Everyone does it. Why not governments?Apparently, BND has been copying hard drives and installing key loggers (Trojan horse software that can steal everything you type and do on your computer). This brings up security concerns for us and our organizations, as well as for the BND.
With the marked increase in computer usage in the past two decades, and with more information sources and communication channels moving to the Internet, intelligence gathering has been adapting accordingly, which should not be a surprise to any of us. The BND is no different; it was simply "caught," compromised by leaks to the press.
In this article we will cover what happened and Germany's reaction. We'll also look at how such attacks work, with background information on the scope of targeted attacks as they are known today, plus a few pointers on how we can defend our organizations.
Background While we won't concentrate on the legal and privacy concerns this case brings up, we should address them. This revelation draws much public debate inside of Germany regarding the BND's activities, legality of its actions, and effectiveness of existing civilian over-sight. The concern is undoubtedly important because the BND seems to have not been acting completely within the boundaries of the law, and not properly controlling the activity of its employees. But from an information security standpoint, I have other concerns.
According to a German friend of mine, this situation is "a big stink." In a separate case last year, the BND spied on reporters and an Afghan minister, causing public outcry. Further, German authorities want the police to use Trojan horses in the investigation of criminal cases. German police already made use of Trojan horses in the past, disclosed after-the-fact during a court case. It was ruled as illegal. A law was later passed to allow it, but the issue has been heavily contested in the German Federal Constitutional Court. Finding out the BND has already been using such software against German citizens and reporters on top of that doesn't look good.
German law enforcement does not stand alone in its wishes. There has been a marked trend in police forces around the world using Trojan horses for investigations. In fact, several companies I know develop such software specifically for law enforcement use. The first recorded case of such software used by law enforcement was Magic Lantern, as used by the FBI.
With a tinge of irony, I do want to jest. I'm shocked the German government would violate rights of citizens of other countries. Surely this has never happened before. Next we'll be told the CIA is a spy agency.
Specific legal limitation on actions the BND can take within German borders, or against their own citizens, exists. It is neither a secret the BND is an intelligence agency nor that it spies on foreigners -- much like the rest of the world supposedly does. I don't see this revelation as a big deal, except in the case where German citizens were supposedly spied on while abroad, which is murky legal ground, and where the BND supposedly spied on reporters inside of Germany.
There have been previous cases where German intelligence has been compromised in the press. The one mentioned above involving reporters broke in the press last April when the Der Spiegel wrote about the BND intercepting email messages between a Der Spiegel reporter and Afghan Commerce Minister Amin Farhang, which apparently continued with computer-based espionage attacks on the ministry itself. One could guess this was possibly done by use of this beach-head (his computer).
According to the Der Spiegel in this well-researched English language article, these previous attacks were performed by the use of Trojan horse software, which stole information, computer files, and the password for the minister's Yahoo! mail account -- which was later continually read. They further reported the attacks were performed by a small team called OPUS in department 26E. They mention that:
According to the BND's secret allocation of responsibilities, OPUS is in charge of "technical and operational attacks on IT systems."
The article further describes how the operation was initiated only days after Ernst Uhrlau, BND's president, said in a 2006 interview: "When it comes to the private sphere of a journalist, then I have to draw the line." That statement was uttered following yet another previous case in which the BND spied on reporters using informants, supposedly trying to discover the sources for a damaging article.
False Positives, Negatives Happen, Even In Intelligence Gathering This portion of the article is not complete without mentioning that even under the best conditions and intentions, intelligence gathering is a tedious and complicated job; data mining and researching at the scale an intelligence agency such as the BND handles cannot be easy.
Technically, IP addresses belonging to German ISPs can be used by, or even leased to, foreigners. German computers compromised by criminals can be "talking" on the Internet proxying foreigners. Email addresses from other countries, as well as free Web mail services abroad, can be used by Germans or German services by foreigners. Heck, a German can be touring abroad and checking email. And this is all before processing content. Operationally, however, you will on occasion hit false positives and negatives, which in this case translated into private communication of and by German citizens.
This is not to invent excuses for the BND. My opinion is that employees will see things they shouldn't no matter what, especially when it's their job to filter content. This is why ethics are at the core of the matter. People who are hired by the BND ought to be trusted and follow strict guidelines. But if the BND is to do its job, some mistakes will happen even under strict laws and oversight.
We need to remember that while these organizations should follow policies, their goal is to find relevant intelligence. They sift through useless garbage data and would like nothing more than to send their analysts just what's likely to have intelligence value. Even organizations such as the BND don't have endless resources.
These legalities, practicalities, and social matters explained, one must admit they mostly sound like internal German politics at play.
Moving on to security implications -- back to 2009.
2,500 Computers Attacked The new report mentions that in the past couple of years, the BND has spied on more than 2,500 computer systems. Among them, the Der Spiegel lists Pakistani nuclear scientist Abdul Qadir Khan, a computer network in Iraq, and computers of German civilians in the aid group Welthungerhilfe, stationed in Afghanistan.
The security implications for the BND, compromised with two devastating leaks to the press in the past year on the very fact they ran espionage operations, are significant. Not only that, but how they do so -- by use of a Trojan horse -- is damaging to its future operations. To top it all, some of its targets are listed. Whether real or not (and it certainly appears to be), this is likely very damaging -- and shocking -- to them for several points, such as:
- (a) the strain this must put on German foreign relations
(b) the further legal restraints that will possibly be imposed on the BND in the future
(c) the loss and potential compromise of these and other intelligence sources
(d) practical limitations on further operations against their opponents in the future; and
(e) an organization that will possibly be wary, maybe in a culture of fear, of doing its job.
