The CNE Model favored by State actors in attacks against Google and others

Last Updated on Tuesday, 19 January 2010 08:34 Written by Jeffreycarr Tuesday, 19 January 2010 08:34

Computer Network Exploitation (CNE) is the latest iteration of the age-old game of espionage. Technology has changed the methods used, but the goal remains the same: covert discovery of information of value to the attacker.

One of many things that GreyLogic/Project Grey Goose investigators look at when determining attribution in politically motivated attacks is methodology. Chapter 10 of “Inside Cyber Warfare” provides a detailed explanation of how these types of attacks are planned and executed. The main points of that model are listed below (shown in blue in the original post), and each is followed by the known facts about the Aurora operation that match it (shown in red in the original).

Create a Zero day vulnerability for a popular Client-side application, such as a Web browser, .pdf file, or Word document.

A Zero day vulnerability impacting Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Microsoft Security Advisory

Use Open Source Intelligence to create an operational picture of the target, then create a plausible scenario that will attract the target’s interest.

“As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.” McAfee Security Insights blog

Encrypt the stolen data before exfiltrating it from the compromised network.

“The attackers used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the bowels of company networks and obscure their activity, according to Alperovitch. ‘The encryption was highly successful in obfuscating the attack and avoiding common detection methods,’ he said. ‘We haven’t seen encryption at this level. It was highly sophisticated.’” Wired.com/Threatlevel blog

Use multiple staging servers to exfiltrate the data.

“Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan.” Wired.com/Threatlevel blog
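The two final points of the model, encrypted payloads and several staging servers, are also the stages a defender has the best chance of seeing on the wire. The following is an added example (not from the original post, the book, or any of the quoted sources) of the kind of check a network monitoring team might run: it scores outbound flows for upload-heavy sessions to destinations outside an assumed baseline, groups them per internal host to surface machines talking to several unseen servers at once, and estimates byte entropy of a captured payload as a rough "does this look encrypted?" signal. The flow records, the baseline, the payloads and every threshold are constructed for illustration.

```python
"""Added example: spot exfiltration-like traffic to multiple unseen hosts.

All records, thresholds and the baseline below are constructed for
illustration; they are not data from the Aurora case."""
import math
import random
from collections import Counter, defaultdict

# Constructed flow records: (internal source, external destination,
# bytes sent out, bytes received). Addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 52_000_000, 120_000),  # large upload
    ("10.0.0.5", "198.51.100.7", 48_000_000, 90_000),   # large upload
    ("10.0.0.5", "192.0.2.44", 61_000_000, 150_000),    # large upload
    ("10.0.0.5", "93.184.216.34", 2_000, 800_000),      # ordinary download
    ("10.0.0.9", "93.184.216.34", 5_000, 1_200_000),    # ordinary download
    ("10.0.0.9", "203.0.113.10", 30_000, 20_000),       # small, below threshold
]

# Assumed baseline: destinations the organisation is already known to use.
KNOWN_DESTINATIONS = {"93.184.216.34"}


def score_flows(flows, known, min_bytes_out=10_000_000, min_ratio=10.0):
    """Return {internal_host: [destinations]} for hosts with upload-heavy
    sessions (bytes out above min_bytes_out and out/in ratio above
    min_ratio) to destinations not in the known baseline."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, bytes_out, bytes_in in flows:
        totals[(src, dst)][0] += bytes_out
        totals[(src, dst)][1] += bytes_in
    hits = defaultdict(set)
    for (src, dst), (bytes_out, bytes_in) in totals.items():
        if dst in known:
            continue
        ratio = bytes_out / max(bytes_in, 1)
        if bytes_out >= min_bytes_out and ratio >= min_ratio:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def multi_staging_hosts(hits, min_destinations=2):
    """Internal hosts uploading to several unseen destinations: the
    'multiple staging servers' pattern described in the post."""
    return sorted(src for src, dsts in hits.items() if len(dsts) >= min_destinations)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold=7.0) -> bool:
    """Encrypted or compressed payloads sit near 8 bits/byte; plain text
    and most protocol headers sit well below. Threshold is an assumption."""
    return shannon_entropy(data) >= threshold


# Constructed payloads: a deterministic pseudo-random blob standing in for
# ciphertext, and repeated English text standing in for a plaintext upload.
_rng = random.Random(1)
RANDOM_LOOKING = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 90


if __name__ == "__main__":
    hits = score_flows(SAMPLE_FLOWS, KNOWN_DESTINATIONS)
    print("upload-heavy sessions to unseen hosts:", hits)
    print("hosts using multiple staging servers:", multi_staging_hosts(hits))
    print("random blob looks encrypted:", looks_encrypted(RANDOM_LOOKING))
    print("plain text looks encrypted:", looks_encrypted(PLAINTEXT))
```

Neither signal is conclusive on its own (backups and software updates also produce high-entropy uploads), which is why the check combines the baseline of known destinations, the direction of the traffic, and the fan-out per host rather than relying on any one of them.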

Yet another component is the use of insiders. This is not a universal attribute, but it is a common strategy that we’ve seen used by foreign research labs operating inside both China and Russia, which employ highly skilled scientists or engineers from the host country. Apparently, Google suspects that such was the case with Operation Aurora.

Had Google not gone public with the details of this attack, we would not be able to add this case to the growing body of evidence that helps governments understand the defining characteristics of State versus Non-state cyber attacks. Companies that continue to hide the fact that they’ve been attacked need to reconsider their justification for such a position and decide which is more important: protecting their stock price or helping their country build a more informed defensive and offensive cyber security strategy.

* the graphic used at the top of this post comes from the 2009 U.S. China Economic and Security Review Commission study on Chinese Information Warfare capabilities.


1 Comment

  1. Bookmarks for 02/04/2010 — MK Anderson   |  Thursday, 04 February 2010 at 6:03 am

    [...] IntelFusion – [...]

Leave a Reply