With the US and Israel accused of sending Stuxnet to sabotage Iran's nuclear capability, and China and Russia implicated in cyber attacks on the West – as well as censoring their own citizens – have we entered a new Cold War? Asavin Wattanajantra investigates.
In May, the UN's International Telecommunication Union came knocking at the door of Russian security firm Kaspersky Lab, looking to find information on a virus called Wiper – which was believed to be deleting sensitive data in the Middle East, including computers belonging to the Iranian oil industry.
Kaspersky worked hard on the case, but wasn't able to find the virus. Very little data was recoverable from the affected disk drives – the malware was complex and sophisticated enough to wipe hard drives clean, including traces of its own code. That in itself was noteworthy: what kind of backing would be able to come up with the technology to do this? It was certainly not an amateur job.
Kaspersky's security team was at a dead end. But the Russian firm has a huge reporting archive built from its 15 or so years in the anti-virus space. It started to do a bit of digging, and discovered an MD5 hash and file name on computers located in Iran and other parts of the Middle East.
The team delved further and found other components affecting equipment in the region. Piecing the puzzle together, it then stumbled upon something – something big. The malware was of a complexity it had never seen before: Flame.
“Flame is a huge package of modules almost 20MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyse,” Kaspersky Lab researcher Alexander Gostev said at the time of discovery. “Overall, we can say Flame is one of the most complex threats ever discovered. In addition, the geography of the targets (certain states are in the Middle East) and the complexity of the threat leave no doubt about it being a nation state that sponsored the research behind it.”
Rival security firm Symantec agreed: “This code was not likely to have been written by a single individual but by an organised, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian oil ministry.”
Big bang theory
Security firms disagree over when exactly Flame was created, but suggestions are that it originated no earlier than 2010. Kaspersky Lab stated it was built to systematically collect information on the operations of certain nation states in the Middle East, including hotspots such as Iran, Lebanon and Syria. The authors remain unknown, but there are claims it was a joint effort, developed by the US and Israel to slow down Iran's nuclear programme. Experts said the malware was able to replicate across highly secure networks, control everyday computer functions and send secrets back to whoever created it. It avoided detection by disguising itself as a routine Microsoft update and cracking an encryption algorithm.
It was believed able to collect secrets by turning on computer microphones and cameras, as well as by logging keystrokes. Other features included Lua scripting, harvesting AutoCAD projects, extracting GPS location data from photos and Bluetooth beaconing to identify mobile devices in proximity. For the victims of Flame, it was like having a spy with direct control of their computer.
But what of Wiper, the unknown code the researchers were originally looking for? They didn't think a connection with Flame was likely, but there was some evidence that Wiper was connected to Stuxnet – malware believed to be state-sponsored and designed to check the nuclear programme of Iran.
Stuxnet was a worm directly sent to attack Iran's uranium enrichment activities in 2010, with many believing the US and Israel to be the perpetrators. Though less sophisticated than Flame, again it was apparently too advanced not to be the work of a nation state. It soon became a huge talking point for the security industry, as well as those interested in international espionage.
Mikko Hypponen, chief security researcher at F-Secure, was involved in classified briefings on the threat. “I think Stuxnet is a new phenomenon, the first example of its kind, and will be something we will look back at in years to come,” he said at the time.
Stuxnet was a Windows worm that propagated on USB sticks and private networks. But it had one feature that was unique – it didn't replicate indiscriminately. Generally, malware is designed to spread as far as possible because cyber criminals aren't bothered who they infect. Stuxnet was different. It wanted to reach places disconnected from the internet – such as Iran's nuclear operations. The malware was programmed to do absolutely nothing until it reached the appropriate facility.
Once inside, Stuxnet was advanced enough to record traffic for two or three days. Then it started to do its work. Its key functionality is best described as being like a heist movie where a criminal fiddles with a security camera so a guard sees a recorded film rather than what's happening in the present.
Stuxnet was able to replay the traffic it had recorded to the factory's monitoring system. Anyone watching would have seen normal operation, but operation from the past. It proceeded to change the spinning speed of Iran's centrifuges, causing them to break down, or at least produce poor quality uranium. As a result, Iran brought 984 centrifuges offline in 2010.
