@War: The Rise of the Military-Internet Complex (31 page)

Analysts were able to track the source of some traffic back to particular Internet addresses. Internet service providers blocked them, but then the flood just came from someplace else. As with the intrusions into the natural gas companies, the highest levels of government went on alert. But this time officials found themselves facing a more formidable adversary. The spies who targeted the gas companies seemed to want information and not to damage pipelines. But the bank attackers wanted to disrupt the companies' operations and sow panic among customers and in the financial industry. Their strategy worked, perhaps better than intended. Bank security personnel were panicked by the amount of traffic being fired at them, according to former US officials who responded to the attacks. “For the first two or three weeks, there were some very late nights” as officials tried to trace the source of the attacks and understand their motive, says Mark Weatherford, then deputy undersecretary for cyber security at the Homeland Security Department, its top cyber security official.

And that was the other troubling feature of this attack—it didn't stop after a single strike. Indeed, the attackers, who called themselves the Izz ad-Din al-Qassam Brigades, kept coming at the banks and adding new targets. And they continued their work into the next year. In 2013 the NSA identified approximately two hundred additional bank website attacks emanating from the same group. The attackers claimed to be a band of anti-American vigilantes carrying out the strikes in retaliation for an amateur online video called
The Innocence of Muslims
, which depicted Mohammed as a bloodthirsty pedophile and sparked protests across the Middle East. But US intelligence officials suspected this was a cover story, and that the attackers were really working on behalf of the government of Iran, possibly exacting revenge for the cyber strike on the Natanz nuclear facility.

For the past few years, American intelligence agencies had been tracking an Iranian buildup of cyber forces. Leaders of the Iranian Revolutionary Guard Corps, which owned the biggest telecommunications company in Iraq, had spoken openly about their ambitions to build a cyber army to rival that of the United States. Analysts believed the force was growing and comprised a network of intelligence and military units as well as patriotic “hacktivists.” Reportedly, the Iranian regime had spent more than $1 billion since 2011 on offense and defensive capabilities, in response to the Stuxnet attack as well as two other computer viruses that infected systems in Iran and were widely presumed to be the work of American and Israeli intelligence services.

Only a nation had the financial and technical resources, as well as the expertise and the motive, to pull off the operation against the banks, US officials concluded. “The scale and sophistication of the attacks was off the charts. It couldn't have been some guy in his basement,” Weatherford says.

What had at first seemed like an ordinary denial-of-service attack was now a potential international cyber war of unprecedented proportions. The question arose among senior US officials: could the United States launch a retaliatory cyber strike against Iran? Officials debated whether hitting an Iranian critical infrastructure would compel the attackers to stop, and whether such a strike was even legal. There was no clear answer and no consensus. Banks were a critical infrastructure by the government's own definition. But the attackers were targeting websites, not account information or the systems that handle interbank transactions. This was not the nightmare scenario Mike McConnell had painted for George W. Bush in 2007. Weatherford says that the senior Homeland Security official in charge of the department's cyber emergency response efforts came to him with no good options. “He said, ‘We have no playbook for this.'”

Officials grew concerned that a denial-of-service attack of this scale, if directed at other corporate computer networks, could cause physical disruption, not just inconvenience. US officials stayed in daily contact with the banks and their Internet service providers. The attackers announced in online forums when they planned to launch a new round of strikes. Each time the banks and the government braced for incoming. “There was some pretty significant concern by the ISPs and the federal government that we could get overwhelmed,” Weatherford says. “And that this could affect other critical infrastructure and the Internet itself.”

 

After al-Qassam announced one of its rounds of strikes, the chief security officer for an ISP confronted Weatherford and, by extension, the entire government. “What are you guys doing about this?” the executive asked him. “An event is about to happen any day now that will cause national-level impact. What is the government going to do?”

