Hacking efforts which originate in foreign countries, such as China, have multiple government and civilian targets -- and aims. Attacks tend to fall into four broad categories: targeting trade secrets; targeting government secrets; targeting critical infrastructure; and manipulating IT services for financial gain. We know of the tools being used, and the patterns of such attacks. But these events also raise the question of whether government agencies are spending enough on overall IT security and employee training.
Is the U.S. federal government spending enough on IT Security? That's an important question given this week's news - the headlines have been stunning. But this type of hacking news wasn't exactly unexpected.
- A secretive Chinese military unit, known as People's Liberation Army Unit 61398, has been accused by the U.S. security firm Mandiant Corp. of mounting large-scale cyber attacks on American companies. Published statements by U.S. intelligence officials essentially confirm the findings. Mandiant's full report is available online.
- Also this week, the hacker collective known as Anonymous announced that it had broken into a U.S. State Department server, posting data that the group says came from the department's database. The group previously has broken into other government servers.
Prior to these high-profile events, we've heard years of complaints about suspicious Internet traffic from China and other locations, and about Asia-based hacking attempts targeting multiple government agencies and even government-related commercial Websites.
The idea that federal agencies aren't spending enough on IT security is troubling. In fiscal year 2012, federal agencies earmarked an average of 8% of their total information technology budgets for security-related solutions. Those percentages range from 2% at the Department of the Treasury to 13% at the National Science Foundation (NSF). We don't have recent survey numbers to reflect security spending across all other industries, but we do have such numbers from 2007. That year, security spending for all industries hovered around 19%. That puts other industries ahead of what the federal agencies spend, and most of these other organizations have not significantly cut their security efforts since that time.
What They're Looking For
Hacking efforts which originate in foreign countries can have multiple targets and aims. But most such efforts fall into one of four categories: targeting trade secrets; targeting government secrets; targeting critical infrastructure; and manipulating IT services for financial gain (this can range from illicit bank transfers, to credit card number theft, to manipulating search engine results).
The U.S. intelligence community collects information internationally about traffic and hacking attempts. But when that information indicates that attempts are targeting a specific company, there can be legal gray areas which make it difficult to share details with other companies about pending cyber attacks. This can thwart the government's ability to distribute warnings to a broader audience.
Attacks which occur directly against government facilities are monitored by multiple government IT groups. Information related to all agencies is shared via the Computer Emergency Response Team at US-CERT.gov. Defense Department-specific information is handled by an information assurance support team at the Defense Information Systems Agency.
The list in the section below shows some of the tools currently being used against the United States by overseas hackers.
Current Tools and Techniques
- Gh0st RAT - A Trojan horse for Windows. It serves as a stealthy Remote Administration Tool (RAT) and can be used to distribute malware, allowing additional computers to become infected. Once hackers establish administrative privileges on a computer, they can access most information on that system and its connected devices, and in some cases they can turn on the computer's microphone and camera.
- Lightbolt - A tool used to forge connections and associated certificates in a way that lets the hacker view and download files that would normally not be viewable.
- WEB C-2 - A command and control server which functions similarly to Gh0st RAT, but which is command-line driven rather than controlled by a graphical user interface.
- HTran - This is an old program that's being used in some new ways. HTran is a basic connection bouncer, capable of redirecting Internet packets destined for one machine to another machine. When used with WEB C-2 and other programs, HTran can hide the hacker's true location. It's a double-edged sword, though. If there are connection difficulties between the machine hosting the HTran installation and the user of the command and control machine, HTran may trigger an error message which can reveal the IP address of the other machine. But by installing HTran on multiple hosts, a hacker could theoretically create a chain of connections which makes discovering the hacker's true origin very difficult.
Older Hacking Tricks Which Are Still in Use
Some of the more classic, and still common, government hacking exploits include the following.
- SQL injection. This is a technique used to manipulate certain applications that interact with databases by including portions of SQL statements in a data entry field or a Web URL. In some cases an attacker can tamper with an SQL command to instruct a database to dump its full contents. There are ways to shut this down, but some systems may remain vulnerable if they are not properly configured against an SQL injection attack.
- Cross-site Scripting (XSS). This is a way of taking advantage of a security vulnerability found in some Web applications. It allows attackers to inject client-side scripts into Web pages viewed by other users. This approach can be used to bypass some types of access controls. Improvements to browsers have shut down some types of cross-site scripting, but the exploits still exist.
- Cross-site request forgery (CSRF/XSRF). This approach attempts to exploit a user's trust in a site. It can be designed to submit requests which a site may interpret as coming from an authenticated user.
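The three classic flaws above are easiest to understand side by side with their fixes. The following is an added example written for this article, not code from any of the agencies or vendors it mentions: a constructed in-memory SQLite table queried first by string concatenation (the injectable form) and then with a bound parameter, an HTML escaping helper of the kind that blocks reflected cross-site scripting, and a constant-time CSRF token check. The table contents, the `users` schema and the token values are all made up for the demonstration.

```python
import html
import hmac
import sqlite3


def build_db():
    """Constructed sample data: a tiny user table standing in for an
    application database (example data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn, name):
    """Vulnerable form: the caller's input is pasted into the SQL text, so a
    quote character in the input changes the meaning of the WHERE clause
    (this is the defect the article describes; kept here for contrast)."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name):
    """Hardened form: the driver binds the value as data, never as SQL, so
    the same input can only ever match a literal user name."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(display_name):
    """XSS mitigation: untrusted text is HTML-escaped before it is placed in
    a page, so any markup it contains is shown as text rather than run."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def csrf_token_valid(session_token, submitted_token):
    """CSRF mitigation: a state-changing request must carry a secret token
    tied to the user's session; comparing in constant time avoids leaking
    the token byte by byte through response timing."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL metacharacters
    print("unsafe:", lookup_user_unsafe(conn, crafted))  # every row leaks
    print("safe:  ", lookup_user_safe(conn, crafted))    # no user has that name
    print(render_greeting("<b>visitor</b>"))
    print(csrf_token_valid("session-token-123", "session-token-123"))
```

The point of the contrast is that the hardened query does not need to "detect" bad input: parameter binding removes the class of bug, which is why it is preferred over input filtering when configuring a system against injection.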
What You Can Do
It can be difficult for federal agencies to shut down hacking attempts. But a lot can be done by monitoring activity and by training employees.
- Monitor network devices to look for unusual traffic. The two protocols most often used for this are Syslog and the Simple Network Management Protocol (SNMP), and machine logs are most often reviewed by evaluating the records they produce. Analysis tools for such logs include Wallwatcher, SNMP Trap Watcher, SNMPLog, LinkLogger, and Kiwi Log Viewer. There are also general log analysis tools such as LogViewer Pro and BareTail.
- Train your employees to recognize attempts at social engineering. Opening the wrong email or clicking on the wrong link can have very negative consequences. All employees should understand the basics of how people try to fool them, and what to look for when it comes to suspicious attachments, links or well-crafted attempts to get them to share information.
- If worker PCs seem to have more security issues than the servers in your work group, then try to keep proprietary information off PCs. This can be done by enabling virtual desktop solutions, or by setting rules for where business information can be stored, such as always on a network drive rather than on a local PC drive.
- Encryption is your friend. It won't solve all problems, but it will slow down many hackers and it will stop the less skillful ones in their tracks. It can make stored information less vulnerable and it can protect the information flow within many types of network connections.
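The log viewers named in the monitoring bullet display Syslog records; the value comes from the rules an analyst applies to them. As an added example, not code from the article or from any of those products, here is the kind of rule that turns raw Syslog lines into an alert: parse RFC 3164-style lines, pick out failed SSH authentications (OpenSSH's "Failed password" message format is assumed), and flag any source address that accumulates a threshold of failures inside a short window. The log lines are constructed for the example and use documentation IP ranges; the host name, process IDs and user names are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Syslog lines (RFC 3164 style) for this example only.
# Addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
Feb 20 10:15:01 gw1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Feb 20 10:15:03 gw1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Feb 20 10:15:04 gw1 sshd[2215]: Failed password for root from 203.0.113.45 port 51041 ssh2
Feb 20 10:15:06 gw1 sshd[2218]: Failed password for invalid user test from 203.0.113.45 port 51055 ssh2
Feb 20 10:15:07 gw1 sshd[2220]: Failed password for invalid user guest from 203.0.113.45 port 51060 ssh2
Feb 20 10:15:09 gw1 sshd[2222]: Accepted publickey for jdoe from 198.51.100.7 port 40112 ssh2
Feb 20 10:22:31 gw1 sshd[2301]: Failed password for jdoe from 198.51.100.7 port 40120 ssh2
Feb 20 10:22:40 gw1 sshd[2303]: Accepted password for jdoe from 198.51.100.7 port 40121 ssh2
"""

# RFC 3164 layout: "<Mon dd HH:MM:SS> <host> <process>[pid]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH authentication failure message (assumed format).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog(text, year=2013):
    """Turn raw Syslog lines into event dicts. RFC 3164 timestamps carry no
    year, so the caller supplies one (the year of the log file)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events


def flag_brute_force(events, threshold=5, window_seconds=60):
    """Return {source_ip: peak_count} for every source with at least
    `threshold` failed SSH logins inside any `window_seconds` span."""
    failures = defaultdict(list)
    for ev in events:
        fm = FAILED_RE.search(ev["msg"])
        if ev["proc"] == "sshd" and fm:
            failures[fm["ip"]].append(ev["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within the limit.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_LOG)
    print(f"parsed {len(events)} events")
    for ip, count in flag_brute_force(events).items():
        print(f"ALERT: {count} failed SSH logins from {ip} within 60s")
```

A single mistyped password from a known user (the 198.51.100.7 lines) stays below the threshold and is not reported, while the rapid run of guesses against accounts that do not exist is. Thresholds and windows are tuning knobs; the same sliding-window shape applies to firewall deny records or SNMP trap counts.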
Hacking attempts against government computers and against national infrastructure are bound to increase. But understanding how these intrusions are happening, what tools are being used, and how to fight against them, can certainly help slow down the progress of such blatant intrusions.