Microsoft Subnet An independent Microsoft community View more

Will Chinese hackers launch re-tread attacks into surveillance databases?

If Aurora attackers were looking for Google's surveillance database, will there be re-tread attacks?

At a press conference to announce the new Xbox, Xbox One—which is launching later this year—Microsoft promised that you will "have a relationship with your TV." Part of that relationship will include Skype, which is coming to Xbox One. Besides gaming, "the system also will allow users to watch live TV, make group video calls on the TV via Skype, and search the Web." Microsoft boasted, "This is the beginning of truly intelligent TV."

Do you want to Skype on your TV in your living room? Skype via Xbox voice commands would be great, but the end-to-end encryption debate is still raging as to the extent that Microsoft "reads" our Skype conversations and scans links. Instead of diving into all the hoopla about the new Xbox right now, something else caught my eye. 

Danger of re-tread cyberattacks
The Washington Post reported that unnamed current and former government officials said when Google announced that Chinese hackers breached the company's servers in 2010, Google did not publicly announce that those Aurora hackers also "gained access to a sensitive database with years' worth of information about U.S. surveillance targets."

The Washington Post wrote:

As Google was responding to the breach, its technicians made another startling discovery: its database with years' worth of information on surveillance orders had been hacked. The database included data on thousands of orders issued by judges around the country to law enforcement agents seeking to monitor suspects' emails.

The most sensitive orders, however, came from a federal court that approves surveillance on foreign targets such as spies, diplomats, suspected terrorists, and agents of other governments. Those orders, issued under the Foreign Intelligence Surveillance Act, are classified.

Last month, CIO published an interesting article in which Dave Aucsmith, senior director of Microsoft's Institute for Advanced Technology in Governments, claimed that the Chinese hackers behind 'Aurora' were actually "running counter-intelligence." According to Aucsmith and Microsoft's analysis of the attacks, "the hackers seeking to infiltrate its systems were apparently working under a motivation that had little if anything to do with the issues of human rights and repression widely associated with the Aurora operation."

"What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on," Aucsmith says. "So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that's difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That's essentially what we think they were trolling for, at least in our case."

Furthermore, Aucsmith said the attack on Microsoft appeared to be "a reconnaissance mission hackers were conducting to determine what type of surveillance U.S. authorities were conducting on undercover operatives through records obtained from the software giant via court orders."

Meanwhile the security firm Mandiant, whose extremely detailed report blew the lid off of Advanced Persistent Threats by Chinese Army-backed hackers, said those Chinese hackers are back in business after taking a three month break. The New York Times reported, "One day after Mandiant and the United States government revealed the P.L.A. unit as the culprit behind hundreds of attacks on agencies and companies, the unit began a haphazard cleanup operation. Attack tools were unplugged from victims' systems. Command and control servers went silent. And of the 3,000 technical indicators Mandiant identified in its initial report, only a sliver kept operating."

After CIO ran the article about Microsoft's Aucsmith, he wanted to clarify that he "was referring to statements in the media from the January 2010 timeframe." He wrote, "My comments were not meant to cite any specific Microsoft analysis or findings about motive or attacks, but I recognize that my language was imprecise. What I should have said was, 'According to what I've read concerning the so-called Aurora attack (e.g. this 2010 CNN article), industry investigators found that the point of entry was a backdoor access system created by Google in order to comply with government search warrants on user data'."

Just the same, after attackers have infiltrated a network once, they are familiar with the infrastructure; because they know their way around, they move much faster in re-tread attacks. Aucsmith had stated, "I believe it is fundamentally impossible to stop an attack for which you have never, ever conceived of. But I believe it may be in my power to find that first attack very quickly and then make everything else immune." And Mandiant has said, Unit 61398 is "now operating at 60-70% of the level they were working at before." Over the last couple months, they started "attacking the same victims from new servers and have reinserted many of the tools that enable them to seek out data without detection." So will the Aurora hackers again attempt gaining access to databases with names of targets under US surveillance?

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies