Now this foreknowledge cannot be elicited from spirits; it cannot be obtained inductively from experience nor by any deductive calculation.
Knowledge of the enemy's dispositions can only be obtained from other men. Hence the use of spies, of whom there are five classes: (1) Local spies; (2) inward spies; (3) converted spies; (4) doomed spies; (5) surviving spies.
When these five kinds of spy are all at work, none can discover the secret system. This is called "divine manipulation of the threads." It is the sovereign's most precious faculty.
An effective cyber intelligence operation must include the use of espionage and covert surveillance inside the hacker criminal underground as well as nationalistic youth organizations. This is a very broad arena that allows for any number of imaginative approaches, but one thing that is critical, and is a major stumbling block to many US agencies, is the employment of US citizens of foreign birth in the nations that are generally considered adversarial (e.g., the Russian Federation and the People's Republic of China). The irony of the federal bureaucracy is that it keeps out the very people on whom our national security may depend. A 29-year-old naturalized US citizen who lived his entire life in Russia, was educated in the best Russian institutions, and has now adopted the United States as his home will almost never receive the security clearance that he needs to do the work for which his experience has perfectly prepared him.
This is one of the areas, however, that creates opportunities for GreyLogic's Project Grey Goose and other investigative international security trust networks (STNs). PGG is not bound by the same bureaucratic shackles or legal authorities that employees and contractors of the intelligence community are. Volunteers are vetted not by their ability to receive a Top Secret/SCI with Full Scope Polygraph clearance; they are vetted by their peers who know and trust them and by the quality of the work they produce, which often speaks for itself.
I have had the opportunity to broach this subject many times during briefings that I provided to various agencies within the IC. Since these were unclassified briefings based on open source intelligence (OSINT), the moment I would broach the subject of conducting this type of covert campaign, the conversation ended. I was told that that was out of their domain. Astoundingly, the very sources and methods on which a successful cyber intelligence operation depends are outside the domain of the very federal employees tasked with the mission of open source cyber intelligence gathering.
An experienced military officer who has spent the bulk of his career working in Computer Network Operations and with whom I have had frequent discussions pointed out that the DoD employees tasked with open source work could not comment or discuss a covert action simply because covert actions are, by definition, not open source.
The open source intelligence model as used by Project Grey Goose investigators is not a passive one that simply gathers publicly available data for analysis. Instead, the model uses active discovery that pushes the envelope but never crosses into illegal activities.
Although progress is being made inside the US intelligence community, this distinction between active and passive collection, as well as legacy constraints on OSINT analysts, is a contributing factor in why the United States government finds itself constantly on the defensive in cyberspace and vulnerable to whoever wants to attack its networks and access its critical infrastructure.
Chapter 6. Nonstate Hackers and the Social Web
Social services such as Twitter, Facebook, MySpace, and LiveJournal are an essential part of the hacker's toolkit. Commonly known as the Social Web, these services provide a heretofore unprecedented data store of personal information about people, companies, and governments that can be leveraged for financial crime, espionage, and disinformation by both state and nonstate hackers.
In this new era of cyber warfare, the Web is both a battle space and an information space. As this chapter shows, it is also a social, educational, and support medium for hackers engaged in cyber operations of one kind or another.
This chapter also discusses security implications for employees of the US government, including the armed services, who use social media and how their activities can put critical networks in jeopardy of being compromised by an adversary.
In addition to the giant social applications mentioned earlier are hacker forums, many of which are private or offer VIP rooms for invited members. These forums, along with blogs and websites, provide recruitment, training, coordination, and fundraising help to support the hackers' nationalistic or religious activities. What follows is a sampling organized by nation.
Russia.
Social networking is very popular among Russians. A recent Comscore study shows that, as a group, Russians are the most engaged social networking audience in the world, spending an average of 6.6 hours viewing 1,307 pages per visitor per month. The United States came in ninth at 4.2 hours.
The Russian Security Services are quite aware of this and have expressed concern over violations of operations security by Russian military personnel via social networks such as LiveJournal, Vkontakte.ru, and Odnoklassniki.ru. In fact, the Federal Security Service (FSB) has banned its members from using Classmates.ru and Odnoklassniki.ru. That ban does not apply to former military personnel, however, and that's who is doing most of the posting today, now that a more rigid policy has been put into effect.
Numerous Russian LiveJournal users self-identified as former or present members of the FSB, Spetsnaz, Special Rapid Reaction Unit (SOBR), Border Patrol, and others.
