Two “Aurora” events. Two examples of Computer Network Operations.
Last Updated on Saturday, 16 January 2010 12:04 Written by Jeffreycarr Saturday, 16 January 2010 12:04
1. Google and a few dozen other companies get pwned by a targeted 0day attack, presumably from the PRC, named “Aurora”. These attacks demonstrate how State hackers routinely engage in cyber espionage (aka Computer Network Exploitation).
2. The Aurora Generator test conducted at Idaho National Labs in March 2007 demonstrated how a State hacker could exploit a vulnerability in a SCADA network to take remote control of an electrical generator and, by cycling its breakers out of phase with the grid, physically destroy it.
How interesting that two events more than two and a half years apart are both connected to PRC cyber operations and are both named Aurora. The name is probably a coincidence, but the connection serves to underscore three key points:
- Google’s Aurora is a classic demonstration of how States engage in cyber espionage. Targets are selected based on State interests, and a zero-day exploit is developed with State resources; it looks “sophisticated” only when compared to the more common open source malware that most non-state actors rely on.
- INL’s Aurora graphically depicts one of the many weaknesses in U.S. critical infrastructure that Chinese military leaders plan to exploit in the event of an imminent U.S. attack on the PRC.
- A new model for assigning attribution of cyber attacks to a State entity is needed. “Smoking guns” rarely exist when States engage in cyber conflict or cyber espionage. Instead, an attribution case can be built with disparate sets of facts combined with Means, Motive, and Opportunity (or Method). In fact, I’m drafting a paper on this topic which I hope will be accepted for inclusion in this year’s CCDCOE Conference on Cyber Warfare.
Aurora, the Roman goddess of the dawn, is an appropriate name for both of these events since sunrise is symbolic of an awakening and a cyber wake-up call is definitely needed right now.
The non-state hackers that worry me the most are …
Last Updated on Friday, 20 November 2009 09:26 Written by Jeffreycarr Friday, 20 November 2009 09:26

… religious extremists with the technical chops to target critical infrastructure and the companies that support it.
Every other motivation (politics, money, greed, ego, patriotism, etc.) is manageable in some way, but not when an adversary believes that he is empowered to perform heinous acts by a Supreme Being, whether it's Allah, Jehovah, Jesus, or the Flying Spaghetti Monster. If you add to that the following hacker typology, you’ve got a serious problem to deal with:
- Advanced degree in Computer Science or Engineering
- Affiliated with a medium-sized organization
- Disciplined and patient enough to adhere to a long-term plan
There are lots of threats in cyberspace that deserve investigation and monitoring, but if I had to choose just one group to focus on, it would be these guys and others like them.
Is the government of Turkey leveraging its hacker population to build a regional power base?
Last Updated on Tuesday, 10 November 2009 05:26 Written by Jeffreycarr Tuesday, 10 November 2009 05:26
This is the topic for this week’s IntelFusion FLASH Traffic weekly brief. An abstract follows:
The increasing frequency of Turkish hacker crews attacking SCADA-related systems is seen by GreyLogic investigators as an emerging global threat, particularly when combined with two geopolitical events:
One. On October 10, 2009, Turkish Foreign Minister Ahmet Davutoglu signed a historic agreement to work towards restoring diplomatic ties with Armenia. Such an action, according to Henri Barkey of the Carnegie Endowment for International Peace in Washington DC, is necessary if Turkey wants to become an important player in the region.
“With their strong military and economy they have the hard power, but what they are trying to do now is build up their soft power.”
Two. In July 2009, the World Bank agreed to fund Turkey’s smart grid project, the Bank’s first venture into clean energy, thereby elevating Turkey’s status in the region.
Turkey has the second largest army in NATO and eight countries on its borders, giving it a strategic presence that hasn’t been seen since the Ottoman Empire. The one thing that Turkish military generals are not speaking about is a Turkish cyber warfare or Information Operations program. The absence of such a component in Turkey’s military arsenal is suspicious at best, considering its leadership role in the region. In 2003, Turkey launched its Information Security initiatives to protect its networks. In November 2008, it was considering membership in NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE). A logical extension of both of those facts would suggest that the Turkish Armed Forces (TAF), as part of its ongoing modernization, is exploring some type of Computer Network Operations or other Information Warfare capability.
Whatever Turkey’s plans for a military cyber capability, its hacker crews are busy breaching Department of Energy service provider websites.
The full briefing is available to subscribers of IntelFusion FLASH Traffic. Contact me for subscription rates for your company or agency.