Tuesday, April 21, 2009

The Fog of Cyberwar - NATO military strategists are waking up to the threat from online attacks.

GhostNet sounds like something John le Carré would invent. This vast cyber-espionage operation spanned 1,295 computers worldwide, a third of them located in ministries of foreign affairs, embassies, international organizations and news media, some holding classified data. According to a report by three Canadian security think tanks in March, it included at least one unclassified computer at NATO headquarters in Mons, Belgium. Although the culprit is unidentified, some experts suspect China. Whether it exploited any of the data is hard to say. That it could obtain it so easily has raised eyebrows in the world's mightiest military alliance.

NATO is only just beginning to recognize that the Internet has become a new battleground, and that it requires a military strategy. As economic life relies more and more on the Internet, the potential for small bands of hackers to launch devastating attacks on the world economy is growing. To counter such threats, a group of NATO members, including the U.S. and Germany, last year established a kind of internal cybersecurity think tank, based in a former government building in Tallinn, Estonia. The 30 staffers at the Cooperative Cyber Defense Centre of Excellence analyze emerging viruses and other threats, and pass on alerts to sponsoring NATO governments. They are also working to bring the allies together on the elusive issues that deepen the fog of cyberwar.

Experts with backgrounds in the military, technology, law and science are wrestling with such questions as: What qualifies as a cyber "attack" on a NATO member, and so triggers the obligation of alliance members to rush to its defense? And how can the alliance defend itself in cyberspace? Already, the debate is producing strikingly different answers: as Washington moves to create a new "cybersecurity czar" and new funds for cyberdefenses, Estonia is moving much of the job into civilian hands, aiming to create a nation of citizens alert and wise to online threats.

The choice of Estonia as the home to NATO's new cyberwar brain trust is not accidental. In 2007 Estonia was in a public squabble with Russia over the fate of a Soviet-era monument when it suddenly found itself under a wave of cyberattacks. Among the targets were two of Estonia's biggest banks, whose online systems were severely degraded for several hours. The scale of the economic damage is still classified as a state secret, but the fact that this happened in "E-stonia," a proud digital society where even parking meters take payment via text messages, was eye-opening. Although the decentralized nature of cyberattacks made it hard to know whether the Kremlin ordered the attacks, clues led Estonia to a Russian suspect, whom the Kremlin refused to extradite.

One thing is clear: Russia gained from what may be the first successful invasion in the new age of cyberwar. Hillar Aarelaid, a manager at Estonia's computer emergency response team, who coordinated Estonia's defenses during the assault, told me that the attack used a nasty weapon called a "distributed denial of service," or DDOS. Cheap to organize and devastating, DDOS involves a small gang of hackers who command a cyber-army of infected PCs to overwhelm the Web sites of a bank (or other institution) with seemingly legitimate requests. Yet Aarelaid believes that the attackers who came after Estonia aimed to flaunt the range and power of their arsenal. If the orders came from the Kremlin, the message to former Soviet satellites was clear: defy us at your own risk. Estonia, courageously, went ahead and moved the Soviet monument anyway.
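As an added example (not part of the article or of Estonia's CERT tooling), the following Python heuristic shows why a DDoS made of "seemingly legitimate" requests is detected at the aggregate level rather than per request: it buckets Common Log Format web server lines into ten-second windows and labels each window as baseline, single-source abuse or a distributed flood by request count and distinct source count. The log lines, IP addresses and thresholds are constructed for illustration, and the example generalizes beyond the bank case in the text to any HTTP service logging in that format.

```python
"""Aggregate-level DDoS detection over web server access logs.

Each request in a flood like the one described against Estonia's banks looks
valid on its own, so the signal is in the aggregate: how many requests arrive
per window, and from how many distinct sources. A single misbehaving client
spikes the rate from one IP; a botnet spreads the same spike over many IPs.
Sample log lines, addresses and thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache/nginx Common Log Format: ip ident user [timestamp] "request" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Return (client_ip, aware datetime) for a CLF line, or None if malformed."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def classify_windows(lines, window_s=10, rate_threshold=20, distinct_threshold=10):
    """Bucket requests into fixed windows and label each window.

    baseline          : fewer than rate_threshold requests in the window
    single-source     : rate spike concentrated in fewer than distinct_threshold IPs
    distributed-flood : rate spike spread across distinct_threshold or more IPs
    """
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the sweep
        ip, ts = parsed
        start = int(ts.timestamp()) // window_s * window_s
        buckets[start].append(ip)
    windows = []
    for start in sorted(buckets):
        ips = buckets[start]
        requests, sources = len(ips), len(set(ips))
        if requests < rate_threshold:
            label = "baseline"
        elif sources >= distinct_threshold:
            label = "distributed-flood"
        else:
            label = "single-source"
        windows.append({"start": start, "requests": requests, "sources": sources, "label": label})
    return windows


def _clf(ip, hhmmss, path):
    """Build one constructed CLF line (RFC 5737 documentation addresses)."""
    return f'{ip} - - [27/Apr/2007:{hhmmss} +0300] "GET {path} HTTP/1.1" 200 1234'


# Constructed sample: quiet baseline, then one client hammering /login,
# then a botnet-style flood where every request comes from a different host.
SAMPLE_LOG = [
    _clf("192.0.2.10", "10:00:01", "/login"),
    _clf("192.0.2.11", "10:00:03", "/index.html"),
    _clf("192.0.2.12", "10:00:07", "/login"),
]
SAMPLE_LOG += [_clf("198.51.100.7", f"10:00:2{i % 10}", "/login") for i in range(40)]
SAMPLE_LOG += [_clf(f"203.0.113.{i + 1}", f"10:00:4{i % 10}", "/login") for i in range(60)]

if __name__ == "__main__":
    for w in classify_windows(SAMPLE_LOG):
        when = datetime.fromtimestamp(w["start"], tz=timezone.utc).strftime("%H:%M:%SZ")
        print(when, w["requests"], "requests from", w["sources"], "sources:", w["label"])
```

A "distributed-flood" window is the case where per-IP rate limiting alone does not help, which is why the text treats this kind of attack as a capacity and coordination problem rather than one of blocking a bad client.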

The attack revealed the vulnerability of a NATO member to external pressure. If a group in Russia could wreak so much havoc over a statue, imagine what a state-sponsored effort could do. Attackers could infect and gain control of thousands of computers—much like GhostNet did—and go after banks all across Europe, leading to digital chaos—online banking would go down, credit-card purchases couldn't be verified. Factor in electricity grids, dams and airport navigation systems, which are connected to the Internet, and it begins to sound like a Hollywood movie.

The trick, from NATO's standpoint, is figuring out when an attack is hacker mischief and when it's a military matter. Back in 2007, Estonia's minister of defense stated that "the attacks cannot be treated as hooliganism, but have to be treated as an attack against the state." But no troops crossed Estonia's borders, and there was almost nothing that we associate with a conventional conflict. How to respond, and against whom? The first step, say scientists at the center, is to identify when a threat warrants a military response. "In the absence of a clear legal framework for dealing with cyberattacks, it's very hard to decide whether to treat them as the beginning of armed conflict," says Rain Ottis, one of the center's senior scientists.

The United States is clearly leaning toward a military strategy. In March the U.S. Senate took up a bill that would bring cybersecurity work at the NSA, Air Force, DHS and a dozen other agencies under a "cybersecurity czar," who would also become a "national cybersecurity adviser." It would arm this person with unprecedented powers, including the right to shut off federal networks if they are found to be vulnerable. If passed, the bill might result in even further militarization of cyberspace; today, virtually all major security contractors—from Lockheed Martin to Boeing—have already set up cybersecurity divisions, fighting for government funds. U.S. government spending on secure computer networks is forecast to rise from $7.4 billion in 2008 to $10.7 billion in 2013. Most of NATO's biggest members, including France, Britain and Germany, appear to be following the U.S. lead.

Estonia, on the other hand, is choosing not to play up fear of a cyberwar. Such talk in 2007 only made already strained relations with Russia worse. Instead, it prefers to demilitarize the issue by shifting the responsibility for cybersecurity from the Ministry of Defense to the Ministry of Economic Affairs and Communications, and is working to identify the services—like online banking—that are most critical to running a digital economy. The Estonians are stepping up efforts to educate citizens on how to identify risks, and creating graduate programs in cybersecurity. Heli Tiirmaa-Klaar, the senior defense adviser at Estonia's defense ministry and one of the country's leading cybersecurity officials, speaks of promoting a "culture of cybersecurity," starting with schoolchildren.

The Estonians have the right idea. Cyberattacks would be prohibitively expensive if hackers had to build their own computers, rather than hijacking idle ones. And a society of savvy citizens is the best defense, because they have every incentive to stay ahead of the hackers; industry tends to stay a step behind, because attacks create a demand for new software. That's how America's reliance on centralized military industries could backfire: they are not numerous or nimble enough to fight Internet battles. Estonia's civilian answer is both more likely to prove popular in diplomatic circles, and more likely to be successful.


By Evgeny Morozov | NEWSWEEK


Monday, November 17, 2008

Russian nationalists waged a cyber war against Georgia. Fighting back is virtually impossible.

On July 20, weeks before Russia stunned Georgia with a rapid invasion, the cyber attack was already under way. While Moscow baited Georgia with troop movements on the borders of the breakaway provinces of Abkhazia and South Ossetia, the "zombie" computers were already on the attack. Russian viruses had seized hundreds of thousands of computers around the world, directing them to barrage Georgian Web sites, including the pages of the president, the parliament, the foreign ministry, news agencies and banks, which shut down their servers at the first sign of attack to pre-empt identity theft. At one point the parliament's Web site was replaced by images comparing Georgian president Mikheil Saakashvili to Adolf Hitler. This was not the first Russian cyber assault—that came against Estonia, in April of 2007—but it was the first time an Internet attack paralleled one on land.

The labyrinthine ways of the Web and the complicated interfaces between the Russian government's clandestine services and organized crime make it impossible, at this point, to say with certainty who was responsible, or how far up the chain of command it went. The Russian military certainly had the means to attack Georgia's Internet infrastructure, says Jonathan Zittrain, cofounder of Harvard's Berkman Center for Internet and Society. Moreover, the attacks were too successful to have materialized independent of one another. Bill Woodcock, the research director at Packet Clearing House, a California-based nonprofit group that tracks Internet security trends, says the attacks bear the markings of a "trained and centrally coordinated cadre of professionals."

But who? Jart Armin, who has tracked Russian cybercrime, points to the possibility that a role was played by the notorious Russian Business Network, a cybermafia that specializes in identity theft, child pornography, extortion and other dark and lucrative Internet crimes. The RBN's political agenda is vague or nonexistent, but it often contracts out its services, and Armin says there is increasing evidence that it is connected to, or at least tolerated by, the Kremlin.

Indeed the timing is such that it's hard to discount some sort of Kremlin coordination, even if it's impossible to prove, and Woodcock argues that such cyber assaults have become a tool of Russian political leadership. As the attacks' political intentions became more specific, he notes, the operations have grown more complex. In addition to targeting Georgian government and media Web sites, Russian hackers brought down the Russian newspaper Skandaly.ru, apparently for expressing some pro-Georgian sentiment. "This was the first time that they ever attacked an internal and an external target as part of the same attack," he says.

Fighting back is tough. When Russian hackers made a name for themselves last year by bringing down the Web site of the Estonian parliament along with the sites of banks, ministries and newspapers, Estonian Foreign Minister Urmas Paet immediately accused the Kremlin of backing the attacks. But he was unable to produce evidence supporting his claims. Putin eventually named a suspect, or scapegoat, within his government. As Russian hackers waged a similar assault on Georgian sites over the past few weeks, Estonia—one of Europe's most wired countries—offered its better-defended servers to host many Georgian government Web sites. Lithuania and Poland have stepped up as well, prompting some excited bloggers to suggest that this is a digital Sarajevo, akin to the events of August 1914, the start of the first Internet world war. Certainly that's exaggerated, but the mutual defense going on in cyberspace shows that these nations take the Russian threat to their online infrastructure seriously.

Still, the nature of the Internet is such that it is almost impossible to respond quickly enough. The government doesn't maintain its own botnets—large networks of zombified computers standing ready to attack—but can rent one from a crime network, like the Russian Business Network. Then, through state-controlled media, the government can inspire waves of nationalists to amplify the destructive force. "Everybody with a laptop has the responsibility to attack the enemy—and you find out who the enemy is by looking at what the government is saying," Woodcock says.

While no one can say who wrote the malware that was used to cause Georgian servers to crash, it certainly proliferated on Russian Web sites in a user-friendly form. Gary Warner, a cybercrime expert at the University of Alabama at Birmingham, says he found "copies of the attack script" posted in the reader comments section at the bottom of virtually every story in the Russian media that covered the Georgian conflict, complete with instructions on how the script could be used to attack a specific list of Web sites. The efficiency is enough to make Russia's tanks and planes and ships, however deadly, appear downright anachronistic.


http://www.newsweek.com/id/154965/output/print


"It could be assumed the Estonia attack has benefited the United States agenda more than any other country..."

... I like what you say about how Chinese IP space attacks or cyber crime might not be the Chinese government or its people, but could as easily be another government who is carrying out cyber attacks and cyber crime and making all evidence point towards China...



...Age should not be the issue here. You can get people of all ages creating a bot net for whatever purpose, and with the profiteering seen in the scene nowadays, there is business incentive for bot nets to be developed too. Not only do we have individuals and groups in the hacker underground with reasons to create bot nets, we've now got the entry into the soup of the U.S. Cyber Command and other governments entering into the political cyber space. So not only have you got the Romanian teen theory of yours, we've now got the possibility of governments, including Russia, the U.S. and the UK, who may have vested interests in cyber attacks, cyber crime and cyber espionage pointing towards Chinese IP space. And, just the same, the fact that the IP range is coming from China, the code is written in Chinese, the money to buy a phishing domain was Chinese yuan, and the company the domain was registered at, doesn't conclusively mean the attack is coming from the Chinese government or even its citizens.

The government hackers, and state sponsored hacks by RU, US and UK, all know to cover their tracks and have all bases covered to fool forensic analysts later on. Any good cyber attack is planned in the notion that you're working from the point of forensic analysis backwards; you don't plan your cyber attacks from the front end to the back. Well, script kiddies and dumb hackers do.

You work your attack from the back to the front. Backwards hacking, I call it, or microwaving: you cook your target from the inside outwards... in the attack mode, but in the planning stages you must work back to front to avoid possible detection by your target's forensic team when they go into post-attack investigative mode.

The target may be a government or corporation you're gathering intelligence from, or in the case of a bot net, the cyber crime and profiteering, or a bandwidth data attack to take out key infrastructure of a government or corporation. Remember, the U.S. Cyber Command wants to destroy important data of its adversaries, so backups of important documents are an extra need for when the U.S. Cyber Command gets underway.

Russia is home to one of cyber crime's biggest bot nets, the Storm Worm, and the FSB (the Russian secret service) is protecting the Russian Business Network owners from being arrested by western powers. If you really want to get bot net culture under control you must start with the biggest bot net of them all, and perhaps the most worrying of all bot nets, the government bot net or the state sponsored bot net, who are capitalizing on the huge revenue globally to be made from cyber crime, which has been proved to be a bigger trade now than illegal drug trafficking and the selling of those drugs in our towns and cities.

The governments of our world have every reason to point their bot nets' forensic outcome towards China, and to publish propaganda to the media to make the Chinese government and its citizens look like they are the number one cyber threat to the west, when most probably the true source of attacks is coming from the U.S., UK or Russia.

I believe the number one cyber threat to the west is Russia, _but_ I believe the overall number one cyber threat to the internet and its well-being at large is that of the United States Cyber Command and its shoulder-to-shoulder friends in the United Kingdom, who are likely to share the same cyber political agenda as far as breaking into things, attacking things, destroying data and other activities for the reason of the long-term strategic interest of national security for both the US and UK.

The national interest of the US/UK won't necessarily be the interest of the internet at large and its survival as a country-less global infrastructure for data exchange of government, e-commerce and civilian economic, security and leisure purposes.

To conclude, the cyber threat from bot nets is no longer the teenager or the humble individual anymore; it's moved on from that. The true threat now is from the cyber commands of various countries, who will do anything they can to attack back at their adversaries if they are attacked first, or if it's in the national interest for a pre-emptive cyber strike. Not only are government sponsored or government based "attacks" the real threat now, compared to the past when it was teens or adolescents, it's now militaries and their intelligence agencies who are becoming the real problem on the internet, not the traditional adolescent in his bedroom or college computer lab causing mayhem; it's now government cyber attacks, and government cyber crime is the new threat of today.

In your defense, the Estonia attack that everyone is getting worried about, as a proof of concept attack for world governments to wake up and build cyber commands, turned out to have been carried out by a teen, who was charged for creating a bot net, but he could easily be a scapegoat plant for the Russian Business Network guys, who are widely blamed for the Estonia attack by people in the know.


I'm not a government hacker for the UK, but I live in the UK as an unemployed student. I know what's going on and I have monitored the cyber security scene extensively for the last 9 years in many forms and formats. I started off as a script kid on Yahoo, then worked my way up; I currently run under my internet alias, known to the security community as "n3td3v". I have been misreported by the media and others as a troll; this is not the case.

I continue to receive criticism for my outspoken and rude behaviour, but in amongst that is true substance and cause in what I believe to be the way things are in the cyber security landscape and the way it's developing towards 2010 and beyond.

n3td3v currently runs a news group on Google Groups with over 4000 members and climbing; however, please remember n3td3v operates as an individual security researcher. There is no group of researchers working under the n3td3v tag, and the members of the news group are only the public at large, who are not operated or controlled by me; it is a news group for sharing information, news articles and other commentary from around the world IP space.

Mark Seiden is no stranger to n3td3v; he knows me better than most on the internet, he holds many n3td3v secrets and knows my true identity...

Mark Seiden is a high-powered senior security consultant on a global scale agenda; he advises and contributes to the security of many government agencies and corporations around the world. His name is in the top cyber elite as a true recommended security expert for many high-level issues in the cyber world today. You can learn more here:
http://www.cutter.com/meet-our-experts/seidenm.html

This was in reply to Mark Seiden's "Cyberflexing" Blog post.
http://blog.cutter.com/2008/01/17/cyberflexing-what-were-in-store-for-in-2008/

An IRC transcript between n3td3v and a former U.S. Navy cyber security expert on the worries of the U.S. Cyber Command and its upcoming impact on the security community.
http://seclists.org/fulldisclosure/2008/Mar/0043.html

To highlight, the security community will no longer post vulnerabilities to the mailing lists when Af cyber based attacks, or suspicious cyber attacks on different countries, start to be reported by our media and the security industry's businesses, especially if power infrastructure is affected and we in the security community start to personally suffer in our quality of life due to unknown attackers who are largely believed to be connected with the establishment of the U.S. Cyber Command.

For instance, if the U.S. suffers a cyber attack, and it's blamed on X government or regime, are U.S. hackers going to keep releasing vulnerabilities to mailing lists, helping that X government obtain further cyber ammo, or new technique/research ideas? If the UK gets hit by a cyber attack and it's largely believed to be the U.S. Cyber Command, are the U.K. or the rest of the world going to continue to post vulnerabilities, cyber ammo, or new technique/research ideas to mailing lists? The answer is likely no, considering they won't want to help the United States learn of new hack techniques; it's likely the uprise of U.S. Cyber Command and a cyber war of real proportion would slow down, if not kill, the vulnerability release scene on the world wide web and push the scene back underground into the dark ages before widespread full-disclosure was around.

If real case cyber attacks start to happen on a big scale that stop a country from operating as it should, and the everyday life of security researchers is disabled or restricted because of national infrastructure attacks by an individual, a group or a government, then they aren't going to keep disclosing vulnerabilities to mailing lists to help the cyber terrorist or cyber military in any on-going attack, or help them gather ideas for later attacks after the initial attack.

The government and its enemies will suffer from a lack of publicly disclosed vulnerabilities by security researchers, meaning the governments of whatever countries are going to have to be self-sufficient with research, zero-day discovery and vulnerability development, as in a time of cyber war they won't have independent security researchers from the security community publishing new cutting-edge cyber ammo to the mailing lists at large.

If a government and its enemies think people aren't going to notice suspicious spectaculars connected with power outages, then they need to re-work what their strategy for covering it up will be to the world's intelligence services and the security community at large.

If the Af cyber command think they are going to start attacking things, destroying adversaries' data and blacking out power grids of enemy states, and that that kind of thing won't be cloaked by everyone, they have got to think again, because you've already declared you're planning on cyber war once your offensive command and its staff are trained and fully briefed and covert operation detail has been decided upon.

The homepage of the upcoming U.S cyber command.
http://www.afcyber.af.mil/

A blog entry report on the scapegoat for the Estonia attack.
http://www.russophile.com/russia_blog/26159-one_russian_charged_estonia_bronze_soldier_denial_service_attack.html

The attack on Estonia and its impact on the security industry is not fully known, although it was a landmark event for many cascading events, political decisions, business marketing plans and media news articles.


It could be assumed the Estonia attack has benefited the United States agenda more than any other country's, as the announcement of the Af cyber command was based around that attack, so there is room for speculation that there could have been underground deals between the U.S., UK, Russia and Estonia for this cyber attack to take place as a pathway for a cyber war footing, to mark the way for the Af cyber command and to get funding for such a command.

My ending paragraph above cannot be proved and is unlikely to be, but it has to be mentioned at the end of this response, as the real beneficiaries of the Estonia cyber attack have been the United States and the funding of the new cyber command.


As noted by n3td3v previously, the security community and the security industry are two different things: the security industry is eager to use the Estonia attack to forward their business motives, and the government is eager to use it to politically capitalise, while the security community, a different species compared to the industry, keeps sitting, watching, analyzing and working out the truth between the propaganda lines spat out by our media and what's really going on between governments in the underworld.

The security community is no fool to the security industry; we're aware of what's going on and we're not gullible to the propaganda being put in front of our computer screens and through media outlets and business messages.

Yours,

n3td3v
http://www.security-express.com/archives/fulldisclosure/2008-04/0340.html


--------


"Russian nationalists waged a cyber war against Georgia. Fighting back is virtually impossible."
http://www.newsweek.com/id/154965/output/print


Monday, August 11, 2008

Estonia hosts the Georgian Ministry of Foreign Affairs website

It was extremely pleasant to read this news yesterday; actually, I first discovered it myself, since I was keeping an eye on certain sites, and then I started looking for news reports. The first to report it was Richard Stiennon: http://www.networkworld.com/community/stiennon


The news is great, but I hope the Estonians can continue to defend Estonian government websites against serious attacks as well, especially now that the Georgian Ministry of Foreign Affairs site http://www.mfa.gov.ge/ is on the Estonian network [ http://www.robtex.com/dns/mfa.gov.ge.html / the IP is on the network of Linxtelecom Estonia OÜ, which is the Estonian subsidiary of the Dutch-owned Linx Telecommunications BV ].

The move took place yesterday, shortly after two specialists from Estonia's CERT went to Georgia, the Baltic News Service reported.

Abroad, more and more is being said about the small country doing wonders in IT; many thanks, of course, also to the Russian hackers who quickly helped us onto the stage ( www.estonia-russia.tk ). BusinessWeek already last year called Estonia a "Cyber Superpower"*.
I truly hope Estonia keeps this image, and maybe this is our so-called long-sought "Nokia".


In any case, Russian internet forums are already discussing how to settle scores virtually with the insolent Estonians.

But let's hope for the better. One thing is certain: the eastern side is not just sitting idle, shrugging about what to do. The attacks will most likely be carried out by better professionals and on a more serious scale.

Interesting additional material about Komando G can also be read on the www.expertiza.ru site.



* http://www.businessweek.com/globalbiz/content/dec2007/gb20071217_535635.htm?chan=globalbiz_europe+index+page_top+stories