Weatherford tried to assure him that the situation was under control, but he knew there was no counteroffensive coming. In fact, Weatherford thought the NSA was taking too long to declassify threat intelligence that could help defend the banks. The agency had to scrub the information off all sources and methods about how it was gathered before passing it to Homeland Security, which made it available to the ISPs. Weatherford says he phoned NSA officials every day and urged them to quickly make more intelligence available to the companies before the next round of strikes. “It took six hours to turn the information around. But the event might last only six hours,” he says.

A group of financial executives pressed their case personally in a meeting with NSA officials.
They wanted to know why the government didn't just attack the sources of the traffic floods and take them offline, as if firing cruise missiles at an enemy encampment. The NSA officials told the executives they were stockpiling cyber weapons, primarily thousands of zero day exploits, to use during a national emergency or if the country ever went to war. “Once we use one of them, we can never use it again,” an official explained, according to a senior financial executive who participated in the meeting. “You really want us to waste these weapons just because your websites are down?”

The executives backed off.

The bank attacks were a test of national will. The NSA and the military would not respond with force unless the attackers threatened the transactional infrastructure of the financial services sector, or corrupted the accounts data so that they were no longer reliable. There'd have to be a crippling cyber attack that caused ripple effects in the broader society before the government would retaliate. Taking down a website, however frightening, wasn't justification for war. Nor was espionage.

For the banks—for all companies that suffered the onslaught of foreign cyber attackers and marauders—it raised the obvious question: if the government wasn't going to rescue them, who would?

THIRTEEN

T
HIRTY MILES FROM
downtown Washington, DC, in the suburb of Gaithersburg, Maryland, a low-slung office building sits across a busy highway from a Sam's Club, a truck dealership, and a Toys “R” Us. The pair of security guards at the gated checkpoint are the first clue that this isn't another box store or an ordinary office park. In a mostly windowless 25,000-square-foot wing of the building is a cyber watch center. There a few dozen analysts and malware researchers monitor traffic as it moves across a globally dispersed network of computers and servers that contain some of the most highly classified information in the United States, including designs for military fighter jets, missile control systems, and spy satellites. But this facility, which could pass for a top-secret command post at Fort Meade or the Pentagon, is neither owned nor controlled by the government. The NexGen Cyber Innovation & Technology Center, as it's properly called, is run by Lockheed Martin, the largest federal government contractor. Here, and in centers like it in Denver, Farnborough, England, and Canberra, Australia, a company that made its name building weapons systems is creating a new business in cyber defense.

It's a subject that Lockheed learned about firsthand when it was targeted by Chinese hackers who stole plans for the Joint Strike Fighter in 2006. The company is the largest seller of information technology goods and services to civilian and intelligence agencies and the military, and as such it remains a huge target. It spent the first few years after the 2006 attack closely studying the methods and techniques of hackers trying to break in to its classified systems and steal more of the government's secrets. A young Lockheed analyst named Eric Hutchins heard some pilots use the term “kill chain” to describe all the steps they went through before ever firing a weapon, from identifying a target to geographically fixing its location to tracking it. It occurred to Hutchins that the sophisticated hackers trying to penetrate Lockheed's networks also followed a step-by-step process, scouting out a target, acquiring malware, firing off a spear phish, and ultimately stealing data.
Working with two colleagues, he appropriated the military's concept and the “cyber kill chain” became the foundation of Lockheed's defense strategy, one it uses now to protect not only its own networks but those of some of its government customers, as well as banks, pharmaceutical companies, and at least seventeen public utilities that share information with the company and let it scan their traffic for threats.

The cyber kill chain has seven distinct steps, most of them offering an opportunity to block an intrusion or an attack before it occurs. The chain starts with reconnaissance. Lockheed monitors what keywords people are searching on Google and other search engines that lead them to the company's website. Hackers look for names of employees in company press releases and on Lockheed web pages in order to better tailor their spear-phishing e-mails. They identify program managers working on particular government contracts. They even keep track of speeches executives give so they can craft an e-mail that relates to a planned event. The company will alert employees who appear to be potential targets, so they know to be especially careful when opening documents attached to e-mails or clicking on links.

