The New E-spionage Threat

A BusinessWeek probe of rising attacks on America’s most sensitive computer networks uncovers startling security gaps

by Brian Grow, Keith Epstein and Chi-Chu Tschang

The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as “Poison Ivy” designed to suck sensitive data out of the $4 billion consulting firm’s computer network.

The Pentagon hadn’t sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the “sender” and “recipient” to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China’s Yangtze River.

The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. “It’s espionage on a massive scale,” says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military’s networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon’s Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk. “They have our information on their networks. They’re building our weapon systems. You wouldn’t want that in enemy hands,” Croom says. Cyber attackers “are not denying, disrupting, or destroying operations—yet. But that doesn’t mean they don’t have the capability.”

The Rest Here

Ahhh the ubiquitous 3322.org. It’s an ongoing problem even though this article comes to you in 2007. All of you out there in the infosec field should be at least liminally aware of this lil bugger if not fire fighting it now still. The Chinese have been rather pesky with this one too. It’s polymorphic and seems to hop systems like a flea on a pack of feral dogs.

You should also be looking out for 8800.org, 9966.org, and 8866.org… Actually just be looking for any number.org sites in your logs really like this DOE CIRC report shows from last December. And within the cacaphony of it all, there is a signal to noise ratio going on too. The inscrutble ones are out there hiding the SIGINT in the noise.

As yet, I have not seen a clear strategy on cleaning systems that have been infected because this particular set of attacks is polymorphic. If a system gets compromised and actually beacons out, it then downloads via alternate ports, to get an FTP session and downloads new code. Which then does all the new and fun things that the makers have thought up in the interim. Meanwhile, with all this going on, it’s the worm you don’t see that is the problem. The quiet ones, the stealth bugs. All of them though are taking small bites of data from all the companies and individuals in the “Thousand Grains Of Sand” approach that is Chinese espionage.

I hope that the executive orders signed by Bush are continued and enhanced by Obama and that we as a country take this threat seriously. The Chinese are the noisy ones… Just think about the ones you don’t hear about. So the next time you, Mr. CEO get an email that says “FREE SCREEN SAVER!” please, think before you click.

If you’d like a better breakdown of the 3322 bug (one of the iterations) then go HERE for a nice sniff of the traffic and a dissection of it’s code.