Suggested citation: "Appendix C: Illustrative Criminal Cyberattacks." National Research Council. 2009. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Washington, DC: The National Academies Press. doi: 10.17226/12651.

Appendix C
Illustrative Criminal Cyberattacks

The Invita Case

In 2001, the FBI arrested two Russians, Alexey Ivanov, 21, and Vasily Gorshkov, 25, who were accused of breaking into dozens of sites ranging from Internet service providers to banks. Where they found financial records they could steal, they stole them. Where they could not, they contacted the sites saying they knew about a recent break-in and offered their services to remediate the problems, or they threatened to release other information stolen from the site to damage the victim's public reputation. The FBI took advantage of these solicitations for work to lure the two suspects to the United States on the pretext of a job interview, where the interviewees were arrested. Approximately 2.3 gigabytes (compressed) of evidentiary data was remotely seized from the suspects' server in Russia before it was taken offline by others still in Russia.[2] Both were convicted in separate U.S. district courts. Gorshkov was found to have caused damages in excess of $2.5 million and was ordered both to serve jail time and to pay a combined total of nearly $1.5 million in restitution.[1]

When analyzed, the evidence (lists of credit card numbers, Perl scripts for manipulating e-mail and auction accounts, and other hacking tools) showed a complex scheme involving the creation of fake anonymous e-mail accounts and fake eBay seller and PayPal customer accounts, all fueled by the stolen financial information in their possession. They would create a fake auction item with a value of less than $500 to avoid triggering fraud alarms. They would use other fake accounts to bid on the item, and they knew how to rig the bidding so that they would always win (thus not defrauding any real bidders who might report the activity). The fake PayPal accounts would be used to clear the transaction, and they even used the fake bidder accounts to "rate the seller," inflating the credibility of the fake accounts.

One very interesting aspect of this case is the automation of all processes related to e-mail account creation and management, online payment account creation and management, web-based transaction processing, and electronic funds transfer. Tens of thousands of stolen credit card numbers were carefully used in ways that limited the losses to less than a few hundred dollars per card. The automation allowed the group to focus on the intrusions, data exfiltration and sorting, and other aspects of their activity that brought in money. This was all done by a small group of perhaps a half-dozen individuals, skilled programmers who could not find jobs locally that paid anything near what their skills were worth. Ivanov was described by U.S. District Court Judge Thompson as a "manager or supervisor," while Gorshkov claimed he was "the boss." (Both statements could be true if six or more individuals were involved.) They claim to have worked up to 16 hours per day over about 1 year and to have generated $150,000 in 6 months.[3] This is enough to pay the salaries of 20 (unemployed) Russian rocket scientists at 2003 salary rates.[4]

The Israeli Trojan Horse Industrial Espionage Case

In 2005, a couple were arrested in Britain on charges of creating a Trojan horse key logger and installing it on systems at dozens of sites by way of CD-ROMs containing what was purported to be a business proposal. This has been described as the largest industrial espionage case in Israeli history.[5] The espionage activity was primarily targeted at competitors of the clients of three private investigation firms, at a cost of approximately $4,000 per compromised computer. Eighteen people were arrested and questioned in the case; however, it was primarily just the couple and their 17-year-old son who were responsible for software production, distribution, and data collection services. It was reported that about a hundred pieces of computer equipment were seized by authorities at the time of arrest. The espionage activity was believed to have gone on for a year and a half, partly because the Trojan was highly targeted and so never circulated widely enough to be picked up by antivirus signatures. The suspects were identified because of a personal vendetta having to do with a bitter divorce trial, and not because they were detected in the acts of computer intrusion or data exfiltration from the corporate victims.

In this case, the goal was to compromise the confidentiality of business records by means of unauthorized access and data exfiltration from compromised computers. The 100 items of equipment seized by authorities were probably development hosts, file servers that received exfiltrated files, and perhaps processing hosts that would assist in sifting through the files collected by the Trojan horse malware. It is not publicly known how sophisticated the operation was, but the number of arrests suggests that a significant amount of high-level intellectual property theft had taken place as part of this operation.

Operations "Cyberslam," "Botmaster Underground," and Other Botnet Cases

The computer security news media are full of stories of botnets (huge numbers of compromised personal computers running Internet Relay Chat (IRC) robot programs, or "bots" for short) being used to automate many types of criminal activity, from delivery of spam, to theft of software license keys, to distributed denial-of-service (DDoS) attacks for extortion or other financial gain, to click fraud.[6] Four prominent incidents that received attention were these:

• In one of the first cases of DDoS-for-hire, Saad "Jay" Echouafni, the owner of a satellite TV equipment sales company, hired someone known for running large DDoS attack botnets, paying that person $150,000 per year. This person, in turn, subcontracted the work to four other individuals who managed their own botnets. The purpose was to carry out extended DDoS attacks against Echouafni's business competitors. Specific new attack mechanisms were coded into Agobot, the bot software being used by several of the subcontractors, in order to defeat the DDoS mitigation techniques employed to protect the targeted sites. The result was an estimated $2 million in lost revenue and cost of cleanup.[7]

• Jeanson James Ancheta entered a plea of guilty to taking control of approximately 400,000 personal computers (including computers at the Naval Warfare Center at China Lake and the Defense Information Systems Agency in Virginia) for criminal purposes, including selling access to DDoS botnets and performing click fraud. Ancheta maintained a series of servers that coordinated the bot activity, including operating private channels for command and control of the bots that were sold to third parties wishing to use them for their own criminal purposes (e.g., denial-of-service attacks and spam transmission), as well as for supporting these "customers." He admitted to collecting more than $107,000 in advertising affiliate proceeds by directing the bots on compromised computers to adware sites so that he and another unindicted co-conspirator were credited with the referrals (the practice known as "click fraud"). The income from these operations funded the servers and hosting costs and allowed Ancheta to purchase a new BMW with cash, all of which was returned as part of the plea agreement.[8]

• Prosecutors in the Netherlands stated publicly that they believe three teenage suspects, two of whom were convicted and sentenced in February 2007, controlled as many as 1.5 million personal computers worldwide using a variant of the ToxBot program. The three were accused of using these botnets to steal credit card numbers and other personal data and to blackmail online businesses.[9]

• In June 2007, the FBI reported an event of similar size in the United States, part of "Operation Bot Roast," involving over 1 million personal computers. Arrested were three individuals, two accused of performing DDoS attacks and one reported to be one of the most prolific spammers at the time.[10]

In all of these cases, small groups of relatively young people with skills in programming and computer system administration were able to compromise and control over a million personal computers around the world, using very little additional software beyond modified versions of publicly available IRC-based botnet and IRC server software. These are just the proverbial tip of the iceberg in terms of online crime using distributed intruder tool networks, including botnets. A migration is beginning to take place, away from IRC botnets, which are comparatively easy to detect and mitigate, and toward heavily encrypted peer-to-peer malicious programs for distributed command and control.

The Stakkato Intrusions

In 2003, a teenager in Sweden began a series of intrusions that lasted through 2005 and compromised more than 1000 hosts at supercomputer centers, national labs, universities, corporations, and military bases around the world.[11] The initial targets of attack were remotely exploitable vulnerabilities in Linux systems, on which a rootkit named SucKIT was installed; it hides itself on the system and logs all keystrokes. This allowed the attacker to steal the account/password credentials of people logging into the compromised host or using that host to log in to some other host (possibly at another site). The attacker would sometimes replace the login message with a taunt about how using Linux was a great way to share accounts.

One aspect of the Stakkato case that is not widely appreciated is the clever exploitation of the implicit trust relationships that exist between systems when users have accounts on more than one system and more than one user shares any given system. The attacker would steal passwords to gain access to accounts, and then do sufficient mapping of login relationships between hosts to infer where the same login/password combinations might work. He would then log into those systems, preferably using administrator accounts, and repeat the process of installing the keystroke logger, further extending his reach into new systems and networks. Several facts make such chains long: (1) university researchers often have appointments in multiple institutions, or in multiple departments within an institution; (2) those researchers have contractual relationships with corporations in industry; (3) supercomputer centers are used by researchers in academia, in business, and in the military; (4) the same business that employs a researcher in one field (who may require the services of a supercomputer center) may also be involved in software or hardware engineering and sales. Stakkato probably did not even plan on it, but during the compromise of those 1000+ systems, an account at Cisco Systems was compromised and used to obtain a copy of part of the Cisco IOS router software base, which was later posted on a Russian website. The nature of the login trust relationships between sites was one reason the intrusions lasted so long: some sites would clean up their systems, only to find them compromised again a short time later, because they did not realize the extent of shared access between systems, nor what the compromise of passwords through keystroke logging means for completely mitigating an attack of this nature. Reinstalling a host does nothing about the passwords that were captured on it and remain valid elsewhere; every password typed on a compromised host has to be treated as known to the attacker and changed, at every site where it works.

TJX Financial Data Thefts

At various dates between July 2005 and January 2006, intruders used access to systems within the corporate network of TJX Companies, Inc., to obtain and exfiltrate 45.7 million payment card (i.e., credit or debit card) records.[12] In March 2007, six suspects were arrested, with four more at large, all believed to be involved in the data theft and an elaborate scheme for using the stolen data to make an estimated $8 million in purchases of gift cards and electronics equipment.[13] This is on par with the number of individuals involved in the Invita case, the first case in this appendix. However, the financial damage involved in the TJX case could be orders of magnitude greater than the losses in the Invita case just 5 years earlier. Based on estimates of $50 to $250 per record, the TJX breach could cost the company in excess of $2 billion. Several pending lawsuits and a regulatory investigation are also underway. As of the time of this writing, few details about the attack mechanism have been made public, but it would be reasonable to assume an attack methodology similar to that in the previous cases. Since the attackers were in the networks for over a year, there was a great deal of time available to quietly exploit stolen credentials and explore the network, identifying the crown jewels in terms of financial information databases.

Notes

[1] Department of Justice, "Russian Computer Hacker Sentenced to Three Years in Prison," 2002, available at http://www.usdoj.gov/criminal/cybercrime/gorshkovSent.htm.

[2] Philip Attfield, "United States v Gorshkov Detailed Forensics and Case Study; Expert Witness Perspective," in Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE05), 2005, available at http://ieeexplore.ieee.org/iel5/10612/33521/01592518.pdf?arnumber=1592518.

[3] Art Jahnke, "Russian Roulette," 2005, available at http://www.csoonline.com/read/010105/russian.html.

[4] Stephanie Overby, "Big Ideas 2003: Passages Beyond India," 2003, available at http://www.cio.com/article/31589/Big_Ideas_Passages_Beyond_India/1.

[5] See, for example, Avi Cohen, "Scandal Shocks Business World," 2005, available at http://www.ynetnews.com/articles/0,7340,L-3091900,00.html. See also Bob Sullivan, "Israel Espionage Case Points to New Net Threat," June 9, 2005, available at http://www.msnbc.msn.com/id/8145520/.

[6] For a description of bots and botnets, see "What Is a Botnet?," available at http://www.techfaq.com/botnet.shtml.

[7] Department of Justice, "Criminal Complaint: United States of America v. Paul G. Ashley, Jonathan David Hall, Joshua James Schichtel, Richard Roby and Lee Graham Walker," 2004, available at http://www.reverse.net/operationcyberslam.pdf.

[8] Department of Justice, "Computer Virus Broker Arrested for Selling Armies of Infected Computers to Hackers and Spammers," 2005, available at http://www.cybercrime.gov/anchetaArrest.htm.

[9] Joris Evers, "'Bot Herders' May Have Controlled 1.5 million PCs," 2005, available at http://news.com.com/Bot+herders+may+have+controlled+1.5+million+PCs/2100-7350_3-5906896.html.

[10] Department of Justice, "Over One Million Potential Victims of Botnet Cyber Crime," 2007, available at http://www.ic3.gov/media/initiatives/BotRoast.pdf.

[11] Leif Nixon, "The Stakkato Intrusions," 2006, available at http://www.nsc.liu.se/nixon/stakkato.pdf.

[12] The SEC Form 10-K filing by TJX claims that, in general, track 2 data (the magnetic-stripe data needed to clone a card, which on debit cards includes the PIN-verification values) was either masked off with asterisks or stored in encrypted form. TJX does, however, state that, "despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuers' approval process, in which data (including the track 2 data) is transmitted to payment card issuers without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX." This means that payment cards could have been cloned by the attackers despite the masking and encryption of stored data: the track data was exposed in the clear while in transit for authorization, and the stored ciphertext was only as safe as the decryption tool.

[13] Jenn Abelson, "Breach of Data at TJX Is Called the Biggest Ever: Stolen Numbers Put at 45.7 Million," March 29, 2007, available at http://www.boston.com/business/globe/articles/2007/03/29/breach_of_data_at_tjx_is_called_the_biggest_ever/.
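The auction scheme in the Invita case is worth restating as detection logic, because the control it was built around (a per-transaction alarm that fires above $500) sees nothing when every sale is kept under the line. The Python below is an added example, not code from the report or from the case record. The auction records, account names and the $500 alarm threshold are constructed for illustration, and the four signals it scores (prices clustered just under the alarm, a bidder pool that trades with nobody else, the same accounts reappearing auction after auction, and seller feedback written by that pool) are one reasonable way to look for such a ring, not a description of how eBay or PayPal detected this one.

```python
"""Collusion-ring scoring for an Invita-style auction laundering scheme.

Added example; the records, names and threshold below are constructed
for illustration and are not data from the case.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

ALARM_THRESHOLD = 500.0   # hypothetical per-transaction fraud alarm the ring stays under
BAND = 0.8                # prices in [BAND * threshold, threshold) count as "structured"


@dataclass(frozen=True)
class Auction:
    seller: str
    price: float
    bidders: tuple              # every account that bid, winner included
    winner: str
    feedback_by: Optional[str]  # account that later rated the seller, if any


# Constructed sample: one ring seller whose bidders trade with nobody else,
# and two ordinary sellers with overlapping, independent buyers.
SAMPLE = [
    Auction("ring-seller", 449.0, ("r1", "r2", "r3"), "r1", "r1"),
    Auction("ring-seller", 475.0, ("r2", "r3", "r4"), "r3", "r3"),
    Auction("ring-seller", 490.0, ("r1", "r3", "r4"), "r4", "r4"),
    Auction("ring-seller", 460.0, ("r1", "r2", "r4"), "r2", "r2"),
    Auction("ring-seller", 499.0, ("r1", "r2", "r3", "r4"), "r1", "r1"),
    Auction("shop_L", 120.0, ("u1", "u2", "u3"), "u1", "u1"),
    Auction("shop_L", 800.0, ("u4", "u5"), "u5", None),
    Auction("shop_L", 350.0, ("u2", "u6"), "u6", "u6"),
    Auction("shop_L", 45.0, ("u7", "u1"), "u7", None),
    Auction("shop_L", 1200.0, ("u8", "u3", "u5"), "u3", "u3"),
    Auction("shop_M", 60.0, ("u1", "u4", "u8"), "u8", None),
    Auction("shop_M", 480.0, ("u2", "u7"), "u2", "u2"),
    Auction("shop_M", 90.0, ("u3", "u6"), "u3", None),
]


def per_transaction_alarms(auctions):
    """The naive control the ring was built to evade: flag only large sales."""
    return [a for a in auctions if a.price >= ALARM_THRESHOLD]


def bidder_index(auctions):
    """Which sellers each bidder account has ever bid with."""
    idx = defaultdict(set)
    for a in auctions:
        for b in a.bidders:
            idx[b].add(a.seller)
    return idx


def score_seller(seller, auctions, index):
    """Score one seller on four ring signals; each signal is in [0, 1]."""
    mine = [a for a in auctions if a.seller == seller]
    if not mine:
        raise ValueError(f"no auctions for seller {seller!r}")
    n = len(mine)
    appearances = Counter(b for a in mine for b in a.bidders)
    pool = set(appearances)
    # Accounts that have never bid with anyone but this seller.
    captive_accts = {b for b in pool if index[b] == {seller}}
    # 1. Structuring: sales parked just under the alarm threshold.
    structured = sum(BAND * ALARM_THRESHOLD <= a.price < ALARM_THRESHOLD for a in mine) / n
    # 2. Closed pool: share of this seller's bidders that are captive.
    captive = len(captive_accts) / len(pool)
    # 3. Reuse: how much of the seller's history each bidder account appears in.
    reuse = (sum(appearances.values()) / len(pool)) / n
    # 4. Self-rating: seller feedback written by captive accounts.
    rated = [a.feedback_by for a in mine if a.feedback_by]
    self_rated = sum(r in captive_accts for r in rated) / len(rated) if rated else 0.0
    score = (structured + captive + reuse + self_rated) / 4
    return {"auctions": n, "structured": structured, "captive": captive,
            "reuse": reuse, "self_rated": self_rated, "score": round(score, 3)}


def find_rings(auctions, min_auctions=3, cutoff=0.75):
    """Sellers with enough history whose combined ring score passes the cutoff."""
    index = bidder_index(auctions)
    flagged = {}
    for seller in sorted({a.seller for a in auctions}):
        s = score_seller(seller, auctions, index)
        if s["auctions"] >= min_auctions and s["score"] >= cutoff:
            flagged[seller] = s
    return flagged


if __name__ == "__main__":
    print("per-transaction alarms:", [(a.seller, a.price) for a in per_transaction_alarms(SAMPLE)])
    for seller, s in find_rings(SAMPLE).items():
        print("ring candidate:", seller, s)
```

On the constructed data the per-transaction alarm flags only the two legitimate high-value sales and never the ring, while the graph signals put the ring seller at 0.95 and both ordinary sellers well under 0.2. The weighting is deliberately flat; in practice the thresholds would be tuned against known-good sellers, and the captive-pool signal is the one hardest for a ring to defeat without spending its fake accounts on other people's auctions.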

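The Stakkato spread across sites is easier to see as a graph than as prose. The Python below is an added example, not code from the report or from Nixon's analysis. Its sshd-style log lines, hostnames and address table are constructed; it assumes, as the attacker did, that a keystroke logger on a host captures both the passwords typed to log in to that host and the passwords typed on it to reach other hosts, and optionally that users reuse one password on every host where they hold an account. It also models the cleanup failure the text describes: a site that reinstalls one host without rotating every exposed password is re-entered with credentials the attacker already holds.

```python
"""Credential-reuse spread across login trust relationships.

Added example modelled on the Stakkato intrusions; the log lines, hostnames
and source-address table are constructed and are not data from the case.
"""
import re
from collections import defaultdict, deque
from typing import NamedTuple


class Login(NamedTuple):
    user: str
    src: str   # host the password was typed on ("external" if off-network)
    dst: str   # host the password is valid on


# Constructed "Accepted password" lines spanning four hypothetical sites: a
# university (uni-*), a supercomputer centre (hpc-login), a national lab
# (lab-node) and a company (corp-dev). isolated-host shares no users with them.
LOG = """\
Mar 12 02:10:07 uni-ws sshd[2211]: Accepted password for alice from 203.0.113.7 port 50122 ssh2
Mar 12 02:12:41 hpc-login sshd[913]: Accepted password for alice from 10.10.0.5 port 40211 ssh2
Mar 12 02:20:03 lab-node sshd[4471]: Accepted password for alice from 10.20.0.2 port 33100 ssh2
Mar 12 03:01:55 uni-gw sshd[1502]: Accepted password for bob from 198.51.100.9 port 51800 ssh2
Mar 12 03:02:30 uni-ws sshd[2290]: Accepted password for bob from 10.10.0.1 port 45012 ssh2
Mar 12 03:05:12 corp-dev sshd[777]: Accepted password for bob from 10.10.0.1 port 45020 ssh2
Mar 12 04:11:09 corp-dev sshd[801]: Accepted password for carol from 192.0.2.44 port 60001 ssh2
Mar 12 04:15:45 hpc-login sshd[950]: Accepted password for carol from 10.30.0.7 port 38800 ssh2
Mar 12 05:00:00 isolated-host sshd[301]: Accepted password for dave from 203.0.113.99 port 41000 ssh2
"""
# Hypothetical source-address table; any other address is treated as off-network.
IP_TO_HOST = {"10.10.0.5": "uni-ws", "10.20.0.2": "hpc-login",
              "10.10.0.1": "uni-gw", "10.30.0.7": "corp-dev"}

LOGIN_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<dst>\S+) sshd\[\d+\]: Accepted \w+ for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_logins(text):
    """Turn accepted-login lines into (user, src host, dst host) edges."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append(Login(m["user"], IP_TO_HOST.get(m["ip"], "external"), m["dst"]))
    return logins


def accounts_by_user(logins):
    """Hosts on which each user is known to hold an account."""
    acc = defaultdict(set)
    for l in logins:
        acc[l.user].add(l.dst)
    return acc


def exposed_by_keylogger(host, logins):
    """(user, host the password is valid on) pairs a keystroke logger on `host`
    captures: passwords typed to log in to it, and passwords typed on it to
    reach other hosts."""
    return {(l.user, l.dst) for l in logins if l.dst == host or l.src == host}


def spread(start, logins, assume_reuse=True):
    """Hosts reachable from `start` by repeating: log keystrokes, reuse the
    credentials, move, install the logger again. Maps each host to the
    (user, captured-on-host) credential that opened it. With `assume_reuse`
    a user's password is treated as valid on every host where they have an account."""
    accounts = accounts_by_user(logins)
    how = {start: None}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for user, dst in sorted(exposed_by_keylogger(here, logins)):
            for target in sorted(accounts[user] if assume_reuse else {dst}):
                if target not in how:
                    how[target] = (user, here)
                    queue.append(target)
    return how


def must_rotate(compromised, logins):
    """Every account whose password was typed on any compromised host."""
    return {l.user for l in logins if l.dst in compromised or l.src in compromised}


def reinfection(cleaned, compromised_before, rotated_users, logins, assume_reuse=True):
    """Reinstalled hosts the attacker can re-enter with credentials already
    captured, minus those whose owners changed their passwords."""
    accounts = accounts_by_user(logins)
    held = set()
    for h in compromised_before:
        held |= exposed_by_keylogger(h, logins)
    back = set()
    for user, dst in held:
        if user not in rotated_users:
            back |= (accounts[user] if assume_reuse else {dst}) & set(cleaned)
    return back


if __name__ == "__main__":
    logins = parse_logins(LOG)
    reach = spread("uni-ws", logins)
    for host, via in reach.items():
        print(f"{host:14s} via {via}")
    print("without password reuse:", sorted(spread("uni-ws", logins, assume_reuse=False)))
    print("accounts to rotate:", sorted(must_rotate(set(reach), logins)))
    print("reinstall uni-ws only, no rotation ->", reinfection({"uni-ws"}, set(reach), set(), logins))
```

From a single university workstation the model reaches the supercomputer centre and the lab through alice's outbound logins alone, and the gateway and the company through bob's reused password; isolated-host is never reached because nobody who touches it touches anything else. Reinstalling the workstation while only alice rotates her password still leaves bob's captured credential valid on it, which is the reinfection pattern the sites in the text kept seeing.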