The US, China and Iran are firing the first shots in a new type of warfare being fought from the keyboard instead of the battlefield, writes John Hearne
THE evidence had been trickling in for years. As far back as 2007, hackers penetrated the Pentagon’s defences and stole plans for the F-35 Lightning II fighter, a combination stealth bomber and fighter jet that remains under development by a consortium of defence and aerospace companies.
Determining the source of attacks like these is notoriously difficult. Determining anything in relation to international cyber crime is notoriously difficult, but Pentagon officials amassed sufficient evidence to conclude that the hack originated in China.
At the time, nobody — publicly at least — connected the incursion with the Chinese military; to do so without conclusive evidence would have created a diplomatic storm. Privately however, speculation was mounting.
The intruders had copied several terabytes of data relating to the design and electronics system of the fighter, which officials said at the time could make it easier to defend against the craft. While the US military played down the attack, saying that the most sensitive data was stored on machines unconnected to the internet, the question left hanging was who might benefit from this information? A hacktivist group? None claimed responsibility.
Two years later, a Pentagon report noted that the Chinese military had made “steady progress” developing cyber warfare techniques. It said China hoped its computer skills might help compensate for the fact that its conventional military capabilities were under-developed. Though far from an accusation, the Chinese Embassy in the US reacted angrily, saying in a statement that China “opposes and forbids all forms of cyber-crimes”. It accused the Pentagon of stirring up “China threat sensations” and said that the report was “a product of the Cold War mentality”.
Cyber security firm Mandiant is at the forefront of the war against cyber espionage. It characterises identifiable groups behind attacks such as the theft of the warplane’s plans as ‘Advanced Persistent Threat’ groups, or APT groups. In 2010, a report from the company said that while the Chinese government may authorise much of the hacking activity, there was no way to determine the extent of its involvement.
What are the Chinese interested in exactly? The answer, it would appear, is everything. The Washington Post carried a story in February in which web security experts asserted that Chinese hackers had infiltrated almost every Washington agency in the last few years: law firms, think tanks, news organisations, human rights groups, etc. The aim, we are told, is to understand more clearly how power is brokered in the US capital.
But it’s not all about eavesdropping on Washington. Companies as diverse as Lockheed Martin and Coca-Cola have reported that the Chinese have infiltrated their systems.
As the evidence mounted, the rhetoric began to heat up. In October 2011, Republican Congressman Mike Rogers said that China’s economic espionage had reached an intolerable level. “Beijing is waging a massive trade war on us all, and we should band together to pressure them to stop. Combined, the United States and our allies in Europe and Asia have significant diplomatic and economic leverage over China, and we should use this to our advantage to put an end to this scourge.”
In February, a new Mandiant report not only fingered the Chinese government, but actually identified the building from which most of the attacks emanated. Newspapers around the world carried a picture of a dreary 12-storey office block outside Shanghai, featureless apart from the red star emblazoned above the entrance foyer. This, we were told, was the HQ of the People’s Liberation Army hacking group.
Mandiant focused its report on APT1, the billing it gives to the most prolific of the many advanced persistent threat groups that it monitors. The report says: “The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities is incomplete, we have analysed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai.”
It goes on: “Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.”
Then on May 6, the Pentagon came right out and said it. The Department of Defence annual report to Congress stated that last year, numerous computer systems around the world, including those owned by the US government “continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military”.
The worry for the US military is not alone that the Chinese are watching them. “The access and skills required for these intrusions are similar to those necessary to conduct computer network attacks.”
Computer network attacks may not sound like much, but former US defence secretary Leon Panetta wants us to understand that we’re not talking simply about a website going down for a couple of hours. Last October he said that a cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. “Such a destructive cyber terrorist attack could paralyse the nation,” he claimed.
At a Business Executives for National Security gathering, Panetta warned that attackers are targeting computer control systems that operate chemical, electricity and water infrastructure, and those that guide transportation.
He said: “An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Then in March, the US intelligence community’s annual review of world threats stated that cyber attacks and cyber espionage presented a greater threat to US national security than al Qaeda. Appearing before the Senate Intelligence Committee, James R Clapper, director of national intelligence, said that it was hard to over-estimate the significance of the cyber threat.
Trying to process all of this information is fraught with difficulty. In the first instance, malware deployed for espionage purposes is exceptionally sophisticated and can roam across networks and IP addresses, exploiting security gaps in software, working undetected for years. Not only that, but the moment cyber espionage is uncovered, it becomes classified information. Almost all of the reports we have are mediated through agencies whose motives aren’t exactly clear. The essence of cyberwarfare is its inscrutability.
