TYPES OF HACKERS
Wikipedia’s hacker definition describes the hacker as a “highly skilled computer expert capable of breaking into computer systems and networks using bugs and exploits”. The hacker culture, on the other hand, is an idea derived from enthusiasm. The hacker is a tech-skilled individual who is on a constant lookout for ways of improving technology, by finding weak points or imperfections in software, hardware or methods and trying to offer improvement solutions for the flaws that he or she discovers. Hacker culture is also about communities organised in subcultures, using communication channels like chats or forums to exchange ideas and findings, or to discuss technical topics. Hackers are usually classified into three groups. However, in this article you will discover that there are hackers that cannot be classified into any of these three groups.
The “white hat” hackers are, above all, ethical individuals who use their tech skills to improve systems, software and methods for the sake of a safer data environment and a safer internet in general. They are in a constant fight with their “black hat” counterparts, the bad guys, who are usually on the “wrong” side of the law. On a world average, white hats are paid generously, they are not risking any punishment as their work is almost always consensual with the clients or employers that they are serving, and it is widely accepted that they are improving the internet and technology in general.
The “black hat” hackers, however, are negative characters, driven by financial gain or unethical principles, usually perceived as technological hitmen-for-hire. Their means are dangerous for the computer world not only because of their negative principles, but also because, by not disclosing their findings publicly or by disclosing them exclusively within the black hat community, the attacks they perform do not improve the cyber environment but rather open it even more to cyber attacks and other evil actions. Because the black hat hackers share the same “hacker” name with the ethical side of this culture, they are often referred to as “crackers” by the “white hat” hackers, whose intention is to be clearly separated from evil and unethical individuals in the public space. Referring to a “black hat” as a “hacker” will often get you an angry face, should any ethical hacker be in the room at the time.
Another classification of hackers, called “grey hats”, describes individuals that are neither good nor bad. They hack for fun or “troll”, but are also sometimes fighting on both sides of the law. They are a kind of cyberspace double agents that improve or destroy systems, software or methods, depending on factors like political and social principles or financial gain (for instance, “white hats” that are not paid well enough to always remain on the ethical side).
There is, however, a classification of hackers that most websites won’t tell you about, because the concept is fairly new and only started to get public attention a few years ago. The “state-backed” or “government-backed” hackers are individuals hired by the world’s governments to serve the interests of the “client”, usually performing dirty tasks that are often referred to by the tech community as “cyber espionage”. It is the author’s understanding, based on recent events, that state-sponsored hackers come from any of the three categories presented above, as the national security concept is usually placed, wrongly in my opinion, above a nation’s laws or regulations.
In 2009 the United States government initiated its cyber defence project, called USCYBERCOM. It is integrated into the US National Security Agency’s (NSA) infrastructure. It is also physically hosted in the same NSA compound in Fort Meade, Maryland, and, from the available public or declassified documents, we understand it shares the same NSA computer networks. In the tech community and world media it is perceived, however, as an offensive force, and there have been very few arguments stating otherwise over the years that it has been functioning.
According to the US Department of Defense, USCYBERCOM “plans, coordinates, integrates, synchronises and conducts activities to: direct the operations and defence of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” USCYBERCOM is sub-unified to the US Strategic Command unit, the same institution responsible for the strategic nuclear arsenal of the United States of America.
A 2008 NSA Top Secret classified document called the ‘NSA ANT Catalogue’, leaked by an anonymous source, gave the international community an insight into the offensive cyber technologies used by the NSA for spying on its opponents. It is not the scope of the present article to analyse the content of the ANT catalogue, but I am going to give two examples of correlated events that arose from the public leaking of such a document. They are the Huawei security breach and the first documented existence of the BadUSB concept, a USB protocol vulnerability that still spreads concern throughout the cybersecurity community.
The COTTONMOUTH codename describes a USB Hardware Host Tap family of electronic devices, concealed in a USB type A connector, a USB hub or a USB switch, depending on the COTTONMOUTH [1-2-3] model described in the NSA “toys” catalogue. The capabilities of the device are described as “a Universal Serial Bus (USB) hardware implant which will provide a wireless bridge into a target network, as well as the ability to load exploit software onto target PCs”. Following the public leak of the 2008-dated document, and obviously inspired by the NSA ANT COTTONMOUTH, security experts were able to replicate the vulnerability and some companies, like Hak5, started to commercialise their own versions of the NSA COTTONMOUTH. The most commonly known product was the Rubber Ducky, launched as a proof of concept in 2010. It is important to note that a product that the NSA was already using in 2007 (as the ANT catalogue suggests) became available to the public three years later, confirming the time gap between military and civilian access to new technologies.
Another controversial product present in the ANT catalogue, called HEADWATER, is presented as a Persistent Backdoor implant for Huawei routers. Huawei, a multi-industry Chinese brand founded by an ex-PLA (China People´s Liberation Army) officer, has imposed itself on the networking market as a world leader in industrial-grade networking. This attracted the attention of the NSA, probably because of the global reach Huawei products were starting to achieve, the presence of Huawei products in rival China’s data infrastructure, and also because of the possibility that backdoors intentionally implanted in Huawei products by the Chinese would have left the entire internet vulnerable to Chinese cyber espionage. HEADWATER, dated 2008 in the catalogue, comes suspiciously close after a presumed NSA hack of the Huawei company’s infrastructure. The operation was described in some leaked NSA documents and dated as far back as 2007, an operation confirmed by Edward Snowden, the famous NSA whistle-blower who defected in 2013 and who has had political asylum in Russia ever since. The fact that HEADWATER was produced a year after the NSA covert operations against Huawei’s infrastructure could mean that the HEADWATER backdoor is a product of white-box analysis by the NSA of stolen Huawei source code. Though this does not represent a guarantee of that fact, the time correlation of the events is at least curious, if not extremely suspicious.
The US, however, is not the only country which has militarised hacking. In February 2013, a cyber security company called Mandiant, which has since been acquired by FireEye (a world-leading cybersecurity company and a National Security Advisor of the US) for an amount in excess of $1 billion, released a report about APT1, a cyber espionage unit of the Chinese People’s Liberation Army, which led to criminal “convictions in absence” of 5 members of the PLA by a Grand Jury of the Western District of Pennsylvania. It made news globally at the time, being the first trial of this type in the US. The APT1 report is a masterpiece of the computer security industry, a very good example to follow for professionals all over the world.
Mandiant’s report is a collection of evidence about the existence of the APT1 PLA group, referred to by the official name of PLA Military Unit 61398. The title of the report, “APT1, Exposing One of China’s Cyber Espionage Units”, sparked the international fear that APT1 is not the only Chinese unit operating in the field. The Mandiant report, whose findings are spread over a three-year period, gives the international community a detailed insight into the covert cyberwar operations of China, the involvement of the PLA in these actions, the facilities, technology, skills and tools used by the APT1 group, and much more. Using RATs, social engineering and an extremely organised attack infrastructure, with resources that the Mandiant report describes as state project resources, APT1 was infiltrating data infrastructures and stealing sensitive data. They also obtained information that gave the Chinese government an advantage in commercial negotiations, or helped Chinese industry produce cheaper technology to compete against the hacked US entities. A world-leading company in steel manufacturing, US Steel, was allegedly breached by APT1 in 2011 and had APT1 persistently spying on its infrastructure for approximately 3 years, until the Mandiant report was published. Another aspect of the report that is worth mentioning is the impressive level of organisation of the APT1 operative cells worldwide and the purchase of high-speed fiber optic broadband and IPv4 ranges from China Telecom by the Chinese Army to support APT1. This is documented in the Mandiant report and backed by evidence like commercial invoices, pictures of facilities and structures, attack logs and others.
Not long ago, a system administrator was complaining on a forum that I was browsing that some assets that he was managing got hacked and were all “made a mess”. He was suspecting Russian hackers. A member of the forum replied to him, “It was anybody else, but the Russians”. Asked how he knew that, the guy replied “If it would be the Russians, this thread would not exist, because you would have never known you got hacked”. Even if the presence of Russian state-backed hackers is well known all over the world and a lot has been written on the subject by the international media, very few concrete facts are known about Russia’s cyberwarfare units, due to the high level of secrecy and the lack of public declarations on the subject.
This fact, to me, represents a great advantage in this line of work. In 2014, Sergey Shoigu, Russia’s Minister of Defense, announced a hacker recruitment program, backed by $500 million of state funds. Although the structure of the cyber warfare units has never been disclosed by Russia, it is believed that such entities are sub-unified under the GRU (Russian military intelligence) structure. Recent declarations about the DNC hack by US officials suggested that the involvement of the Russian leadership in such programs reaches as high as President Putin himself.
