Cyber espionage is a relatively new type of intelligence gathering capability with various strategies, tactics and tools. Cyber espionage is defined as the intentional use of computers or digital communications activities in an effort to gain access to sensitive information about an adversary or competitor for the purpose of gaining an advantage or selling the sensitive information for monetary reward. This widely accepted definition was originally crafted by Spy-Ops in their cyber warfare analysis program back in 2004.
Cyber espionage burst onto the scene in the mid 90s and has grown at a steady pace alongside the adoption and use of the Internet by business, government and industry. Even though cyber espionage is relatively new, countries like China have already invested in building large and well-trained cyber-espionage forces. By the beginning of 2009, Spy-Ops estimates, about 140 countries and over 50 terrorist and criminal/extremist groups will be developing cyber weapons and espionage capabilities.
In conventional espionage you rely on deep-cover covert operatives to conduct espionage and gain intelligence. In cyber espionage you use computer systems and data coupled with conventional techniques to gain intelligence and sensitive information. Events like the ones at ClearanceJobs and Oak Ridge National Laboratory seem to indicate that the U.S. science and engineering community is being targeted. Let’s look at these two incidents a bit closer.
Incident #1 ClearanceJobs.com
ClearanceJobs.com is an online jobs board that specifically addresses the needs of individuals with security clearances and those who hire them. They only focus on active or current security clearances. As such, those who apply to job postings on the ClearanceJobs site are ready to work on sensitive/classified projects.
The jobs board sent out an e-mail to all those who registered at the Web site disclosing a security and systems breach. (This breach occurred one year ago.) The hackers did not obtain resume information; however, they did gain access to names, e-mails and contact information, according to the company.
The company currently has approximately 3,700 job postings that attract a significant number of candidates seeking a new position. To illustrate the sensitive nature of many of these posted opportunities, a search on Top Secret SCI returned 2,660 listings with that as a requirement. Top Secret is applied to information or materials whose unauthorized disclosure would be expected to cause exceptionally grave damage to the national security. SCI is the abbreviation for Sensitive Compartmented Information, the term given to a method for handling specific types of classified information that relates to national security topics or programs whose existence is not publicly acknowledged.
The cyber attack used a SQL injection to gain access to the information. This attack is thought to have originated in Russia.
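The column does not say how the ClearanceJobs query was built, so the following is an added example, not code from the site or from the author. It uses a constructed in-memory SQLite table of made-up candidate records to show the defect class behind a SQL injection breach (user input concatenated into a statement) next to the fix (parameter binding), which is the check a developer or reviewer should apply to every query that touches registrant data.

```python
import sqlite3

# Constructed sample data (not from the ClearanceJobs breach): a minimal
# candidate table of the kind a jobs board might hold.
SAMPLE_CANDIDATES = [
    ("alice", "alice@example.com", "555-0101"),
    ("bob", "bob@example.com", "555-0102"),
    ("carol", "carol@example.com", "555-0103"),
]


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?)", SAMPLE_CANDIDATES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: the caller's string becomes part of the SQL text,
    so a value containing a quote can change the WHERE clause itself."""
    sql = ("SELECT username, email, phone FROM candidates "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT username, email, phone FROM candidates WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare():
    """Run both lookups with a normal value and with a value containing a
    quote, returning the number of rows each call exposes."""
    conn = build_db()
    normal = "alice"
    quoted = "x' OR '1'='1"  # constructed input containing a single quote
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_quoted": len(lookup_vulnerable(conn, quoted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_quoted": len(lookup_safe(conn, quoted)),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {rows} row(s)")
```

The vulnerable lookup returns every registrant for the quoted input, which is exactly the outcome the breach notice describes (names and contact details disclosed in bulk), while the bound-parameter version returns nothing for it because no username literally equals that string. The same contrast holds for any database driver that supports placeholders; the point for defenders is that no input filtering is needed once every query binds its values.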
Incident #2 Oak Ridge National Laboratory
Oak Ridge National Laboratory (ORNL) is a multi-program science and technology laboratory operated by the U.S. Department of Energy. Scientists and engineers at ORNL conduct basic and applied research and development to create scientific knowledge and technological solutions that strengthen the nation's leadership in key areas of science; increase the availability of clean, abundant energy; restore and protect the environment; and contribute to national security.
A cyber attack targeted the lab by using phishing e-mails, which opened the door for hackers to glean the sensitive information of up to 12,000 visitors to the facility. This was just one part of a cyber battle plan that attempted to gain access to computer networks at numerous laboratories and other institutions across the country. A spokesperson for the lab publicly stated that it is possible the hackers may have gained access to a database of names, birth dates, and social security numbers of every lab visitor between 1990 and 2004. It is unknown how many of these individuals held security clearances and worked on classified programs. While ORNL's management doesn't believe that the attackers managed to get access to classified data on their system, there may be an ulterior motive for accessing this data.
It should be noted that Oak Ridge was just one of multiple national labs that were targeted by this coordinated phishing attack, thought to originate in China. Additional reports indicate that the 10 most prominent U.S. defense contractors, including Raytheon, Lockheed Martin, Boeing and Northrop Grumman, have been the victims of the same sort of cyber espionage.
Scenario-Based Intelligence Analysis (SBIA)
SBIA is a technique pioneered by Technolytics, Intelomics and Spy-Ops. It creates a framework that allows scenarios to be examined and attempts to answer the “so what does this mean” with respect to events under analysis. Using this technique we looked at both of these events. The following was the result.
Specified target: Information about persons who have access to sensitive or proprietary information.
So how can this information be used? Think about this scenario: The foreign intelligence service contacts these individuals using the information they obtained. Armed with that data, they present a great job opportunity to a specific individual and set up a bogus phone interview for the made-up position. The potential target is wooed by the position, salary, benefits or other enticements. During the upfront interview process, the individual becomes comfortable and less guarded when discussing the details of the work they are doing or have previously done. Answering these seemingly harmless questions about strategies, plans, programs, practices, people or even technologies can lead to derivative intelligence. Derivative Intelligence (DI) is synthesized out of the lower level data, facts, timelines and events that may be disclosed during a casual conversation or on a professional’s resume. The information collected using this technique could compromise national security by unintentionally disclosing classified programs, projects or systems.
One recruiting professional, who asked not to be identified, said this tactic has been and still is used in Silicon Valley where the competitive environment is extremely intense among technology companies. One interesting fact is that the Defense Security Services did not identify this method in their Technology Collection Trends 2005 report.
An Internet search turned up multiple resumes of individuals with Top Secret/SCI clearance that listed their home addresses and past and current projects for major defense contractors. One resume listed projects at Ft. Meade, home of the National Security Agency. While the information contained on the resume may or may not provide any useful intelligence, it at least creates a security risk for the individuals who provided their home address and a potential for recruitment by adversaries or worse.
Espionage is the act of obtaining non-public or secret information from rivals or enemies for military, political, or economic advantage. Espionage activities such as these are thought to be related to the theft of government secrets and are a real threat to national security. Covert operations and espionage are often precursor events to conventional or, in this case, cyber conflicts. You would want to believe individuals who have security clearance and work in sensitive areas would not be duped by common hacker practices. The reality is we are all susceptible to lapses in our security awareness. This is not just a problem for the security and defense industry. It can also be directed against corporations as well.
Currently, corporate espionage alone is estimated at costing companies over $1.5 trillion annually. A security strategy must include an ongoing effort to educate users and developers about these common exploits and to achieve a high level of awareness.
P. Cordaro a security training specialist at Spy-Ops said, “The dynamics of cyber warfare and system security are such that we all need a continuous update of our skills and knowledge.”
With nearly 6,500 cyber attacks being reported in the last minute, we cannot afford to let down our guard for one second.
Kevin G. Coleman, a consultant and advisor with Technolytics Institute, writes the Data Security column for TMCnet. To read more of Kevin’s articles, please visit his columnist page.
Edited by Michelle Robart