Bundesamt für Verfassungsschutz Electronic Attacks with an Intelligence Background

Aug 04, 2020

Contents

Risks to Modern Information Society

Germany as a Target of Espionage

Definition of Electronic Attacks

Methods of Attack

Example: G20 Summit

Attacks on Trade and Industry

Cyber-Sabotage Targeting National Critical Infrastructures

Co-operation in the National Cyber Response Centre

Conclusion


Risks to Modern Information Society

Until 20 years ago, newspapers, radio, and TV as well as phone, fax, and traditional mail prevailed in our everyday communications. In the early nineties, the computer, Internet, emails, mobile phones, and other forms of digital media made an entrance into our everyday lives.

This continuing digital revolution has rapidly changed the world in the past decades. It has influenced the individual communicative behaviour in society, and it has multiplied the quantity of information quickly available.

Apart from new liberties and conveniences, also new dependences and risks have emerged. The information and communication technology creates new spaces, but it is simultaneously exposed to various threats.

The Bundesamt für Verfassungsschutz (BfV) has been observing for some time how extremists and terrorists use the new technologies for their own purposes and adapt their forms of agitation and their strategies to the new possibilities. There are also various possibilities offered to foreign intelligence services by the rapid development in information and communication technology: possibilities which may be exploited for data spying, data alteration and computer sabotage. So the protection of highly sensitive information as well as of national critical infrastructures has become a priority in the context of internal security in recent years, for almost our entire social dealings depend on a well and reliably working IT infrastructure these days.


Our modern information society is currently being faced with the challenge to maintain a balance between security interests and civil rights and liberties on the one hand and on the other hand to counter the various threats posed by the digital revolution in an efficient and forward-looking way.

It is the task of BfV’s counterintelligence in particular to find ways how to reliably protect IT systems against unauthorised access by foreign intelligence services. Thus, we feel it our duty to identify illicit measures of foreign services on German territory in a timely manner and to prevent them.


Germany as a Target of Espionage

The Federal Republic of Germany is, due to its geopolitical position, its role in the European Union and in NATO, as well as its being a site for numerous leading-edge technology enterprises, attractive to foreign intelligence services. Its open and pluralistic society makes it easy for foreign powers to collect information. This intelligence collection takes place both overtly and covertly.

The intelligence and security services of the People’s Republic of China and the Russian Federation in particular are engaged in extensive espionage activities against Germany. Their priorities depend on the political guidelines set by their governments.

This includes the statutory or official task to support the country’s national economy by providing information collected by intelligence methods.

The sustainability and global orientation which characterises the presumed attackers’ intelligence collection efforts are clear evidence of a strategic intelligence collection approach.

The “classical” means of espionage such as the use of human sources continue to be a major part of espionage activities against Germany. This has recently been confirmed by a couple sentenced to several years in prison (in 2013). For more than twenty years, both the husband and his wife had worked, using false identities, for a Russian external intelligence service.


Besides, technical intelligence collection methods have continuously been gaining in importance. Another undisputed fact is that apart from China and Russia also the intelligence services of other states have the resources to be able to carry out similar technical intelligence collection measures against German targets from abroad.


Definition of Electronic Attacks

Since 2005, extensive targeted electronic attacks against federal agencies, political decision-makers and commercial enterprises have been noted, which have been and continue to be of a high quality standard and which pose a serious threat to information security in these areas.

The large number of sophisticated cyber-espionage attacks solely against German federal agencies observed by us for many years has shown that there is a serious threat to the security of German IT systems. Of special interest to the attackers are the fields of foreign affairs and security policy, finance as well as the military and armaments.

In Germany, the BfV and the LfVs are responsible for the investigation of intelligence activities or activities endangering security on behalf of a foreign power. Other responsibilities of the BfV as part of the German security architecture are

• countering electronic attacks carried out by foreign intelligence services against targets at home and against German diplomatic missions abroad;

• countering electronic attacks carried out by extremists or terrorists against targets at home and against German diplomatic missions abroad.

The term ‘electronic attacks’ commonly refers to targeted manoeuvres by means of and against IT infrastructures. These include activities aimed at collecting information, but also efforts designed to destroy or sabotage those systems.


Such activities are

• spying out, copying and modifying data,

• taking over third parties’ electronic identities,

• misusing or sabotaging IT infrastructures, as well as

• taking over computer-controlled web-based manufacturing and control systems.

These attacks may be carried out:

• from outside via computer networks (such as the Internet)

or

• by direct, not web-based access to a computer (e.g. by means of manipulated hardware components).

Electronic attacks have become an additional major means of information collection for foreign intelligence services in recent years. There are various reasons for that:

• Electronic attacks are an efficient means of information collection whose investigation by those concerned is complex, with the anonymity of the Internet making an identification and tracing of the perpetrators extremely difficult.

• In addition, such attacks are inexpensive, can be carried out in real time and have excellent prospects of success.


The potential threat posed by electronic attacks against German targets which are controlled by an intelligence service is much more serious at present than that from electronic attacks carried out by extremists or terrorists, such as defacements or DDoS attacks. The attacks differ considerably in quantity and quality as well as in the financial and human resources available to the perpetrators.

Foreign intelligence services are mainly interested in information which can be gathered from state institutions. The persistent electronic attacks with a presumed intelligence background against federal agencies demonstrate the important role of this modus operandi.

The length of some attack operations and the global orientation in selecting subjects and victims clearly point to strategic state-controlled intelligence procurement activities.


Methods of Attack

The number of undetected electronic attacks must still be assessed as being large, because the methods have become more and more sophisticated. The attackers have continuously been developing and refining the malware used, thus increasing the efficiency of such attacks.

Even the latest antivirus software cannot detect such malware!

Electronic attacks are so dangerous (and “successful”) because they are hard to detect and are often not recognised even by victims with pronounced security awareness. Malicious mails are generally characterised by excellent “social engineering”, i.e. they are tailor-made so that they meet the victims’ fields of interest or responsibility, thus raising no suspicion at first view. Furthermore, the senders’ addresses of such emails are forged in a way that they seem to belong to a sender known to the victim.

Apart from the classical email involving a Trojan, where the malicious program is mostly contained in the annex and will only be activated when the annex is opened, other very sophisticated and scarcely identifiable methods of attack have meanwhile been used. These include so-called drive-by infections: The attackers create websites containing malicious software or hack and manipulate existing websites. The selected victims are systematically approached by sending emails and induced to visit the infected websites via links. In addition, data carriers distributed as advertising media for example (USB sticks, flash cards, CDs etc.) are used to infiltrate malware.
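The indicators described in this section (a sender address made to look like a known contact, an attachment, links to prepared websites) can be checked mechanically when mail is triaged. The following Python example is added here and is not part of the BfV brochure; the contact directory, the finding labels, the 0.85 similarity threshold and both sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: a directory of genuine correspondents (constructed sample data).
KNOWN_CONTACTS = {
    "anna.becker@finance.example.org": "Anna Becker",
    "j.schmidt@ministry.example.org": "Jonas Schmidt",
}
KNOWN_DOMAINS = {addr.split("@")[1] for addr in KNOWN_CONTACTS}
NAME_TO_ADDR = {name.lower(): addr for addr, name in KNOWN_CONTACTS.items()}
URL_HOST = re.compile(r"https?://([^/\s:>]+)", re.I)

def is_lookalike(domain, threshold=0.85):
    """True if domain closely resembles, but is not, a known domain."""
    if domain in KNOWN_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, known).ratio() >= threshold
               for known in KNOWN_DOMAINS)

def is_trusted_host(host):
    """True if host is a known domain or one of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)

def triage(raw_message):
    """Return the spoofing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Display name of a known contact paired with an address that is not theirs.
    if NAME_TO_ADDR.get(name.strip().lower(), addr) != addr:
        findings.append("display-name-mismatch")
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    # Replies steered to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != domain:
        findings.append("reply-to-diverges")
    # Verdicts recorded by the receiving mail server, if present.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if any(f"{mech}=fail" in auth for mech in ("spf", "dkim", "dmarc")):
        findings.append("auth-fail")
    # Delivery vectors named in the text: attachments and links to websites.
    for part in msg.walk():
        if part.get_filename():
            findings.append("attachment")
        elif part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if any(not is_trusted_host(h) for h in URL_HOST.findall(body)):
                findings.append("external-link")
    return findings

# Constructed sample: known display name, one-character domain swap, no real payload.
SPOOFED = """\
From: "Jonas Schmidt" <j.schmidt@ministry.examp1e.org>
Reply-To: j.schmidt@mail.example.net
Subject: Summit briefing
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=ministry.examp1e.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached agenda. Mirror: http://summit-docs.example.net/agenda
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="agenda.doc"

constructed placeholder, no real payload
--b1--
"""
# Constructed sample: genuine mail from a listed contact.
LEGIT = """\
From: "Anna Becker" <anna.becker@finance.example.org>
Subject: Minutes
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Minutes: https://intranet.finance.example.org/minutes
"""

if __name__ == "__main__":
    print(triage(SPOOFED), triage(LEGIT))
```

Findings mark a message for analyst review; a message with no findings has only passed these header and content checks.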


Example: G20 Summit

In connection with major financial and/or economic meetings, there has regularly been an increase in the number of electronic attacks. So in 2013, as reflected by trends in previous years, attacks were noted which were related with the G20 Summit held in Saint Petersburg (Russia) on 5 and 6 September 2013. Apart from several federal ministries, also the banking sector was targeted. In skilfully arranged emails sent to senior decision-makers and their direct assistants, a communication of the Sherpa Group was faked. This was done in an effort to make the unsuspecting recipients of the mails rashly open the malicious annex, thus setting off an infection of the systems.

The information obtained in this way would - in theory - have allowed the attacker to assess the decisions of this meeting on issues of international financial and economic policies, of energy, climate and development policies, as well as of anti-corruption policy already in advance and to react accordingly.

Such information is of particular interest to foreign intelligence services. On account of the characteristics and existing parallels with other attacks on the German government’s network, the origin of these attacks of 2013 is supposed to be in China.


Attacks on Trade and Industry

Apart from guaranteeing the integrity of the government’s IT systems, the security of IT systems in the economic sector is one of BfV’s priorities.

It is clear that cyber-espionage is an efficient method of intelligence collection not only in the public sector, but especially in the industrial sector and research area.

For economic reasons mainly, potential victims often rely on standard IT components, which may contain vulnerabilities that can be exploited by attackers. Also the increasing use of mobile devices (smartphones, tablet computers) with access to the company’s network offers new possibilities of infiltrating a system.

Successful attacks of espionage – either by traditional methods of intelligence gathering or by means of electronic attacks – may cause immense damage to the country’s national economy if there is an outflow of intellectual property from research centres and private companies. On the whole, electronic attacks by all the various groups of perpetrators have already caused financial damage to Germany’s economy which is estimated at several billions of euros up to now.

The main targets include companies specialised in the fields of armaments, automobiles, aerospace as well as satellite technology. In addition, technological enterprises and research institutes close to industry are the focus of attention.

As opposed to attacks on federal agencies, electronic attacks on private companies are more prone to escape the security agencies’ notice because of the companies’ decentralised IT structures, to which state authorities have no access.


Another factor is that private companies only rarely contact the security agencies on their own initiative in order to report relevant IT incidents.

• We are aware of the companies’ fears to lose prestige and to sustain drops in turnover if a successful attack of espionage or sabotage becomes public knowledge.

• We are, however, able to offer advice, without the necessity of reporting the relevant incidents to the police.

• We can also refer companies seeking advice to competent members of other German security agencies, who can provide support.

Confidentiality is one of our top priorities in our offer of advice and support!


Cyber-Sabotage Targeting National Critical Infrastructures

The term ‘electronic attacks’ does not only refer to activities aimed at collecting information by electronic means. It also includes electronic acts of sabotage systematically carried out against so-called national critical infrastructures, acts which pose a considerable potential threat to internal security.

The malware used for electronic attacks to gather information, i.e. espionage malware, can basically also be used for the purposes of sabotage. If an attacker has gained access to an IT system, he can perform a variety of manoeuvres there without being hampered, including those against its integrity and availability.

A country’s national critical infrastructures include organisations and facilities of primary importance to the community. They are essential for the functioning of a society and economy, their failure or disruption would entail severe supply shortages, considerable disturbances of public security or have other dramatic effects.

A medium-term or long-term paralysation of power stations, hospitals, railway stations or airports, for example, would certainly cause immense chaos.


Sectors defined as critical infrastructures are:

• Energy

• Information technology and telecommunications

• Transport and traffic

• Health

• Water

• Food

• Finance and insurance industry

• Government and public administration

• Media and culture

So national critical infrastructures are facilities we depend on, facilities which are vital to our modern society. Nobody wants to imagine the chaos which might arise in case of long-term breakdowns or system failures in above-mentioned sectors.

There is no evidence of a direct threat to national critical infrastructures in Germany from extremists or terrorists at present. There are no indications that the latter do have the IT expertise required and the human as well as financial resources to carry out attacks on complex IT systems provided that those systems are appropriately protected and safeguarded.


Nevertheless, there have been some efforts by extremist and/or terrorist groups to acquire such know-how.

Military agencies and intelligence services of foreign states are currently judged to be more capable of carrying out attacks on national critical infrastructures – though this threat must be described as being rather abstract at present. Some states are supposed to be able - considering their financial, technical and human resources - to commit electronic acts of sabotage. But there is currently no evidence of such activities which might be directed against Germany.

This assessment, however, just represents a snapshot. There are still political and military imponderables as well as other factors which make it absolutely necessary to call attention to the risk of cyber-sabotage as a major challenge, which must be put on the security policy agenda.

In view of the immense damage such attacks could cause, we are going to heighten our awareness and alertness in this respect even more.

Besides, we must not forget that attacks on IT infrastructures of other countries might have an impact on Germany, too, due to the increasing degree of international networking in the field of IT systems.

BfV as Germany’s domestic intelligence service is quite aware of its role as the early warning system in our society and takes it seriously. So one of our priorities is to be ahead of the attackers, to know their aims and their modi operandi, and to prevent – in co-operation with national and international security agencies – electronic attacks from happening or at least to diminish the effects of a serious act of sabotage.


Co-operation in the National Cyber Response Centre

The increase in electronic attacks involves increasing challenges to and requirements on the security agencies.

On 23 February 2011, the Federal Cabinet adopted the “Cyber Security Strategy for Germany” developed by the Federal Ministry of the Interior. Its aim is to improve the security and safety of IT infrastructures as well as of information and communications technology in Germany.

A major component of this strategy is constituted by the National Cyber Response Centre (Cyber-Abwehrzentrum - Cyber-AZ) established in Bonn in April 2011. The agencies involved, including BfV, have been co-operating trustfully and efficiently within this centre for more than three years now, with the Federal Office for Information Security being the lead authority and each agency keeping its own responsibilities and regulations.

The aim of the Cyber-AZ is to optimise co-operation between state authorities in operational matters as well as to better co-ordinate security measures and countermeasures to be taken against potential cyber attacks.

The role of the Cyber-AZ is mainly that of a centre for the prompt and uncomplicated exchange of information between the agencies involved, allowing it to respond quickly and in a concerted manner to a cyber security incident. Especially in case of electronic attacks, where several security agencies are involved according to their respective responsibilities, close co-operation, particularly in terms of a daily exchange, is of utmost importance.


Conclusion

Due to the various threats posed by electronic attacks, not only the state authorities are required to take action to deal with this issue. We can only protect our community effectively if state and trade and industry jointly counter this increasing threat in close co-operation and in an environment of trust. Security agencies such as the BfV can give private enterprises advice in a discreet way and without any financial interests.

BfV’s essential role in this context is to provide a precise assessment of the threats and risks posed by electronic attacks, to analyse and attribute attacks which have occurred and finally to make the results of these analyses available and usable for threat prevention by taking protective measures.

Only reliable information on the intensity of a threat and the attribution of activities to an originator allows a legal categorisation and thus the right (also consequential) political decision. We receive intelligence from various internal and external sources of information such as human sources, malware detection systems, communications intelligence and other sorts of intelligence information collection.

Only an overall view and assessment of all this information allow BfV and its partners to make precise and solid statements on actors, their targets and modi operandi.


Imprint

Publisher
Bundesamt für Verfassungsschutz
Public Relations Section
Merianstraße 100
50765 Köln
oeffentlichkeitsarbeit@bfv.bund.de
www.verfassungsschutz.de
Phone: +49 (0) 221/792-0
Fax: +49 (0) 221/792-2915

Layout and Printing
Bundesamt für Verfassungsschutz
Print and Media Centre

Photo Credits
© Production Pering - Fotolia.com
© pressmaster - Fotolia.com
© Nmedia - Fotolia.com
© VRD - Fotolia.com
© Konstantin Yolshin - Fotolia.com
© Login - Fotolia.com
© Victoria - Fotolia.com
© Sergey Nivens - Fotolia.com
© seen - Fotolia.com
© Claireliot - Fotolia.com
© industrieblick - Fotolia.com
© peshkova - Fotolia.com
© mmmx - Fotolia.com
© FotolEdhar - Fotolia.com

Date of Information
July 2014

This brochure is released in the framework of the public relations work of the Bundesamt für Verfassungsschutz, and it may not be used in a way that might be construed as the Bundesamt für Verfassungsschutz’ taking sides with individual political groups. It is forbidden to hand out copies of this brochure during election rallies or at information stands of political parties or to use them for any other canvassing purposes. The political parties are allowed to pass the brochure on to their own members for their information.

Reproduction of excerpts only permitted with reference to the source.


For further information on the Bundesamt für Verfassungsschutz see:

www.verfassungsschutz.de