Elevated Threat
Page 15
June 9, 2015
Washington, DC
03:05 PM EST
An almost audible gasp could be heard from coast to coast when the President finished his second press conference from the White House in as many days. Despite his attempt to show resolve, the now-standard mantras of, “We will find who did this and make them accountable,” and “We are strong and will overcome this,” rang hollow to the listening audience. Their money was gone. No longer was it only the right-wing activists lusting for blood. Americans everywhere were commenting on TV, in newspapers and blogs, and calling in to radio shows to say that they had had enough of the war on terror. A collective anger was rising all across the country, demanding that America go on the offensive. It was time to start preventing these attacks rather than weakly responding to them after the fact. Americans everywhere were quickly reaching the tipping point where someone, somewhere, had to pay, and pay dearly.
June 9, 2015
Tampa, Florida
07:00 PM EST
When the FBI tactical team burst through the doors of the Tampa offices of AntiMay Corporation, the creators of the SEDR software, they found the offices abandoned. A commercial cleaner had been hired to scrub them from top to bottom. The agents in the bright blazers had little more to do than wander around and complain about the bugs in Florida. The only thing the SEDR creators had left behind was found in a small side office: a single fold-up card table with a laptop computer sitting on it. When the agents turned on the computer and looked through the browser’s history, the last site listed was in Russian. When they opened it, they found it was ОАО Московская Биржа, the Moscow Exchange, the largest stock exchange in Russia.
THE INTERNET NEVER LIES
Name: Sattar Kunanbaiuly
Age: 28
Nationality: Kazakhstan
Education: Stanford University. Majored in Computer Science.
Professional History: No known employment. Believed to have been living on funds from stolen Russian identities. Currently wanted by Interpol.
Family history: Father, Ultarak; mother, Asel. No known professional history. Mother believed to be a maternal cousin of Zhibek Zhumbayev.
Current whereabouts: Unknown
Current watch-list status: Red
June 8, 2015
Shanghai, China
10:30 PM
In a nondescript 12-story building off Datong Road in Shanghai, known to the world as Unit 61398, sits the Chinese People’s Liberation Army’s advanced persistent threat team. From this building they run their nefarious business of using the internet to steal all they can from everywhere they can. Unit 61398 was publicly identified in 2013, in a report by a US security firm, as the pawn the Chinese government used to steal US military secrets, weapon and strategic product blueprints, and the product plans of private and public companies alike. No target has been too small or too large for the round-the-clock teams of computer hackers in Unit 61398. For a salary of 2,638 yuan ($405), state-sponsored cadets routinely steal design secrets worth hundreds of millions of dollars. All for the good of the motherland.
Despite numerous attempts by the US and its western allies to stem the one-way flow of stolen and copied information, the Chinese have only stepped up their efforts, stealing their way to relevance among the world’s major powers.
Less known to the world is that on the second floor of Unit 61398, teams of equally dedicated cadets monitor and protect the security of China’s own secrets and government transactions. As an old Chinese proverb suggests, “What good is it to steal all the rest of the world’s secrets, if others can just steal them back from you?”
In a dingy corner of the second floor of Unit 61398 was Officer Cadet Deshi Zoeng’s desk. It was there that Cadet Zoeng watched his monitors intently for any indication that the systems under his watch were being compromised. While he scanned his reports, his screen started flashing. It was the first indication that the great People’s Liberation Army was not the only one ready to use the internet to spy and steal secrets.
Cadet Zoeng saw that a denial-of-service attack had just been unleashed on the Agricultural Development Bank of China (ADBC). ADBC funds agricultural development projects in the country’s rural areas and is one of China’s three policy banks, the institutions that carry out government-directed lending alongside the four big state-owned commercial banks. ADBC was a rather big fish in the banking pond. Unfortunately, that fish was currently swimming blind as its public-facing internet services were being flooded by a botnet.
These types of attacks are unfortunately getting rather routine, and for the world’s security agencies they often fall into the nuisance category rather than counting as a breach. When Cadet Zoeng noticed that two more DOS attacks were starting up, targeting the other two policy banks, China Development Bank (CDB) and the Export-Import Bank of China, things really started to get interesting.
In a matter of minutes those websites were also unusable, and the entire second floor of Unit 61398 was getting agitated. The floor supervisor wanted to know the source of the attacks, and he wanted every detail of them analyzed. Officer Cadet Zoeng was already tracing source addresses and pulling packet captures to understand the attack before his boss even asked. It didn’t take him long to trace all of the IP addresses back to one place: the United States.
Cadet Zoeng was not yet alarmed. He knew very well that the source address on a packet can be forged so that traffic appears to come from one place when it actually comes from another, and that traffic can be bounced through compromised machines or proxies in a distant country so that it arrives wearing their addresses. He also knew it was possible that the attack really was originating in the US, generated by some college student trying to make a name for himself in the hacking underworld.
Then, just as fast as the attacks had started, they stopped. Traffic loads dropped back to normal and the websites were reachable again. Everything seemingly had gone back to normal. Unfortunately for Cadet Zoeng, reams of traces would still have to be analyzed before his boss would let him go home. Even though he worked the night shift, he knew that tonight’s shift might stretch well into the next day. Resigned to that fact, he methodically began breaking down the traces. He would start with the aggregate picture, which sources, how much traffic, and when, and then work his way down to the packet details.
One odd characteristic of the traces stood out rather quickly as Cadet Zoeng worked his way down into the details of the transmissions. Most of the payloads were the usual repeated strings of garbage characters, generated just to fill the pipe with traffic. But then he discovered a series of incoming transmissions that were not random chatter at all but some rather sophisticated code. Every packet that carried code was exactly the same size. Even though Cadet Zoeng couldn’t tell what the code did, he could see it was delivering some kind of replacement Java objects to the banks’ computers. He sent copies of the code up to the third-floor analysts.
The other big surprise in the traces was not in the inbound traffic but in what Cadet Zoeng found in the outbound traffic after the inbound coded packets had been acknowledged. Specifically, the traces included large money transfers. Since these were very large banks that routinely moved large sums, the size of the transactions was not what caught his attention. It was where the money had gone that piqued his interest: the GSX HVT Partner Group in Chicago. Cadet Zoeng had never heard of these banks transferring money directly to an American stock brokerage before.
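As an added illustration of the triage the two passages above describe, and not code from the novel: a small Python script that works the way Cadet Zoeng does, from per-source totals down to individual payloads. It models the flood filler as the repeated garbage strings the text mentions, drops those, groups the remaining payloads by exact size, and reports clusters of identical-size, high-entropy payloads, checking whether they begin with the magic bytes of a Java serialization stream (0xACED 0x0005, a real constant). The packets, the addresses (RFC 5737 documentation ranges) and the cluster threshold are all constructed assumptions.

```python
"""Added triage example: separate DDoS filler from payloads that carry code,
working from aggregate per-source counts down to packet details.
All packets below are constructed sample data, not a real capture."""
from collections import Counter, defaultdict
import math
import random

# Real constant: a Java serialization stream begins with magic 0xACED, version 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for repeated filler, close to 8 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_filler(payload: bytes, max_period: int = 16) -> bool:
    """Flood filler in the story is a short pattern repeated to pad the packet.
    Detect that as an exact periodic repeat with period <= max_period (assumed bound)."""
    for period in range(1, max_period + 1):
        unit = payload[:period]
        reps, rem = divmod(len(payload), period)
        if unit * reps + unit[:rem] == payload:
            return True
    return False


def aggregate_by_source(packets):
    """Step one: bytes per source address, the aggregate view of the flood."""
    volume = Counter()
    for src, _dst, payload in packets:
        volume[src] += len(payload)
    return volume


def find_code_carriers(packets, min_cluster: int = 2):
    """Step two: drop filler, group what is left by exact size, and report clusters of
    identical-size payloads, noting entropy and whether they look like a Java object stream."""
    by_size = defaultdict(list)
    for src, dst, payload in packets:
        if not is_filler(payload):
            by_size[len(payload)].append((src, dst, payload))
    findings = []
    for size, group in sorted(by_size.items()):
        if len(group) < min_cluster:
            continue  # a lone odd packet is not the cluster the text describes
        findings.append({
            "size": size,
            "count": len(group),
            "sources": sorted({s for s, _, _ in group}),
            "mean_entropy": round(sum(shannon_entropy(p) for _, _, p in group) / len(group), 2),
            "java_object_stream": all(p.startswith(JAVA_SERIAL_MAGIC) for _, _, p in group),
        })
    return findings


def build_sample_capture():
    """Constructed capture: addresses are RFC 5737 documentation ranges, not real hosts."""
    rng = random.Random(61398)
    bank = "192.0.2.10"
    packets = []
    filler_sources = ["198.51.100.11", "198.51.100.12", "198.51.100.13"]
    for i in range(300):  # flood filler: a short unit repeated to a random length
        unit = rng.choice([b"@", b"XZ", b"AAAB", b"%%%%%%%%"])
        length = rng.randint(200, 1400)
        packets.append((filler_sources[i % 3], bank, (unit * length)[:length]))
    for _ in range(6):  # six identical-size packets carrying a serialized Java object
        body = bytes(rng.getrandbits(8) for _ in range(508))
        packets.append(("203.0.113.7", bank, JAVA_SERIAL_MAGIC + body))
    for i in range(1, 6):  # ordinary web requests of distinct sizes, so no cluster forms
        req = f"GET /{'a' * i} HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n".encode()
        packets.append(("198.51.100.50", bank, req))
    rng.shuffle(packets)
    return packets


if __name__ == "__main__":
    capture = build_sample_capture()
    print(aggregate_by_source(capture).most_common(3))
    for finding in find_code_carriers(capture):
        print(finding)
```

The per-source totals name the three filler sources as the loudest senders, which is all a volume view can say; it is the second pass, after the filler is discarded, that isolates the six equal-size, high-entropy packets from a fourth address that the flood was covering for.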
Within Unit 61398, information passed to superiors travels a one-way street. When Cadet Zoeng had completed his report and sent it up the chain of command, he knew he would never get a response explaining what had come of it. Why the money had been sent to Chicago, and what happened to it after it got there, would forever remain a mystery to Cadet Zoeng. Worse, he would never know how his investigation into a simple DOS attack had started a fundamental change in the direction of US-China relations.
June 8, 2015
Tehran, Iran
6:00 PM
In Iran, the Ministry of Intelligence and Security has had far more experience protecting government sites from intrusion than China’s Unit 61398. It is also much harder than it is in China for an operative to get inside access to an Iranian government computer. The same cannot be said for certain Iranian business computers that have to work with the outside world every day. The National Iranian Oil Company is a government-owned corporation, completely under the direction of the Ministry of Petroleum of Iran, but in many ways it operates as a private company. And, fortunately for anyone trying to break into its computer systems, it has the same level of security as any other private company. As in China, though, orders from superiors are expected to be followed, no matter how risky they sound. That fact turned out to be the Achilles’ heel of the National Iranian Oil Company.
When Afareen Jalili, the chief IT manager for the NIOC’s billing computers, was asked by a senior finance minister to install a new security patch on the system, she was uneasy. The minister had never involved himself in mundane things like software patches before. However, in Iran questioning or refusing a direct order from a finance minister is at best a career-limiting move, and at worst it could get you an eight-by-ten room to live in for a while. Since the request had come over a secure channel and had carried the correct logo and the daily security insignia, she dutifully installed the patch and ran a smoke test on the software. Everything appeared normal. The channel and the insignia vouched for the message; nothing she had checked vouched for the patch itself.
6:30 PM
When the denial-of-service attack was launched against the NIOC website, Afareen was quickly alerted and started monitoring the situation. Unfortunately for her, a few minutes after the start of the DOS attack the entire server became unresponsive. The server’s CPUs were all pegged at 100% utilization. Apart from brief bursts of activity from a process she had not seen before, every corrective action she attempted was locked out. Even after the DOS attack had subsided, the activity on her server was not abating. The burst of activity seemed to have been timed to coincide with the DOS attack, but the runaway process was now running from an internal source. She tried every corrective action she could think of, short of rebooting, but she could not get enough of the system back to kill the process.
Within nine minutes of the start of the DOS attack, the runaway process stopped and all regular system processes dropped back to normal loads. Even the server’s CPU activity dropped to expected values. Afareen ran some diagnostic checks on the system, and everything came back normal. Since the system was now working properly, she turned her attention to figuring out what had just happened. Her first step was to find out what the mysterious process that had locked her out was.
Digging into the system logs, she discovered that the mysterious process was named digDeep.exe and that it had run for a total of 8 minutes. The logs also showed that from the moment digDeep.exe started executing, it had made system calls exclusively to a program called Updater1. She then traced the Updater1 program and discovered it had been installed with the security patch the finance minister had sent her. Afareen had a very bad feeling in the pit of her stomach. Perhaps this time she should have questioned her superiors.
Before Afareen had time to decide her next course of action, the red phone on her desk started screeching its ungainly ringtone. Since this phone was only used when secure communications with her superiors were required, and typically meant bad news was waiting at the other end, Afareen took a deep breath before answering.
“IT Department, this is Afareen.”
“Afareen, this is Mr. Kashani. I just received a purchase agreement confirmation from Kala Naft Ltd. in Canada, and I have received seven purchase orders from them within the last few minutes. Each purchase order was for 399 million Canadian dollars. Kala Naft Ltd. are in charge of carrying out North American procurements for us; however, these orders should have been held for payment authorization by me. Instead, the payments for them were sent immediately. We tried to stop the transfers but we couldn’t get any response from the computers. While we work to get our money back from Kala Naft, I need you to find out what happened, and I need you to make sure it doesn’t happen again.”
The first thing Afareen did after hanging up was to make copies of the emails and orders from the finance minister asking her to install the patch. She knew she was going to be blamed, and that all records on her computers would soon magically disappear. If she could get copies out to friends, she might have a chance of not disappearing along with them.
June 9, 2015
Washington, DC
1:30 PM EST
Despite back-channel assurances from the US State Department that the US had had nothing to do with the web attacks on their companies, the Chinese and Iranians were irate and, at best, skeptical of the US claims. With the US mired in its own stock-market crisis, the US diplomats were clearly not willing to bend over backwards to appease the Chinese or the Iranians. Some in the US intelligence community still harbored the idea that the stock-market meltdown had, in fact, been initiated by one of these two long-time antagonists. Considering the amount of state-sponsored hacking from the Chinese over the last couple of years, the theory of their involvement was easy to believe.
In China, there was an equal amount of speculation among the political and intelligence teams that the US might have decided to retaliate for all those years China had been dipping its hand into American companies’ intellectual property.
The Iranians were equally suspicious. The US already had a history of hacking into Iran’s critical infrastructure. The Stuxnet worm attack on their nuclear centrifuges would not be forgotten anytime soon by the Iranian political elite. Surely a US hack designed to steal money directly from their national oil company wouldn’t be out of the question. To say that the distrust among these three countries over cyber-espionage was at an all-time high would be no exaggeration.
Adding to the distrust in China and Iran was the question of where their money had gone, and the lack of any guarantee from the US of getting it back. The US diplomats had a hard time explaining how so much money could have been withdrawn from Chinese and Iranian accounts and then immediately commingled into investments, investments that somehow lost 80% of their value in one day. The explanation offered, that a rogue high-frequency trading computer in Chicago had caused the stock crash and taken their money with it, did not seem plausible. And since the money had disappeared into the same black hole as all the legitimate money, the US had no intention of giving them their lost funds back anytime soon.
June 10, 2015
Tehran, Iran
8:30 PM
The Iranian Ministry of Intelligence and Security went into action when it started intercepting a flood of tweets and emails, all of US origin, calling for political rallies against the recently elected Iranian President. Losing money was one thing; overt meddling in the religious or political arena would not be tolerated.
At the same time the Iranians were starting to intercept politically charged communications from the US, Chinese officials were intercepting their own first wave of damaging communications. It all started when china.org.cn, one of China’s main news outlets, had its website hacked. Its front page was rewritten with false stories about how dangerously high levels of melamine had once again been found throughout the country in milk and baby-formula products from the top four Chinese milk producers. The articles urged everyone to throw all milk products away immediately and not to purchase any more. They went on to say that anyone who had consumed milk or milk products in the last week and had developed an upset stomach should go immediately to the nearest hospital.
The Xinhuanet.com news service website was also hacked, and a front-page column was added that not only corroborated the milk ban but expanded the warning to drinkers of a common variety of Chinese tea. The article stated that “Shu Tao” tea, produced by Chengdu Shutao Tea Company, the biggest supplier in China, had introduced new preservatives to make the tea last longer on the shelf, and that medical testing had found the preservatives could cause a form of throat lesion that was a precursor to throat cancer. The article advised anyone who had a sore throat after drinking this tea to go immediately to a hospital for treatment.
Despite strong public denials of the false reports from Chinese political officials and from the president of the Chengdu Shutao Tea Company, the Chinese population was deeply skeptical. The citizens of China had seen before how their government tried to cover up scandals. Later in the day, several Chinese social media sites began running stories claiming that the dead and dying were piling up at numerous hospitals after drinking tainted milk. These new stories carried testimonials from “reliable government sources” explaining how the business community and the government were once again lying to hide the truth from the public. Panic quickly set in among the populace.
By the next day, milk and tea sales all across China had plunged, and hospitals were being overrun by people complaining of sore throats and upset stomachs.
Every IP trace for all the internet mayhem that the People’s Liberation Army’s advanced persistent threat team could find led straight back to servers in the United States. US State Department officials’ claims of having no involvement in these events went unheeded. As one Chinese diplomat said:
“What better way for the US to create deniability of the attacks than by making the information easy to trace back to the US, then claiming to us that, if you were behind them, you wouldn’t use your own servers to do it? What kind of fools do you take us for?”