Hackers are stealing trade secrets, proprietary technologies, business strategies
The exploitation of computer networks for espionage and other hostile activities is a growing menace to businesses and governments in North America. Commonly called cyber attacks, these intrusions typically rely on one or more types of malicious software, or malware (viruses, worms, Trojans, bots and back doors among them), to steal information or money, destroy data, or commit acts of sabotage such as disabling systems and networks.
Often, the attacks are designed to gather confidential information on corporate strategy and plans, government policy or proprietary technologies. Reports suggest that this type of spying, as well as the potential for digital era–style acts of sabotage, has been growing by leaps and bounds lately.
At the World Petroleum Congress in Doha, Qatar, in 2011, oil company executives said that cyber attacks were becoming more frequent and better planned, according to a Reuters story last December. An IT expert at the conference warned that the Stuxnet computer worm, which was specifically designed to subvert industrial systems and surfaced in 2010, changed the world of international oil companies because it was the first such attack to directly impact process control. In the computer-controlled, automated global energy sector, this type of malware could wreak havoc by subverting controls on equipment. The misuse of valves, for instance, could cause “huge damage,” the expert said.
The Stuxnet worm also demonstrated that innovative malware could be introduced into a system that was isolated from any external network, like the Internet. Believed to have been developed with the support of the U.S. and Israeli governments, the worm, which affected controls, wound up causing damage to centrifuges at a nuclear facility in Iran. It was delivered by a memory stick.
Iran, which is under international trade sanctions arising from its nuclear program and a dispute over its real nature, has had other major malware-related headaches. Last April, a virus infected the country’s oil ministry and national oil company networks, forcing the disconnection of control systems including those at Kharg Island, the location of a key export facility.
Although a wide range of sources point to significant growth in cyber attacks, with one recent report from Symantec Corporation indicating an annual increase of about 25 per cent, getting a handle on the true level of cyber mayhem targeting businesses and governments around the world can be difficult. For one thing, companies that discover their networks have been hijacked tend to keep quiet about it, often leaving shareholders and clients in the dark. Sometimes, they are unaware of the problem at all.
Bloomberg News published a widely circulated story last summer on a gang of so-called “patriotic hackers” operating from IP addresses in Shanghai, a group that experts strongly suspect has ties to the Chinese government. When reporters working on the story contacted 10 victims of the Shanghai-based Comment Group, they found that those that had learned of the hacks had not disclosed them publicly. Three of the 10 had been unaware of any cyber attack until reporters contacted them.
Some sectors are perhaps being targeted at a rate rising far faster than Symantec’s 25 per cent, which is a global average. Intrusions against computers that run essential infrastructure in the United States increased seventeenfold between 2009 and 2011, according to General Keith Alexander, chief of U.S. Cyber Command and director of the National Security Agency. He called the loss of industrial information and intellectual property through cyber-espionage “the greatest transfer of wealth in history,” the New York Times reported last summer.
Reliable estimates on the economic cost of these attacks are hard to come by, as one would expect. Last spring, the U.S. Federal Bureau of Investigation (FBI) said that cyber espionage had cost U.S.-owned businesses $14 billion over a six-month period. But, given the under-reporting and other factors, experts have said that the figure probably represents a fraction of the problem.
Although perhaps more aggressive than most, the hacking activities of the Comment Group are indicative of a trend in which cyber espionage appears to be tied to government agendas, or areas of interest, in the view of some experts. The Bloomberg story said that in case after case “the hackers’ trails criss-crossed with geopolitical events and global headlines.”
In short, some governments have apparently embraced network hacking and cyber-spying with gusto.
A couple of examples: While European Union (EU) leaders were negotiating over the Greek financial crisis, it was found that the office of the EU president had been compromised by the cyber equivalent of a wiretap, apparently intended to gather vast amounts of intelligence over weeks, or perhaps months. Closer to home, in July 2011, hackers accessed the network of the Immigration and Refugee Board of Canada.
Starting from computers in Toronto, according to logs kept by Cyber Squared Inc., an Arlington, Virginia-based cyber-security firm that monitors Comment Group activities, the hackers broke into the board’s network across Canada, harvesting and decrypting passwords, and finally reached the computer of a Vancouver-based adjudicator, Leeann King, who had made headlines less than a week earlier by temporarily freeing a Chinese national near the end of a long extradition fight (one the man eventually lost). The whole operation took only five hours.
Cyber Squared, on its website, says that oil and gas is one of several sectors, including telecommunications, financial services, law firms, public relations firms with dealings in China, think tanks, research organizations and the health-care industry, that are being increasingly targeted.
Various government agencies and organizations are also raising the alarm. The Canadian Security Intelligence Service (CSIS) report for 2010-11 said that attackers targeted networks of two federal government departments in January 2011—finance and the treasury board. The federal government, it added, was seeing “serious attempts to penetrate its networks on a daily basis.”
Canada’s auditor general, in his latest report to Parliament, highlighted concerns among senior civil servants that “the cyber-threat environment is evolving more rapidly than the government’s ability to keep pace.”
THE USUAL SUSPECT(S)
Aside from government, other sectors being targeted are aerospace, high-tech, oil and gas, and universities doing research. “In addition to stealing intellectual property, state-sponsored attackers are also seeking any information which will give their domestic companies a competitive edge over Canadian firms: an example would be inside knowledge of upcoming negotiations—personalities involved, their likes and dislikes, and so on,” said the CSIS report.
A couple of years ago, CSIS director Dick Fadden made headlines after saying that some provincial cabinet ministers were under foreign influence. He was indirect about the precise source of foreign interference, but indicated that China posed concerns.
Although U.S. reports sometimes single out Russia, China is likely the greater focus for the American cyber-security community. A report prepared by Northrop Grumman Corporation for the U.S.-China Economic and Security Review Commission underscores worries about cyber-security threats emanating from China. Designed as an open-source reference for policy makers, China specialists and “information operations professionals,” the report, Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, released in 2009, said that China was “a decade into a sweeping military modernization program that has fundamentally transformed its ability to fight high-tech wars.”
One priority of this modernization effort is computer network exploitation: intelligence gathering conducted through computer networks, scooping data from a target’s or adversary’s automated information systems and networks. Done well, it would give China state-of-the-art collection capability.
For a recruitment drive in support of its burgeoning information warfare capabilities, the Chinese military has been casting the net wide for people with specialist skills, across the commercial and industrial sectors, academe and “possibly select elements of China’s hacker community,” according to the 88-page report.
It says that many aspects of the modernization effort are based on the view of Chinese military strategists who see information dominance as the precursor to overall success in a contest or conflict.
U.S. Congressman Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, in early October urged Canadian companies not to do business with Chinese telecommunications giant Huawei Technologies Co. Ltd. The intelligence committee had just released a report describing the company as a threat to U.S. national security.
Although the warnings about Huawei have been dismissed as “politics” by some, the United States, India and Australia have banned Huawei from bidding on supplying equipment for networks considered part of critical infrastructure—oil and gas pipelines or the electricity grid, for example.
In Canada, Huawei is a supplier of networks to Bell, Telus, SaskTel and Wind Mobile, owned by Egypt’s Orascom Group.
Clients of telecommunications suppliers need to be sure that the equipment they buy does not include some malware that “phones home” and relays the data running through a supposedly secure network back to some hostile “mother-ship.” Also, a so-called back door within a switch’s software could enable unauthorized third parties to listen in, participate or even control a network. Experts note that both methods can be used with network switches. “The problem is that everything on a network goes through switches. You want to scrutinize companies that sell you them,” says David Skillicorn, a computer science professor at Queen’s University who has testified about cyber security before Parliament. He says it is even more important for switches to be free of such malware than it is for laptops.
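One practical check a buyer can run regardless of vendor is to watch what the switches themselves initiate. The block below is an added example, not code from this article or from any vendor: it scans flow records of the kind a NetFlow collector or a SPAN port would yield for connections that a switch’s management interface opens toward destinations outside a small allowlist (syslog, NTP and TACACS+ servers), and then looks for the regular timing that a “phone home” beacon tends to show. The switch inventory, the allowlist, the addresses and the flow records are all constructed assumptions.

```python
"""Flag switch-initiated connections that are not expected, and detect beaconing.

Added example; the inventory, allowlist and flow records below are constructed
assumptions, not data from the article.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Management addresses of the switches being watched (hypothetical).
SWITCH_MGMT = {"10.0.0.2", "10.0.0.3"}
# Destinations a switch is allowed to open connections to: (dst_ip, dst_port).
# Syslog and NTP to the management server, TACACS+ to the AAA server.
ALLOWED = {("10.0.0.10", 514), ("10.0.0.10", 123), ("10.0.0.11", 49)}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: (time_seconds, src_ip, dst_ip, dst_port, bytes_sent).
FLOWS = [
    (0, "10.0.0.2", "10.0.0.10", 514, 300),        # syslog, allowed
    (30, "10.0.0.2", "10.0.0.10", 123, 76),        # NTP, allowed
    (50, "10.0.1.20", "203.0.113.45", 443, 5000),  # a workstation, not a switch: out of scope
    (100, "10.0.0.2", "198.51.100.7", 22, 8400),   # one-off SSH from a switch to the outside
    (700, "10.0.0.3", "10.0.0.10", 514, 200),      # syslog, allowed
    (0, "10.0.0.3", "203.0.113.45", 443, 1100),    # the same outside host, every 600 s ...
    (600, "10.0.0.3", "203.0.113.45", 443, 1120),
    (1200, "10.0.0.3", "203.0.113.45", 443, 1090),
    (1800, "10.0.0.3", "203.0.113.45", 443, 1105),
]


def unexpected_flows(flows):
    """Return flows a switch initiated that are not on the allowlist, tagged internal/external."""
    hits = []
    for ts, src, dst, dport, nbytes in flows:
        if src not in SWITCH_MGMT or (dst, dport) in ALLOWED:
            continue
        scope = "internal" if ipaddress.ip_address(dst) in INTERNAL_NET else "external"
        hits.append((ts, src, dst, dport, nbytes, scope))
    return hits


def beacons(flows, min_hits=3, max_jitter=0.1):
    """Among unexpected flows, find (src, dst, port) triples contacted at regular intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    connections; a beacon without deliberate jitter sits well under 0.1.
    Returns {(src, dst, port): mean_interval_seconds}.
    """
    times = defaultdict(list)
    for ts, src, dst, dport, _nbytes, _scope in unexpected_flows(flows):
        times[(src, dst, dport)].append(ts)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[key] = round(avg)
    return found


if __name__ == "__main__":
    for hit in unexpected_flows(FLOWS):
        print("unexpected:", hit)
    for (src, dst, port), interval in beacons(FLOWS).items():
        print(f"beacon: {src} -> {dst}:{port} every ~{interval}s")
```

Two caveats follow from how the check works. It only sees connections the device itself opens, so a back door that waits for an inbound trigger, or that tampers with traffic on the data plane without generating new flows, will not show up. And the flow records must come from a tap or a collector on the far side of the switch, not from the switch’s own logging: if the switch is the suspect, its own logs are not evidence.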
Certainly, there have been questions about Huawei’s practices over the years since the Chinese company was founded in 1987. In 2003, Cisco Systems launched a suit against Huawei for copyright infringement. Although Cisco eventually dropped its lawsuit, that didn’t happen until independent confirmation that Huawei, as a result of the legal action, had stopped selling disputed switches and routers, and changed its manuals and software.
Also, Brian Shields, a former senior security adviser with Nortel Networks Inc., a telecommunications and network equipment manufacturer that filed for bankruptcy protection in 2009, has gone public in the last year with allegations that the company was targeted by hackers based in China. He says that the attacks continued for years, likely compromising everything from proprietary technologies to confidential financial data and strategic plans. Experts interviewed for this article consider these charges credible. “Evidence points very strongly that Nortel was hacked,” Skillicorn says. Shields has also been publicly warning against buying from Huawei, which he alleges was involved in some of the Nortel hacks, although he says he cannot prove it. Nortel once accounted for a third of the total market value of the Toronto Stock Exchange.
The tools used in the Nortel intrusions, which likely began around 2000, had been around long before that. A dozen or more years ago, network defences were thinner on the ground than they are today, although the term firewall, in its network-security sense, is popularly traced to the 1983 hacker movie War Games.
OIL AND GAS MAJORS HACKED
Despite better overall protection, however, and although the oil and gas industry is regarded by experts as relatively diligent about security, some weak links have been exposed in a series of cyber attacks over the last two years.
The U.S. natural gas pipeline system was targeted in a series of cyber raids likely beginning sometime in 2011. Pipeline operators were hit with “spear-phishing” attempts: email that masquerades as an internal message, or as coming from some other trusted source, in order to trick the recipient into giving up information such as usernames and passwords.
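A gateway or mailbox rule that encodes the masquerade described above is cheap to write. The block below is an added example, not code from this article or from any pipeline operator: it parses a raw message and raises three flags that spear-phishing commonly trips, a display name that claims to be an internal sender while the real address is external, a sender domain that is a lookalike of the internal one (after collapsing common character substitutions, or within a small edit distance), and a Reply-To that diverts answers elsewhere. The internal domain, the directory names and the sample messages are constructed assumptions.

```python
"""Spear-phishing triage: flag mail that masquerades as an internal message.

Added example. INTERNAL_DOMAIN, INTERNAL_DIRECTORY and the sample messages are
constructed assumptions, not data from the article.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-pipeline.com"                 # hypothetical
INTERNAL_DIRECTORY = {"it helpdesk", "jane doe", "payroll"}  # hypothetical display names

# Visual substitutions attackers use to build lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]


def normalize(domain):
    """Collapse common substitutions so exarnple-pipe1ine.com reads as example-pipeline.com."""
    d = domain.lower()
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def levenshtein(a, b):
    """Edit distance; catches one-character typosquats the homoglyph table misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    findings = []
    # A From: address actually on the internal domain is trusted here; that trust
    # only holds if the gateway enforces SPF/DKIM/DMARC so the header cannot be forged.
    if sender_domain == INTERNAL_DOMAIN:
        return findings
    if display.strip().lower() in INTERNAL_DIRECTORY or INTERNAL_DOMAIN in display.lower():
        findings.append("display-name-impersonation")
    if (normalize(sender_domain) == normalize(INTERNAL_DOMAIN)
            or 0 < levenshtein(sender_domain, INTERNAL_DOMAIN) <= 2):
        findings.append("lookalike-domain")
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages.
LEGIT = """From: Jane Doe <jane.doe@example-pipeline.com>
To: ops@example-pipeline.com
Subject: Shift schedule

See attached.
"""

PHISH = """From: IT Helpdesk <helpdesk@example-pipe1ine.com>
Reply-To: helpdesk-reset@mail-example.test
To: ops@example-pipeline.com
Subject: Password expiry - action required

Your VPN password expires today. Sign in at the link below to keep access.
"""

VENDOR = """From: Bob Smith <bob@vendor.example>
To: ops@example-pipeline.com
Subject: Invoice 4471

Attached.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("phish", PHISH), ("vendor", VENDOR)):
        print(label, analyze(sample))
```

The rule deliberately lets ordinary external mail through (the vendor sample raises nothing) and only scores the combination of signals an impersonation needs; a message that hits all three is a strong candidate for quarantine, while a single lookalike-domain hit on its own is worth a registrar check on that domain rather than an automatic block.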
Last August, Saudi Aramco was targeted and 30,000 workstations were infected. Data was destroyed and replaced with an image of a burning American flag. The isolated networks for production were not affected, according to the company. Days after the Saudi Aramco incident, Qatar-based RasGas was forced to shut down its website and email systems because of an attack. The malware that hit Saudi Aramco was “Shamoon” (catalogued by Symantec as W32.Disttrack), which targets Windows NT-family systems and, rather than quietly harvesting data, overwrites files and the machine’s master boot record, leaving it unbootable; it has been used in targeted attacks on the energy sector.
In early 2011, it emerged that the networks of several oil and gas companies, including some U.S. and European majors, had been hacked over a lengthy period, perhaps starting in 2008 but no later than November 2009. The purpose of the hacks appears to have been the theft of valuable or sensitive information, including deals, legal matters and financial data. Hackers had also targeted electronic topographical maps. In some instances, hackers had undetected access to company networks for more than a year, according to one investigator. A report by the security firm McAfee Inc. described some of the techniques used to hack company computers as “unsophisticated” and commonly used by Chinese hackers.
In September this year, Telvent Canada Ltd. learned of a breach of its internal firewall and security systems. In a letter mailed to customers, a copy of which was obtained by blogger Krebsonsecurity.com and quoted on the site, the Calgary-based company said that the attacker(s) had installed malicious software and stolen project files related to one of its core offerings, OASyS SCADA. Telvent makes software for remote support services in the energy sector, including pipelines.
The Krebs account of the Telvent breach referred to an accompanying image from a photocopied document on the malware and network components involved, and said that they “strongly suggest the involvement of Chinese hacker groups tied to other high-profile attacks against Fortune 500 companies over the past several years.”
Schneider Electric, a French energy conglomerate and owner of Telvent, responded to a request for an interview with a prepared statement. It said that Telvent was working with law enforcement, security specialists “and our affected customers to ensure this breach has been contained.”
NEW WAYS TO BREAK IN, GRAB INFO
It’s not just Fortune 500 companies that are targeted. An estimated 18 per cent of attacks target companies with fewer than 250 employees, while about 50 per cent are aimed at ones with fewer than 2,500. Attacks on companies with fewer than 250 employees are trending up, and governments are the targets of about 25 per cent of all attacks worldwide, says Kevin Haley, director of security response at Symantec Corporation. One of the lures drawing hackers to small businesses (fewer than 250 employees) is their customer or client lists. “But it is just as likely to be intellectual property,” he says.
Smaller firms might also be hacked as a means of gathering intelligence about a large client or project. Haley says this has happened in the defence industry. “The bad guys wanted to find out about a defence program, so they got in via a small contractor.”
Some of the targets may be small companies, but the complexity and sheer volumes of data are enormous. Haley says security companies have to be able to handle these volumes as it is “a waste of smart people to have them search a haystack for a needle. You need a system that can handle huge amounts of data. We have the ability to process big data.”
Another area of risk potentially providing a vector for unauthorized data capture is the conventional operations network. “Control systems out in the field are not afforded the protection available for the enterprise environment,” says Walter Sikora, vice-president for security solutions at Industrial Defender Inc. The risk, he suggests, is that malware could move along a network from controls to the enterprise part.
The U.S.-based company, which provides automated security, compliance and change management solutions for the chemical, oil and gas, and electric utilities sectors, was in the news in September when Telvent announced it was partnering with it to improve cyber security.
Another factor potentially increasing the cyber threat could occur in the case of a company whose senior management has ties to a hostile regime overseas, says Tom Keenan, an environmental design professor and a research fellow at the Centre for Military and Strategic Studies at the University of Calgary. “Invoices, for instance, go back and forth. The level of security varies among companies. Bad code could be buried in an invoice. More interaction means more opportunity.”
Also adding to the data vectors for spies is the increasing use of mobile devices with access to networks and SCADA systems, says Douglas Gray, president of Graycon Group Inc. He makes the point that an office lunch room with a wireless hot spot could wind up being used for something more than collegial talk over laptops and lattes. The hot spot might extend to another floor or two, potentially exposing an internal discussion to an outsider.
TIPS ON LOW-COST CYBER SECURITY
The good news, as Gray and others point out, is that many types of security breach are easily preventable and at little cost. Experts say somewhere between 80 and 95 per cent can be prevented with education, training and the willingness to follow a few rules.
Take cloud computing, which involves entrusting a remote service provider across a network, typically the Internet, with a user’s data, software, etc. If Human Resources moves data to the cloud without informing IT or the legal department, data could be vulnerable. When a university recently migrated scheduling, personnel and working data to the cloud—and left others in the dark about it—the university’s IT department wound up scrambling to plug the security holes. “When people move stuff to the cloud without IT or legal checking it, you have exposed a firm to risk,” Gray says.
He says that as non-IT people have become more tech savvy, they feel able to act more autonomously on IT issues, but they’re sometimes unaware of the specific security issues related to what they do. Gray says IT has to move away from the traditional top-down model. “IT needs to be an enabler so that then things are done safely,” he says.
Trustworthy providers are a common sense part of security, says Skillicorn, the computer science professor at Queen’s. “The problem with Huawei is no one really understands the relationship between the company and the Chinese government. There’s a reason we don’t buy fighter jets from the Russians. It’s not just a market.”