Cyber Espionage and Criminal Hacking: The New Threat Matrix 
Paul M. Joyal, NSI Managing Director, Public Safety & Homeland Security Practice 
GovSec | US Law Conference, March 23-24, 2010
Cyber Threat Actors 
• “Cyber threats to federal information systems and cyber-based 
critical infrastructures… can come from a variety of sources, 
such as foreign nations engaged in espionage and information 
warfare, criminals, hackers, virus writers, and disgruntled 
employees and contractors working within an organization.” 
– Gregory C. Wilshusen, 
Director, Information Security Issues 
Government Accountability Office, 2009
Cyber Crime Increases in the Private Sector 
• More than 75,000 computer systems at nearly 2,500 
companies in the United States and around the world have 
been hacked in what appears to be one of the largest and most 
sophisticated attacks by cyber criminals 
• The attack targeted proprietary corporate data, e-mails, credit-card 
transaction data and login credentials at companies in the 
health and technology industries in 196 countries, according to 
NetWitness.
Cyber Crime and Espionage 
• Ten government agencies were penetrated, none in the 
national security area, NetWitness said. 
• The systems penetrated were mostly in the United States, 
Saudi Arabia, Egypt, Turkey and Mexico 
• Some estimate the global cyber-crime business amounts to 
$100 billion a year.
Cyber Crime Cash is bigger than Narcotics Trade 
• Cyber-crime, by some estimates, has outpaced the amount of 
illicit cash raked in by global drug trafficking. 
• Hackers from Russia and China are among the chief culprits, 
and the threat they pose now extends far beyond spam, 
identity theft and bank heists. 
• “The Internet can now be used to attack small countries.” 
“There are Russian and Chinese hackers that have the power to 
do that.” 
– Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky Lab
Criminals are spamming the Zeus banking Trojan to 
attack government computers 
• According to one state government security expert who received 
multiple copies of the message, the e-mail campaign — 
apparently designed to steal passwords from infected systems 
— was sent exclusively to government (.gov) and military (.mil) 
e-mail addresses. 
• The messages appear to have been sent by the National 
Intelligence Council (address used was nic@nsa.gov), which 
serves as the center for midterm and long-range strategic 
thinking for the U.S. intelligence community and reports to the 
office of the Director of National Intelligence.
E-Mail spoofs the National Security Agency 
• The e-mails urge recipients to download a copy of a report 
named “2020 Project.” Another variant is spoofed to make it 
look like the e-mail came from admin@intelink.gov. The true sender, 
as pulled from information in the e-mail header, is 
nobody@sh16.ruskyhost.ru.
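The slide's point is that the visible From: address and the path recorded in the headers disagree. As an added defensive example (not part of the presentation), the Python below parses a message and flags exactly that disagreement; the two messages are constructed, using the sender addresses quoted above, with a placeholder receiving host (mail.example.gov) and IPs from the 192.0.2.0/24 documentation range.

```python
"""Detect a spoofed From: address by comparing it with the message path.

Added example, not from the presentation. SAMPLE_RAW and LEGIT_RAW are
constructed messages: the sender addresses come from the slide, the
receiving host (mail.example.gov) and the IPs (192.0.2.x) are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: the displayed sender is nic@nsa.gov, but the envelope
# sender (Return-Path) and the last-hop Received header name another host.
SAMPLE_RAW = b"""\
Return-Path: <nobody@sh16.ruskyhost.ru>
Received: from sh16.ruskyhost.ru (sh16.ruskyhost.ru [192.0.2.10])
\tby mail.example.gov with ESMTP id C0FFEE; Wed, 3 Feb 2010 10:00:00 -0500
From: "National Intelligence Council" <nic@nsa.gov>
To: analyst@example.gov
Subject: 2020 Project report
Content-Type: text/plain

Please download the attached report.
"""

# Constructed: an internal message whose path and From: agree.
LEGIT_RAW = b"""\
Return-Path: <admin@example.gov>
Received: from mx1.example.gov (mx1.example.gov [192.0.2.20])
\tby mail.example.gov with ESMTP id DECAF0; Wed, 3 Feb 2010 11:00:00 -0500
From: IT Administrator <admin@example.gov>
To: analyst@example.gov
Subject: Patch window
Content-Type: text/plain

Servers reboot at 02:00.
"""

_RECEIVED_FROM = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def _addr_domain(header_value: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 address, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (enough for .gov/.ru here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw: bytes) -> dict:
    """Compare the From: domain with the envelope sender and originating host.

    Each relay prepends its own Received: header, so the first one in the
    message was written by our own MX (trustworthy) and the last one is the
    hop nearest the origin. Hops recorded before the message reached us can
    be forged, so a mismatch is a triage signal rather than proof by itself.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _addr_domain(str(msg.get("From", "")))
    return_path_domain = _addr_domain(str(msg.get("Return-Path", "")))

    hops = []
    for received in msg.get_all("Received") or []:
        match = _RECEIVED_FROM.match(str(received))
        if match:
            hops.append(match.group(1).lower())
    origin_host = hops[-1] if hops else ""

    findings = []
    if return_path_domain and _registrable(return_path_domain) != _registrable(from_domain):
        findings.append(
            f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if origin_host and _registrable(origin_host) != _registrable(from_domain):
        findings.append(
            f"originating host {origin_host} differs from From domain {from_domain}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_host": origin_host,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_RAW), ("legitimate", LEGIT_RAW)):
        result = analyze(raw)
        print(f"{label}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

In production the same comparison is what SPF and DMARC alignment checks automate at the mail gateway; this version shows the raw header logic so an analyst can apply it to a single saved message.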
Growth of Cyber Threats 
[Chart: attack sophistication over time, 1980 to 2009; vertical axis "Sophistication" from Low to High. Two trend lines: "Sophistication Required of Actors" (declining) and "Sophistication of Available Tools" (growing).] 
• Techniques plotted along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, network management diagnostics, automated probes/scans, www attacks, distributed attack tools, cross site scripting / phishing, sophisticated C2, convergence, “stealth”/advanced scanning techniques, staging, GUI, denial of service, sweepers, sniffers, packet spoofing, disabling audits, back doors. 
• Events marked: Estonia DoS; Russia invades Georgia.
The Vulnerability Matrix 
[Diagram: critical-infrastructure sectors, the scale of each, and the threat sources surrounding them.] 
• Sectors shown: Electric, Government, Natural Gas, Wireless, Banking, Telecom, Emergency Services, Chemical, Rail, Water, Waste Water, Transportation, Oil, E-commerce. 
• Scale figures: 26,000 FDIC institutions; 2,800 power plants; 104 commercial nuclear plants; 1,600 municipal wastewater facilities; 66,000 chemical plants; 2 million miles of pipelines; 5,800 registered hospitals; 2 billion miles of cable; 5,000 airports; 300 maritime ports; 300,000 production sites; 120,000 miles of major rails; 3,000 govt. facilities; 80,000 dams; 150,000 miles of transmission lines; 130 overlapping grid controllers. 
• Threat sources shown: home users and broadband connections; viruses and worms; insiders; configuration problems.
CIA Report: Cyber Extortionists Attacked Foreign Power 
Grid, Disrupting Delivery 
• Tom Donahue, the CIA's top cybersecurity analyst, said, "We 
have information, from multiple regions outside the United 
States, of cyber intrusions into utilities, followed by extortion 
demands. We suspect, but cannot confirm, that some of these 
attackers had the benefit of inside knowledge." 
• "We have information that cyber attacks have been used to 
disrupt power equipment in several regions outside the United 
States."
Could these probes come from China? 
• Jian-Wei Wang and Li-Li Rong, Chinese researchers at the 
Institute of Systems Engineering of Dalian University of 
Technology, reached a counterintuitive conclusion in a 
published research paper: 
• that attacks on power grid nodes with the lowest loads are 
more harmful than attacks on the ones with the highest 
loads.
Cascade-Based Attack Vulnerability – US Power Grid 
• They published these findings in a paper on how to attack 
a small U.S. power grid sub-network in a way that would 
cause a cascading failure of the entire U.S. electrical grid. 
• While some maintain that the research promotes a 
defense posture, Mr. Wang’s research subject was 
particularly unfortunate because of the widespread 
perception, particularly among American military 
contractors and high-technology firms, that adversaries 
are planning to attack critical infrastructure like the United 
States electric grid.
The Cyber Threat 
[Diagram: assessing the threat (like a criminal threat) from three factors that feed the THREAT assessment: Behavioral Profile, Technical Feasibility and Operational Practicality.]
Cyber Infrastructure
Russia’s NSA (FAPSI) also Identified in Cyber Theft 
• In 1998 a U.S.-German satellite known as ROSAT, used for 
peering into deep space, was rendered useless after it turned 
suddenly toward the sun. NASA investigators later determined 
that the accident was linked to a cyber-intrusion at the 
Goddard Space Flight Center in the Maryland suburbs of 
Washington. The interloper sent information to computers in 
Moscow, NASA documents show. 
• U.S. investigators fear the data ended up in the hands of a 
Russian spy agency.
Russia’s NSA (FAPSI) also Identified in Cyber Theft 
• A team of agents from NASA, the FBI, and the U.S. Air Force 
Office of Special Investigations set out to follow the trail of what they 
concluded was a criminal hacking ring with dozens of Internet 
addresses associated with computers near Moscow. 
• The investigators made an even more alarming discovery, 
according to people familiar with the probe: The cyber-crime 
ring had connections to a Russian electronic spy agency known 
by the initials FAPSI.
European Credit Card Crime Accelerates 
• Card-related crime is the fastest-growing criminal activity in the 
United Kingdom and throughout Europe. Payment card 
systems are under unprecedented attack from well-organized 
and well-financed criminal gangs.
Card Fraud Plagues Europe; Some Say It’s FAPSI 
• The payments business is increasingly the subject of organized, 
methodical attacks by Russian criminals, characterized by high 
technical sophistication and even including access to systems 
designed by FAPSI, the Russian state cryptographic agency. 
• "We've seen techniques that could only have come from FAPSI," says 
Jan Eivind Fondal, director of risk management at Europay Norge in 
Oslo, Norway. "It's beyond anything we've seen. It's a new breed of 
fraudster.“ "He had covered his tracks in a way only a security 
professional would."
Russian Viruses Attack Banks 
• Russian hackers rely on viruses that record keystrokes as 
customers type log-ins and passwords. Russian-made viruses 
are believed to be behind several major online heists, including 
the theft of $1 million from Nordea Bank in Sweden in 2007 
and $6 million from banks in the United States and Europe that 
same year. 
• Viruses and other types of “malware” are bought and sold for 
as much as $15,000. 
• Rogue Internet service providers charge cyber-criminals $1,000 
a month for police-proof server access.
Russian hacking flourishes as “a cyber-criminal 
ecosystem” 
• Russian hacking flourishes as “a cyber-criminal ecosystem” of 
spammers, identity thieves and “botnets,” vast networks of 
infected computers controlled remotely and used to spread 
spam, denial-of-service attacks or other malicious programs. A 
denial-of-service attack floods a Web site with inquiries, forcing 
its shutdown. 
– Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky 
Lab, one of the world’s leading computer security firms.
RBN: First Cyber Strike on Georgia was not Hacktivists 
• "The individual with direct responsibility for carrying out the 
cyber 'first strike' on Georgia is an RBN operative named 
Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in 
the attack was a programmer and spammer from Saint 
Petersburg named Andrey Smirnov. 
• These men are leaders of RBN sections and are not 'script-kiddies' 
or 'hacktivists,' as some have maintained of the cyber 
attacks on Georgia – but senior operatives in positions of 
responsibility with vast background knowledge."
RBN-Prime Mover 
• Intelligence can suggest further information about these 
individual cyber-terrorists. According to Spamhaus SBL64881, 
Mr. Boykov operates a hosting service in Class C Network 
79.135.167.0/24. 
• It should be noted that the pre-invasion attacks emanated from 
79.135.167.22, clearly showing professional planning and not 
merely ‘hacktivism.’ Due to the degree of professionalism and 
the massive costs required to run such operations, a state sponsor 
is suspected.
Known Russian Business Network routes identified 
• The IP addresses in the range 79.135.160.0/19 are assigned to 
Sistemnet Telecom to provide services to companies that are 
classified as engaging in illicit activities such as credit card 
fraud, malware and so on. 
• 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet 
(Turkey) are associated with AbdAllah_Internet, which is linked 
with cybercrime hosting such as thecanadianmeds.com. These 
are known Russian Business Network routes.
Hacking for Money and Politics in Russia 
• And when it’s not money that drives Russian hackers, it’s 
politics—with the aim of accessing or disabling the computers, 
Web sites and security systems of governments opposed to 
Russian interests. That may have been the motive behind a 
recent attack on Pentagon computers. 
• A new generation of Russian hacker is behind America’s latest 
criminal scourge. Young, intelligent and wealthy enough to zip 
down Moscow’s boulevards in shiny BMWs, they make their 
money in cyber-cubbyholes that police have found impossible 
to ferret out.
RSA 2010 Conference: Malware industry getting 
increasingly professional, warn experts 
• The Russian Business Network (RBN), one of the most powerful 
and extensive malware and hacking organisations, has been 
buying time on Amazon's EC2 platform to build malware and 
attack passwords, according to Ed Skoudis, founder of security 
consultancy InGuardians.
Russian Cyber Attack model: as seen in Estonia and 
Georgia attacks – Information Warfare 
• The Kremlin, with the help of the FSB, targets opposition Web 
sites for attack. 
• Attack orders are passed down through political channels to 
Russian youth organizations whose members initiate the 
attack, which gains further momentum through crowd-sourcing.
Russian Cyber Attack model – Information Warfare 
• Russian organized crime provides its international platform of 
servers from which these attacks are launched, which in some 
cases are servers hosted by badware providers in the U.S. 
• LESSON 
• For DoD planners and policy makers, an awareness of this 
model should trigger a re-evaluation of the approach that is 
taken in our cyber security strategy.
Iranian Crackdown Goes Global: RBN supports Efforts to 
Track Dissidents 
• A Wall Street Journal investigation shows Iran is extending its crackdown to 
Iranians abroad. Part of the effort involves tracking the Facebook, Twitter 
and YouTube activity of Iranians around the world, and identifying them at 
opposition protests abroad. People who criticize Iran's regime online or in 
public demonstrations are facing threats intended to silence them. 
• Caught by surprise by the power of social media during the disputed 
election, Tehran has commissioned white paper studies by the Research 
Center of Islamic Republic of Iran Broadcasting (crspa.ir) to "study the role 
of social capital in knowledge sharing". 
• The crspa.ir web site has been assisted by the Russian Business Network at 
the well known RBN IP address 61.61.61.61, which is home to many of 
the RBN's spam, scam, and malware DNS servers.
Local Governments are defrauded also 
• The New York town of Poughkeepsie reported that thieves had 
broken into the town’s bank account and stolen $378,000 in 
municipal funds. 
• Poughkeepsie officials said $95,000 was recovered from a 
Ukrainian bank.
China acquires US Rocket Engine designs 
• Four years later, in 2002, an online intruder penetrated the 
computer network at the Marshall Space Flight Center in 
Huntsville, Ala., stealing secret data on rocket engine designs— 
information believed to have made its way to China, according 
to interviews and NASA documents.
Data flows to China 
• Howard A. Schmidt, a technology consultant who served as a 
White House special adviser on cyber-security from 2001 to 
2003, concurs. 
• "All indications are that the attacks are coming in from China," 
he says, "and the data is being exfiltrated out to China."
Intelligence Chief on Cyber Challenge 
• “But cybersecurity is the soft underbelly of this country.” 
Mike McConnell told a group of reporters Jan. 16, 2009 
• “If we were in a cyberwar today, the United States would lose.” 
Mike McConnell testimony to Congress, February 23, 2010
"Cyber Shockwave," 
Feb. 17, 2010 
• Cyberattack Drill Shows U.S. Unprepared 
• A group of high-ranking former federal officials scramble to 
react to mobile phone malware and the failure of the electricity 
grid in a staged exercise. 
• Imagine what would happen if a massive cyber attack hit the 
U.S., crippling mobile phones and overwhelming both 
telephone infrastructure and the electricity grid.
RF’s Military Doctrine and Principles of state policy on 
nuclear deterrence to 2020, on Information Warfare: 
• RF’s Military Doctrine and Principles of state policy on nuclear deterrence to 2020, the following 
sections relate to Information Warfare: 
• 12. (d) Acknowledgment of the intensification of the role of information warfare in 
contemporary military conflict. 
• 13. (d) The prior implementation of measures of information warfare in order to achieve 
political objectives without the utilization of military force and, subsequently, in the interest of 
shaping a favorable response from the world community to the utilization of military force. 
• 41. The tasks of equipping the Armed Forces and other troops with armaments and military 
and specialized equipment are: (c) to develop forces and resources for information warfare. 
• But what if 41 (c) said “to develop state and non-state actors as forces in the use of 
information warfare”? 
Can you imagine the uproar that would occur; that Russia has “outed” its own use of non-state 
actors? Well, that’s essentially what this document has done for the U.S. government.
From Russian Military Thought Leaders 
• There is no need to declare war against one’s enemies and to 
actually unleash more or less large military operations using 
traditional means of armed struggle. This makes plans for 
“hidden war” considerably more workable and erodes the 
boundaries of organized violence, which is becoming more 
acceptable. 
• Viruses are viewed as force multipliers that can turn the initial 
period of war into pure chaos if they are released in a timely 
manner. (See Russia-Georgia War)
Make No Mistake You and America Are the Target 
• Protect your Computer 
• You are only a click away from anywhere in the world 
• Report to FBI or appropriate US Government Agencies any 
cyber attempts to compromise your identity or accounts. 
• If you see something say something 
• Get involved and stay vigilant 
• It Takes a Network to Defeat a Network 
• You are part of our network
Paul M. Joyal 
NSI | Managing Director, Public Safety and Homeland Security Practice 
1400 Eye Street NW, Suite 900 | Washington, DC 20005 
T 202.349.7005 (direct) | M 571.205.7126 
pjoyal@nationalstrategies.com 
www.nationalstrategies.com
