The Internet these days is often compared to the Wild West. It, too, is a wide open frontier with endless possibilities, loose rules, limited government controls and not a few rustlers and bandits lurking along its trails. But unlike other frontiers, the Net seems to be steadily becoming more dangerous, not less. And there are now armies on the move.
Hackers aren’t just computer whiz kids, online scam artists, or even criminal networks any more. Hacking has become a weapon of war. Stunning accusations in a recent report by Mandiant, a US online security firm, provide insight into just how persistent the threats from government hackers working for certain enemy states have become.
The company has been investigating security breaches at hundreds of organizations around the world since 2004. Their tracking of threats has allowed them to identify more than 20 hacking groups within China. The largest of these, which they called APT1, for “Advanced Persistent Threat”, has conducted vast hauls of information from hundreds of organizations since 2006.
Mandiant’s detective work on over 150 corporate victims for over 7 years paid off. They were able to identify APT1 as a unit of the People’s Liberation Army of China with a code designation of Unit 61398, precisely located its facilities in the middle of Shanghai, and even named three key developers. They watched APT1 compromise 141 companies in 20 industries, and studied in detail APT1’s sophisticated methodology – in one case, as the hackers maintained vampiric access to one firm for nearly 5 years.
The scale of the hackers’ activities was staggering. APT1 stole 6.5 terabytes of compressed data from just one company over 10 months. The data targeted included blueprints, proprietary processes, test results, business and pricing plans, agreements, and of course, email. They controlled tens of thousands of systems, over 900 command servers (109 in the US alone), and used over 2500 domains.
The method of APT1’s attack is extremely sophisticated, depending mainly on social engineering to open the first tiny crack. The initial compromise is usually accomplished by phishing, either sending an email with a malicious attachment (usually an infected ZIP file with an innocent name) or a link to a bad page. Instead of panicking people into rash action, they preferred to have their victims click without a second thought, so their phishing emails were usually very bland and innocuous. They are known to have even created webmail accounts using real executives’ names in order to lure the unsuspecting.
Once opened, the file or link installs a custom backdoor. Using this, the hackers establish a broader foothold, gain privileged status, and begin to reconnoiter their surroundings, expanding throughout the enterprise and if possible, to other entities. Every now and then, they would pack up all the information, compress it, and send it home.
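As an added illustration, not drawn from the Mandiant report or this article, here is a defender-side triage heuristic for the lure pattern described above: a bland message whose display name matches a real executive but whose address is a public webmail account, carrying an archive attachment. The executive directory, the webmail list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed internal directory: display name -> the company domain it should send from.
EXECUTIVES = {"jane doe": "example.com"}
# Constructed list of public webmail providers an impostor might register with.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.I)

def triage(raw: str) -> list[str]:
    """Return the list of red flags raised by one raw RFC 2822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and domain != expected:           # executive's name, wrong domain
        flags.append("executive-name-from-external-sender")
        if domain in WEBMAIL_DOMAINS:
            flags.append("webmail-domain")
    for part in msg.walk():                       # every MIME part, including nested
        fn = part.get_filename()
        if fn and ARCHIVE_EXT.search(fn):
            flags.append("archive-attachment:" + fn)
    return flags

def verdict(raw: str) -> str:
    flags = triage(raw)
    impersonation = "executive-name-from-external-sender" in flags
    archive = any(f.startswith("archive-attachment:") for f in flags)
    if impersonation and archive:
        return "suspicious"   # the combination the text describes
    return "review" if flags else "clean"

# Constructed sample: innocuous wording, executive's name, webmail sender, ZIP attached.
SAMPLE = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: staff@example.com
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please review the attached figures before the meeting.
--XX
Content-Type: application/zip; name="Q3_figures.zip"
Content-Disposition: attachment; filename="Q3_figures.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--XX--
"""

# Constructed benign sample: same executive, genuine company address, no attachment.
BENIGN = "From: Jane Doe <jane.doe@example.com>\nTo: staff@example.com\nSubject: Lunch\n\nLunch at noon?\n"
```

The heuristic is deliberately narrow; in practice it would sit beside sender-authentication checks (SPF/DKIM/DMARC) and attachment detonation rather than replace them.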
Due to the extensive logistical support, intellectual talents, and facilities required, as well as the targets, there can be little doubt that the Chinese government is fully aware of and running Unit 61398. Of course, strident face-saving denials were not long in coming.
Mandiant says it struggled over whether it should release such detailed information, particularly establishing a solid connection to the Chinese government. They realized that publishing the numerous threat indicators, techniques, domains and other information alerts the bad guys, and they actively expect reprisals from the Chinese. Still, the report says, “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals.”
So far, APT1 has apparently been concerned solely with espionage. But such intrusions could also serve as launch points for the “cyber-Pearl Harbor” that outgoing Secretary of Defense Leon Panetta has warned about. And there could be other units secretly laying groundwork for such a scenario.
Some foreign policy and technical experts doubt it could happen. They argue that the Internet is too broad and diverse – that there is no single point of failure. After all, the Net was designed to withstand nuclear war. Such complacent thinkers argue merely for stronger firewalls and encryption.
Perhaps – or perhaps the metaphor’s wrong. Maybe it’s not cyber-Pearl Harbor we should worry about but a cyber-Maginot Line. The Maginot Line was a superb, impervious line of forts built by the French in the 1930s to deter German aggression. But when war came, it failed: the Germans couldn’t beat it, so they simply went around it. It is not inconceivable that some hostile power with enough sophistication and daring, controlling a hidden army of zombie computers, could do the same thing in cyberspace.
Then what happens? How are cyber attacks even identified when the assault comes from an unexpected direction (or likely many) and every millisecond counts? How can one be sure who the enemy is? Beyond self-defense, how does one respond? Are reprisals acceptable? What kind? There are no cyber drones, after all, to zap enemies in their lairs. So what about widespread collateral and civilian damage? If somebody takes down our banks, do we take down their air traffic controls?
It is frightening to ponder such implications. Yet there is already a trade war going on in the shadows, partly simply because it can, with no governing authority in place. The Internet as a frontier is much like outer space: new arenas require new norms of behavior. Rules of cyberwarfare, like the Geneva Conventions or nuclear arms limitation treaties, need to be written, agreed on, and a global means of enforcement implemented.
Since at this stage it is still a trade war, the US will use economic and commercial means to fight back. The US Attorney General, Eric Holder, announced plans to work with other governments to punish offenders by using trade sanctions and criminal prosecutions, and to review current policies to see what more is needed. President Obama has taken slightly stronger action with an executive cybersecurity order during the State of the Union in January.
It’s a start. But taming the cyber frontier is absolutely necessary, for the Internet has already become vital to modern society. Sooner or later, just like in the old Westerns, a sheriff is going to ride into town and clean up the feuding gangs. And before the smoke clears, there may well be blood, real blood, spilled.
In any case, the President has again issued a warning, even though CISPA, his proposed bill, failed as too burdensome to companies for the second time late last year. Time and again in American history, warnings have been ignored for just such reasons. Let’s hope that history is not about to repeat itself again.