Because all that we are allowed to learn of cyber espionage is unverifiable, it’s difficult not to be sceptical about what does get out. Throughout the Obama administration, officials have cited the kinds of existential threats which Leon Panetta catalogued to justify increasingly tighter control of the internet.
Which brings us to CISPA — the Cyber Intelligence Sharing and Protection Act. The bill, sponsored by the aforementioned Mike Rogers, was approved by the House of Representatives in April. Now it’s before the Senate. In essence, the bill allows for voluntary information sharing between private companies and government in the event of a cyber attack. The fear for privacy campaigners is the prospect of CISPA overriding other privacy laws and giving government open door access to ordinary citizens’ information.
But defending against cyber attacks is only one side of the story. In those vitriolic rebuttals of their hacking exploits, China has frequently maintained that the US is guilty of cyber intrusions every bit as serious as those that they have been accused of.
There’s little doubt that the capability is there. If there is a US equivalent of the nondescript building in Shanghai, it is to be found inside Fort Meade, Maryland. There, tens of thousands of operatives occupy over 50 buildings in a secret city complete with its own fire department and police force. It’s protected by anti-tank barriers, electrified fences, cameras, motion sensors and guards who are armed to the teeth. This is US Cyber Command, the expansive domain of four star general Keith Alexander.
If that name sounds familiar, it’s because he’s also head of the National Security Agency, now at the centre of a storm of controversy following the recent revelations that it maintains an expansive, covert surveillance operation both on the American people and foreign nationals overseas — ie us.
In his four year tenure as head of Cyber Command, Alexander has overseen a massive expansion in its capabilities. In that time, it has been allocated huge resources while other intelligence agencies are seeing their budgets relentlessly squeezed.
While the work of Alexander’s command is of course cloaked in the blackest secrecy, it is still possible to see its fingerprints in a range of theatres around the world.
An 18-page presidential policy directive, leaked to the Guardian newspaper in January said that what it terms ‘Offensive Cyber Effects Operations’ or (OCEO) “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”.
The document goes on to say that the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power”.
But to imagine that the US is on the point of embarking on a cyber offensive for the first time would be wrong. The truth is that a cyber war is up and running, and has been for years. And China is just one front.
Saudi Aramco, the state owned natural gas and oil company in Saudi Arabia was valued at $10 trillion by the Financial Times in 2010, making it the most valuable company in the world. Last August, data on three quarters of the computers on Aramco’s main network was summarily deleted by hackers. In marked contrast to the denial and bluff that’s endemic to Sino-US cyber espionage, the perpetrators of the Aramco intrusion did nothing to hide their identities — on the face of it at least. The hackers were Islamists, calling themselves the Cutting Sword of Justice. According to reports, they managed to wipe the hard drives of 30,000 computers inside the company. As the data disappeared into the void, each screen was illuminated with an image of an American flag on fire.
As investigators began to get to grips with the disaster, questions began to form around who exactly the Cutting Sword of Justice was. Their stated intention was revenge against “crimes and atrocities” taking place in various countries around the world, including Syria and Bahrain. Saudi Arabia, which is lead by a Sunni elite, sent troops to Bahrain in 2011 to back the Sunni regime against Shiite-led protesters, while Saudi is also sympathetic to rebels in Syria. The west, however, didn’t buy it. Reports in both local and Western press first centred on an inside job, but in December, a new narrative began to emerge.
Unnamed US intelligence sources began attributing the attack to Iran. Though no evidence was ever published to back this up, the logic runs like this: Israel, fearing Iran’s nuclear capability, began petitioning the US to sanction a military strike against what they regarded as a dire threat. The US, however, was unwilling to endorse so incendiary an action in such a volatile region. So Israel was offered a third way. A concerted cyber-offensive against Iran’s nuclear capability, with the aim, at the very least, of buying some time.
Earlier this year, Vanity Fair carried a lengthy piece by author Michael Joseph Gross, detailing what amounts to a silent war raging between Iran and the US. No shots are ever fired, and scant detail of what happens ever emerges into the public domain, but here, it would appear, is the world’s first cyber war.
Though Cyber Command was established four years ago, the US military has been active in this space for at least the last decade. As far back as 2003, during the second Gulf War, the Pentagon proposed an online offensive that would freeze Saddam Hussein’s bank accounts. The suggestion was vetoed by the Treasury Department on the grounds that tinkering with international banking could set a dangerous precedent and prompt a reprisal that could destabilise the global economy.
Reprisal is a very real danger here, because cyber warfare is cheap warfare, well within the gift of the most poorly-resourced state. The F-35 Lightning II fighter, the one whose plans were allegedly swiped by the Chinese, has so far cost the US taxpayer $391bn. Yet the tools required to deliver the kind of devastation that the US Secretary of Defense has prophesied (derailed trains, contaminated water, wrecked power grids) are almost free by comparison.
