Cyber Espionage

SpyVsSpyI had already written this blog a few days ago, but before I could publish it the news came out that the US has indicted Chinese officials for spying on US companies including Westinghouse, Alcoa Alumina and US Steel. They were clearly doing this to seek advantages for Chinese companies in areas like nuclear plant design, metallurgy and solar energy. Our outrage seems a little disingenuous since the Snowden leaked materials show that the US has been spying on Huawei, the Chinese telecom manufacturer.

You hear a lot about cyber attacks on the web, and these mostly involve denial of service attacks where somebody sends so much traffic to a given IP address that they overwhelm the site and effectively shut it down. But until this announcement there has not been a lot of news about cyber espionage. How does cyber espionage work? Instead of shutting down a site, the goal of cyber espionage is to gather information about somebody, ideally without them ever detecting it. The goal is to worm into somebody’s network to gain access to all of their files and communications.

Cyber espionage is done both by companies that spy on each other and by governments. Nobody knows how much of this is going on, but one has to suspect that since it can be done that it is being done on a large scale. Nobody can be entirely sure who is capable of this, because one good hacker can make this work. One would have to think that the cases the US just uncovered are only the tip of the iceberg.

Cyber espionage is very different than cyber warfare where countries make concerted attacks against other to try to shut down key institutions, disable electric grids and create general havoc. At the end of 2013 it was thought that Australia, Belarus, China, France, India, Iran, Israel, North Korea, Pakistan, Russia and the US have there wherewithal to conduct cyber warfare. But almost anybody can undertake espionage.

The most typical way to undertake cyber spying is through a trojan horse virus. The goal is to get somebody at a company or organization to open an email that has an infected document. The information on the sent email will be forged and will be made to look like it comes from a familiar person. The trojan horse doesn’t need to be sent to somebody high up in an organization because the goal of the invasion is to worm into the company servers.

Since EXE files don’t get through firewalls, attached file will be in the form of a Word, Excel or Adobe Reader file so as to not look suspicious. Normally these kinds of files are not malicious, but in this case the document would secretly include executable code. Generally when the file is opened the trojan horse then does two things. It opens the attached file to distract the recipient of the file and it also would execute binary code that would create a backdoor program that would give the spying party access to that computer. The trojan horse file would hide itself somewhere on the computer and establish a connection back to the spy, who would then be able to do almost anything possible from that computer.

Once in place the trojan horse can do such things as capture keystrokes to know what the infected machine is doing. They could even enable the microphone and listen in on conversations. But the most important feature of this kind of invasion is that the spy is given access to data on company servers at whatever level of security is enjoyed by the infected machine. In many cases, once they have gotten a foot inside the target location they will create an infected file from that user to get to other people within the organization.

A number of organizations have uncovered these kinds of spying attacks. The very nature of the attack always makes it nearly impossible to know where the attack originated. But one would think that most of the organizations that have been invaded in this way have no idea that they are being spied upon.

There is no really foolproof way of protecting against this kind of invasion. It only takes one employee to open an infected file and the spying is in place. The only real security from this kind of espionage is to not have confidential information on servers that can be connected to the Internet. That means that both the servers and the machines that use them must be fully isolated from external communications. That kind of security is extraordinary and generally only the military and other government organizations would take such drastic steps to protect top secret data. It’s the rare corporation that will tolerate that level of extra hassle in the name of security.

Leave a Reply