Like others, Hypponen believes Stuxnet was part of a multi-million pound operation with the state involvement of the US and Israel. “It's very clear that this was a major wake-up call to other interested parties. Lots of other countries now realise they can do this – target systems that are running critical infrastructure,” he says.
Up in arms
When most people think of the Cold War, they envisage a battle between two superpowers with the potential to destroy each other. The situation is different now: more nations, including volatile countries such as North Korea and Iran, are either working on nuclear technology or already have it. And rather than use James Bond-style field agents, it is much simpler and more efficient for nations to use technology to spy on each other – and it looks like the US discovered some time ago that malware was a powerful way to do this.
Darien Kindlund, senior staff scientist at FireEye, says: “During the Cold War, intelligence organisations focused their efforts on identifying tradecraft, tactics and techniques in order to identify foreign agents working in the country. Similarly now, victim organisations are having to better understand their adversaries, including their motives and how they operate, in order to successfully identify, defend against and deter attacks.”
Udi Mokady, founder and chief executive of Cyber-Ark, adds: “During the Cold War, countries had their own spy tactics, including sending spies to other countries where they set them up with new identities and backgrounds. These individuals assimilated themselves into the culture and passed along secrets. Today, with cyber espionage, there are some close parallels to Cold War-era spy tactics. If you look at recent attacks and data breaches, we see the exploitation of privileged accounts as a primary attack vector.
“In its most simplistic definition, this means that the attacker is assuming the identity of a high-ranking official who is authorised to access the organisation's most sensitive information. The attacker can therefore go unnoticed for quite some time, as did spies during the Cold War. A major difference, however, is that today an attacker can do this from an undisclosed, remote location, with less risk of exposure and, crucially, can remain undetected for years.”
Denis Edgar-Nevill, chairman of cyber crime forensics at BCS, is more circumspect. “I don't think the analogy should spread that far because the world is a very different place today. The internet blurs and confuses the situation between the actions of a nation state, organisation or individual working to promote their interests, or the actions of unsanctioned people and groups working within or outside a nation state. Of course, nation states are still keen to learn things about their citizens and other nations – but a whole range of others now have the opportunity also.”
Mark as Red?
Certainly, the US isn't the world's only superpower, thanks to China, which is rapidly growing its influence and financial and military might. And suspicions are that it has been involved in global cyber espionage.
Many attacks originate in China, but it is unclear if they are government-sponsored due to the difficulties of tracking the identities of the original culprits. For example, in 2010, Google alleged that the Chinese government was using its Gmail service to spy on human rights activists. In contrast with Flame and Stuxnet, the attackers took advantage of a zero-day vulnerability, a much simpler technique criminals use around the world to gain access to machines. There was no ‘smoking gun’ linking the Chinese state to the attack, but there was suspicion.
Harry Sverdlove, CTO at Bit9, says: “The attack targeted dozens of companies, including Google, Adobe, Juniper Networks and Dow Chemical. The disclosure by a public and well-known company, coupled with attribution to a nation state, immediately sent shock waves into the community at large. The message was clear: cyber espionage is real and no one is too big or too small to be a victim.”
In 2009, the Information Warfare Monitor found evidence of a large-scale cyber spying operation originating in China and infiltrating sensitive locations such as embassies, foreign ministries and government offices. Named GhostNet, the operation's targets included offices used by the Tibetan independence movement in London, India and New York City.
Hypponen says businesses and public sector organisations frequently suffer attacks similar to those targeting non-profit organisations related to China.
“Charities and NGOs in the UK and US that have a very strong connection to China – for example, liberation for Tibet, independence for Taiwan, support for Chinese minorities, forbidden religions – are getting hit by the same kind of attack: targeted attacks, spoof emails from trusted parties, PDF attachments,” he explains. “That makes you wonder: who else could be behind these attacks? Who else would have the motive? There's no money to be made in hacking a pro-Tibet group.
“There's no smoking gun, no proof, but I believe these attacks are being sponsored by the Chinese government. Not directly, but with independent Chinese hackers to do the dirty work for them, getting rewarded for results. The [government] might be providing them with targets, contacts and projects. But whenever one of these hackers is caught, it's a hacker in their 20s who has no real connection with anything.”
