6 December 2010
Cyber Threats to Government and ISPs

Released by Wikileaks 6 December 2010: http://88.80.16.63/file/cablegate/cablegate-201012061424.7z
Cryptome mirror: http://cryptome.org/0003/cablegate-201012061424.7z (926 cables, 2.9MB)
../2008/11/08STATE116943.html
ORIGIN DS-00
INFO LOG-00 MFA-00 EEB-00 AF-00 AIT-00 A-00 CIAE-00 INL-00 DNI-00 DODE-00 DOEE-00 WHA-00 EAP-00 DHSE-00 EUR-00 OIGO-00 OBO-00 TEDE-00 INR-00 IO-00 JUSE-00 LAB-01 L-00 MMP-00 MOFM-00 MOF-00 NEA-00 DCP-00 ISN-00 NSCE-00 NSF-01 OES-00 OIG-00 P-00 ISNE-00 DOHS-00 FMPC-00 SP-00 IRM-00 SSO-00 SS-00 DPM-00 USSS-00 NCTC-00 CBP-00 DSCC-00 PRM-00 DRL-00 SCA-00 SAS-00 FA-00 /002R
P 031812Z NOV 08
FM SECSTATE WASHDC
TO SECURITY OFFICER COLLECTIVE PRIORITY
AMEMBASSY TRIPOLI PRIORITY
INFO AMCONSUL CASABLANCA PRIORITY
XMT AMCONSUL JOHANNESBURG
AMCONSUL JOHANNESBURG

S E C R E T STATE 116943

NOFORN

E.O. 12958: DECL: MR
TAGS: ASEC
SUBJECT: DIPLOMATIC SECURITY DAILY

Classified By: Derived from Multiple Sources
SECRET//FGI//NOFORN//MR
Declassify on: Source marked 25X1-human, Date of source: October 30, 2008

¶1. (U) Diplomatic Security Daily, November 1-3, 2008 [Excerpts]

¶32. (U) Cyber Threats

¶33. (S//REL TO USA, FVEY) WHA - CTAD comment: On October 16, at least one e-mail account within the Government of Canada received a Trojanized message from a Yahoo account claiming to represent a U.S. embassy. The bogus subject line was an invitation for a private meeting with a named DoS employee. The attached Microsoft Word document was a malicious "invitation" file that, when opened, attempts to beacon and create a connection to "jingl.cable.nu" via port 8080. The "cable.nu" domain remains one of concern, as it has historically been associated with activity from Chinese hacker organizations.

¶34. (U) EUR - CTAD comment: The European Commission (EC) this week proposed legislation to establish a Critical Infrastructure Warning Information Network (CIWIN) to improve information sharing among European Union (EU) member nations. The proposed legislation would enable the EC to launch and manage the CIWIN, a secure information technology (IT) system aimed at sharing knowledge on threats, vulnerabilities, and protection of critical infrastructures. The CIWIN would be a voluntary tool for transmitting sensitive information and would also include a rapid alert system for critical infrastructure, allowing EU nations to post alerts on immediate threats.

¶35. (U) AF - CTAD comment: Sudanese law enforcement recently reported the arrest of three hackers who have allegedly attacked more than 300 government and public websites during the last few months. Among the hacked sites was that of the National Telecommunication Corporation, which is responsible for oversight of telecommunication service providers as well as many other aspects of Sudanese IT and network stability. The three highly skilled hackers, all of whom are Sudanese, reportedly caused significant damage to their targets, but their motivation for the attacks and any potential group affiliations are yet undetermined.

¶36. (C) NEA - CTAD comment: On October 21, officials from the Kuwaiti Central Agency for Information (CAIT) and the National Security Bureau (NSB) expressed concerns for foreign and domestic threats to Kuwaiti information systems. According to these organizations, some of the issues plaguing Government of Kuwait (GoK) networks are suspected attacks from Iranian hackers, insider corruption and misuse of resources, and a lack of sufficient interagency coordination and guidance for monitoring users, activities and investigating incidents. For example, the groups' inability to adequately examine malicious software (malware) injections or internal abuse of system access continues to hinder the GoK's capacity to ensure the protection of sensitive information. Therefore, the CAIT and NSB are interested in learning more about U.S. cyber security programs as well as receiving additional training and support.

¶37. (S//NF) EAP - CTAD comment: Between September 29 and October 2, a conference was held by the German Federal Office for the Protection of the Constitution (BfV). During this conference, the BfV delivered a briefing on its analysis of the cyber threat posed by the People's Republic of China (PRC), which appears to mirror conclusions drawn by the U.S. Intelligence Community. The BfV surmises the intention of PRC actors is espionage, and the primary attack vector used in their malicious activity is socially engineered e-mail messages containing malware attachments and/or embedded links to hostile websites. According to reporting, "from October 2006 to October 2007, 500 such e-mail operations were conducted against a wide range of German organizations," and the attacks appear to be increasing in scope and sophistication. The socially engineered e-mail messages delivered to German computer systems were spoofed to appear to come from trusted sources and contain information "targeted specifically to the recipient's interests, duties, or current events." This malicious activity has targeted a wide variety of German organizational levels to include "German military, economic, science and technology, commercial, diplomatic, research and development, as well as high-level government (ministry and chancellery) systems." In addition, German intelligence reporting indicates an increase in activity was detected immediately preceding events such as German Government, or commercial, negotiations involving Chinese interests.

¶38. (U) SCA - CTAD comment: The National Science Foundation and the Pakistan Higher Education Commission recently announced the establishment of a Pakistan extension to an international high-speed network already connecting U.S. and EC systems. The new portion of the network links Pakistani scientists and students to facilities in the U.S. through additional connections to Singapore and Japan. This project emerged from February 2007 discussions of the U.S.-Pakistan Joint Committee on Science and Technology that sought to promote cooperation and innovation among education and business sectors. (Open sources; Appendix sources 41-43)

¶39. (S//NF) Worldwide - BC conducting CNE on USG systems:

¶40. (S//NF) Key highlights: BC actively targets USG and other organizations via socially engineered e-mail messages. BC actors recently compromised the systems of a U.S. ISP to carry out CNE on a USG network. Additional IP addresses were identified this month as compromised and used for BC activity. BC has targeted DoS networks in the past and may again in the future via spoofed e-mail.

¶41. (S//REL TO USA, FVEY) Source paragraph: "Byzantine Candor (BC) actors have compromised multiple systems located at a U.S. Internet service provider (ISP) and have used the systems as part of BC's U.S.-based attack infrastructure since at least March, targeting multiple victims including at least one USG agency."

¶42. (S//NF) CTAD comment: Since late 2002, USG organizations have been targeted with social-engineering online attacks by BC actors. BC, an intrusion subset of Byzantine Hades activity, is a series of related computer network intrusions affecting U.S. and foreign systems and is believed to originate from the PRC. BC intruders have relied on techniques including exploiting Windows system vulnerabilities and stealing login credentials to gain access to hundreds of USG and cleared defense contractor systems over the years. In the U.S., the majority of the systems BC actors have targeted belong to the U.S. Army, but targets also include other DoD services as well as DoS, Department of Energy, additional USG entities, and commercial systems and networks. BC actors typically gain initial access with the use of highly targeted socially engineered e-mail messages, which fool recipients into inadvertently compromising their systems. The intruders then install malware such as customized keystroke-logging software and command-and-control (C&C) utilities onto the compromised systems and exfiltrate massive amounts of sensitive data from the networks. This month, BC actors attempted to compromise the network of a U.S. political organization via socially engineered e-mail messages (see CTAD Daily Read File dated October 16).

¶43. (S//REL TO USA, ACGU) CTAD comment: Also discovered this month by USG analysts was the compromise of several computer systems located at a commercial ISP within the United States. According to Air Force Office of Special Investigations (AFOSI) reporting, hackers based in Shanghai and linked to the PRC's People's Liberation Army (PLA) Third Department have been using these compromised systems as part of the larger BC attack infrastructure to facilitate computer network exploitation (CNE) of U.S. and foreign information systems. Since March, the responsible actors have used at least three separate systems at the unnamed ISP in multiple network intrusions and have exfiltrated data via these systems, including data from at least one USG agency. AFOSI reporting indicates, on March 11, BC actors gained access to one system at the ISP, onto which the actors transferred multiple files, including several C&C tools. From here, the intruders used the tools to obtain a list of usernames and password hashes for the system. Next, on April 22, BC actors accessed a second system at the ISP, where they transferred additional software tools. From April through October 13, the BC actors used this computer system to conduct CNE on multiple victims. During this time period, the actors exfiltrated at least 50 megabytes of e-mail messages and attached documents, as well as a complete list of usernames and passwords from an unspecified USG agency. Additionally, multiple files were transferred to the compromised ISP system from other BC-associated systems that have been previously identified collecting e-mail messages from additional victims. The third system at the U.S. ISP was identified as compromised on August 14, when BC actors transferred a malicious file onto it named "salaryincrease-surveyandforecast.zip." According to AFOSI analysis, BC actors use this system to host multiple webpages that allow other BC-compromised systems to download malicious files or be redirected to BC C&C servers.

¶44. (S//REL TO USA, FVEY) CTAD comment: Additional DoD reporting this month indicates BC actors have used multiple other systems to conduct CNE against U.S. and foreign systems from February through September. An October 23 DoD cable states Shanghai-based hackers associated with BC activity and linked to the PLA have successfully targeted multiple U.S. entities during this time period. The cable details dozens of identified Internet Protocol (IP) addresses associated with BC activity as well as the dates of their activity. All of the IP addresses listed resolve to the CNC Group Shanghai Province Network in Shanghai, and all the host names of the addresses contained Asian keyboard settings as well as China time zone settings. Most of these IP addresses were identified as responsible for direct CNE of U.S. entities, including unspecified USG organizations, systems and networks. Interestingly, although the actors using each IP address practiced some degree of operational security to obfuscate their identities, one particular actor was identified as lacking in these security measures. On June 7, the BC actor, using an identified IP address, was observed using a Taiwan-based online bulletin board service for personal use.

¶45. (S//NF) CTAD comment: BC actors have targeted the DoS in the past on multiple occasions with socially engineered e-mail messages containing malicious attached files and have successfully exfiltrated sensitive information from DoS unclassified networks. As such, it is possible these actors will attempt to compromise DoS networks in the future. As BC activity continues across the DoD and U.S., DoS personnel should practice conscientious Internet and e-mail use and should remain informed on BH activity. (Appendix sources 44-46)
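As an added example (not part of the cable or of Cryptome's page), the two indicators paragraph 33 reports, a Word attachment sent from a Yahoo account posing as a U.S. embassy and a beacon to jingl.cable.nu on port 8080, turned into the kind of checks a defender would run over outbound proxy logs and inbound mail. Only the cable.nu domain, the port and the "invitation" lure name come from the cable; the proxy-log format, the timestamps and IP addresses, the webmail-domain list, the official-identity keywords and the sample message are constructed for this example.

```python
"""Detections derived from the indicators in paragraph 33 of STATE 116943.

Everything except the cable.nu domain, port 8080 and the "invitation" lure
name is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Indicators taken from the cable: beacon host jingl.cable.nu -> match the
# parent domain and every subdomain; the beacon used port 8080.
WATCHED_DOMAINS = {"cable.nu"}
WATCHED_PORTS = {8080}

# Constructed (not from the cable): consumer webmail domains and phrases a
# sender might use to claim an official identity, as the Yahoo lure did.
WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com"}
OFFICIAL_KEYWORDS = ("embassy", "consulate", "department of state")
LURE_ATTACHMENTS = (".doc", ".docx", ".zip")

# Constructed proxy-log format: "<ts> <src_ip> <dst_host>:<dst_port> <verb> <status>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<verb>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    evidence: str


def host_in_watched_domain(host: str, domains: set[str] = WATCHED_DOMAINS) -> bool:
    """True if host equals a watched domain or is a subdomain of one.

    The leading dot in the suffix test keeps "notcable.nu" from matching.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines: Iterable[str]) -> list[Alert]:
    """Flag outbound connections to the watched domain; note the exact beacon port."""
    alerts: list[Alert] = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it instead of aborting the scan
        host, port = m["host"], int(m["port"])
        if host_in_watched_domain(host):
            rule = "beacon-pattern" if port in WATCHED_PORTS else "watched-domain"
            alerts.append(Alert(rule, f"{m['src']} -> {host}:{port}"))
    return alerts


def check_email(headers: dict[str, str], attachments: list[str]) -> list[Alert]:
    """Flag a message that claims an official identity from a webmail address.

    Mirrors the lure in the cable: display name/subject invoke an embassy,
    the actual mailbox is consumer webmail, and an Office/archive file rides along.
    """
    sender = headers.get("From", "")
    m = re.search(r"<([^>]+)>", sender)
    address = (m.group(1) if m else sender).strip().lower()
    domain = address.rsplit("@", 1)[-1]
    text = (sender + " " + headers.get("Subject", "")).lower()
    claims_official = any(k in text for k in OFFICIAL_KEYWORDS)

    alerts: list[Alert] = []
    if claims_official and domain in WEBMAIL_DOMAINS:
        alerts.append(Alert("spoofed-official-sender", address))
        if any(a.lower().endswith(LURE_ATTACHMENTS) for a in attachments):
            alerts.append(Alert("lure-attachment", ", ".join(attachments)))
    return alerts


# Constructed sample data (timestamps, source IPs and the message are invented).
SAMPLE_PROXY_LOG = [
    "2008-10-16T14:02:11Z 10.1.4.23 jingl.cable.nu:8080 CONNECT 200",
    "2008-10-16T14:02:15Z 10.1.4.23 www.example.org:443 CONNECT 200",
    "2008-10-16T14:03:00Z 10.1.4.77 mirror.cable.nu:80 GET 200",
    "not a log line",
]
SAMPLE_MAIL = {
    "From": "U.S. Embassy Ottawa <embassy.ottawa@yahoo.com>",
    "Subject": "Invitation: private meeting",
}
SAMPLE_ATTACHMENTS = ["invitation.doc"]


def run_sample() -> list[Alert]:
    """Run both checks over the constructed samples and return every alert."""
    return scan_proxy_log(SAMPLE_PROXY_LOG) + check_email(SAMPLE_MAIL, SAMPLE_ATTACHMENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.rule}] {alert.evidence}")
```

The domain match is deliberately suffix-based with a leading dot, so any new subdomain under cable.nu is caught without matching unrelated names that merely end in the same letters; the mail check keys on the mismatch between a claimed affiliation and the sending domain rather than on a specific address, which is the durable part of the lure the cable describes.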