Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Wednesday, April 07, 2010

Researchers expose complex cyber espionage network

Security researchers from the Information Warfare Monitor (Citizen Lab and SecDev) and the ShadowServer Foundation have released the findings of their eight-month investigation, “Shadows in the Cloud”, detailing the inner workings of a complex cyber espionage network that systematically stole sensitive documents and correspondence from the Indian government, the United Nations and the Dalai Lama’s offices between January and November 2009.

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.  The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation.

Recovery and analysis of the exfiltrated data turned up one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six marked “RESTRICTED”, and five marked “CONFIDENTIAL”. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers, and they may have been compromised as a result of being copied onto personal computers.

Like the majority of targeted malware attacks, this one also relied on client-side exploits (Report: Malicious PDF files comprised 80 percent of all exploits for 2009) delivered through several file types (PDF, PPT, DOC) built around topics of interest to the Indian and Tibetan communities, which were then spamvertised to the victims of interest.

What’s particularly interesting about the network facilitating this cyber espionage is its mix of legitimate and purely malicious infrastructure, used not only to extend the life cycle of the campaign but also to make it harder for network administrators to detect the malicious use of popular free email providers and social networks. In fact, throughout 2009 cybercriminals continued to show interest in abusing legitimate services such as Twitter, Google Groups and Facebook as command and control servers, and Amazon’s EC2 as a backend.

Moreover, although the report logically emphasizes the actual attack vectors used in this particular cyber espionage network, there is another attack vector that has been trending over the past few years and that carries cyber espionage potential identical to that of targeted attacks in general.

Posted on 04/07