The Raytheon Company has acquired Technology Associates Inc., a privately held supplier to the U.S. intelligence community, providing system engineering support for mission-critical programs. Technology Associates’ capabilities include data extraction and analysis; digital media intercept and exploitation; embedded system programming; and information assurance services. Based in Reston, Va., Technology Associates was established in 1990 and has 110 employees.

Technology Associates will become part of Raytheon’s Intelligence and Information Systems (IIS) business. Technology Associates President Preston Harrelle joins Raytheon and will continue to lead business operations while taking on a broader cyberstrategy role across the Information Security Solutions (ISS) product line. “By acquiring Technology Associates and integrating its talent and expertise into our business, we’ll further strengthen our ability to meet the evolving needs of our customers.” Lynn Dugle, president of Raytheon IIS commented.

The FBI is after 17 members of a cyber crime 'mule' network involved in a fraud using Zeus Trojan malware. Photo: FBI

The FBI arrested 20 persons suspected to be members and operators in an international cyber crime network charged with bank fraud scheme. The network compromised dozens of individual and business accounts in the U.S. and transferred more than $3 million under false identities. The FBI is charging more than 60 people  from Russia, from Belarus, Kazakhstan and Ukraine, as well as U.S. nationals, some already convicted in money laundering and fraud. Of the 60 charged in this case only 20 were arrested in recent days, 17 are still at large in the U.S. and abroad. The charges followed Tuesday’s arrests of 19 people in Britain on computer crime charges being part of “a sweeping and coordinated effort to combat the 21st century’s variation on traditional bank robbery,” US Attorney Preet Bharara said in New York.

FBI Assistant Director-in-Charge Janice K. Fedarcyk, attributed the attack to the ‘Zeus Trojan’ malware which allegedly allowed hackers to get into victim accounts from thousands of miles away. “They did it with far less exertion than a safecracker or a bank robber.” Fedarcvk admitted but assured, they, “Like the money mules, many, if not all, will end up behind bars.”

Among the 17 cyber gang members still at large are Artem Tsygankov, believed to be the head of the network, Artem Semenov, one of the operators that managed several 'mules' in the U.S., he used at least six false identities to open seven accounts to transfer over $70,000, from which he managed to withdraw $28000 before the banks closed the accounts. Semenov was no stranger to the FBI. He was arrested in 2009 but released on bail. Sofia Dikova (left) provided false passports to the 'mules'. Pasports were claimed by identity thefts. Her photo was spotted on a shipment of false passports captured in Neywark in January 2010. Photos: FBI

According to the FBI, the scheme was headed by Artem Tsygankov, a Russian national, age 23, who recruited other young students to operate as mules and managed their activities, directing the money gained by the scheme through fraudulent wire transfers to the mules’ accounts. The network followed ‘multi-level’ scheme, where recruits and recruiters keep around 10% of the amount they transfer. The network recruited ‘mules’ by targeting young students holding U.S. tourist Visas, targeted on Russian social network sites. Tsygankov is still at large, wanted by the FBI. If convicted, he faces more than 30 years imprisonment.

After the ‘mules’ have opened hundreds of bank accounts, under false identities, at U.S. banks, the cyber attack was launched from Eastern Europe, unleashed by sending millions of emails containing the “Zeus Trojan”, targeting computers at small businesses and municipalities in the United States where security awareness is considered low. According to the FBI, once the email was opened, the malware embedded itself in the victims’ computers, and recorded their keystrokes – including their account numbers, passwords, and other vital security codes – as they logged into their bank accounts online. The hackers responsible for the malware then used the stolen account information to take over the victims’ bank accounts, making unauthorized transfers of thousands of dollars at a time to receiving accounts controlled by the co-conspirators.

