Cyber-collection refers to the use of cyber-warfare techniques in order to conduct espionage. Cyber-collection activities typically rely on the insertion of malware into a targeted network or computer in order to scan for, collect and exfiltrate sensitive information. Cyber-collection started as far back as 1996, when widespread deployment of Internet connectivity to government and corporate systems gained momentum. Since that time, there have been numerous cases of such activities. [Pete Warren, "State-sponsored cyber espionage projects now prevalent, say experts", The Guardian, August 30, 2012; Nicole Perlroth, "Elusive FinSpy Spyware Pops Up in 10 Countries", New York Times, August 13, 2012; Kevin G. Coleman, "Has Stuxnet, Duqu and Flame Ignited a Cyber Arms Race?", AOL Government, July 2, 2012]

In addition to the state-sponsored examples, cyber-collection has also been used by organized crime for identity and e-banking theft and by corporate spies. Operation High Roller used cyber-collection agents in order to collect PC and smartphone information that was used to electronically raid bank accounts. [Rachael King, "Operation High Roller Targets Corporate Bank Accounts", June 26, 2012] The Rocra, aka Red October, collection system is an "espionage for hire" operation by organized criminals who sell the collected information to the highest bidder. [Frederic Lardinois, "Eugene Kaspersky And Mikko Hypponen Talk Red October And The Future Of Cyber Warfare At DLD", TechCrunch, January 21, 2013]


Platforms and functionality

Cyber-collection tools have been developed by governments and private interests for nearly every computer and smartphone operating system. Tools are known to exist for Microsoft, Apple, and Linux computers and for iPhone, Android, Blackberry, and Windows phones. [Vernon Silver, Bloomberg, August 29, 2012] Major manufacturers of commercial off-the-shelf (COTS) cyber-collection technology include Gamma Group from the UK and Hacking Team from Italy. Bespoke cyber-collection tool companies, many offering COTS packages of zero-day exploits, include Endgame, Inc. and Netragard of the United States and Vupen from France. [Mathew J. Schwartz, "Weaponized Bugs: Time For Digital Arms Control", Information Week, 9 October 2012] State intelligence agencies often have their own teams to develop cyber-collection tools, such as Stuxnet, but require a constant source of zero-day exploits in order to insert their tools into newly targeted systems. Specific technical details of these attack methods often sell for six-figure sums. [Ryan Gallagher, "Cyberwar's Gray Market", Slate, 16 Jan 2013]
Common functionality of cyber-collection systems includes:

* Data scan: local and network storage are scanned to find and copy files of interest; these are often documents, spreadsheets, design files such as AutoCAD files and system files such as the passwd file.
* Capture location: GPS, WiFi, network information and other attached sensors are used to determine the location and movement of the infiltrated device.
* Bug: the device microphone can be activated in order to record audio. Likewise, audio streams intended for the local speakers can be intercepted at the device level and recorded.
* Hidden private networks that bypass the corporate network security. A computer that is being spied upon can be plugged into a legitimate corporate network that is heavily monitored for malware activity and at the same time belong to a private WiFi network outside the company network that is leaking confidential information off an employee's computer. A computer like this is easily set up by a double agent working in the IT department, who installs a second wireless card in the computer and special software to remotely monitor the employee's computer through this second interface card, without the employee being aware of the side-band communication channel pulling information off the machine.
* Camera: the device cameras can be activated in order to covertly capture images or video.
* Keylogger and mouse logger: the malware agent can capture each keystroke, mouse movement and click that the target user makes. Combined with screen grabs, this can be used to obtain passwords that are entered using a virtual on-screen keyboard.
* Screen grabber: the malware agent can take periodic screen capture images. In addition to showing sensitive information that may not be stored on the machine, such as e-banking balances and encrypted web mail, these can be used in combination with the key and mouse logger data to determine access credentials for other Internet resources.
* Encryption: collected data is usually encrypted at the time of capture and may be transmitted live or stored for later exfiltration. Likewise, it is common practice for each specific operation to use operation-specific encryption and polymorphic capabilities of the cyber-collection agent, so that detection in one location will not compromise others.
* Bypass encryption: because the malware agent operates on the target system with all the access and rights of the target's user account or of the system administrator, encryption is bypassed. For example, interception of audio at the microphone and audio output devices enables the malware to capture both sides of an encrypted Skype call. [Daniele Milan, "The Data Encryption Problem", Hacking Team]
* Exfiltration: cyber-collection agents usually exfiltrate the captured data in a discreet manner, often waiting for periods of high web traffic and disguising the transmission as secure web browsing. USB flash drives have been used to exfiltrate information from air-gap-protected systems. Exfiltration systems often involve the use of reverse proxy systems that anonymize the receiver of the data. [Robert Lemos, "Flame stashes secrets in USB drives", InfoWorld, June 13, 2012]
* Replicate: agents may replicate themselves onto other media or systems; for example, an agent may infect files on a writable network share or install itself onto USB drives in order to infect computers protected by an air gap or otherwise not on the same network.
* Manipulate files and file maintenance: malware can be used to erase traces of itself from log files. It can also download and install modules or updates as well as data files. This function may also be used to place "evidence" on the target system, e.g. to insert child pornography onto the computer of a politician or to manipulate votes on an electronic vote-counting machine.
* Combination rules: some agents are very complex and are able to combine the above features in order to provide very targeted intelligence collection capabilities. For example, GPS bounding boxes and microphone activity can be combined to turn a smartphone into a "smart bug" that intercepts conversations only within the office of a target.
* Compromised cellphones: since modern cellphones are increasingly similar to general-purpose computers, they are vulnerable to the same cyber-collection attacks as computer systems and can leak extremely sensitive conversational and location information to an attacker. Leaking of cellphone GPS location and conversational information to an attacker has been reported in a number of recent cyberstalking cases where the attacker was able to use the victim's GPS location to call nearby businesses and police authorities to make false allegations against the victim depending on his location; this can range from telling restaurant staff information with which to tease the victim to making false witness against the victim. For instance, if the victim were parked in a large parking lot, the attacker may call and state that they saw drug or violent activity going on, with a description of the victim and directions to their GPS location.
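The exfiltration entry above describes agents that hide their uploads inside what looks like ordinary secure web browsing, ideally during busy periods. One check a defender can run over proxy or flow logs is byte direction per client/destination pair: browsing is download-heavy, so a sustained upload-heavy HTTPS flow to a host that is not a known file-sharing or backup service stands out regardless of how busy the link is. The following Python is an added example written for this page, not code from the article or from any product it names; the log layout, host names and byte counts are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag HTTPS sessions whose byte profile looks like bulk upload rather than browsing.

Added example, not from the original article. It assumes a proxy/flow log with the
constructed tab-separated layout: timestamp, client, destination host, bytes sent
by the client, bytes received by the client.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines (tab-separated): ts, client, dest_host, bytes_out, bytes_in
SAMPLE_LOG = """\
2024-05-01T09:01:12Z\t10.0.0.15\twww.example-news.test\t1800\t240000
2024-05-01T09:01:40Z\t10.0.0.15\tcdn.example-news.test\t900\t1500000
2024-05-01T09:02:05Z\t10.0.0.15\tupdate.vendor.test\t2200\t52000000
2024-05-01T09:03:30Z\t10.0.0.15\tsync.c2-lookalike.test\t6100000\t4200
2024-05-01T09:04:10Z\t10.0.0.15\tsync.c2-lookalike.test\t5900000\t3900
2024-05-01T09:05:00Z\t10.0.0.22\tmail.corp.test\t48000\t120000
2024-05-01T09:06:45Z\t10.0.0.22\tdrive.collab.test\t9800000\t12000
"""

Row = Tuple[str, str, str, int, int]


def parse_log(text: str) -> List[Row]:
    """Parse the constructed log format into (ts, client, host, bytes_out, bytes_in) rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, out_b, in_b = line.split("\t")
        rows.append((ts, client, host, int(out_b), int(in_b)))
    return rows


def aggregate(rows: List[Row]) -> Dict[Tuple[str, str], List[int]]:
    """Sum bytes in each direction per (client, host) pair across all sessions."""
    totals: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for _, client, host, out_b, in_b in rows:
        totals[(client, host)][0] += out_b
        totals[(client, host)][1] += in_b
    return totals


def find_upload_heavy(
    rows: List[Row],
    min_upload: int = 1_000_000,
    min_ratio: float = 20.0,
    allowlist: frozenset = frozenset(),
) -> List[Tuple[str, str, int, int]]:
    """Return (client, host, bytes_out, bytes_in) for pairs where the client sent
    far more than it received. Normal browsing is download-heavy, so an inverted
    ratio above min_ratio with at least min_upload bytes sent, to a host not on the
    allowlist of sanctioned upload services, is worth an analyst's look."""
    hits = []
    for (client, host), (out_b, in_b) in sorted(aggregate(rows).items()):
        if host in allowlist:
            continue
        ratio = out_b / max(in_b, 1)  # avoid division by zero for one-way flows
        if out_b >= min_upload and ratio >= min_ratio:
            hits.append((client, host, out_b, in_b))
    return hits


if __name__ == "__main__":
    sanctioned = frozenset({"drive.collab.test"})  # constructed allowlist entry
    for client, host, out_b, in_b in find_upload_heavy(parse_log(SAMPLE_LOG), allowlist=sanctioned):
        print(f"review: {client} -> {host}: {out_b} B out, {in_b} B in")
```

Aggregating per pair rather than per session is what catches the agent that splits a large upload into many modest sessions; the allowlist is there because sanctioned cloud storage and backup traffic produces the same profile, and the right place to separate those is a maintained list, not a looser threshold.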


Infiltration

There are several common ways to infect or access the target:

* An injection proxy is a system that is placed upstream from the target individual or company, usually at the Internet service provider, and injects malware into the target's system. For example, an innocent download made by the user can be injected with the malware executable on the fly, so that the target system then becomes accessible to the government agents. [Pascal Gloor, "(Un)lawful Interception", SwiNOG #25, 07 November 2012]
* Spear phishing: a carefully crafted e-mail is sent to the target in order to entice them to install the malware via a Trojan document or a drive-by attack hosted on a web server compromised or controlled by the malware owner. [Mathew J. Schwartz, "Operation Red October Attackers Wielded Spear Phishing", Information Week, January 16, 2013]
* Surreptitious entry may be used to infect a system. In other words, the spies carefully break into the target's residence or office and install the malware on the target's system. [FBI Records: The Vault, "Surreptitious Entries", Federal Bureau of Investigation]
* An upstream monitor or sniffer is a device that can intercept and view the data transmitted by a target system. Usually this device is placed at the Internet service provider. The Carnivore system developed by the U.S. FBI is a famous example of this type of system. Based on the same logic as a telephone intercept, this type of system is of limited use today due to the widespread use of encryption during data transmission.
* A wireless infiltration system can be used in proximity to the target when the target is using wireless technology. This is usually a laptop-based system that impersonates a WiFi or 3G base station to capture the target systems and relay requests upstream to the Internet. Once the target systems are on the network, the system then functions as an injection proxy or as an upstream monitor in order to infiltrate or monitor the target system.
* A USB key preloaded with the malware infector may be given to or dropped at the target site. Cyber-collection agents are usually installed by payload delivery software constructed using zero-day attacks and delivered via infected USB drives, e-mail attachments or malicious web sites. [Kim Zetter, "'Flame' spyware infiltrating Iranian computers", CNN - Wired, May 30, 2012; Anne Belle de Bruijn, "Cybercriminelen doen poging tot spionage bij DSM" (Cybercriminals attempt espionage at DSM), Elsevier, July 9, 2012]

State-sponsored cyber-collection efforts have used official operating system certificates instead of relying on security vulnerabilities. In the Flame operation, Microsoft states that the Microsoft certificate used to impersonate a Windows Update was forged; [Mike Lennon, "Microsoft Certificate Was Used to Sign 'Flame' Malware", June 4, 2012] however, some experts believe that it may have been acquired through HUMINT efforts. [Paul Wagenseil, "Flame Malware Uses Stolen Microsoft Digital Signature", NBC News, June 4, 2012]
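The injection proxy and the forged Windows Update certificate described above come down to the same defender question: can the endpoint tell that what it downloaded is what the publisher actually released, without trusting whatever certificate happens to arrive with the download? The following Python is an added example, not code from the article or from Microsoft or any vendor it mentions. It assumes a release manifest of SHA-256 digests that is itself authenticated with an HMAC under a key obtained out of band; that HMAC is a stand-in for a publisher signature checked against a pinned key, and the installer bytes, key and manifest format are all constructed.

```python
"""Verify a downloaded installer against an authenticated release manifest before use.

Added example, not from the original article. The manifest format, the shared key and
the sample installer bytes are constructed assumptions: the manifest lists SHA-256
digests of release artifacts and carries an HMAC under a key the client holds from an
out-of-band channel (a stand-in for a publisher signature verified with a pinned key).
"""
import hashlib
import hmac
import json
from typing import Dict

# Constructed demo key; in practice this role is played by a pinned publisher key.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(artifacts: Dict[str, str]) -> bytes:
    # Fixed key order and separators so vendor and client MAC the same bytes.
    return json.dumps(artifacts, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: Dict[str, bytes], key: bytes) -> dict:
    """Publisher side (assumed): record artifact digests and attach a MAC over them."""
    body = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"artifacts": body, "mac": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject any manifest whose MAC does not match: an on-path proxy that rewrites
    the digest list cannot recompute the tag without the key."""
    expected = hmac.new(key, _canonical(manifest["artifacts"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def verify_download(name: str, data: bytes, manifest: dict, key: bytes) -> str:
    """Return "ok", or a reason string explaining why the download must not be installed.
    The manifest is checked first so that a digest from an unauthenticated manifest
    is never used to vouch for a file."""
    if not manifest_is_authentic(manifest, key):
        return "manifest rejected: MAC mismatch"
    expected = manifest["artifacts"].get(name)
    if expected is None:
        return "artifact not listed in manifest"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return "digest mismatch: download altered in transit"
    return "ok"


# Constructed sample: the genuine installer and a copy modified on the wire.
GENUINE = b"MZ... constructed installer bytes v1.2.3"
TAMPERED = GENUINE + b" + injected payload"
MANIFEST = build_manifest({"installer.exe": GENUINE}, MANIFEST_KEY)

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, "->", verify_download("installer.exe", blob, MANIFEST, MANIFEST_KEY))
```

The ordering matters: the manifest's authenticity is established before any digest in it is consulted, and comparisons use `hmac.compare_digest` so timing does not leak how many bytes matched. What the Flame case adds is that the key used for this check has to be pinned by the client in advance; accepting any chain that validates against the platform's trust store is exactly the trust that a forged or misappropriated update certificate abuses.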


Examples of operations

* Stuxnet
* Flame
* Duqu
* Bundestrojaner
* Rocra ["Red October" Diplomatic Cyber Attacks Investigation, Securelist, January 14, 2013; Kaspersky Lab Identifies Operation Red October, Kaspersky Lab Press Release, January 14, 2013]
* Operation High Roller [Dave Marcus & Ryan Cherstobitoff, "Dissecting Operation High Roller", McAfee Labs]


See also

* Cyberwarfare
* Computer surveillance
* Computer insecurity
* Chinese intelligence operations in the United States
* Cyber-security regulation
* Industrial espionage
* GhostNet
* Proactive Cyber Defence
* Surveillance
* Chaos Computer Club
* Global surveillance disclosures (2013–present)
* Tailored Access Operations