Odnoklassniki.ru, however, has earned the attention of the Russian press and the Kremlin for a reason: it is rife with information of a military nature. As an example, one of Project Grey Goose's researchers was able to find mentions of over 50 strategic assets in this Russian social network, including:
"Ordinata" Internal Ministry of Defence Central Command Communication Center
2nd special forces division of FSB-GRU
42nd secret RF Navy Plant
63rd Brigade of RF Internal Defense Ministry
Air defense anti-missile staging area for C-300
Air Paratroopers 38th special communication division
C-75 missile complex
Central Northern Navy Fleet missile test site-NENOKS Severodvisk
Air map FSB division of Dzerzhinsky range
Headquarters of Russian Strategic Rocket Forces (RSVN)
Heavy Navy Carrier "Admiral Gorshkov" location
K-151 nuclear submarine location
RF navy "Admiral Lazarev" missile carrier
RT-2M Topol (NATO SS-25 SICKLE) Mobile ICBM Launcher Base
Russian Akula Submarine K-152 Nerpa (SSN)
Russian Typhoon Class SSBN
Sheehan-2 Central Research and Testing Institute of Chemical Defense Ministry troops
The availability of this level of information has created a furor in various Russian online communities. One forum administrator complains that even the FSB doesn't have the data about Russian citizens, institutions, and the armed forces and their movements and interactions that these social networks have, particularly Odnoklassniki.ru.
China.
China has a huge Internet population and, as might be expected, has a correspondingly large population of hackers as well as servers hosting malware. There are literally hundreds of forums for hackers.
In his self-published book, The Dark Visitor, Scott Henderson wrote that he was astounded when he first began researching Chinese hacker groups. He had initially hoped to find a few Chinese citizens talking about their alliance, but what he ultimately uncovered was extensive, well-organized, and massive: a hacker community consisting of over 250 websites and forums.
The China West Hacker Union website, for example, had 2,659 main topics and 7,461 postings. This was a fairly average number of documents for a Chinese hacker website; some sites, such as KKER, had well over 20,000.
Unlike hackers from other countries, Chinese hackers tend not to use Facebook or other social networks, preferring an instant messaging service called QQ instead.
The Middle East.
The following are websites utilized by Arabic hackers:
Now defunct, this was the address for The Arabic Mirror website, where hackers advertise exploits. It contained a section devoted specifically to defacements related to the Gaza crisis, where the websites targeted were Israeli or Western and the "graffiti" contained messages about the crisis. The administrators identified themselves as The_5p3trum and BayHay.
The Arabic Mirror website has a password-protected forum with information about hacking and security vulnerabilities, among other subjects. Its moderator is Pr!v4t3 Hacker, who identifies himself as a 16-year-old from the Palestinian territories and a member of Kaspers Hackers Crew, which is involved in hacking Israeli websites.
/ The Gaza Hacker Team Forum is for sharing general information on hacking as well as a place to showcase the team's skills and achievements. The Gaza Hacker Team is a small group that conducts both political and apolitical attacks. It was responsible for defacing the Kadima party website on February 13, 2008. The forum has a recruiting function: members can join the Gaza Hacker Team by displaying sufficient skills and knowledge on the website.
The administrators of the Gaza Hacker Team forum state that their goal is to develop a community around their forum. They post guidelines for members instructing them to encourage, support, and assist one another, and to focus on creating a sense of respect and community rather than the rivalry and competition present in other forums. "This forum is your second home," states one administrator, "in which reside your friends and brothers to share knowledge with you and to share in your unhappy feelings when you are upset and in your joy when you are happy."
/cc/ This is the site of the Arabs Security forum, which is affiliated with DNS Team.
al3sifa.com This is the site of the Storm forum, which is also located at 3asfh.com. This is an Arabic language forum on hacking and other technical topics. Its members do not appear to be as heavily focused on Gaza-related hacking as the other forums. The forum was online in early January 2009, but it was down as of February 1.
arhack.net/vb The Arab Hacker website contains several forums devoted to IT security and hacking. It includes forums devoted to making viruses, creating spam, and obtaining credit card numbers. It also includes a section for hackers to boast about their successes, where the focus is on American, Israeli, Danish, and Dutch websites.
This used to be a more developed website called the Muslim Hackers Library. Now it contains only a list of downloadable resources for hackers in both Arabic and English.
Pakistani Hackers and Facebook.
On December 24, 2008, the Whackerz Pakistan Cr3w defaced India's Eastern Railway website with the following announcement: Cyber war has been declared on Indian cyberspace by Whackerz-Pakistan.