Future Crimes

Page 4

by Marc Goodman


  As a result, we are increasingly connected to computer systems in ways we don’t understand. Moreover, these connections are wholly untrustworthy and vulnerable—a poor foundation upon which to build the information society of the twenty-first century. Yet that is exactly what we are doing. Not only are our personal and work computers deeply enmeshed with the Internet, but so too are all of the critical infrastructures upon which our modern society depends. The electricity grid, gas pipelines, 911 dispatch systems, air traffic control, the stock market, our drinking water, streetlights, hospitals, and sanitation systems are all dependent on technology and the Internet to function. In this brave new world, we’ve taken the human being out of the loop and have entrusted the backbone of civilization to machines.

  The credit card transactions, point-of-sale payment terminals, and ATMs that keep the global flow of commerce and capitalism humming would come to a screeching halt without the computers to run the network. Computers decide how, where, and when to route electricity to ensure the power grid’s stability. Computer-aided dispatch systems keep track of police cars, ambulances, and fire trucks so dispatchers know who is available and closest to respond in case of emergency. For a sneak peek of what this dystopian world without computers and electricity looks like, one need only turn on the television for a taste of techno-Armageddon-cum-zombie apocalypse from shows such as The Walking Dead or from films like Planet of the Apes and Live Free or Die Hard. Hollywood machinations aside, our computer-based critical information infrastructures are increasingly under attack and deeply vulnerable to systemic failure—the impact from which could be truly catastrophic.

  Many of the world’s critical infrastructures rely on supervisory control and data acquisition (SCADA) systems to function. SCADA systems “automatically monitor and adjust switching, manufacturing, and other process control activities, based on digitized feedback data gathered by sensors.” These are specialized, and often older, computer systems that control physical pieces of equipment that do everything from route trains along their tracks to distribute power throughout a city. Increasingly, SCADA systems are being connected to the broader Internet, with significant implications for our common security. Unfortunately, these systems were not designed with security in mind and were not engineered to be resistant to an Internet-connected world. The problem is worse than you think: in a July 2014 study of critical infrastructure companies across multiple sectors, nearly 70 percent of them had suffered at least one security breach that led to the loss of confidential information or the actual disruption of operations during the preceding twelve months.

  What might a hacker do with access to these systems? Take, for example, the complex information technology systems regulating the local water treatment facility. The SCADA system consistently measures and adjusts the appropriate mix of chemicals to clean our water and make it safe to drink. But what if such a system were hacked? Could the wrong amount of chemicals be mixed in, poisoning our water rather than purifying it? It may sound like fantasy, but hackers have already reportedly carried out an attack against the South Houston, Texas, Water and Sewer Department, according to a BBC report from 2011. The Internet protocol address of the attacker was traced to Russia, and the hackers involved were said to have repeatedly turned on and off a pump, quickly causing it to fail. While nobody fell ill in the attack, the proof of concept has been demonstrated.

  What other infrastructure hacks might be possible? As it turns out, the sky’s the limit, as the Federal Aviation Administration’s control tower in Worcester, Massachusetts, found out all the way back in 1998. There a local teenager used his knowledge of computing to sever communications between inbound aircraft and the tower and even turned off the runway lights for approaching aircraft. While nobody was killed in the incident, the potential for disaster is obvious. Of course there have been many more attacks against critical information infrastructures around the world. One of the earliest occurred in Maroochy Shire, Queensland, Australia, in 2001 wherein a hacker attacked a sewage treatment plant. He gained control of the facility’s industrial control systems and “caused millions of litres of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel.” The attack destroyed significant amounts of local marine life and flora alike, to say nothing of the environmental threat to local residents.

  Perhaps one of the most critical systems vulnerable to attack is our national electricity grid. Without electricity, all the fineries of our modern world cease functioning: no lights, elevators, ATMs, traffic control, subways, garage door openers, refrigerators, or gas pumps. And when the backup batteries and emergency generators inevitably die, no cell phones and no Internet. Despite our vital dependence on electricity as the technological infrastructure most central to our contemporary lives, the former U.S. secretary of defense Leon Panetta noted, “the next Pearl Harbor that we confront could very well be a cyberattack that cripples” our power systems and our grid.

  Panetta’s concerns seemed validated and further bolstered by a report by the U.S. Department of Energy, which noted that the American energy grid—often called the most complex machine in the world—connects fifty-eight hundred individual power plants and has more than 450,000 miles of high-voltage transmission lines. Yet 70 percent of the grid’s key components are more than twenty-five years old. Each of these components uses much older SCADA technologies that are readily attackable and persistently targeted.

  An investigation by the House Energy and Commerce Committee revealed that “more than a dozen American utility companies reported ‘daily,’ ‘constant,’ or ‘frequent’ attempted cyber-attacks ranging from phishing to malware infection to unfriendly probes. One utility reported that it had been the target of more than 10,000 attempted cyber attacks each month.” The report concluded that foreign governments, criminals, and random hackers were all hard at work either planning or attempting to take down the grid. The findings build upon prior statements by intelligence officials to the Wall Street Journal confirming that cyber spies had “penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system.” The same officials went on to say that spies from Russia and China have allegedly mapped the American grid so that in times of crisis or war with the United States its entire electrical network “could be taken out.”

