Showing posts with label Computer security. Show all posts

Friday, March 04, 2011

Cyberwar just jumped from the rock-throwing level to the level of machine guns and barbed wire

What does cyberwar look like in the 21st century? Remember the anonymously-sourced denial of service attacks on Georgia's Internet infrastructure a few years ago, which accompanied the Russian military attack on that nation? Today that is as primitive as throwing rocks. Vanity Fair has an excellent article describing the Stuxnet worm attack on Iran's hidden nuclear program. Stuxnet is the most sophisticated piece of computer malware yet made public. It has a unique delivery system coupled with an extremely sophisticated attack payload, and it is far too large and complex to have been assembled by a single hacker or even a small independent team. The worm first came to public attention in July 2010. Here's what happened:
A self-replicating computer virus, called a worm, was making its way through thousands of computers around the world, searching for small gray plastic boxes called programmable-logic controllers—tiny computers about the size of a pack of crayons, which regulate the machinery in factories, power plants, and construction and engineering projects. These controllers, or P.L.C.’s, perform the critical scut work of modern life. They open and shut valves in water pipes, speed and slow the spinning of uranium centrifuges, mete out the dollop of cream in each Oreo cookie, and time the change of traffic lights from red to green.

Although controllers are ubiquitous, knowledge of them is so rare that many top government officials did not even know they existed until that week in July. Several major Western powers initially feared the worm might represent a generalized attack on all controllers. If the factories shut down, if the power plants went dark, how long could social order be maintained? Who would write a program that could potentially do such things? And why?

[...]

One month before that midnight summons—on June 17—Sergey Ulasen, the head of the Anti-Virus Kernel department of VirusBlokAda, a small information-technology security company in Minsk, Belarus, sat in his office reading an e-mail report: a client’s computer in Iran just would not stop rebooting. Ulasen got a copy of the virus that was causing the problem and passed it along to a colleague, Oleg Kupreev, who put it into a “debugger”—a software program that examines the code of other programs, including viruses. The men realized that the virus was infecting Microsoft’s Windows operating systems using a vulnerability that had never been detected before. A vulnerability that has not been detected before, and that a program’s creator does not know exists, is called a “zero day.” In the world of computer security, a Windows zero-day vulnerability signals that the author is a pro, and discovering one is a big event. Such flaws can be exploited for a variety of nefarious purposes, and they can sell on the black market for as much as $100,000.

The virus discovered by Ulasen was especially exotic, because it had a previously unknown way of spreading. Stick a flash drive with the virus into a laptop and it enters the machine surreptitiously, uploading two files: a rootkit dropper (which lets the virus do whatever it wants on the computer—as one hacker explains, “ ‘Root’ means you’re God”) and an injector for a payload of malicious code that was so heavily encrypted as to be, to Ulasen, inscrutable. The most unsettling thing about the virus was that its components hid themselves as soon as they got into the host. To do this, the virus used a digital signature, an encrypted string of bits that legitimate software programs carry to show that they come in peace. Digital signatures are like passports for software: proof of identity for programs crossing the border between one machine and the next. Viruses sometimes use forged digital signatures to get access to computers, like teenagers using fake IDs to get into bars. Security consultants have for several years expected malware writers to make the leap from forged signatures to genuine, stolen ones. This was the first time it was known to have actually happened, and it was a doozy of a job. With a signature somehow obtained from Realtek, one of the most trusted names in the business, the new virus Ulasen was looking at might as well have been carrying a cop’s badge.

[...]

Ulasen couldn’t figure that part out—what the payload was for. What he did understand was the basic injection system—how the virus propagated itself—which alone demanded an alert. Ulasen and Kupreev wrote up their findings, and on July 5, through a colleague in Germany, they sent a warning to the Microsoft Security Response Center, in Redmond, Washington. Microsoft first acknowledged the vulnerability the next day. Ulasen also wrote to Realtek, in Taiwan, to let them know about the stolen digital signature. Finally, on July 12, Ulasen posted a report on the malware to a security message board. Within 48 hours, Frank Boldewin, an independent security analyst in Muenster, Germany, had decrypted almost all of the virus’s payload and discovered what the target was: P.L.C.’s. Boldewin posted his findings to the same security message board, triggering the all-points bulletin among Western governments.

The next day, July 15, a tech reporter named Brian Krebs broke the news of the virus on his blog. The day after that, Microsoft, having analyzed the malware with the help of outside researchers, issued the first of several defenses against the virus. At this point it had been detected in only a few sites in Europe and the U.S. The largest number of infections by far—more than 15,000, and growing fast—was found in Asia, primarily in India, Indonesia, and, significantly, Iran.

[...]

Kaspersky [founder of the computer security company called Kaspersky] is a 1987 graduate of the Soviet Institute of Cryptography, Telecommunications and Computer Science, which had been set up as a joint project of the K.G.B. and the Russian Ministry of Defense.

[...]

Analysts at Kaspersky and Symantec quickly found that Stuxnet exploited not a single zero-day flaw but in fact four of them, which was unprecedented—one of the great technical blockbusters in malware history.

As the zero days piled up, Kaspersky says, he suspected that a government had written Stuxnet, because it would be so difficult and time-consuming for an outsider to find all these flaws without access to the Windows source code.

[...]

Stuxnet appears to be the product of a more sophisticated and expensive development process than any other piece of malware that has become publicly known. A Symantec strategist estimated that as many as 30 different people helped write it. Programmers’ coding styles are as distinctive as writers’ prose styles. One expert estimated that the worm’s development took at least six months. Once Stuxnet was released into the wild, other technicians would have maintained the command-and-control servers in Denmark and Malaysia to which Stuxnet phoned home to report its current locations and seek updates.

Most curious, there were two major variants of the worm. The earliest versions of it, which appear to have been released in the summer of 2009, were extremely sophisticated in some ways but fairly primitive in others, compared with the newer version, which seems to have first circulated in March 2010. A third variant, containing minor improvements, appeared in April. In Schouwenberg’s view, this may mean that the authors thought Stuxnet wasn’t moving fast enough, or had not hit its target, so they created a more aggressive delivery mechanism. The authors, he thinks, weighed the risk of discovery against the risk of a mission failure and chose the former.

[...]

Langner [His Hamburg-based company is a big name in the small world of industrial-control-systems security] had been reverse engineering the payload of Stuxnet throughout August, and he was the first analyst to announce that it contained two components that he called “warheads.” Langner had come to believe that Stuxnet was aimed at Iran’s nuclear program. Iran has been suspected of trying to build a nuclear bomb for several years, and in 2003 it failed to disclose details regarding uranium-enrichment centrifuges to inspectors from the International Atomic Energy Agency. Western governments have been trying to stop Iran’s nuclear program ever since, using diplomatic pressure, trade embargoes, and covert operations.

Stuxnet had initially grabbed the tech world’s attention as a hack of the Windows operating system—a virus that exploited an unknown vulnerability. This was like learning that someone had found his way into your house, and figuring out how they got inside. Next, Frank Boldewin had discovered what valuables the intruder was after—programmable-logic controllers. Specifically, the target was P.L.C.’s made by the German engineering conglomerate Siemens. Finally, Langner figured out the rudiments of what Stuxnet’s payload did—that is, how the intruder went about his work. When Stuxnet moves into a computer, it attempts to spread to every machine on that computer’s network and to find out whether any are running Siemens software. If the answer is no, Stuxnet becomes a useless, inert feature on the network. If the answer is yes, the worm checks to see whether the machine is connected to a P.L.C. or waits until it is. Then it fingerprints the P.L.C. and the physical components connected to the controller, looking for a particular kind of machinery. If Stuxnet finds the piece of machinery it is looking for, it checks to see if that component is operating under certain conditions. If it is, Stuxnet injects its own rogue code into the controller, to change the way the machinery works. And even as it sabotages its target system, it fools the machine’s digital safety system into reading as if everything were normal.

Industrial-control systems have been sabotaged before. But never have they been remotely programmed to be physically altered without someone’s fingers on a keyboard somewhere, pulling the virtual trigger. Stuxnet is like a self-directed stealth drone: the first known virus that, released into the wild, can seek out a specific target, sabotage it, and hide both its existence and its effects until after the damage is done. This is revolutionary. Langner’s technical analysis of the payload would elicit widespread admiration from his peers. Yet he also found himself inexorably drawn to speculation about the source of the malware, leading him to build a detailed theory about who had created it and where it was aimed.

[...]

There is a marked difference in design style between Stuxnet’s injector and its payload. Tom Parker, a Washington, D.C.- based security researcher, argues from this fact that two nations were involved in the worm’s creation, implying that a major Western power, such as the U.S., may have developed the sleek warheads and that another nation, such as Israel, was responsible for the injector program.
We have a unique attack delivery system that appears to have required knowledge of confidential Microsoft operating system code. The program is extremely complex, certainly too much so to have been the product of any single individual. In fact, it is so complex that it must have required a very elaborate team, and the differing styles of its segments rather clearly indicate not only that there were multiple teams but that they were probably from different nations. Finally, the payload that does the damage is written to exploit the characteristics of a very narrowly defined target, which is almost certainly the Iranian nuclear program.

There is a lot more in this very interesting article from Vanity Fair. The lengthy segment that lines up the development of Stuxnet against the published political events involving Iran and the rest of the world is alone worth the whole article. There will be a lot more to come out about Stuxnet. But what really matters is that cyberwar has stepped up to new levels, far above mere distributed denial of service. Stuxnet is a team-based (meaning national) approach to targeted malware, deliberately released onto the Internet, very probably in coordination with other military and diplomatic efforts to stop the Iranians from achieving a nuclear weapon. The future arrived back in the summer of 2009, and we are now well into unknown territory.

One more thing. The target, pretty clearly the weapons side of the Iranian nuclear program, is something the Iranians do not admit exists. So they cannot admit that it was effectively trashed by the Stuxnet worm. Nothing in the media on this subject can be taken at face value. It is part of the cyberwar and of the diplomatic and psychological warfare attacks and counterattacks that accompany it.

This Vanity Fair story is a report from the field about a very new form of combat. The technology of the worm itself is fascinating, but what is really important is that a whole new battlefield has now been opened up.

Finally, like the target of blackmail, the apparent target/victim remains silent because to do otherwise is to admit to committing a larger crime: building a nuclear weapon and lying to the world about it. So there is a lot left to this story.
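The stolen Realtek signature in the article above is worth pausing on, because it is the part of Stuxnet a defender can actually do something about. A genuine signature made with a stolen key is cryptographically perfect; nothing in the signature math distinguishes it from the vendor's own release. What catches it is the policy around the signature: a revocation list and a trust store that the loader consults before it trusts the signer. The example below is added here to make that point concrete; it is not code from Vanity Fair, from the blog, or from any of the researchers named, and it is a simplified model. It uses Ed25519 from the Go standard library instead of the Authenticode/X.509 machinery Windows drivers actually use, the vendor name "VendorCo", the driver names and contents are constructed, and `Policy`, `Assess` and the verdict names are hypothetical identifiers chosen for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher models a code-signing identity: a display name plus the public
// half of its signing key. The fingerprint is what a trust store or a
// revocation list keys on. (Illustrative model, not the real Authenticode PKI.)
type Publisher struct {
	Name string
	Pub  ed25519.PublicKey
}

func (p Publisher) Fingerprint() string {
	sum := sha256.Sum256(p.Pub)
	return hex.EncodeToString(sum[:])
}

// SignedArtifact is a binary (for example a driver) carrying the signer's
// public key and a detached signature over the binary's contents.
type SignedArtifact struct {
	Name    string
	Content []byte
	Signer  Publisher
	Sig     []byte
}

func Sign(name string, content []byte, signer Publisher, priv ed25519.PrivateKey) SignedArtifact {
	return SignedArtifact{Name: name, Content: content, Signer: signer, Sig: ed25519.Sign(priv, content)}
}

// Verify answers only the cryptographic question: was this signature made with
// the private key matching the embedded public key? A signature made with a
// stolen but genuine key passes this check; that is the whole problem.
func Verify(a SignedArtifact) bool {
	return ed25519.Verify(a.Signer.Pub, a.Content, a.Sig)
}

// Policy holds what a loader must know besides the math: which publisher
// fingerprints it trusts and which have been reported stolen or revoked.
type Policy struct {
	Trusted map[string]bool
	Revoked map[string]bool
}

type Verdict string

const (
	BadSignature    Verdict = "bad-signature"
	UntrustedSigner Verdict = "untrusted-signer"
	RevokedSigner   Verdict = "revoked-signer"
	TrustedSigner   Verdict = "trusted"
)

// Assess is the check a loader should run before trusting a signed binary:
// signature validity first, then revocation, then trust-store membership.
func Assess(a SignedArtifact, p Policy) Verdict {
	if !Verify(a) {
		return BadSignature
	}
	fp := a.Signer.Fingerprint()
	if p.Revoked[fp] {
		return RevokedSigner
	}
	if !p.Trusted[fp] {
		return UntrustedSigner
	}
	return TrustedSigner
}

// NewPublisher generates a fresh signing identity (hypothetical helper).
func NewPublisher(name string) (Publisher, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publisher{Name: name, Pub: pub}, priv
}

// Scenario reproduces the situation the article describes with constructed
// data: a hardware vendor's genuine key ("VendorCo", a made-up name) is stolen
// and used to sign a malicious driver. It returns the loader's verdict before
// and after the vendor's key reaches the revocation list, plus whether the
// signature itself verifies.
func Scenario() (before, after Verdict, cryptoValid bool) {
	vendor, vendorPriv := NewPublisher("VendorCo")
	policy := Policy{Trusted: map[string]bool{vendor.Fingerprint(): true}, Revoked: map[string]bool{}}

	// The attacker holds vendorPriv (stolen) and signs a rogue driver with it.
	rogue := Sign("rogue.sys", []byte("constructed: malicious driver image"), vendor, vendorPriv)

	cryptoValid = Verify(rogue)
	before = Assess(rogue, policy)

	// The vendor reports the theft and its fingerprint is revoked.
	policy.Revoked[vendor.Fingerprint()] = true
	after = Assess(rogue, policy)
	return before, after, cryptoValid
}

func main() {
	before, after, ok := Scenario()
	fmt.Println("signature verifies:", ok)    // true: the key is genuine
	fmt.Println("before revocation:", before) // trusted
	fmt.Println("after revocation:", after)   // revoked-signer
}
```

The order of checks in `Assess` is the practical lesson: a verifier that stops after `Verify` returns true will load the rogue driver with the vendor's good name attached, exactly as the quoted article describes. Only the revocation step changes the verdict, and it only helps if the loader actually fetches and honours revocation data, which is the operational gap a stolen certificate exploits.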

Monday, February 14, 2011

More on the hacker war in the Internet

Here is some more background on the Internet war being fought around WikiLeaks. This is an Internet story with good guys, bad guys and no end of confusion regarding who is which.

Aaron Barr of the security firm HBGary Federal has paid a high price for trying to expose the individuals behind Anonymous. So has HBGary Federal. I wrote last Friday about The secret cyberwar being carried on by government and businesses to destroy Wikileaks. Aaron Barr is the individual who named names behind Anonymous. This story shows what he was trying to do. The fact that he listed Glenn Greenwald as one of the Anonymous individuals certainly brings his methods and information into question.
Aaron Barr believed he had penetrated Anonymous. The loose hacker collective had been responsible for everything from anti-Scientology protests to pro-Wikileaks attacks on MasterCard and Visa, and the FBI was now after them. But matching their online identities to real-world names and locations proved daunting. Barr found a way to crack the code.

[...]

"At any given time there are probably no more than 20-40 people active, accept during hightened points of activity like Egypt and Tunisia where the numbers swell but mostly by trolls," he wrote in an internal e-mail. (All e-mails in this investigative report are provided verbatim, typos and all.) "Most of the people in the IRC channel are zombies to inflate the numbers."

The show was run by a couple of admins he identified as "Q," "Owen," and "CommanderX"—and Barr had used social media data and subterfuge to map those names to three real people, two in California and one in New York.

Near the end of January, Barr began publicizing his information, though without divulging the names of the Anonymous admins. When the Financial Times picked up the story and ran a piece on it on February 4, it wasn't long before Barr got what he wanted—contacts from the FBI, the Director of National Intelligence, and the US military. The FBI had been after Anonymous for some time, recently kicking in doors while executing 40 search warrants against group members.

[...]

When the liberal blog Daily Kos ran a story on Barr's work later that day, some Anonymous users commented on it. Barr sent out an e-mail to colleagues, and he was getting worked up: "They think all I know is their irc names!!!!! I know their real fing names. Karen [HBGary Federal's public relations head] I need u to help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested. This battle between us will help spur publicity anyway."

[...]

But within a day, Anonymous had managed to infiltrate HBGary Federal's website and take it down, replacing it with a pro-Anonymous message ("now the Anonymous hand is bitch-slapping you in the face.") Anonymous got into HBGary Federal's e-mail server, for which Barr was the admin, and compromised it, extracting over 40,000 e-mails and putting them up on The Pirate Bay, all after watching his communications for 30 hours, undetected. In an after-action IRC chat, Anonymous members bragged about how they had gone even further, deleting 1TB of HBGary backup data.

They even claimed to have wiped Barr's iPad remotely.

[...]

Were Barr's vaunted names even correct? Anonymous insisted repeatedly that they were not. As one admin put it in the IRC chat with Leavy, "Did you also know that aaron was peddling fake/wrong/false information leading to the potential arrest of innocent people?" The group then made that information public, claiming that it was all ridiculous.

Thanks to the leaked e-mails, we now have the full story of how Barr infiltrated Anonymous, used social media to compile his lists, and even resorted to attacks on the codebase of the Low Orbit Ion Cannon—and how others at his own company warned him about the pitfalls of his research.
This is a very modern story and it looks like it is not over yet.

Friday, February 11, 2011

The secret cyberwar being carried on by government and businesses to destroy Wikileaks.

I wasn't too sure what to make of the recent reports that WikiLeaks has a bunch of documents about a major American bank that will demonstrate its corrupt activities. Apparently Bank of America is quite certain that the threat is real and that it is the target. It seems that there is a cyberwar going on right now. Glenn Greenwald, the human rights lawyer and blogger, has written an interesting article at Salon that pulls together a lot of the story.
The story, first reported by The Tech Herald, has been written about in numerous places (see Marcy Wheeler, Forbes, The Huffington Post, BoingBoing, Matt Yglesias, Reason, Tech Dirt, and others), so I'll provide just the summary.

Last week, Aaron Barr, a top executive at computer security firm HB Gary, boasted to the Financial Times that his firm had infiltrated and begun to expose Anonymous, the group of pro-WikiLeaks hackers that had launched cyber attacks on companies terminating services to the whistleblowing site (such as Paypal, MasterCard, Visa, Amazon and others). In retaliation, Anonymous hacked into the email accounts of HB Gary, published 50,000 of their emails online, and also hacked Barr's Twitter and other online accounts.

Among the emails that were published was a report prepared by HB Gary -- in conjunction with several other top online security firms, including Palantir Technologies -- on how to destroy WikiLeaks. The emails indicated the report was part of a proposal to be submitted to Bank of America through its outside law firm, Hunton & Williams. News reports have indicated that WikiLeaks is planning to publish highly incriminating documents showing possible corruption and fraud at that bank, and The New York Times detailed last month how seriously top bank officials are taking that threat. The NYT article described that the bank's "counterespionage work" against WikiLeaks entailed constant briefings for top executives on the whistle-blower site, along with the hiring of "several top law firms" and Booz Allen (the long-time firm of former Bush DNI Adm. Michael McConnell and numerous other top intelligence and defense officials). The report prepared by these firms was designed to be part of the Bank of America's highly funded anti-WikiLeaks campaign.

The leaked report suggested numerous ways to destroy WikiLeaks, some of them likely illegal -- including planting fake documents with the group and then attacking them when published; "creat[ing] concern over the security" of the site; "cyber attacks against the infrastructure to get data on document submitters"; and a "media campaign to push the radical and reckless nature of wikileaks activities." Many of those proposals were also featured prongs of a secret 2008 Pentagon plan to destroy WikiLeaks.

One section of the leaked report focused on attacking WikiLeaks' supporters and it featured a discussion of me. A graph purporting to be an "organizational chart" identified several other targets, including former New York Times reporter Jennifer 8 Lee, Guardian reporter James Ball, and Manning supporter David House. The report claimed I was "critical" to WikiLeaks' public support after its website was removed by Amazon and that "it is this level of support that needs to be disrupted"; absurdly speculated that "without the support of people like Glenn, WikiLeaks would fold"; and darkly suggested that "these are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause." As The Tech Herald noted, "earlier drafts of the proposal and an email from Aaron Barr used the word 'attacked' over 'disrupted' when discussing the level of support."

Then there is this interesting report from Think Progress.
ThinkProgress has learned that a law firm representing the U.S. Chamber of Commerce, the big business trade association representing ExxonMobil, AIG, and other major international corporations, is working with a set of “private security” companies and lobbying firms to undermine their political opponents, including ThinkProgress, with a surreptitious sabotage campaign.

According to e-mails obtained by ThinkProgress, the Chamber hired the lobbying firm Hunton and Williams. Hunton And Williams’ attorney Richard Wyatt, who once represented Food Lion in its infamous lawsuit against ABC News, was hired by the Chamber in October of last year. To assist the Chamber, Wyatt and his associates, John Woods and Bob Quackenboss, solicited a set of private security firms — HB Gary Federal, Palantir, and Berico Technologies (collectively called Team Themis) — to develop tactics for damaging progressive groups and labor unions, in particular ThinkProgress, the labor coalition called Change to Win, the SEIU, US Chamber Watch, and StopTheChamber.com.

According to one document prepared by Team Themis, the campaign included an entrapment project. The proposal called for first creating a “false document, perhaps highlighting periodical financial information,” to give to a progressive group opposing the Chamber, and then to subsequently expose the document as a fake to undermine the credibility of the Chamber’s opponents. In addition, the group proposed creating a “fake insider persona” to “generate communications” with Change to Win.
Digby has weighed in with her take on the story. She focuses on Aaron Barr, an executive at the private security firm HB Gary, who obtained and published detailed information about political opponents' children, spouses, and personal lives. When Anonymous, in defending WikiLeaks, learned what he had done, they hacked into his accounts and published some 40,000 documents on his activities and on his family. After having done the same thing to others, Barr was very upset that someone might have named his family online.

This is stuff that is not going away. We are going to see more of organizations like banks, governments and criminal organizations going after other people on the Internet. Think not? Here is more from Glenn Greenwald:
...it turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work for both the U.S. Government and the nation's largest private corporations (as but one example, see this email from a Stanford computer science student about Palantir). Moreover, these kinds of smear campaigns are far from unusual; in other leaked HB Gary emails, ThinkProgress discovered that similar proposals were prepared for the Chamber of Commerce to attack progressive groups and other activists (including ThinkProgress). And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America's General Counsel by the Justice Department -- meaning the U.S. Government is aiding Bank of America in its defense against/attacks on WikiLeaks.

That's why this should be taken seriously, despite how ignorant, trite and laughably shallow is the specific leaked anti-WikiLeaks proposal. As creepy and odious as this is, there's nothing unusual about these kinds of smear campaigns. The only unusual aspect here is that we happened to learn about it this time because of Anonymous' hacking. That a similar scheme was quickly discovered by ThinkProgress demonstrates how common this behavior is. The very idea of trying to threaten the careers of journalists and activists to punish and deter their advocacy is self-evidently pernicious; that it's being so freely and casually proposed to groups as powerful as the Bank of America, the Chamber of Commerce, and the DOJ-recommended Hunton & Williams demonstrates how common this is. These highly experienced firms included such proposals because they assumed those deep-pocket organizations would approve and it would make their hiring more likely.

But the real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power. I've written many times about this issue -- the full-scale merger between public and private spheres -- because it's easily one of the most critical yet under-discussed political topics. Especially (though by no means only) in the worlds of the Surveillance and National Security State, the powers of the state have become largely privatized. There is very little separation between government power and corporate power. Those who wield the latter intrinsically wield the former. The revolving door between the highest levels of government and corporate offices rotates so fast and continuously that it has basically flown off its track and no longer provides even the minimal barrier it once did. It's not merely that corporate power is unrestrained; it's worse than that: corporations actively exploit the power of the state to further entrench and enhance their power.

That's what this anti-WikiLeaks campaign is generally: it's a concerted, unified effort between government and the most powerful entities in the private sector (Bank of America is the largest bank in the nation). The firms the Bank has hired (such as Booz Allen) are suffused with the highest level former defense and intelligence officials, while these other outside firms (including Hunton & Williams and Palantir) are extremely well-connected to the U.S. Government. The U.S. Government's obsession with destroying WikiLeaks has been well-documented. And because the U.S. Government is free to break the law without any constraints, oversight or accountability, so, too, are its "private partners" able to act lawlessly. That was the lesson of the Congressional vesting of full retroactive immunity on lawbreaking telecoms, of the refusal to prosecute any of the important Wall Street criminals who caused the 2008 financial crisis, and of the instinctive efforts of the political class to protect defrauding mortgage banks.

The exemption from the rule of law has been fully transferred from the highest level political elites to their counterparts in the private sector. "Law" is something used to restrain ordinary Americans and especially those who oppose this consortium of government and corporate power, but it manifestly does not apply to restrain these elites.