Wednesday, May 15, 2013

The Comment Crew

The Comment Crew has been in the news.
 A U.S. Department of Defense official disclosed that QinetiQ North America, a company involved in developing U.S. military drones and reconnaissance satellites, was hit by a hacker attack and that an investigation has begun. Involvement by the Chinese military is suspected, and important military secrets may have been stolen.

U.S. Department of Defense
・"We are aware of the intrusion, and it is a serious problem. We are working closely with the company to find out exactly what happened."
・Its annual report on Chinese military developments states explicitly that some of last year's cyber attacks on the U.S. government and others "appear to be directly attributable to the Chinese government and military."

Bloomberg
・The attack is believed to be the work of a hacker group in the Chinese military's "Unit 61398."

QinetiQ North America
・2007-2010
・Networks of the development and manufacturing divisions were extensively penetrated.
・Data equivalent to 1.3 million pages of documents was leaked.
 Many military secrets, including:
  Information on the deployment and capabilities of combat helicopter units
  Secret satellites, UAVs and software used by special forces deployed in the Middle East
  Military robots

Mandiant
Mandiant Intelligence Center Report APT1: Exposing One of China's Cyber Espionage Units
・Published a report stating that since 2006 at least 141 companies worldwide have been attacked by Comment Crew hackers.
・Nearly 90% of the targets were in English-speaking countries; 115 cases were against U.S. companies.
・Infrastructure such as power grids, stock markets and financial systems were also targeted.

Hayden
・China is stealing U.S. technology developed with enormous R&D spending in an attempt to gain a technological advantage.

The Comment Crew appears to target companies under contract with the U.S. military and extract military information from them.

The federal government had the FBI and NCIS confirm the leaks on the basis of tips it received, so perhaps QinetiQ was used as a decoy for a while.
When F-35 information leaked, the company involved was not named, but QinetiQ was. I thought this might be because its new development contracts had ended or because the material was of low sensitivity, but then it turned out QinetiQ had signed a $4.7 million cybersecurity contract with the U.S. Department of Transportation.

QinetiQ seems to have many contracts with the U.S. Army; does that mean the special forces in the Middle East are also U.S. Army?
Since NCIS falls under the Navy, many of the federal security agencies were probably already aware.

Even if China acquires equipment equivalent to the U.S. military's, without the supporting infrastructure it would be a wasted treasure. Will infrastructure information be the next target?

Cyber attacks: who decides whether it is crime or invasion
Chinese-made Echelon system
Chinese Army Unit 61398
China Cyber-Espionage Campaign
Uriminzokkiri member list published
Sprint Nextel acquisition battle
The Tallinn Manual

QinetiQ Air Division 2013

Mini-Robots for the US Army; iRobot First Look & QinetiQ DragonRunner 10

TALON MK2 "Bomb Disposal" Robot Playing with Kids

---Leak of U.S. military secrets: intelligence organization "Comment Crew" suspected, a hacker group under Chinese military command---
2013.5.8 20:00
http://sankei.jp.msn.com/world/news/130508/chn13050820020002-n1.htm

 [Washington: Rui Sasaki] A hacker attack on a U.S. defense company involved in developing cutting-edge robotic weapons and unmanned aircraft has newly come to light, and U.S. military authorities increasingly suspect that a hacker group under the command of the Chinese military was involved.
 The U.S. company is QinetiQ North America, headquartered in McLean, Virginia, in the south. The hacker attack is believed to have been carried out by the hacker group "Comment Crew," which operates under the command of "Unit 61398," a Chinese military intelligence organization in Shanghai. The group has been found to have four bases of operation in the suburbs of Shanghai near Unit 61398's headquarters.
 From 2007 to 2010, intrusions centered on QinetiQ's development division were confirmed, with data equivalent to 1.3 million pages of documents leaked. Specifically, the data is believed to have included classified information on reconnaissance satellites and on robotic weapons, such as the robots that were used after the radiation leak at the Fukushima Daiichi nuclear power plant to automatically map radiation levels inside the facility.
 U.S. information security firm Mandiant published a report this February stating that since 2006 at least 141 companies worldwide had been attacked by Comment Crew hackers. Nearly 90% of the targets were in English-speaking countries, with 115 cases directed at U.S. companies. The report warns that infrastructure such as power grids, stock markets and financial systems are also targets.
 Last April, the Chinese military unveiled a robot closely resembling QinetiQ's bomb disposal robot, which may have been a "fruit" of the hacker attacks.
 Of further concern is the leak of classified information on the F-35, the latest stealth fighter that the U.S. military plans to procure. U.S. media have also reported that Lockheed Martin, the lead developer, was hit by hacker attacks over the F-35. Delays in F-35 development may be due to the time it is taking to rewrite software following the hacker attacks.
 Former CIA Director Hayden has said, "China is stealing U.S. technology developed with enormous R&D spending in an attempt to gain a technological advantage."
 The annual report on Chinese military developments released by the U.S. Department of Defense on the 6th also states explicitly that some of last year's cyber attacks on the U.S. government and others "appear to be directly attributable to the Chinese government and military."


---Did China obtain U.S. military secrets? Hacker attacks on drone and reconnaissance satellite development---
2013.5.4 15:49
http://sankei.jp.msn.com/world/news/130504/amr13050415520004-n1.htm

 A U.S. Department of Defense official disclosed on the 3rd that QinetiQ North America, a company involved in developing U.S. military drones and reconnaissance satellites, was hit by a hacker attack and that an investigation has begun. Involvement by the Chinese military is suspected, and important military secrets may have been stolen.
 The official told reporters, "We are aware of the intrusion, and it is a serious problem. We are working closely with the company to find out exactly what happened."
 According to the U.S. news agency Bloomberg, the investigation so far indicates the attack was the work of a hacker group in the Chinese military's "Unit 61398," based in Shanghai.
 From around 2007 to 2010, the company's development and manufacturing division networks were extensively penetrated, and data equivalent to 1.3 million pages of documents was leaked. The data may have included many military secrets, such as information on the deployment and capabilities of combat helicopter units. (Kyodo)


---Chinese Cyber-spying on QinetiQ Probed by Pentagon---
By Ben Elgin & Michael Riley - May 7, 2013 9:59 PM GMT+0900
http://www.bloomberg.com/news/2013-05-07/chinese-cyber-spying-on-qinetiq-probed-by-pentagon.html

The U.S. Defense Department is investigating intrusions by Chinese cyber-spies into the computer systems of defense contractor QinetiQ North America, the Pentagon said.

For three years, hackers linked to China’s military infiltrated QinetiQ’s computers and compromised most if not all of the company’s research, which includes work on secret satellites, drones and software used by U.S. special forces in Afghanistan and the Middle East, Bloomberg News reported May 2.

“We are working very closely with QinetiQ to determine exactly the scope and breadth of this incident,” Pentagon spokesman Army Colonel Steve Warren told reporters on May 3.

Warren wouldn’t say whether national security had been compromised. “That’s an assessment we are not prepared to announce yet,” he said. “We are looking closely at a number of different levels to determine exactly what happened and when.”

Jennifer Pickett, a spokeswoman for McLean, Virginia-based QinetiQ North America, didn’t immediately respond to e-mail and phone messages seeking comment about the Pentagon’s probe. Pickett declined to comment on Bloomberg’s May 2 story, citing a company policy to not discuss security measures.

QinetiQ is only one target in a broader online campaign. Beginning at least as early as 2007, Chinese computer spies raided the data of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets, according to two former Pentagon officials who asked not to be named because damage assessments of the incidents remain classified.

New Accusations

Chinese cyber-spying appears even broader. The Pentagon released a report yesterday accusing China’s military of targeting U.S. government computers to bolster its defense and technology industries and to support military planning.

“China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs,” the report said.

In the QinetiQ case, investigators eventually identified the Shanghai-based hackers that broke into QinetiQ as a crack team, nicknamed the Comment Crew by security experts. That team has also hit major corporations and political figures. At least one other Chinese hacking team also may have been involved, according to a person familiar with the investigation.

In a Feb. 18 report, Mandiant, an Alexandria, Virginia-based security firm, attributed 141 major cyber-attacks to the Comment Crew without naming the targets. Mandiant identified the Comment Crew as the People’s Liberation Army Unit 61398, which is similar in some respects to the U.S. National Security Agency. Mandiant’s report prompted Tom Donilon, President Obama’s national security adviser, to call on China to stop the hacking of U.S. companies.

Jeopardized Secrets

The spying operation on QinetiQ jeopardized the company’s sensitive technology involving drones, satellites, the U.S. Army’s combat helicopter fleet and military robotics, according to internal investigations.

“Cyber-activities are becoming increasingly something that we need to worry about,” said the Pentagon’s Warren, who declined to elaborate further on the investigation into QinetiQ.

Federal agencies have known for years that QinetiQ was losing confidential data. In December 2007, the Naval Criminal Investigative Service informed QinetiQ that employees in McLean were losing confidential data from their computers. In September 2010, the FBI called QinetiQ with evidence that its information was being stolen.

NCIS and FBI representatives have declined to comment on QinetiQ.

The QinetiQ intrusions haven’t affected the company’s ability to win government contracts or provide cyber-security to federal agencies.

In May 2012, QinetiQ received a $4.7 million cyber-security contract from the U.S. Transportation Department, which includes protection of the country’s critical transport infrastructure.



---U.S. Blames China’s Military Directly for Cyberattacks---
By DAVID E. SANGER
Published: May 6, 2013
http://www.nytimes.com/2013/05/07/world/asia/us-accuses-chinas-military-in-cyberattacks.html?_r=0

WASHINGTON - The Obama administration on Monday explicitly accused China’s military of mounting attacks on American government computer systems and defense contractors, saying one motive could be to map “military capabilities that could be exploited during a crisis.”

While some recent estimates have more than 90 percent of cyberespionage in the United States originating in China, the accusations relayed in the Pentagon’s annual report to Congress on Chinese military capabilities were remarkable in their directness. Until now the administration avoided directly accusing both the Chinese government and the People’s Liberation Army of using cyberweapons against the United States in a deliberate, government-developed strategy to steal intellectual property and gain strategic advantage.

“In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” the nearly 100-page report said.

The report, released Monday, described China’s primary goal as stealing industrial technology, but said many intrusions also seemed aimed at obtaining insights into American policy makers’ thinking. It warned that the same information-gathering could easily be used for “building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis.”

It was unclear why the administration chose the Pentagon report to make assertions that it has long declined to make at the White House. A White House official declined to say at what level the report was cleared. A senior defense official said “this was a thoroughly coordinated report,” but did not elaborate.

On Tuesday, a spokeswoman for the Chinese Ministry of Foreign Affairs, Hua Chunying, criticized the report.

‘‘China has repeatedly said that we resolutely oppose all forms of hacker attacks,’’ she said. ‘‘We’re willing to carry out an even-tempered and constructive dialogue with the U.S. on the issue of Internet security. But we are firmly opposed to any groundless accusations and speculations, since they will only damage the cooperation efforts and atmosphere between the two sides to strengthen dialogue and cooperation.’’

Missing from the Pentagon report was any acknowledgment of the similar abilities being developed in the United States, where billions of dollars are spent each year on cyberdefense and constructing increasingly sophisticated cyberweapons. Recently the director of the National Security Agency, Gen. Keith Alexander, who is also commander of the military’s fast-growing Cyber Command, told Congress that he was creating more than a dozen offensive cyberunits, designed to mount attacks, when necessary, at foreign computer networks.

When the United States mounted its cyberattacks on Iran’s nuclear facilities early in President Obama’s first term, Mr. Obama expressed concern to aides that China and other states might use the American operations to justify their own intrusions.

But the Pentagon report describes something far more sophisticated: a China that has now leapt into the first ranks of offensive cybertechnologies. It is investing in electronic warfare capabilities in an effort to blind American satellites and other space assets, and hopes to use electronic and traditional weapons systems to gradually push the United States military presence into the mid-Pacific nearly 2,000 miles from China’s coast.

The report argues that China’s first aircraft carrier, the Liaoning, commissioned last September, is the first of several carriers the country plans to deploy over the next 15 years. It said the carrier would not reach “operational effectiveness” for three or four years, but is already set to operate in the East and South China Seas, the site of China’s territorial disputes with several neighbors, including Japan, Indonesia, the Philippines and Vietnam. The report notes a new carrier base under construction in Yuchi.

The report also detailed China’s progress in developing its stealth aircraft, first tested in January 2011.

Three months ago the Obama administration would not officially confirm reports in The New York Times, based in large part on a detailed study by the computer security firm Mandiant, that identified P.L.A. Unit 61398 near Shanghai as the likely source of many of the biggest thefts of data from American companies and some government institutions.

Until Monday, the strongest critique of China had come from Thomas E. Donilon, the president’s national security adviser, who said in a speech at the Asia Society in March that American companies were increasingly concerned about “cyberintrusions emanating from China on an unprecedented scale,” and that “the international community cannot tolerate such activity from any country.” He stopped short of blaming the Chinese government for the espionage.

But government officials said the overall issue of cyberintrusions would move to the center of the United States-China relationship, and it was raised on recent trips to Beijing by Treasury Secretary Jacob J. Lew and the chairman of the Joint Chiefs of Staff, Gen. Martin E. Dempsey.

To bolster its case, the report argues that cyberweapons have become integral to Chinese military strategy. It cites two major public works of military doctrine, “Science of Strategy” and “Science of Campaigns,” saying they identify “information warfare (I.W.) as integral to achieving information superiority and an effective means for countering a stronger foe.” But it notes that neither document “identifies the specific criteria for employing a computer network attack against an adversary,” though they “advocate developing capabilities to compete in this medium.”

It is a critique the Chinese could easily level at the United States, where the Pentagon has declined to describe the conditions under which it would use offensive cyberweapons. The Iran operation was considered a covert action, run by intelligence agencies, though many techniques used to manipulate Iran’s computer controllers would be common to a military program.

The Pentagon report also explicitly states that China’s investments in the United States aim to bolster its own military technology. “China continues to leverage foreign investments, commercial joint ventures, academic exchanges, the experience of repatriated Chinese students and researchers, and state-sponsored industrial and technical espionage to increase the level of technologies and expertise available to support military research, development and acquisition.”

But the report does not address how the Obama administration should deal with that problem in an economically interconnected world where the United States encourages those investments, and its own in China, to create jobs and deepen the relationship between the world’s No. 1 and No. 2 economies. Some experts have argued that the threat from China has been exaggerated. They point out that the Chinese government - unlike, say, Iran or North Korea - has such deep investments in the United States that it cannot afford to mount a crippling cyberstrike on the country.

The report estimates that China’s defense budget is $135 billion to $215 billion, a large range attributable in part to the opaqueness of Chinese budgeting. While the figure is huge in Asia, the top estimate would still be less than a third of what the United States spends every year.

Some of the report’s most interesting elements examine the debate inside China over whether this is a moment for the country to bide its time, focusing on internal challenges, or to directly challenge the United States and other powers in the Pacific.

But it said that “proponents of a more active and assertive Chinese role on the world stage” - a group whose members it did not name - “have suggested that China would be better served by a firm stance in the face of U.S. or other regional pressure.”


---Don't Underestimate Cyber Spies---
Richard Bejtlich
May 2, 2013
http://www.foreignaffairs.com/articles/139357/richard-bejtlich/dont-underestimate-cyber-spies?page=show

How Virtual Espionage Can Lead to Actual Destruction

It is easy to get lost in cyberspace. This world, created by engineers and populated by everyone, looks different to every person or group that interacts with it. For the U.S. military, cyberspace is a war-fighting domain; for a student, it is a place to interact with peers; for a business, it is a place to make money -- and the list goes on.

Discussions of a related topic, cybersecurity, share the same characteristic. How to achieve security, or even define it, also depends on the participant. For most in the world of cybersecurity, digital espionage is a hot topic. Few news items have caused such a stir in this world as the report released in February by my firm, Mandiant, on Unit 61398, formally known as the Second Bureau of the People’s Liberation Army’s General Staff Department’s Third Department. The report revealed the seven-year history of digital espionage by Unit 61398 against at least 141 Western companies. Mandiant traced Chinese cyber-spying back to the doorstep of a 12-story office building outside Shanghai.

Espionage of any kind is serious, of course, but some do not understand how spying in the cyber world is different from spying in the physical world. Few realize that the same tools required to conduct digital espionage could allow intruders to go a step further and commit digital destruction. Once an adversary has entered a computer system, the amount of damage he does or does not inflict depends entirely on his intent. Whether such actions qualify as war is largely a political decision, but the ability to escalate from espionage to destruction is often ignored.

Critics are quick to assert that espionage is a step below a full-fledged digital attack -- which could constitute an act of war. The writer Bruce Schneier, for example, responded to reports of Chinese cyberactivity by saying, “This is not cyberwar. This is not war of any kind. This is espionage, and the difference is important. Calling it war just feeds our fears and fuels the cyberwar arms race.”

A better general understanding of digital defense, spying, and war is clearly needed. Those with military backgrounds use three terms to explain cyberactivity: computer network defense (CND), computer network exploitation (CNE), and computer network attack (CNA). CND, protecting digital information from hackers, is universally considered to be a good thing. CNE and CNA are more problematic because they involve taking offensive actions against a target.

Security professionals in the West think of CNE as digital espionage and of CNA as altering, disrupting, or destroying computer systems, whether virtually or physically. Examples of CNE include penetrating computer networks to steal trade secrets or other sensitive data, monitoring individuals’ typing to steal their passwords, or capturing information as it passes through the Internet. Examples of virtual CNA include changing database records or deleting data, while examples of physical CNA include using computers to damage or destroy equipment or inflict other harm in the real world.

The term “cyberwar” usually refers to the use of a digital weapon to cause physical damage. Thus far, the only commonly accepted example of this was the Stuxnet attack against Iran’s nuclear facilities. Some employ “cyberwar” far too loosely, or consider many forms of digital action to be cyberwar so long as they are paired with real-world military operations, as when Russian hackers took down Georgian Web sites during the 2008 war between the two countries.

Any adversary that can spy can also harm -- the only limitation is his intent. As a result, depending on the target, cyber-espionage could quickly escalate to cyberwar -- in which digital weapons are used to inflict physical damage.

Consider the following attack pattern. First, an intruder performs reconnaissance against his target to survey its weaknesses and find ways to steal or manipulate data. Next, he delivers weaponized content (for example, a document with malicious code, or a link to a malicious Web site) via an e-mail message. The e-mail recipient opens the attachment or clicks on the link, resulting in his computer falling victim to the intruder. The attacker can now control the victim’s computer and is free to pursue his objectives.

This is the key moment: Does the intruder choose to spy or to destroy? In the vast majority of cases, the answer has always been to spy. Intruders typically have most to gain by accessing a target and quietly stealing data. This is true of both financially motivated cybercrime and digital espionage. It pays to be stealthy and persistent. Professional digital thieves do not want to announce their presence by destroying data or producing physical effects.

A minority of cases, usually perpetrated by so-called hacktivists, do involve the destruction of data. Most observers consider such actions to be akin to vandalism. The attacker wants to embarrass the victim, so he penetrates the target, steals data, disables their computer by destroying key files, then publishes news of his conquest on the Internet. This model is far different from the world of CNE and CNA.

Unfortunately, three recent cases demonstrate that some outside the hacktivist community are opting to destroy as well. In August 2012, the state-owned Saudi Arabian Oil Company, also known as Saudi Aramco, suffered a digital destruction incident. According to Abdullah al-Saadan, a vice president at the company, foreign intruders deleted key files from more than 30,000 computers, rendering them useless until restored from backups. Major General Mansour al-Turki, a spokesman for the Saudi Interior Ministry, stated that “the attack failed to reach its ultimate goal, which was to stop the flow of Saudi oil.” Several days later, RasGas, a joint-stock company owned by Qatar Petroleum and ExxonMobil and one of the world’s largest liquefied natural gas suppliers, reported it suffered similar damage. Officials have been hesitant to point fingers at a potential culprit, but many suspect Iranian involvement.

Most recently, last March, digital destruction attacks affected more than 48,000 computers in South Korea. Three TV stations and three banks reported destruction of critical system files by malware, with effects similar to those suffered by Saudi Aramco and RasGas. Officials in South Korea attributed the attacks to North Korea.

It is important to differentiate at this point between digital attacks that temporarily disrupt networks and those that delete data. The first kind, known as DDoS, involve flooding computers and the networks to which they connect. Attackers deluge targeted computers with bogus network traffic, reducing the victim’s ability to communicate with the Internet and others’ ability to visit the targeted networks. The damage caused by such attacks ends as soon as the intruder stops the attack, or a security company steps in to help.

Data deletion attacks are more disruptive. When an attacker destroys data, he generally wipes material from the targeted hard drive. If no other copy of the data exists, the data is lost forever. If the affected system performs a crucial business function, that business function will be impaired until the computer is rebuilt or restored. For example, an intruder who attacks the computing controlling a magnetic resonance imaging machine or a robot stamping automobile parts would have effectively halted business.

In all three cases -- Saudi Aramco, RasGas, and South Korea -- the intrusions likely began the same way: spear phishing, followed by access, and finally follow-on activities. The attackers could easily have decided to spend days, weeks, or months spying on these companies. Had investigators discovered the intrusions and removed the attackers, some commentators would have claimed the attack was just another case of harmless espionage. After all, the intruders would have only been looking at data while roaming freely within the victims’ networks. The fact is, however, that in cyberspace, the power to steal is the power to destroy. Every instance of computer network exploitation is a potential case of computer network attack.

Addressing this problem requires taking several steps. First, policymakers should place the cavalier attitudes of the “only spying” crowd in proper context. True, some adversaries are likely to restrict their conduct to espionage and choose not to inflict damage -- but others will not be so kind. Second, organizations that find themselves targeted must recognize that intruders routinely penetrate their networks. Anyone operating a network should adopt a hunter’s mindset, conducting operations to root out intruders before they decide to steal or destroy data. Third, organizations should partner with peers, trusted and competent security providers, and government entities to exchange information about threats in standardized and machine-readable formats such as Mandiant’s OpenIOC format or MITRE’s Structured Threat Information Expression.

Once an organization is aware of the threat, it can call a company such as Mandiant to look for intruders and remove them when found. Mandiant uses a combination of tools and intelligence to assess evidence from networks, computers, and application logs to discover hidden threats and help victims restore their network to a trustworthy state.

Organizations win when they quickly identify intruders within their networks and remove them before the adversary accomplishes his mission -- whatever it is. We can no longer hide behind the fiction that intruder activity is tolerable because it is just espionage.
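The article's closing recommendation is to hunt for intruders and to exchange indicators in a machine-readable format such as OpenIOC. As an added example, not taken from the article or from Mandiant's own tooling, the Python below evaluates a constructed OpenIOC-style indicator (the nested AND/OR Indicator tree that format uses) against observations collected from a host. The namespace and element names follow the OpenIOC 1.0 layout as I understand it, only the "is" and "contains" conditions are implemented, and the hash, service name and registry path are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}   # OpenIOC 1.0 namespace

# Constructed indicator (hash, service name and path are placeholders): match if
# a known file hash is present, OR a named service exists AND a registry value
# points into a Temp directory.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="root">
      <IndicatorItem id="item-hash" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00112233445566778899aabbccddeeff</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="persistence">
        <IndicatorItem id="item-svc" condition="is">
          <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
          <Content type="string">ExampleSvc</Content>
        </IndicatorItem>
        <IndicatorItem id="item-reg" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Value" type="mir"/>
          <Content type="string">\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host observations keyed by the OpenIOC "search" term (a real
# collector would fill these from file, service and registry enumeration).
HOST_PERSISTENCE = {
    "FileItem/Md5sum": ["ffeeddccbbaa99887766554433221100"],
    "ServiceItem/name": ["Spooler", "ExampleSvc"],
    "RegistryItem/Value": [r"C:\Users\bob\AppData\Local\Temp\run.exe"],
}
HOST_SERVICE_ONLY = {            # the service alone does not satisfy the AND branch
    "ServiceItem/name": ["ExampleSvc"],
    "RegistryItem/Value": [r"C:\Windows\System32\svchost.exe"],
}


def _item_matches(item, observations):
    """Evaluate one IndicatorItem against observed values (case-insensitive)."""
    search = item.find("ioc:Context", NS).get("search")
    wanted = (item.find("ioc:Content", NS).text or "").strip().lower()
    observed = [v.lower() for v in observations.get(search, [])]
    cond = item.get("condition", "is")
    if cond == "is":
        return wanted in observed
    if cond == "contains":
        return any(wanted in v for v in observed)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(indicator, observations, hits):
    """Apply the AND/OR tree recursively; record ids of leaf items that matched."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]                    # strip the namespace
        if tag == "IndicatorItem":
            ok = _item_matches(child, observations)
            if ok:
                hits.append(child.get("id"))
            results.append(ok)
        elif tag == "Indicator":
            results.append(evaluate(child, observations, hits))
    if not results:               # an empty Indicator never matches
        return False
    op = indicator.get("operator", "OR").upper()
    return all(results) if op == "AND" else any(results)


def match_ioc(xml_text, observations):
    """Return (matched, matching leaf ids) for one IOC document and one host."""
    top = ET.fromstring(xml_text).find("ioc:definition/ioc:Indicator", NS)
    hits = []
    return evaluate(top, observations, hits), hits
```

The returned leaf ids tell a responder which observation tripped the indicator, which is what makes a shared IOC actionable rather than a bare verdict.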
