Sunday, April 4, 2010

BotNets: Sophisticated attacks likely Corporate, Government Espionage

After some articles are put to bed at FilterBlogs they get a Posthumous Longtail Aperitif (PLA) - links to related articles published after my original post.

PLA April 16 2010. Update on this Published here at FilterBlogs: Citizen Lab describes "Espionage 2.0" around GhostNet Investigation.

PLA April 06 2010. "Hackers not linked to China's government: researcher"

Governments exist in a world of laws and treaties. Appearing to act within these agreements has a high value for them. Corporations exist within similar matrices.

In the attacks described below the public should be aware that a 'false flag' attack (an attack staged so that its apparent origin, or its apparent target, points away from the real one) can be worked into these complex programmes in order to obscure who is really behind the attack and what it is really after. When governments and corporations conduct cyber warfare (*which they do not*), maintaining plausible deniability is very important to them.

We've seen several examples of sophisticated attacks in the last three years:

Google-Gate (2010)

(From a search of the term Google-Gate on both Google and Bing, the term seems to be monopolized by right wing conspiracy nutters afraid of the future. These 'fraidy cats' think Google is the "Beast", a reference to the Bible's Book of Revelation, which predicts the end times. The Republican-allied "tea-potters" think this is coming in 2012. As the original reference is the Republican wiretapping of the Democratic Party headquarters at the Watergate Hotel in 1972, I'm re-appropriating it here for the moderates.)

Most news sources have assumed China tried to access Google's corporate secrets in an attack in December 2009. But a read of Google's original blog post on the matter makes it clear that the attack was broader than a single intrusion, with many vectors and many targets. The only thing that appears certain, which is interesting in itself, is that the attack originated in China (a false flag?).

From the Google Blog:

A new approach to China
1/12/2010 03:00:00 PM

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

The next day (1/13/10) CNET reported that several sources in the intelligence community had made the link to the Chinese government appear more solid, saying they had information that the route of the attack led definitely (well, sort of) to the Chinese government.

(my emphasis)
Google did not specify how it knows the attacks originated in China and did not outright blame the Chinese government. Sources said it is typically difficult to find evidence specifically leading back to Chinese officials in computer attacks. Google must have some solid evidence for it to take such drastic action and risk losing millions of dollars in revenue from the Internet's largest market.
Researchers who have investigated these attacks said they were traced to China several ways and that they share characteristics with previous attacks linked to the Chinese government. The attacks used command-and-control servers based in Taiwan that are commonly used by or on the behalf of the Chinese government, according to iDefense. "The IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past," said Eli Jellenc, head of international cyberintelligence at iDefense.

It seems to me that the popular press's laying of blame at the feet of the Chinese Government was precipitous, perhaps propelled by Google's decision to get out of the censorship agreement it has with the Chinese, and now the news that it is moving its Search offices to Hong Kong (CNET News, March 22 2010).

One has to ask, though, whether they were going to do this anyway. Google is a distant second to Baidu in the Chinese search engine market and it doesn't look like that's about to change.

Tricia Wang, a Ph.D. student in the Sociology Department at UC San Diego, writing in her blog, Cultural Bytes, offers a unique look at Google's failings in China from her position as an ethnographic researcher in China. The piece is titled "My Suggestions for Making Google's Services More Relevant for Non-Elite Chinese Users (involves some ethnography!)"

There are, however, other explanations that do lie within Google’s control in which they have failed to execute. The 3 main factors are: achieving brand recognition, creating a successful marketing campaign, and understanding usage contexts of non-elite internet users. Google should hold themselves accountable for these factors.

Google has failed at brand recognition. They have not been successful at making their services relevant for the average Chinese internet user nor have they made it easy for people to recognize, say, or even type in their name on a keyboard.

Read the rest...

I think there are forces in America ranging from isolationist to imperialist - and the military-industrial complex (a special interest group that crosses political boundaries; it's systemic - see Eisenhower's MIC speech) - who have vested interests in demonizing China at the moment. Since these forces have nothing to lose (there's no downside, as most of the facts will remain unknown), they felt they could chime in here against China with no comeuppance.

The same goes for the Obama Administration, which is trying to straddle the two interests. When Secretary of State Hillary Clinton read the riot act to China (link: "Remarks on Internet Freedom", January 21, 2010), her speech was full of rhetoric about the open web but included no action. It was an opportunity for the administration to look good to key parts of its support demographic by doing something - without having to actually do anything at all.

GhostNet (2008)

The so-called "GhostNet" (the espionage network the Citizen Lab at the University of Toronto documented in its March 2009 "Tracking GhostNet" report; link) targeted, among others, the email accounts of Tibetan dissidents, and those attacks were already being reported in 2008. From "Cyber Attacks Target Pro-Tibet Groups", March 21, 2008, by Washington Post staff writer Brian Krebs:

Alison Reynolds, director of the Tibet Support Network, said organizations affiliated with her group are receiving on average 20 e-mail virus attacks daily. Increasingly, she said, the contents of the messages suggest that someone on one or more of the member groups' mailing lists has an e-mail account or computer that has already been compromised.
On March 18, as protests in Tibet intensified, a technology specialist working with Reynolds's group sent a message to members warning them to expect a sharp increase in e-mail and other cyber attacks against groups rallying the international community against China's crackdown.

(I find it interesting that the 'technology specialist' didn't take credit here but instead chose to remain anonymous. Perhaps volunteering for a non-profit is part of a job he has with one of the top cyber security groups on the planet.)

BotNet (2009)

Late last year Ottawa's Defence Intelligence uncovered a botnet they named "Mariposa" (referring to its Barcelona central hub). A botnet is a set of infected computers that, on the controller's command, operate in tandem: to compromise further computers, or to install the ultimate in snooping software, keyloggers and screen-capture tools, which let the operator see everything you do in real time (from your online banking password to what area of a photograph you zoom in on in your photo-editing software - EVERYTHING).

I can't word it any better than Defence Intelligence's sum-up, at their site:

What is a Botnet?
A botnet is a collection of compromised computers that are directly under the control of a single malicious entity. Computers become compromised once malicious software is installed on them. This malicious software, or malware, is engineered specifically to gain access to and maintain control over the victim machine. Anti-virus companies label this malware as a virus, worm, or a trojan, but these designations are useless when considering the behaviour and capability of a botnet. Modern day malware evolves to become whatever is needed by its controller and is not limited by the boundaries of anti-virus labels.
Once the malware is on the system it seeks communication with its controlling entity. With communication established, any compromised machine can be capable of carrying out any order issued by the botnet controller and any data on the compromised machine can be extracted for use, sale or distribution by the attacker.
© 2008-2010 Network Defence Intelligence Inc.

According to an email from my ISP - sent to the manager of the account that connects me to the internet - an infected computer on our wireless connection moved 18,000 MB of data on March 23, 2010 between 4:50 and 5:00 PM (our daily average is 3,500 MB/day).

We all checked our computers for malware and my room-mate found two Trojan horses buried in his browser's backup file.
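What the ISP did here is, in effect, a volume-based detection: one host's outbound traffic in a ten-minute window dwarfed the household's normal daily total. As an added example (this is not code from the original post, from the ISP or from Defence Intelligence), here is that check written against a NetFlow-style export. The log format, the addresses and the individual byte counts are constructed for the example; the only figures taken from the post are the 18,000 MB burst in a ten-minute window and the 3,500 MB/day average.

```python
"""
Egress-burst check over NetFlow-style records.

Added example, not code from the original post, the ISP or Defence
Intelligence. The log format, addresses and byte counts are constructed;
only the 18,000 MB burst and the 3,500 MB/day average come from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1_000_000
WINDOW = timedelta(minutes=10)
DAILY_AVERAGE_MB = 3500  # the household's typical daily total, per the post

# Constructed flow export: "timestamp src_ip bytes_out", one record per line.
# 192.168.1.23 plays the infected machine; 192.168.1.10 is ordinary browsing.
SAMPLE_FLOWS = """\
2010-03-23T16:40:00 192.168.1.10 2400000
2010-03-23T16:45:00 192.168.1.23 1800000
2010-03-23T16:50:00 192.168.1.23 9000000000
2010-03-23T16:55:00 192.168.1.23 9000000000
2010-03-23T16:55:00 192.168.1.10 3100000
2010-03-23T17:05:00 192.168.1.23 1500000
"""


def parse_flows(text):
    """Turn the three-column text export into (datetime, src, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(nbytes)))
    return flows


def window_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its fixed-size window, counted from midnight."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + window * ((ts - midnight) // window)


def bytes_per_window(flows, window=WINDOW):
    """Sum bytes_out per (src, window_start) bucket."""
    buckets = defaultdict(int)
    for ts, src, nbytes in flows:
        buckets[(src, window_start(ts, window))] += nbytes
    return dict(buckets)


def find_bursts(flows, daily_average_mb=DAILY_AVERAGE_MB, window=WINDOW):
    """
    Flag any (host, window) whose egress alone exceeds the whole daily average.

    The rule is deliberately crude and explainable: one ten-minute window that
    moves more than a normal day's traffic is worth a phone call, whatever the
    cause. Returns a list of dicts sorted by volume, largest first.
    """
    threshold = daily_average_mb * MB
    bursts = []
    for (src, start), total in bytes_per_window(flows, window).items():
        if total > threshold:
            bursts.append({
                "src": src,
                "window_start": start,
                "window_end": start + window,
                "mb": total / MB,
                "times_daily_average": round(total / threshold, 2),
            })
    bursts.sort(key=lambda b: b["mb"], reverse=True)
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_flows(SAMPLE_FLOWS)):
        print(f"{b['src']} moved {b['mb']:,.0f} MB between "
              f"{b['window_start']:%H:%M} and {b['window_end']:%H:%M} "
              f"({b['times_daily_average']}x the daily average)")
```

Run it against flow records exported by the gateway or the ISP, not against counters read from the suspect machine: a compromised host can under-report its own traffic. The fixed "more than a day's traffic in ten minutes" rule catches a burst of this size but will miss a slow drip; a per-host baseline built over several days is the natural next step.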

In this time of economic and political uncertainty we're seeing an increase in Internet warfare, both between states and between corporations. This is also a function of the advance of the technology, and as such I've decided to open up completely. This may seem counterintuitive to some people, but here's a good example of how being 'always on' works to my benefit: I can prove where I was and what I was doing on March 23, 2010 between 4:50 and 5:00 PM.

According to my Google Dashboard's "Web History", this is what I was doing when the Trojan moved all that data.

I was composing an idea for a comment on an Andy Oram piece at O'Reilly Radar.

  1. Would I be wrong to assume that if the Chinese government chooses not to renew Google's licence, their next step would be to blacklist it in their firewall?

  2. Sounds about right. That'll leave Yahoo and the other one with all the American search engine market inside China (about 2% of the total).

    Important to read the updated article here at FilterBlogs, written about 2 weeks after this one. It clears some things up, makes the subject less murky in some ways, more murky in others... as are espionage and government spin-doctoring, wherever they're coming from.