  Terrorists also have designs on digitally attacking America’s infrastructure. In the summer of 2012, a video from al-Qaeda’s As-Sahab media wing was uncovered by the FBI. In the video, the terrorist organization called for its “‘covert mujahidin’ to carry out waves of cyber attacks against the U.S. networks of both government and critical infrastructures, including the electric grid.” Earlier FBI investigations revealed numerous instances of al-Qaeda’s conducting online target research and surveillance on emergency telephone systems, electric generation plants, water distribution facilities, nuclear power plants, and gas storage networks in the United States.

  The terrorist organization had even completed elaborate targeting packages on potential critical infrastructures to be attacked, including photographs of intended targets, detailed notes, and online research.

  Hackers too are working to understand, expose, and exploit vulnerabilities of SCADA and other critical information infrastructures. At the Chaos Communication Congress, an annual hacker gathering held in Germany, analysts at Positive Research demonstrated how to get full control of industrial infrastructures in the gas, chemical, oil, and energy industries. Equally troubling is the fact that hackers share this information with each other and have even created fully searchable public databases of known exploits that can be used to commandeer critical infrastructures. One well-known hacker database, Shodan, provides tips on how to exploit everything from power plants to wind turbines, searchable by country, company, or device, providing detailed how-tos and greatly lowering the technical bar and knowledge for any rogue individual to hack our critical infrastructures. In effect, for attackers interested in gaining control of our connected world, Shodan has become their Google—one that is near impossible to shut down because Shodan is hosted on multiple servers in foreign countries around the world and publishing vulnerabilities is not currently a crime in most of these places.

  Organized crime groups are also turning their attention to infrastructure attacks as a logical means of extorting money from utility companies and governments. Several such incidents reportedly occurred in Brazil between 2005 and 2007, when a wave of cyber attacks was carried out north of Rio de Janeiro and in the state of Espírito Santo. In that incident, nearly three million people were stuck in the dark when the local electricity provider failed to meet the extortion demands of a local crime syndicate. As a result, the city of Vitória, one of the world’s largest iron ore producers, had numerous plants forced off-line, costing the company nearly $7 million. The attacks were confirmed by U.S. intelligence officials, security researchers, and even obliquely by President Obama when he noted, “We know that cyber intruders … in other countries … have plunged entire cities into darkness.”

  WHOIS It?

  The famous Chinese general Sun Tzu, author of The Art of War, cleverly observed twenty-five hundred years before the creation of the Internet that “if you know thy enemy and know thyself, you will not be imperiled in a hundred battles.” Accordingly, in order to understand the vast technological threats before us, we must understand our enemies. Each has different means and motives, but what they have in common is the risk each poses to our profoundly interconnected world.

  The cast of characters responsible for cyber malfeasance is vast and includes nation-states, neighborhood thugs, transnational organized crime groups, foreign intelligence services, hacktivists, military personnel, cyber warriors, state-sponsored proxy fighters, script kiddies, garden-variety hackers, phreakers, carders, crackers, disgruntled insiders, and industrial spies. Each plays its role in what the U.S. military has declared to be the “fifth domain” of battle: cyberspace (following the militarization of land, sea, air, and space of generations past).

  These parties frequently use similar tactics, albeit with varying degrees of sophistication. Yet all attackers benefit from the asymmetric nature of the technology: the defender must build a perfect wall to keep out all intruders, while the offense need find only one chink in the armor through which to attack. Among the factions battling in the cyber underground, there is cooperation, witting and unwitting, as the players often learn from and imitate the operational success of one another. For example, transnational organized crime groups use highly sophisticated reconnaissance operations to plan their attacks but often rely on neighborhood thugs to carry out elements of their plots, such as the placement of ATM skimmers, money laundering, or the fencing of stolen goods on eBay. Terrorist organizations learn from cyber criminals and hack for financial gain to fund real-world operations. Patriotic bands of citizens are often formed into cyber posses by their state-sponsored benefactors in nations such as China, Russia, and Iran and receive tacit approval, funding, and training. In doing so, they share some of the same techniques and tools with their government patrons. There is a symbiosis in the cyber underground and a commonality of methodologies across the full spectrum of threat actors.

  Perhaps the first vision to come to mind when thinking of a hacker is the stereotypical image of a teenage male living in his mom’s basement, pounding away at the keyboard, surrounded by empty bags of Fritos and discarded Coke cans, trying to change his grades on his high school’s computers (as did Matthew Broderick in the 1983 film WarGames). In the early days of hacking, it was the telephone system that was the target of hackers’ attention as so-called phone phreaks manipulated the network to avoid the sky-high costs of long-distance calls. Let’s not forget two hackers who spent part of their youth back in 1971 building “blue boxes,” devices capable of hacking the phone network and making free calls: Steve Wozniak and Steve Jobs. The pair sold blue boxes to students at UC Berkeley as a means of making money that would effectively help fund their other small start-up, the Apple computer company.

