Cyber-collection

Cyber-collection refers to the use of cyber-warfare techniques in order to conduct espionage. Cyber-collection activities typically rely on the insertion of malware into a targeted network or computer in order to scan for, collect and exfiltrate sensitive information.

Cyber-collection started as far back as 1996, when widespread deployment of Internet connectivity to government and corporate systems gained momentum. Since that time, there have been numerous cases of such activity.[1][2][3]

In addition to the state sponsored examples, cyber-collection has also been used by organized crime for identity and e-banking theft and by corporate spies. Operation High Roller used cyber-collection agents in order to collect PC and smart-phone information that was used to electronically raid bank accounts.[4] The Rocra, aka Red October, collection system is an "espionage for hire" operation by organized criminals who sell the collected information to the highest bidder.[5][6]

Platforms and Functionality

Cyber-collection tools have been developed by governments and private interests for nearly every computer and smart-phone operating system. Tools are known to exist for Microsoft, Apple, and Linux computers and for iPhone, Android, BlackBerry, and Windows phones.[7] Major manufacturers of commercial off-the-shelf (COTS) cyber-collection technology include Gamma Group from the UK[8] and Hacking Team from Italy.[9] Bespoke cyber-collection tool companies, many offering COTS packages of zero-day exploits, include Endgame, Inc. and Netragard of the United States and Vupen from France.[10] State intelligence agencies often have their own teams to develop cyber-collection tools, such as Stuxnet, but require a constant source of zero-day exploits in order to insert their tools into newly targeted systems. Specific technical details of these attack methods often sell for six-figure sums.[11]

Common functionality of cyber-collection systems includes:

Infiltration

There are several common ways to infect or access the target:

Cyber-collection agents are usually installed by payload delivery software constructed using zero-day attacks and delivered via infected USB drives, e-mail attachments or malicious web sites.[13][18] State-sponsored cyber-collection efforts have used official operating system certificates instead of relying on security vulnerabilities. In the Flame operation, Microsoft states that the Microsoft certificate used to impersonate a Windows Update was forged;[19] however, some experts believe that it may have been acquired through HUMINT efforts.[20]

Examples of Cyber-Collection Operations

References

  1. Pete Warren, State-sponsored cyber espionage projects now prevalent, say experts, The Guardian, August 30, 2012
  2. Nicole Perlroth, Elusive FinSpy Spyware Pops Up in 10 Countries, New York Times, August 13, 2012
  3. Kevin G. Coleman, Has Stuxnet, Duqu and Flame Ignited a Cyber Arms Race?, AOL Government, July 2, 2012
  4. Rachael King, Operation High Roller Targets Corporate Bank Accounts, June 26, 2012
  5. Frederic Lardinois, Eugene Kaspersky And Mikko Hypponen Talk Red October And The Future Of Cyber Warfare At DLD, TechCrunch, January 21, 2013
  6. Mark Prigg, The hunt for Red October: The astonishing hacking ring that has infiltrated over 1,000 high level government computers around the world, Daily Mail, January 16, 2013
  7. Vernon Silver, Spyware Matching FinFisher Can Take Over iPhones, Bloomberg, August 29, 2012
  8. FinFisher IT Intrusion
  9. Hacking Team, Remote Control System
  10. Mathew J. Schwartz, Weaponized Bugs: Time For Digital Arms Control, Information Week, 9 October 2012
  11. Ryan Gallagher, Cyberwar's Gray Market, Slate, 16 Jan 2013
  12. Daniele Milan, The Data Encryption Problem, Hacking Team
  13. Robert Lemos, Flame stashes secrets in USB drives, InfoWorld, June 13, 2012
  14. how to spy on a cell phone without having access
  15. Pascal Gloor, (Un)lawful Interception, SwiNOG #25, 07 November 2012
  16. Mathew J. Schwartz, Operation Red October Attackers Wielded Spear Phishing, Information Week, January 16, 2013
  17. FBI Records: The Vault, Surreptitious Entries, Federal Bureau of Investigation
  18. Anne Belle de Bruijn, Cybercriminelen doen poging tot spionage bij DSM, Elsevier, July 9, 2012
  19. Mike Lennon, Microsoft Certificate Was Used to Sign "Flame" Malware, June 4, 2012
  20. Paul Wagenseil, Flame Malware Uses Stolen Microsoft Digital Signature, NBC News, June 4, 2012
  21. "Red October" Diplomatic Cyber Attacks Investigation, Securelist, January 14, 2013
  22. Kaspersky Lab Identifies Operation Red October, Kaspersky Lab Press Release, January 14, 2013
  23. Dave Marcus & Ryan Cherstobitoff, Dissecting Operation High Roller, McAfee Labs

See also