Cyber espionage is getting renewed attention as fresh evidence emerges of online break-ins at U.S. research labs and targeted phishing against corporations and government agencies here and abroad.
It's no wonder that research firm SANS Institute has ranked cyber espionage No. 3 on its “Top Ten Cyber Menaces for 2008,” just behind Web site attacks exploiting browser vulnerabilities and botnets such as the infamous Storm.
“Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals,” SANS Institute claims. “The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source.”
Alan Paller, director of research at SANS Institute, adds that people should be aware that an “extraordinary treasure chest of information has been stolen,” and “the same people doing the military espionage are engaged in economic espionage using the same or very similar techniques to steal information from organizations that are working on business ventures in the attackers' country.” He offered no estimate as to how much cyber espionage is costing organizations.
Many have seen some form of cyber espionage up close.
“Absolutely there's espionage,” says Michele Stewart, manager of data security at Orlando-based AirTran Airways.
Members of AirTran's executive management team were recently targeted by phishing e-mail that sought to trick them into divulging confidential corporate information as well as attempted to place bot malware on their computers, she says.
“The e-mail did get through our filter, but fortunately [our team] had the presence of mind to realize something strange was going on,” Stewart says. AirTran, which relies on Lancope network-behavior-analysis equipment to watch for anything outside the norm and conducts awareness training with employees, doesn't know who was targeting it, she says.
Separately, the U.S. Department of Energy's Oak Ridge National Laboratory (ORNL) last month acknowledged that about a dozen staff members fell for phony e-mail urging them to go to phishing sites or open attachments with malware.
Hackers not only infiltrated the ORNL network, accessing some nonclassified databases, but director Thom Mason told employees (via an e-mail message, ironically enough) it was all part of a “sophisticated cyber attack that now appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country.”
ORNL has officially declined to say more. But some security researchers close to the matter say investigations now point to China.
“I work with the FBI as president of the InfraGard Philadelphia chapter, and the FBI thinks IP addresses link this to China,” says Tom Bowers, senior security evangelist at Kaspersky Lab, referring to the FBI-industry collaboration called InfraGard. The FBI itself wouldn't comment on the matter.
In Great Britain, too, the threat of cyber espionage is being raised by the British Security Service MI5, which has warned hundreds of banks and legal firms there that they are under electronic espionage attack by Chinese state organizations — a claim angrily refuted by China, which says it's under attack itself by hackers.
Many security experts are quick to point out that tracing an attack to a server in a particular country provides little direct evidence of who is behind it, since attackers may simply be controlling the servers from almost anywhere in the world.
“The issue is not just who did it, it's that China is not actively trying to stop bad guys,” says Gartner analyst John Pescatore, who thinks government-funded cyber espionage is minimal in comparison to that carried out by criminals motivated to steal information for financial gain.
“Industrial espionage is not primarily for intellectual property; it's more for your customers' personal information,” he says. Salesforce.com, Pescatore notes, last month disclosed a data breach in which one of its salespeople got hit with malware on a PC that was able to harvest customers' e-mail.
“The clever thing when you go after a salesperson is that they have a lot of contact and personal information about people,” Pescatore says. “They e-mail to these people quite a bit.”
The goal in corporate espionage is not just to grab sensitive corporate data but corporate credit card information with large credit limits and usage patterns outside the country that might not be noticed, Pescatore says.
In the Salesforce.com incident, the company started to get reports from customers about suspicious e-mail with fake documents that looked like they were coming from legitimate Salesforce.com sources but were actually phishing attempts. The company told Pescatore it thinks the attack had been ongoing since June.
The possibility that online espionage might occur is a concern for those who outsource IT functions as well.
“One reason we use the back-up service we do is because the data is not identified by financial institution on their end,” says Joe Sinkovits, vice president of operations and compliance officer at Illinois-based Lisle Savings Bank. “There will always be a problem with espionage — it's always a real possibility.”
F-Secure, which makes antimalware software, says its customers are discovering troubling indications that their networks have been targeted.
“We have a tool called Blacklight that discovers rootkits which are used to hide other files,” says Patrik Runald, F-Secure's security response manager. “The rootkit intercepts communications between the security software and Windows. People using our tools all over the world, especially in manufacturing or defense, find these rootkits are opening up back doors and sending data to China. When we check in some of these cases, the rootkit has been there for months.”
Runald adds it doesn't mean the perpetrators are from China, simply that the communications are to China. In contrast, most of the “bulk malware” targeting consumers, such as bank Trojans, seems to be associated with Russia and Eastern Europe, he says.
In one example of targeted corporate espionage that F-Secure saw recently, one company's human resources director was the victim of an infected e-mail attachment falsely posing as a résumé document for a position posted on the company's Web site. “The H.R. person is the contact, and it was about tricking him,” Runald says.
Runald points out that the rise of social networking sites such as LinkedIn and Facebook is unfortunately giving attackers additional means to find out more about business relationships in order to exploit them for purposes of espionage.
The term “open source espionage” describes the process of gathering information through readily available posted information, says Nick Selby, director of the enterprise security practice at The 451 Group.
These days, that could be LinkedIn, Facebook, MySpace or scouring Google searches for corporate info mistakenly left exposed to the public, he points out. And it's known that some companies have put servers out on the Internet simply to try to sniff another company's unencrypted traffic.
Tim Mather, chief security strategist for RSA Conferences, says worries over online espionage may be overblown. But he does believe that open source intelligence gathering is big, with companies as diverse as Aegis Defence Services and Concentric Solutions International available for hire to scour every nook and cranny of the online world for desired information.
“These kinds of companies might be trolling chat sites, anywhere, to find out something,” says Mather. “It's a growth industry.”
How to defend yourself
To lower the risks associated with cyber espionage, steps such as deploying data-leak prevention products to watch what data leaves the organization, along with database-monitoring tools and appropriate access controls, may be a good idea. Selby suggests that classifying data as public or confidential is often desirable. But the main problem for corporations, he says, is that all too often they simply can't answer the question “Where is the data coming from? They just don't know.”

Some companies are taking an even more drastic approach.
Paul Kocher, president of Cryptography Research, which provides specialized security and product-design analysis to its business and government clientele, says his firm is so wary of cyber espionage that it maintains two separate networks.
“We run one for the Internet and e-mail, and another just for internal communications,” Kocher says. “Everyone has two computers under their desk. We buy twice as much software. It is inconvenient and it doubles our IT budget. We do this to protect our customers. We're a logical target.”
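The defensive advice in the section above boils down to watching what leaves the network: the rootkits Runald describes were noticed because they kept sending data out, and AirTran caught its incident by looking for traffic "outside the norm." The script below is an added illustration of that egress-monitoring idea, not code from the article or from any vendor product it names. The flow records, the per-host baseline, the list of known destinations and the thresholds are all constructed assumptions; a real deployment would take them from flow exports and an asset inventory.

```python
"""Toy egress-anomaly check over constructed outbound flow records.

Added illustration of "watch what data leaves the organization"; it is not the
article's code nor any vendor's. Every record, baseline and threshold below is
a constructed assumption chosen to make the three signals visible.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal host (constructed private address)
    dst: str        # external destination (constructed; 203.0.113.x is a documentation range)
    bytes_out: int  # bytes sent from src to dst
    hour: int       # hour of day (0-23) at which the flow ended


# Constructed sample: hosts .11 and .12 behave normally; host .13 pushes large
# volumes to an unlisted destination in the middle of the night, the kind of
# pattern the article attributes to long-resident rootkits.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "mail.example.test", 120_000, 9),
    Flow("10.0.0.11", "mail.example.test", 95_000, 14),
    Flow("10.0.0.12", "cdn.example.test", 40_000, 10),
    Flow("10.0.0.12", "mail.example.test", 60_000, 16),
    Flow("10.0.0.13", "mail.example.test", 30_000, 11),
    Flow("10.0.0.13", "203.0.113.7", 800_000, 2),
    Flow("10.0.0.13", "203.0.113.7", 750_000, 3),
]

# Constructed baseline: typical daily outbound bytes per host, as a real tool
# would learn from history rather than from a hand-written table.
BASELINE_BYTES = {"10.0.0.11": 250_000, "10.0.0.12": 120_000, "10.0.0.13": 50_000}

# Constructed list of destinations the organization expects to talk to.
KNOWN_DESTINATIONS = {"mail.example.test", "cdn.example.test"}

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00 to 19:59 local time


def summarize(flows):
    """Aggregate outbound bytes per host and per (host, destination) pair."""
    per_host = defaultdict(int)
    per_pair = defaultdict(int)
    for f in flows:
        per_host[f.src] += f.bytes_out
        per_pair[(f.src, f.dst)] += f.bytes_out
    return per_host, per_pair


def find_egress_anomalies(flows, baseline, known_dsts, volume_factor=3.0):
    """Return a list of (host, reason) findings, in discovery order.

    Three independent signals, any of which earns an analyst's look:
      1. total outbound volume more than volume_factor times the host baseline
      2. any traffic to a destination not on the known list
      3. off-hours transfers to an unknown destination
    """
    per_host, per_pair = summarize(flows)
    findings = []
    for host, total in per_host.items():
        base = baseline.get(host)
        if base is not None and total > volume_factor * base:
            findings.append((host, f"outbound volume {total} exceeds {volume_factor}x baseline {base}"))
    for (host, dst), total in per_pair.items():
        if dst not in known_dsts:
            findings.append((host, f"{total} bytes to unknown destination {dst}"))
    for f in flows:
        if f.dst not in known_dsts and f.hour not in BUSINESS_HOURS:
            findings.append((f.src, f"off-hours transfer to {f.dst} at hour {f.hour}"))
    # Drop exact duplicates while keeping order, so a host is not reported twice
    # for the same reason.
    seen, unique = set(), []
    for item in findings:
        if item not in seen:
            seen.add(item)
            unique.append(item)
    return unique


def flagged_hosts(flows=SAMPLE_FLOWS, baseline=BASELINE_BYTES, known=KNOWN_DESTINATIONS):
    """Sorted list of distinct hosts with at least one finding."""
    return sorted({host for host, _ in find_egress_anomalies(flows, baseline, known)})


if __name__ == "__main__":
    for host, reason in find_egress_anomalies(SAMPLE_FLOWS, BASELINE_BYTES, KNOWN_DESTINATIONS):
        print(host, "-", reason)
```

On the constructed sample only host 10.0.0.13 is flagged, once for volume, once for the unknown destination and once per off-hours transfer. The point of keeping the three signals separate is that each catches a different failure mode: a slow trickle to an unlisted host stays under the volume threshold but still trips the destination check, while a burst to a known mail server trips only the volume check and can be triaged as a probable false positive.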