The New E-spionage Threat
By Brian Grow, Keith Epstein and Chi-Chu Tschang
April 10, 2008
The e-mail message addressed to a Booz Allen Hamilton executive was
mundane—a shopping list sent over by the Pentagon of weaponry India
wanted to buy. But the missive turned out to be a brilliant fake.
Lurking beneath the description of aircraft, engines, and radar
equipment was an insidious piece of computer code known as "Poison Ivy"
designed to suck sensitive data out of the $4 billion consulting firm's
The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but
the message traveled through Korea on its way to Booz Allen. Its authors
knew enough about the "sender" and "recipient" to craft a message
unlikely to arouse suspicion. Had the Booz Allen executive clicked on
the attachment, his every keystroke would have been reported back to a
mysterious master at the Internet address cybersyndrome.3322.org, which
is registered through an obscure company headquartered on the banks of
China's Yangtze River.
The U.S. government, and its sprawl of defense contractors, have been
the victims of an unprecedented rash of similar cyber attacks over the
last two years, say current and former U.S. government officials. "It's
espionage on a massive scale," says Paul B. Kurtz, a former high-ranking
national security official. Government agencies reported 12,986 cyber
security incidents to the U.S. Homeland Security Dept. last fiscal year,
triple the number from two years earlier. Incursions on the military's
networks were up 55% last year, says Lieutenant General Charles E.
Croom, head of the Pentagon's Joint Task Force for Global Network
Operations. Private targets like Booz Allen are just as vulnerable and
pose just as much potential security risk. "They have our information on
their networks. They're building our weapon systems. You wouldn't want
that in enemy hands," Croom says. Cyber attackers "are not denying,
disrupting, or destroying operations—yet. But that doesn't mean they
don't have the capability."
When the deluge began in 2006, officials scurried to come up with
software "patches," "wraps," and other bits of triage. The effort got
serious last summer when top military brass discreetly summoned the
chief executives or their representatives from the 20 largest U.S.
defense contractors to the Pentagon for a "threat briefing."
BusinessWeek has learned the U.S. government has launched a classified
operation called Byzantine Foothold to detect, track, and disarm
intrusions on the government's most critical networks. And President
George W. Bush on Jan. 8 quietly signed an order known as the Cyber
Initiative to overhaul U.S. cyber defenses, at an eventual cost in the
tens of billions of dollars, and establishing 12 distinct goals,
according to people briefed on its contents. One goal in particular
illustrates the urgency and scope of the problem: By June all government
agencies must cut the number of communication channels, or ports,
through which their networks connect to the Internet from more than
4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary
Michael Chertoff called the President's order a cyber security
But many security experts worry the Internet has become too unwieldy to
be tamed. New exploits appear every day, each seemingly more
sophisticated than the previous one. The Defense Dept., whose Advanced
Research Projects Agency (DARPA) developed the Internet in the 1960s, is
beginning to think it created a monster. "You don't need an Army, a
Navy, an Air Force to beat the U.S.," says General William T. Lord,
commander of the Air Force Cyber Command, a unit formed in November,
2006, to upgrade Air Force computer defenses. "You can be a peer force
for the price of the PC on my desk." Military officials have long
believed that "it's cheaper, and we kill stuff faster, when we use the
Internet to enable high-tech warfare," says a top adviser to the U.S.
military on the overhaul of its computer security strategy. "Now they're
saying, 'Oh, shit.'"
Adding to Washington's anxiety, current and former U.S. government
officials say many of the new attackers are trained professionals backed
by foreign governments. "The new breed of threat that has evolved is
nation-state-sponsored stuff," says Amit Yoran, a former director of
Homeland Security's National Cyber Security Div. Adds one of the
nation's most senior military officers: "We've got to figure out how to
get at it before our regrets exceed our ability to react."
The military and intelligence communities have alleged that the People's
Republic of China is the U.S.'s biggest cyber menace. "In the past year,
numerous computer networks around the world, including those owned by
the U.S. government, were subject to intrusions that appear to have
originated within the PRC," reads the Pentagon's annual report to
Congress on Chinese military power, released on Mar. 3. The preamble of
Bush's Cyber Initiative focuses attention on China as well.
Wang Baodong, a spokesman for the Chinese government at its embassy in
Washington, says "anti-China forces" are behind the allegations.
Assertions by U.S. officials and others of cyber intrusions sponsored or
encouraged by China are unwarranted, he wrote in an Apr. 9 e-mail
response to questions from BusinessWeek. "The Chinese government always
opposes and forbids any cyber crimes including 'hacking' that undermine
the security of computer networks," says Wang. China itself, he adds, is
a victim, "frequently intruded and attacked by hackers from certain
Because the Web allows digital spies and thieves to mask their
identities, conceal their physical locations, and bounce malicious code
to and fro, it's frequently impossible to pinpoint specific attackers.
Network security professionals call this digital masquerade ball "the
A CREDIBLE MESSAGE
In written responses to questions from BusinessWeek, officials in the
office of National Intelligence Director J. Michael McConnell, a leading
proponent of boosting government cyber security, would not comment "on
specific code-word programs" such as Byzantine Foothold, nor on
"specific intrusions or possible victims." But the department says that
"computer intrusions have been successful against a wide range of
government and corporate networks across the critical infrastructure and
defense industrial base." The White House declined to address the
contents of the Cyber Initiative, citing its classified nature.
The e-mail aimed at Booz Allen, obtained by BusinessWeek and traced back
to an Internet address in China, paints a vivid picture of the alarming
new capabilities of America's cyber enemies. On Sept. 5, 2007, at
08:22:21 Eastern time, an e-mail message appeared to be sent to John F.
"Jack" Mulhern, vice-president for international military assistance
programs at Booz Allen. In the high-tech world of weapons sales,
Mulhern's specialty, the e-mail looked authentic enough. "Integrate
U.S., Russian, and Indian weapons and avionics," the e-mail noted,
describing the Indian government's expectations for its fighter jets.
"Source code given to India for indigenous computer upgrade capability."
Such lingo could easily be understood by Mulhern. The 62-year-old former
U.S. Naval officer and 33-year veteran of Booz Allen's military
consulting business is an expert in helping to sell U.S. weapons to
The e-mail was more convincing because of its apparent sender: Stephen
J. Moree, a civilian who works for a group that reports to the office of
Air Force Secretary Michael W. Wynne. Among its duties, Moree's unit
evaluates the security of selling U.S. military aircraft to other
countries. There would be little reason to suspect anything seriously
amiss in Moree's passing along the highly technical document with "India
MRCA Request for Proposal" in the subject line. The Indian government
had just released the request a week earlier, on Aug. 28, and the
language in the e-mail closely tracked the request. Making the message
appear more credible still: It referred to upcoming Air Force
communiqués and a "Teaming Meeting" to discuss the deal.
But the missive from Moree to Jack Mulhern was a fake. An analysis of
the e-mail's path and attachment, conducted for BusinessWeek by three
cyber security specialists, shows it was sent by an unknown attacker,
bounced through an Internet address in South Korea, was relayed through
a Yahoo! (YHOO) server in New York, and finally made its way toward
Mulhern's Booz Allen in-box. The analysis also shows the code—known as
"malware," for malicious software—tracks keystrokes on the computers of
people who open it. A separate program disables security measures such
as password protection on Microsoft (MSFT) Access database files, a
program often used by large organizations such as the U.S. defense
industry to manage big batches of data.