The Evolution of Cyber Espionage - Jessica Bourquin

Date post: 14-Apr-2018
  • 7/27/2019 The Evolution of Cyber Espionage - Jessica Bourquin

    1/32

    Jessica N. Bourquin

    The Evolution of Cyber Espionage:

    A Case for an Offensive U.S. Counterintelligence Strategy

    Jessica N. Bourquin

    Utica College

    CYB615 Professor J. Bardin

    October 14, 2011

    http://www.onlineuticacollege.com/programs/masters-cybersecurity.asp

    [email protected]


    EVOLUTION OF CYBER ESPIONAGE 2

    APA citation style

Abstract

The goal of this paper is to establish an argument for a proactive cyber counterintelligence strategy. By following the development of cyber-attacks as they evolve into global espionage by advanced persistent threats, the need for a change in counterintelligence strategy becomes evident. The cyber-attacks this report presents as case studies are Moonlight Maze, Byzantine Hades, Titan Rain, Operation Aurora, and Stuxnet. Analyzing this progression demands the development of a national cyber counterintelligence program that implements offensive strategy rather than exclusively defensive techniques.

While standard cyber defenses that block cyber intrusions are still necessary, this paper focuses on cyber-attacks that successfully infiltrate systems and, more specifically, tactical responses to advanced persistent threats. Standard procedures are, however, worth mentioning; please refer to the appendix for defensive recommendations. In addition, this paper will not detail the historical development of United States counterintelligence policy. It will instead focus on current policies and supporting case studies, as well as suggest strategies and actions. The foundational source for the recommendations contained in this report is Michelle Van Cleave's publication Counterintelligence and National Strategy (2007).

Key Words: cyber security, cyber espionage, advanced persistent threats, Moonlight Maze, Byzantine Hades, Titan Rain, Operation Aurora, Stuxnet, Coreflood, counterintelligence, offensive counterintelligence


Table of Contents

Abstract ........ 2
Introduction ........ 4
Background and Terminology ........ 5
    Current U.S. Cyber Policy ........ 5
    Espionage ........ 6
    Counterintelligence ........ 7
    Advanced Persistent Threats ........ 9
Case Studies ........ 11
    Moonlight Maze ........ 11
    Byzantine Hades ........ 13
    Titan Rain ........ 15
    Operation Aurora ........ 17
    Stuxnet ........ 20
    Risk Assessment ........ 21
Countermeasures: Offensive Tactics ........ 23
    The Coreflood Example ........ 23
    Corporate Offensive Actions: Naming and Shaming ........ 23
    National Offensive Counterintelligence Recommendations ........ 24
Conclusion ........ 26
Appendix ........ 27
References ........ 28


Introduction

Counterintelligence without an offensive strategy leads to engaging adversaries on home soil, which is severely disadvantageous. "In the military, you're taught that in a defensive position, you have a three-to-one advantage over an attacker," said Greg Conti, associate professor of computer science at West Point, "but in security, it's the opposite. The attacker has nearly a thousand-to-one advantage. We have to assume that a determined adversary can overcome the defender; it is just a matter of how long it will take" (Ahaman, 2011).

Historically, lawmakers have ignored counterintelligence at the national level, which prevented policy from passing into action. This led intelligence collection agencies to prioritize counterintelligence even lower, further diminishing its capabilities. Without collection against foreign adversaries, there will never be an effective counterintelligence strategy to oppose them (Van Cleave, 2007). Study after study has enumerated the shortcomings of U.S. counterintelligence, and yet very little has changed (Van Cleave, 2007). It is much simpler fiscally to reorganize and modify existing programs than to create new ones. Additionally, the preference of agencies that government officials tell them what to do and then leave them alone to do it is a long-standing impediment on the road to a cohesive offensive counterintelligence strategy (Van Cleave, 2007).

Authorities evaluate performance on a case-by-case level, tracking counterespionage accomplishments instead of integrating operations with the larger strategic mission (Van Cleave, 2007). This allows homeland security and counterterrorism efforts to dominate the national limelight, which convinces the American public and policymakers alike that other threats, such as cyber espionage, are incomparable in severity. Foreign intelligence threats have taken on roles secondary to those of, for instance, the current wars. Unfortunately, this may lead to a situation similar to the Cold War with Russia, in which the narrow focus of attention (World War II) rendered U.S. counterintelligence effectively blind to Russian capabilities (Van Cleave, 2007).

Recently, the United States government has made significant strides in developing cyber security, such as establishing Cyber Security Awareness Month and beginning construction of the nation's first Cyber Warfare Intelligence Center. The new wave of awareness provides the ideal opportunity to pursue the change from a primarily defensive to an effective offensive strategy.


Background and Terminology

Current U.S. Cyber Policy

In 2009, President Obama approved the Comprehensive National Cyber Security Initiative. This policy aimed "to establish a front line of defense against today's immediate threats," "to defend against the full spectrum of threats," and "to strengthen the future cyber security environment" (The Comprehensive National Cyber Security Initiative). In order to accomplish these goals, the report announced the following primary objectives (2009):

Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
Initiative #4. Coordinate and redirect research and development (R&D) efforts.
Initiative #5. Connect current cyber ops centers to enhance situational awareness.
Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
Initiative #7. Increase the security of our classified networks.
Initiative #8. Expand cyber education.
Initiative #9. Define and develop enduring leap-ahead technology, strategies, and programs.
Initiative #10. Define and develop enduring deterrence strategies and programs.
Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
Initiative #12. Define the Federal role for extending cyber security into critical infrastructure domains (2009).

While this proposal represents forward progress, only one of the 12 enumerated initiatives addresses counterintelligence. In initiative #6, the U.S. government explained the necessity of implementing a government-wide cyber counterintelligence plan in order to detect, deter, and mitigate evolving threats (The Comprehensive National Cyber Security Initiative, 2009). Although the specified methodologies of expanding education, awareness, and workforce development are helpful, changing tactics is critical.

Espionage

Espionage is the most efficient and cost-effective method of opposing the United States. Adversaries hold a distinct advantage in the cost-benefit ratio of espionage (Van Cleave, 2007). The U.S. government can spend billions of dollars on a technologically advanced weapons system, but the advantage is lost as soon as adversaries steal the data and designs for it. Today, the United States is a target of espionage for over 30 terrorist groups and the majority of the world's governments (Van Cleave, 2007). This vast array of adversaries often has similar motivations (Van Cleave, 2007):

Control the development of national security strategies, technology, and the economy by manipulating and misleading U.S. policymakers.
Preempt, influence, disrupt, terminate, or counter U.S. actions such as covert operations and diplomatic activities.
Advance economic and militaristic interests by pillaging critical U.S. technologies and intellectual property.
Defeat U.S. objectives by compromising national security secrets such as technology, plans, and operations.

Espionage can also target a variety of information. Economic espionage, for example, is the unlawful or clandestine targeting or acquisition of sensitive financial, trade, or economic policy information, proprietary economic information, or critical technologies (Bardin, 2011). This definition excludes information that is legally available, such as open source software. Industrial espionage involves foreign governments obtaining or helping a foreign company obtain commercial secrets illegally (Bardin, 2011). Property espionage occurs when foreign entities take information that is not publicly available, such as trade secrets and critical technologies (Bardin, 2011). Espionage can harm the capability to compete in the world marketplace, as well as weaken the economy and national security (Bardin, 2011). Cyber espionage applies to information stolen via the internet, networks, and individual computers.

Modern information technology and microelectronics advancements have drastically improved the efficiency of espionage (Van Cleave, 2007). In a few keystrokes, foreign agents can exfiltrate vast quantities of data without ever leaving their desk. Cyber espionage has become dauntingly sophisticated and extremely subtle. Attacks can go unnoticed for prolonged periods, and often leave little, if any, trace of their presence. In addition, determining who is behind intrusions is often very difficult if not impossible. For the purposes of limiting scope, this report will focus predominantly (but not exclusively) on Chinese cyber espionage. Van Cleave has enumerated several facts on Chinese espionage (2007):

China has remained one of the top intelligence threats for over 10 years because of its strategic capabilities, its intent to target the U.S., and its many opportunities.
China manages some of the most effective intelligence agencies in the world.
China has successfully acquired a plethora of sensitive information on U.S. technologies, including missile design and guidance technology, electromagnetic weapons research, design schematics on nuclear weapons, and space launch capabilities.
The Chinese use nontraditional intelligence methods, including an extensive network of informants who are not intelligence officers. This also grants them plausible deniability when cyber intrusions trace back to China, which is evident in cases like Titan Rain.

Their range of targeted information implies strategic foresight and the intent to modernize their country. China is leveraging asymmetric strategy by hijacking U.S. data to boost its military and economy, adhering to the most cost-effective method of opposing the United States. Unfortunately, the very nature of the economic relationship between the United States and China renders counteracting Chinese espionage extremely challenging.

Counterintelligence

Counterintelligence has several slightly different definitions, but the version applicable in this case is:

Information gathered and activities conducted to identify, assess, neutralize, and exploit the intelligence activities and capabilities of foreign powers, terrorist groups, and other foreign entities that harm U.S. national security at home and abroad. These foreign intelligence activities include espionage, technical collection, sabotage, influence operations, and manipulation of, or interference with U.S. defense and intelligence activities. (Van Cleave, 2007)

As implied by the definition, counterintelligence involves two core elements: information gathering and acting on that information. The target of counterintelligence is foreign intelligence; more specifically, only non-U.S. persons and exclusively intelligence-related information. This definition also identifies the process counterintelligence uses: identification, assessment, neutralization, and exploitation.

The first tasks in the counterintelligence process gather and assess information. Identifying and analyzing foreign intelligence activities directed against the United States and its interests requires detecting intelligence anomalies and seeing if they show a pattern (Van Cleave, 2007). For instance, anomalies like communications channels suddenly becoming inactive, or many reports containing uncharacteristically similar messages arriving, may be pieces of a larger puzzle (Van Cleave, 2007). Substantial financial reallocations can also signal pending attacks, specifically more costly and involved operations such as those of advanced persistent cyber threats. Additionally, knowledge of foreign intelligence operations can provide forewarning, allowing policymakers to reduce the likelihood or severity of impacts by engaging in threat mitigation early. Identification requires access to foreign intelligence, which necessarily means moving the fight from U.S. soil onto foreign soil.

The following tasks of the counterintelligence process form the primary feature distinguishing counterintelligence from traditional intelligence: operational functionality (specified in its very definition as "activities conducted"). Counterintelligence officers not only know information, but act on it (Van Cleave, 2007). This is where law enforcement enters the operation. Unfortunately, excessive integration of law enforcement and counterintelligence can become problematic. The motivations of foreign intelligence agencies differ from those of criminals, and it is usually more difficult to catch a foreign spy than a gang member. Additionally, in the cyber world, passive defenses such as firewalls simply cannot counter all threats. In contrast, exploitation, the quintessence of offensive counterintelligence, involves techniques like leveraging an adversary's own intelligence operations for U.S. benefit.

Counterintelligence tactics divide into four categories: passive defense, active defense, passive offense, and active offense (Gerber & Sims, 2009). Passive defense keeps opponents from valuable information by using tools like locks, vaults, and firewalls (Gerber & Sims, 2009). This does not fluidly mesh with counterintelligence, as in addition to defending a system, counterintelligence agents must ask such things as how, why, how long, and from whom, and then act on that information. Active defense aims to bait offensive measures from opponents using tools like wiretaps, moles, and honeypots (Gerber & Sims, 2009). Offensive counterintelligence, on the other hand, uses various techniques to render attacks harmless or manipulate adversaries into not attacking at all (Gerber & Sims, 2009). Passive offense involves camouflaging techniques, and requires an opponent to be reasonably good at intelligence collecting (Gerber & Sims, 2009). Finally, in active offensive counterintelligence, agents fool adversaries by directly feeding them false information and manipulating their interpretation of it (Gerber & Sims, 2009).

Counterintelligence itself is not a novel concept. Its prioritization in U.S. national security policy and the implementation of offensive tactics in the cyber realm, however, are. For more than ten years, select officials have pushed for the implementation of a unified, comprehensive offensive counterintelligence strategy, but the implementation has yet to reach completion, at least to the degree it requires for true success (Wanted: An Integrated Counterintelligence, 1995). Shortly after the turn of the century, United States policymakers began slowly to realize the need for a proper counterintelligence program. For a start, they designated a National Counterintelligence Executive (NCIX) to manage counterintelligence operations and resources. While taking these steps is certainly an improvement, many more changes need to occur in order for an offensive counterintelligence strategy to reach its full potential. If it is not implemented to its utmost capabilities, counterintelligence may remain unable to combat the evolving cyber threats.

Advanced Persistent Threats

In the world of cyber security, the distinguishable boundary between government and non-government targets has blurred. Now any information that can cause harm is at risk, and there is no end in sight. If an organization is vulnerable for any period, the probability of a compromise is high (Cole, 2010). The U.S. Air Force coined the term "advanced persistent threat" around 2006. Advanced persistent threats (APTs) use stealth and adaptation techniques to infiltrate computers and networks for months or even years. APTs differ from standard cyber threats in their level of sophistication and the dedication of their operators. Their methods are persistent, targeted, evasive, and complex. Instead of solely implementing new types of intrusion techniques, APT authors coordinate multiple methodologies. APT operators are disciplined, skilled, organized, and well-funded.


Advanced threats utilize the full spectrum of intrusion tools and techniques, often combining several intrusion tactics such as internet-based malware, external malware, external exploitation, and trusted connections (Advanced Persistent Threats, n.d.). Figure 1 below shows specific examples of methods and vectors attackers use.

Figure 1. Tools and techniques of advanced persistent threats (Advanced Persistent Threats, n.d.).

Persistent threats prioritize specific long-term goals over opportunistic financial gain, which requires dedication, external guidance, and continuous monitoring over a prolonged period (Advanced Persistent Threats, n.d.). They will adapt to security adjustments until they accomplish their objectives or until the cost of the operation grows too high (Ahamad, 2011).

Advanced persistent threats commonly have three attack phases (Advanced Persistent Threats and Other Advanced Attacks, 2011). The first involves reconnaissance, in which attack operators research vulnerabilities and select desired assets, as well as launch the attack (e.g. spear phishing) and infect the target system (Advanced Persistent Threats and Other Advanced Attacks, 2011). In the second attack phase, attackers control the APT from afar through command-and-control (C&C) servers, adapting as needed to gain access to sensitive data and avoid detection (Advanced Persistent Threats and Other Advanced Attacks, 2011). The third phase encompasses the extraction of data (Advanced Persistent Threats and Other Advanced Attacks, 2011). APT creators invest enormous effort into avoiding detection, so the network activity phase three creates may provide the only effective means of detecting these threats.


Case Studies

Conventional wisdom once assumed that although cyber-attacks could be potentially costly, they were usually composed of simple denial of service attacks and website graffiti. Now, according to McAfee, cyber intruders steal more than $1 trillion worth of intellectual property every year (Evans, 2010). Cyber espionage poses an extremely formidable threat because it is difficult to defend against and to attribute. Historically, espionage required going behind enemy lines to extract information manually. Now, adversaries need only to log onto the internet (Charkow, 2011). The following cyber-attacks are examples of espionage and theft of intellectual property, beginning with Moonlight Maze, transitioning through Byzantine Hades, Titan Rain, and Operation Aurora. This compilation ends with Stuxnet, the first worm to bridge advanced persistent threat intrusions into the physical world. This solidifies the fears implied by the other infiltrations.

Moonlight Maze

Moonlight Maze refers to a series of intrusions into Department of Defense computers that began in March 1998. The intruders freely marauded through tens of thousands of files for more than three years (Cyberwar, 2003). Moonlight Maze remained undetected until U.S. officials accidentally identified a pattern in the probing of computer systems at NASA, the Pentagon, and the Energy Department, as well as private universities and research labs (Cyberwar, 2003). Among the files accessed were troop configurations, maps of military installations, and military hardware designs (Cyberwar, 2003). In 2001, James Adams, chair of the security consultancy iDefense, deemed Moonlight Maze the largest sustained cyber-attack on the United States (Abreu).

Moonlight Maze used very sophisticated techniques. The penetrators took a plethora of information without a clearly distinguishable pattern, which required restraint, discipline, and training (Hamre, 2003). Its authors most likely came from an intelligence background, and had strong computer and security skills (Hamre, 2003). Masking their identity, the Moonlight Maze penetrators took advantage of the culture of openness in the scientific community. That is, rather than invading via the internet, Moonlight Maze leveraged the vast science and engineering cyber environment that has been continuously expanded within the scientific community for more than 10 years (Hamre, 2003). Specifically, the Department of Defense (DOD) operates large farms of supercomputers, which are openly available to laboratories and universities for research purposes (Hamre, 2003). Despite the implied unclassified status of information in this open realm, the attackers targeted sensitive data and specifically searched for secret information (Hamre, 2003). The compromised information waited in queue at a printer, which meant that it remained unencrypted and was not behind a firewall (Arquila, 2003).

Prior to the discovery of Moonlight Maze, the supercomputer centers did not continuously monitor traffic, because the concept of a threat arising within the cyber community that took advantage of open research was not even fathomed (Hamre, 2003). When stronger security procedures were established, the DOD discovered that their unknown opponents were adapting (Hamre, 2003). In other words, the adversaries were observing us while we were observing them, and continuously improving their methods in response to the DOD's actions (Hamre, 2003). Although this type of sophisticated attack is still a concern today, the volatile nature of cyberspace establishes its own defense. For example, it would be impractical for an intruder to plant bugs they plan on activating years later, because the software could easily change in the meantime, rendering the bugs impotent, or even deleted (Hamre, 2003).

The attack forced officials to broaden their views of cyber security. This intrusion proved that the United States was not only vulnerable to disruption, but also to exploitation from an adversary who could access protected information at will over a considerable length of time (Arquila, 2003). Moonlight Maze also highlighted the difficulties of attribution. While experts were able to trace it to Moscow, they could not confirm Russia as the originator of the attack. The perpetrators could easily have routed their traffic through a computer in Russia while working from any other location in the world.

While the Moonlight Maze intrusions aimed only to access secure information, the exploited vulnerabilities could have facilitated other outcomes with more severe consequences, such as vast system disruptions and attacks on power grids or SCADA systems. In this respect, Moonlight Maze was comparatively beneficial. The intrusion led to the discovery of new vulnerabilities.

Key Points:

Moonlight Maze began in March 1998 and lasted for over three years.
The United States is vulnerable to prolonged covert cyber-attacks, especially through spear phishing techniques.
As of 2001, it was the largest sustained cyber-attack on the United States (Abreu).
The attackers were sophisticated, disciplined, and adaptable.
Moonlight Maze demonstrated that even unclassified information in the Department of Defense is a target of cyber espionage.
Even supercomputer centers designed for open research should encrypt data and monitor traffic.

Byzantine Hades

Byzantine Hades, publicly acknowledged on April 14, 2011, represents a nearly decade-long series of attacks that use targeted social engineering and malicious email attachments to gain access to secure systems (McLean, Shane, & Tse, 2011). The intruders have accumulated terabytes of sensitive information,[1] from State Department usernames and passwords to designs for multi-billion dollar weapons systems (Grow & Hosenball, 2011). Byzantine Hades consisted of three parts: Byzantine Anchor, Byzantine Candor, and Byzantine Foothold (Grow & Hosenball, 2011). Beginning in late 2002, Byzantine Candor installed key-loggers and C&C utilities to facilitate illegal access to sensitive information (Lemos, 2011). According to the Air Force Office of Special Investigations, the authors of Byzantine Hades are headquartered in Shanghai and have ties with the People's Republic of China and the People's Liberation Army (McLean, Shane, & Tse, 2011).

Byzantine Hades is polymorphic; that is, it has the ability to change forms every time it runs (Grow & Hosenball, 2011). This allows it to avoid traditional detection methods and remain hidden deep within computer networks for extended periods. Additionally, the authors of Byzantine Hades tested it in advance to optimize its resistance to antivirus programs (Grow & Hosenball, 2011). The creators of Byzantine Hades may have also authored the Gh0stNet Remote Access Tool (RAT), which could capture keystrokes, take screen shots, install and change files, as well as record sound with a connected microphone and video with a connected webcam (Grow & Hosenball, 2011).

[1] To establish a comparison: one byte of data contains a single character, two kilobytes can contain the data for a typed page, 5 megabytes of data can contain the complete works of Shakespeare, and 20 gigabytes of data can contain a comprehensive audio collection of Beethoven's compositions (Huggins, 2011). One terabyte can hold the data for all X-ray films inside a large technological hospital, and 10 terabytes can store the entire printed collection in the U.S. Library of Congress (Huggins, 2011).

    Chinese intelligence organizations, military units, and affiliated hacker groups are known for combing the internet for details on potential targets for spear phishing attacks, looking for job descriptions, networks of associates, and even the way they sign their emails (Grow & Hosenball, 2011). Byzantine Candor used spoofed emails of trusted parties to infiltrate Department of Energy, Department of State, Department of Defense, and several other agency networks (McLean, Shane, & Tse, 2011). Byzantine Hades also targeted some French officials as well as German military, economic, scientific, technological, commercial, and research interests (Grow & Hosenball, 2011). These spear-phishing tactics tricked recipients into accidentally compromising their systems. Over a period of several years, the intruders exploited Windows vulnerabilities to gain access to private networks, and then used those compromised systems to attack other United States government networks (McLean, Shane, & Tse, 2011).

    Advanced persistent threats of this nature are frequently impossible to identify until they begin forwarding stolen information back towards their C&C servers (Grow & Hosenball, 2011). Security administrators can mitigate these threats by looking for these "phoning home" behaviors. In fact, contact with a C&C server led to the discovery of Byzantine Hades (Grow & Hosenball, 2011).
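    The "phoning home" check described above can be automated. The following is an added example (not from the paper, nor from any of the investigations it cites) that scans a constructed outbound proxy log for host pairs whose connections recur at near-constant intervals, the timing signature of a malware beacon. The log layout (timestamp, source, destination, bytes) and the thresholds are assumptions chosen for the demo; a real deployment would read its own proxy or NetFlow export.

```python
"""Flag hosts that 'phone home' on a regular schedule.

Added example, not from the paper or any cited investigation. The log
layout "<ISO timestamp> <src> <dst> <bytes_out>" and every line are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound proxy log. 10.0.0.5 contacts 203.0.113.7 every ten
# minutes (beacon-like); 10.0.0.9 talks to 198.51.100.2 in irregular,
# user-driven bursts.
SAMPLE_LOG = """\
2011-10-14T09:00:00 10.0.0.5 203.0.113.7 512
2011-10-14T09:10:01 10.0.0.5 203.0.113.7 520
2011-10-14T09:20:00 10.0.0.5 203.0.113.7 515
2011-10-14T09:29:59 10.0.0.5 203.0.113.7 518
2011-10-14T09:40:00 10.0.0.5 203.0.113.7 530
2011-10-14T09:50:01 10.0.0.5 203.0.113.7 512
2011-10-14T09:01:12 10.0.0.9 198.51.100.2 41000
2011-10-14T09:02:40 10.0.0.9 198.51.100.2 3000
2011-10-14T09:17:05 10.0.0.9 198.51.100.2 120000
2011-10-14T09:48:33 10.0.0.9 198.51.100.2 9000
2011-10-14T09:52:00 10.0.0.9 198.51.100.2 700
2011-10-14T09:55:10 10.0.0.9 198.51.100.2 2500
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(records, min_events=5, max_cv=0.1):
    """Return {(src, dst): (events, mean_interval_s, cv)} for regular check-ins.

    cv is the coefficient of variation of the gaps between connections:
    close to 0 means a fixed timer; user traffic scatters far above max_cv.
    """
    stamps = defaultdict(list)
    for ts, src, dst, _ in records:
        stamps[(src, dst)].append(ts)
    hits = {}
    for pair, times in stamps.items():
        if len(times) < min_events:
            continue  # too few observations to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (len(times), round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (n, period, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {n} connections, ~{period}s apart, jitter cv={cv}")
```

    The bursty host never trips the check because the spread of its connection gaps is far larger than their average, while the beaconing host's jitter is close to zero. Lowering min_events gives earlier detection at the cost of false positives from software updaters and monitoring agents, which also beacon on timers, so tune the thresholds and build an allow-list against a week of known-good traffic before alerting.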

    While the United States attempted to engage in talks with China regarding cyber espionage, China has a tendency to go rigid at the mention of such attacks (Grow & Hosenball, 2011). While China could certainly use theft of trade secrets and intellectual property to stimulate its own innovation and hence economic growth, the Chinese government claims that because of the significant U.S. debt, destabilizing the U.S. markets would benefit neither party (Grow & Hosenball, 2011). Rather, they seem more likely to perform clandestine cyber espionage operations that they will never publicly claim. United States efforts to stop the Byzantine Hades attacks are ongoing (Grow & Hosenball, 2011).

    Key Points:

    • Byzantine Hades has been performing cyber espionage for more than 10 years.
    • Computer users are still vulnerable to spear phishing techniques.
    • Network security administrators can mitigate advanced persistent threats by watching for contact with C&C servers.
    • China denies involvement in cyber espionage.

    Titan Rain

    Some government network analysts at various nuclear labs as well as at military and defense contractor facilities asserted that Titan Rain is among the most pervasive cyber espionage threats that U.S. computer networks have ever faced (Thornburgh, 2005). In addition to the frequently targeted government systems, Titan Rain aimed for destinations like automobile companies who make tanks, food suppliers who provide military rations, oil companies who supply fuel, and any companies with personal information on federal employees that can be exploited to identify undercover operatives (Winkler, 2005). While the many files Titan Rain has stolen are not technically classified, most contain sensitive information which, once compiled, creates a threat equivalent to that of stolen classified information. For example, Titan Rain accumulated a plethora of aerospace documents, including hundreds of detailed schematics on propulsion systems, solar paneling, and fuel tanks for NASA's Mars Reconnaissance Orbiter (Thornburgh, 2005). The Titan Rain cyber espionage team also obtained copies of Falconview 3.2, the flight-planning software used by the U.S. Army and Air Force, as well as specifications for the aviation-mission-planning system used in Army helicopters (Thornburgh, 2005).

    Titan Rain broke into Lockheed Martin's network in September 2003 and into Sandia National Laboratories' network several months later (Thornburgh, 2005). On November 1, 2004 alone, Titan Rain hit hundreds of computers at various agencies, including the U.S. Army Information Systems Engineering Command in Fort Huachuca, Arizona; the Defense Information Systems Agency in Arlington, Virginia; the Naval Oceans Systems Center in San Diego, California; and the U.S. Army Space and Strategic Defense center in Huntsville, Alabama (Thornburgh, 2005).

    Attributing a cyber-attack to its true source of origin is often impossible. Initially, although the attacks traced back to Chinese computers, there was not enough solid evidence that the attacks originated there (Winkler, 2005). However, while the argument that "the attacks could have originated anywhere and simply be bounced through Chinese computers" would usually defuse any strong accusations, FBI security analyst Shawn Carpenter was able to track the Titan Rain intruders (Winkler, 2005). In March 2004, Carpenter traced Titan Rain back to three specific routers in China (Thornburgh, 2005).

    The Titan Rain attacks usually lasted 10-30 minutes and predominantly targeted U.S. government and supporting systems with military and secret information of almost any variety (Winkler, 2005). Before entering the targeted system, a scanner program scanned for vulnerabilities (Thornburgh, 2005). Titan Rain commandeered a hidden section of a hard drive, zipped as many files as possible, and immediately transmitted them to way stations (South Korea, Hong Kong, or Taiwan) before forwarding them home to mainland China (Thornburgh, 2005). Carpenter established an alarm system that exemplified the frequency of Titan Rain's activity. When Carpenter discovered the routers Titan Rain originated from, he planted code that emailed his anonymous Yahoo! account every time the router picked up relevant activity (Thornburgh, 2005). Over the next two weeks, he received nearly 23,000 alerts (Thornburgh, 2005). Carpenter estimated that 6 to 10 people, most likely from Chinese intelligence agencies, continuously manage the Titan Rain invasions (Winkler, 2005). The Titan Rain team is fast, efficient, skilled, and determined.

    The cyber espionage ring took care to leave behind only a hidden beacon, which they could use to re-enter a computer system later (Thornburgh, 2005). There is significant concern that Titan Rain could be establishing a cyber path capable of shutting down or taking over a number of different U.S. military networks (Thornburgh, 2005). Titan Rain has also invaded computer systems in Britain, Canada, Australia, and New Zealand, which prompts similar concerns internationally (Thornburgh, 2005).

    Other concerns ride with the fact that the FBI may not have the ability to enter into a cyber engagement with China. Saddled with the regulations of law enforcement, they become unable to combat threats. For example, although both the counterterrorism and cyber-crime divisions of the FBI have been working to fight Titan Rain, they simply cannot hack into foreign systems like those that Carpenter did without authorization from high-level diplomatic and Department of Justice officials (Thornburgh, 2005). Additionally, because Carpenter discovered the origin of Titan Rain by illegally hacking into foreign computers, the U.S. government is not legally able to act on any of the information he accumulated (Thornburgh, 2005). Hence, despite the certainty of attribution proclaimed by network-security analysts like Carpenter, the U.S. government cannot make the same claims (Thornburgh, 2005). U.S. government officials, however, suggest that the level of organization implies state sponsorship (Thornburgh, 2005). In addition, the head of the FBI's counterintelligence unit, David Szady, suggested that "the Chinese are more aggressive than anyone else when it comes to advancing their military via stolen data" (Thornburgh, 2005). The FBI has a good record of convincing foreign governments to cooperate with catching most hackers, but China simply has not been cooperating with the U.S. when it comes to Titan Rain (Thornburgh, 2005). While the military would have more reactive flexibility than the FBI if they were heading the charge against Titan Rain, they could easily spark an international incident by taking reactive measures (Thornburgh, 2005).

    Key Points:

    • Titan Rain is among the most pervasive cyber espionage threats that U.S. computer networks have ever faced (Thornburgh, 2005).
    • Like Moonlight Maze, Titan Rain targets sensitive but unclassified data.
    • Computer users are still vulnerable to spear phishing techniques.
    • The Titan Rain attacks are fast and effective.
    • The Titan Rain intrusions leave behind hidden beacons through which the attackers can re-enter a system at will.
    • Titan Rain may be capable of shutting down or taking over U.S. military networks.
    • The FBI cannot continue Shawn Carpenter's investigation, because he hacked into foreign computers illegally.
    • China apparently knows the law enforcement limitations of the FBI, and still denies involvement in cyber espionage.

    Operation Aurora

    Operation Aurora, so named because of a file folder referenced in the code, marked the first time industrial companies experienced such a highly sophisticated set of attacks (Zetter, 2010). Using social engineering and spear phishing techniques, these attacks targeted intellectual property, user account information, and source code repositories from Google, Adobe, and many other high-profile corporations (Zetter, 2010). Operation Aurora utilized an unprecedented combination of advanced encryption, multiple pieces of malware, and stealth programming (Zetter, 2010). Aurora also opened a backdoor by exploiting a zero-day vulnerability in Microsoft Internet Explorer (Krutz, 2010).

    The attack began after an employee opened a spoofed email, presumably containing an infected Excel file, PDF document, or the URL to a malicious website, which activated the exploit. Internet Explorer then covertly downloaded several layers of nested, encrypted malware (Zetter, 2010). The malicious programs, previously unknown to antivirus systems, created a backdoor that established an encrypted, covert channel designed to look like an SSL connection (Zetter, 2010). The data initially passed to C&C servers in Illinois, then through Texas and Taiwan (Zetter, 2010).

    The attacks began at least as early as December 15, 2009, and continued until the implicated C&C servers shut down on January 4, 2010 (Zetter, 2010). The cause of the server shutdown is unknown. Google discovered the breach within their systems in mid-December, while Adobe discovered its intrusion on January 2 (Zetter, 2010). Both corporations publicly announced the breach on January 12, 2010. In all likelihood, Operation Aurora was purposefully launched around the holiday season, when most companies and response teams lacked substantial staffing (Zetter, 2010).

    Aurora proved that advanced persistent threats have entered the corporate battlefield, and that companies of all sectors are now lucrative targets (Krutz, 2010). Before Aurora, this level of sophistication only appeared in attacks on government networks. In addition, most attacks that targeted the commercial industry used common methods like SQL-injection attacks, focused only on obtaining financial data, and did not prioritize subtlety as highly (Zetter, 2010). McAfee Chief Technology Officer (CTO) George Kurtz calls Operation Aurora "the tip of the iceberg," and proclaims that threat models need to be adapted accordingly (2010). Companies must now focus on protecting all core intellectual property, private nonfinancial customer information, and anything else of intangible value (Krutz, 2010).

    Kurtz asserted that Chief Information Officers (CIOs) need to adapt to the new reality of these persistent threats (Evans, 2010). Cyber threats have evolved into very sophisticated, highly targeted tools designed to infect, conceal access, siphon data, or, even worse, modify data without detection (Krutz, 2010). Cyber-attacks have become so sophisticated that they leave behind almost no trace of their presence in a system. The major problem exemplified by this is convincing the Chief Executive Officer (CEO) and the CIO that there is an issue at all, let alone an urgent one. Discovering and combating cyber-attacks like Aurora is not as straightforward as forensically examining infected systems and finding correlations between activity and firewall logs (Krutz, 2010). "Don't expect [a sophisticated attacker] to drive a truck through your network and leave a calling card on the way out," Kurtz argued (Evans, 2010). Instead, expect "low and slow" movements of data that blend into the massive amount of traffic flow that happens on a daily basis on your network (Evans, 2010).

    According to most published articles, Aurora attacked more than 30 different corporations (Claburn, 2010). Joel Brenner, former counterintelligence chief for the Office of the Director of National Intelligence, asserts that Aurora targeted several thousand, not just over thirty, companies (Grow & Hosenball, 2011). Immediately following Google's announcement of the attack they traced back to China, Adobe also admitted being a target of a sophisticated, coordinated attack (Claburn, 2010). Other targeted companies include Juniper Networks, Symantec, Dow Chemical, Northrop Grumman, Yahoo, Intel, Morgan Stanley, and Rackspace Hosting (Claburn, 2010). Many companies were reluctant to join Google in its stand against the Aurora attacks because of the depth of their investments in China. Some corporations, like Microsoft, specifically distanced themselves in favor of Chinese business investments, calling Aurora "the Google problem" (Microsoft, HP fail to back Google's China move, 2010).

    While Google could most likely take the financial losses tied with halting Chinese services in stride, they did not retract their business ties there after Aurora, and probably will not any time soon. Specifically, China contributed less than 2% of Google's $21.8 billion annual revenue in 2009 (Garner, Levy, & Womack, 2010). In contrast, Chinese business accounted for 13% of the Intel Corporation's sales in 2008 and nearly 11% of revenue for Cisco Systems in a recent quarter (Garner, Levy, & Womack, 2010). However, the Chairman of the U.S.-China Economic and Security Review Commission, Dan Slane, insists the organizations that are reluctant to stand against Chinese cyber-attacks are simply missing the long-term picture (Garner, Levy, & Womack, 2010). Specifically, China's end goal is to extract as much technology out of American companies as they can, transfer that to their own companies, and, when they feel those companies have reached a level of technical maturity, show the American companies to the door (Garner, Levy, & Womack, 2010). Although the United States government formally requested an explanation of the incident from China, the response was vague and noncommittal. Jiang Yu, China's Foreign Ministry Spokesperson, declared that China's internet is open, and that China welcomes international Internet corporations to do business in China in line with law (Claburn, 2010).

    Key Points:

    • Computer users are still vulnerable to spear phishing techniques.
    • While present in the defense industry, the level of sophistication Aurora displayed had never before appeared within the commercial sector (Zetter, 2010).
    • Aurora proved companies of all sectors are now lucrative targets for advanced persistent threats.
    • Corporations must now protect a significantly wider array of information.
    • CEOs and CIOs need to understand the urgency of cyber-attacks, even when they leave almost no trace.
    • While Google declared willingness to take a financial stand against Chinese cyber espionage, none of the other 33+ companies followed suit.
    • Most corporations would rather hemorrhage intellectual property than sever business with China.
    • China still denies involvement in cyber espionage.

    Stuxnet

    The fears surrounding the hidden backdoors placed by cyber-attacks such as Byzantine Hades, Titan Rain, and Operation Aurora became reality with the release of Stuxnet. The computer worm of unconfirmed origin bridged the gap between the cyber and physical worlds. Stuxnet's level of sophistication surpassed even Operation Aurora. Construction of the worm required significant coding experience, thousands of working hours, substantial financial backing, and a knowledge base from a variety of disciplines (Gross, 2011). Although the outbreak began with infected USB sticks, Stuxnet spread by exploiting five Windows vulnerabilities, four of which were zero-days. Stuxnet, designed to actively target only specific models of programmable logic controllers (PLCs), infected hundreds of thousands of computers over a year before it was discovered, continually updating itself through a peer-to-peer system (News from the Lab, 2010). Unlike the aforementioned cyber-attacks, Stuxnet's programming includes a kill date, on which all rampant versions of the worm will delete themselves (Schneier, 2010).

    Stuxnet highlighted the United States' vulnerability to new types of cyber-attacks by demonstrating the riskiness of dependence on PLCs and SCADA systems. The Stuxnet worm attacked programmable logic controllers, or PLCs, as well as Supervisory Control and Data Acquisition (SCADA) systems. PLCs control electromechanical processes such as traffic lights and factory machinery. SCADA systems include the interface that controls PLCs, remote terminal units (RTUs) that send data from PLCs to supervisory systems, communication networks, a supervisory system that can monitor data and relay programmed instructions, and a human-machine interface (HMI) (Bailey & Wright, 2003).

    The most severe risk Stuxnet represents arises from the availability of its source code, which attackers can now customize for alternate purposes. Stuxnet could allow attackers to infiltrate vital infrastructure and monitor operations over a prolonged period in order to tailor the most effective strike possible.

    Key Points:

    • Stuxnet remained undiscovered in thousands of computers for over a year.
    • The Stuxnet attack bridged the gap between the cyber and physical worlds.
    • The computer worm was extremely sophisticated, which most likely required state sponsorship.
    • The Stuxnet code is reprogrammable for alternate purposes.

    Risk Assessment

    It is common sense that protecting an asset should cost less than the asset is worth. When it comes to the threats cyber-attacks have evolved into, the common forms of defense are not enough anymore. The cost of layering firewall upon firewall to combat a threat that can still infiltrate a network is simply illogical. Expecting a different result from doing the same thing repeatedly is Albert Einstein's definition of insanity (Greer, 2010). The Harvard National Security Journal published, "Analysts who measure the cost-effectiveness of defensive measures in cyberspace relative to the accelerating growth of new cyber-attack methods suggest that the defending side in cyberspace is already at a severe disadvantage and that the offensive-defensive gap is widening" (Greer, 2010).

    The Ryan-Nichols risk equation, shown below, is an effective tool for assessing risk. It accounts for vulnerabilities, potential severity of impacts, mitigating effects of countermeasures, and threats that require intent, opportunity, and capability.

    Risk = (Impact × Threats × Vulnerabilities) / Countermeasures

    • Vulnerability: Standard defensive computer security measures like firewalls and intrusion detection systems can reduce, but not eliminate, system vulnerabilities.
    • Impact: As evidenced by Stuxnet, the potential impact of cyber-attacks is exponentially increasing, and there is very little that can change that.
    • Threat: Commonly referred to as means, motive, and opportunity in the world of criminal justice, cyber security threats also require intent, opportunity, and capability (Cloppert, 2009).
        o Intent: The definition of advanced persistent threats specifies a high degree of dedication.
        o Opportunity: One example of a problematic opportunity is the continued susceptibility of computer users to fall victim to spear phishing techniques.
        o Capability: As evidenced by the above case studies, adversaries have demonstrated repeatedly that they are very capable of infiltrating systems.²
    • Countermeasures: Measures currently in place are obviously not effectively managing today's cyber threats. In other words, there is currently a very high risk associated with advanced persistent threats. If you cannot afford the cost of losing a game, change the rules.

    ² To establish a comparison, Al Qaeda uses computers to encrypt information, but they do not use them with the same level of sophistication that appeared in Moonlight Maze (Hamre, 2003). Al Qaeda has searched for information regarding the programming and control of SCADA systems, but this does not imply they have the capability of completing such sophisticated attacks (Hamre, 2003).


    Countermeasures: Offensive Tactics

    The Coreflood Example

    In the case of Coreflood, the FBI took unprecedented actions, which proved U.S. capability for successful active offensive operations. The international botnet infected more than 1.8 million computers in the United States alone (Bardin, 2011). Coreflood trespassed through computer systems of airports, hospitals, universities, financial institutions, state and local government agencies, defense contractors, and other various businesses (Zetter, 2011). One of the five command-and-control servers it relayed data to received nearly 190 gigabytes of user names, passwords, account numbers, and other sensitive information it had accumulated for over 10 years (Zetter, 2011). Stolen financial information facilitated more than $1.2 million in fraudulent wire transfers (Bourquin, 2011).

    The FBI set up substitute C&C servers that returned a stop command to every ping received from Coreflood. They also removed Coreflood remotely from any infected computer that granted authorization.³ The effectiveness of the FBI's offensive methods is indisputable. The number of pings the decoy C&C servers received from infected U.S. computers dropped almost 90% within a week of their inception (Zetter, 2011). This prevented Coreflood from updating itself long enough for anti-virus programs to update, effectively eliminating the botnet (Zetter, 2011). The specific techniques used in the Coreflood case are not applicable to most active cyber threats, but the success of this offensive operation merits further exploration.
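    The "90% within a week" figure above is the kind of number a sinkhole operator reads off the substitute server's own logs: count the distinct hosts still checking in each day and compare with day one. The following is an added example, not code from the paper or from the Coreflood takedown; the log lines are constructed and the "<date> <time> <ip> <command>" layout is an assumption for the demo.

```python
"""Track remediation progress from a sinkhole's check-in log.

Added example, not from the paper or the Coreflood case. The log format
"<date> <time> <src_ip> <command_sent>" and all entries are constructed.
"""
from collections import defaultdict

# Constructed sinkhole log: the same ten hosts check in on day 1 (five of
# them twice), five remain on day 4, and one host is still calling on day 8.
SINKHOLE_LOG = "\n".join(
    [f"2011-04-13 08:{i:02d}:00 192.0.2.{i} stop" for i in range(1, 11)]
    + [f"2011-04-13 09:{i:02d}:00 192.0.2.{i} stop" for i in range(1, 6)]
    + [f"2011-04-16 08:{i:02d}:00 192.0.2.{i} stop" for i in range(1, 6)]
    + ["2011-04-20 08:01:00 192.0.2.1 stop"]
)


def hosts_by_day(text):
    """Return {date: set of distinct source IPs that checked in that day}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        day, _, ip = parts[:3]
        seen[day].add(ip)
    return dict(seen)


def daily_counts(text):
    """Distinct check-in counts per day, ordered by date (ISO dates sort as text)."""
    return {day: len(ips) for day, ips in sorted(hosts_by_day(text).items())}


def percent_reduction(counts):
    """Percentage drop in distinct hosts from the first day observed to the last."""
    days = sorted(counts)
    first, last = counts[days[0]], counts[days[-1]]
    return round(100.0 * (first - last) / first, 1) if first else 0.0


def still_infected(text):
    """Hosts that checked in on the most recent day: the remediation follow-up list."""
    by_day = hosts_by_day(text)
    return sorted(by_day[max(by_day)])


if __name__ == "__main__":
    counts = daily_counts(SINKHOLE_LOG)
    for day, n in counts.items():
        print(f"{day}: {n} distinct hosts")
    print(f"reduction since first day: {percent_reduction(counts)}%")
    print("still checking in:", still_infected(SINKHOLE_LOG))
```

    Counting distinct hosts rather than raw pings matters: a host that retries its check-in every hour would otherwise inflate both the baseline and the apparent progress. The last function turns the same log into the list of machines that still need hands-on cleanup, which is what the case-by-case authorization described above would be sought for.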

    Naming and Shaming Techniques

    One possible course of offensive action uses naming and shaming techniques to convince foreign nations not to make the U.S. a target for cyber espionage. The concept of naming and shaming requires the following three conditions:

    • Enough companies and countries willing to complain vociferously and continuously;
    • A united front among companies and countries; and
    • A [foreign] leadership that is shame-able and willing and able to stop or at least slow the [intellectual property] theft (Segal, 2011).

    ³ In contrast, Microsoft, without the same case-by-case authorization, automatically deleted Coreflood from infected computers (Ragan, 2009).


    Google attempted this technique after discovering Operation Aurora by announcing that they had observed the intrusion and would not tolerate it. However, as evidenced by the aforementioned case studies, corporations and governments are usually reluctant to publicly acknowledge any intrusions, let alone make blatant accusations. The other companies targeted by Operation Aurora did not follow suit, and one even explicitly stated that Google was standing alone.⁴ This exemplifies that corporations show a distinct lack of unity, at least so far.

    Governments tend to be reluctant to point fingers at other nations, because it instigates diplomatic battles (Charkow, 2011). Christian Leuprecht, an associate professor of political science, declares that even when cyber espionage undeniably points to Chinese authorship, China puts the blame on a rogue group of hackers: "they're very careful to make sure it never gets traced back to intelligence or defense sources" (Charkow, 2011). Even so, Chinese espionage in the United States has become intolerably prevalent. Mike Rogers, Chairman of the Permanent Select Committee on Intelligence, publicly admonished Chinese cyber espionage, calling it "a massive and sustained intelligence effort by a government to blatantly steal commercial data and intellectual property" (Segal, 2011). While the naming and shaming technique has undeniable potential conceptually, there is not much evidence yet supporting its potential for success in the United States.

    National Offensive Counterintelligence Recommendations

    The following elements of and requirements for a successful offensive counterintelligence program are compilations from the publications of Burton Gerber, Jennifer Sims, and Michelle Van Cleave (2009; 2007):

    • Credible, substantiated threats with clearly defined possible consequences
        o The aforementioned case studies exemplify such threats.
    • A dynamic balance between national security and civil liberties
        o Adversaries are using American laws and constitutional values to their advantage: the FBI, solely responsible for intelligence operations within the United States, needs the support, data, and resources from other agencies. Creating a pragmatic and flexible national policy that can reasonably adjust to varying threat levels is the most effective means of balancing privacy and security domestically. U.S. counterintelligence must regain the advantage by moving the battle to foreign territory.
    • Clear leadership:
        o Revalidating and empowering the National Counterintelligence Executive (NCIX) allows them to publish national counterintelligence strategies, identify and prioritize intelligence threats, compile damage assessments, and manage counterintelligence budgets, programs, and strategic objectives. Program and budgeting authorities should also share a common mission and a common purse.
    • The development of a unified, comprehensive approach that accounts for domestic intelligence, counterintelligence, and oversight:
        o The CIA should launch counterintelligence operations outside of the United States that recruit foreign sources to implement denial, deception, and exploitation techniques. The CIA's new National Clandestine Service may be suited for this task, but must continually orient towards offensive strategies throughout development.
        o While interaction between operational intelligence agencies has increased dramatically since September 11, no amount of interagency cooperation will make them a cohesive, integrated unit. Instead of repeating the usual reshuffling of organizations and offices, establish a national counterintelligence strategic operations center.
        o More counterintelligence funding is required, but altering the counterintelligence business model from defense-oriented to offense-focused is fundamentally imperative. Proactive counterintelligence mandates a coordinated effort that transforms a case-driven system into a strategically oriented one.

    ⁴ Despite Aurora targeting over 30 companies, Microsoft labeled it "the Google problem."


    Conclusion

    After World War I, the French resolved to protect their German and Italian borders from invasion. Using textbook passive defensive techniques, they constructed the Maginot Line, an incredibly expensive, impenetrable wall of concrete layered with various weapons systems. In one sense, the wall worked: it successfully dissuaded a direct attack. However, the German forces were persistent, and willing to seek out additional vulnerabilities. They simply circumvented the wall, invaded France, and took over the country in a matter of weeks.

    Like France, the United States has been protecting its cyber borders with firewalls, and like France, the defense is not keeping enemies out. Specifically with the evolution of cyber-attacks into advanced persistent threats, it is often safer to assume that at some point attackers can compromise any and every network. No nation on Earth has managed to find an impervious defense, and yet the United States spends a massive amount of money perpetually trying to construct one.

    John Hamre, former deputy secretary of defense, asserted, "You do not do anything about cyber security until you experience a failure" (2003). Despite this, the United States continues to endure cyber-attacks without substantial alteration in strategy. If only a realization of the severity of shortcomings can prompt radical change, how much more severe must cyber-attacks become before policymakers transform cyber counterintelligence?


    Appendix

    Defense Recommendations:

    It is important to remember that while responses to advanced threats evolve, baseline defenses are still useful. In other words, instead of trading reactive for active security methods, the two types should stack. It only takes one employee to make a small mistake for an attack to be successful. Hence, corporations should continue the following:

    • Remove any unnecessary computer systems.
    • Keep firewalls, anti-malware software, servers, desktops, and applications updated with the latest security patches. This will close as many zero-day vulnerabilities as possible.
    • Continuously monitor intrusion detection and prevention systems.
    • Use system information and event monitoring software.
    • Establish internet, network, software, and hardware whitelists in secure areas.
    • Test system security via vulnerability management programs.
    • Continuously educate employees in effective security procedures, such as:
      o Do not open attachments using secure systems,
      o Do not access risky websites from work computers, and
      o Choose strong passwords that contain lower case and upper case letters as well as numbers and other characters.
    • Ban the use of personal electronic devices (PEDs) such as USB sticks, smart phones, and MP3 players within secure areas. While this policy is already in use at many Department of Defense agencies, corporations in the private sector could benefit from its implementation.
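As an added example (not from the paper) of how the whitelist and PED items above stack with event monitoring, the following Python checks constructed endpoint event lines against a per-zone allow-list and reports every violation; the log format, zone names and policy contents are assumptions.

```python
# Added example, not from the paper: one detection rule that enforces the
# Appendix's "whitelists in secure areas" and "ban PEDs in secure areas"
# items. The log format, zone names and policy contents are assumptions.
import re

# Assumed event format: "<ts> host=<h> zone=<z> event=<process|usb> value=<v>"
LINE_RE = re.compile(r"host=(\S+) zone=(\S+) event=(\S+) value=(\S+)")

# Constructed policy: the secure zone allows only listed programs and bans
# removable media outright; the office zone tolerates one approved device.
POLICY = {
    "secure": {"process": {"word.exe", "scada-hmi.exe"}, "usb": set()},
    "office": {"process": {"word.exe", "outlook.exe"},
               "usb": {"corp-encrypted-0001"}},
}


def parse_event(line):
    """Return (host, zone, event, value) or None for an unparseable line."""
    m = LINE_RE.search(line)
    return m.groups() if m else None


def check_events(lines, policy=POLICY):
    """Return (host, zone, event, value, reason) for every policy violation."""
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            # A malformed record is a monitoring gap, never an implicit allow.
            alerts.append(("?", "?", "?", line.strip(), "unparseable event"))
            continue
        host, zone, event, value = parsed
        zone_policy = policy.get(zone)
        if zone_policy is None:
            alerts.append((host, zone, event, value, "unknown zone"))
        elif event not in zone_policy:
            alerts.append((host, zone, event, value, "event type not whitelisted"))
        elif event == "usb" and not zone_policy["usb"]:
            alerts.append((host, zone, event, value, "removable media banned"))
        elif value not in zone_policy[event]:
            alerts.append((host, zone, event, value, "value not on allow-list"))
    return alerts


# Constructed sample events for stand-alone use: two pass, two raise alerts.
SAMPLE = [
    "2011-10-14T09:00 host=eng01 zone=secure event=process value=scada-hmi.exe",
    "2011-10-14T09:01 host=eng01 zone=secure event=usb value=corp-encrypted-0001",
    "2011-10-14T09:02 host=hr07 zone=office event=usb value=corp-encrypted-0001",
    "2011-10-14T09:03 host=hr07 zone=office event=process value=mp3sync.exe",
]
```

Note that an approved device in the office zone still alerts in the secure zone, which is the point of keeping the PED ban separate from the general allow-list.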


    References

    Abreu, E. (2001, May 9). Cyberattack Reveals Cracks in U.S. Defense. PCWorld. Retrieved from http://www.pcworld.com/article/49563/cyberattack_reveals_cracks_in_us_defense.html

    Advanced Persistent Threats. (n.d.). Damballa. Retrieved from http://www.damballa.com/knowledge/advanced-persistent-threats.php

    Advanced Persistent Threats and Other Advanced Attacks. (2011). Websense. [PDF Document].

    Ahamad, M. et al. (2011, October 11). Emerging Cyber Threats Report 2012. Georgia Tech Cyber Security Summit 2011. [PDF Document].

    Arquilla, J. (Interviewee). (2003, March 4). Cyberwar. [Interview transcript]. Retrieved from Frontline PBS web site: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html

    Bailey, D., & Wright, E. (2003). Practical SCADA for industry. Amsterdam: Elsevier.

    Bardin, J. (2011). Cyber Counterintelligence 615: Week 6 Chapter 9. Retrieved from Utica Angel website: https://utica.angellearning.com/section/default.asp?id=CYB-615-Z1-201180

    Bardin, J. (2011, June 1). Debate: The U.S. government was justified to take control of Coreflood bot servers. SC Magazine. Retrieved from http://www.scmagazineus.com/debate-the-us-government-was-justified-to-take-control-of-coreflood-bot-servers/article/202698/

    Bourquin, J. (2011, September 9). Security and Counterintelligence Implications of the FBI's Takedown of Coreflood. Utica College.

    Charkow, R. (2011, September 21). Cyber spying is the new face of espionage. CBC News. Retrieved from http://www.cbc.ca/news/canada/story/2011/09/20/f-cyber-espionage.html


    Claburn, T. (2010, January 15). Other Targets in Google Cyber Attack Surface. Information Week. Retrieved from http://www.informationweek.com/news/security/vulnerabilities/222301222

    Cole, E. (2010, June 21). Advanced Persistent Threat (APT). McAfee. Retrieved from http://blogs.mcafee.com/corporate/cto/advanced-persistent-threat-apt

    Cloppert, M. (2009, July 23). Security Intelligence: Introduction (pt 2). Blog. Retrieved from http://computer-forensics.sans.org/blog/2009/07/23/security-intelligence-introduction-pt-2

    The Comprehensive National Cyber Security Initiative. (2009). Executive Office of the President of the United States. [PDF Document].

    Cyberwar. (2003, April 24). PBS. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/

    Evans, B. (2010, January 27). Global CIO: After Google Cyber Attack, CIOs Must Find the Body. Information Week. Retrieved from http://www.informationweek.com/news/global-cio/security/222600001

    Garner, R., Levy, A., & Womack, B. (2010, January 15). Google Said to Have Tried to Get Support Over Attack. Bloomberg. Retrieved from http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aE5FWLzQMZGY

    Gerber, B., & Sims, J. (2009). Vaults, Mirrors, and Masks. Washington, D.C.: Georgetown Press.

    Greer, D. (2010, April 12). Advanced Persistent Threat. Network World. Retrieved from http://www.networkworld.com/news/tech/2010/041210-tech-update.html?page=1

    Gross, M. J. (2011, April). A Declaration of Cyber-War. Vanity Fair. Retrieved from http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104


    Grow, B., & Hosenball, M. (2011, April 14). Special report: In cyberspy vs. cyberspy, China has the edge. Reuters. Retrieved from http://www.reuters.com/article/2011/04/14/us-china-usa-cyberespionage-idUSTRE73D24220110414

    Hamre, J. (Interviewee). (2003, February 18). Cyberwar. [Interview transcript]. Retrieved from Frontline PBS web site: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/hamre.html

    Huggins, J. (2011, September 24). James S. Huggins' Refrigerator Door. JSH. Retrieved from http://www.jamesshuggins.com/h/tek1/how_big.htm

    Kurtz, G. (2010, January 13). Google Attack is the Tip of Iceberg. McAfee. Retrieved from http://siblog.mcafee.com/cto/google-attack-is-tip-of-iceberg/

    Kurtz, G. (2010, January 14). Operation Aurora Hit Google, Others. McAfee. Retrieved from http://blogs.mcafee.com/corporate/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others

    Kurtz, G. (2010, January 25). Where's the Body? McAfee. Retrieved from http://siblog.mcafee.com/cto/where%E2%80%99s-the-body/

    Lemos, R. (2011, April 21). Byzantine Hades shows China's cyber chops. CSO. Retrieved from http://www.csoonline.com/article/680203/-byzantine-hades-shows-china-s-cyber-chops

    McLean, A., Shane, S., & Tse, A. (2011, June 19). A Selection from the Cache of Diplomatic Dispatches. The New York Times. Retrieved from http://www.nytimes.com/interactive/2010/11/28/world/20101128-cables-viewer.html#report/china-08STATE116943


    Microsoft, HP fail to back Google's China move. (2010, January 15). China Daily. Retrieved from http://www.chinadaily.com.cn/china/2010-01/15/content_9329339.htm

    News from the Lab. (2010, November 3). F-Secure. Retrieved from http://www.f-secure.com/weblog/archives/00002066.html

    Ragan, S. (2011, April 18). Coreflood: Botnet takedown introduces a potentially risky precedent. The Tech Herald. Retrieved from http://www.thetechherald.com/article.php/201116/7073/Coreflood-Botnet-takedown-introduces-a-potentially-risky-precedent

    Schneier, B. (2010, October 7). Stuxnet. Schneier on Security. Retrieved from http://www.schneier.com/blog/archives/2010/10/stuxnet.html

    Segal, A. (2011, October 11). Giant Sucking Sound: China and IPR Theft. Council on Foreign Relations. Retrieved from http://blogs.cfr.org/asia/2011/10/11/giant-sucking-sound-china-and-ipr-theft/

    Thornburgh, N. (2005, August 25). Inside the Chinese Hack Attack. Time U.S. Retrieved from http://www.time.com/time/nation/article/0,8599,1098371,00.html

    Thornburgh, N. (2005, August 29). The Invasion of the Chinese Cyberspies. Time U.S. Retrieved from http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html

    Van Cleave, M. (2007, April). Counterintelligence and National Strategy. National Defense University. [PDF Document].

    Wanted: An Integrated Counterintelligence. (1995, September 18). Central Intelligence Agency. Retrieved from https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol7no3/html/v07i3a02p_0001.htm


    Winkler, I. (2005, October 20). Guard Against Titan Rain Hackers. ComputerWorld. Retrieved from http://www.computerworld.com/s/article/105585/Guard_against_Titan_Rain_hackers?taxonomyId=17&pageNumber=3

    Zetter, K. (2011, April 26). FBI vs. Coreflood Botnet: Round 1 Goes to the Feds. Wired. Retrieved from http://www.wired.com/threatlevel/2011/04/coreflood_results/

    Zetter, K. (2010, January 14). Google Hack Attack was Ultra Sophisticated, New Details Show. Wired. Retrieved from http://www.wired.com/threatlevel/2010/01/operation-aurora/