Hundreds of receiving accounts were set up in advance by a “money mule organization” responsible for retrieving the proceeds of the malware attacks and transporting or transferring the stolen money overseas. To carry out the scheme, the money mule organization recruited individuals who had entered the United States on student visas, providing them with fake foreign passports, and instructing them to open false-name accounts at U.S. banks. Once these false-name accounts were successfully opened and received the stolen funds from the accounts compromised by the malware attacks, the “mules” were instructed to transfer the proceeds to other accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash.

The investigation began in February 2010 when New York Police Department (NYPD) investigated a suspicious $44,000 withdrawal from Bronx bank, said Commissioner Raymond W. Kelly said: “It soon became evident that it was just the tip of an international iceberg.” said Kelly. The investigation unfolded far beyond New York, involving national and trans-national agencies to reach and decipher the international scheme which represents the profile of typical modern cyber crime. As the incidence of transnational cybercrimes continues to rise, investigations and prevention activities are elevated to include the Diplomatic and Secret Service. “The results of this investigation clearly demonstrate how the Secret Service is forging strong partnerships with other law enforcement agencies, successfully combating cyberfraud, and bringing high-tech perpetrators to justice.” DSS Special Agent-in-Charge Christopher Paul added “The charges announced today send a strong message: Diplomatic Security is committed to collaborating with our law enforcement partners to make sure that those who commit fraud face consequences for their criminal actions. Diplomatic Security’s strong relationship with the U.S. Attorney’s Office and other law agencies around the world continues to be essential in the pursuit of justice.”

“Stuxnet is definitely not a military code, at least not a Western one” said Shai Blitzblau, Head of Maglan-Computer Warfare and Network Intelligence Labs, interviewed by Defense Update. “Stuxnet is a sophisticated and highly advanced code, but it lacks certain elements commonly associated with military operations” Blitzblau explains that the broad, indiscriminate attack on industrial computers launched by Stuxnet is not characteristic to a military operation, where the nation launching the attack tries to minimize collateral damage and focus on a specific target.

“Every student can write a module discriminating the target computer and localizing the attack to a specific target” Blitzblau added, “The fact that this sophisticated code does not have such elements, and certain aspects of the functionality of the malicious code, allege to the creators’ aiming Stuxnet to target Siemens industrial systems on a broad base, rather than a specific application as reported by the media.” In addition, a high level code aimed at Network Intelligence Operations would have an anti-anti debug mechanism to avoid forensic analysis.

Who could be the perpetrators behind this attack and what were their goals?

Blitzblau describes an act of ‘Advanced Industrial Espionage’ a deliberate cyber sabotage launched by someone against Siemens – this could be a competitor or service-provider, seeking to exploit the situation for business opportunities – first create the problem and then – help fixing it. But there are also other aspects to the attack that could tell a different story. “This could also be a ‘general test’, prior to a planned attack, or a proof of concept, initiated by an academic group – in the past we witnessed such attacks, for example, one attack was launched from Japan, on video drivers.” According to Blitzblau a military test going out of control is not an option here. “Military offensive cyber ops are not conducted this way and even when an intelligence agency conducts such tests they will go a long way to ensure that the test is limited to a specific volume and not spread it worldwide.” He said. Blitzblau attributes the widespread infection of industrial networks in Iran to low level of security and, apparently the high popularity of Siemens systems in the country. In fact, Stuxnet could have propagated from Belarus, and Russia unintentionally by Russian system engineers, using USB devices to update and program Siemens systems in Iran, Indonesia and India. The intensity of attack in Iran could illuminate the intensity of their activities associated with the nuclear projects in Natanz and Bushehr.

