
15 September 2016

WELCOME TO THE DARK NET, A WILDERNESS WHERE INVISIBLE WORLD WARS ARE FOUGHT AND HACKERS ROAM FREE


OCTOBER 2016

Through the eyes of a master hacker turned security expert, William Langewiesche chronicles the rise of the Dark Net—where weapons, drugs, and information are bought, sold, and hacked—and learns how high the stakes have really become. 

I. THE BACK DOOR 

His name is not Opsec, but I will call him that to guard his privacy. In webspace he is known as a grand master of the dark art of hacking. He is one of a small elite—maybe a hundred, maybe fewer—all of whom are secretive and obsessed with security. They do not talk about their work with their families. They generally do not talk to the press. Nonetheless, through friends of friends, Opsec agreed to speak and to introduce me to his perspectives. In “meatspace,” as he and others like him call the real world, Opsec lives in a metropolitan area in a little wooden house by a railroad track. He is in his mid-30s, physically imposing, and not a geek. He hangs out in a local bar, where the regulars know vaguely that he works with computers. 

He is a fast talker when he’s onto a subject. His mind seems to race most of the time. Currently he is designing an autonomous system for detecting network attacks and taking action in response. The system is based on machine learning and artificial intelligence. In a typical burst of words, he said, “But the automation itself might be hacked. Is the A.I. being gamed? Are you teaching the computer, or is it learning on its own? If it’s learning on its own, it can be gamed. If you are teaching it, then how clean is your data set? Are you pulling it off a network that has already been compromised? Because if I’m an attacker and I’m coming in against an A.I.-defended system, if I can get into the baseline and insert attacker traffic into the learning phase, then the computer begins to think that those things are normal and accepted. I’m teaching a robot that ‘It’s O.K.! I’m not really an attacker, even though I’m carrying an AK-47 and firing on the troops.’ And what happens when a machine becomes so smart it decides to betray you and switch sides?” 

Opsec lives in a hall of mirrors. He understands that webspace and meatspace, though connected, remain largely distinct. Given sufficient motivation and time, Opsec can break into almost any secure network without setting off alarms. Breaking in used to thrill him, because once inside he could roam as he liked, but success comes too easily now: with such an attack, he has to find only a single way in. By contrast, defense presents the challenge of out-thinking every aggressor. This appeals to him, and he works now on the defending side. Usually this means protecting company networks from criminal attacks, or reacting to attacks after damage has been done. Opsec does not do the routine stuff. He is the man for the serious cases. He has seen some big ones. But even he was taken aback when, late last year, he stumbled upon a hack—a sliver of alien software on American shores—which suggested that preparations were being made for a cyber-attack of unprecedented scale. 

I will call his client the Company. It is an Internet behemoth. It streams entertainment online and makes direct regular connections to more than 70 million personal computers worldwide. The Company does not charge for the connections but rather for the services it provides. It is very profitable. And it is under frequent attack from many parts of the world. Most of the attacks are drive-by shootings—spray-and-prays that succumb harmlessly to the defenses that Opsec has helped design. But some are carefully aimed and have threatened the Company’s existence. 

He first intervened six years ago, after a data center had been hacked (as Opsec puts it) in a fucking major way. The intruders had gone after key systems, including the central payment processor and the C.E.O.’s computer, and had stolen credit-card and financial data as well as the Company’s proprietary source code—the secret formula upon which the business is built. Opsec worked for nearly six months to clean up the mess. By backtracking he discovered that the hackers were a group associated with the Chinese army. They operated out of a specific building near Shanghai, which he was able to locate, and specialized in targeting entertainment companies. Eventually he was able to identify some of the individuals involved, and even to obtain pictures of them. Nominally, that was the end of it. Opsec told me that because a government was involved, and legal recourse in China was unrealistic, no further action was taken. 

What do you do when there is no law? Counter-hacking is a temptation, but can be dangerous. The Russian mob, for instance, has a poor sense of humor, and Colombian drug cartels are not much fun, either. Also, among independent hackers there is no small number of psychopaths. Over the years the Company has endured death threats, rape threats, and bomb scares. It gets personal. In a world without privacy, home addresses as well as the names of spouses and children are easily found. As the Democratic National Committee recently discovered, it is better not to get hacked in the first place. 

After the original breach by the Chinese, Opsec had urged the company’s management to establish a vigorous information-security program, which it did by building three NASA-like control rooms scattered in data centers around the world. Collectively, they are staffed around the clock. The sole purpose is to catch intruders, and to catch them as quickly as possible. The average industry delay in detecting a malicious hack is 188 days. For the Company, Opsec was hoping to reduce the delay to minutes or even seconds. But late last year, when the operations manager called him at home and urgently requested his presence at the Company’s high-tech campus, about 20 miles away, he knew that those defenses had failed. Almost as disturbing, the alarm had been raised not by the security team but by an ordinary technician, a system administrator doing the drudgery of a routine review. 

When Opsec got to the campus, the details filled in. The system administrator—a friend of his—had been going through event logs of the previous week. Event logs are lines on a screen showing summaries of each new task given to a computer network, with a time stamp and a green or red dot indicating success or failure. Seeing a red dot, the administrator had zoomed in for more information. The failed task turned out to be an attempt from within the Company to deploy a piece of software companywide. Deployment of software throughout the entire network did sometimes occur—for instance, to install updates—but it was rare, and sufficiently important that the sender did not often make a mistake. In this case, the sender had omitted a single letter in the domain name to which the job was addressed—hence the failure. The associated software package was unlike anything the system administrator had seen before. He alerted the operations manager. 

Opsec knew immediately that the package was suspicious. In lieu of a coherent naming scheme—for instance, a numbered update—there were random characters, followed by “.exe,” for an executable program. He ran the content through a piece of reverse-engineering software, called a disassembler, and quickly confirmed that his client had been hit with a malicious hack. Within an hour he understood that the purpose had been to permeate the Company’s networks, steal and encrypt all of its data, and demand payment for the data’s return. The numbers for an overseas bank account were included in the program. Opsec would not tell me where that bank account was, or how much had been demanded. He said only that it was an aggressive piece of ransomware, and that often in such cases the data is never returned. Ransom attacks have become an epidemic on the Internet. Most are widely dispersed. They lock down a victim’s computers and ask for relatively small amounts, payable in hard-to-trace Bitcoins, in exchange for returning the victim’s life to normal. The biggest attacks—against corporations—have netted millions of dollars. Little is known about them because the victims are tight-mouthed. The massive hack of Sony Pictures in 2014 was a ransom attack, though by whom is still in question. Presumably Sony did not pay, because its internal e-mails and other information were released onto the Internet. Last February, hackers seized medical records from the Hollywood Presbyterian Medical Center, in Los Angeles. The hospital paid to get the records back. Now, through sheer luck—a missing letter—the attempt to extort Opsec’s client had failed. But big concerns remained: the Company’s network was clearly compromised. 
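As an added example (not code from the article or the Company), here is a small Python review script that checks a constructed deployment event log for the two tells described above: a company-wide DEPLOY job addressed to a domain that is one edit away from an approved one, and a package named with random characters followed by “.exe” rather than a numbered update. The log format, the approved domain, and the numbered-update naming scheme are assumptions made for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of the kind of event log described in the article:
# timestamp, task type, target domain, package name, outcome. Real logs differ.
CONSTRUCTED_LOG = """\
2015-11-02T03:14:05Z DEPLOY corp.example.internal update-2015.44.exe SUCCESS
2015-11-02T09:21:47Z BACKUP corp.example.internal nightly-full FAILURE
2015-11-03T22:58:11Z DEPLOY crp.example.internal xq7v2lk9p3za.exe FAILURE
2015-11-04T01:02:33Z DEPLOY corp.example.internal update-2015.45.exe SUCCESS
2015-11-04T02:30:00Z DEPLOY corp.example.internal agent-hotfix.exe SUCCESS
"""

# Assumed allow-list of domains a company-wide deployment may legitimately target.
APPROVED_DOMAINS = {"corp.example.internal"}

# Assumed legitimate naming scheme for deployment packages: a numbered update.
NUMBERED_UPDATE = re.compile(r"^update-\d{4}\.\d{1,3}\.exe$")


@dataclass
class Event:
    ts: str
    task: str
    domain: str
    package: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, task, domain, package, status = line.split()
        events.append(Event(ts, task, domain, package, status == "SUCCESS"))
    return events


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one omitted letter in a domain name gives 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(package: str) -> bool:
    """Crude heuristic for 'random characters followed by .exe': the file
    stem has no separators and mixes letters and digits."""
    stem = package[:-4] if package.lower().endswith(".exe") else package
    if any(sep in stem for sep in "-_."):
        return False
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def suspicious_deploys(text: str) -> dict[str, list[str]]:
    """Return timestamp -> reasons for every DEPLOY job worth a closer look."""
    findings: dict[str, list[str]] = {}
    for e in parse_log(text):
        if e.task != "DEPLOY":
            continue
        reasons = []
        if e.domain not in APPROVED_DOMAINS:
            nearest = min(APPROVED_DOMAINS, key=lambda d: edit_distance(e.domain, d))
            dist = edit_distance(e.domain, nearest)
            if dist <= 2:
                # A near-miss on an approved domain is the typo that surfaced the hack.
                reasons.append(f"target {e.domain!r} is {dist} edit(s) from approved {nearest!r}")
            else:
                reasons.append(f"target {e.domain!r} is not an approved domain")
        if not NUMBERED_UPDATE.match(e.package):
            reasons.append(f"package {e.package!r} does not follow the numbered-update scheme")
            if looks_random(e.package):
                reasons.append("package name looks like random characters")
        if not e.ok:
            reasons.append("job failed")
        if reasons:
            findings[e.ts] = reasons
    return findings


if __name__ == "__main__":
    for ts, reasons in suspicious_deploys(CONSTRUCTED_LOG).items():
        print(ts)
        for r in reasons:
            print("  -", r)
```

Any company-wide deployment that deviates from the naming scheme is reported, not only failed ones, since a correctly addressed job with the same payload would never have produced a red dot.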

Here was the situation Opsec faced. The package no longer mattered, but the hack most certainly did. Someone had emerged from the Internet, slithered into the Company’s heart, and then disappeared. The specific vulnerability the attacker had exploited was still unknown, and was likely to be used again: he had established a back door, a way in. Some back doors are permanent, but most are short-lived. Possibly this one was already for sale on the black markets that exist for such information in obscure recesses of the Internet. Until Opsec could find and lock it, the back door constituted a serious threat. Opsec reviewed the basics with the Company’s managers. He said, Look, we’re in the Internet business. We know we’re going to get hacked. We have to assume, always, that our network is already owned. It is important to go slowly and stay calm. We will soon know how and when to lock the door. We will have to decide later if we should do more. 

To me he said, “Also, relax. In the long run, the chance of survival always drops to zero anyway.” He did not say this to his client. It was not an insight the Company would have valued at the time. Even in the short run, as it turned out, the news would be alarming enough. 

II. ANARCHIST AT HEART 

Definitions. A vulnerability is a weakness in a network’s defenses. An exploit is a piece of software that takes advantage of a vulnerability. A zero-day exploit is a piece of software that takes advantage of a vulnerability that is known to a small group of aggressors and generally not to the defenders. “Back door” is another name for much the same. There are variations. Infinite invention is at play. Welcome to the Dark Net, a wilderness where wars are fought and hackers roam. More definitions. The Dark Net exists within the deep web, which lies beneath the surface net, which is familiar to everyone. The surface net can be roughly defined as “anything you can find through Google” or that is otherwise publicly indexed for all to see. The deep web is deep because it cannot be accessed through ordinary search engines. Its size is uncertain, but it is believed to be larger than the surface net above it. And it is mostly legitimate. It includes everything from I.R.S. and Social Security data to the internal communications of Sony and the content management system at The New York Times. It includes Hillary Clinton’s e-mails and text messages, along with everyone else’s. Almost all of it is utterly mundane. 

The Dark Net occupies the basement. Its users employ anonymizing software and encryption to hide themselves as they move around. Such tools offer a measure of privacy. Whistle-blowers and political dissidents have good reason to resort to them. Criminals do, too. White fades quickly through gray and then to black in the Dark Net. Furtive sites there offer all manner of contraband for sale—narcotics, automatic weapons, contract killings, child pornography. The most famous of these sites was Silk Road—the brainchild of Ross Ulbricht, a libertarian entrepreneur who was arrested by the F.B.I. in San Francisco in 2013 and sentenced last year to life in prison without parole. New and even larger marketplaces have opened, including the current leader, AlphaBay, which is owned by a man who has been quoted as saying he resides in an “off-shore country where I am safe,” gives interviews to the press, and openly defies attempts by the authorities to shut him down. There are twists: illegal narcotics sold over the Dark Net tend to be purer, and therefore safer, than those sold on the street—this because of the importance to the sellers of online customer ratings. By comparison, it is hard to see the bright side of missile launchers or child pornography. 

However noxious the illicit Web sites may be, they are merely the e-commerce versions of conventional black markets that exist in meatspace. The real action on the Dark Net is in the trade of information. Stolen credit cards and identities, industrial secrets, military secrets, and especially the fuel of the hacking trade: the zero days and back doors that give access to closed networks. A short-lived back door to the iPhone operating system may sell for a million dollars. In 2015 a black-market site called TheRealDeal, the first one to specialize exclusively in cyber-weaponry, opened for business. Several others have followed. There is something strangely circular about all this—the Dark Net chasing its tail through the Dark Net—but the stakes have turned out to be high. 

And the trade is new. So new that when Opsec looks back on recent history he can sound like an old man remembering the onset of World War II. He was born to a middle-class family in the orbit of Washington, D.C., and by the time he was in kindergarten it was obvious that he was a bright if stubborn child. This was toward the end of the 1980s, in the pre-dawn before the Internet as we know it. His mother owned an early personal computer—a big box with a keyboard, a black screen, and white letters. It had a dial-up modem for point-to-point connections to other computers. When Opsec was six, he discovered that he could play games on it. The first was a Japanese action game called Thexder, in which he could transform a robot into an airplane and bomb things on the ground. This was so gratifying that on weekends he would wake up his mother at five A.M. and get her to go through the necessary keyboard commands to access it. She grew so weary of this that she wrote out the commands for him to use. He then figured out how to write a simple program to automate the log-in. 

That was the start of the path he remains on today. By the age of seven he had become a regular on electronic bulletin boards where gamers exchanged information and posted downloadable games. The bulletin boards were precursors of the Dark Net: you could not search for them on a computer; you had to have a specific phone number and reach it point-to-point with a dial-up modem. After you found the first one, you were in and could find others. The users had pseudonyms and remained largely anonymous. Age and location did not matter. Social awkwardness did not matter. Some of the information the bulletin boards contained included pirated property and advice on how to break the law. 

Opsec was just a kid, and at first he was only after the games. His problem was that they were often locked and required payment. With hints from the bulletin boards, he began to reverse-engineer the games, identify the lines of code associated with security, and modify the programs to bypass the payment requirements. He then posted his solutions on bulletin boards so that others could do the same. Though he did not know it at the time, he was creating zero-day exploits. 

By the sixth grade, Opsec had started hacking into universities and phone companies. His parents saw him sitting hour after hour at the keyboard, but were so unaware of his activities that they bought him a laptop for schoolwork because his handwriting was bad. The effect was to pour fuel on the fire. His grades plummeted from A’s to D’s. I asked him what the attraction of hacking was. He said, “The whole idea of being able to exert your will on systems that were designed to exert the will of others—the designers. It was a powerful and addictive feeling.” 

When he was 12, Opsec began to attend the local chapter meetings of a notorious hackers’ group, named 2600 for the 2600-hertz tone that gave access to the analog phone systems of the time. The meetings were held in the food court of the Pentagon City shopping mall. He had a friend, a like-minded Persian kid who attended the meetings with him and was extraordinarily capable but a bit malicious: he later published papers on how to destroy hard disks remotely and how to cause computers to catch on fire by shutting down their fans. Although also an anarchist at heart, Opsec was more interested in expanding his skills than in wreaking havoc. 

But the two friends had technical goals in common. They became regulars at the food-court gatherings and eventually met a man there who worked for an unnamed government agency but was willing to explain certain concepts clearly. Such exchanges are characteristic of the larger hacker gatherings that have followed, with natural adversaries such as F.B.I. agents and Eastern European cyber-criminals temporarily setting aside their differences to share information. 

III. CHINESE NETWORKS 

Opsec took what he learned and acted on it. In most cases, success was defined as access to the administrative console of an operating system. That position is sometimes known as a root shell. For Opsec it was the holy grail, because from within the root shell, as an illicit administrator, he could do as he pleased, including using one computer to attack another, and from there yet another, in daisy chains that spanned the globe. This was tricky stuff, and also risky, because much of Opsec’s hacking was in violation of increasingly vigorous federal law, and the F.B.I. was cracking down. The most famous case at the time was that of Kevin Mitnick, a young Californian who had been repeatedly jailed for hacking. After violating the terms of a supervised release, Mitnick went on the run for several years, earning a place on the F.B.I.’s most-wanted list before being caught in 1995 and hauled off to prison for five years. With several of his friends in detention, Opsec grew nervous about being identified. 

It was 1996. The commercial Internet had barely arrived. Opsec was a scrawny adolescent. He was still using dial-up modems to break point-to-point directly into mainframes, particularly those that were part of the global telecommunications infrastructure. From an illicit bulletin board he obtained a master list of the default passwords used for many of the manufacturers, then went on a spray-and-pray hunt through the phone system, looking for vulnerable computers. To do this he wrote a program that would call every 1–800 number possible, for a total of roughly 7.9 million combinations. He chose 1–800 numbers because the calls were free. If computers answered, the program would distinguish between them, respond with factory-default passwords, and register the successful penetrations. Once the program had mapped the vulnerabilities, and Opsec had taken possession of some computers, he intended to use them to go after other computers, in order to hide his traces as he approached the final targets. The problem was how to make millions of automated phone calls, because even a 14-year-old has limits on his time. 

Late one night, working alone, he threw a rubber mat over a barbed-wire fence protecting a phone-company yard, and climbed up and over. Once inside he broke into two vans and stole everything he could: technical manuals, linemen’s handsets, utility belts, uniforms, helmets, pay-phone keys, and, most important, a master key to neighborhood trunk boxes—the junctions through which hundreds of phone lines run. With parts from a RadioShack he built a small device that allowed him to seize every one of those lines simultaneously. He connected the device to a small laptop that he had stolen from a Staples, and set to work. Dressed in an oversize lineman’s uniform and hard hat, with a utility belt dangling equipment from his waist, he slipped away from his house and every night for several weeks probed the 1–800 network with thousands of computerized calls. On the final night of the endeavor, at two A.M., he had opened a trunk box situated on the front lawn of a church, when an old woman—a member of the congregation—spotted him from her window and, noticing that his uniform did not seem to fit him, called the police. Opsec still wonders what she was doing up so late. When he was arrested, the police had so little idea of what he was doing that they returned the laptop computer to his father without having it examined. The local prosecutors charged him with illicit wiretapping, as if he had been eavesdropping. His parents hired an expensive lawyer. Opsec copped a plea to a misdemeanor to avoid having to explain himself, and was sentenced to several weeks in a juvenile-detention center, to be followed by years of probation. 

Then came the Internet, which for hackers was a dream come true. Suddenly they had access to millions of computers that until then they had needed to address one by one. Opsec invested in a high-speed DSL modem and set up a business in his Persian friend’s basement, renting out the connection to other hackers, who sent their computers to him because of the access he offered for relatively rapid downloads, often of stolen content, and the fast execution of complex attacks. He learned a lot by servicing those clients. As he gained experience he graduated from indiscriminate hunts for low-hanging fruit to more focused attacks, known as deep dives, against well-defended networks. The dives required careful planning. Opsec said, “You start with recon, studying the target network, but also doing research on employees, building psychological profiles, trying to assess the culture of security, and looking for the ‘social engineering’ possibilities—can you trick someone into divulging a password? You create a map of all the possible avenues you can use to get in.” 

Opsec got into the Colombian government’s networks without setting off alarms, and spent six months there, undetected, moving around. Then he dived into Chinese-government sites and military networks, and into the domain of specific Chinese hacking teams. He was 16 now. In yet another lapse of understanding his parents allowed him to take a job in an electronics store, where his main purpose was to steal more “burner” laptops to discard after use, to avoid detection. A regular customer there learned of his unusual knowledge of Chinese networks and offered him some work on the side: the man handed him a list of about 20 Chinese servers and asked Opsec to look into them. This turned into a regular thing. The man sent a bank transfer to him every month. Opsec guessed that he worked for the N.S.A. or the C.I.A. 

Opsec’s parents, meanwhile, kept shipping their son from one school to another, in the vain hope of getting him to return to conventional studies. They sent him off to a military school with the idea that boot camp might bring him to heel. He hacked into the school’s network, encrypted the data on a classmate’s personal computer, and taunted him with the loss. The school found out and gave Opsec the choice of helping to shore up its defenses or being expelled. He chose to be expelled. When he called his mother to give her the good news, she was livid. She said, “How did you manage to get kicked out of a bad-kid school?” She exiled him to live with his uncle in a faraway place. He kept hacking. 

IV. “MAFIABOY” 

Opsec describes the public’s awareness of the Dark Net as a slow awakening. It started at the dawn of the new millennium, around the year 2000. With Internet connections proliferating, e-commerce expanding, and the dot-com boom fully under way, the surface Web looked much as it looks today except for this: attacks were not pervasive and computer security was not a big concern. The problem with security is that it slows operations down, and the new and ambitious Internet entrepreneurs were locked into competitive races that allowed no room for interference. The interference came anyway. In February 2000 a 15-year-old French Canadian who went by the name Mafiaboy launched a series of denial-of-service attacks that took down a progression of important Web sites, starting with the then-dominant search engine, Yahoo, and moving on to Amazon, eBay, Dell, and CNN, among others. Such denial-of-service attacks, which overwhelm Web sites by hitting them with massive traffic, are the most primitive form of hack. They require only the hijacking of undefended computers, not the penetration of the target networks, and they do not result in the loss of data. In Opsec’s view, Mafiaboy was a talentless “script kiddie” who used off-the-shelf components written by others, and needed little knowledge to pull off his stunt. He was so naïve that he bragged about his exploits in Internet chat rooms. He was arrested, and sentenced as a juvenile to eight months of house arrest and a year of probation. But Mafiaboy’s attacks surprised the industry, caused losses estimated at more than a billion dollars, and made international news. Internet companies realized that they were going to have to improve their resiliency. The magnitude of the cited losses also got the attention of the underground. Anarchists were attracted by the opportunities to cause disruption. Others were attracted by the opportunities to make money. Organized crime soon got involved. 

Identity theft, credit-card fraud, and electronic extortion expanded rapidly. The public remained largely unaware, but with monetization the evolution of the Dark Net suddenly accelerated. In the United States alone, nearly every company larger than small is getting hit on a regular basis, usually from abroad. The Pentagon has said it fends off several million attempts at cyber-intrusion every day. 

Opsec had just turned 18 when Mafiaboy struck. Nominally he was a senior in high school. As an adult now, he arranged to have authority over his probation transferred from where he lived with his uncle back to the Washington area, and he returned from his exile soon afterward. That spring he fell in love with a beautiful Asian girl who was all about drugs and sex, and he moved in with her. During his next visit to his new probation officer, he reported the change of address, and she busted him for it because he was supposed to have informed her in advance. He was sent to jail for several months to contemplate the error. In prison he found a mentor who was a doctor convicted of selling the identities of dead babies on the Dark Net for use in providing criminals with new identities. Opsec was released in 2000, becoming a free man without restrictions for the first time in four years. 

He swore off hacking, and went to work at an espresso bar on the ground floor of an office building. Through a chance encounter with a customer there, he found himself with a computer job upstairs. The company was in the data-transmission business, largely through fiber-optic cables laid long-distance along 19th-century railroad rights-of-way. Opsec was assigned to the company’s control center to give general assistance to customers, who were mainly Internet-service providers. Given his talents, he soon gravitated to the security side. To his surprise, Opsec found himself back in the underground from which he had just emerged. 

Opsec moved on to a series of small jobs, then landed a position at a network-security company. That company was a surface reflection of the Dark Net. One division was straightforward: it mined the Dark Net for known vulnerabilities and compiled them into an encyclopedia for its clients. Another division was grayer in character. It offered bespoke intelligence gathering, often under cover of the Dark Net. Opsec once stumbled across one of its products—behind a door that should have been locked, in a large room, on a circular table 20 feet across on which al-Qaeda’s electronic connections were physically mapped out. And then there was the third division, a part of the company that was rarely mentioned. It was the moneymaker, an exploit broker for the U.S. government—much like those that exist for criminals on the black market—that did original zero-day research and sold the hacking opportunities to NATO allies. 

V. HIRED GUN 

We are now approaching the mid-2000s. Most of the attackers were not skilled hackers; they were incapable of examining software or a secured network and discovering vulnerabilities. They knew only how to acquire tools on the Dark Net and put them to use. Opsec was different, one of the few who could have made a living as a researcher whether by selling zero days to the target companies (who after years of reluctance had wised up and begun paying bounties for them), by peddling them to brokers, or by offering them for sale on the black market. But he did none of that. He went to work for a computer-security company as a “penetration tester,” and for the next five years traveled extensively, performing security audits and hacking into corporate networks to explore their weaknesses. Some of Opsec’s clients were serious about security. But many were just going through the motions. All too often Opsec would hack into a network, submit a report recommending fixes, and come back the next year only to find that nothing had been done. He said, “Mostly it was just check-box security. And a lot of the penetration testers are really bad. They don’t have the background or mind-set. They don’t have the skills. They have a scanner with a database of all the different vulnerabilities, and it checks the network for those things. There’s no creative process there. They’re not looking for things that are not in the knowledge base. They push some button, then come back and say, ‘You’re clean!’ ” 

In 2007 he quit the job and set himself up as a hired gun, determined to be selective about which clients to accept. The first requirement was that they had to be serious about network security. The second requirement was that they had to be on the side of “right.” This turned out to be tricky, because the expertise he offers and the systems he puts in place are classic dual-use weapons that can be used to rob and oppress just as easily as to defend people’s lives and property. Furthermore, Opsec was politically naïve: he assumed that U.S. agencies and foreign allies were inherently on the side of right. He no longer suffers from the illusion. To me he said, “If you kick over enough rocks, you’re going to find shit, and if you piss off the military-industrial complex . . .” He hesitated. He said, “There are certain things they just don’t want you to know. And they kill people. They’ll kill you.” I asked him if paranoia is a professional hazard. He said it is, but if only for peace of mind he steers clear of those sorts of clients today. 

As a gun for hire he made some mistakes early on. He would not describe them to me. He did say that he spent a month in Pakistan with U.S.-government approval, consulting with the Pakistanis on how to establish cyber-war capabilities. Clearly that was not his proudest moment. Several years later he made a similar mistake by subcontracting to an American team in an oppressive Gulf kingdom and ally of the United States. He assumed that the project was known to the U.S. government and only later discovered that it was not. Opsec moved to the kingdom for nine months. The job was to set up a national network-security operations center, an emergency-response group, and a hacking school to teach offensive and defensive cyber-warfare techniques. The school was equipped with cyber-warfare “firing ranges”—rooms of computers where simulated attacks could be run—and had a curriculum that included intelligence gathering and the writing of malware. Additionally the team ran penetration tests and discovered vulnerabilities in the country’s radar and missile-defense systems as well as in its international telecommunications. But Opsec discovered that under the table the team was selling cell-phone interception and tracking equipment to the authorities for all the wrong reasons. The capabilities he was providing for national defense would in practice be turned against the citizenry. He left the project and returned to the United States. He settled down with a few good clients, the best of which was the Company, 20 miles from home. 

VI. ALL-OUT WAR

The ransomware attack on the Company late last year was not just an incident. It was a serious breach. Opsec urged stealth in response. The attacker would have known that he had failed to steal the Company’s data; there could have been various reasons for that. It was important to keep him wondering whether the hack itself had been discovered. The ransomware was a generic off-the-shelf module of no great interest or complexity. It had arrived only two or three days before being identified. The question was how it had arrived. To his shock, Opsec soon determined that it had come in by piggybacking on a major intrusion, until now unknown, that had occurred fully a year before. This was the hack that really mattered. The extent of it was still unclear, but the Company’s network had been secretly “owned” ever since. There was more. Embedded in the system was strong evidence that the attackers were the same Chinese-government team that had hit the Company four years earlier. And the Chinese team’s capabilities had vastly improved.

Here is what occurred. The Chinese first went into a subcontractor, a global offshore payment processor that handled credit-card transactions, and then, having gained possession of that network, quietly entered the Company through a legitimate back door that had been installed on the Company’s network to administer consumer accounts. The initial breach was a work of art. The Chinese wrote a piece of customized software purely for that job. It was a one-of-a-kind “callback dropper,” a Trojan horse that could be loaded with any of many malware modules, but otherwise stood empty, and regularly checked in with its masters to ask for instructions. Once inside the network, the Chinese were able to move laterally because the Company, for the sake of operational efficiency, had not compartmentalized its network, despite Opsec’s advice to do so. 

They knew exactly where they were going. First, using “bounce points” within the network to further obscure their presence, they went after the central domain controller, where they acquired their own administrative account, effectively compromising 100 million user names and passwords and gaining the ability to push software packages throughout the network. Second, and more important, the Chinese headed into the network’s “build” system, a part of the network where software changes are compiled and then uploaded to a content-distribution network for the downloading of updates to customers. In that position they acquired the ability to bundle their own software packages and insert them into the regular flow, potentially reaching 70 million personal computers or more. But, for the moment, they did none of that. Instead they installed three empty callback Trojans on three separate network computers and left them standing there to await future instructions. Opsec and his team concluded that the purpose was to lay the groundwork for the rapid construction of a giant botnet. 
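The dropper described above “regularly checked in with its masters,” and the three empty Trojans left behind would have done the same. That clockwork cadence is what a defender can hunt for in proxy or firewall logs. The following is an added example, not code from the article or from Opsec’s tools; the log lines, host names and the domain c2.example are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the article): one "ISO-time src dst" per line.
# host10 -> c2.example checks in every ~300 s, like the article's callback dropper;
# host11 is ordinary, irregular browsing; host12 has too few events to judge.
_BASE = datetime(2016, 9, 15, 8, 0, 0)
_EVENTS = {
    ("host10", "c2.example"): [0, 300, 602, 901, 1202, 1502, 1800, 2100],
    ("host11", "www.example"): [0, 5, 145, 157, 1057, 1090, 1097],
    ("host12", "cdn.example"): [0, 600],
}
LOG_LINES = [
    f"{(_BASE + timedelta(seconds=off)).isoformat()} {src} {dst}"
    for (src, dst), offs in _EVENTS.items() for off in offs
]


def parse_log(lines):
    """Group connection timestamps by (src, dst) pair, sorted in time."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in pairs.items()}


def beacon_candidates(lines, min_events=6, max_cv=0.1):
    """Return (src, dst, count, mean_interval_s, cv) for pairs whose gaps between
    connections are regular enough to look like a check-in loop.
    cv = population stdev / mean of the gaps; near 0 means clockwork timing."""
    out = []
    for (src, dst), times in parse_log(lines).items():
        if len(times) < min_events:
            continue  # not enough samples to call the timing regular
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            out.append((src, dst, len(times), mean, cv))
    return sorted(out, key=lambda r: r[4])  # most regular first


if __name__ == "__main__":
    for src, dst, n, mean, cv in beacon_candidates(LOG_LINES):
        print(f"{src} -> {dst}: {n} connections, every {mean:.0f}s (cv={cv:.3f})")
```

An implant that randomizes its sleep interval will push the cv above a fixed threshold, so in practice this is a first-pass filter to combine with destination reputation and long-lived-pair counts rather than a verdict on its own.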

The “bot” in “botnet” is derived from “robot.” Botnets are illicit networks of infected computers, known as zombies or nodes, that appear to function normally but are secretly controlled by hackers and can be used in combination to produce enormous computing power. The largest of them have consisted of several million computers. They have been around for a long time. No one knows how many are active, but the numbers are large. A few are self-propagating, but most require active (if unintentional) downloading. Either way, they are the force multipliers of the Dark Net. Some of them are commercial, and offer services on the black market. Others are privately held. On the most simple level, hackers use them to mount denial-of-service attacks, overwhelming Web sites with the sheer volume of traffic. Beyond that, their purposes are almost limitless—identity theft, credit-card fraud, bank fraud, intelligence gathering, high-speed code cracking, corporate espionage, commercial sabotage, and attacks on national infrastructure, including industrial control networks, phone systems, and the Internet itself. Cyber-attacks that cause physical damage are extremely rare—Iranian centrifuges destroyed by Stuxnet in 2010; a steel mill hit in Germany in 2014; blackouts caused by a hack of the power grid in Ukraine in 2015—but whatever damage a single computer can do, a botnet can do it better. Botnets are so valuable—and potentially so short-lived—that their creators normally rush to use them as soon as they are built. That was the odd part about the attack on the Company. The Chinese had gone to all the effort to insert their Trojan, yet had stopped without taking further action. Why? 

The botnet it could have created would have been huge. If the Chinese had breached other large Internet companies via the same payment-center route—and it seemed likely they had—the combined effect would have been the creation of by far the largest botnet ever seen, an Internet robot consisting of perhaps 200 million computers, all controlled by one small Chinese hacking team. Opsec had stumbled onto a very big thing. And its lack of use was the key. The only possible purpose, Opsec concluded, was that of a sleeper cell, lying in wait as a pre-positioned asset to be used as a last resort, like a nuclear weapon, in the event of an all-out cyber-war. The world certainly seems to be moving in that direction. Already cyber-attacks constitute an active component of nearly every conventional military battle. They are used by the U.S. in conjunction with the air and ground war against ISIS. Some say that a global cyber-war is already under way, because everyone is getting hacked. But many states—China, Russia, Germany, France, Pakistan, Israel, and the United States—are actively preparing for something much larger to come. 

The sleeper cell would never have been discovered had it not been for the ransomware that failed to deploy. According to Opsec, a member of the Chinese government team had apparently decided to freelance and make a little money for himself, sending his extortion demand along the pathway secretly blazed by the government team a year before and inadvertently exposing the entire operation. When identified, if he has not been already, the renegade team member in China will face a very unhappy future. 

As for the future of the sleeper cell itself, Opsec could only speculate. The U.S. government had of course been informed. “Yeah, and they wouldn’t take it down. They’d surveil it, do reconnaissance and monitoring, just so they could keep tabs, and they would probably spend some time developing the capability to disrupt or hijack the botnet if they needed to. Right?,” he said. “Let the Chinese build their cyber-weapon and think they’ve got it, and when we need it, we’ll just block it or take it over.” 

I said, “What branch?” 

“Meade. The Fort.” 

How Opsec himself responds is another matter. He is not the U.S. government. He once told me he is his own mini-N.S.A. Referring to a friend of equal reputation, he said, “We write highly invasive software.” As a product of the Dark Net, he has the power to invade China, and has done so before. I asked him what an invasion would look like. He said, “We’d find their command-and-control structure, the control brain for the malware they use. Ultimately, what you’d like to do is find a way to hack into their C2 servers and (a) figure out what information they acquired from you, and (b) insert a command into their infrastructure that tells all the malware out there to delete itself. A botnet takedown, that’s what I’d like to see. We’re at least crippling their network.” And maybe, he went on, as a present, you could give them the identity of the guy whose ransomware brought the hack down. 

So is that what you’re doing?, I asked. 

Of course not, he said. It would be against Company policy. 
