Russia's Greatest Weapon May Be Its Hackers - Russian Hackers (1)
In hacker jargon, it’s called a “cyber-to-physical effect.” It’s when a hacker reaches out from the virtual world into the real one—often with catastrophic consequences. The Americans and Israelis pioneered the technique back in 2009 when the Stuxnet program infiltrated Iranian computer systems and wrecked thousands of uranium-enriching centrifuges. But now other players—especially the Russians and Chinese—are getting into the game of remotely using computer networks to destroy infrastructure and threaten human lives. Last year, according to a report by Germany’s Federal Office for Information Security, a blast furnace melted down in an unnamed industrial city in Germany after a digital attack on its control systems, causing “massive damage.”
It nearly happened in the United States too, when unknown hackers succeeded in penetrating U.S. electrical, water and fuel distribution systems early in 2014.
While old-fashioned, relatively low-tech data hacks make headlines—for instance, high-profile break-ins over the last 12 months to the email systems and databases of the White House, State Department, Department of Homeland Security, Department of Defense and Sony Pictures Inc.—what has security officials seriously worried is the new and dangerous world of cyber-to-physical infrastructure attacks.
“This is not theoretical,” National Security Agency Director Admiral Michael Rogers told the U.S. House of Representatives’ Intelligence Committee recently. Hacking attacks on the U.S. and its allies are “costing us hundreds of billions of dollars,” Rogers warned, and will result in “truly significant, almost catastrophic failures if we don’t take action.”
According to Alexander Klimburg, an affiliate of the Harvard Kennedy School of Government’s Belfer Center and senior research fellow at the Hague Centre for Strategic Studies, “cyberspace today is like Europe in 1914, before World War I. Governments are like sleepwalkers. They do not comprehend the power of new technology and the consequences of misunderstanding each other’s activities.”
According to the U.S. Intelligence Community’s 2015 “Worldwide Threat Assessment” report, Russia and China are the “most sophisticated nation-state actors” in the new generation of cyberwarfare, and Russian hackers lead in terms of sophistication, programming power and inventiveness. “The threat from China is overinflated, while the threat from Russia is underestimated,” says Jeffrey Carr, head of Web security consultancy Taia Global and author of the book Inside Cyber Warfare. “The Russians are the most technically proficient. For instance, we believe that Russian hackers-for-hire were responsible for the Sony attack.”
Last year hackers gained access to thousands of Sony company emails and threatened further damage unless a film lampooning North Korean leader Kim Jong Un was withdrawn from cinemas. “We spoke to [one of the hackers] via an intermediary,” says Carr. “Even after Sony lost 80 percent of its network capability, the hackers were still operating. That shows an incredibly high level of technical ability.”
The Moscow connection is worrying because Russia is the only country to date to have combined cyberwarfare with assaults by conventional guns and tanks. “The Russia-Georgia war of 2008 was a perfect example of a combined kinetic and cyber operation,” says Carr. “Nobody else has ever done anything like that.”
Similarly, in the wake of Russia’s annexation of Crimea in April 2014, ground assaults were accompanied by a deluge of mostly low-tech cyberassaults on over a hundred government and industrial organizations in Poland and Ukraine, as well as attacks on the European Parliament and the European Commission. Many of these attacks featured a modified version of “BlackEnergy,” a kind of malware program known as a Trojan horse that is designed to remotely take over computers. A network of such infected computers, or “bots,” is known as a “botnet.” This can be mobilized to overwhelm a target server with requests for information and crash it—an attack known as Distributed Denial of Service, or DDoS.
“The BlackEnergy malware was authored by a Russian hacker and originally used for DDoS attacks, bank frauds and spam distribution,” says Pierluigi Paganini, founder of the Security Affairs blog and a member of a European Union Agency for Network and Information Security working group. “But the new variant was used in targeted attacks on government entities and private companies across a range of industries.”
One of the biggest mysteries of the latest generation of cyberattacks—known in the U.S. government as Offensive Cyber Effects Operations—is working out who is behind them and whether they are being launched with political or criminal intent.
What’s not in doubt is that Russian hackers have long been kings of the cybercrime world. A group of Russians and Ukrainians were named by U.S. federal prosecutors as being behind the biggest cybercrime case in U.S. history, a bank-card fraud spree from 2010 to 2013 that cost companies including J.C. Penney, JetBlue and French retailer Carrefour more than $300 million. A group of Russian “click-jackers” were convicted in the U.S. last year for hijacking users of Apple's iTunes store, Netflix, the U.S. Internal Revenue Service, Amazon.com, ESPN.com and the Wall Street Journal website—as well as computers at NASA.
