Tuesday, December 13, 2011

How to hack a classified network: update

Almost exactly three years ago I wrote a post called How to hack a classified network describing a massive breach of the US DoD classified computer networks.  There weren't a lot of details available about the incident, so the post was pretty theoretical, but laid out the problem:
So if you are the chief Bad Guy - Dr. Evil, head of an unfriendly government's Intelligence Service - how do you hack the Fed.Gov classified network? Give people interesting poisoned bait - an interesting or funny video that contains embedded malware that runs when the video is watched. They'll want it, because it's interesting. They'll download it from the Red network (Al Gore's Intarwebz) and take it onto the Black network, where it will spread.

And now your spy comes into the picture. All he has to do is pick up the classified data that's been harvested by the malware botnet army that has infested the Black network. Of course there's risk, because he does indeed have to get past the armed Marine guards, but there is a long history of this sort of thing happening.
Three years later, details of the whole situation are coming out, in a very good article in the Washington Post:

One likely scenario is that an American soldier, official or contractor in Afghanistan — where the largest number of infections occurred — went to an Internet cafe, used a thumb drive in an infected computer and then inserted the drive in a classified machine. “We knew fairly confidently that the mechanism had been somebody going to a kiosk and doing something they shouldn’t have as opposed to somebody who had been able to get inside the network,” one former official said.
Once a computer became infected, any thumb drive used on the machine acquired a copy of Agent.btz, ready for propagation to other computers, like bees carrying pollen from flower to flower. But to steal content, the malware had to communicate with a master computer for instructions on what files to remove and how to transmit them.
These signals, or beacons, were first spotted by a young analyst in the NSA’s Advanced Networks Operations (ANO) team, a group of mostly 20- and 30-something computing experts assembled in 2006 to hunt for suspicious activity on the government’s secure networks.
The risk to the Bad Guy was in gathering the collected material, which was the obvious (to me, at any rate) place to look for an intrusion.
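That collection step is what a defender can look for: on a network that is supposed to have no path to the outside, a host calling a fixed address on a timer stands out. The script below is an added illustration, not code from this post or from the Washington Post article, and the log format and addresses in it are constructed for the example. It parses a minimal "timestamp src dst dport" connection log, flags any host that contacts an address outside the assumed internal range (here 10.0.0.0/8), and separately flags source/destination pairs whose connections recur at near-constant intervals, which is the signature of a timer-driven beacon rather than a person at a keyboard.

```python
"""Beacon and egress detection over constructed connection-log lines.

Added example; not the post's or the article's code. The log format,
addresses and timing below are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: everything in 10.0.0.0/8 is the isolated network itself.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: one host beaconing every ~300 s to an outside
# address, mixed with ordinary file-share traffic from another host.
SAMPLE_LOG = """\
2011-12-13T08:00:00 10.20.30.41 198.51.100.7 443
2011-12-13T08:00:03 10.20.30.55 10.20.1.10 445
2011-12-13T08:05:01 10.20.30.41 198.51.100.7 443
2011-12-13T08:07:40 10.20.30.55 10.20.1.10 445
2011-12-13T08:09:59 10.20.30.41 198.51.100.7 443
2011-12-13T08:15:00 10.20.30.41 198.51.100.7 443
2011-12-13T08:16:12 10.20.30.55 10.20.1.10 445
2011-12-13T08:20:02 10.20.30.41 198.51.100.7 443
2011-12-13T08:24:58 10.20.30.41 198.51.100.7 443
2011-12-13T08:31:30 10.20.30.55 10.20.1.10 445
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def external_contacts(text):
    """Map each source host to the sorted outside addresses it contacted.

    On a network that should have no outside connectivity at all, any
    entry here is a finding on its own, whatever the timing looks like.
    """
    seen = defaultdict(set)
    for _, src, dst, _ in parse_log(text):
        addr = ipaddress.ip_address(dst)
        if not any(addr in net for net in INTERNAL_RANGES):
            seen[src].add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items()}


def find_beacons(text, min_connections=5, max_jitter=0.10):
    """Return flows whose inter-connection gaps are near-constant.

    max_jitter bounds the coefficient of variation (stdev / mean) of the
    gaps: a person browsing produces wildly uneven gaps, a timer does not.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)

    results = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            results.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(stamps),
                "period_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return results


if __name__ == "__main__":
    print("hosts contacting outside addresses:", external_contacts(SAMPLE_LOG))
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

The two checks are deliberately independent: the egress check needs no statistics and is the right first question on an isolated network, while the timing check also catches beacons that hide inside traffic to an internal relay host, where the destination alone would not look wrong. The thresholds are starting points; real beacons often add random sleep, so `max_jitter` is something to tune against known-good traffic rather than a constant.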

It's a very interesting story of cyber cat-and-mouse, although the Wikileaks analogy doesn't have a place in it (that was espionage by a human actor, not malware). RTWT, both my original post and the WaPo story.

4 comments:

Old NFO said...

Yep, inherent shortcuts by people tend to be 90% of the problem... sigh

Rev. Paul said...

"inherent shortcuts by people tend to be 90% of the problem..."

Yep. 100% of the time.

Anonymous said...

I wonder how the Iranians downed the drone flying over their territory. Didn't they have a small problem at drone HQ recently that wasn't a problem, apparently?

As you can stop USB devices being used on a PC/laptop, why wasn't that done?

Borepatch said...

knottedprop, I don't know if the malware on the drone control computers is related to this, or the lack of encryption on the drone links. Just don't know enough to speculate.