While the media attributed Stuxnet as a cyber weapon launched by Israel or the USA against Iran’s nuclear facilities, the possibility of it being a cyber weapon developed and launched by international terrorists’ organization has not been tackled seriously by the media. Yet, Blitzblau has a grim outlook as to the potential value of such cyber weapon in the hands of terrorist organizations. “International terrorist organizations certainly have the will, and means to launch such an attack, and they could gain the most from it – creating mega events like bringing airports, disrupting train traffic, cutting power supplies and utilities. “Even if they did not create it, they now have access to such a weapon, as Stuxnet is now in their reach, like a loaded gun. Despite the countermeasures developed by Microsoft and Siemens, there are many networks that have not been patched yet – some will never be protected. Blitzblau warns that the current attack will probably set the route for new vectors for cyber terror, as the malicious code is modified and manipulated into a range of new forms and variants. The vulnerabilities highlighted by the current attack will undoubtedly set the course for more attacks aimed at industrial controllers and embedded systems. With that, the risk of compromising military systems will grow dramatically; as such elements are widely used in military weapon systems.

Stuxnet uncovers the vulnerability of our infrastructure system – exposing the vulnerable interfaces between the logical and physical world, these elements are totally unprotected and open disastrous vulnerabilities to attack by cyber terrorism and cyber criminals.

“We have analyzed the code, and compared it to other, similar known malware, this new code has definitely the parameters of a ‘military code’, but it lacks some aspects one would expect to find in military cyber warfare application” Shai Blitzblau, Head of Maglan-Computer Warfare and Network Intelligence Labs, interviewed by Defense Update. Among these parameters are communications, encryption, internal self-protection (anti-anti debug) and certain methodologies that are followed by western cyber warfare specialists.

While Iran was marked as Stuxnet’s most popular target, other countries falling prey to the new malware were many third world nations where Siemens equipment is widely used and security and legal discipline in licensing and security methods are not strictly enforced. Stuxnet also attacked Indonesia, India, Russia, Belarus, and in Kirgizstan. What’s more important is where the Stuxnet didn’t attack – China and – most surprisingly – Germany, where only few systems were compromised yet none of the reports was confirmed!

“Siemens is reporting that industrial plants in Germany have also been hit by the Stuxnet worm. According to Wieland Simon, press spokesman at Siemens, approximately one third of the 15 infections discovered at industrial plants worldwide have been found at sites in German process industry sector. Siemens’ own plants are said not to be affected” simon added.

Although it was ‘discovered’ by the media in late September, Stuxnet is definitely not a new threat and, in fact, most of the vulnerabilities it exploited have already been ‘patched’. It was created sometime in January-February according to the ‘time stamps’ embedded into the compiled code. Initial anomalies related to the new threat were reported about two months later. Maglan received the new threat as part of our technical support services to some of our customers, who were hit by the malware. After thorough analysis we have uncovered several interesting aspects of the code that were not familiar before, and lead us to assume that Stuxnet was not created by a western cyber warfare organization. However, the great effort and resources invested in this code testify to its value to its creators, who spent great investments – financial, technical and in – most importantly, in assets considered scarce commodities among the hackers community.

Targeting Industrial and Infrastructure Systems

First, and most important, the code was not written by “home based” hackers – unlike most other malware codes, it is not directed against conventional windows systems, but specifically at industrial systems, by exploiting four different vulnerabilities (security ‘holes’ detected by hackers but not yet patched, three months ago, by the targeted software provider – also called ‘Zero Day’ exploits). Such Zero-Day Exploits are not spent easily by hackers, and would rarely be used in tandem, let alone in a ‘quad’ formation, testifying to the fact that the developer team had no limits on the use of resources.

Multiplicity and redundancy were also employed addressing the targeted operating systems. The creators of Stuxnet also went into great effort to ensure the malware covers all potential avenues of approach – including systems that rarely interest hackers – like WindowsCC, a Microsoft operating system designed for embedded systems. The code also targets all Windows platforms from Windows ME, XP, NT, Vista, 2000, 2003 and 2008 to the latest Windows 7 – again not a simple task for regular hackers. Other aspects of the code target specific vulnerabilities attributed to Siemens PSC7 systems, designed to control Programmable Logic Controllers (PLC) widely used in utility and industrial SCADA systems.

