Attribution & Retribution in the age of Aurora and Stuxnet

This post is inspired by my attendance at the Sydney session of the McAfee Focus 2010 Security Seminar and recent discussions around the Stuxnet malware.

At McAfee’s Focus 2010 Security Seminar, one of the more interesting sessions was an analysis of Operation Aurora presented by McAfee’s head of Threat Research, Dmitri Alperovitch. Outside of IT security circles, the name Operation Aurora probably doesn’t ring any bells. But in January 2010, the Aurora cyber-attack was making headlines across the globe due to Google’s sensational claims that it had been the victim of a security breach which had its origins in China.

Google wasn’t the only company infiltrated. A number of other US companies in industries such as finance, defence and technology were also targeted. But it was Google’s actions – publicly outing itself as a victim, naming China as the source of the attacks and threatening to stop censoring its search results in China – which made it the public face of the Aurora attacks.

Whilst those with a background in IT security would probably get more from Dmitri’s presentation, the analysis of Aurora was presented in a way that made it accessible to a more general audience. That is a great thing, given some of the thought-provoking issues raised.

1. Theft was the primary objective: Whilst much of the media attention was on Google’s claim that hackers had targeted the email of two Chinese human rights activists, the primary goal of the attack was theft. Aurora was a sustained attempt to steal intellectual property – for example by targeting software that would give the hackers the ability to steal source code. Dmitri’s view – the targeting of the Gmail accounts was an opportunistic exploitation of already compromised systems.

2. Brilliantly planned, brilliantly executed: Listening to the Aurora story unfold was like listening to the plot of a spy movie. To give an idea of the scale (and hence resources) involved, consider these points:

  • The number of companies simultaneously attacked. It’s been claimed up to 34 companies were attacked. Whilst a simultaneous attack may yield some economies of scale (reuse of code, sharing of infrastructure and human agents), to target so many companies at once is both impressive – and worrying.
  • The hackers had a common modus operandi, but customised their attacks based on the targeted company and the specific individuals in the organisation they were after. This suggests some fairly detailed intelligence gathering and preparation must have gone into the set-up for the main attack.
  • When targets were compromised, there were hackers standing by to take control of the compromised systems. Forget kids breaking in during their spare time; whoever was behind Aurora could afford to have people on standby to capitalise on opportunities as soon as they came up.

3. Deterrence – attribution and/or retribution: One of the key themes of the McAfee event was that reactive and purely defensive security is no longer enough. Typically this was presented in the context of security software and hardware that works on threat prospecting and reputation scoring, rather than on blacklists and traditional signature files.

But Dmitri also raised another idea – being able to identify the source of attacks (attribution) and create suitable deterrents, including “kinetic responses” (i.e. physical attacks). But would any nation state really have the confidence to openly stage a physical attack in response to a cyber attack? Would a nation really order some form of direct military action if it were ‘proved’ that another nation had been engaged in some form of cyber attack?

Up until a few weeks ago I would have said no. But in the wake of Stuxnet I’m becoming more inclined to think that in the future, the answer may be yes.

Stuxnet is reportedly one of the most sophisticated pieces of malware seen to date. The latest speculation from the IT security community is that it was developed by a well-funded organisation (a nation state) to cripple Iran’s nuclear program. Like Aurora, the Stuxnet attack is likely to have taken a long time to plan, develop and execute.

So how will countries targeted by this type of incredibly destructive attack respond? Will they be prepared to bide their time before they stage an equally surreptitious counter-attack, or will they pursue the simpler and quicker “kinetic” option? Will nations pre-emptively position themselves to be able to stage cyber-strikes, and create a virtualised state of mutual assured destruction that (mostly) keeps the peace?

Whatever the outcome, Aurora and Stuxnet have moved cyberwar from the stuff of Hollywood fiction to public reality. Welcome to the new world order?