In tracing the history of the US military cyber operations, two words reappear again and again: Flame and Stuxnet. In 2007, a piece of malware beset thousands of computers in the Middle East in general, and Iran in particular. Flame, as it became known, wasn’t quite like anything that had been seen before. It included modules that could be remotely reprogrammed, that were capable of a variety of covert operations; one could turn on the microphone of the infected computer and record conversations. Another collected architectural plans, another took screenshots of the computer, another logged keystrokes, another recorded Skype conversations. Another directed infected computers to connect via Bluetooth to any nearby enabled devices, like mobile phones, then pilfer any data found on them.
In 2010, another new computer worm emerged, this one designed not to collect data but to actually physically sabotage machinery. Described by Michael Joseph Gross as “one of the most resilient, sophisticated and noxious pieces of malware ever seen”, the worm appeared to come from either the US or Israel. It was named Stuxnet and it is credited with the destruction of uranium-enrichment centrifuges at Iran’s nuclear facility in Natanz.
A private sector security firm conducted a series of autopsies on both the Flame and Stuxnet attacks, concluding that they shared elements of code, indicating a common source. Moreover, when this piece of information was made public, Flame’s operators deployed a self-destruct module and its command and control infrastructure went down. Experts pointed out that malware that is merely criminal doesn’t delete itself so neatly. The circumstantial evidence once again pointed to a state source, while the targets — all Middle Eastern — seemed to level the accusation at the US.
The US has never acknowledged that it was the behind the Stuxnet attack, but the usual series of leaks and unofficial statements amounted to winking acknowledgement of responsibility. Last June, the New York Times carried a story which said that Stuxnet is part of a joint US/Israeli operation called Operation Olympic Games, begun under George W Bush and expanded under Barack Obama.
It is now believed that the Aramco attack was not the work of a new Islamist organisation. It was Iran, taking revenge on a US ally (Saudi Arabia) for the destruction of its centrifuges.
Nor was the Stuxnet attack an isolated incident. In September 2011, a new piece of malware, named Gauss, stole information from banks in Lebanon, an Iranian ally. The same year, another piece of spyware was discovered on more than 800 computers, most of them in Iran. This one — named Mahdi — was significant for the fact that in many cases, it used Microsoft applications as cover. A email bearing an MS Word or Powerpoint file would land in the inbox of the targeted individual. The Word file would contain a news article about a secret Israeli plan to attack Iran’s national grid, the Powerpoint slide invariably contained religious images. Once clicked, the malware allowed remote monitoring of the victim’s emails and instant messages.
As the attacks mounted, Tehran organised itself to strike back. In March 2011, Iranian officials indicated that the Iranian Revolutionary Guard had created a cyber unit to co-ordinate offensive attacks. A year later, Ayatollah Ali Khamenei was said to have set up something called the High Council of Cyberspace.
Last September, a spate of cyber attacks against US banks appeared to open up a new front in the war. The incursions largely took the form of what are known as distributed denial of service (or DDoS) attacks. The idea is that the hacker inundates the target network with requests for connections, thereby collapsing it. Compared to Stuxnet and its precursors, the technique is hopelessly primitive. But the sheer size of the attack was overwhelming, said to dwarf the second biggest DDoS attack by a factor of 10. Almost all US banks were hit, and at least five had their websites forced offline. This time around, a Sunni jihadist group, calling itself Qassam claimed responsibility. Middle East watchers didn’t buy it, however, suggesting once again that it was an Iranian finger on the trigger.
There are few major conflicts left in the world that do not now have a cyber dimension. A series of online attacks in South Korea in March took down computer networks at three TV stations and halted operations at three banks. Seoul didn’t take long to report that North Korea’s military-run Reconnaissance General Bureau was to blame.
The Israeli government reported that since the beginning of its military offensive in Gaza in December, cyber attackers have launched in excess of 44m attempts to disrupt government websites. Nor is China confining its cyber espionage to the US. In February, both the European Aeronautic Defense & Space Co and German steelmaker, ThyssenKrupp, were allegedly attacked by Chinese hackers. And it was also Chinese hackers who, it was reported, made off last month with floor plans of the Australian intelligence agency’s new building in Canberra.
Like all military conflicts, there is a civil cost. Perhaps one of the most insidious features of Flame was the fact that it frequently disguised itself as a Windows Update. Moreover, Stuxnet itself succeeded by exploiting vulnerabilities in Microsoft Windows. If the malware was, as is now generally believed, of US origin, the implication is that the US government is not above sabotaging civil organisations to achieve military aims.