Intel Wars (36 page)

As the antics of the hackers and cyber criminals began appearing with greater frequency in the press in the 1990s, the intelligence services of a number of countries decided that they needed their own corps of teenage hackers who could infiltrate foreign government communications networks and computer systems to gather secrets and, if necessary, attack and destroy these systems.

One of these was America's electronic eavesdropping Goliath, the National Security Agency, which has been secretly engaged in disrupting foreign computer systems and e-mail traffic for more than twenty years. Shortly after the end of the Cold War in the early 1990s, NSA set up a small unit called the Information Warfare Support Center to experiment with penetrating and disrupting foreign government communications systems and computer networks.

The concept was given a dry run during Operation Desert Storm in 1991, when NSA was able to electronically disrupt the French-made computers that controlled the Iraqi air defense system. But it was not until March 1999 that NSA first systematically applied its new cyber-attack capability when it electronically knocked down large parts of the communications and computers that supported the Yugoslav air defense system during the short war over the breakaway province of Kosovo.

In the run-up to the invasion of Afghanistan in October 2001, the United States tried to duplicate its success in Kosovo by using cyber attacks to degrade the Taliban air defense system, but the system was so antique and decrepit that it defied attack by electronic means.

The Pentagon took its first giant leap into the area of cyber war in January 2005 with the creation of a 125-person unit at NSA headquarters at Fort George G. Meade called the Joint Functional Component Command–Network Warfare, which was described at the time as the single largest conglomeration of computer hackers in the world.

As soon as the unit was created, teams of its personnel were secretly deployed to Iraq to begin mapping the communications networks of the Iraqi insurgents and al Qaeda foreign fighters opposing the U.S. military there. Over a period of almost two years, this small team of military computer surveillance specialists, called the Multi-National Force–Iraq Cyber Team, carefully watched the flow of e-mails and text messages inside Iraq. They managed to identify the electronic addresses of hundreds of computers and personal messaging systems that were then being used by the Iraqi insurgents.

As first reported by Shane Harris of the
National Journal
, several months before the beginning of General Petraeus's 2007 Baghdad surge offensive, the NSA was authorized by the White House to launch a cyber attack on all of the Iraqi insurgent e-mail and text messaging systems that the Cyber Team had located. According to intelligence officials, the cyber attack knocked off the air almost all of the communications of the Iraqi insurgents and al Qaeda in Iraq fighters around Baghdad for three days.

On April 27, 2007, while NSA was gearing up to launch its electronic offensive against Iraqi insurgents, right-wing Russian nationalists, enraged by the decision of the Estonian government to relocate a huge Stalin-era statue of a Soviet soldier in downtown Tallinn, the capital of Estonia, launched a concerted month-long cyber attack on virtually every Estonian computer server, router, Web site, and e-mail system that served the country's government ministries, banks, newspapers, and television and radio stations. According to a leaked State Department cable, “
On April 28, less than 24 hours after the first cyber attacks
, Russian-language internet forums … were exhorting people to attack specific GOE [government of Estonia] websites and offering links to software tools.”

A year later, in August 2008, the Russian government itself launched a cyber attack on the communications and computer systems of the Georgian government and news media prior to the launch of a major military offensive to retake portions of the breakaway province of South Ossetia that had recently been captured by Georgian forces. A 2009 report by the NSA examining the cyber attack on Georgia found that the Russians managed to plant a Trojan Horse program into a number of Georgian government computer networks that allowed Moscow to launch continuous denial-of-service attacks on the host computers, temporarily knocking them out of commission. The Georgian government's computer experts were able to quickly put together an ad hoc communications system to replace the one being jammed by the Russians, but the incident highlighted the fact that cyber attacks, if done right, can be more effective than an artillery barrage or air strike in wreaking havoc on foreign computer and communications systems.

Leaked State Department documents reveal that the intelligence services of the People's Republic of China have become the world's foremost practitioners of cyber war. The scope of the Chinese cyber-war effort is massive. In March 2009, researchers in Canada and Great Britain discovered that someone in China was conducting a cyber-spying operation, which they named GhostNet, that involved inserting undetectable Trojan Horse viruses into computers around the world, including the personal computer of the Tibetan leader-in-exile, the Dalai Lama. Whoever was running the operation inside China was reading all of the e-mails sent to and from the targeted computers and monitoring which Web sites they visited, leading to the obvious conclusion that GhostNet was a Chinese government spying operation, though this remains to be proved.

The classified reporting of the U.S. intelligence community strongly suggests that GhostNet was but a small part of a much larger global cyber-spying operation by the Chinese government that has been going on for almost a decade. Leaked State Department documents show that since 2002, Chinese hackers have succeeded in penetrating a number of Canadian, French, and German government computer systems, some of them very high-level.
For example, a secret 2008 report by the German equivalent of the FBI
, the Federal Office for the Protection of the Constitution, reported that hundreds of Chinese cyber attacks had “targeted a wide variety of German organizations to include German military, economic, science and technology, commercial, diplomatic, research and development, as well as high-level government [computer] systems.”

The main targets of the Chinese hackers have been the computer and communications systems of the U.S. government and military. According to a classified State Department report, “
Since late 2002, USG [U.S. government] organizations have been targeted
with social-engineering online attacks by [Chinese] actors.” The Chinese have used the same techniques as mainstream computer hackers; the cable revealed that they had “relied on techniques including exploiting Windows system vulnerabilities and stealing login credentials to gain access to hundreds of USG and cleared defense contractor systems over the years.” The cable confirmed that the cyber attacks have targeted virtually every department of the U.S. government involved in national security matters. According to the cable, “The majority of the systems [Chinese] actors have targeted belong to the U.S. Army, but targets also include other DoD [Department of Defense] services as well as DoS [Department of State], Department of Energy, additional USG entities, and commercial systems and networks.”

In June 2009, Chinese hackers attempted to penetrate the computers of five State Department officials in the office of the special envoy for climate in Washington just as talks got under way in Beijing with the Chinese government over reducing greenhouse gas emissions. According to a leaked State Department cable, “
The event appears to be a targeted spear-phishing attempt
[attempting to acquire electronically sensitive personal or financial information, such as bank account passwords] and may be indicative of efforts [by the Chinese] to gather intelligence on the U.S.'s position on climate change issues.”

Despite knowing about the Russian and Chinese cyber attacks on U.S. and allied computer systems, the U.S. government chose to do nothing about them, fearing that Russia and other foreign countries might use the attacks to force the enactment of binding international agreements that would restrict Washington's ability to conduct its own cyber attacks on targets deemed to be threats to U.S. national security. According to a leaked 2009 State Department cable, “
U.S. policy remains that hackers and cyber criminals
, not states, are the most urgent cyber threat. [U.S. delegation] should continue to oppose Russian arguments for arms-control-like constraints on information technology and offensive capabilities.”

It was not until Chinese cyber attacks hit the giant American Internet service provider Google in January 2010 that the U.S. government finally was forced to take action. Although the U.S. intelligence community was certain that the attacks originated from inside China, no one knew exactly who launched them or why. According to a leaked State Department cable from the U.S. embassy in Beijing, “
A well-placed contact claims that the Chinese government
coordinated the recent intrusions of Google systems. According to our contact, the closely held operations were directed at the Politburo Standing Committee level.” Another source, however, indicated that it was one of Google's Chinese competitors who launched the attack. When Google formally complained to the U.S. government about the attack, in an unprecedented move, America's eavesdropping giant, the National Security Agency, was ordered to help the Internet giant erect electronic defenses against further attacks.

The actual culprit was never identified, and probably never will be. But the revelations in the press had the salutary effect of spurring the U.S. intelligence community into action. According to senior U.S. intelligence officials, the Chinese attacks on Google resulted in cyber warfare being instantly elevated to the single most important priority item within the intelligence community.
In testimony delivered before the Senate Select Committee on Intelligence in February 2010
, DNI Denny Blair warned that “the recent intrusions reported by Google are a stark reminder of the importance of these cyber assets, and a wake-up call to those who have not taken this problem seriously.”

On May 21, 2010, a new military organization called U.S. Cyber Command was created, which is responsible for directing all of America's offensive and defensive cyber-war activities, including conducting cyber attacks on foreign government computer systems if so ordered. Although nominally independent, U.S. Cyber Command is, in fact, an adjunct of the National Security Agency. The director of the NSA, General Keith Alexander, is also the chief of the 1,100-person U.S. Cyber Command.

So what has Cyber Command been doing since becoming operational? No one knows for sure because of the secrecy surrounding its operations, but there are telltale signs that it is already active.

In July 2010, computer security experts discovered a new computer virus called Stuxnet, which the
New York Times
later described as “
the most sophisticated cyberweapon ever deployed
.” We know nothing for certain about the origins of Stuxnet, or who wrote the program. The
New York Times
has opined that the virus was written jointly by U.S. and Israeli intelligence, but there is as yet no substantive evidence to support this allegation.

What we do know is that the person or persons who wrote the Stuxnet program designed the system for a very narrow and specific application, and with a very specific target in mind. Unlike previous computer viruses, Stuxnet did not target personal computers or the computer servers used by corporations or financial institutions. Instead, Stuxnet was designed to attack a specific piece of software made by the German high-tech giant Siemens AG. And we now know that Stuxnet's principal target was the computer system that regulated the operations of the nine thousand centrifuges at Iran's main uranium enrichment plant at Natanz in central Iran.

It also is clear that whoever designed Stuxnet was not a teenage hacker but rather one or more individuals working for a foreign intelligence agency who knew virtually everything about the Natanz plant. A detailed study of the virus shows that Stuxnet was designed based on a near-complete understanding of the computer system at Natanz, which could only have come from someone inside the plant providing the virus's designers with the schematics of the plant's computer hardware and software systems.

Moreover, Stuxnet was deliberately designed to attack computer systems that were not connected to the Internet for security reasons, as was the case at Natanz. In order to get around the firewall, the Stuxnet virus had to be loaded onto a CD or flash drive and then covertly downloaded into the computer system at Natanz. Once again, this could only be accomplished by an intelligence service with an agent at Natanz with access to the plant's computer systems. Once buried inside the targeted computer's software, analysis of the virus shows, Stuxnet was programmed to take control of the host computer system.

According to computer security experts, the Stuxnet virus was somehow covertly inserted into the computers at Natanz in mid-2009, knocking out of commission almost one thousand of the facility's nine thousand centrifuges in a single blow. But a recent report by the International Atomic Energy Agency indicates that the damage caused by Stuxnet was only temporary. Beginning in late 2009, IAEA video cameras at Natanz caught Iranian workers carting off the damaged centrifuges. Six months later, in early 2010, the cameras saw the same workers hauling in crates containing new centrifuges. U.S. intelligence experts now believe that the Natanz plant is back in full operation.

Even if the cyber attack on Natanz was only a temporary setback for the Iranian nuclear program, cyber-war proponents still believe that the weapon has utility in any future conflict. “Stuxnet may be the wave of the future,” a former NSA official said in a recent interview. “Imagine a hundred Stuxnets, each aimed at the computer system of a specific foreign target, released simultaneously, and you have the potential for a cyber catastrophe—a perfect storm.”