Of Night Dragons and Silver Bullets

By Marc Maiffret

Reading the headlines today one could not help but notice the latest
installment of “scary Chinese hacker press” making the rounds. And
who can blame the news media for latching on to this story, as it has all
the right ingredients: foreign governments targeting U.S. interests,
catchy nicknames like Night Dragon, connections to a previous scary
threat, “Operation Aurora”, and a timely announcement leading up to one of
the security industry’s biggest conferences in San Francisco next week,
RSA. Wait, what?

Some of you might be experiencing déjà vu when you read about this
latest series of Chinese attacks targeting U.S. Oil and Gas companies.
You may recall that it was in January of 2010 that news actually broke
about the FBI investigating extensive targeted attacks that took place
against Oil and Gas companies during the 2008 and 2009 timeframe. The
attacks described then are not much different than the attacks described
now. I will leave the debate to others on whether the attacks in 2008
and 2009 are different attacks or if some security companies are just
now getting around to shedding extra technical light on years old
attacks. Either way, the answer would be uninteresting, but I digress…

Night Dragon might remind you of another series of attacks, Operation
Aurora, which if you do not remember, was the series of attacks that
became public around this same time last year. In the case of Aurora, it
was a series of targeted attacks against a variety of organizations,
but most notably against Google. The thing that made Operation Aurora
unique was not the technical aspect of the attack itself, but Google
coming forward to talk openly about the breach they suffered.

In the case of Night Dragon, the attacks were of varying levels of
sophistication. In some cases public attack tools, which have been known
for many years, were used by the attackers behind Night Dragon. Over
five months ago, eEye research was monitoring conversations on an
Iranian message board which is hosted in the United Kingdom. On the
message board, hackers openly discuss the usage of one of the attack
tools that was used within Night Dragon.

This was, of course, not interesting because the attack tool is well known
and commonly used to attack systems throughout the world. Nor is it
interesting that the discussion was taking place on an Iranian message
board. Attacks happen all the time to many organizations and countries.
Today even the most straightforward attacks are considered sophisticated
when contrasted against the outdated approach organizations and
governments take to protect their systems. Not to mention that tracing
back the origin of an attack is far from an exact science, and it is one
that allows attackers to easily manipulate the attribution of who is
behind an attack.

Another example of how old and well known the components of Night Dragon
are is the malware that was being embedded on compromised systems.
Anti-virus companies have been detecting these malware components for
more than 5-6 months, and most of them had generic protection for these
classes of malware long before that. This is another stark contrast to
Operation Aurora, which even after Google went public was still lacking
detection by most anti-virus companies. More importantly, because so many
components within the Night Dragon attacks are publicly available and
known in hacking circles, it is even harder to say with any authority
which attacks were related and which were not. This is again very
different from the extremely targeted and customized nature of Operation
Aurora, or even more so Stuxnet.

There are, however, things that Operation Aurora and Night Dragon have in
common. Both of them made their big splash at the beginning of the year,
only weeks ahead of the security industry’s largest conference, RSA.
Both of them also, like most attacks covered in the news, were simply
more of the same: they did nothing to further our dialogue on what to do
about these attacks, but rather only served some security company’s
interests in product sales, and continued to have a crippling effect on
what policy the United States, and other countries, might enact to
combat a most clear and present danger.

You see it is not that Operation Aurora or Night Dragon are not
problems; they very much are. But they are simply the tip of a massive
iceberg which any modern country is quickly sailing into in a way that
makes the Titanic disaster seem minor. Given the political deadlock in
Washington at the moment, it is unlikely that we will see government
step forward to solve this problem for us and in a lot of ways they are
probably not the ones that should have to solve it.

The role of government should not be to have to do the job that
corporations should be doing themselves in trying to prevent the theft
of intellectual property, but rather to do as law enforcement and our
military have done since their inception: to identify criminals and
those who would threaten our freedom to prosper and either bring them to
justice or draw a line in the sand of what will no longer be tolerated
without facing retribution.

If China is the aggressor that it appears to be in cyberspace, then
it is time to elevate this conversation and debate to one of substantial
action, instead of wielding it as another weapon of fear for security
industry sales and budget increase requests.

As the security industry gathers in San Francisco for RSA next week,
let’s hope we can for once shift the conversation beyond the latest
scary threat and the new silver bullet technology to solve the problem.
We should engage in a serious conversation about what it will take at a
policy level to make lasting improvements that impact the future
security of our technology-ingrained way of life.

Marc Maiffret is the CTO and co-founder of eEye Digital Security.

Discussion

  • induboious on

    I can understand why they want to have a giant computer expo, inclusive of all types of software, hardware, computers, along with modeling concepts and new approaches to network security. But, what I don't understand is why they want to hold it in San Francisco. Of all places, isn't this the one place whose majority counsel, governor and mayor had a break-in from hackers who actually stole all their local keys and passwords for the whole town...?

    Maybe they need the extra security; nothing this way could elapse them; they would be set; set for a whole new methodology in securing frameworks and infrastructure. They are the St. Francis' you know. Their pestilence and ability to map out uncharted territories and create treaties based on a cartographical knowledge is beyond me...

    So, perhaps they could have a dual quality forming here with their exploration heritage and their new found in-optedness for computers. This could also be the time that the Franciscans reclaim their innateness and redeeming styles of communication and come along with new concepts that also arise in this regard for the technology world as well...

  • Anonymous on

    I tried to read the article, but I couldn't after the third run-on sentence.

  • Anonymous on

    Your criticisms are telling and accurate. I am not certain how you wish to solve the problem. I guess you're suggesting that a professional organization within the government be set up, something like the Fed, but staffed with security professionals instead of bankers, and having a long term perspective with minimal political interference?
