The New Cyber Threat

Upload: chi-chu-tschang, 10-Apr-2018
TRANSCRIPT

  • 8/8/2019 The New Cyber Threat

    1/10

    032

  • 8/8/2019 The New Cyber Threat

    2/10

    the new

    cyber

    threat

    RobeRtLLeweLLyn/JupiteRimages

    033

    in depth

    By Bra Grow, K es, a C-Cu tscag

    illusraos by Joao Ros

    how sa ar our scrs? Mor a mor

    ra ros ar brakg o Amrcas

    mos ssv comur works

    The e-mail message addressed to a Booz Allen Hamilton execu-

    tive was mundanea list sent over by the Pentagon o weaponry

    on order by India. But the missive turned out to be a brilliant

    ake. Lurking beneath the description o aircrat, engines,

    and radar equipment was an insidious piece o computer code

    known as Poison Ivy designed to suck sensitive and classifed

    data out o the $4 billion consulting frms computer network.

    It turns out the Pentagon hadnt sent the e-mail at allthe ma-licious code was launched rom network servers in a nondescript

    building on the banks o Chinas Yangtze River. Whoever authoredthe e-mail knew enough about the sender and recipient to cra a

    message that was unlikely to arouse suspicion. Had the Booz Allenexecutive clicked on the attachment, the ull orce o the virus would

    have been unleashed and his every keystroke reported back to a mys-terious master at the Internet address cybersyndrome.3222.org.

    The U.S. government, and its sprawl o deense contractors, havebeen the target o an unprecedented rash o similar cyberattacks

    over the last two years. Its espionage on a massive scale, says PaulB. Kurtz, a ormer high-ranking national security ocial. Govern-

    ment agencies reported 12,986 cybersecurity incidents to the U.S.

    APRIL 21, 2008 I BUSineSSWeeK

  • 8/8/2019 The New Cyber Threat

    3/10

    the U.S. government on the overhaul o its computer security

    strategy. Now theyre saying, Oh, s--t.Adding to Washingtons anxiety, U.S. intelligence oi-

    cials say many o the new attackers are trained proession-als backed by oreign governments. The new breed o threat

    that has evolved is nation-state-sponsored stu, says AmitYoran, a ormer director o Homeland Securitys National

    Cyber Security Div. Adds one o the nations most senior mil-itary ocers: Weve got to gure out how to get at it beore

    our regrets exceed our ability to react.The military and intelligence communities have ngered the V e

    e R

    034

    BUSineSSWeeK I APRIL 21, 2008

    Homeland Security Dept. last scal year,

    triple the number rom two years earlier.Incursions on the militarys networks were

    up 55% last year, says Lieutenant GeneralCharles E. Croom, head o the Pentagons

    Joint Task Force or Global Network Op-erations. Private rms like Booz Allen are

    just as vulnerableand pose just as muchsecurity risk. They have our inormation

    on their networks. Theyre building ourweapon systems. You wouldnt want that in

    enemy hands, Croom says. Cyberattackersare not denying, disrupting, or destroy-

    ing operationsyet. But that doesnt meanthey dont have the capability.

    shutting down ports

    When the deluge began in 2006, ocialsscurried to come up with soware patch-

    es, wraps, and other bits o triage. The

    eort got serious last summer when topmilitary brass quietly summoned the chieexecutives or their representatives rom

    the 20 largest U.S. deense contracts tothe Pentagon or a threat brieng. Since

    then, BusinessWeek has learned, the U.S.government has launched a classied op-

    eration called Byzantine Foothold to detect,track, and disarm intrusions on the governments most criti-

    cal networks. And President George W. Bush on Jan. 8 quietlysigned an order to overhaul U.S. cyberdeenses, establishing

    12 distinct goals, according to people brieed on its contents.One goal in particular illustrates the urgency and scope o

    the problem: By June all government agencies must cut thenumber o tiny communication channels, or ports, through

    which their networks connect to the Internet rom more than4,000 to ewer than 100. On Apr. 9, Homeland Security Dept.

    Secretary Michael Cherto called the Presidents order a cy-bersecurity Manhattan Project. First, he said, the U.S. must

    get our own house in order.But many security experts worry the

    Internet has become too unwieldy to betamed. New viruses appear every day, each

    seemingly more sophisticated than the pre-vious one. The Deense Dept., whose Ad-

    vanced Research Projects Agency (DARPA)developed the Internet in the 1960s, is be-

    ginning to think it created a monster. Youdont need an Army, a Navy, an Air Force

    to beat the U.S., says General William T.Lord, commander o the Air Force Cyber

    Command, a unit ormed in October, 2006,to upgrade Air Force computer deenses.

    You can be a peer orce or the price o thePC on my desk. Military ocials have long

    believed that its cheaper, and we kill stuaster, when we use the Internet to enable

    high-tech warare, says a top adviser to

    an eVOLVInG threatMajor aacks o U.S. govrm as usry ovr yars

    SOLar SunrISe

    Fa, 1998. Ar Forc a navycomurs ar by malcous coa s ou a ol Su Mcro-sysms Solars orag sysm,ac s ow ry o og. Som aacks arrou roug U Arabemras wl U.S. s rargor mlary aco iraq. turs ou aacks wr lauc by woagrs Clovral, Cal., aa isral accomlc wo callmsl Aalyzr.

    MOOnLIGht Maze

    Mac, 1998, 1999. A-ackrs us scrs o ga accsso Wb ss a ds d.,nASA, ergy d., a wa-os labs across coury. Largacks o uclassf aa arsol. A ms, o [or aa] was s Russa, says asourc amlar w vsga-o. t sosor o aack asvr b f. t Russagovrm ay volv-m.

    D: BusinessWeek

  • 8/8/2019 The New Cyber Threat

    4/10

    nas military policy is deensive in nature.

    China would never do anything to harmsovereignty or security o other countries.

    He added that China also alls victim tohacking and urged the U.S. to present

    compelling evidence or its accusation.Some computer security specialists

    doubt that Chinas government is involvedin cyberattacks on U.S. deense targets.

    Peter Sommer, an inormation systems se-curity specialist at the London School o

    Economics who helps companies securenetworks, says: I suspect i its an oi-

    cial part o the Chinese government, youwouldnt be spotting it. Indeed, because

    the Internet allows digital spies and thievesto mask their identities, conceal their phys-

    ical locations, and bounce malicious code toand ro, its requently impossible to pin-

    point specic attackers. Network security

    proessionals call this digital masqueradeball the attribution problem.

    In written responses to questions romBusinessWeek, oicials in the oice oNational Intelligence Director J. Michael

    McConnell, a leading proponent o boost-ing the governments cybersecurity e-

    orts, would not comment on speciiccode-word programs such as Byzantine Foothold, nor on

    specic intrusions or possible victims. But the departmentadds that computer intrusions have been successul against

    a wide range o government and corporate networks acrossthe critical inrastructure and deense industrial base. The

    White House declined to address the contents o the CyberInitiative, citing its classied nature.

    A Credible MessAge

    The Booz Allen e-mail, obtained byBusinessWeek and tracedback to China, paints a vivid picture o the alarming new ca-

    pabilities o Americas cyberenemies. OnSept. 5, 2007, at 08:22:21 Eastern time, an

    e-mail message appeared to be sent to JohnF. Jack Mulhern, vice-president or in-

    ternational military assistance programs atBooz Allen. In the high-tech world o weap-

    ons sales, Mulherns specialty, the e-maillooked authentic enough. Integrate U.S.,

    Russian, and Indian weapons and avion-ics, the e-mail noted, describing the Indian

    governments expectations or its ghterjets. Source code given to India or indig-

    enous computer upgrade capability. Suchlingo could easily be understood by Mul-

    hern. The 62-year-old ormer U.S. Navalocer and 33-year veteran o Booz Allens

    military and deense consulting business isan expert in helping to sell U.S. weapons to

    oreign governments.

    Peoples Republic o China as the U.S.s biggest cybermenace.

    In the past year, numerous computer networks around theworld, including those owned by the U.S. government, were

    subject to intrusions that appear to have originated withinthe PRC, reads the Pentagons annual report to Congress on

    Chinese military power, released on Mar. 3. The preamble oBushs Cyber Initiative ocuses attention on China as well.

    Those are groundless accusations and unwarranted alle-gations, says Wang Baodong, a spokesman or the Chinese

    embassy in Washington. Qin Gang, a spokesman or ChinasForeign Ministry, told reporters in Beijing on Mar. 4 that Chi-

    035

    in depth

    APRIL 21, 2008 I BUSineSSWeeK

    tItan raIn

    2003. hackrs blv o b Ca accss classf aa soro comur works o scoracor Lock Mar, Sa-a naoal Labs, a nASA. trusos ar f by SaCarr, a cybr scury aalysa Saa Labs. Ar rors bracs o U.S. Army a FBi,Saa frs m. Carr larsus Saa or wrogul rma-o. i Fbruary, 2007, a jury awarsm $4.7 mllo.

    byzantIne FOOthOLd

    2007. A w orm o aack, usgsosca cology, lugsoufs rom Sa d. o Bo-g. Mlary cybrscury scalssf rsourcs o a ao-sab a call y o aacka avac rss ra. tbracs ar al a classfocum kow as a illgcCommuy Assssm. tsourc o may o aacks, sayU.S. mlary a govrm o-fcals, s Ca.

  • 8/8/2019 The New Cyber Threat

    5/10

    browsers while users sur the Web.

    Then it phones home to its mas-ter at an Internet address cur-

    rently registered under the namecybersyndrome.3322.org.

    The digital trail to cyber-syndrome.3322.org, ollowed by

    analysts atBusinessWeeks request,leads to one o Chinas largest ree

    domain-name-registration ande-mail services. Called 3322.org,

    it is registered to a company calledBentium in the city o Changzhou, a technology industry

    hub outside Shanghai. A range o security experts say that3322.org hosts computers and servers that act as the com-

    mand and control centers or more than 10,000 pieces o ma-licious code launched at government and corporate networks

    in recent years. Many o those PCs are in China; the rest couldbe anywhere.

    The ounder o 3322.org, a 37-year-old technology entre-

    preneur named Peng Yong, says his company merely allowsusers to register domain names. As or what our users do, wecannot completely control it, says Peng. The bottom line: I

    Poison Ivy inected Jack Mulherns computer at Booz Allen,any secrets inside could be seen in China. And i it spread to

    other computers, as malware oen does, the inection openswindows on potentially sensitive inormation there, too.

    Its not clear whether Mulhern received the e-mail, but theaddress was accurate. Inormed byBusinessWeek on Mar. 20

    o the ake message, Booz Allen spokesman George Farrar saysthe company launched a search to nd it. As o Apr. 8, says

    Farrar, the company had not discovered the e-mail or PoisonIvy in Booz Allens networks, but the investigation is ongo-

    ing. Farrar says Booz Allen computer security executives areexamining the computers o Mulhern and an assistant who

    received his e-mail. We take this very seriously, says Farrar.(Mulhern, who retired in March, did not respond to e-mailed

    requests or comment and declined a request, through BoozAllen, or an interview.)

    Air Force ocials reerred requests or comment to U.S.Deense Secretary Robert M. Gates oce. In an e-mailed

    response toBusinessWeek, Gates oceacknowledges being the target o cyber-

    attacks rom a variety o state and non-state-sponsored organizations to gain

    unauthorized access to, or otherwisedegrade, [Deense Dept.] inormation

    systems. But the Pentagon declined todiscuss the attempted Booz Allen break-

    in. The Air Force, meanwhile, declinedto make Stephen Moree available or comment.

    The e-mail, however, seemed to cause a stir inside the AirForce, correspondence reviewed by BusinessWeek shows.

    On Sept. 4, James Mulvenon also received the message withMoree and Mulherns names on it. Security experts believe

    Mulvenons e-mail address was secretly included in theblind copy line o a version o the message. Mulvenon is

    director o the Center or Intelligence Analysis & Research,

    The e-mail was more convinc-

    ing because o its apparent sender:Stephen J. Moree, a civilian who

    works or a group that reports tothe oce o Air Force Secretary Mi-

    chael W. Wynne. Among its duties,Morees unit evaluates the security

    o selling U.S. military aircra toother countries. There would be

    little reason to suspect anythingseriously amiss in Moree passing

    along the highly technical docu-ment with India MRCA Request or Proposal in the subject

    line. The Indian government had just released the requesta week earlier, on Aug. 28. And the language in the e-mail

    tracked the request. Making the message appear more cred-ible still: It reerred to upcoming Air Force communiqus and

    a Teaming Meeting to discuss the deal.

    An e-MAils journey

    But the missive rom Steve Moree to Jack Mulhern was aake, Booz Allen later discovered. An analysis o the e-mailspath and attachment, conducted orBusinessWeek by three

    cybersecurity specialists, shows it was sent by an unknownattacker, bounced through an Internet address in South

    Korea, was relayed through a Yahoo! server in New York, andnally made its way toward Mulherns Booz Allen in-box.

    The analysis also shows that the codeknown as malware,or malicious sowaretracks keystrokes on the computers

    o people who open it. A separate program disables securitymeasures such as password protection on Microso Access

    database les, a program requently used by large organi-zations such as the U.S. deense industry to manage large

    batches o data.While hardly the most sophisticated technique employed

    by electronic thieves these days, i you have any kind o sen-sitive documents on Access databases, this [virus] is getting

    in there and getting them out, says a senior executive at aleading cybersecurity rm that conducted an analysis o the

    e-mail. (The person requested anonymity because his rmprovides security consulting to U.S. military departments,

    deense contractors, and nancial institutions.) Commer-

    cial computer security rms have dubbed the malicious codePoison Ivy.

    But the malware attached to the ake Air Force e-mail hasa more deviousand worrisomecapability. Known as a re-

    mote administration tool, or RAT, it gives the attacker con-trol over the host PC, capturing screen shots and perusing

    les. It lurks in the background o Microso Internet Explorer

    036

    BUSineSSWeeK I APRIL 21, 2008

    POISOn IVy IS Part OF a new tyPe OF dIGItaL

    Intruder renderInG tradItIOnaL deFenSeS LIke

    FIrewaLLS VIrtuaLLy uSeLeSS

  • 8/8/2019 The New Cyber Threat

    6/10

    o at least eight agenciesincluding the departments o De-

    ense, State, Energy, Commerce, Health & Human Services,Agriculture, and Treasuryand also deense contractors

    Boeing, Lockheed Martin, General Electric, Raytheon, andGeneral Dynamics, say current and ormer government se-

    curity experts.Laura Keehner, a spokeswoman or the Homeland Se-

    curity Dept., which coordinates protection o government

    computers, declined to comment on specic intrusions. In

    written responses to questions romBusinessWeek, Keehnersays: We are aware o and have deended against malicious

    cyberactivity directed at the U.S. Government over the pastew years. We take these threats seriously and continue to

    remain concerned that this activity is growing more sophis-ticated, more targeted, and more prevalent. Spokesmen or

    Lockheed Martin, Boeing, Raytheon, General Dynamics, and

    a unit o Deense Group, a leading consultant to U.S. deense

    and intelligence agencies on Chinas military and cyber strat-egy. He maintains an Excel spreadsheet o suspect e-mails,

    malicious code, and hacker groups and passes them alongto the authorities. Suspicious o the note when he received

    it, Mulvenon replied to Moree the next day. Was the e-mailIndia spam? Mulvenon asked.

    I apologizethis e-mail was sent in errorpleasedelete, Moree responded a ew

    hours later.No worries, typed Mulve-

    non. I have been getting a lot otrojaned Access databases rom

    China lately and just wanted tomake sure.

    Interestingour network olksare looking into some kind o ma-

    licious intent behind this e-mailsnau, wrote Moree. Neither the

    Air Force nor the Deense Dept.

    would conrm withBusinessWeekwhether an investigation was con-ducted. A Pentagon spokesman

    says its procedure is to reer attacksto law enorcement or counterin-

    telligence agencies. He would notdisclose which, i any, is investi-

    gating the Air Force e-mail.

    digitAl intruders

    By itsel, the bid to steal digital se-

    crets rom Booz Allen might notbe deeply troubling. But Poison

    Ivy is part o a new type o digi-tal intruder rendering traditional

    deensesirewalls and updatedantivirus sowarevirtually use-

    less. Sophisticated hackers, sayPentagon oicials, are develop-

    ing new ways to creep into com-puter networks sometimes beore

    those vulnerabilities are known.The oense has a big advantage

    over the deense right now, saysColonel Ward E. Heinke, director

    o the Air Force Network Opera-tions Center at Barksdale Air Force

    Base. Only 10 o the top 35 antivi-rus soware programs identied

    Poison Ivy when it was rst testedon behal oBusinessWeek in February. Malware-sning

    soware rom several top security rms ound no virus inthe India ghter-jet RFP, the analysis showed.

    Over the past two years thousands o highly customizede-mails akin to Stephen Morees have landed in the laptops

    and PCs o U.S. government employees and deense contract-ing executives. According to sources amiliar with the matter,

    the attacks targeted sensitive inormation on the networks

    037

    in depth

    APRIL 21, 2008 I BUSineSSWeeK

    t bogus -mal am a Booz All hamloa brILLIant Fake

    sr,

    th rg (28 ag) rcvd h 211 g id ml-Rl C arcr(mRCa) Rq r prl (RFp). th jr RFp r:

    - 126 rcr (86 gl /40 dl); 18 l y oem, 108 c-rdcd id- 1 r 2 g; 14k-30k kg (30.9k-66.1k l) x gh- acv aesa rdr cl rgg 5 2 130k (80.8 l)- 24 h fxd rc vldy r; r 63 rcr gd r 3 yr (fxdrc)- 50% o rqr- arcr dlvry g 36 h r crc, c-rdc g 48h r crc- tch rr rk 5 cgr, 60% h hgh rcg- prrc bd Lgc (L Cycl c) r ddrd, id y/y fl drr

    - igr us, R, d id d vc- src cd gv id r dg cr grd clyiaw h tg Drcv iv chd cy h cl RFp; hvr, ll rvd r dld ry r r tg mg. wll cld hdvl h saF/ia ud d Frdy CsaF ud ld.

    vrsv

    sh J. mrnrh a brch ChsaF/ia pcfc DvCOnFidentiALitY nOtiCe: th lcrc r Fr ofcl uoly d y c r rcd r dclr dr h Frd ir ac, 5 usC 552. D rl d DD chl hrr hrz r h dr.

  • 8/8/2019 The New Cyber Threat

    7/10

    that a classied document called an intelligence community

    assessment, or ICA, details the Byzantine intrusions and as-signs each a unique Byzantine-related name. The ICA has

    circulated in recent months among selected ocials at U.S.intelligence agencies, the Pentagon, and cybersecurity con-

    sultants acting as outside reviewers. Until December theICAs contents had not even been shared with congressional

    intelligence committees.Now, Senate Intelligence Committee Chairman John D.

    General Electric declined to comment. Several cited policies

    o not discussing security-related matters.The rash o computer inections is the subject o Byzan-

    tine Foothold, the classied operation designed to root outthe perpetrators and protect systems in the uture, accord-

    ing to three people amiliar with the matter. In some cases,the governments own cybersecurity experts are engaged in

    hack-backsollowing the malicious code to peer into thehackers own computer systems.BusinessWeek has learned

    m a R k L e n n i h a n / a p p h o t o

    038

    BUSineSSWeeK I APRIL 21, 2008

    anatOMy OF a SPear-PhISh t r sags o a succssul sar-sg aack

    net recOnnaISSance

    Aackrs scour Wbsuy-g ublc ocums, ca rooms,a blogso bul gal ossrsabou jobs, rsosbls, arsoal works o args.

    cOnStructInG the SPear-PhISh

    Aackrs bul a -mal w a Wblk or aacm o a subjc lkly orck vcm o clckg o . Com-mo sar-s ocs clu wsvs, args rsuls, a Wor apowrpo ocums coag ralo. t -mal arss s ma olook lk coms rom a logcal sr.

    harVeStInG the data

    W vcm os aac-m or clcks o Wb lk,malcous co s combsocum fls, sals asswors,a ss aa o a commaa corol srvr, o a orgcoury, wc collcs aa orsuy.

  • 8/8/2019 The New Cyber Threat

    8/10

    tionproved so nettlesome that the White House shut o

    aides access to the Web site or more than six months, says acybersecurity specialist amiliar with the incident. The De-

    ense Dept. shut the door or even longer. Computer securityinvestigators, one o whom spoke withBusinessWeek, identi-

    ed the culprit: a ew lines o Java script buried in AEIs homepage, www.aei.org, that activated as soon as someone visited

    the site. The script secretly redirected the users computer toanother server that attempted to load malware. The malware,

    in turn, sent inormation rom the visitors hard drive to a

    server in China. But the security specialist says cybersleuthscouldnt get rid o the intruder. Aer each deletion, the ur-tive code would reappear. AEI says that except or a brie ac-

    cidental recurrence caused by its own network personnel inAugust, 2007, the devious Java script did not return and was

    not dicult to eradicate.The government has yet to disclose the breaches related to

    Byzantine Foothold.BusinessWeek has learned that intrudersmanaged to wend their way into the State Dept.s highly sensi-

    tive Bureau o Intelligence & Researchan important chan-nel between the work o intelligence agencies and the rest o

    the government. The intrusion posed a risk to CIA operativesin embassies around the globe, say several network security

    specialists amiliar with the eort to cope with what became

    regarded as an internal crisis. Teams worked around-the-clock in search o malware, they say, calling the White House

    regularly with updates.The attack began in May, 2006, when an unwitting em-

    ployee in the State Dept.s East Asia Pacic region clickedon an attachment in a seemingly authentic e-mail. Mali-

    cious code embedded in the Word document, a congressionalspeech, opened a Trojan back door or the codes creators

    to peer inside the State Dept.s innermost networks. Soon,cybersecurity engineers began spotting more intrusions in

    State Dept. computers across the globe. The malware tookadvantage o previously unknown vulnerabilities in the Mi-

    croso operating system. Unable to develop a patch quicklyenough, engineers watched helplessly as streams o State

    Dept. data slipped through the back door and into the Inter-

    Rockeeller (D-W. Va.) is said to be discreetly inorming el-

    low senators o the Byzantine operation, in part to win theirsupport or needed appropriations, many o which are part o

    classied black budgets kept o ocial government books.Rockeeller declined to comment. In January a Senate Intelli-

    gence Committee staer urged his boss, Missouri RepublicanChristopher Kit Bond, the committees vice-chairman, to

    supplement closed-door testimony and classied documentswith a viewing o the movieDie Hard 4 on a fight the sena-

    tor made to New Zealand. In the lm, cyberterrorists breachFBI networks, purloin nancial data, and bring car trac to a

    halt in Washington. Hollywood, says Bond, doesnt exagger-ate as much as people might think. I cant discuss classied

    matters, he cautions. But the movie illustrates the potentialimpact o a cyberconfict. Except or a ew things, let me just

    tell you: Its credible.

    go phish

    The technique used in the attacks, known as phishing, is a

    method o stealing inormation by posing as a trustworthy

    entity in an online communication. The term started in themid-1990s when hackers began shing or inormation(and tweaked the spelling). The e-mail attacks in the gov-

    ernment agency and deense contractor intrusions, calledspear-phish because they target speciic individuals,

    are the Web version o laser-guided missiles. Spear-phishcreators gather inormation about peoples jobs and social

    networks, oen rom publicly available inormation and datastolen rom other inected computers, and then trick them

    into opening an e-mail.Spear-phish tap into a cyberespionage tactic that Internet

    security experts call net reconnaissance. In the spear-phishattack on Booz Allen, attackers had a wealth o inormation

    about Stephen J. Moree: his ull name, title (Northeast AsiaBranch Chie), job responsibilities, and

    e-mail address. Net reconnaissance canbe surprisingly simple, oen starting

    with a Google search. (A lookup o theAir Forces Pentagon e-mail address, or

    instance, generated 8,680 hits or cur-rent or ormer Air Force personnel and

    departments on Apr. 8.) The inorma-tion is woven into a ake e-mail, along

    with a link to an inected Web site, or an attached document.All attackers have to do is hit their send button. Once the

    e-mail is opened, intruders are automatically ushered insidethe walled perimeter o computer networksand malicious

    code such as Poison Ivy can take over.By mid-2007 analysts at the National Security Agency

    began to discern a pattern: personalized e-mails with cor-rupted attachments such as PowerPoint presentations, Word

    documents, and Access database les had been turning up oncomputers connected to the networks o numerous agencies

    and deense contractors.A previously undisclosed breach in the autumn o 2005

    at the American Enterprise Institutea conservative thinktank whose ormer ocials and corporate executive board

    members are closely connected to the Bush Administra-

    039

    in depth

    APRIL 21, 2008 I BUSineSSWeeK

    the breach OF a hIGhLy SenSItIVe State dePt.

    bureau POSed a rISk tO cIa OPeratIVeS In

    eMbaSSIeS arOund the GLObe

    For mor o s sory, clug a rvw

    w wrr Bra Grow, wac BusssWk

    tV. to s vo cls or f your local sao a arm by Z Co go

    o BussswktV.com.

    BUSineSSWeeK tV

    Vw a vo scrbg g-saks

    cybrwar wag agas U.S., govrm

    ocums warg o cybr aacks agas ublc a rva su-

    os, a sarg o Ar. 14, our srs o cybrsoag.

    BUSineSSWeeK.COM

  • 8/8/2019 The New Cyber Threat

    9/10

    djari: We have to look at this as equivalent to the launch o

    a Chinese Sputnik.Hints o the perils perceived within Americas corridors

    o power have been slipping out in recent months. In Feb. 27testimony beore the U.S. Senate Armed Services Committee,

    National Intelligence Director McConnell echoed the viewthat the threat comes rom China. He told Congress he wor-

    ries less about another country capturing inormation thanaltering it. I someone has the ability to enter inormation in

    systems, they can destroy data. And the destroyed data couldbe something like money supply, electric power distribution,

    transportation sequencing, and that sort o thing. His con-clusion: The ederal government is not well-protected and

    the private sector is not well-protected.Worries about China-

    sponsored Internet attacksspread last year to Ger-

    many, France, and Britain.British domestic intelli-

    gence agency MI5 had seen

    enough evidence o intru-sion and the o corporatesecrets by Chinese hackers

    by November, 2007, thatthe agencys director gen-

    eral, Jonathan Evans, sentan unusual letter o warn-

    ing to 300 corporations,accounting rms, and law

    rmsalong with a list onetwork security special-

    ists to help block computerintrusions. Some recipi-

    ents o the MI5 letter hiredPeter Yapp, a leading secu-

    rity consultant with Lon-don-based Control Risks.

    People treat this like itsjust another hacker story,

    and it is almost unbeliev-able, says Yapp. Theres

    a James Bond element toit. Too many people think,

    Its not going to happen tome. But it has.

    Identiying the thieves slipping their malware throughthe digital gates can be a tricky task. But a range o attacks

    in the past two years on U.S. and oreign government enti-ties, U.S. deense contractors, and corporate networks have

    been traced to Internet addresses registered through Chi-nese domain services such as 3322.org, run by Peng Yong.

    In early March,BusinessWeek interviewed Peng in an apart-ment on the 14th foor o the gray-tiled residential building

    that houses the ve-person oce or 3322.org in Changzhou.Peng says he started 3322.org in 2001 with $14,000 o his own

    money so the growing ranks o Chinas Internet surers couldregister Web sites and distribute inormation. We elt that

    this business would be very popular, especially as broadband,

    net ether. Although they were unable to x the vulnerability,

    specialists came up with a temporary x to block urther in-ections. They also yanked connections rom the Internet.

    One member o the emergency team summoned to thescene recalls that each time cybersecurity proessionals

    thought they had eliminated the source o a beacon report-ing back to its master, another popped up. He compared the

    eort to the arcade game Whack-A-Mole. The State Dept.now says it has eradicated the inection, but only aer sani-

    tizing scores o inected computers and servers and changingpasswords. Microsos own patch, meanwhile, was not de-

    ployed until August, 2006, three months aer the inection.Microso declined to comment on the episode.

    There is little doubt among senior U.S. oicials about

    where the trail o the recent wave o attacks leads. The Byz-antine series tracks back to China, says Air Force Colonel

    Heinke. More than a dozen U.S. military, cybersecurity, andintelligence ocials interviewed byBusinessWeek say China

    is the biggest emerging adversaryand not just clubs orogue or enterprising hackers who happen to be Chinese. O.

    Sami Saydjari, a ormer National Security Agency executiveand now president o computer security rm Cyber Deense

    Agency, says the Chinese Peoples Liberation Army, one othe worlds largest military orces, with an annual budget o

    $57 billion, has tens o thousands o trainees launching cy-berattacks on U.S. computer networks. Those gures could

    not be independently conrmed byBusinessWeek. Says Say-

    040

    BUSineSSWeeK I APRIL 21, 2008

THE GOVERNMENT'S RESPONSE
Key elements of the top-secret Cyber Initiative, signed Jan. 8

CUT CONNECTIONS: Aims to cut the number of portals between government networks and the Internet from more than 4,000 to fewer than 100.

PASSIVE INTRUSION PREVENTION: Requires a plan to identify when unauthorized users have gained access to computer networks.

ACTIVE INTRUSION PREVENTION: Requires a program to trace cyberintrusions back to their source, both countries and people.

COUNTERINTELLIGENCE STRATEGY: Requires a plan to deter and prevent future computer network breaches.

COUNTERINTELLIGENCE TOOLS: Launches a program to develop technology for cyberforensic analysis.

EDUCATION: Creates training programs to develop technical skills to improve cybersecurity.

FUSING OPERATIONS: Combines computer command posts, known as network operations centers, of an unknown number of agencies.

CYBER R&D: Launches a plan to develop offensive and defensive cybercapabilities, including those developed by contractors.

LEAP-AHEAD TECHNOLOGIES: Aims to invent killer apps to win the cyber arms race.

CRITICAL INFRASTRUCTURE PROTECTION: Calls for a plan to work with the private sector, which owns and operates most of the Internet.

REVISIT PROJECT SOLARIUM: Like the Eisenhower project to deter nuclear war, aims to prevent a cyberwar.

IMPROVE FEDERAL ACQUISITIONS: Starts a program to ensure government IT products and services are secure.

Data: BusinessWeek


ber-optic cables, [data transmission technology] ADSL, these ways of getting on the Internet took off," says Peng (whose Mandarin was translated by BusinessWeek), who wears half-rimmed glasses and drives a black Lexus IS300 bought last year. His 3322.org has indeed become a hit. Peng says the service has registered more than 1 million domain names, charging $14 per year for top-level names ending in .com, .org, or .net. But

cybersecurity experts and the Homeland Security Dept.'s U.S. Computer Emergency Readiness Team (CERT) say that 3322.org is a hit with another group: hackers. That's because 3322.org and five sister sites controlled by Peng are dynamic DNS providers. Like an Internet phone book, dynamic DNS assigns names for the digits that mark a computer's location on the Web. For example, 3322.org is the registrar for the name cybersyndrome.3322.org at Internet address 61.234.4.28, the China-based computer that was contacted by the malicious code in the Booz Allen attack, according to analyses reviewed by BusinessWeek. Hackers started using sites like 3322.org so that the malware phones home to the specific name. The reason? "It is relatively difficult to have [Internet addresses] taken down in China," says Maarten van Hoorenbeeck, a Belgium-based cybersleuth for the SANS Internet Storm Center.

Peng's 3322.org and sister sites have become a source of concern to the U.S. government and private firms. Cybersecurity firm Team Cymru sent a confidential report, reviewed by BusinessWeek, to clients on Mar. 7 that illustrates how 3322.org has enabled many recent attacks. In early March, the report says, Team Cymru received a spoofed e-mail message from a U.S. military entity, and the PowerPoint attachment had a malware widget embedded in it. The e-mail was a spear-phish. The computer that controlled the malicious code in the PowerPoint? Cybersyndrome.3322.org, the same China-registered computer in the attack on Booz Allen. Although the cybersyndrome Internet address may not be located in China, the top five computers communicating directly with it were, and four were registered with ChinaNet, a large state-owned Internet service provider, according to the report.

TARGET: PRIVATE SECTOR

A person familiar with Team Cymru's research says the company has 10,710 distinct malware samples hosted by 3322.org. Other groups that have reported attacks from computers hosted by 3322.org include activist group Students for a Free Tibet, the European Parliament, and U.S. Bancorp, according to security reports. Team Cymru declined to comment. The U.S. government has pinpointed Peng's services as a problem, too. In a Nov. 28, 2007, confidential report from Homeland Security's U.S. CERT obtained by BusinessWeek, titled "Cyber Incidents Suspected of Impacting Private Sector Networks," the federal cyberwatchdog warned U.S. corporate information technology staff to update security software to block Internet traffic from a dozen Web addresses after spear-phishing attacks. "The level of sophistication and scope of these cybersecurity incidents indicate they are coordinated and targeted at private-sector systems," says the report. Among the sites named: Peng's 3322.org, as well as 8800.org, 9966.org, and 8866.org. Homeland Security and U.S. CERT declined to discuss the report.

Peng says he has no idea hackers are using his service to send and control malicious code. "Are there a lot?" he says when asked why so many hackers use 3322.org. He says his business is not responsible for cyberattacks on U.S. computers. "It's like we have paved a road and what sort of car [users] drive on it is their own business," says Peng, who adds that he spends most of his time these days developing Internet telephony for his new software firm, Bitcomm Software Tech Co. Peng says he was not aware that several of his Web sites and Internet addresses registered through them were named in the U.S. CERT report. On Apr. 7, he said he planned to shut the sites down and contact the U.S. agency. Asked by BusinessWeek to check his database for the person who registered the computer at the domain name cybersyndrome.3322.org, Peng says it is registered to Gansu Railway Communications, a regional telecom subsidiary of China's Railways Ministry. He declined to provide the name of the registrant, citing a confidentiality agreement. "You can go through the police to find out the user information," says Peng.
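The two passages above make a detection point that is easy to miss: the malware phones home to a name under a dynamic DNS parent (cybersyndrome.3322.org), so the address behind that name can change, and the U.S. CERT advice to corporate IT staff was to block traffic tied to the named parent domains rather than chase individual addresses. The script below is an added example written for this page, not code from BusinessWeek, Team Cymru, or U.S. CERT. It reads resolver log lines in a constructed format, reduces each queried name to its registrable parent, and flags queries under the four parent domains the article says the report named (3322.org, 8800.org, 9966.org, 8866.org), reporting which internal clients queried them and every address the name resolved to, so a name that has been re-pointed stands out. The host cybersyndrome.3322.org and address 61.234.4.28 come from the article; the client addresses, the other hostnames, the second resolved addresses (RFC 5737 documentation ranges), and the log format are constructed. The two-label parent heuristic is an assumption that fits these .org providers; a production version would use the Public Suffix List.

```python
"""Flag DNS queries under watchlisted dynamic-DNS parent domains.

Added example for this article; constructed log format and sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parent domains the article says the Nov. 28, 2007 U.S. CERT report named.
# Illustrative watchlist for name-based detection, not a current indicator feed.
WATCHLIST = {"3322.org", "8800.org", "9966.org", "8866.org"}


@dataclass(frozen=True)
class DnsEvent:
    ts: str       # ISO-8601 timestamp
    client: str   # internal resolver client that asked
    qname: str    # queried name as logged
    answer: str   # address returned


def registrable_domain(qname: str) -> str:
    """Return the last two labels of a name, lowercased, trailing dot removed.

    Assumption: good enough for the .org providers on this watchlist. Real
    deployments should consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one constructed log line: '<ts> <client> <qname> A <answer>'.

    Returns None for lines that do not match, so a malformed line is skipped
    rather than aborting the whole run.
    """
    parts = line.split()
    if len(parts) != 5 or parts[3] != "A":
        return None
    ts, client, qname, _rtype, answer = parts
    return DnsEvent(ts=ts, client=client, qname=qname, answer=answer)


def find_watchlist_hits(lines: List[str]) -> Dict[str, dict]:
    """Group watchlisted queries by normalized name.

    For each name: the clients that asked, every address it resolved to, and
    whether it resolved to more than one address (the dynamic-DNS re-pointing
    the article describes, which an address-only blocklist would miss).
    """
    seen = defaultdict(lambda: {"clients": set(), "answers": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if registrable_domain(ev.qname) not in WATCHLIST:
            continue
        name = ev.qname.rstrip(".").lower()   # case and trailing dot are not significant in DNS
        seen[name]["clients"].add(ev.client)
        seen[name]["answers"].add(ev.answer)
    return {
        name: {
            "clients": sorted(v["clients"]),
            "answers": sorted(v["answers"]),
            "repointed": len(v["answers"]) > 1,
        }
        for name, v in seen.items()
    }


def report(hits: Dict[str, dict]) -> List[str]:
    """Render hits as one analyst-readable line per flagged name."""
    out = []
    for name in sorted(hits):
        h = hits[name]
        flag = " (re-pointed: review all addresses)" if h["repointed"] else ""
        out.append(f"{name}: clients={','.join(h['clients'])} "
                   f"answers={','.join(h['answers'])}{flag}")
    return out


# Constructed resolver log. Only cybersyndrome.3322.org / 61.234.4.28 are from
# the article; everything else here is made up for the example.
SAMPLE_LOG = """\
2008-03-05T09:14:02Z 10.0.0.23 cybersyndrome.3322.org A 61.234.4.28
2008-03-05T09:14:05Z 10.0.0.23 www.example.com A 203.0.113.10
2008-03-05T11:02:41Z 10.0.0.57 update.8866.org. A 198.51.100.7
2008-03-06T08:30:17Z 10.0.0.23 CYBERSYNDROME.3322.ORG A 198.51.100.9
this line is malformed and should be skipped by the parser
2008-03-06T08:31:00Z 10.0.0.88 mail.corp.example A 10.0.0.5
""".splitlines()

if __name__ == "__main__":
    for line in report(find_watchlist_hits(SAMPLE_LOG)):
        print(line)
```

Keying on the parent domain rather than the resolved address is the design choice the article's reporting argues for: the same name appears twice in the sample with different answers, and both queries are caught, while the benign example.com and internal queries are not.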

U.S. cybersecurity experts say it's doubtful the Chinese government would allow the high volume of attacks on U.S. entities from China-based computers if it didn't want them to happen. "China has one of the best-controlled Internets in the world. Anything that happens on their Internet requires permission," says Cyber Defense Group's O. Sami Saydjari. A Chinese government spokesman says TK about 3322.org.

But Peng says there is little he can do if hackers exploit his goodwill, and there has been little incentive from the Chinese government to get tough. "Normally, we take care of these problems by shutting them down," says Peng. "Because our laws do not have an extremely clear method to handle this problem, sometimes we are helpless to stop their services."

And so, it seems, is the U.S. government.


Britain's MI5 intelligence agency sent a warning in 2007 to 300 companies about thefts of corporate secrets by Chinese hackers.