Cyberattack and Espionage: The Easy Way In?

From the Lecture series: The Surveillance State: Big Data, Freedom, and You

By Paul Rosenzweig, The George Washington University Law School
[Image: a man sitting in front of a computer with the sign "Malware" displayed on the screen. Caption: When an unsuspecting recipient clicks on the attachment, the malware begins the automated download of a controller program. (Image: Rawpixel.com/Shutterstock)]

Phishing Attacks

More than 200 billion emails are sent every day, and roughly 150 million different phishing attacks are launched through them. They are called phishing with a ph because the bad link is the bait, and we are the fish. Even if only a tiny fraction of one percent of these attacks succeeds, a massive number of people are still affected.

It is still a fairly simplistic cyberattack, one that a moderately cautious, sophisticated user need not be afraid of. There is, however, a more subtle form of cyberattack—a malicious intrusion that goes by the very name of a Trojan horse, or more simply, a Trojan.

This is a transcript from the video series The Surveillance State: Big Data, Freedom, and You.

Trojan Malware

[Image: a red Trojan horse symbol on a blue computer circuit board background. Caption: The malware is hidden inside a program that looks like an innocent piece of information—just like the famous Trojan horse. (Image: wk1003mike/Shutterstock)]

These malicious intrusions are called Trojans because, typically, the malware is hidden inside a program that looks like an innocent piece of information—just like the famous Trojan horse that had Greek soldiers hidden inside it.

Usually, a cyberattack of this kind begins with a simple Trojan communication. Often it is just an email to someone. This is often called a spear phishing email, as it targets a specific individual or recipient, much like a spear used to catch a particular fish.

Spear Phishing Emails

Instead of a generic message that could fit almost anyone, a spear phishing message is designed specifically for you or for a narrow, targeted group. These emails are designed to appear as though they have come from an innocent source. But they will have a malicious program hidden within—either in the email itself or quite possibly in an attachment.

When the unsuspecting recipient clicks on the attachment, the malware begins the automated download of a controller program. This program then opens a backdoor communications channel allowing outside individuals to access the programs that control the target systems.


Advanced Persistent Threats

The intrusion doesn’t have to be a quick hit-and-run. There is another class of attacks that are called, generically, advanced persistent threats, or APTs. These are intrusions that are developed over time, using sophisticated attack methodologies that are directed at specific targets.

They are the guided missiles of cyberspace. Once inside a system, the APT might stay resident in the target for a long period of time, and, in effect, make the target computer vulnerable to continuous monitoring from the outside.

Gh0stNet

These types of intrusions are common forms of surveillance operated by foreign governments. One of the most famous surveillance programs in cyber history is called Gh0stNet.

[Image: a photograph of the Dalai Lama. Caption: Gh0stNet was found back in 2008 running on the computers operated by the offices of the Dalai Lama. (Image: Christopher Michel/CC BY 2.0/Public domain)]

Gh0stNet was found back in 2008, running on the computers operated by the offices of the Dalai Lama. It was a sophisticated cyberattack, and it began with malware hidden in an email that appeared to come from a trusted source, freetibet.org, and that contained a real document: a directory of friends of Tibet.

Controlling the System Remotely

It looked completely innocent. But it contained a Trojan horse program that evaded the Dalai Lama’s intrusion-detection system and inserted itself into the operating system of the Dalai Lama’s servers. This program, in turn, communicated with controller servers operated by someone outside of the Dalai Lama’s organization.

These remote operators used the newly installed malicious software to take control of the Dalai Lama’s computer system. Acting remotely, the operators could, for example, turn on a keystroke logger.

Keystroke Logger

A logger, as its name implies, is a program that captures all of the keystrokes entered on a keyboard attached to the computer—in this case, the laptops and keyboards in the Dalai Lama’s office.

Those who controlled the malicious software were also able to remotely turn on the video cameras and microphones on the computers in the offices of the Dalai Lama.

Tracking the Trail of Gh0stNet

Using the camera and microphone, the surveillers could see—and hear—anything that was happening within range of the computer. And they did this without anyone in the office knowing that it was happening.

In fact, it took an information-warfare organization in Canada more than a year to unravel the chain of controlling computers and track who was behind the Gh0stNet attack to the end of the trail. The chain, in fact, petered out in servers on Hainan Island off the coast of China—which, perhaps not coincidentally, is also the home of one of the People’s Liberation Army’s signals intelligence organizations. The Chinese government vehemently denied that it was responsible for this intrusion.


China and OPM

Another example is the Chinese cyberattack on the US Office of Personnel Management (OPM)—another successful spear phishing expedition. Sadly for the US government, OPM manages the security clearance process for federal employees.

As a result, it’s thought highly likely that every file associated with the OPM-managed security clearance process since 2000 was exposed. That’s data on roughly 22.1 million people who work in America’s security community, and it includes at least 5 million sets of fingerprints, along with the detailed financial and health records of all these employees and of their spouses. In short, it is the greatest espionage surveillance coup of all time.

Common Questions about Cyberattack and Espionage

Q: What is Trojan malware?

Trojan malware is malware hidden inside a program that looks like an innocent piece of information—just like the famous Trojan horse that had Greek soldiers hidden inside it.

Q: What is Gh0stNet?

Gh0stNet was a surveillance program which formed a part of a cyberattack. It was used by remote operators to take control of the Dalai Lama’s computer system.

Q: Who was behind the Gh0stNet attack?

After tracking the trail of Gh0stNet, the chain petered out in servers on Hainan Island off the coast of China—which is also the home of one of the People’s Liberation Army’s signals intelligence organizations.
