6 December 2010


Cyber Threats to Government and ISPs

Released by Wikileaks 6 December 2010

http://88.80.16.63/file/cablegate/cablegate-201012061424.7z

Cryptome mirror:

http://cryptome.org/0003/cablegate-201012061424.7z (926 cables, 2.9MB)

../2008/11/08STATE116943.html


ORIGIN DS-00    

INFO  LOG-00   MFA-00   EEB-00   AF-00    AIT-00   A-00     CIAE-00  
      INL-00   DNI-00   DODE-00  DOEE-00  WHA-00   EAP-00   DHSE-00  
      EUR-00   OIGO-00  OBO-00   TEDE-00  INR-00   IO-00    JUSE-00  
      LAB-01   L-00     MMP-00   MOFM-00  MOF-00   NEA-00   DCP-00   
      ISN-00   NSCE-00  NSF-01   OES-00   OIG-00   P-00     ISNE-00  
      DOHS-00  FMPC-00  SP-00    IRM-00   SSO-00   SS-00    DPM-00   
      USSS-00  NCTC-00  CBP-00   DSCC-00  PRM-00   DRL-00   SCA-00   
      SAS-00   FA-00      /002R

P 031812Z NOV 08
FM SECSTATE WASHDC
TO SECURITY OFFICER COLLECTIVE PRIORITY
AMEMBASSY TRIPOLI PRIORITY 
INFO AMCONSUL CASABLANCA PRIORITY 
XMT AMCONSUL JOHANNESBURG
AMCONSUL JOHANNESBURG

S E C R E T STATE 116943

NOFORN

E.O. 12958: DECL: MR
TAGS: ASEC
SUBJECT: DIPLOMATIC SECURITY DAILY

Classified By: Derived from Multiple Sources

SECRET//FGI//NOFORN//MR
Declassify on: Source marked 25X1-human, Date of source:
October 30, 2008

¶1. (U) Diplomatic Security Daily, November 1-3, 2008

[Excerpts] 

¶32. (U) Cyber Threats

¶33. (S//REL TO USA, FVEY) WHA - CTAD comment: On October 16,
at least one e-mail account within the Government of Canada
received a Trojanized message from a Yahoo account claiming
to represent a U.S. embassy. The bogus subject line was an
invitation for a private meeting with a named DoS employee.
The attached Microsoft Word document was a malicious
"invitation" file that, when opened, attempts to beacon and
create a connection to "jingl.cable.nu" via port 8080. The
"cable.nu" domain remains one of concern, as it has
historically been associated with activity from Chinese
hacker organizations.
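The behaviour described in ¶33 (a document that beacons to a host under cable.nu on port 8080) is the kind of thing an egress or proxy log review can catch after the fact. The following is an added example, not part of the cable or of Cryptome's page: it runs a label-aware domain-suffix match plus a port match over a few constructed proxy log lines. The log format (timestamp, client IP, method, destination host:port) and every log line are constructed for illustration; only the domain (jingl.cable.nu / cable.nu) and the port (8080) come from the cable.

```python
"""Flag outbound connections matching the beacon described in the cable:
any host under the cable.nu zone reached on port 8080.

Added example; the log format and sample lines below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed proxy access log: timestamp, client IP, method, destination host:port.
SAMPLE_PROXY_LOG = """\
1224172800.101 10.20.30.41 GET www.example.org:80
1224172805.337 10.20.30.41 CONNECT update.example.net:443
1224172811.902 10.20.30.57 CONNECT jingl.cable.nu:8080
1224172812.113 10.20.30.57 GET www.example.org:80
1224172830.450 10.20.30.58 CONNECT mail.cable.nu:8080
1224172844.008 10.20.30.60 CONNECT cable.nu.example.com:8080
"""

# The cable names the whole cable.nu domain as one of concern, so the match
# covers the zone and every subdomain, not just the single observed host.
WATCHED_DOMAINS = ("cable.nu",)
WATCHED_PORTS = (8080,)


@dataclass(frozen=True)
class Hit:
    timestamp: float
    client: str
    host: str
    port: int


def host_matches(host: str, domains=WATCHED_DOMAINS) -> bool:
    """True if host is a watched domain or a subdomain of one.

    The comparison is label-based: 'cable.nu.example.com' and 'notcable.nu'
    do NOT match 'cable.nu' even though both contain the string.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line: str) -> Optional[Tuple[float, str, str, int]]:
    """Split one constructed log line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, _method, dest = parts
    host, sep, port = dest.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return float(ts), client, host, int(port)


def find_beacons(log_text: str, domains=WATCHED_DOMAINS,
                 ports=WATCHED_PORTS) -> List[Hit]:
    """Return every connection to a watched domain on a watched port."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, port = rec
        if host_matches(host, domains) and port in ports:
            hits.append(Hit(ts, client, host, port))
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{h.client} -> {h.host}:{h.port} at {h.timestamp:.0f}")
```

The two hits identify the internal clients (10.20.30.57 and 10.20.30.58 in the constructed data) that would need to be pulled for examination; the decoy line for cable.nu.example.com shows why suffix matching has to respect label boundaries rather than doing a plain substring search.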

¶34. (U) EUR - CTAD comment: The European Commission (EC) this
week proposed legislation to establish a Critical
Infrastructure Warning Information Network (CIWIN) to improve
information sharing among European Union (EU) member nations.
The proposed legislation would enable the EC to launch and
manage the CIWIN, a secure information technology (IT) system
aimed at sharing knowledge on threats, vulnerabilities, and
protection of critical infrastructures. The CIWIN would be a
voluntary tool for transmitting sensitive information and
would also include a rapid alert system for critical
infrastructure, allowing EU nations to post alerts on
immediate threats.

¶35. (U) AF - CTAD comment: Sudanese law enforcement recently
reported the arrest of three hackers who have allegedly
attacked more than 300 government and public websites during
the last few months. Among the hacked sites was that of the
National Telecommunication Corporation, which is responsible
for oversight of telecommunication service providers as well
as many other aspects of Sudanese IT and network stability.
The three highly skilled hackers, all of whom are Sudanese,
reportedly caused significant damage to their targets, but
their motivation for the attacks and any potential group
affiliations are yet undetermined.

¶36. (C) NEA - CTAD comment: On October 21, officials from the
Kuwaiti Central Agency for Information (CAIT) and the
National Security Bureau (NSB) expressed concerns for foreign
and domestic threats to Kuwaiti information systems.
According to these organizations, some of the issues plaguing
Government of Kuwait (GoK) networks are suspected attacks
from Iranian hackers, insider corruption and misuse of
resources, and a lack of sufficient interagency coordination
and guidance for monitoring users, activities and
investigating incidents. For example, the groups' inability
to adequately examine malicious software (malware) injections
or internal abuse of system access continues to hinder the
GoK's capacity to ensure the protection of sensitive
information. Therefore, the CAIT and NSB are interested in
learning more about U.S. cyber security programs as well as
receiving additional training and support.

¶37. (S//NF) EAP - CTAD comment: Between September 29 and
October 2, a conference was held by the German Federal Office
for the Protection of the Constitution (BfV). During this
conference, the BfV delivered a briefing on its analysis of
the cyber threat posed by the People's Republic of China
(PRC), which appears to mirror conclusions drawn by the U.S.
Intelligence Community. The BfV surmises the intention of PRC
actors is espionage, and the primary attack vector used in
their malicious activity is socially engineered e-mail
messages containing malware attachments and/or embedded links
to hostile websites. According to reporting, "from October
2006 to October 2007, 500 such e-mail operations were
conducted against a wide range of German organizations," and
the attacks appear to be increasing in scope and
sophistication. The socially engineered e-mail messages
delivered to German computer systems were spoofed to appear
to come from trusted sources and contain information
"targeted specifically to the recipient's interests,
duties, or current events." This malicious activity has
targeted a wide variety of German organizational levels to
include "German military, economic, science and technology,
commercial, diplomatic, research and development, as well as
high-level government (ministry and chancellery) systems."
In addition, German intelligence reporting indicates an
increase in activity was detected immediately preceding
events such as German Government, or commercial, negotiations
involving Chinese interests.

¶38. (U) SCA - CTAD comment: The National Science Foundation
and the Pakistan Higher Education Commission recently
announced the establishment of a Pakistan extension to an
international high-speed network already connecting U.S. and
EC systems. The new portion of the network links Pakistani
scientists and students to facilities in the U.S. through
additional connections to Singapore and Japan. This project
emerged from February 2007 discussions of the U.S.-Pakistan
Joint Committee on Science and Technology that sought to
promote cooperation and innovation among education and
business sectors. (Open sources; Appendix sources 41-43)

¶39. (S//NF) Worldwide - BC conducting CNE on USG systems:

¶40. (S//NF) Key highlights:
BC actively targets USG and other organizations via
socially engineered e-mail messages.
BC actors recently compromised the systems of a U.S. ISP
to carry out CNE on a USG network.
Additional IP addresses were identified this month as
compromised and used for BC activity.
BC has targeted DoS networks in the past and may again in
the future via spoofed e-mail.

¶41. (S//REL TO USA, FVEY) Source paragraph: "Byzantine
Candor (BC) actors have compromised multiple systems located
at a U.S. Internet service provider (ISP) and have used the
systems as part of BC's U.S.-based attack infrastructure
since at least March, targeting multiple victims including at
least one USG agency."

¶42. (S//NF) CTAD comment: Since late 2002, USG organizations
have been targeted with social-engineering online attacks by
BC actors. BC, an intrusion subset of Byzantine Hades
activity, is a series of related computer network intrusions
affecting U.S. and foreign systems and is believed to
originate from the PRC. BC intruders have relied on
techniques including exploiting Windows system
vulnerabilities and stealing login credentials to gain access
to hundreds of USG and cleared defense contractor systems
over the years. In the U.S., the majority of the systems BC
actors have targeted belong to the U.S. Army, but targets
also include other DoD services as well as DoS, Department of
Energy, additional USG entities, and commercial systems and
networks. BC actors typically gain initial access with the
use of highly targeted socially engineered e-mail messages,
which fool recipients into inadvertently compromising their
systems. The intruders then install malware such as
customized keystroke-logging software and command-and-control
(C&C) utilities onto the compromised systems and exfiltrate
massive amounts of sensitive data from the networks. This
month, BC actors attempted to compromise the network of a
U.S. political organization via socially engineered e-mail
messages (see CTAD Daily Read File dated October 16).
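The lure pattern recurs through this cable: in ¶33 a Yahoo account claiming to be a U.S. embassy delivers a Word "invitation"; in ¶37 the BfV describes messages spoofed to appear to come from trusted sources with malware attachments; in ¶42 BC's initial access is the same socially engineered e-mail. The following is an added example, not code from the cable, Wikileaks or Cryptome: a mail-gateway triage routine that applies three defender-side heuristics to a raw RFC 822 message using only the Python standard library. The sample messages, the webmail-domain list, the "trusted sender" phrases and the risky-extension list are all constructed assumptions; the OLE2 magic bytes are the real header of a legacy Office binary.

```python
"""Triage heuristics for the lure described in the cable: a display name that
claims a trusted sender while the real address is a free webmail account,
a Reply-To pointing elsewhere, and a risky document attachment.

Added example; both messages and all lists below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Tuple

# Constructed message modelled on the ¶33 description (sender, subject,
# attachment). The base64 body is the 8-byte OLE2 compound-file header.
SAMPLE_EML = b"""\
From: "U.S. Embassy Ottawa" <embassy.ottawa.protocol@yahoo.com>
To: staff@example.gc.ca
Subject: Invitation: private meeting with J. Doe (U.S. Department of State)
Date: Thu, 16 Oct 2008 09:12:00 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please find the invitation attached.

--b1
Content-Type: application/msword; name="invitation.doc"
Content-Disposition: attachment; filename="invitation.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

# Constructed benign message: internal sender, no attachment.
BENIGN_EML = b"""\
From: Jane Roe <jane.roe@example.gc.ca>
To: staff@example.gc.ca
Subject: Agenda for Thursday
Date: Thu, 16 Oct 2008 10:00:00 -0400
Content-Type: text/plain; charset="us-ascii"

The agenda is in the calendar entry.
"""

# Assumed lists; a real deployment would tune these to its own environment.
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com"}
TRUSTED_PHRASES = ("embassy", "consulate", "department of state")
RISKY_EXTENSIONS = (".doc", ".docx", ".xls", ".zip", ".exe", ".scr")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one raw message; [] when clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []

    # 1. Display name claims a trusted institution, address is free webmail.
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    if any(p in display.lower() for p in TRUSTED_PHRASES) and from_domain in FREE_WEBMAIL:
        findings.append(("display-name-mismatch",
                         f"'{display}' claims a trusted sender but the address is {addr}"))

    # 2. Replies are steered to a domain other than the sender's.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if domain_of(reply_addr) != from_domain:
            findings.append(("reply-to-mismatch",
                             f"Reply-To {reply_addr} differs from From domain {from_domain}"))

    # 3. Attachments: risky extension, and content-level check for an OLE2
    #    binary regardless of what the filename claims.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", f"{name} ({part.get_content_type()})"))
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(OLE2_MAGIC):
            findings.append(("ole2-attachment", f"{name} is an OLE2 compound file"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EML):
        print(f"{code}: {detail}")
    print("benign:", triage(BENIGN_EML))
```

None of these checks proves a message is malicious on its own; the point is that the constructed lure trips three independent heuristics while the benign internal message trips none, which is the kind of scoring a gateway can use to quarantine for analyst review rather than deliver. The OLE2 check is deliberately content-based so that renaming the attachment does not evade it.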

¶43. (S//REL TO USA, ACGU) CTAD comment: Also discovered this
month by USG analysts was the compromise of several computer
systems located at a commercial ISP within the United States.
According to Air Force Office of Special Investigations
(AFOSI) reporting, hackers based in Shanghai and linked to
the PRC's People's Liberation Army (PLA) Third Department
have been using these compromised systems as part of the
larger BC attack infrastructure to facilitate computer
network exploitation (CNE) of U.S. and foreign information
systems. Since March, the responsible actors have used at
least three separate systems at the unnamed ISP in multiple
network intrusions and have exfiltrated data via these
systems, including data from at least one USG agency. AFOSI
reporting indicates, on March 11, BC actors gained access to
one system at the ISP, onto which the actors transferred
multiple files, including several C&C tools. From here, the
intruders used the tools to obtain a list of usernames and
password hashes for the system. Next, on April 22, BC actors
accessed a second system at the ISP, where they transferred
additional software tools. From April through October 13, the
BC actors used this computer system to conduct CNE on
multiple victims. During this time period, the actors
exfiltrated at least 50 megabytes of e-mail messages and
attached documents, as well as a complete list of usernames
and passwords from an unspecified USG agency. Additionally,
multiple files were transferred to the compromised ISP system
from other BC-associated systems that have been previously
identified collecting e-mail messages from additional
victims. The third system at the U.S. ISP was identified as
compromised on August 14, when BC actors transferred a
malicious file onto it named
"salaryincrease-surveyandforecast.zip." According to AFOSI
analysis, BC actors use this system to host multiple webpages
that allow other BC-compromised systems to download malicious
files or be redirected to BC C&C servers.

¶44. (S//REL TO USA, FVEY) CTAD comment: Additional DoD
reporting this month indicates BC actors have used multiple
other systems to conduct CNE against U.S. and foreign systems
from February through September. An October 23 DoD cable
states Shanghai-based hackers associated with BC activity and
linked to the PLA have successfully targeted multiple U.S.
entities during this time period. The cable details dozens of
identified Internet Protocol (IP) addresses associated with
BC activity as well as the dates of their activity. All of
the IP addresses listed resolve to the CNC Group Shanghai
Province Network in Shanghai, and all the host names of the
addresses contained Asian keyboard settings as well as China
time zone settings. Most of these IP addresses were
identified as responsible for direct CNE of U.S. entities,
including unspecified USG organizations, systems and
networks. Interestingly, although the actors using each IP
address practiced some degree of operational security to
obfuscate their identities, one particular actor was
identified as lacking in these security measures. On June 7,
the BC actor, using an identified IP address, was observed
using a Taiwan-based online bulletin board service for
personal use.

¶45. (S//NF) CTAD comment: BC actors have targeted the DoS in
the past on multiple occasions with socially engineered
e-mail messages containing malicious attached files and have
successfully exfiltrated sensitive information from DoS
unclassified networks. As such, it is possible these actors
will attempt to compromise DoS networks in the future. As BC
activity continues across the DoD and U.S., DoS personnel
should practice conscientious Internet and e-mail use and
should remain informed on BH activity. (Appendix sources
44-46)