In step two, what Lockheed calls “weaponization,” analysts look for telltale forensic evidence of malware; for instance, an infected pdf document attached to an e-mail. Lockheed maintains a database of all the infected Adobe pdf files its analysts have ever seen, and it programs the information into scanners that automatically examine every e-mail that's sent to an employee, and quarantines potential carriers of malware.

The kill chain continues through the process of “delivery” (sending malware via an e-mail or an infected USB drive, for instance), “exploit,” in which analysts pay particular attention to finding zero days (they have discovered at least three specifically targeting Adobe products, Hutchins says), “installation” onto a computer, “command-and-control” communication with a host machine, and, finally, “actions on objectives” (stealing files, erasing data, or destroying a piece of physical machinery). At step seven, a hacker poses the greatest threat. If Lockheed analysts detect such an action, they immediately notify the target company's CEO. Hackers spotted earlier in the chain, say at step three, pose less of a threat, because they still have a number of steps to complete before they can cause any damage. If analysts determine that a hacker may try to infect computers using USB drives, a company can program its systems not to allow any USB drives to run computer code. The earlier in the chain that Lockheed or anyone using the kill chain can install a defense, the more secure it will be.

Using the kill chain model, Lockheed has been able to alert its customers to potential intrusions before they occur, according to retired general Charlie Croom, vice president of cyber security solutions.
Lockheed doesn't disclose who those customers are, so it's impossible to verify that claim. And the kill chain concept sounds like common sense. But many cyber security experts, including those who work for Lockheed's competitors, say it marked a turning point in the evolution of cyber defense when the company unveiled the concept in 2011. The kill chain broke down intrusions into discrete actions and moments, each of which offered defenders an opportunity to block their adversaries. And those defenders could marshal their resources more efficiently, because not every warning sign had to be treated as an emergency. The kill chain offered a conceptual map for how to build layers of defenses farther away from a target, and to block the intruders before they got too close.

The kill chain was important for another reason: it was developed by a corporation, not a government agency. Hutchins, who at thirty-four is Lockheed's chief intelligence analyst, had never worked for the government, nor did he serve in the armed forces. In fact, he's never worked anywhere but Lockheed, which he joined in 2002 after graduating from the University of Virginia with a degree in computer science. Lockheed is stocked with former government officials and military officers—among them Croom, who ran the Defense Information Systems Agency until he retired in 2008. But Lockheed developed the kill chain as a way of protecting itself, rather than relying on help from the NSA or any other agency. And then it turned that knowledge into a business.

Today Lockheed's cyber analysts monitor traffic on their own network, but they also receive information from about fifty defense companies that also work on sensitive and classified government programs. Lockheed is also the main contractor for the Defense Cyber Crime Center, the largest cyber forensics organization in the government, which handles counterterrorism and counterintelligence cases. And the company manages the Global Information Grid, applying its kill chain methodology to the Defense Department's secure worldwide information technology network. The contract is worth up to $4.6 billion. On just its own networks, Lockheed monitors about two billion individual transactions per day—every e-mail sent and received, every website visited, any action that leaves a digital record or log. All the data is stored for a year, and any information related to malicious activity is kept indefinitely. Lockheed has effectively built a library of hacker history from which it can draw when studying new intrusions. Using older data, analysts have discovered that more recent intrusions are actually part of broader campaigns that began months or years earlier and targeted several companies and organizations. Croom says that when he retired from the military in 2008, the Defense Department had identified and was tracking approximately fifteen campaigns attributed to nation-states. Today Lockheed is tracking about forty campaigns. The Defense Department is tracking some of the same ones—Croom declines to say which—and the company shares its information with the government through the Defense Industrial Base program. Lockheed has also discovered six campaigns that the Defense Department didn't know about, Croom says. The details are now classified.