For a modern intelligence agency to fail so miserably in operational security is far more than embarrassing. As to the number of supposed attacks performed -- 2,500 -- one could only guess. The number seems reasonable for targeted attacks performed by a mindful, covert intelligence agency in two years.
Then again, if the attacks' technical and operational capabilities are automated, and it has enough intelligence on targets to launch operations against to begin with, the number seems to be anywhere between reasonable and low.
That said, if it had no operational security to begin with and attacked without guidance (which seems rather doubtful), the number is indeed low. By Internet Trojan horse standards, with millions of infected computer systems for all to see, it's even incredibly low. The BND, however, is not the Russian mafia or a script-kiddie from Arkansas. Covertness is the name of the game.
There is a big difference in cost between automated hacking and targeted hacking. Just discovering who you should attack has a high cost.
Targeted Attacks And Relevance To Us Regardless of scale, this is interesting enough to be of note to us as security professionals and to our organizations. This disclosure clearly illustrates the real threat of targeted computer attacks by a capable, determined attacker with resources to invest.
Look, the concept of computer spying is not new. It has been shown to have happened millions of times during the past 10 years in the form of mass-propagation Trojan horses and worms on the Internet. But the targeted nature of these disclosed attacks, and that a nation-state performed them, reminds me of the phrase "seeing is believing."
In the past, targeted attacks were disclosed as mostly part of industrial espionage. Further generic disclosures on multiple targeted attacks against multiple governments (especially the United States) have been reported in recent years. A famous example was the Israeli Trojan horse case, in which dozens of international high-tech companies were implicated, either as clients of private intelligence companies that did the spying or as the victims.
In recent years, research (lately done at Microsoft) on targeted Internet attacks has shown an increase in what has now become known as "spear phishing," as well as an increase in use of zero-days (vulnerabilities previously unknown until discovered in-the-wild) against governments and corporations, mainly by attacking Microsoft Office applications.
On a general note, criminals are not the only concern for our organizations on this front. Multiple intelligence agencies around the world, with France as a prominent example (as seen in the quote below), have been spying in the hope of giving their local industries an edge on the international market.
A quote from "The Industrious Spies, Industrial Espionage in the Digital Age" illustrates the matter:
This transition fosters international tensions even among allies. "Countries don't have friends -- they have interests!" -- screamed a DOE poster in the mid-nineties. France has vigorously protested US spying on French economic and technological developments -- until it was revealed to be doing the same. French relentless and unscrupulous pursuit of purloined intellectual property in the USA is described in Peter Schweizer's "Friendly Spies: How America's Allies Are Using Economic Espionage to Steal Our Secrets."
This incident should serve as a wake-up call to CEOs, boards of directors, and other key personnel. As a security professional, you should make your superiors aware of what it means to your organization.
Is This Information Warfare? Cyberwar? In 2007 we saw massive-scale computer attacks launched against Estonia's infrastructure (PDF), which brought forth an abuse of the terminology in question. Many have been quick to use the term "information warfare" to describe many unrelated incidents.
While the Estonia attack was a prime example, and the later attack against Georgia was at the very least interesting, these were also rare in how we can attribute the tag "war" or, at the very least, "fighting" to them. As far as cyber-engagements (massive continuous campaigns) between nation-states are concerned, they simply don't happen. While I am unfortunately sure they will, information warfare in the foreseeable future will mainly consist of covert actions, such as espionage.
Massive infrastructure attacks on the Internet are of an international concern. The Internet is a critical international infrastructure, and many businesses in addition to governments, rely on it for their operations. Espionage, on the other hand, has been going on since the beginning of human history. We should leave it for the diplomats and militaries, and accept that computers are simply yet another tool added to the intelligence-gathering arsenal.
To illustrate the point, Afghan Commerce Minister Amin Farhang was quoted in the Der Spiegel article as being personally shocked by the spying, both being performed by Germany, a close friend of Afghanistan, and against him, a friend of Germany and a holder of a German passport. A distinction must be made between public diplomacy and espionage activity. History has continually shown that the two are not necessarily operating under the same policy or with the same interests. The same logic can be applied to the Internet.
This means that while we have no concern about who spies on whom, we should definitely do more to defend our organizations if we suspect we are a target.
Protecting Our Organizations Last year I detailed on my personal blog (later syndicated in other publications) examples of targeted computer attacks, as well as practical ideas about how we can defend our organizations against them.
Those ideas included more resources on network behavior analysis, social engineering training and procedures; prioritized cooperation with the physical security part of the organization and HR (for personnel screening); and monitoring the network for anomalies and establishing a baseline.
Further, this threat can be used to get more budget for security. An example would be establishing a five-year plan for better defending your organization from industrial espionage.
In Conclusion In Germany, the debate is raging on. Will Trojan horses be accepted for regular use in police investigations? Will the BND be "refreshed" on how it should not spy on German citizens, and, if so, how will it handle the trade-off between finding critical intelligence for Germany's security and protecting the privacy of its citizens?
While it has been obvious for a while now that countries are using computer attacks for intelligence gathering, there is nothing like a citation of a case study to make a point. A nation-state has been shown to be spying by the use of computer attacks. It has been doing so in a systematic fashion for a while. Thinking it is the only one would be a mistake.
We need to work to advance our organizations' security so we can face the real threat posed by targeted attacks. We should do so now.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.