  As time passed, other notable hackers emerged, such as Kevin Mitnick and Kevin Poulsen. Mitnick famously broke into the Digital Equipment Corporation’s computers at the age of sixteen and went on to a string of such cyber intrusions, earning him the FBI’s ire and the distinction of being “America’s most wanted hacker.” Poulsen’s ingenious 1990 hack allowed him to commandeer all of the telephone lines of a local Los Angeles radio station to ensure he would be the 102nd caller, thereby securing the top prize of a $50,000 Porsche 944 S2.

  These hacks from the 1970s, 1980s, and 1990s would seem benign by today’s standards. In the intervening years, hackers have gone on to become highly organized and have formed global online crime syndicates. They commit identity theft, credit card fraud, health-care fraud, welfare fraud, and tax fraud. Organized crime groups are now going after bigger and more sophisticated targets as well, including the vast amounts of intellectual property created by businesses around the world, from a company’s product plans to its computer source code. For example, in October 2013, criminal hackers targeted Silicon Valley’s Adobe Systems, stealing thirty-eight million account log-ins and passwords as well as millions of credit card numbers (nothing new there). But what changed in that attack was that the criminals also stole more than forty gigabytes of computer source code for Adobe’s flagship products, including Photoshop, ColdFusion, and Acrobat.

  As a result, not only can criminals now freely sell Adobe products, but they could also alter the code and insert untold numbers of hidden back doors, malware, and additional exploits into the product, causing Adobe’s legitimate and unsuspecting customers to suffer widespread hacking attacks and identity theft—a troubling development indeed given Adobe’s massive global footprint among computer users. Even Symantec, the maker of pcAnywhere and Norton AntiVirus, has had its source code stolen. Yep, the company that is selling you antivirus software to protect you from being hacked was itself compromised when a hacker stole 1.27 gigabytes of its security software source code and demanded a relatively paltry $50,000 in exchange for not posting the data on the well-known hacker Web site The Pirate Bay.

  Traditional organized crime groups, such as the Italian Mafia, Japanese Yakuza, Chinese triads, and Colombian drug cartels, have all diverted efforts and resources from their usual criminal activities to take advantage of the easy profits, greater anonymity, and limited police scrutiny afforded in cyberspace. Moreover, they do not have to worry about the draconian sentencing minimums often associated with their former economic activities, such as narcotics smuggling and trafficking in human beings. Organized crime groups in cyberspace are responsible for spam, phishing, fake pharmaceutical ads, the dissemination of child sexual abuse images, denial-of-service attacks, and extortion, to name but a few of their favored activities.

  In addition to the stalwart old guard of organized crime, a more nimble class of pure-play cyber-crime organizations is exploding onto the scene. These newly emerging and professionally organized criminal hacking groups are highly profitable and truly global, with heavy concentrations in China, Indonesia, the United States, Taiwan, Russia, Romania, Bulgaria, Brazil, India, and Ukraine. New syndicates, such as the Russian Business Network (RBN) in St. Petersburg, have even made names for themselves as multi-product-line, full-service cyber-crime organizations.

  RBN famously provides “bulletproof” Web site hosting services for all manner of other criminal enterprises and takes a completely hands-off approach to hosted content, freely welcoming anything from child pornography to malware exploit exchanges on its servers. Other professional criminal hacking groups, such as the ShadowCrew, offer online havens for “carders,” who specialize in the murky world of stolen personally identifiable information, including forged passports and driver’s licenses, and stolen credit cards—key ingredients to the world’s growing identity-theft economy. ShadowCrew operated the now-defunct Web site CarderPlanet.com, where over four thousand criminals from around the world could freely gather to buy and sell stolen and hacked identities, documents, and account numbers. Founded by the notorious criminal hacker Albert Gonzalez, ShadowCrew offered fellow criminals tutorials on everything from cryptography to card-cloning techniques, and Gonzalez’s organization was reportedly responsible for stealing and reselling more than 180 million credit and ATM cards. The number and reach of these highly profitable transnational organized cyber-crime rings have grown, and the security intelligence firm CrowdStrike was actively tracking more than fifty such major organizations globally.

  Besides transnational organized crime syndicates, hacktivists—politically motivated cyber attackers—represent one of the most influential and powerful groups in cyberspace. Anonymous, LulzSec, AntiSec, WikiLeaks, and the Syrian Electronic Army fall into this group and launch their attacks in retaliation for perceived injustices. Personalities such as Julian Assange, Chelsea (Bradley) Manning, and Edward Snowden have become household names for challenging some of the world’s most powerful institutions and for releasing data that others would most certainly have preferred remain hidden. While Assange, Manning, and Snowden have been propelled onto the covers of newspapers around the world, other hacktivist groups prefer that their individual members remain discreetly hidden in subordination to the organization itself and its broader agenda. One such notable example is Anonymous, a self-described leaderless organization whose members have become recognizable in public for wearing Guy Fawkes masks.
