Gonzalez, TJX and the FS-ISAC Conference posted by Rick Howard

A couple of weeks ago I presented at the annual FS-ISAC (Financial Sector - Information Sharing and Analysis Center) conference held in Saint Petersburg, Florida. I know. It is a tough gig. Somebody has to do the hard jobs around here.

The FS-ISAC is one of several ISACs "mandated" by the US Government to facilitate information sharing between companies within the same business sector. Other prominent ISACs are the IT-ISAC and the Multi-State ISAC.

During the talk, I got to the part where I was discussing the Albert Gonzalez case. If you have been sleeping under a rock for the past year, Gonzalez is the guy who masterminded the TJX breaches. The US Government just recently sentenced him to 20 years for his efforts. It turns out, though, that he was also involved, in one shape or another, in some of the most nefarious cyber activity of the past decade.

For example, he was the snitch used by the USSS (United States Secret Service) in Operation Firewall back in 2004, where the feds snatched some 28+ underground carders. He was also a member of the infamous Darkmarket forum, the forum that FBI Agent Mularski infiltrated for two years, resulting in the arrest of some 56 underground carders. It is iDefense speculation that Gonzalez used Darkmarket to exchange credit card numbers with one of his main TJX accomplices, Maksym Yastremskiy. The USSS used Yastremskiy as the linchpin in the case to tie everything back to Gonzalez.

At this point in the presentation, I was telling the part of the story where the feds were paying Gonzalez an annual salary to be a "consultant" for them. You see, they did not know that he was secretly going behind their backs to do the TJX job while he earned $70K a year for being an informant. That was not a typo. They paid Gonzalez $70K a year.

But that is not the good part. This is the good part.

At this point in the presentation, one of the FS-ISAC leaders stopped me cold and said that he wanted to make an announcement. In the interest of full disclosure, he wanted the audience to know that, in fact, Albert Gonzalez presented at this very same conference not five years ago as part of his federal consultancy gig. The USSS brought him in to give the FS-ISAC membership a view from the hacker's mind. This was about the same time that Gonzalez was launching his TJX scheme.

How cool is that?

As you might imagine, this little nugget of information brought the house down. I was almost wiping tears from my eyes because I was laughing so much. I could not have planned it better if I was making it all up.

The Google Breach, Belt Fed Reporters and Hillary Clinton posted by Rick Howard

By now, you all know about the Google Breach. I have been handling belt-fed reporters on my cell phone since we published our press release late last night. In fact, talking to so many reporters has caused the intelligence to get a little confused.

Case in point is the Elinor Mills article on Cnet News interviewing one of our iDefense guys, Elli Jellenc. She has him saying that the hackers who attacked Google and others definitely leveraged an Adobe vulnerability. When I read that, I thought to myself, "Hey, that isn't right. The fact is that we do not know." But after re-reading our own press report, we definitely said that was the case. Elinor Mills is an excellent reporter (I read her all the time) and reported what we gave her. Unfortunately, we muddled the message.

Let me clear this up. Here is what we know.

A well-targeted attack reportedly hit Google and over thirty other firms, many of them in Silicon Valley. It appears that attackers primarily targeted source code repositories. Among the company types targeted were high-tech companies based in Silicon Valley, financial institutions, defense contractors and chemical companies.

Google is convinced that the attackers are sponsored by the People's Republic of China. In fact, they even convinced the US Secretary of State, Hillary Clinton, that it was so. She is quoted as saying,

"We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation." Whatever evidence Google has, it must be strong.

Google reports that it identified malicious code on its systems in mid-December. Google followed the code back to the drop servers and determined that, in addition to the compromise of its own systems, more companies were involved. According to our sources, hackers hit ~33 additional companies.

The attack bears significant resemblance to a July 2009 attack in which attackers launched targeted e-mail campaigns against approximately 100 IT-focused companies. The July attack employed a PDF file that exploited a zero-day vulnerability in Adobe Reader. The malware associated with the summer attacks communicated with command-and-control (C&C) servers configured similarly to the C&C servers involved in the Google attacks. In fact, the C&C servers from the Google attacks are within the same subnet and six IP addresses apart from the C&C server addresses in the summer attacks.

Considering the similarity of the two attacks, it is likely that the summer attacks and the Google attacks originate from the same actor and that the organizations targeted in the Silicon Valley attacks have been compromised since July. It is not much of a stretch to speculate (this is the speculation part) that both attacks leveraged an Adobe vulnerability, although that has not been confirmed and Google is not talking.
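The infrastructure-overlap reasoning above (C&C addresses in the same subnet, a handful of addresses apart) is a standard analyst pivot. The following is an added example, not iDefense code and not drawn from either investigation: it takes C&C indicators from two campaigns and reports pairs that share a /24 and sit within a small address distance, which is exactly the kind of evidence used to argue for a common actor. All addresses are constructed from RFC 5737 documentation ranges and are not real indicators.

```python
import ipaddress
from itertools import combinations

# Constructed sample C&C indicators per campaign (RFC 5737 documentation
# ranges, not real IoCs). Real input would come from a malware sandbox
# or threat-intel feed.
CAMPAIGNS = {
    "summer_2009": ["203.0.113.10", "203.0.113.12", "198.51.100.5"],
    "google_2010": ["203.0.113.16", "203.0.113.18", "192.0.2.40"],
}

def addr_distance(a, b):
    """Numeric distance between two IPv4 addresses (6 for .10 vs .16)."""
    return abs(int(ipaddress.IPv4Address(a)) - int(ipaddress.IPv4Address(b)))

def same_subnet(a, b, prefix=24):
    """True if b falls inside the /prefix network that contains a."""
    net = ipaddress.IPv4Network(f"{a}/{prefix}", strict=False)
    return ipaddress.IPv4Address(b) in net

def infrastructure_overlap(campaigns, prefix=24, max_distance=16):
    """Cross-campaign C&C pairs in one /prefix and within max_distance
    addresses of each other, closest pairs first.
    Each hit: (campaign1, ip1, campaign2, ip2, distance)."""
    hits = []
    for (n1, ips1), (n2, ips2) in combinations(campaigns.items(), 2):
        for a in ips1:
            for b in ips2:
                if same_subnet(a, b, prefix):
                    d = addr_distance(a, b)
                    if d <= max_distance:
                        hits.append((n1, a, n2, b, d))
    return sorted(hits, key=lambda h: h[4])

def shared_netblocks(campaigns, prefix=24):
    """Map each /prefix network hosting C&C for more than one campaign
    to the sorted list of those campaigns; a cheap clustering view."""
    blocks = {}
    for name, ips in campaigns.items():
        for ip in ips:
            net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
            blocks.setdefault(net, set()).add(name)
    return {str(n): sorted(c) for n, c in blocks.items() if len(c) > 1}

if __name__ == "__main__":
    for hit in infrastructure_overlap(CAMPAIGNS):
        print("%s %s <-> %s %s (distance %d)" % hit)
    print(shared_netblocks(CAMPAIGNS))
```

Shared netblocks alone are weak evidence (hosting providers reuse ranges), so treat a hit as a lead to corroborate with configuration and malware similarities, as the post does, rather than as attribution by itself.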

If just half of this turns out to be true, the impact on Google, Silicon Valley and perhaps the US will be enormous. Google's reaction to China is a good example. They are considering pulling their business out of China as retaliation against the attacks. Google's a big player. Where they go, other smaller organizations may follow. If Google and other tech-savvy companies started pulling out of China, that would make things very interesting for the next decade, both for businesses in the technical sector and for policy negotiation between China and the US.

Yikes, that makes my head spin. I think I will go back to my belt-fed reporters.