Of Night Dragons and Silver Bullets

By Marc Maiffret

Reading the headlines today one could not help but notice the latest
installment of “scary Chinese hacker press” making the headlines. And
who can blame the news media for latching on to this story as it has all
the right ingredients: foreign governments targeting U.S. interests,
catchy nicknames like Night Dragon, connections to a previous scary
threat “Operation Aurora” and a timely announcement leading up to one of
the security industry’s biggest conferences in San Francisco next week,
RSA. Wait, what?

Some of you might be experiencing déjà vu when you read about this
latest series of Chinese attacks targeting U.S. Oil and Gas companies.
You may recall that it was in January of 2010 that news actually broke
about the FBI investigating extensive targeted attacks that took place
against Oil and Gas companies during the 2008 and 2009 timeframe. The
attacks described then are not much different from the attacks described
now. I will leave the debate to others on whether the attacks in 2008
and 2009 are different attacks or if some security companies are just
now getting around to shedding extra technical light on years-old
attacks. Either way, the answer would be uninteresting, but I digress…

Night Dragon might remind you of another series of attacks, Operation
Aurora, which, if you do not remember, was the series of attacks that
became public around this same time last year. In the case of Aurora, it
was a series of targeted attacks against a variety of organizations,
but most notably against Google. The thing that made Operation Aurora
unique was not the technical aspect of the attack itself, but Google
coming forward to talk openly about the breach they suffered.

In the case of Night Dragon, the attacks were of varying levels of
sophistication. In some cases public attack tools, which have been known
for many years, were used by the attackers behind Night Dragon. Over
five months ago, eEye research was monitoring conversations on an
Iranian message board which is hosted in the United Kingdom. On the
message board, hackers openly discuss the usage of one of the attack
tools that was used within Night Dragon.

This was of course not interesting because the attack tool is well known
and commonly used to attack systems throughout the world. Nor is it
interesting that the discussion was taking place on an Iranian message
board. Attacks happen all the time to many organizations and countries.
Today even the most straightforward attacks are considered sophisticated
when contrasted against the outdated approach organizations and
governments take to protect their systems. Not to mention that tracing
back the origin of an attack is far from an exact science, and one that
allows attackers to easily manipulate the attribution of who is
behind an attack.

Another example of how old and well known the components of Night Dragon
are is the malware that was being embedded on compromised systems.
Anti-virus companies have been detecting these malware components for
more than 5-6 months, and most of them had been protecting generically
against these classes of malware long before that. This is another stark
contrast to Operation Aurora, which even after Google went public was
still lacking detection by most anti-virus companies. More importantly,
because so many components within the Night Dragon attacks are publicly
available and known in hacking circles, it is even harder to say with
any authority which attacks were related and which were not. This is
again very different from the extremely targeted and customized nature
of Operation Aurora, or even more so Stuxnet.

There are, however, things similar about Operation Aurora and Night
Dragon. Both of them made their big splash in the beginning of the year,
only weeks ahead of the security industry’s largest conference, RSA.
Both of them also, like most attacks covered in the news, were simply
more of the same: they did nothing to further our dialogue on what to do
about these attacks, but rather only served some security company’s
interests in product sales and continued to have a crippling effect on
what policy the United States, and other countries, might enact to
combat a most clear and present danger.

You see, it is not that Operation Aurora or Night Dragon are not
problems; they very much are. But they are simply the tip of a massive
iceberg which any modern country is quickly sailing into, in a way that
makes the Titanic disaster seem minor. Given the political deadlock in
Washington at the moment, it is unlikely that we will see government
step forward to solve this problem for us, and in a lot of ways they are
probably not the ones that should have to solve it.

The role of government should not be to have to do the job that
corporations should be doing themselves in trying to prevent the theft
of intellectual property, but rather to do as law enforcement and our
military have done since their inception: to identify criminals and
those who would threaten our freedom to prosper and either bring them to
justice or draw a line in the sand of what will no longer be tolerated
without facing retribution.

If China is the aggressor that it appears to be in cyberspace, then
it is time to elevate this conversation and debate to one of substantial
action, instead of wielding it as another weapon of fear for security
industry sales and budget increase requests.

As the security industry gathers in San Francisco for RSA next week,
let’s hope we can for once shift the conversation beyond the latest
scary threat and the new silver bullet technology to solve the problem.
We should engage in a serious conversation about what it will take at a
policy level to make lasting improvements that impact the future
security of our technology-ingrained way of life.

Marc Maiffret is the CTO and co-founder of eEye Digital Security.