While each of these penetration axes operates independently, these parallel lines are coordinated and supporting each others to achieve the goal – ‘hijack’ as many PLCs as possible and burry embedding itself into the command and control hubs. The malicious code does not carry the type of spyware commonly found in other bots, but is rather ‘attack oriented’ – carrying a ‘payload’ in form of a set of commands designed to bypass those controlling the PLC, and carry out a set of actions as instructed by the hijacker.

Self Contained Weapon’s Payload

The carry out and control such attack the creators of Stuxnet embedded three separate means of communications in the code – two are considered ‘advanced’ and one ‘low level’. However, the code lacks communications elements that would enable a ‘nation state’ operation much more flexibility and control, having the capability and means to conduct operations in the proximity of the targeted site. One of the unique features of Stuxnet is the way its payload is ‘packed’ into the code.

Previous malware attacks employed a communications mechanism that could download the payload – the intelligence collecting ‘spyware’ or ‘attack’ from the command and control center – this enables the use of more compact code, better precision and more flexibility as the attack unfolds. Stuxnet has the payload built-in to the code, alluding to the fact that it was targeted against known targets and its creators had little consideration as to the collateral damage they create. Again, this methodology is rarely used among Western cyber warfare operatives.

Although the code was designed with remotely controlled ‘uninstall’ and termination function, these do not work properly in most cases, as the level of sophistication invested in this segment fall behind the general high standard of Stuxnet.

Countermeasures and Concealment

Nevertheless, the creators took great effort to conceal the malicious code from detection, in an effort to mask its existence, activity and objectives. For example, the malicious code was written as a ‘dynamic link library’ (.dll) commonly associated with hardware device drivers – software elements rarely considered a risk, since these they are written, signed off and distributed by hardware providers to support specific functions of such hardware. Users commonly download these devices as part of hardware installations and support and trust their own anti-virus scanners and the companies that provided the drivers for their security. Alas, Stuxnet exploited this vulnerability – it uses highly sophisticated anti-anti-virus countermeasures, addressing 38 (!) known anti-virus programs, not only few of the most common ones, as most hackers will do.

In addition, the code is digitally signed by VeriSign as genuine Siemens software. Later, Siemens reported that these signatures were stolen but did not explain how such sensitive material was compromised and reached hostile elements. Technically, ‘extracting’ such signature from existing products is possible, but this capability is beyond the reach of hackers and could be done only with massive computing power not available in non governmental levels. In this area, Stuxnet creators have again demonstrated they can be generous – to ensure their code is accepted, they used two different signatures – by chip Taiwanese makers JMicron and Realtek. The fact that these signatures are time-stamped in within more than a week of each other could testify as to the lengthy process of the preparation, testing and operation planning.

A Cyber Storm III exercise participant briefs Department of Homeland Security (DHS) Deputy Secretary Jane Holl Lute during the exercise kickoff at U.S. Secret Service headquarters in Washington, D.C. Photo: DHS

The U.S. Department of Homeland Security (DHS) launched today the ‘Cyber Storm III’, a drill testing the nations’ resilience under a simulated, deliberate international cyber attack aimed at the hubs of government, infrastructure and business.

The three day exercise is the third and largest in a series of annual cyber attack drills conducted outside the defense community. The current event involves more participants that past years, form the federal, state, and commercial sectors. Among the ‘defenders’ are players from seven government departments, 11 states, 12 different countries and 60 private sector companies. The exercise is managed by the DHS’s National Cyber Security Division (NCSD).

The cabinet-level departments participating in Cyber Storm III are from Commerce, Defense, Energy, Homeland Security, Justice, Transportation and Treasury. In addition, the White House and representatives from the intelligence and law enforcement communities will also attend the event. Eleven states are taking part – California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas and Washington. Among the participant countries are Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom (only four foreign nations participated in Cyber Storm II last year). DHS selected 60 companies from the private sector, to assess the effect of potential cyber attack on commercial services sectors, such as Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water.

