Friday, December 5, 2008

From Russia With Love

According to the Los Angeles Times, "senior military leaders took the exceptional step of briefing President Bush this week on a severe and widespread electronic attack on Defense Department computers that may have originated in Russia." Specifically, the article noted that "the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network."

This attack appears to be the reason that Pentagon officials banned the use of external flash drives on military systems. This ban was likely designed to prevent the spread of the worm between unclassified and classified networks via sneakernets.

F-Secure provides a write-up on the worm in question, known as Agent.btz, and states explains that worm is spread "if the malware detects a new partition, or usb stick for example, it will get infected immediately." Further, the worm attempts two outbound connections in an attempt to download further binaries. The outbound connections are made to the following servers:[random digits].jpg[random digits].jpg


According to Netcraft, is hosted in Greece and is hosted in Hong Kong. The locations of these servers is inconsequential as the attacker likely choose these locations based off lax enforcement or weak security procedures by the hosting providers of the above websites and not based of his or her geographic proximity to these malware distribution points.

The Los Angeles Times's reporting that the attack originated in Russia would indicate that the malware downloaded from these servers attempted to steal data and siphon it directly or indirectly back to attackers in Russia.

This case demonstrates two points that we will discuss throughout the semester.

  • Conducting a cyber attack is an extremely low-risk and potentially high reward operation. The cost of failure here is extremely low. If the worm doesnt spread the attacker simply starts over and creates a new worm or virus. As a result of the massive amount of attacks attacks the Pentagon it is unlikely that the attack would be tracked down and held responsible for a failed attack. If the attack is successful then the attacker would expect to steal potential valuable information.
  • On a related note, attribution of a cyber attack is very hard. The technical evidence to date does not point definitively to a single source as the IP addresses involved are distributed around the world. Attribution of a cyber attack requires more than just technical analysis but also good human intelligence and investigative skills.

No comments: