Saturday, November 1, 2014

Cyber-espionage: Sandworm and Taidoor

Recently, NATO officials, the Ukrainian government, EU governments, and others have received emails with malicious attachments containing spyware and other hostile code. The cyber-threat intelligence firm iSight named this campaign Sandworm. Similar emails carrying malware and spyware have been discovered in Taiwan. In both cases, the code, found in Office documents (mainly PowerPoint files) by iSight and by McAfee and Google researchers, exploits weaknesses in the Windows operating system and in Microsoft Office. The code uses a “zero-day vulnerability” and takes advantage of the Object Linking and Embedding (OLE) mechanism in Office files, which allows, for example, an Excel graph to be shown inside a PowerPoint slide. Rather than embedding a graph, however, the attackers embedded code that spied on the recipients. A similar case in August, called Epic Turla and also attributed to Russia, included malware that searched the recipient’s computer for phrases relating to sensitive documents. If the phrases were present, more code could be enabled remotely to run more thorough searches and report what it found to its creator. That case used compromised websites rather than email attachments.
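Because the OLE mechanism described above is legitimate, the defensive question is not "does this PowerPoint use OLE?" but "what exactly is embedded or linked, and does it look like a chart?" The following scanner is an added example, not code from the original post or from any of the researchers it cites. It opens a PPTX file (an OOXML zip), walks the relationship files, and reports every OLE object or embedded package: the slide it belongs to, the registered `progId` the slide claims for it, whether the target is an internal part or an external link, and whether an internal part carries the magic bytes of a legacy OLE compound file. The namespace URIs and the `p:oleObj` / `progId` attribute are the standard OOXML ones; the sample presentation is constructed in code and is deliberately schema-minimal, so it exercises the scanner but is not a file Office would open.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces and relationship types (real URIs, not invented).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package"
PML_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Header signature of a Compound File Binary (legacy OLE) container.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _source_part(rels_name):
    """Map 'ppt/slides/_rels/slide1.xml.rels' to the part it describes, 'ppt/slides/slide1.xml'."""
    folder, sep, fname = rels_name.rpartition("/_rels/")
    if not sep:  # package-level '_rels/.rels' describes the package root
        return ""
    return f"{folder}/{fname[:-len('.rels')]}"


def _prog_ids(z, part):
    """Collect relationship id -> progId for every p:oleObj element in a slide part."""
    ids = {}
    if part.endswith(".xml") and part in z.namelist():
        root = ET.fromstring(z.read(part))
        for obj in root.iter(f"{{{PML_NS}}}oleObj"):
            ids[obj.get(f"{{{R_NS}}}id")] = obj.get("progId")
    return ids


def find_embedded_objects(pptx_bytes):
    """Return one finding per OLE object / embedded package relationship in the PPTX."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for rels_name in sorted(n for n in names if n.endswith(".rels")):
            source = _source_part(rels_name)
            prog_ids = _prog_ids(z, source)
            root = ET.fromstring(z.read(rels_name))
            for rel in root.findall(f"{{{RELS_NS}}}Relationship"):
                rtype = rel.get("Type")
                if rtype not in (OLE_REL, PKG_REL):
                    continue
                rid = rel.get("Id")
                external = rel.get("TargetMode") == "External"
                finding = {
                    "source": source,
                    "rel_id": rid,
                    "kind": "oleObject" if rtype == OLE_REL else "package",
                    "prog_id": prog_ids.get(rid),
                    "external": external,
                    "target": rel.get("Target"),
                    "is_cfb": False,
                    "size": None,
                }
                if not external:
                    # Internal targets are relative to the folder of the source part.
                    path = posixpath.normpath(
                        posixpath.join(posixpath.dirname(source), finding["target"]))
                    finding["target"] = path
                    if path in names:
                        data = z.read(path)
                        finding["size"] = len(data)
                        finding["is_cfb"] = data.startswith(CFB_MAGIC)
                findings.append(finding)
    return findings


def build_sample_pptx():
    """Constructed, schema-minimal PPTX: one slide with an embedded OLE part and an
    external OLE link. It drives the scanner; it is not an openable presentation."""
    slide = (
        f'<p:sld xmlns:p="{PML_NS}" xmlns:r="{R_NS}"><p:cSld><p:spTree>'
        '<p:oleObj progId="Excel.Chart.8" r:id="rId2"/>'
        '<p:oleObj progId="Package" r:id="rId3"/>'
        "</p:spTree></p:cSld></p:sld>"
    )
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_REL}" Target="../embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId3" Type="{OLE_REL}" Target="\\\\fileserver\\public\\chart.xls" '
        'TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        # Constructed embedded part: CFB magic followed by zero padding.
        z.writestr("ppt/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_embedded_objects(build_sample_pptx()):
        where = ("EXTERNAL link" if f["external"]
                 else f"embedded part ({f['size']} bytes, CFB={f['is_cfb']})")
        print(f"{f['source']}: {f['kind']} {f['rel_id']} progId={f['prog_id']} "
              f"-> {f['target']} [{where}]")
```

In triage, the two things worth a second look are a `progId` that does not match what a presentation should contain (for example "Package" rather than a chart or spreadsheet class) and any OLE relationship with `TargetMode="External"`, since a linked object is fetched from outside the document when the slide is rendered. Mail gateways and sandboxes can run the same walk over every PPTX attachment and quarantine those findings for review instead of trusting the file's own description of what it embeds.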

In the case of Sandworm, the documents used were written in Russian and were usually interesting to the target, such as falsified lists of pro-Russian Ukrainian separatists. In Taiwan, very similar Chinese code was discovered. The malware used in Taiwan is called Taidoor, and has been previously linked to Chinese cyber-espionage. Due to the nature of the compromised documents and the code, the researchers believe they are linked to or controlled by the Russian and Chinese governments, respectively, rather than originating from civilian black-hat hackers. However, there is currently no way to know for sure. Without proven government involvement, the international community can take no effective action against the attackers.

Even if government involvement were proven in either case, there is still not much the international community can really do. Although spyware sent by a government to foreign officials might violate international law and could be considered a violation of state sovereignty, it cannot be classified as a cyber-attack and therefore is neither an act of war nor governed by the law of war.

As we read in Sanger, an example of something that could be considered a cyber-attack is the Stuxnet virus. Stuxnet, like Sandworm, exploited “zero-day vulnerabilities,” four of them. Unlike Sandworm, however, Stuxnet was introduced by USB drives and was used initially to disrupt and damage Iranian nuclear facilities, first by affecting data and computer networks and then by destroying nuclear centrifuges. Sandworm and the similar Chinese threat were spyware: they only reported data and did not alter data, disrupt the computer, or take control of it.

In class, we defined a cyber-attack as something that has force similar to an armed attack or that undermines the function of the network. Since Stuxnet caused the destruction of nuclear facilities, it is clear that it was a cyber-attack. Sandworm and the Chinese code are obviously some kind of intrusive and malicious program, but they do not have the ability to cripple systems as Stuxnet did, so they cannot be called a cyber-attack. The definition of a cyber-attack recommended in Hathaway (2012) states that the program must “undermine the function” of a system. This is typically done by adding or modifying information, not by merely observing the computer or network. Programs that simply observe, as Sandworm does, are considered cyber-espionage instead. Since cyber-espionage neither has force similar to an armed attack nor undermines the function of the network, it cannot be considered an act of war. Therefore, it is not governed by the law of war, and Article 51 of the UN Charter governing self-defense does not apply.

Even without this definition, it makes sense to classify Sandworm as espionage: it only looked at data on the infected computers and did not have the ability to destroy documents, take over the computers, or spread more malicious code over a network. However sensitive the information retrieved or observed by the programs might have been, Sandworm is not a cyber-attack. Those affected by the virus could take diplomatic measures against the suspected hackers, but there is a good chance these will not be effective, because of lack of proof, government denials, the risk of further worsening relations, or the threat of further attacks or intrusions. There is nothing effective the affected parties can do but tighten their own internet security policies and wait for Microsoft to release a patch for the operating system or for Office.