The great firewall of China
The adoption of the internet was an unavoidable consequence of China's rise. However, one of its basic functions is as a tool for sharing information – very worrying for the Communist Party, and hence the construction of the ‘great firewall’, which allows the government to control and filter any internet traffic passing through a small number of gateways.
This way, blacklisted sites can be blocked, while sites carrying language not deemed appropriate by the Chinese state can also be taken offline. Social media can be affected – posts and comments can be deleted if they contain prohibited keywords.
For some observers in the West, this echoes the way the Russian Communists previously controlled information in places such as the then East Germany, from which many artists fled in order to escape censorship and imprisonment.
Kindlund says: “It's similar, but the great firewall is much less effective than the restrictions used in the 60s and 70s, largely because technology today is much more complex, thereby making it fundamentally more difficult to control.”
The great firewall, as well as being used for censorship and to monitor political and religious trends and beliefs, also serves other important functions. Among these is the blocking of Western internet ventures and social networks, thus allowing China to deploy cloned, sanitised versions – so generating business for its own industries and cutting off this profit source from outside companies. Which isn't very socialist.
Edgar-Nevill argues: “Certainly any mechanism that restricts access to information as a deliberate policy can be said to be censorship. Unrestricted access, however, can be just as bad. Most educational establishments in the UK subscribe to services that limit access to the web.
“This is to protect students from pornography and ‘unsuitable’ material. Surely this is also censorship? We ban political organisations in the UK. The key is what is restricted and for what purpose. Different nations have different ideological viewpoints.”
Like China, Russia has made moves to restrict the flow of information. In July, its parliament voted to approve a law that would give the government the right to force certain websites offline without a trial. Supporters said this would block images of child abuse and other illegal material, but opponents, including Russian-language Wikipedia, said it could lead to extra-judicial censorship of the entire Russian internet.
Philip N. Howard, professor of communication, information and international studies at the University of Washington, says: “There is a new Cold War starting. It does not involve opposing military forces but competing ideas of how political life should be organised. The battles are between broadcast and social media.
“And some of the biggest battles are in Russia, where the ruling elites that dominate broadcast media are pitted against the civil-society groups that flourish through social media.”
But it isn't just Russia – this ‘information war’ has erupted around the world.
The Arab Spring in Egypt, Libya and Tunisia caught leaderships off-guard thanks to people organising themselves using platforms such as Facebook and Twitter, and there remains a constant battle to control the information coming out of Syria. Under authoritarian governments, broadcast media, dominated by the ruling elite, is still the most useful tool. But social media has given a new platform to the critical opposition.
However, Edgar-Nevill warns: “It's a mistake to always credit social media with being a mechanism to communicate the truth. One can point to many examples of a mob mentality, which can lead to excesses of lawlessness also – for example, the use of social media to spread and co-ordinate violence and looting in London last year.
“Since 9/11, the moves to censor and control citizens in many countries have resulted in laws that we would not have considered acceptable 15 years ago.”
In 2007 in Estonia, a former Soviet republic, a series of cyber attacks hit websites related to its government and media outlets. Coming at a time of particularly high tension between the country and its former master, NATO deployed cyber terrorism experts to Tallinn, where high-ranking figures in the Estonian government were not shy about accusing the Russians of orchestrating the attacks.
Although there is no evidence of this being an example of cyber warfare between two countries, it did persuade states around the world to make network security a significant element of their military defence.
Claudio Guarnieri, security researcher at Rapid7, says: “Computer espionage could avoid direct military conflict as much as it could empower it. In the end, in order to conduct a successful warfare operation, you need information and data – nobody engages blindly. Historically that information has been gathered through human infiltration, and using computer infiltration to achieve the same end is a natural evolution and is likely more cost-effective and scalable.”
He concludes: “Computer network espionage and surveillance is just the modern way to conduct intelligence. The move to computers is just a natural consequence of the evolution of technology, and since surveillance is necessarily empowered by technology, the recent rise and discovery of such offensive practices shouldn't surprise anyone.”