The scenario developed by NCSD incorporates known, credible technical capabilities of adversaries and the exploitation of real cyber infrastructure vulnerabilities, resulting in a range of potential consequences – including loss of life and the crippling of critical government and private sector functions. By coincidence, such capabilities have surfaced in recent weeks, with the distribution of a new malicious code called Stuxnet, spreading through industrial systems and infrastructure networks. Such code has the potential to penetrate highly protected systems, including networks that are completely isolated from the internet, to conduct espionage, disruption or deliberate attack.

The ‘defenders’ could face over 1,500 separate events; some will be subtle, with only few hints indicating ongoing penetrations into computerized systems. Other events will be more dramatic, demonstrating the resulting effects to compromised networks. They will have to identify the ongoing attack in real time, mitigate the compromises and vulnerabilities that allowed it to occur, and deal with the possible consequences to compromised systems. “At its core, the exercise is about resiliency – testing the nation’s ability to cope with the loss or damage to basic aspects of modern life.” DHS officials explain, adding “the Cyber Storm III exercise scenario reflects the increased sophistication of our adversaries, who have moved beyond more familiar Web page defacements and Denial of Service (DOS) attacks in favor of advanced, targeted attacks that use the Internet’s fundamental elements against itself – with the goal of compromising trusted transactions and relationships.”

Cyber Storm III provides the DHS with the first opportunity to assess and strengthen cyber preparedness and resilience of the nation’s critical infrastructure and key resources (CIKR) – evaluating how the collective cyber preparedness and response capabilities perform against realistic cyber attack. It will also provide the first opportunity to assess the newly-developed National Cyber Incident Response Plan (NCIRP) – a blueprint directed by President Barack Obama, for cybersecurity incident response. The exercise will examine the roles, responsibilities, authorities, and other key elements of the nation’s cyber incident response and management capabilities and use those findings to refine the plan. It will also test the new, National Cybersecurity and Communications Integration Center (NCCIC) inaugurated in October of 2009, which serves as the hub of national cybersecurity coordination.

Australia is wiring 12 of its new Super Hornets to receive Electronic Surveillance and Attack systems, if and when such capability will be required. Photo: Boeing

Boeing is pre-wiring 12 of the Royal Australian Air Force’s (RAAF) Super Hornet for potential conversion of the aircraft for Electronic Attack role. At present the Australians have not decided whether to equip the aircraft with such capabilities. According to RAAF Group Capt. Steve Roberton, Officer Commanding 82 Wing currently operating these fighters, the ability to introduce an electronic attack capability on part of the Australian Super Hornets provides maximum flexibility for future missions. “Ultimately, if a decision to incorporate an electronic attack option is pursued, it will further expand the broad capability of an already formidable Super Hornet weapon system.” Robertson said.

Pre-wiring prepares the infrastructure on aircraft to feed RF signals, power, and cool the unique payloads associated with electronic surveillance and attack. Pre-wiring will enable a standard Super-Hornet Block II to carry Signals Intelligence (SIGINT) payloads (ALQ-218 radar band and ALQ-227 communications scanners) as well as the ALQ-99 Electronic Attack jammer. Both are currently employed with the U.S. Navy’s F-18G Growler. Australia is the first Super Hornet customer to follow the ‘pre wiring’ track. Boeing completed the production of the first batch of 12 Australian F/A-18E/Fs and is on schedule to deliver the last of the 24h Super Hornets in 2011. According to Boeing’s Australian Super Hornet program manager, Carolyn Nichols, the pre-wired configuration reduces the cost associated with future retrofit at a later date”

The 24 F/A-18E/F Block II Super Hornets ordered by Australia in 2007 are multirole aircraft, able to perform virtually every mission in the tactical spectrum, including air superiority, day/night strike with precision-guided weapons, fighter escort, close air support, suppression of enemy air defenses, maritime strike, reconnaissance, forward air control and tanker missions. Adding an Electronic surveillance and Attack capabilities will dramatically enhance the nation’s cyber-warfare potential to engage future adversaries with non lethal but highly effective, means.