
Rise of the Cyber Arms Dealers

By Kevin Coleman

Defense Tech Chief Cyber War Correspondent

Black-Cyber-Operations have become all too common, launching highly sophisticated cyber actions against their targets that go undetected for months or years. A black operation (black-op) is generally accepted worldwide by militaries and intelligence agencies to represent specific types of covert operations typically involving activities that are either secret or of questionable legitimacy and often violate international law and demand deniability.

Russia began developing black-cyber-ops teams as far back as the early 1990s. But Russia is not the only military with these capabilities. A Chinese black-ops team is credited with the design and execution of the “Titan Rain” initiative that long went unchecked and undetected deep inside the U.S. Department of Defense networks. This cyber event is said to be second only to the cyber attack that hit the Pentagon in 2008 and impacted both theaters of operation (Afghanistan and Iraq).

These highly specialized teams are rarely talked about in the open media, but sometimes come up in quiet, off-line conversations at conferences. Recently, at a cyber warfare event, the lunch break conversation turned to cyber weapons. “If I were to start a business today, I would start a black-cyber-ops and cyber weapons development organization,” I told those sitting nearby. Somebody (from a three letter organization) leaned over, tapped me on the shoulder and said, “I’ll be your first customer.”

As the conversation went on, another said, “We need the equivalent of a Cyber Blackwater” (or Xe). While there are black-cyber-ops organizations around the world and cyber arms developers and dealers, this appears to be an underserved market niche. Given the attention cyber warfare is now receiving, you can bet there will be more such organizations going active in the next few years.

FACT: Black-Cyber-Ops are often used for political, military, intelligence and business reasons.

FACT: The only difference between a cyber weapon and a security or capacity testing tool is the intent of the individual using it.

FACT: There is a reference to at least one Black-Cyber-Ops Conference that was said to involve the Israeli Military and the Mossad.


Wembley March 15, 2010 at 2:23 pm

The US is often mentioned as having the biggest and most advanced offensive cyber-capability. I suspect a "cyber Xe" does already exist, you just haven't spotted them yet.


Jeff March 15, 2010 at 6:06 pm

God, I hope you’re right. I for one have only heard negative things about our cyber capabilities… And I know a lot of tech-savvy, hacker type characters, and they’re all quite anti-government, unfortunately. Maybe a cyber-merc type thing would be a good idea, since it would entice with payment and a loose connection to the government.


Matt March 15, 2010 at 8:09 pm

I hope so. The idea of having to hire Ukrainian or Bulgarian cyber-mercenaries to do our black cyber work seems really counterproductive. Surely the United States has the most to lose in a global no-holds-barred cyber war where the direct combatants are all criminals.


Ari March 16, 2010 at 9:32 am

"FACT: The only difference between a cyber weapon and a security or capacity testing tool is the intent of the individual using it."

The article already answered its own question. The tools are already there (they are called fuzzers), and already in use by the defense guys. Exactly the same tools will give you the offensive use scenarios also. One of the leading zero-day discovery tools in the market is Defensics from Codenomicon: http://www.codenomicon.com/defensics/

Using a tool intended for defense for offense requires building a lot of stealth into the tools. Whereas Defensics is intentionally noisy and therefore easy to detect and block, the tools that have been built purely for offensive use are often created to be stealthy. These tools typically are just libraries of exploits. A free (?) exploitation framework example would be Metasploit. A commercial example of such are the tools from Immunity (even if they claim so, I find it very hard to think of any legal use for such tools): http://www.immunitysec.com/products-canvas.shtml

Unfortunately, the biggest problem with commercial tools (and especially the free tools) is that you lose your zero-day impact. An exploit in Metasploit or Canvas is no longer zero-day when the vendor issues a fix to the flaw. Similarly, a fuzz test case in a fuzzing product such as Defensics is ineffective against systems that are already using similar tools in R&D. Fortunately for the rest of us, for effective black-ops, you basically have to be faster and more effective in bug discovery than anyone else. I am sure the black-ops have several similar (usually internally built) tools and frameworks for that purpose. The commercial tools are best at training the capability as they find zero-day problems daily in any practice environment, and do not need to be secret.


Ptsfp March 16, 2010 at 9:08 pm

Commercial programs are all well and good, but the scariest are the homemade ones. Commercial programs offer a signature that can be detected. IDS systems detect these signatures. But how do you do signature matching for a program that hasn't been used yet?

The Register had an interview with a vigilante hacker named 'Jester' who uses his home built program to take down militant Islamic training websites. He has a video showing it being used. One second it is up, the next the site is down.

A US black ops cyber team would definitely have programmers on staff cooking up home-brewed penetration utilities.

Ptsfp


crashtesting March 17, 2010 at 6:31 pm

You can easily turn off signatures in commercial tools. They are there just in case someone by mistake turns off a global interconnected service such as gmail, yahoo, or vonage. The commercial tools do not prevent anyone from modifying the contents of each attack, or extracting the attacks from the tools.

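The exchange between Ptsfp and crashtesting above turns on one detection-engineering point: a signature keyed to a marker the tool emits (a user-agent string, a banner) finds that tool only while the marker is present, and says nothing about a tool nobody has seen yet or one whose marker was stripped. The following is an added illustration, not code from the post or from any of the commenters: it runs a marker-based rule and a behaviour-based rule (many requests for paths that do not exist, from one source) over a few constructed web-server log lines. The log format, the source addresses, the probed paths and the `ExampleScanner/1.0` marker are all constructed for the example and stand for no real tool.

```python
"""Signature vs. behaviour detection over constructed web-server log lines.

Added example (not from the original post). All sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed log format: <src> - "<method> <path> HTTP/1.x" <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) - "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Hypothetical marker a commercial tool might leave in its requests.
SIGNATURES = [re.compile(r"ExampleScanner/\d")]


def _line(src, path, status, ua):
    """Build one constructed log line in the format LOG_RE expects."""
    return f'{src} - "GET {path} HTTP/1.1" {status} "{ua}"'


# Paths a crawler might probe; every one is constructed and returns 404 here.
PROBED_PATHS = ["/admin", "/backup.zip", "/old/", "/test/", "/.git/config", "/config.bak"]

LOG_LINES = (
    # Source 10.0.0.5: tool with its marker left on, hitting missing paths.
    [_line("10.0.0.5", p, 404, "ExampleScanner/1.0 (constructed)") for p in PROBED_PATHS]
    # Source 10.0.0.7: same behaviour, marker replaced by a browser-like string.
    + [_line("10.0.0.7", p, 404, "Mozilla/5.0 (compatible)") for p in PROBED_PATHS]
    # Source 10.0.0.9: ordinary browsing with one stray 404 (a missing favicon).
    + [_line("10.0.0.9", p, 200, "Mozilla/5.0 (X11; Linux)") for p in ["/", "/about", "/contact"]]
    + [_line("10.0.0.9", "/favicon.ico", 404, "Mozilla/5.0 (X11; Linux)")]
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_hits(lines, signatures=SIGNATURES):
    """Sources whose user-agent matches a known tool marker (signature rule)."""
    hits = set()
    for rec in filter(None, map(parse, lines)):
        if any(sig.search(rec["ua"]) for sig in signatures):
            hits.add(rec["src"])
    return hits


def behavioural_hits(lines, min_missing=5):
    """Sources that requested at least `min_missing` distinct non-existent paths.

    This rule never looks at the user-agent, so it does not care whether the
    client is a known product, a modified one, or a homemade tool.
    """
    missing = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "404":
            missing[rec["src"]].add(rec["path"])
    return {src for src, paths in missing.items() if len(paths) >= min_missing}


if __name__ == "__main__":
    print("signature rule flags :", sorted(signature_hits(LOG_LINES)))
    print("behaviour rule flags :", sorted(behavioural_hits(LOG_LINES)))
```

Run as-is, the signature rule flags only `10.0.0.5`, the source that kept the marker; the behaviour rule flags both `10.0.0.5` and `10.0.0.7`, and leaves the ordinary browser alone because one missing favicon is below the threshold. The threshold and the 404-only criterion are deliberately simple; a production rule would add a time window and a whitelist of paths that legitimately 404, but the shape of the answer to Ptsfp's question is the same: match on what the traffic does, not on what the tool calls itself.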
