Winning: Lurking In The Shadows

May 2, 2019: In early 2019 a new family of hacker software was discovered and named TajMahal. Toolkits like this are loosely called APTs (Advanced Persistent Threats), although strictly the term describes the group behind them: usually a government or a major criminal gang that carries out large-scale, persistent intrusions over years to steal money or information. TajMahal was unusual for several reasons. First, it had apparently been in use since 2013 and, until now, had gone undetected. That is a big win for an APT because, once the existence of a new one is confirmed, defenders worldwide put a lot of effort into updating their defenses and rendering the newly discovered toolkit less effective.

The TajMahal software was apparently created from scratch and shares no code with tools used by any other known hacker group or APT. In other words, TajMahal was not only unique but, as yet, researchers have been unable to figure out who created it and which nation or hacker organization was responsible for using it for so long without detection. TajMahal contains at least eighty separate modules covering a large range of malware (hacker software) tasks, including collecting files from USB drives and documents sent to a print queue. In other words, TajMahal has all the known tools for secretly getting into a network and stealing data. Now that TajMahal has been identified, APT researchers can search for more victims, find out where the stolen data ended up and work out who TajMahal was created for.

Hacking has gone pro since the late 1990s, and one side effect is the creation of many unique terms to describe all the things hackers can do and the growing list of tools created to do it. To help with that, there is a list of hacker terms, in plain English, at the end of this piece. What this all means is that nations see Cyber War weapons as major components of their military power. This came into focus as the Internet and the World Wide Web became widely used and truly international after 2005. Within a decade researchers began to encounter toolkits like TajMahal and, before that, the White Company. These major malware systems came to be called APTs and that said it all. The White Company was identified by computer security companies as it quietly tried to hack its way into Pakistani Air Force networks during 2017 (the campaign was documented publicly in 2018). White Company was deliberate, effective and discreet. It was called the “white” company because the group placed a premium on concealing its operations as well as its origins. This sort of thing was first noted in 2010 when Stuxnet was discovered and attributed to an Israeli-American state-level effort that produced a very elaborate, professional and stealthy bit of malware that did major damage to the Iranian nuclear program. In 2018 Iranian officials said the country had been hit with a similar but even more elaborate Stuxnet-like attack; its source is still unknown and the Iranians would rather not talk about it.

Another major revelation came in May 2017 when one bit of Internet-based criminal activity made headlines worldwide for reasons that took a while to emerge, both to the general public and to Internet security professionals. The incident began with the activation of ransomware called WannaCry. What made WannaCry so dangerous was that it combined ransomware with a worm: a component that scanned for Microsoft Windows computers with a known but unpatched flaw in the SMB file-sharing service (TCP port 445), exploited that flaw to plant a hidden (but findable) backdoor on each, and used the backdoor to install another copy of WannaCry. Malware that spreads itself this way is called a worm, and it depends on other computers being vulnerable enough to have software installed without anyone clicking on anything. With WannaCry, any Windows machine reachable on port 445 that had not installed the March 2017 patch (MS17-010) was vulnerable, which in practice meant a lot of corporate and government networks.

What made this newsworthy was that the worm depended on an exploit stolen from the NSA (the American National Security Agency) and published in April 2017 by a group calling itself the Shadow Brokers (not Wikileaks, which released a separate trove of CIA tools that year). The NSA tool was called EternalBlue and it used what had been a ZDE (Zero Day Exploit), stockpiled by the NSA for possible Cyber War operations, for a flaw in Windows network file-sharing software. Microsoft had patched the flaw in March 2017, a month before the leak, so by the time WannaCry appeared it was a known vulnerability that a great many systems had simply not patched. How the first machines were infected is still debated; once one PC was infected, EternalBlue let WannaCry quietly insert itself into every unpatched PC on the same network and into random addresses on the public Internet as well.
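To make the worm behaviour concrete, here is an added detection example (not WannaCry's code and not from the original article): a small Python script that reads connection-log lines in a constructed format and flags any host that reaches many distinct machines on TCP/445 within a short window, which is what an SMB worm looks like from the network side. The log format, the addresses and the thresholds are assumptions made for this example.

```python
"""Flag worm-like SMB fan-out in connection logs (added example).

Log format is constructed for this example:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <state>
A host that attempts connections to many distinct destinations on
port 445 in a short time is behaving like the WannaCry worm; a normal
client talks to a few file servers repeatedly.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps twelve neighbours on 445 in twelve
# seconds (worm-like); 10.0.0.9 talks to one file server repeatedly and
# makes one HTTPS connection (normal behaviour).
SAMPLE_LOG = "\n".join(
    [f"{1494586800 + i} 10.0.0.5 10.0.0.{20 + i} 445 SYN" for i in range(12)]
    + [f"{1494586800 + 5 * i} 10.0.0.9 10.0.0.2 445 SYN" for i in range(12)]
    + ["1494586803 10.0.0.9 93.184.216.34 443 SYN"]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, state)."""
    ts, src, dst, port, state = line.split()
    return int(ts), src, dst, int(port), state


def detect_fanout(lines, port=445, window=60, threshold=10):
    """Return {src: (distinct_targets, first_ts, last_ts)} for every source
    that reaches at least `threshold` distinct destinations on `port`
    within any `window` seconds. The tuple describes the densest window."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, p, _state = parse_line(line)
        if p == port:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold and (best is None or len(distinct) > best[0]):
                best = (len(distinct), evs[start][0], evs[end][0])
        if best is not None:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, (n, first, last) in detect_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {n} distinct hosts on 445 between {first} and {last}")
```

Tune `threshold` and `window` to the environment; vulnerability scanners and backup servers will trip this and need an allowlist. The same check applied to port 445 connections leaving the network for Internet addresses is a strong signal on its own, since SMB has no business crossing the perimeter.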

All this was news for several reasons. First, the attack could have been a lot more effective than it was except for a hidden flaw (a kill switch): before spreading, the malware checked whether a particular unregistered domain name answered, and shut itself down if it did. A British malware researcher found the domain in the code and registered it within hours of the outbreak, and White Hat hackers worldwide then watched for new variants with different domains and registered those too. Then the incident became even more mysterious. While over 200,000 PCs in some 150 countries were infected with WannaCry and had their files encrypted, only a few hundred victims (roughly one in a thousand) paid the $300 (in bitcoin, rising to $600 after three days) ransom. Most of those who paid received nothing, because the malware had no reliable way to tell which victim had paid. The payments (about 52 bitcoin, worth roughly $140,000 at the time) went to three bitcoin addresses hardcoded in the malware; these were watched closely by researchers until the funds were moved out in August 2017.

Meanwhile, the White Hats, network security companies and intel agencies were scrutinizing WannaCry in detail. The computer code and other evidence indicated that this attack was the work of North Korean government hackers, who do it mainly for the money because North Korea is broke and run by a ruthless but economically inept dictator. It did not make much sense for North Korea to unleash WannaCry because many of the victims were in the few countries (China and Russia) that still supported North Korea. These two countries were hard hit because both depend heavily on illegal copies of Windows and other software. Pirated Windows installs are commonly set up to avoid Microsoft's update service (so the copy is not flagged), and their users instead rely on other hackers who supply patches for a fee, or go without. Worse, even though Microsoft regularly releases free updates via the Internet, many legitimate users do not immediately apply them (because updates sometimes break something else). At the end of 2017 the United States announced that it considered WannaCry a product of the North Korean government hacking operation, and several Western nations agreed. WannaCry variants are still in circulation; one caused a major outbreak at a Taiwanese chip fabrication plant in August 2018.

WannaCry is one of those mysteries that took a while to understand and may never be fully “solved” because so many black hat hackers are involved, operating at different skill levels and with different objectives. It later turned out that versions of WannaCry had been used in late April 2017 and perhaps even earlier. Based on past experience with malware, variants keep appearing until enough users are aware of the threat and enough security software has been updated to recognize and defeat the tools WannaCry employs; the only lasting fix is to install the patch and stop exposing port 445. North Korea never admitted it created WannaCry, but someone subsequently released improved versions, and so far WannaCry has inflicted damage costing victims an estimated four billion dollars.

There have been many revelations in the last decade. For example, North Korea has emerged as a major APT operator. Long believed to be nonexistent, North Korean cyberwarriors did exist and were not an invention of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues since the early 1990s, and its Mirim College program quietly trained Internet engineers and hackers. North Korea has a unit devoted to Internet-based warfare and this unit is increasingly active. North Korea is now considered a major player.

What most of these large-scale attacks have in common is the exploitation of human error. A case in point is the continued success of attacks via the Internet against specific civilian, military and government individuals using psychology rather than just technology. This is usually carried out in the form of an official-looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting but which appears to come from someone they recognize. This is known in the trade as spear phishing (often misspelled “spear fishing”), a Cyber War technique that sends official-looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends files and information from the recipient's PC to a server the attacker controls. The attachment is typically a document whose viewer has a flaw the attacker can exploit, or one carrying a macro or script the victim is coaxed into enabling. For the last few years an increasing number of military, government and contractor personnel have received these official-looking emails with a PDF document attached and a request for prompt attention. This is what the White Company used, on a large and detailed scale, against the Pakistani Air Force.
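The signals a mail gateway can check for are mechanical enough to show in code. The following is an added example, not from the article or any vendor product: a Python script that parses a constructed email with the standard library and scores the spear phishing indicators described above (a display name that matches a known colleague but an address that does not, a Reply-To that diverges from From, urgency language, and an unexpected attachment of a type that can carry an exploit or macro). The home domain, the contact directory and both sample messages are assumptions made for this example.

```python
"""Score an inbound email for spear phishing indicators (added example).

The organisation domain, contact directory and sample messages below
are constructed for this example.
"""
import email
from email import policy

TRUSTED_DOMAIN = "example.mil"                             # assumed home domain
KNOWN_CONTACTS = {"Col. J. Smith": "j.smith@example.mil"}  # constructed directory
RISKY_EXTENSIONS = {".pdf", ".doc", ".docm", ".xls", ".xlsm", ".rtf",
                    ".js", ".vbs", ".hta", ".lnk", ".exe", ".scr", ".iso", ".zip"}
URGENCY_PHRASES = ("immediately", "urgent", "prompt attention", "asap",
                   "within 24 hours")

# Constructed lure: look-alike domain, impersonated display name,
# foreign Reply-To, urgency wording and a PDF attachment.
SAMPLE_EML = b"""\
From: "Col. J. Smith" <j.smith@example-mil.com>
To: analyst@example.mil
Reply-To: docs@mailer-service.net
Subject: Revised deployment schedule - prompt attention required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please review the attached schedule immediately and confirm.

--B
Content-Type: application/pdf; name="schedule.pdf"
Content-Disposition: attachment; filename="schedule.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B--
"""

# Constructed benign message from the real colleague.
BENIGN_EML = b"""\
From: "Col. J. Smith" <j.smith@example.mil>
To: analyst@example.mil
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free Thursday?
"""


def first_address(msg, header):
    """Return (display_name, lower-cased addr_spec) of the first address in `header`."""
    h = msg.get(header)
    if h is None or not h.addresses:
        return "", ""
    return h.addresses[0].display_name, h.addresses[0].addr_spec.lower()


def triage(raw, trusted_domain=TRUSTED_DOMAIN, contacts=KNOWN_CONTACTS):
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    name, addr = first_address(msg, "From")
    domain = addr.rsplit("@", 1)[-1]
    if domain != trusted_domain:
        findings.append(f"external sender domain: {domain}")
    if name in contacts and contacts[name].lower() != addr:
        findings.append(f"display name impersonates {contacts[name]}")

    _, reply_to = first_address(msg, "Reply-To")
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To differs from From: {reply_to}")

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " +
            (body.get_content() if body else "")).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        findings.append("urgency language")

    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = fname[fname.rfind("."):] if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {fname}")
    return findings


def verdict(findings):
    """Crude policy: three or more signals quarantine, any signal gets a look."""
    if len(findings) >= 3:
        return "quarantine"
    return "review" if findings else "deliver"


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        found = triage(raw)
        print(label, verdict(found), found)
```

None of these checks is decisive on its own (real colleagues do send urgent PDFs), which is why the verdict counts signals rather than acting on any one. A production gateway would add sender authentication results (SPF, DKIM, DMARC) and detonate the attachment in a sandbox before delivery.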

Another recent example of the continued effectiveness of these deceptive techniques is the repeated use of spear phishing by a group of Iranian-backed Syrian hackers calling themselves the Syrian Electronic Army (SEA). This began as a small group of hackers loyal to the Assad dictatorship in Syria. The SEA has used spear phishing to hack into media sites. Most media companies have software and personnel rules in place to block such attacks, but there are so many email accounts to attack and only one victim has to respond for the SEA to get in (using the login data captured from the compromised account). The automated defenses are supposed to block the actions of the hacker software that is triggered when the victim opens the attachment, but hackers keep finding exploitable vulnerabilities in the defenses themselves, and those work until the vulnerability is detected and patched. The SEA evolved over the last five years into a major Iranian-aligned APT.

China has been a major user of spear phishing, and apparently the Chinese government and independent Chinese hackers have been a major force in coming up with new spear phishing payloads. This has led to China becoming the home of nearly half the APTs known to exist. The methods, and source, of many spear phishing attacks have been traced back to China. In 2010 Internet security researchers discovered a China-based espionage group, called the Shadow Network, which had hacked into PCs used by military and civilian personnel working for the Indian armed forces and made off with huge quantities of data. Examination of the malware and related bits of computer code indicated that most of it was created by Chinese-speaking programmers, and all movement of commands and stolen data led back to servers in China. Since China is an ally of the Assad government, the SEA apparently has access to the best spear phishing tools.

China's Cyber War hackers have become easier to identify because they have been getting cocky and careless. Internet security researchers have found identical fragments of code, and identical techniques for using it, in hacking software used against Tibetan independence groups and in commercial software sold by some Chinese firms known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. (Attribution work like this compares the compiled programs recovered from victims, since the attackers' source code, the human-readable text that programmers write and then compile into binary code, is rarely available.) The best hackers hide their tracks better than this. The White Company is a good example of that.
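The kind of code-overlap comparison researchers use to link samples can be sketched in a few dozen lines. What follows is an added example, not any vendor's attribution tool and not from the article: it hashes every k-byte window of two binaries, reports a Jaccard similarity between the window sets, and lists the contiguous regions of the first file that also occur in the second. The sample "binaries" are constructed pseudo-random blobs that share one 200-byte segment; real work adds disassembly-aware features (per-function hashes, string sets, compiler artefacts), but raw byte windows are the simplest version that still finds a copied module.

```python
"""Measure code overlap between two binaries with k-gram hashing (added example).

Samples are constructed: A and B share a 200-byte "loader" segment, C is unrelated.
"""
import hashlib


def blob(seed, n):
    """Deterministic pseudo-random bytes for constructing sample inputs."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


SAMPLE_A = blob("a-only", 300) + blob("shared-loader", 200) + blob("a-tail", 100)
SAMPLE_B = blob("b-only", 400) + blob("shared-loader", 200)
SAMPLE_C = blob("unrelated", 600)


def window_hash(chunk):
    """64-bit hash of one byte window; collisions are negligible at this size."""
    return hashlib.blake2b(chunk, digest_size=8).digest()


def shingles(data, k=8):
    """Set of hashes of every k-byte window of `data`."""
    if len(data) < k:
        return {window_hash(data)}
    return {window_hash(data[i:i + k]) for i in range(len(data) - k + 1)}


def jaccard(a, b):
    """Similarity in [0, 1] between two shingle sets."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def shared_regions(a, b, k=8, min_len=32):
    """Byte ranges [start, end) of `a` whose every k-window also occurs in `b`,
    keeping only runs at least `min_len` bytes long (shorter hits are noise)."""
    in_b = shingles(b, k)
    regions, start = [], None
    for i in range(len(a) - k + 1):
        if window_hash(a[i:i + k]) in in_b:
            if start is None:
                start = i
        elif start is not None:
            end = i - 1 + k  # the last matching window began at i-1
            if end - start >= min_len:
                regions.append((start, end))
            start = None
    if start is not None and len(a) - start >= min_len:
        regions.append((start, len(a)))
    return regions


if __name__ == "__main__":
    print("A~B", round(jaccard(shingles(SAMPLE_A), shingles(SAMPLE_B)), 3),
          shared_regions(SAMPLE_A, SAMPLE_B))
    print("A~C", round(jaccard(shingles(SAMPLE_A), shingles(SAMPLE_C)), 3),
          shared_regions(SAMPLE_A, SAMPLE_C))
```

Byte-level shingles are brittle against recompilation or packing, so unpack first and, where possible, hash per function rather than per window. The `min_len` filter matters: short matches come from shared library code and compiler prologues and say nothing about who wrote the malware.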

It has also been noted that Chinese behavior is distinctly different from that encountered among East European hacking operations. The East European hackers are more disciplined; they go in like commandos and get out quickly once they have what they were looking for. The Chinese go after more targets with less skillful attacks and stick around longer than they should. That is how so many hackers are tracked back to China, often to specific servers known to be owned by the Chinese military or government research institutes.

The East Europeans have been at this longer and most of their hackers work for criminal gangs, which enforce discipline, select targets, and protect their hackers from local and foreign police. The East European hacker groups are harder to detect (when they are breaking in) and much more difficult to track down afterwards. Thus the East Europeans go after more difficult (and lucrative) targets. The Chinese hackers are a more diverse group. Some work for the government, many more are contractors, and even more are independents who often slip over to the dark side and scam Chinese victims. This is forbidden by the government and these hackers are sometimes caught and punished, or simply disappear. The Chinese hackers are, compared to the East Europeans, less skilled and disciplined. There are some very, very good Chinese hackers but they often lack adult supervision (or some Ukrainian gangster ready to put a bullet in their head if they don't follow orders exactly).

For Chinese hackers who behave (don't commit cybercrimes against Chinese targets) the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can't handle. This was seen recently when a group of hackers was caught trying to get into a high-security network in the White House (the one dealing with emergency communications with the military and nuclear forces). These amateurs are often caught and prosecuted. But the pros tend to leave nothing behind except hints that can only be teased out by heavy use of data mining and pattern analysis.

Glossary of Cyber War Terms

APT – Advanced Persistent Threat. Strictly, the group behind a long-term hacking operation; loosely, the operation and its toolkit. These are now usually government-created or government-supported organizations. Most of the known ones are Chinese, followed by Russian and Iranian. Israel, North Korea and the United States tend to have one main APT operation plus a few much smaller ones.

Backdoor – A hidden way into a computer or program that bypasses the normal login, so that anyone who knows about it (or holds the secret command or key) can get in. Hackers install backdoors so they can return later; WannaCry's worm planted one on every machine it exploited.

Bitcoin – A “cryptocurrency,” money based on software rather than physical (paper and coin) media. Bitcoin is one of the first and most widely used. There are online markets for buying and selling bitcoins. Anyone can create a bitcoin address (held in a “wallet”) that others can send bitcoin to without knowing who controls the private key for it. Every payment is recorded on a public ledger, so the flow of money can be watched by anyone, but linking an address to a person takes real effort; owners who are not careful about how they cash out can be discovered.

Black hat hacker- Someone who uses their programming skills to create or modify software for criminal purposes.

Computer code – Software, a computer application the user (or the computer itself) employs to perform a task. What most users encounter is “executable code.” An executable makes no sense if you open it in a word processor, where it appears as seemingly random digits, letters and symbols. But the “source code” that a programmer writes is readable text that makes sense, depending on how much you know about programming.

Cyber War – Attacking someone else (or defending against such attacks) via computers, usually over the Internet. In peacetime, Cyber War is mostly about espionage or, in the case of North Korea, financing a failed dictatorship.

Decryption – The process by which software turns encrypted (unusable) computer data back into its original form. This requires the right decryption key, which may itself be unlocked by a password.

Encryption – The process by which software turns computer data from its original form into something unusable until converted back (decrypted). An encryption key (often derived from a password) is used to encrypt a file or program, and only the matching key can decrypt it.

EternalBlue – An exploit developed by the NSA for a flaw in Microsoft's SMB network file-sharing software (patched in March 2017 as MS17-010). EternalBlue was stolen from the NSA and published by the Shadow Brokers group in April 2017; WannaCry used it a month later.

Fishing – Common misspelling; see Phishing.

Five Eyes – As used here, the countries (Israel, Iran, China, Russia and North Korea) most active in organized hacking for information, Cyber War weapons development or cash. Using “Five Eyes” for the source of most APTs is a play on the earlier use of the term for the post-World War II alliance of Australia, Canada, New Zealand, Britain and the United States to collect and share electronic intelligence.

Hackers – Programmers who are particularly skilled and eager to create new code or improve existing code. “Hack” in the sense of clever tinkering with a system long predates its use for breaking into computers.

Illegal software- Software that is protected (games, major applications, operating systems) but has those protections disabled and then sold, or distributed for free.

Kill switch – A capability (usually kept secret) built into software that allows the program to be turned off remotely (usually via the Internet). WannaCry's was a check for a domain name that did not exist; once someone registered the domain, every copy that could reach it stopped spreading.

Malware – Software created to do something harmful (usually illegal and secretly.)

NSA (American National Security Agency) – A post-World War II U.S. government agency responsible for creating new secret codes (encryption), for breaking the encryption used by others and for intercepting foreign communications. NSA became the lead agency for Internet-based intelligence and for developing Cyber War tools.

Phishing – Sending a message (usually email) that carries a file attachment or a link which, if opened, secretly installs malware on the recipient's computer or steals their login details.

Programmer – Someone who can create an app (application). For most it is a job; for some (hackers) it is a passion.

Source code – The readable program text that is compiled into unreadable but useful “executables” that users refer to as apps. Programmers create and modify source code; malware investigators usually have only the executable and must work backwards from that.

Ransomware – Malware that secretly encrypts the files on a hard drive and then offers the user the decryption key for $300 to $600 (or more). The relatively low ($300) demand was found to be the most profitable (for the black hat) because most victims would rather pay that amount than permanently lose access to their data.

Security software – Programs that usually run automatically on your PC to detect malware and deal with it. Black hats must continually update their malware to cope with constantly updated security software.

Social engineering – Exploiting human nature to get malware onto a system. This is what phishing and spear phishing attacks depend on.

Spear phishing – A phishing operation where targets are carefully chosen and researched before putting together the attack. Despite software and user rules meant to block such attacks, there are so many email accounts to attack and only one victim has to respond to a bogus email with a “vital attachment” that must be “opened immediately.” Among the favored targets is anyone who can provide access to something worth stealing via an Internet connection. This often means business executives as well as senior civilian officials in government and the Internet security industry.

TajMahal-A sophisticated and scary new APT that went undetected for five years until it was identified in early 2019. Who or what (nation) created TajMahal is still unknown.

Updates- Modifications to apps and operating systems that are usually sent out and installed automatically these days.

WannaCry – Ransomware with a built-in worm, released in May 2017, that spread using EternalBlue, an exploit stolen from the NSA.

White Hat hacker – Someone who uses their programming skills to find flaws and protect software and networks from Black Hats (criminal programmers).

Wikileaks – An organization that accepts leaked documents and distributes them on the Internet. Whether this is a public service or a criminal act depends on who is being hurt by the leaked material. Most governments consider Wikileaks a hostile or criminal group.

ZDE (Zero Day Exploit) – Working attack code for a flaw that the software's publisher does not yet know about (a “zero day” vulnerability, so called because the publisher has had zero days to fix it), which lets whoever holds it get into networks and PCs secretly. ZDEs have become very expensive because in the right hands they enable criminals to pull off a large online heist or simply maintain secret control over thousands of computers. They have also become the very expensive and highly perishable ammunition of Cyber War. The most successful hackers use high-quality ZDEs. Not surprisingly, ZDEs are difficult to find and can be sold on the black (or legitimate) market for hundreds of thousands of dollars. Their value drops when the publisher becomes aware of the flaw and patches it, but not every user applies the patch right away, if ever, which is why EternalBlue still worked for WannaCry.