Information Warfare: Russia Scams Iranian Hackers


November 10, 2019: British (GCHQ) and American (NSA) intelligence agencies recently announced that they had discovered a Russian hacker group called Turla. This outfit worked for the successor to the KGB, called the FSB. Turla had secretly infiltrated the networks of Iranian hacker group APT34. Thus disguised, for the last 18 months Turla carried out attacks in over twenty countries, mostly in the Middle East. This enabled Turla to appear, if detected, to be APT34. Apparently the Iranians were not aware that the Russians had gained access to their network of infected computers. Turla used APT34 hacking tools and went to great lengths to appear as another Iranian hacker team belonging to APT34.

The Turla/APT34 link was first discovered by Estonian and Czech internet security teams. As members of NATO, these two nations shared their discovery with Britain and the U.S., which have the largest Internet security operations and take the lead in developing offensive and defensive tools for use against those waging Cyber War on NATO members. This cooperation began in 2007, when NATO was called on by Estonia, one of its members, to declare Cyber War on Russia. That was because Russia had recently carried out a major hacking campaign that caused great financial harm to Estonia, which wanted this sort of thing declared terrorism and dealt with.

Cyber Wars have been going on for over a decade now, and they are getting worse. It started in the 1990s, as individuals attacked websites in other nations because of diplomatic disputes. As a result of the Estonian experience in 2008, NATO established the Cyber Defense Center in Estonia to study Cyber War techniques and incidents and to coordinate efforts with other NATO members to create Cyber War defenses as well as offensive weapons. This effort has been successful, but the Cyber Defense Center does not usually publicize its discoveries unless there is a public service aspect to them. As a result of this cooperation, NATO nations have acquired a lot more information about the major hacker threats, most of which come from Russia, China, North Korea and Iran.

GCHQ and NSA pointed out that they, and NATO, have developed better tools for detecting attacks and identifying who is behind them. Apparently the U.S. Department of Defense is using its newly acquired authority to conduct counterattacks against nations caught hacking American targets. Other NATO members have quietly adopted this policy as well, without issuing any press releases about it. In addition, there has been a growing number of press announcements alerting everyone to new Cyber War dangers. For example, in early 2019 a new family of hacker software was discovered and named TajMahal. Such collections of software are called APTs (Advanced Persistent Threats) and are often the work of governments or major criminal gangs. This elaborate and expensive (to create and maintain) software can carry out large-scale and persistent criminal activities over a long period to steal money or information. TajMahal was unique for several reasons. First, it has apparently been in use since 2013 and, until now, was undetected as an APT. That was a big win for an APT, because once the existence of a new APT is confirmed there is a lot of effort worldwide to improve defenses and render the newly discovered APT less effective.

The TajMahal software was apparently created from scratch as it was never previously seen used by any other hacker or APT. In other words, TajMahal was not only unique but was eventually discovered to be something created for the Russian government. Russia sought and built an APT that could operate for a long time without detection. TajMahal contains at least eighty separate modules that cover a large range of malware (hacker software) tasks. In other words, TajMahal has all the known tools for secretly getting into a network and stealing data. Now that TajMahal has been identified, APT researchers can search for victims, where the stolen data ended up and who TajMahal was created for.

Hacking has gone pro since the late 1990s, and national governments now see Cyber War weapons as major components of their military power. This evolution came into focus after the Internet and the World Wide Web became widely used and truly international after 2005. Within a decade researchers began to encounter APTs like TajMahal and, before that (in 2017), the White Company. These major malware systems came to be called APTs, and that said it all. The White Company was discovered in 2017 by computer security companies as this new APT quietly tried to hack its way into Pakistani Air Force networks. White Company was deliberate, effective and discreet. It was called the “white” company because the group placed a premium on concealing its operations as well as its origins. This sort of thing was first noted in 2010 when Stuxnet was discovered and attributed to an Israeli-American state-level effort that produced a very elaborate, professional and stealthy bit of malware that did major damage to the Iranian nuclear program. In 2018 Iran was hit with a similar attack, but this Stuxnet-like malware was even more elaborate; its source is still unknown and the Iranians would rather not talk about it.

Another major revelation came in early 2017, when one bit of Internet-based criminal activity made headlines worldwide for reasons that took a while to emerge, both to the general public and to Internet security professionals. The incident began with the activation of ransomware called WannaCry. What made WannaCry so dangerous was that it made use of several capabilities, including a hidden (but findable) backdoor program that tried to spread WannaCry to Microsoft Windows computers that had a known vulnerability but had not been updated to remove it. Malware that spreads itself automatically in this way is called a worm, and it depends on other computers being vulnerable to having malware installed without any user action. With WannaCry, local PC networks run by Microsoft server software were vulnerable if the latest patches were not installed.

What made this newsworthy was that the worm depended on information stolen from the NSA (the American National Security Agency) and made public by Wikileaks earlier in 2017. The NSA tool was called EternalBlue, and it used a ZDE (Zero Day Exploit) stockpiled by the NSA for possible Cyber War operations. This particular ZDE exploited a flaw in Windows network software, allowing the EternalBlue program to quietly insert itself into other PCs on the same network as the PC that had been infected with WannaCry (probably via a spearphishing attack).
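The dependency described in the two paragraphs above, that a worm only reaches hosts which are both on the same network and still unpatched, is easy to see in a small model. The following is an added example, not code from the article; the network segment, host names and patch states are constructed, and the breadth-first spread is a simplification of how such a worm behaves:

```python
"""Toy model of worm spread across a network segment.

Added example, not from the article. It models the dependency the article
describes: a worm like WannaCry can only move to a host that is both
reachable and still unpatched, so every patched host is also a host that
never relays the worm. The segment, host names and patch states are
constructed for the demo.
"""
from collections import deque

# Constructed segment: each host lists the neighbours it can reach over the
# Windows file-sharing service the worm abuses. A sparse graph is used so the
# containment effect is easy to read; real segments are usually fully meshed.
NETWORK = {
    "ws-01": ["ws-02", "ws-03", "srv-files"],
    "ws-02": ["ws-01", "ws-04"],
    "ws-03": ["ws-01", "srv-files"],
    "ws-04": ["ws-02", "ws-05"],
    "ws-05": ["ws-04"],
    "srv-files": ["ws-01", "ws-03", "ws-06"],
    "ws-06": ["srv-files"],
}


def simulate_worm(network, patient_zero, patched):
    """Return the set of hosts reached from patient_zero.

    patient_zero is assumed to have been infected by other means (the article
    suggests a phishing email), so its own patch state is irrelevant. Spread
    proceeds breadth-first and stops at every patched host.
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for neighbour in network.get(host, []):
            if neighbour in infected or neighbour in patched:
                continue
            infected.add(neighbour)
            queue.append(neighbour)
    return infected


def rank_patch_candidates(network, patient_zero):
    """For each host, the infection count if only that host were patched.

    Sorted so the single patch that contains the most spread comes first;
    useful for deciding where to start when patching everything at once is
    not possible.
    """
    ranking = []
    for host in network:
        if host == patient_zero:
            continue
        ranking.append((host, len(simulate_worm(network, patient_zero, {host}))))
    return sorted(ranking, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    print("no patches:", sorted(simulate_worm(NETWORK, "ws-01", set())))
    print("ws-02 and srv-files patched:",
          sorted(simulate_worm(NETWORK, "ws-01", {"ws-02", "srv-files"})))
    print("best single patch:", rank_patch_candidates(NETWORK, "ws-01")[0])
```

With no patches every host in the segment is reached from the phished PC; patching two well-placed hosts leaves only two infected. The ranking function is the part worth keeping: it says which host, patched first, cuts off the most of the segment.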

All this was news for several reasons. First, the attack could have been a lot more effective than it was, except for a hidden flaw (a kill switch) that was soon discovered and activated through the efforts of an international network of White Hat hackers. Then the incident became even more mysterious. While at least a quarter million PCs in 150 countries were infected with WannaCry and had their hard drive contents encrypted, only about one in a thousand of these PCs paid the $300 (in bitcoin) ransom. But those who paid the ransom did not receive the decryption information, and the bitcoin payments (worth nearly $100,000) were sent to three bitcoin “wallets” that had apparently been abandoned.

Meanwhile, the White Hats, network security companies and intel agencies were scrutinizing WannaCry in detail. The computer code and other evidence indicated that this attack was the work of North Korean government hackers. The North Koreans do it mainly for the money, because North Korea is broke and run by a ruthless but economically inept dictator. It did not make any sense for North Korea to unleash WannaCry, because most of the victims were in the few countries (China and Russia) that still supported North Korea. These two countries were hard hit because both depend heavily on illegal copies of Windows and other software. Most users of illegal Windows software don’t bother to pay for the security and other software updates that other hackers supply for a fee, and Microsoft will not update illegal copies of its software. Worse, even though Microsoft regularly releases free updates via the Internet, many users do not immediately apply them because updates sometimes break something else. At the end of 2017, the United States announced that it considered WannaCry a product of the North Korean government hacking operation. Several Western nations agreed with the Americans. WannaCry is still in use, with an upgraded version making major attacks in mid-2018.

WannaCry is one of those mysteries that took a while to understand and may never be “solved”, because there are so many black hat hackers involved, operating at different skill levels and with different objectives. It later turned out that WannaCry was first used in late April 2017 and perhaps even earlier. Based on past experience with malware, we can expect numerous WannaCry variants to show up, for a few months at least, until enough users are made aware of the threat and enough Internet security software is updated to recognize and defeat the various tools WannaCry employs. North Korea never admitted it created WannaCry, but someone subsequently released improved versions, and so far WannaCry has inflicted damage costing victims over four billion dollars.

There have been many revelations in the last decade. For example, there is North Korea as a major APT producer. Long believed to be nonexistent, North Korean cyber warriors did exist and were not the creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues since the early 1990s, and their Mirim College program quietly trained several Internet engineers and hackers. North Korea has a unit devoted to Internet-based warfare and this unit is increasingly active. North Korea is now considered a major player.

What most of these large-scale attacks have in common is the exploitation of human error. A case in point is the continued success of attacks via the Internet against specific civilian, military and government individuals using psychology rather than just technology. This is often carried out in the form of official-looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting but from someone they recognize. This is known in the trade as "spearphishing" (a targeted form of "phishing"), a Cyber War technique that sends official-looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends files and information from the recipient's PC to the spearphisher's computer. For the last few years an increasing number of military, government and contractor personnel have received these official-looking emails with a PDF document attached and asking for prompt attention. This is what the White Company used, on a large and detailed scale, against the Pakistani Air Force.

Another recent example of the continued effectiveness of these deceptive techniques can be seen in the repeated use of spearphishing by a group of Iranian-backed Syrian hackers calling themselves the Syrian Electronic Army (SEA). This group began as a small band of hackers loyal to the Assad dictatorship in Syria. The SEA has been using spearphishing to hack into media sites. Even though most media companies have software and personnel rules in place to block spearphishing attacks, there are so many email accounts to attack that only one victim has to respond for the SEA to get in (using the login data from the compromised account). The automated defenses are supposed to block the actions of the hacker software triggered when the victim opens the email attachment, but hackers keep finding exploitable vulnerabilities in the defenses, which leaves them open at least until the vulnerability is detected and patched. Over the last five years the SEA evolved into a major Iranian APT.
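The two paragraphs above describe the spearphishing lure from the victim's side: a familiar name, an attachment, a request for prompt attention. A mail gateway can score those same traits before the message reaches anyone. The following is an added example, not code from the article or from any of the organisations it names; the internal domain, the directory of known colleagues, the weights and both sample messages are constructed for the demo, and the scoring is a deliberately simple heuristic rather than a substitute for attachment sandboxing:

```python
"""Heuristic triage of inbound mail for spearphishing traits.

Added example, not from the original article. It scores the pattern the
article describes: official-looking mail from a name the recipient knows,
with an attachment and a request for prompt attention. The organisation
domain, the directory of known colleagues and both sample messages are
constructed for the demo.
"""
from __future__ import annotations
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-af.mil"                                    # constructed
INTERNAL_DIRECTORY = {"Col. Jane Doe", "Maj. John Roe", "Help Desk"}  # constructed
# Types that execute or carry macros. A PDF is deliberately not listed: it is
# counted only as "an attachment", yet the article notes it is the usual lure.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}
URGENCY = re.compile(r"\b(urgent|immediately|prompt(?:ly)?|action required|asap)\b", re.I)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _attachments(msg: Message) -> list[str]:
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_content_disposition() == "attachment"]


def _text_body(msg: Message) -> str:
    chunks = []
    for p in msg.walk():
        if p.get_content_type() == "text/plain" and p.get_content_disposition() != "attachment":
            raw = p.get_payload(decode=True)
            if raw:
                chunks.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means more spearphishing traits."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    score, reasons = 0, []
    # Trait 1: a familiar display name, but the mail comes from an outside domain.
    if name in INTERNAL_DIRECTORY and _domain(sender) != INTERNAL_DOMAIN:
        score += 3
        reasons.append(f"known name '{name}' sent from external domain '{_domain(sender)}'")
    # Trait 2: an attachment is present; executable or macro-capable types weigh more.
    names = _attachments(msg)
    if names:
        score += 1
        reasons.append(f"{len(names)} attachment(s): {', '.join(names)}")
    for n in names:
        ext = "." + n.rsplit(".", 1)[-1].lower() if "." in n else ""
        if ext in RISKY_EXTENSIONS:
            score += 3
            reasons.append(f"risky attachment type {ext}")
    # Trait 3: pressure to act quickly, in the subject or the body.
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(_text_body(msg)):
        score += 2
        reasons.append("urgency language")
    return score, reasons


def triage(messages: dict[str, str], threshold: int = 4) -> list[str]:
    """Labels of messages that reach the threshold, highest score first."""
    scored = sorted(((score_message(raw)[0], label) for label, raw in messages.items()), reverse=True)
    return [label for score, label in scored if score >= threshold]


# Constructed sample: familiar name, outside domain, PDF lure, urgent subject.
SAMPLE_PHISH = """\
From: "Col. Jane Doe" <jane.doe@example-mail.net>
To: analyst@example-af.mil
Subject: Urgent: updated deployment roster
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Please review the attached roster and confirm by end of day.
--sep
Content-Type: application/pdf; name="roster.pdf"
Content-Disposition: attachment; filename="roster.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--sep--
"""

# Constructed sample: the same colleague writing from the real internal domain.
SAMPLE_BENIGN = """\
From: "Col. Jane Doe" <jane.doe@example-af.mil>
To: analyst@example-af.mil
Subject: Lunch next week
Content-Type: text/plain; charset="utf-8"

Are you free Tuesday?
"""

if __name__ == "__main__":
    for label, raw in {"phish": SAMPLE_PHISH, "benign": SAMPLE_BENIGN}.items():
        print(label, score_message(raw))
    print("escalate:", triage({"phish": SAMPLE_PHISH, "benign": SAMPLE_BENIGN}))
```

The lure message scores on all three traits and is escalated; the genuine note from the same colleague scores zero. The display-name check is the one that catches the case the article stresses, a sender the recipient recognises, and it is also the cheapest to evade by registering a lookalike domain, which is why the score combines several traits rather than relying on one.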

China has been a major user of spearphishing, and apparently the Chinese government and independent Chinese hackers have been a major force in coming up with new spearphishing payloads. This has led to China becoming the home of nearly half the APTs known to exist. The methods and sources of many spearphishing attacks have been traced back to China. In 2010, Internet security researchers discovered a China-based espionage group, called the Shadow Network, which had hacked into PCs used by military and civilian personnel working for the Indian armed forces and made off with huge quantities of data. Examination of the viruses and related bits of computer code indicated that most of this material was created by Chinese-speaking programmers, and all movement of commands and stolen data led back to servers in China. Since China is an ally of the Assad government, the SEA has access to the best spearphishing tools.

China's Cyber War hackers have become easier to identify because they have been getting cocky and careless. Internet security researchers have found identical bits of code (the human-readable text that programmers create and then turn into smaller binary code for computers to use), and techniques for using it, in hacking software used against Tibetan independence groups and commercial software sold by some firms in China and known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than this. The White Company is a good example of that.
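The paragraph above describes attribution by code reuse: identical fragments turning up in tooling used against Tibetan groups and in commercial software from the same firms. The mechanics of that comparison are straightforward and are shown in the following added example, which is not code from the article or from any research team it mentions. The three byte blobs and the reused fragment are constructed stand-ins, not real malware; the two techniques shown, shared byte n-grams and the longest common substring, are standard similarity measures and not a description of any particular researcher's method:

```python
"""Shared-code fingerprinting for attribution, as the article describes it.

Added example, not from the article. Two of the three byte blobs below stand
in for code recovered from different intrusions that happen to embed the same
reused fragment; the third is unrelated. All three, and the fragment itself,
are constructed for the demo and are not real malware.
"""
from itertools import combinations

# Constructed 'fingerprint': a misspelled status string that a developer reused
# across builds. Typos like this survive recompilation and are a classic tell.
SHARED_FRAGMENT = b"Conection established to %s:%d\x00"

SAMPLES = {
    "tibet-lure":   b"alpha-tool-build-0xA1\n" + SHARED_FRAGMENT + b"\nmode=remote-shell\n",
    "vendor-agent": b"vendor-agent-v2 " + SHARED_FRAGMENT + b"|mode=license-check",
    "unrelated":    b"0123456789" * 6,
}


def byte_ngrams(data: bytes, n: int = 8) -> set:
    """All length-n byte windows of data; n=8 is long enough to be meaningful."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = 8) -> float:
    """Fraction of shared n-grams across both samples (0.0 = nothing in common)."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def longest_shared_run(a: bytes, b: bytes, min_len: int = 8) -> bytes:
    """Longest byte string common to both samples, or b"" if under min_len.

    Plain dynamic-programming longest-common-substring; fine for the small
    inputs an analyst pulls out of a disassembler, not for whole binaries.
    """
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end] if best_len >= min_len else b""


def link_samples(samples: dict, threshold: float = 0.05) -> list:
    """Pairs whose n-gram similarity passes the threshold, with the shared run."""
    links = []
    for (name_a, a), (name_b, b) in combinations(samples.items(), 2):
        sim = jaccard(a, b)
        if sim >= threshold:
            links.append((name_a, name_b, round(sim, 3), longest_shared_run(a, b)))
    return links


if __name__ == "__main__":
    for link in link_samples(SAMPLES):
        print(link)
```

Only the two samples that embed the reused string are linked; the unrelated blob shares no 8-byte window with either. The n-gram score says how much overlaps, the longest common run says what overlaps, and it is the second that an analyst takes to a report, since a human can judge whether a shared string is a real developer fingerprint or just a common library.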

It's also been noted that Chinese behavior is distinctly different from that encountered among East European hacking operations. The East European hackers are more disciplined and go in like commandos and get out quickly once they have what they were looking for. The Chinese go after more targets with less skillful attacks and stick around longer than they should. That's how so many hackers are tracked back to China, often to specific servers known to be owned by the Chinese military or government research institutes.

The East Europeans have been at this longer and most of the hackers work for criminal gangs, who enforce discipline, select targets, and protect their hackers from local and foreign police. The East European hacker groups are harder to detect (when they are breaking in) and much more difficult to track down. Thus the East Europeans go after more difficult (and lucrative) targets. The Chinese hackers are a more diverse group. Some work for the government, many more are contractors, and even more are independents who often slip over to the dark side and scam Chinese. This is forbidden by the government and these hackers are sometimes caught and punished, or simply disappear. The Chinese hackers are, compared to the East Europeans, less skilled and disciplined. There are some very, very good Chinese hackers but they often lack adult supervision (or some Ukrainian gangster ready to put a bullet in their head if they don't follow orders exactly).

For Chinese hackers that behave (that is, don't commit cybercrimes against Chinese targets) the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can't handle. This was seen recently when a group of hackers were caught trying to get into a high-security network in the White House (the one dealing with emergency communications with the military and nuclear forces). These amateurs are often caught and prosecuted. But the pros tend to leave nothing behind but hints that can be teased out only by heavy use of data mining and pattern analysis.