Shadow Network posted by Rick Howard

I just finished reading the paper called "Shadows in the Cloud," published by our friends over at the Information Warfare Monitor and the Shadowserver Foundation around the beginning of April. The folks at the Information Warfare Monitor are the same group that published the GhostNet paper last year on the cyber espionage attacks against the Dalai Lama. In fact, this most recent paper is based on leads that the original research did not pursue.

This is a really well written paper. It does not go off half-cocked like many other research efforts of the same ilk. The authors make it very clear that although the attacks originated from the People's Republic of China (PRC), the researchers have absolutely no evidence linking the Chinese government to the attacks. In other words, there is no smoking gun. They also do a very thorough job of outlining their methodology.

The report suggests that although the attackers targeted victims from around the world, they were most interested in government officials in India, in places like

  • The Indian National Security Council Secretariat
  • Any and all Indian Diplomatic Missions
  • Indian Military Engineer Services

... just to name three.

They propose two interesting hypotheses that, by their own admission, they do not have enough evidence to prove, but which are intriguing nonetheless.

The first is that "political espionage networks may be deliberately exploiting criminal kits, techniques and networks both to distance themselves from attribution and to strategically cultivate a climate of uncertainty."

iDefense has no proof of this either, but I think it is highly likely. In fact, another security research group, Damballa, suggested that the Google Aurora attacks were nothing more than a cyber criminal attack, based solely on the techniques the attackers used. Here at iDefense, we disagree. Our hypothesis has always been that the tools of the trade are the same regardless of what malicious activity you are pursuing. But we should consider this hypothesis from the "Shadows in the Cloud" report. It may not be a matter of convenience but a deliberate choice by cyber espionage groups to use criminal kits as a way to hide in the noise.

Their second hypothesis is the idea of collateral compromise. The researchers say that "there is a high probability for collateral compromise in any malware network because of mutual dependencies between targeted victims and their associations in social networks."

I'd say this is highly likely too. It has been my experience over the years that cyber espionage groups throw out a large net initially to see what is there, then pursue targets of opportunity as they are discovered. This is what appears to have happened in India: the bad guys went after the Dalai Lama and eventually found their way over to Indian government officials through mutual social networking connections.

The researchers also outline attack methodologies in this report that iDefense has documented in other cyber espionage attacks over the past decade: essentially, attackers compromise machines using exploits embedded in .PDF, .PPT and .DOC files, then exfiltrate any documents found on the hard drive back to another region of the world, usually one that has no extradition treaties with the West.

One interesting intelligence nugget, very similar to the Google incident, is the conjecture that there were at least two, and possibly three, different hacking groups involved in the Shadow Network attacks. Our own iDefense sources say that there may have been multiple groups inside Google too, and that they did not know about each other until Google went public. In my line of work, there is no such thing as a coincidence. What it means exactly is not clear. It could mean that the perpetrators contracted multiple hacker groups to go after the same targets on purpose, or it could mean that the perpetrating organization is so large that it does not know what everybody is doing. Regardless, the fact that two separate, highly publicized cyber espionage attacks in two completely different regions of the world involved multiple hacking groups at the same time, groups that may or may not have known about each other, is very interesting indeed.

It is inconclusive who is behind the latest intrusions into India, and the researchers are certainly not ready to lay blame. However, the report is fascinating and well worth a read.