Another as-yet-unidentified hacking ring, based in a small city in south-central Russia, stole some 1.2 billion Internet logins and passwords and more than 500 million email addresses last year by plundering data from more than 400,000 websites, according to U.S. cybersecurity firm Hold Security. And in February the Moscow-based Internet security company Kaspersky Labs revealed details of the biggest Internet heist of all time—a raid on over 100 banks in Russia, Ukraine, Japan, the United States and Europe from 2013 to 2014. Kaspersky reported seeing evidence of $300 million in losses just from the banks that had hired it to clean up the mess—and estimated that the total amount stolen was likely to be around $900 million.
“This is cybercrime on an industrial scale,” says one Moscow-based Western Internet security consultant, who helped overhaul several Russian banks’ defenses in the wake of the attack. “In one case in Kiev, they made the bank’s ATMs spew out money, which was collected by people walking by.” The techniques used to break into the bank’s electronic systems via flaws in Adobe and Microsoft programs “were not particularly sophisticated,” says the consultant, “but it was amazing how careful they were not to alert the victims and to keep their backdoor into their systems a secret.”
The exact nature of the links between these criminal hackers and the Russian government remains murky. “Cybercrime, cyberterrorism and cyberwarfare share a common technological basis, tools, logistics and operational methods,” says Klimburg. “They can also share the same social networks and have comparable goals. The differences between these categories of cyberactivity are often razor-thin. It’s hard to distinguish in cyberspace between financial and political motivation.”
In particular, the methods of delivering malware into a target computer are identical. Hackers seek vulnerabilities in popular programs that allow them to introduce alien code, in particular a weak spot in the code known as a “zero-day,” meaning it remains unpatched and can be used for an attack before it is discovered by everyone else, so there are zero days between an attack and the discovery of the vulnerability. A good zero-day vulnerability can be sold for $200,000, says Klimburg, but there are many examples of Russian hackers “lending” their zero-day hacks to the government for espionage purposes, then using them for crime later.
“Hundreds of ‘black-hat’ Russian hackers are doing this for a living—whether it’s at the order of Swiss bankers or Ukrainian oligarchs,” says Carr. “Russian hackers who are caught are given the choice to work for the FSB [Federal Security Service] or to go to jail. The FSB also has some on contract hire.”
There is strong evidence, going back to cyberattacks on Estonia as early as 2007, that Russian cybercriminals were working either with or for the Russian state. But now, it seems, the Kremlin is getting directly involved. U.S. Director of National Intelligence James Clapper told the Senate Armed Services Committee in March that Russia’s Ministry of Defense is “establishing its own cybercommand” responsible for “conducting offensive cyberactivities.” And the Russian government appears to be stepping up funding for the research and development of cybertechnology at world-class computer science centers such as the prestigious St. Petersburg Polytechnic University and Samara State University, according to information gathered by Seattle-based Taia Global.
Possible evidence linking recent hacking attacks on the U.S. government to the Russian state includes the digital signatures of a hacker group known as Advanced Persistent Threat 28 (or APT28, identified by the U.S.-based Internet security company FireEye) and a family of hackers labeled CozyDuke, CosmicDuke, MiniDuke and OnionDuke (spotted by Kaspersky Labs). These groups, which may or may not be related, have some giveaway signatures that tie them to Russia. “Indicators in APT28’s malware suggest that the group consists of Russian speakers operating during business hours in Russia’s major cities,” says a recent FireEye report. “More than half of the malware samples...attributed to APT28 included Russian-language settings.”
But the real giveaway is not the forensics of the APT28 codes but their targets over the past five years, which have included Georgia’s ministries of internal affairs and defense, the Polish and Hungarian governments, NATO, the Organization for Security and Co-operation in Europe, the Norwegian army and U.S. defense contractors. The APT28 hacking crew “does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence,” says FireEye. “That would be most useful to a government.”
Though there is evidence that the development teams of APT28 and the CosmicDuke, MiniDuke and OnionDuke “worked together and shared the same knowledge and coding techniques,” and that they all have Russian origins, it’s likely they are separate groups, says Paganini. “All these groups are state-sponsored hackers, probably backed by the Russian government, though it is likely that they operate under different divisions of the same cyberarmy.”
Was APT28—and the Kremlin—behind hacking attacks on the White House and State Department this year, which cracked open confidential email records (though not, according to a spokesman, the president’s personal email)? The Kremlin strongly denies it. “We know that blaming Russia for everything has turned into a sport,” Kremlin spokesman Dmitry Peskov joked to journalists. “At least they haven't looked for Russian submarines in [Washington's] Potomac River, as has been the case in a few other countries.”
Photo: KIRILL KUDRYAVTSEV/AFP/GETTY
(To be continued)
11/19/2015