The Evolution of Cyber Espionage - Jessica Bourquin
The Evolution of Cyber Espionage:
A Case for an Offensive U.S. Counterintelligence Strategy
Jessica N. Bourquin
Utica College
CYB615, Professor J. Bardin
October 14, 2011
http://www.onlineuticacollege.com/programs/masters-cybersecurity.asp
jessbourquin@gmail.com
EVOLUTION OF CYBER ESPIONAGE 2
APA citation style
Abstract
The goal of this paper is to establish an argument for a proactive cyber counterintelligence
strategy. By following the development of cyber-attacks as they evolve into global espionage
by advanced persistent threats, the need for a change in counterintelligence strategy becomes
evident. The cyber-attacks this report presents as case studies are Moonlight Maze, Byzantine
Hades, Titan Rain, Operation Aurora, and Stuxnet. Analyzing this progression demands the
development of a national cyber counterintelligence program that implements offensive strategy
rather than exclusively defensive techniques.
While standard cyber defenses that block cyber intrusions are still necessary, this paper focuses
on cyber-attacks that successfully infiltrate systems and, more specifically, tactical responses to
advanced persistent threats. Standard procedures are, however, worth mentioning. Please refer
to the appendix for defensive recommendations. In addition, this paper will not detail the
historical development of United States counterintelligence policy. It will instead focus on
current policies and supporting case studies, as well as suggest strategies and actions. The
foundational source for the recommendations contained in this report is Michelle Van Cleave's
Counterintelligence and National Strategy publication (2007).
Key Words: cyber security, cyber espionage, advanced persistent threats, Moonlight Maze,
Byzantine Hades, Titan Rain, Operation Aurora, Stuxnet, Coreflood, counterintelligence,
offensive counterintelligence
Table of Contents
Abstract ... 2
Introduction ... 4
Background and Terminology ... 5
  Current U.S. Cyber Policy ... 5
  Espionage ... 6
  Counterintelligence ... 7
  Advanced Persistent Threats ... 9
Case Studies ... 11
  Moonlight Maze ... 11
  Byzantine Hades ... 13
  Titan Rain ... 15
  Operation Aurora ... 17
  Stuxnet ... 20
  Risk Assessment ... 21
Countermeasures: Offensive Tactics ... 23
  The Coreflood Example ... 23
  Corporate Offensive Actions: Naming and Shaming ... 23
  National Offensive Counterintelligence Recommendations ... 24
Conclusion ... 26
Appendix ... 27
References ... 28
Introduction
Counterintelligence without an offensive strategy leads to engaging adversaries on home
soil, which is severely disadvantageous. "In the military, you're taught that in a defensive
position, you have a three-to-one advantage over an attacker," said Greg Conti, associate
professor of computer science at West Point, "but in security, it's the opposite. The attacker has
nearly a thousand-to-one advantage. We have to assume that a determined adversary can
overcome the defender; it is just a matter of how long it will take" (Ahamad, 2011).
Historically, lawmakers have ignored counterintelligence at the national level, which
prevented policy from passing into action. This led intelligence collection agencies to prioritize
counterintelligence even lower, further diminishing its capabilities. Without collection against
foreign adversaries, there will never be an effective counterintelligence strategy to oppose
them (Van Cleave, 2007). Study after study has enumerated the shortcomings of U.S.
counterintelligence, and yet very little has changed (Van Cleave, 2007). It is much simpler
fiscally to reorganize and modify existing programs than to create new ones. Additionally, the
agencies' long-standing preference that government officials tell them what to do and then leave
them alone to do it is an impediment on the road to a cohesive offensive counterintelligence
strategy (Van Cleave, 2007).
Authorities evaluate performance on a case-by-case level, tracking counterespionage
accomplishments instead of integrating operations with the larger strategic mission (Van Cleave,
2007). This allows homeland security and counterterrorism efforts to dominate the national
limelight, which convinces the American public and policymakers alike that other threats, such
as cyber espionage, are incomparable in severity. Foreign intelligence threats have taken on
roles secondary to those of, for instance, the current wars. Unfortunately, this may lead to a
situation similar to the Cold War with Russia, in which the narrow focus of attention (World War
II) rendered U.S. counterintelligence effectively blind to Russian capabilities (Van Cleave,
2007).
Recently, the United States government has made significant strides in developing cyber
security, such as establishing Cyber Security Awareness Month and beginning the construction
of the nation's first Cyber Warfare Intelligence Center. The new wave of awareness provides the
ideal opportunity to pursue changing from a primarily defensive to an effective offensive
strategy.
Background and Terminology
Current U.S. Cyber Policy
In 2009, President Obama approved the Comprehensive National Cyber Security
Initiative. This policy aimed to establish a front line of defense against today's immediate
threats, to defend against the full spectrum of threats, and to strengthen the future cyber
security environment (The Comprehensive National Cyber Security Initiative). In order to
accomplish these goals, the report announced the following primary objectives (2009):
Initiative #1. Manage the Federal Enterprise Network as a single network enterprise
with Trusted Internet Connections.
Initiative #2. Deploy an intrusion detection system of sensors across the Federal
enterprise.
Initiative #3. Pursue deployment of intrusion prevention systems across the Federal
enterprise.
Initiative #4. Coordinate and redirect research and development (R&D) efforts.
Initiative #5. Connect current cyber ops centers to enhance situational awareness.
Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI)
plan.
Initiative #7. Increase the security of our classified networks.
Initiative #8. Expand cyber education.
Initiative #9. Define and develop enduring leap-ahead technology, strategies, and
programs.
Initiative #10. Define and develop enduring deterrence strategies and programs.
Initiative #11. Develop a multi-pronged approach for global supply chain risk
management.
Initiative #12. Define the Federal role for extending cyber security into critical
infrastructure domains (2009).
While this proposal represents forward progress, only one of the 12 enumerated
initiatives addresses counterintelligence. In initiative #6, the U.S. government explained the
necessity of implementing a government-wide cyber counterintelligence plan in order to detect,
deter, and mitigate evolving threats (The Comprehensive National Cyber Security Initiative,
2009). Although the specified methodologies of expanding education, awareness, and workforce
development are helpful, changing tactics is critical.
Espionage
Espionage is the most efficient and cost-effective method of opposing the United States.
Adversaries hold a distinct advantage in the cost-benefit ratio of espionage (Van Cleave, 2007).
The U.S. government can spend billions of dollars on a technologically advanced weapons
system, but the advantage is lost as soon as adversaries steal the data and designs for it. Today,
the United States is a target of espionage for over 30 terrorist groups and the majority of the
world's governments (Van Cleave, 2007). This vast array of adversaries often has similar
motivations (Van Cleave, 2007):
Control the development of national security strategies, technology, and the economy by
manipulating and misleading U.S. policymakers.
Preempt, influence, disrupt, terminate, or counter U.S. actions such as covert operations
and diplomatic activities.
Advance economic and militaristic interests by pillaging critical U.S. technologies and
intellectual property.
Defeat U.S. objectives by compromising national security secrets such as technology,
plans, and operations.
Espionage can also target a variety of information. Economic espionage, for example, is
the unlawful or clandestine targeting or acquisition of sensitive financial, trade, or economic
policy information, proprietary economic information, or critical technologies (Bardin, 2011).
This definition excludes information that is legally available, such as open source software.
Industrial espionage involves foreign governments obtaining or helping a foreign company
obtain commercial secrets illegally (Bardin, 2011). Property espionage occurs when foreign
entities take information that is not publicly available, such as trade secrets and critical
technologies (Bardin, 2011). Espionage can harm the capability to compete in the world
marketplace, as well as weaken the economy and national security (Bardin, 2011). Cyber
espionage applies to information stolen via the internet, networks, and individual computers.
Modern information technology and microelectronics advancements have drastically
improved the efficiency of espionage (Van Cleave, 2007). In a few keystrokes, foreign agents
can exfiltrate vast quantities of data without ever leaving their desk. Cyber espionage has
become dauntingly sophisticated and extremely subtle. Attacks can go unnoticed for prolonged
periods, and often leave little, if any, trace of their presence. In addition, determining who is
behind intrusions is often very difficult if not impossible. For the purposes of limiting scope, this
report will focus predominantly (but not exclusively) on Chinese cyber espionage. Van Cleave
has enumerated several facts on Chinese espionage (2007):
China has remained one of the top intelligence threats for over 10 years because of its
strategic capabilities, its intent to target the U.S., and its many opportunities.
China manages some of the most effective intelligence agencies in the world.
China has successfully acquired a plethora of sensitive information on U.S. technologies,
including missile design and guidance technology, electromagnetic weapons research,
design schematics on nuclear weapons, and space launch capabilities.
The Chinese use nontraditional intelligence methods, including an extensive network of
informants who are not intelligence officers. This also grants them plausible deniability
when cyber intrusions trace back to China, which is evident in cases like Titan Rain.
Their range of targeted information implies strategic foresight and the intent to modernize
their country. China is leveraging asymmetric strategy by hijacking U.S. data to boost their
military and economy, adhering to the most cost-effective method of opposing the United States.
Unfortunately, the very nature of the economic relationship between the United States and China
renders counteracting Chinese espionage extremely challenging.
Counterintelligence
Counterintelligence has several slightly different definitions, but the version applicable in
this case is:
Information gathered and activities conducted to identify, assess, neutralize, and exploit the
intelligence activities and capabilities of foreign powers, terrorist groups, and other foreign
entities that harm U.S. national security at home and abroad. These foreign intelligence activities
include espionage, technical collection, sabotage, influence operations, and manipulation of, or
interference with U.S. defense and intelligence activities. (Van Cleave, 2007).
As implied by the definition, counterintelligence involves two core elements:
information gathering and acting on that information. The target of counterintelligence is foreign
intelligence; more specifically, only non-U.S. persons and exclusively intelligence-related
information. This definition also identifies the process counterintelligence uses: identification,
assessment, neutralization, and exploitation.
The first tasks in the counterintelligence process are to gather and assess information.
Identifying and analyzing foreign intelligence activities directed against the United States and
its interests requires detecting intelligence anomalies and seeing if they show a pattern (Van
Cleave, 2007). For instance, anomalies like communications channels suddenly becoming
inactive or many reports containing uncharacteristically similar messages arriving may be pieces
of a larger puzzle (Van Cleave, 2007). Substantial financial reallocations can also signal pending
attacks, specifically more costly and involved operations such as those of advanced persistent
cyber threats. Additionally, knowledge of foreign intelligence operations can provide
forewarning, allowing policymakers to reduce the likelihood or severity of impacts by engaging
in threat mitigation early. Identification requires access to foreign intelligence, which obviously
necessitates moving the fight from U.S. onto foreign soil.
The following tasks of the counterintelligence process form the primary distinguishing
feature of counterintelligence from traditional intelligence: operational functionality (specified
in its very definition as "activities conducted"). Counterintelligence officers not only know
information, but act on it (Van Cleave, 2007). This is where law enforcement incorporates into
the operation. Unfortunately, excessive integration of law enforcement and counterintelligence
can become problematic. Motivations of foreign intelligence agencies differ from those of
criminals, and it is usually more difficult to catch a foreign spy than a gang member.
Additionally, in the cyber world, passive defenses such as firewalls simply cannot counter all
threats. In contrast, exploitation, the quintessence of offensive counterintelligence, involves
techniques like leveraging an adversary's own intelligence operations for U.S. benefit.
Counterintelligence tactics divide into four categories: passive defense, active defense,
passive offense, and active offense (Gerber & Sims, 2009). Passive defense keeps opponents
from valuable information by using tools like locks, vaults, and firewalls (Gerber & Sims, 2009).
This does not fluidly mesh with counterintelligence, as in addition to defending a system,
counterintelligence agents must ask such things as how, why, how long, and from whom, and
then act on that information. Active defense aims to bait offensive measures from opponents
using tools like wiretaps, moles, and honeypots (Gerber & Sims, 2009). Offensive
counterintelligence, on the other hand, uses various techniques to render attacks harmless or
manipulate adversaries into not attacking at all (Gerber & Sims, 2009). Passive offense involves
camouflaging techniques, and requires an opponent to be reasonably good at intelligence
collecting (Gerber & Sims, 2009). Finally, in active offensive counterintelligence, agents fool
adversaries by directly feeding them false information and manipulating their interpretation of it
(Gerber & Sims, 2009).
Counterintelligence itself is not a novel concept. Its prioritization in U.S. national
security policy and the implementation of offensive tactics in the cyber realm, however, is. For
more than ten years, select officials have pushed for the implementation of a unified,
comprehensive offensive counterintelligence strategy, but the implementation has yet to reach
completion, at least to the degree it requires for true success (Wanted: An Integrated
Counterintelligence, 1995). Shortly after the turn of the century, United States policymakers
began slowly to realize the need for a proper counterintelligence program. For a start, they
designated a National Counterintelligence Executive (NCIX) to manage counterintelligence
operations and resources. While taking these steps is certainly an improvement, many more
changes need to occur in order for an offensive counterintelligence strategy to reach its full
potential. If it is not implemented to its utmost capabilities, counterintelligence may remain
unable to combat the evolving cyber threats.
Advanced Persistent Threats
In the world of cyber security, the distinguishable boundary between government and
non-government targets has blurred. Now any information that can cause harm is at risk, and
there is no end in sight. If an organization is vulnerable for any period, the probability of a
compromise is high (Cole, 2010). The U.S. Air Force coined the term "advanced persistent
threat" around 2006. Advanced persistent threats (APTs) use stealth and adaptation techniques
to infiltrate computers and networks for months or even years. APTs differ from standard cyber
threats in their level of sophistication and the dedication of their operators. Their methods are
persistent, targeted, evasive, and complex. Instead of solely implementing new types of
intrusion techniques, APT authors coordinate multiple methodologies. APT operators are
disciplined, skilled, organized, and well-funded.
Advanced threats utilize the full spectrum of intrusion tools and techniques, often
combining several intrusion tactics such as internet-based malware, external malware, external
exploitation, and trusted connections (Advanced Persistent Threats, n.d.). Figure 1 below
shows specific examples of methods and vectors attackers use.
Figure 1. Tools and techniques of advanced persistent threats (Advanced Persistent
Threats, n.d.).
Persistent threats prioritize specific long-term goals over opportunistic financial gain,
which requires dedication, external guidance, and continuous monitoring over a prolonged
period (Advanced Persistent Threats, n.d.). They will adapt to security adjustments until they
accomplish their objectives or until the cost of the operation grows too high (Ahamad, 2011).
Advanced persistent threats commonly have three attack phases (Advanced Persistent
Threats and Other Advanced Attacks, 2011). The first involves reconnaissance, in which attack
operators research vulnerabilities and select desired assets, as well as launch the attack (e.g.,
spear phishing) and infect the target system (Advanced Persistent Threats and Other Advanced
Attacks, 2011). In the second attack phase, attackers control the APT from afar through
command-and-control (C&C) servers, adapting as needed to gain access to sensitive data and
avoid detection (Advanced Persistent Threats and Other Advanced Attacks, 2011). The third
phase encompasses the extraction of data (Advanced Persistent Threats and Other Advanced
Attacks, 2011). APT creators invest enormous effort into avoiding detection, so the network
activity phase three creates may provide the only effective means of detecting these threats.
Case Studies
Conventional wisdom once assumed that although cyber-attacks could be potentially
costly, they were usually composed of simple denial of service attacks and website graffiti.
Now, according to McAfee, cyber intruders steal more than $1 trillion worth of intellectual
property every year (Evans, 2010). Cyber espionage poses an extremely formidable threat
because it is difficult to defend and to attribute. Historically, espionage required going behind
enemy lines to extract information manually. Now, adversaries need only to log onto the internet
(Charkow, 2011). The following cyber-attacks are examples of espionage and theft of
intellectual property, beginning with Moonlight Maze, transitioning through Byzantine Hades,
Titan Rain, and Operation Aurora. This compilation ends with Stuxnet, the first worm to bridge
advanced persistent threat intrusions into the physical world, which solidifies the fears implied
by the other infiltrations.
Moonlight Maze
Moonlight Maze refers to a series of intrusions into Department of Defense computers
that began in March 1998. The intruders freely marauded through tens of thousands of files for
more than three years (Cyberwar, 2003). Moonlight Maze remained undetected until U.S.
officials accidentally identified a pattern in probing of computer systems at NASA, the Pentagon,
and the Energy Department, as well as private universities and research labs (Cyberwar, 2003).
Among the files accessed were troop configurations, maps of military installations, and military
hardware designs (Cyberwar, 2003). In 2001, chair of security consultancy iDefense James
Adams deemed Moonlight Maze the largest sustained cyber-attack on the United States
(Abreu).
Moonlight Maze used very sophisticated techniques. The penetrators took a plethora of
information without a clearly distinguishable pattern, which required restraint, discipline, and
training (Hamre, 2003). Its authors most likely came from an intelligence background, and had
strong computer and security skills (Hamre, 2003). Masking their identity, the Moonlight Maze
penetrators took advantage of the culture of openness in the scientific community. That is, rather
than invading via the internet, Moonlight Maze leveraged the vast science and engineering cyber
environment that has been continuously expanded within the scientific community for more than
10 years (Hamre, 2003). Specifically, the Department of Defense (DOD) operates large farms of
supercomputers, which are openly available to laboratories and universities for research purposes
(Hamre, 2003). Despite the implied unclassified status of information in this open realm, the
attackers targeted sensitive data and specifically searched for secret information (Hamre,
2003). The compromised information waited in a queue at a printer, which meant that it remained
unencrypted and was not behind a firewall (Arquila, 2003).
Prior to the discovery of Moonlight Maze, the supercomputer centers did not
continuously monitor traffic, because the concept of a threat arising within the cyber community
that took advantage of open research was not even fathomed (Hamre, 2003). When stronger
security procedures were established, the DOD discovered that their unknown opponents were
adapting (Hamre, 2003). In other words, the adversaries were observing us while we were
observing them and continuously improving their methods in response to the DOD's actions
(Hamre, 2003). Although this type of sophisticated attack is still a concern today, the volatile
nature of cyberspace establishes its own defense. For example, it would be impractical for an
intruder to plant bugs they plan on activating years later, because the software could easily
change in the meantime, rendering the bugs impotent or even deleting them (Hamre, 2003).
The attack forced officials to broaden their views of cyber security. This intrusion
proved that the United States was not only vulnerable to disruption, but also to exploitation from
an adversary who could access protected information at will over a considerable length of time
(Arquila, 2003). Moonlight Maze also highlighted the difficulties of attribution. While experts
were able to trace it to Moscow, they could not confirm Russia as the originator of the attack.
Attack perpetrators could easily have routed their traffic through a computer in Russia while
working from any other location in the world.
While the Moonlight Maze intrusions aimed only to access secure information, the
exploited vulnerabilities could have facilitated other outcomes with more severe consequences,
such as vast system disruptions and attacks on power grids or SCADA systems. In this respect,
Moonlight Maze was comparatively beneficial. The intrusion led to the discovery of new
vulnerabilities.
Key Points:
Moonlight Maze began in March 1998 and lasted for over three years.
The United States is vulnerable to prolonged covert cyber-attacks, especially through
spear phishing techniques.
As of 2001, it was the largest sustained cyber-attack on the United States (Abreu).
The attackers were sophisticated, disciplined, and adaptable.
Moonlight Maze demonstrated that even unclassified information in the Department of
Defense is a target of cyber espionage.
Even supercomputer centers designed for open research should encrypt data and monitor
traffic.
Byzantine Hades
Byzantine Hades, publicly acknowledged on April 14, 2011, represents a nearly
decade-long series of attacks that use targeted social engineering and malicious email
attachments to gain access to secure systems (McLean, Shane, & Tse, 2011). The intruders have
accumulated terabytes of sensitive information,[1] from State Department usernames and
passwords to designs for multi-billion dollar weapons systems (Grow & Hosenball, 2011).
Byzantine Hades was comprised of three parts: Byzantine Anchor, Byzantine Candor, and
Byzantine Foothold (Grow & Hosenball, 2011). Beginning in late 2002, Byzantine Candor
installed key-loggers and C&C utilities to facilitate illegal access to sensitive information
(Lemos, 2011). According to the Air Force Office of Special Investigations, the authors of
Byzantine Hades headquartered in Shanghai and have ties with the People's Republic of China
and the People's Liberation Army (McLean, Shane, & Tse, 2011).
Byzantine Hades is polymorphic; that is, it has the ability to change forms every time it
runs (Grow & Hosenball, 2011). This allows it to avoid traditional detection methods and
remain hidden deep within computer networks for extended periods. Additionally, the authors of
Byzantine Hades tested it in advance to optimize its resistance to antivirus programs (Grow &
Hosenball, 2011). The creators of Byzantine Hades may have also authored the Gh0stNet
Remote Access Tool (RAT), which could capture keystrokes, take screen shots, install and
change files, as well as record sound with a connected microphone and video with a connected
webcam (Grow & Hosenball, 2011).
[1] To establish a comparison: One byte of data contains a single character, two kilobytes can contain the data for a
typed page, 5 megabytes of data can contain the complete works of Shakespeare, and 20 gigabytes of data can
contain a comprehensive audio collection of Beethoven's compositions (Huggins, 2011). One terabyte can hold the
data for all X-ray films inside a large technological hospital, and 10 terabytes can store the entire printed collection
in the U.S. Library of Congress (Huggins, 2011).
Chinese intelligence organizations, military units, and affiliated hacker groups are known
for combing the internet for details on potential targets for spear phishing attacks, looking for
job descriptions, networks of associates, and even the way they sign their emails (Grow &
Hosenball, 2011). Byzantine Candor used spoofed emails of trusted parties to infiltrate
Department of Energy, Department of State, Department of Defense, and several other agency
networks (McLean, Shane, & Tse, 2011). Byzantine Hades also targeted some French officials
as well as German military, economic, scientific, technological, commercial, and research
interests (Grow & Hosenball, 2011). These spear-phishing tactics tricked recipients into
accidentally compromising their systems. Over a period of several years, the intruders exploited
Windows vulnerabilities to gain access to private networks, and then used those compromised
systems to attack other United States government networks (McLean, Shane, & Tse, 2011).
Advanced persistent threats of this nature are frequently impossible to identify until they
begin forwarding stolen information back towards their C&C servers (Grow & Hosenball, 2011).
Security administrators can mitigate these threats by looking for the "phoning home" behaviors.
In fact, contact with a C&C server led to the discovery of Byzantine Hades (Grow & Hosenball,
2011).
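The paper makes this detection point twice: the network activity of the data-extraction phase may be the only effective means of detecting an APT, and administrators can watch for contact with C&C servers. As an added example that is not from the paper, the following Python flags client-to-destination connections that recur at near-constant intervals in egress proxy logs, which is one practical form of a "phoning home" check; the log format, sample lines, and thresholds are constructed for this illustration.

```python
"""Periodicity ("phoning home") check over egress proxy logs.

Added example, not code from the paper. Flags (client, destination)
pairs whose outbound connections recur at suspiciously regular
intervals, the kind of beaconing that C&C contact tends to produce.
Log format and sample lines are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp client dest_host bytes_out".
# One host contacts the same destination every ~10 minutes; the rest
# is ordinary, irregular browsing and mail traffic.
SAMPLE_LOG = """\
2011-10-14T09:00:00 10.1.2.7 updates.example-vendor.test 412
2011-10-14T09:00:05 10.1.2.7 mail.example.test 9310
2011-10-14T09:10:00 10.1.2.7 updates.example-vendor.test 418
2011-10-14T09:20:01 10.1.2.7 updates.example-vendor.test 415
2011-10-14T09:23:44 10.1.2.7 news.example.test 20110
2011-10-14T09:30:00 10.1.2.7 updates.example-vendor.test 420
2011-10-14T09:40:00 10.1.2.7 updates.example-vendor.test 417
2011-10-14T09:41:12 10.1.2.9 news.example.test 18040
2011-10-14T09:50:02 10.1.2.7 updates.example-vendor.test 419
2011-10-14T10:12:30 10.1.2.9 mail.example.test 8800
2011-10-14T10:55:03 10.1.2.9 news.example.test 17700
"""


def parse_log(text):
    """Return a list of (datetime, client, dest, bytes_out); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            records.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue  # unparseable timestamp or byte count
    return records


def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Flag (client, dest) pairs seen at least min_hits times whose
    inter-arrival intervals vary by no more than max_jitter
    (standard deviation relative to the mean interval).

    Thresholds are assumptions for the example; tune them to the
    environment, and treat hits as leads for analysts, not verdicts.
    """
    by_pair = defaultdict(list)
    for ts, client, dest, _bytes_out in records:
        by_pair[(client, dest)].append(ts)

    findings = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "dest": dest,
                "hits": len(stamps),
                "period_s": round(avg),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['dest']}: {hit['hits']} connections, "
              f"every ~{hit['period_s']}s (jitter {hit['jitter']})")
```

A legitimate updater can beacon just as regularly, so a hit is a lead to confirm against an allow list or the destination's reputation, not proof of compromise.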
While the United States attempted to engage in talks with China regarding cyber
espionage, China has a tendency to go rigid at the mention of such attacks (Grow & Hosenball,
2011). While China could certainly use theft of trade secrets and intellectual property to
stimulate their own innovation and hence economic growth, the Chinese government claims that
because of the significant U.S. debt, destabilizing the U.S. markets would benefit neither party
(Grow & Hosenball, 2011). Rather, they seem more likely to perform clandestine cyber
espionage operations that they will never publicly claim. United States efforts to stop the
Byzantine Hades attacks are ongoing (Grow & Hosenball, 2011).
Key Points:
Byzantine Hades has been performing cyber espionage for more than 10 years.
Computer users are still vulnerable to spear phishing techniques.
Network security administrators can mitigate advanced persistent threats by watching for
contact with C&C servers.
China denies involvement in cyber espionage.
Titan Rain
Some government network analysts at various nuclear labs as well as at military and
defense contractor facilities asserted that Titan Rain is among the most pervasive cyber
espionage threats that U.S. computer networks have ever faced (Thornburgh, 2005). In addition
to the frequently targeted government systems, Titan Rain aimed for destinations like automobile
companies that make tanks, food suppliers that provide military rations, oil companies that
supply fuel, and any companies with personal information on federal employees that can be
exploited to identify undercover operatives (Winkler, 2005). While the many files Titan Rain
has stolen are not technically classified, most contain sensitive information, which, when
compiled, can create a threat equivalent to that of stolen classified information. For example, Titan Rain
accumulated a plethora of aerospace documents, including hundreds of detailed schematics on
propulsion systems, solar paneling, and fuel tanks for NASAs Mars Reconnaissance Orbiter
(Thornburgh, 2005). The Titan Rain cyber espionage team also obtained copies of Falconview
3.2, the flight-planning software used by the U.S. Army and Air Force, as well as specifications
for the aviation-mission-planning system used in Army helicopters (Thornburgh, 2005).
Titan Rain broke into Lockheed Martin's network in September 2003 and into Sandia
National Laboratories' network several months later (Thornburgh, 2005). On November 1, 2004
alone, Titan Rain hit hundreds of computers at various agencies, including the U.S. Army
Information Systems Engineering Command in Fort Huachuca, Arizona; the Defense
Information Systems Agency in Arlington, Virginia; the Naval Oceans Systems Center in San
Diego, California; and the U.S. Army Space and Strategic Defense center in Huntsville, Alabama
(Thornburgh, 2005).
Attributing a cyber-attack to its true source of origin is often impossible. Initially,
although the attacks traced back to Chinese computers, there was not enough solid evidence that
the attacks originated there (Winkler, 2005). However, while the argument that "the attacks could
have originated anywhere and simply be bounced through Chinese computers" would usually
defuse any strong accusations, FBI security analyst Shawn Carpenter was able to track the Titan
Rain intruders (Winkler, 2005). In March 2004, Carpenter traced Titan Rain back to three
specific routers in China (Thornburgh, 2005).
The Titan Rain attacks usually lasted 10-30 minutes and predominately targeted U.S.
government and supporting systems with military and secret information of almost any variety
(Winkler, 2005). Before entering the targeted system, a scanner program scanned for
vulnerabilities (Thornburgh, 2005). Titan Rain commandeered a hidden section of a hard drive,
zipped as many files as possible, and immediately transmitted them to way stations (South
Korea, Hong Kong, or Taiwan) before forwarding them home to mainland China (Thornburgh,
2005). Carpenter established an alarm system that exemplified the frequency of Titan Rain's
activity. When Carpenter discovered the routers Titan Rain originated from, he planted code that
emailed his anonymous Yahoo! account every time the router picked up relevant activity
(Thornburgh, 2005). Over the next two weeks, he received nearly 23,000 alerts (Thornburgh,
2005). Carpenter estimated that 6 to 10 people, most likely from Chinese intelligence agencies,
continuously manage the Titan Rain invasions (Winkler, 2005). The Titan Rain team is fast,
efficient, skilled, and determined.
The cyber espionage ring took care to leave behind only a hidden beacon, which they
could use to re-enter a computer system later (Thornburgh, 2005). There is significant concern
that Titan Rain could be establishing a cyber path capable of shutting down or taking over a
number of different U.S. military networks (Thornburgh, 2005). Titan Rain has also invaded
computer systems in Britain, Canada, Australia, and New Zealand, which prompts similar
concerns internationally (Thornburgh, 2005).
Other concerns stem from the fact that the FBI may not have the ability to enter into a
cyber engagement with China. Bound by law-enforcement regulations, it is unable to combat
such threats. For example, although both the counterterrorism and cyber-crime
divisions of the FBI have been working to fight Titan Rain, they simply cannot hack into foreign
systems like those Carpenter did without authorization from high-level diplomatic and
Department of Justice officials (Thornburgh, 2005). Additionally, because Carpenter discovered
the origin of Titan Rain by illegally hacking into foreign computers, the U.S. government is not
legally able to act on any of the information he accumulated (Thornburgh, 2005). Hence, despite
the certainty of attribution proclaimed by network-security analysts like Carpenter, the U.S.
government cannot make the same claims (Thornburgh, 2005). U.S. government officials,
however, suggest that the level of organization implies state sponsorship (Thornburgh, 2005). In
addition, the head of the FBI's counterintelligence unit, David Szady, suggested that the Chinese are
more aggressive than anyone else when it comes to advancing their military via stolen data
(Thornburgh, 2005). The FBI has a good record of convincing foreign governments to cooperate
in catching most hackers, but China simply has not been cooperating with the U.S. when it
comes to Titan Rain (Thornburgh, 2005). While the military would have more reactive
flexibility than the FBI if it were heading the charge against Titan Rain, it could easily
spark an international incident by taking reactive measures (Thornburgh, 2005).
Key Points:
Titan Rain is among the most pervasive cyber espionage threats that the U.S. computer
networks have ever faced (Thornburgh, 2005).
Like Moonlight Maze, Titan Rain targets sensitive but unclassified data.
Computer users are still vulnerable to spear phishing techniques.
The Titan Rain attacks are fast and effective.
The Titan Rain intrusions leave behind hidden beacons through which the attackers can
re-enter a system at will.
Titan Rain may be capable of shutting down or taking over U.S. military networks.
The FBI cannot continue Shawn Carpenter's investigation, because he hacked into
foreign computers illegally.
China apparently knows the law enforcement limitations of the FBI, and still denies
involvement in cyber espionage.
Operation Aurora
Operation Aurora, so named because of a file folder referenced in the code, marked the
first time industrial companies experienced such a highly sophisticated set of attacks (Zetter,
2010). Using social engineering and spear phishing techniques, these attacks targeted
intellectual property, user account information, and source code repositories from Google,
Adobe, and many other high-profile corporations (Zetter, 2010). Operation Aurora utilized an
unprecedented combination of advanced encryption, multiple pieces of malware, and stealth
programming (Zetter, 2010). Aurora also opened a backdoor by exploiting a zero-day
vulnerability in Microsoft Internet Explorer (Krutz, 2010).
The attack began after an employee opened a spoofed email, presumably containing an
infected Excel file, PDF document, or the URL to a malicious website, which activated the
exploit. Internet Explorer then covertly downloaded several layers of nested, encrypted malware
(Zetter, 2010). The malicious programs, previously unknown to antivirus systems, created a
backdoor that established an encrypted, covert channel designed to look like an SSL connection
(Zetter, 2010). The data initially passed to C&C servers in Illinois, then through Texas and
Taiwan (Zetter, 2010).
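The covert channel described above was designed to look like an SSL connection. One cheap network-side check, added here as an example that is not code from the paper or from the sources it cites, is to verify that the first bytes a client sends on a TLS port really form a well-formed TLS ClientHello record; the captured byte strings, addresses and port list are constructed assumptions, not Aurora traffic.

```python
"""Checking whether a "looks like SSL" channel really begins with a TLS handshake.

Added example for this page (not code from the paper or any cited source).  The
Aurora backdoor used an encrypted channel designed to look like an SSL connection;
this verifies that the first client bytes on a TLS port form a plausible ClientHello
record.  The flows, addresses and port set below are constructed assumptions.
"""

TLS_PORTS = {443}        # assumption: ports on which only TLS is expected
MAX_RECORD = 16384       # maximum TLS plaintext record length (RFC 5246)


def tls_client_hello_problem(data):
    """Return None if `data` starts with a plausible TLS ClientHello, else a reason."""
    if len(data) < 9:
        return "too short for a TLS record plus handshake header"
    content_type, major, minor = data[0], data[1], data[2]
    if content_type != 0x16:
        return f"record type 0x{content_type:02x} is not handshake (0x16)"
    if major != 3 or minor > 3:
        return f"unknown protocol version {major}.{minor}"
    record_len = int.from_bytes(data[3:5], "big")
    if record_len < 4 or record_len > MAX_RECORD:
        return f"implausible record length {record_len}"
    if data[5] != 0x01:
        return f"handshake type 0x{data[5]:02x} is not ClientHello (0x01)"
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len != record_len - 4:
        return f"handshake length {hs_len} disagrees with record length {record_len}"
    return None


def find_protocol_mismatches(flows):
    """Flag client->server flows on TLS ports whose first bytes are not a ClientHello.

    `flows` is an iterable of (client, server, dst_port, first_client_bytes).
    Returns a list of (client, server, reason) tuples.
    """
    findings = []
    for client, server, port, first_bytes in flows:
        if port not in TLS_PORTS:
            continue
        problem = tls_client_hello_problem(first_bytes)
        if problem is not None:
            findings.append((client, server, problem))
    return findings


def build_client_hello():
    """Construct a minimal, length-consistent TLS 1.2 ClientHello record."""
    body = (b"\x03\x03" + bytes(range(32))  # client version + 32-byte "random"
            + b"\x00"                       # empty session id
            + b"\x00\x02" + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00")                  # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed flows: one genuine ClientHello, one custom binary protocol that merely
# borrows the 0x16 0x03 0x01 prefix, one that is not TLS at all, and one on a non-TLS port.
SAMPLE_FLOWS = [
    ("10.0.0.7", "203.0.113.10", 443, build_client_hello()),
    ("10.0.0.8", "198.51.100.5", 443, b"\x16\x03\x01\x00\x40\x01\x00\x10\x00" + b"Z" * 60),
    ("10.0.0.9", "192.0.2.77", 443, b"HELO backdoor v2\r\n"),
    ("10.0.0.9", "192.0.2.77", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for client, server, problem in find_protocol_mismatches(SAMPLE_FLOWS):
        print(f"{client} -> {server}:443 {problem}")
```

A channel that mimics TLS well enough to complete a genuine handshake passes this check, so it catches only crude mimicry and is best paired with certificate and destination reputation checks.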
The attacks began at least as early as December 15, 2009, and continued until the
implicated C&C servers shut down on January 4, 2010 (Zetter, 2010). The cause of the server
shutdown is unknown. Google discovered the breach within its systems in mid-December,
while Adobe discovered its intrusion on January 2 (Zetter, 2010). Both corporations publicly
announced the breach on January 12, 2010. In all likelihood, Operation Aurora purposefully
launched around the holiday season, when most companies and response teams lacked
substantial staffing (Zetter, 2010).
Aurora proved that advanced persistent threats have entered the corporate battlefield, and
that companies of all sectors are now lucrative targets (Krutz, 2010). Before Aurora, this level of
sophistication only appeared in attacks on government networks. In addition, most attacks that
targeted the commercial industry used common methods like SQL-injection attacks, focused
only on obtaining financial data, and did not prioritize subtlety as highly (Zetter, 2010). McAfee
Chief Technology Officer (CTO) George Krutz calls Operation Aurora "the tip of the iceberg,"
and proclaims that threat models need to be adapted accordingly (2010). Companies must now
focus on protecting all core intellectual property, private nonfinancial customer information, and
anything else of intangible value (Krutz, 2010).
Kurtz asserted that Chief Information Officers (CIOs) need to adapt to the new reality of
these persistent threats (Evans, 2010). Cyber threats have evolved into very sophisticated,
highly targeted tools designed to infect, conceal access, siphon data, or, even worse, modify
data without detection (Krutz, 2010). Cyber-attacks have become so sophisticated that they
leave behind almost no trace of their presence in a system. The major problem this exemplifies
is convincing the Chief Executive Officer (CEO) and the CIO that there is an issue at all, let
alone an urgent one. Discovering and combating cyber-attacks like Aurora is not as
straightforward as forensically examining infected systems and finding correlations between
activity and firewall logs (Krutz, 2010). "Don't expect [a sophisticated attacker] to drive a truck
through your network and leave a calling card on the way out," Kurtz argued (Evans, 2010).
"Instead, expect low and slow movements of data that blend into the massive amount of traffic
flow that happens on a daily basis on your network" (Evans, 2010).
According to most published articles, Aurora attacked more than 30 different
corporations (Claburn, 2010). Joel Brenner, former counterintelligence chief for the Office of
the Director of National Intelligence, asserts that Aurora targeted several thousand, not just over
thirty, companies (Grow & Hosenball, 2011). Immediately following Google's announcement of
the attack it traced back to China, Adobe also admitted being a target of a sophisticated,
coordinated attack (Claburn, 2010). Other targeted companies include Juniper Networks,
Symantec, Dow Chemical, Northrop Grumman, Yahoo, Intel, Morgan Stanley, and Rackspace
Hosting (Claburn, 2010). Many companies were reluctant to join Google in its stand against the
Aurora attacks because of the depth of their investments in China. Some corporations, like
Microsoft, specifically distanced themselves in favor of Chinese business investments, calling
Aurora "the Google problem" (Microsoft, HP fail to back Google's China move, 2010).
While Google could most likely take the financial losses tied with halting Chinese
services in stride, they did not retract their business ties there after Aurora, and probably will not
any time soon. Specifically, China contributed less than 2% of Google's $21.8 billion annual
revenue in 2009 (Garner, Levy, & Womack, 2010). In contrast, Chinese business accounted for
13% of the Intel Corporations sales in 2008 and nearly 11% of revenue for Cisco Systems in a
recent quarter (Garner, Levy, & Womack, 2010). However, Chairman of the U.S.-China
Economic and Security Review Commission, Dan Slane, insists the organizations that are
reluctant to stand against Chinese cyber-attacks are simply missing the long-term picture
(Garner, Levy, & Womack, 2010). Specifically, China's end goal is to extract as much
technology out of American companies as they can, transfer that to their own companies, and,
when they feel those companies have reached a level of technical maturity, show the American
companies to the door (Garner, Levy, & Womack, 2010). Although the United States
government formally requested an explanation of the incident from China, the response was
vague and noncommittal. Jiang Yu, China's Foreign Ministry Spokesperson, declared that
China's internet is open, and that China welcomes international Internet corporations to do
business in China in line with law (Claburn, 2010).
Key Points:
Computer users are still vulnerable to spear phishing techniques.
While present in the defense industry, the level of sophistication Aurora displayed had
never before appeared within the commercial sector (Zetter, 2010).
Aurora proved companies of all sectors are now lucrative targets for advanced persistent
threats.
Corporations must now protect a significantly wider array of information.
CEOs and CIOs need to understand the urgency of cyber-attacks, even when they leave
almost no trace.
While Google declared willingness to take a financial stand against Chinese cyber
espionage, none of the other 33+ companies followed suit.
Most corporations would rather hemorrhage intellectual property than sever business with
China.
China still denies involvement in cyber espionage.
Stuxnet
The fears surrounding the hidden backdoors placed by cyber-attacks such as Byzantine
Hades, Titan Rain, and Operation Aurora became reality with the release of Stuxnet. The
computer worm of unconfirmed origin bridged the gap between the cyber and physical worlds.
Stuxnet's level of sophistication surpassed even Operation Aurora. Construction of the worm
required significant coding experience, thousands of working hours, substantial financial
backing, and a knowledge base from a variety of disciplines (Gross, 2011). Although the
outbreak began with infected USB sticks, Stuxnet spread by exploiting five Windows
vulnerabilities, four of which were zero-days. Stuxnet, designed to actively target only specific
models of programmable logic controllers (PLCs), infected hundreds of thousands of computers
over a year before it was discovered, continually updating itself through a peer-to-peer system
(News from the Lab, 2010). Unlike the aforementioned cyber-attacks, Stuxnet's programming
includes a kill date, on which all rampant versions of the worm will delete themselves
(Schneier, 2010).
Stuxnet highlighted the United States' vulnerability to new types of cyber-attacks by
demonstrating the riskiness of dependence on PLCs and SCADA systems. The Stuxnet worm
attacked programmable logic controllers (PLCs) as well as Supervisory Control and Data
Acquisition (SCADA) systems. PLCs control electromechanical processes such as traffic lights
and factory machinery. SCADA systems include the interface that controls PLCs, remote
terminal units (RTUs) that send data from PLCs to supervisory systems, communication
networks, a supervisory system that can monitor data and relay programmed instructions, and a
human-machine interface (HMI) (Bailey & Wright, 2003).
The most severe risk Stuxnet represents arises from the availability of its source code,
which attackers can now customize for alternate purposes. Stuxnet could allow attackers to
infiltrate vital infrastructure and monitor operations over a prolonged period in order to tailor the
most effective strike possible.
Key Points:
Stuxnet remained undiscovered in thousands of computers for over a year.
The Stuxnet attack bridged the gap between the cyber and physical worlds.
The computer worm was extremely sophisticated, which most likely required state
sponsorship.
The Stuxnet code is reprogrammable for alternate purposes.
Risk Assessment
It is common sense that protecting an asset should cost less than the asset is worth. When
it comes to the threats cyber-attacks have evolved into, the common forms of defense are not
enough anymore. The cost of layering firewall upon firewall to combat a threat that can still
infiltrate a network is simply illogical. Expecting a different result from doing the same thing
repeatedly is Albert Einstein's definition of insanity (Greer, 2010). The Harvard National
Security Journal published, "Analysts who measure the cost-effectiveness of defensive measures
in cyberspace relative to the accelerating growth of new cyber-attack methods suggest that the
defending side in cyberspace is already at a severe disadvantage and that the offensive-defensive
gap is widening" (Greer, 2010).
The Ryan-Nichols risk equation, shown below, is an effective tool for assessing risk. It
accounts for vulnerabilities, potential severity of impacts, mitigating effects of countermeasures,
and threats that require intent, opportunity, and capability.
Risk = (Impact × Threats × Vulnerabilities) / Countermeasures

Vulnerability: Standard defensive computer security measures like firewalls and
intrusion detection systems can reduce, but not eliminate, system vulnerabilities.
Impact: As evidenced by Stuxnet, the potential impact of cyber-attacks is exponentially
increasing, and there is very little that can change that.
Threat: Commonly referred to as means, motive, and opportunity in the world of
criminal justice, cyber security threats also require intent, opportunity, and capability
(Cloppert, 2009).
o Intent: The definition of advanced persistent threats specifies a high degree of
dedication.
o Opportunity: One example of a problematic opportunity is the continued
susceptibility of computer users to fall victim to spear phishing techniques.
o Capability: As evidenced by the above case studies, adversaries have
demonstrated repeatedly that they are very capable of infiltrating systems.[2]
Countermeasures: Measures currently in place are obviously not effectively managing
today's cyber threats. In other words, there is currently a very high risk associated with
advanced persistent threats. If you cannot afford the cost of losing a game, change the
rules.
[2] To establish a comparison, Al Qaeda uses computers to encrypt information, but they do not use them with the
same level of sophistication that appeared in Moonlight Maze (Hamre, 2003). Al Qaeda has searched for
information regarding the programming and control of SCADA systems, but this does not imply they have the
capability of completing such sophisticated attacks (Hamre, 2003).
Countermeasures: Offensive Tactics
The Coreflood Example
In the case of Coreflood, the FBI took unprecedented actions, which proved U.S.
capability for successful active offensive operations. The international botnet infected more than
1.8 million computers in the United States alone (Bardin, 2011). Coreflood trespassed through
computer systems of airports, hospitals, universities, financial institutions, state and local
government agencies, defense contractors, and other various businesses (Zetter, 2011). One of
the five command-and-control servers it relayed data to received nearly 190 gigabytes of user
names, passwords, account numbers, and other sensitive information it had accumulated for over
10 years (Zetter, 2011). Stolen financial information facilitated more than $1.2 million in
fraudulent wire transfers (Bourquin, 2011).
The FBI set up substitute C&C servers that returned a "stop" command to every ping
received from Coreflood. They also removed Coreflood remotely from any infected computer
that granted authorization.[3] The effectiveness of the FBI's offensive methods is indisputable.
The number of pings the decoy C&C servers received from infected U.S. computers dropped
almost 90% within a week of their inception (Zetter, 2011). This prevented Coreflood from
updating itself long enough for anti-virus programs to update, effectively eliminating the botnet
(Zetter, 2011). The specific techniques used in the Coreflood case are not applicable to most
active cyber threats, but the success of this offensive operation merits further exploration.
Naming and Shaming Techniques
One possible course of offensive action uses naming and shaming techniques to convince
foreign nations not to make the U.S. a target for cyber espionage. The concept of naming and
shaming requires the following three conditions:
Enough companies and countries willing to complain vociferously and continuously;
A united front among companies and countries; and
A [foreign] leadership that is shame-able and willing and able to stop or at least slow the
[intellectual property] theft (Segal, 2011).
[3] In contrast, Microsoft, without the same case-by-case authorization, automatically deleted Coreflood from infected
computers (Ragan, 2009).
Google attempted this technique after discovering Operation Aurora by announcing that
they had observed the intrusion and would not tolerate it. However, as evidenced by the
aforementioned case studies, corporations and governments are usually reluctant to publicly
acknowledge any intrusions, let alone make blatant accusations. The other companies targeted
by Operation Aurora did not follow suit, and one even explicitly stated that Google was standing
alone.[4] This exemplifies that corporations show a distinct lack of unity, at least so far.
Governments tend to be reluctant to point fingers at other nations, because it instigates
diplomatic battles (Charkow, 2011). Christian Leuprecht, an associate professor of political
science, declares that even when cyber espionage undeniably points to Chinese authorship, China
puts the blame on a rogue group of hackers: "they're very careful to make sure it never gets
traced back to intelligence or defense sources" (Charkow, 2011). Even so, Chinese espionage in
the United States has become intolerably prevalent. Mike Rogers, Chairman of the Permanent
Select Committee on Intelligence, publicly admonished Chinese cyber espionage, calling it
"a massive and sustained intelligence effort by a government to blatantly steal commercial data
and intellectual property" (Segal, 2011). While the naming and shaming technique has
undeniable potential conceptually, there is not much evidence yet supporting its potential for
success in the United States.
National Offensive Counterintelligence Recommendations
The following elements of and requirements for a successful offensive
counterintelligence program are compiled from the publications of Burton Gerber, Jennifer
Sims, and Michelle Van Cleave (2009; 2007):
Credible, substantiated threats with clearly defined possible consequences
o The aforementioned case studies exemplify such threats.
A dynamic balance between national security and civil liberties
o Adversaries are using American laws and constitutional values to their advantage:
the FBI, solely responsible for intelligence operations within the United States,
needs the support, data, and resources of other agencies. Creating a pragmatic
and flexible national policy that can reasonably adjust to varying threat levels is
the most effective means of balancing privacy and security domestically. U.S.
counterintelligence must regain the advantage by moving the battle to foreign
territory.
[4] Despite Aurora targeting over 30 companies, Microsoft labeled it "the Google problem."
Clear leadership:
o Revalidating and empowering the National Counterintelligence Executive (NCIX)
allows them to publish national counterintelligence strategies, identify and
prioritize intelligence threats, compile damage assessments, and manage
counterintelligence budgets, programs, and strategic objectives. Program and
budgeting authorities should also share a common mission and a common purse.
The development of a unified, comprehensive approach that accounts for domestic
intelligence, counterintelligence, and oversight:
o The CIA should launch counterintelligence operations outside of the United States
that recruit foreign sources to implement denial, deception, and exploitation
techniques. The CIA's new National Clandestine Service may be suited for this
task, but must continually orient towards offensive strategies throughout its
development.
o While interaction between operational intelligence agencies has increased
dramatically since September 11, no amount of interagency cooperation will
make them a cohesive, integrated unit. Instead of repeating the usual reshuffling
of organizations and offices, establish a national counterintelligence strategic
operations center.
o More counterintelligence funding is required, but altering the counterintelligence
business model from defense-oriented to offense-focused is fundamentally
imperative. Proactive counterintelligence mandates a coordinated effort that
transforms a case-driven system into a strategically oriented one.
Conclusion
After World War I, the French resolved to protect their German and Italian borders from
invasion. Using textbook passive defensive techniques, they constructed the Maginot Line: an
incredibly expensive, impenetrable wall of concrete layered with various weapons systems. In
one sense, the wall worked: it successfully dissuaded a direct attack. However, the German
forces were persistent, and willing to seek out additional vulnerabilities. They simply
circumvented the wall, invaded France, and took over the country in a matter of weeks.
Like France, the United States has been protecting its cyber borders with firewalls, and
like France, the defense is not keeping enemies out. Specifically with the evolution of cyber-
attacks into advanced persistent threats, it is often safer to assume that at some point attackers
can compromise any and every network. No nation on Earth has managed to find an impervious
defense, and yet the United States spends a massive amount of money perpetually trying to
construct one.
John Hamre, former deputy secretary of defense, asserted, "You do not do anything about
cyber security until you experience a failure" (2003). Despite this, the United States continues to
endure cyber-attacks without substantial alteration in strategy. If only a realization of the
severity of shortcomings can prompt radical change, how much more severe must cyber-attacks
become before policymakers transform cyber counterintelligence?
Appendix
Defense Recommendations:
It is important to remember that while responses to advanced threats evolve, baseline
defenses are still useful. In other words, instead of trading reactive for active security methods,
the two types should stack. It only takes one employee to make a small mistake for an attack to
be successful. Hence, corporations should continue the following:
Remove any unnecessary computer systems.
Keep firewalls, anti-malware software, servers, desktops, and applications updated with
the latest security patches. This will close as many zero-day vulnerabilities as possible.
Continuously monitor intrusion detection and prevention systems.
Use system information and event monitoring software.
Establish internet, network, software, and hardware whitelists in secure areas.
Test system security via vulnerability management programs.
Continuously educate employees in effective security procedures, such as:
o Do not open attachments using secure systems,
o Do not access risky websites from work computers, and
o Choose strong passwords that contain lower case and upper case letters as well as
numbers and other characters.
Ban the use of personal electronic devices (PEDs) such as USB sticks, smart phones, and
MP3 players within secure areas. While this policy is already in use at many Department
of Defense agencies, corporations in the private sector could benefit from its
implementation.
References
Abreu, E. (2001, May 9). Cyberattack Reveals Cracks in U.S. Defense. PCWorld. Retrieved
from http://www.pcworld.com/article/49563/cyberattack_reveals_cracks_in_us_defense.html
Advanced Persistent Threats. (n.d.). Damballa. Retrieved from
http://www.damballa.com/knowledge/advanced-persistent-threats.php
Advanced Persistent Threats and Other Advanced Attacks. (2011). Websense. [PDF Document].
Ahamad, M. et al. (2011, October 11). Emerging Cyber Threats Report 2012. Georgia Tech
Cyber Security Summit 2011. [PDF Document].
Arquila, J. (Interviewee). (2003, March 4). Cyberwar. [Interview transcript]. Retrieved from
Frontline PBS web site:
http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html
Bailey, D., & Wright, E. (2003). Practical SCADA for industry. Amsterdam: Elsevier.
Bardin, J. (2011). Cyber Counterintelligence 615: Week 6 Chapter 9. Retrieved from Utica
Angel website: https://utica.angellearning.com/section/default.asp?id=CYB-615-Z1-201180
Bardin, J. (2011, June 1). Debate: The U.S. government was justified to take control of
Coreflood bot servers. SC Magazine. Retrieved from http://www.scmagazineus.com/debate-the-
us-government-was-justified-to-take-control-of-coreflood-bot-servers/article/202698/
Bourquin, J. (2011, September 9). Security and Counterintelligence Implications of the FBI's
Takedown of Coreflood. Utica College.
Charkow, R. (2011, September 21). Cyber spying is the new face of espionage. CBC News.
Retrieved from http://www.cbc.ca/news/canada/story/2011/09/20/f-cyber-espionage.html
Claburn, T. (2010, January 15). Other Targets in Google Cyber Attack Surface. Information
Week. Retrieved from
http://www.informationweek.com/news/security/vulnerabilities/222301222
Cloppert, M. (2009, July 23). Security Intelligence: Introduction (pt 2). Blog. Retrieved from
http://computer-forensics.sans.org/blog/2009/07/23/security-intelligence-introduction-pt-2
Cole, E. (2010, June 21). Advanced Persistent Threat (APT). McAfee. Retrieved from
http://blogs.mcafee.com/corporate/cto/advanced-persistent-threat-apt
The Comprehensive National Cyber Security Initiative. (2009). Executive Office of the President
of the United States. [PDF Document].
Cyberwar. (2003, April 24). PBS. Retrieved from
http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/
Evans, B. (2010, January 27). Global CIO: After Google Cyber Attack, CIOs Must Find the
Body. Information Week. Retrieved from http://www.informationweek.com/news/global-
cio/security/222600001
Garner, R., Levy, A., & Womack, B. (2010, January 15). Google Said to Have Tried to Get
Support Over Attack. Bloomberg. Retrieved from
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aE5FWLzQMZGY
Gerber, B., & Sims, J. (2009). Vaults, Mirrors, and Masks. Washington, D.C.: Georgetown Press.
Greer, D. (2010, April 12). Advanced Persistent Threat. Network World. Retrieved from
http://www.networkworld.com/news/tech/2010/041210-tech-update.html?page=1
Gross, M. J. (2011, April). A Declaration of Cyber-War. Vanity Fair. Retrieved from
http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104
Grow, B., & Hosenball, M. (2011, April 14). Special report: In cyberspy vs. cyberspy, China has
the edge. Reuters. Retrieved from
http://www.reuters.com/article/2011/04/14/us-china-usa-cyberespionage-
idUSTRE73D24220110414
Hamre, J. (Interviewee). (2003, February 18). Cyberwar. [Interview transcript]. Retrieved from
Frontline PBS web site:
http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/hamre.html
Huggins, J. (2011, September 24). James S. Huggins' Refrigerator Door. JSH. Retrieved from
http://www.jamesshuggins.com/h/tek1/how_big.htm
Krutz, G. (2010, January 13). Google Attack is the Tip of Iceberg. McAfee. Retrieved from
http://siblog.mcafee.com/cto/google-attack-is-tip-of-iceberg/
Krutz, G. (2010, January 14). Operation Aurora Hit Google, Others. McAfee. Retrieved from
http://blogs.mcafee.com/corporate/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-
others
Krutz, G. (2010, January 25). Where's the Body? McAfee. Retrieved from
http://siblog.mcafee.com/cto/where%E2%80%99s-the-body/
Lemos, R. (2011, April 21). Byzantine Hades shows China's cyber chops. CSO. Retrieved
from http://www.csoonline.com/article/680203/-byzantine-hades-shows-china-s-cyber-chops
McLean, A., Shane, S., & Tse, A. (2011, June 19). A Selection from the Cache of Diplomatic
Dispatches. The New York Times. Retrieved from
http://www.nytimes.com/interactive/2010/11/28/world/20101128-cables-
viewer.html#report/china-08STATE116943
Microsoft, HP fail to back Google's China move. (2010, January 15). China Daily. Retrieved
from http://www.chinadaily.com.cn/china/2010-01/15/content_9329339.htm
News from the Lab. (2010, November 3). F-Secure. Retrieved from
http://www.f-secure.com/weblog/archives/00002066.html
Ragan, S. (2011, April 18). Coreflood: Botnet takedown introduces a potentially risky precedent.
The Tech Herald. Retrieved from
http://www.thetechherald.com/article.php/201116/7073/Coreflood-Botnet-takedown-introduces-a-potentially-risky-precedent
Schneier, B. (2010, October 7). Stuxnet. Schneier on Security. Retrieved from
http://www.schneier.com/blog/archives/2010/10/stuxnet.html
Segal, A. (2011, October 11). Giant Sucking Sound: China and IPR Theft. Council on Foreign
Relations. Retrieved from
http://blogs.cfr.org/asia/2011/10/11/giant-sucking-sound-china-and-ipr-theft/
Thornburgh, N. (2005, August 25). Inside the Chinese Hack Attack. Time U.S. Retrieved from
http://www.time.com/time/nation/article/0,8599,1098371,00.html
Thornburgh, N. (2005, August 29). The Invasion of the Chinese Cyberspies. Time U.S. Retrieved
from http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html
Van Cleave, M. (2007, April). Counterintelligence and National Strategy. National Defense
University. [PDF Document]
Wanted: An Integrated Counterintelligence. (1995, September 18). Central Intelligence Agency.
Retrieved from
https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol7no3/html/v07i3a02p_0001.htm
Winkler, I. (2005, October 20). Guard Against Titan Rain Hackers. ComputerWorld. Retrieved
from
http://www.computerworld.com/s/article/105585/Guard_against_Titan_Rain_hackers?taxonomyId=17&pageNumber=3
Zetter, K. (2011, April 26). FBI vs. Coreflood Botnet: Round 1 Goes to the Feds. Wired.
Retrieved from http://www.wired.com/threatlevel/2011/04/coreflood_results/
Zetter, K. (2010, January 14). Google Hack Attack was Ultra Sophisticated, New Details Show.
Wired. Retrieved from http://www.wired.com/threatlevel/2010/01/operation-aurora/