Russia’s APT groups use names like Fancy Bear and Cozy Bear, and their existence is officially denied by the Russian leaders. Even if their unethical actions are condemned by the security community, no expert dares to dispute the professional skills of Russia’s cyber hitmen. The truth is, they are perceived as the best hackers in the world. Their silent actions would pass unobserved if it wasn’t for the huge impact they have on the entities they are attacking and the results of their actions. The recent DNC hack is believed to have influenced the result of the American elections. This was huge, not only because of the power and influence that the US has in the world, but also because nobody else is known to have ever had such a high-level incursion into another state’s internal affairs. “An act of war”, as it was presented by leading Republican senators, the DNC hack was apparently performed using one of the oldest tricks in the book, phishing. But it is not the means that matter, it is the purpose, and should the allegations be confirmed (my personal knowledge is that they are not confirmed yet), Russian hackers fulfilled the mission on a scale that was unprecedented in the cybersecurity world.
Another notable example of a country that has deployed cyber units inside its military structures is Israel, whose presence in the cyberwarfare theatre was mentioned in the “Stuxnet” affair. In the documentary “0-days”, members of the US administration admitted a US-Israel joint cyber mission to infect and destroy Iranian critical nuclear infrastructure. Some public evidence exists that Israel is represented in the world’s cyberwarfare arena by the Special Unit 8200, run by an army general whose identity is considered a state secret, and whose facilities are based in Mountain Avital. The Urim SIGINT base is a compound belonging to Unit 8200, responsible for performing SIGINT operations (intelligence gathering and signals collection) for the Israeli government.
HOW DO THEY DO IT?
Even if technological advances offer new tools and methods every day, some of the biggest computer attacks in the world were performed using simple and already known techniques. However, there is a huge difference between hacking your local newspaper’s WordPress login and hacking a leading US party’s servers, or the NSA itself. So what makes state-backed hackers so dangerously efficient? There are multiple factors that could help.
A company in need of hackers would have a limited range of search, influenced by geographical factors, financial capabilities, and other limiting factors like the platforms where they advertise the job offer. A government, on the other hand, has full geographical reach, huge financial resources in comparison with a commercial entity, the capability of organising national recruitment programs, and activities to back them (security conferences, hacking competitions, educational events in schools and universities). Patriotism is also worth mentioning, as it is one of the main recruitment factors in most of the world’s armies. Another recruitment channel that is widely denied but practised by all the international governments is the conversion of convicted black hat hackers into state-backed ones by legal pardoning. Imagine a hacker that makes a mistake and gets caught and then, before getting convicted, receives an impossible-to-reject offer from an army general that visits him in detention: “Work for us and we forget everything you did, today”. If you think these are movie tales, read the following article, which clearly correlates official hacker pardoning with the expansion of USCYBERCOM.
Once a hacker is hired, the mission of the government agency is to help him or her achieve maximum efficiency in accomplishing the assigned tasks. There is a huge factor that, in my view, is crucial, and that is mixing intelligence operatives with computer security experts. An attack is much more efficient when performed from various angles and in both the physical and virtual space. A hacker that attacks an entity remotely is limited by the external defence measures of that entity, and there are organisations that are close to impossible to hack from outside, simply because the critical mainframes are not connected to the Internet. When a hacker fails to penetrate remotely, his job ends. But when a state-backed hacker fails to penetrate remotely, the intelligence agency that backs him has the resources and the capabilities to physically infiltrate the target organisation. An intelligence operative applies for a position that allows access to the target’s computer infrastructure and, helped by the resources offered by the intelligence service he works for, he gets hired. He then implants a remote control device inside the target network, opens the communication with the computer expert that operates from far away, and checkmate! For instance, the NSA compound in Maryland was never hacked the classical way, or at least there is no evidence that such a breach ever took place. However, look what Snowden’s actions caused at a global level. It is obviously easier to attack an entity from the inside than from the outside.
ARE WE REALLY HELPLESS?
So what can companies, organisations and governments do to protect themselves against state-backed hackers? Are we really powerless against such powerful and destructive virtual hitmen teams? Well, there is one thing we all have to remember. The supreme grey eminence hacker that can breach anything is no more than a legend. A company that respects the computer security principles, that checks the background of new employees, that trains and raises the awareness of its staff through materials and practical attack examples, that keeps its servers behind a lock, and that audits its security as often as possible, has a much lower chance of ever facing a serious breach. However, the grey eminence will always be on the lookout for new methods of getting in, and this attack-defense competition will always resemble a high-level chess game. So, in the future, keep your firewalls up, your trust level low, and prepare thoroughly for future cyber warfare. Don’t ever doubt that we are at war. We have been since the day that the first network was connected together.
- Hackers, from technological evolution pillars to governmental weapons - January 3, 2017