google Inc. and hit dozens of other businesses adds to growing concern that China is a center for a global explosion of Internet crimes, part of a rash of attacks aimed at a wide array of targets, from a British military contractor to banks and chemical companies to a California software maker.

The government denies it is involved. But experts say the highly skilled attacks suggest the military, which is a leader in cyberwarfare research, or other government agencies might be breaking into computers to steal technology and trade secrets to help state companies.

"Chinese hacking activity is significant in quantity and quality," said Sami Saydjari, president of the consulting firm Cyber Defense Agency and a former U.S. National Security Agency official.

I don't see that anyone has publicly accused China of being behind the APT attacks on RSA and ORNL, but it sure seems to me that might have been the case.


As I dig, I find the trail leads from these major advanced persistent threat cyberattacks on key US-based targets to cyberintelligence officers of Communist China's People's Liberation Army (PLA). From there, a trail leads back to PLA front companies in the United States. From there, via the front companies' associated political action committees (PACs), a trail leads via campaign contributions to important US politicians. And, these PLA front companies are not the only hosts for Communist Chinese intelligence operations in the US - which have been ongoing and enjoying success for decades.


More to follow.

No comments:

Post a Comment