Information Warfare Monitor

The Information Warfare Monitor (IWM) was an advanced research activity tracking the emergence of cyberspace as a strategic domain. Created in 2003, it closed in January 2012. It was a public-private venture between two Canadian institutions: The SecDev Group, an operational think tank based in Ottawa (Canada), and the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The Principal Investigators and co-founders of the Information Warfare Monitor were Rafal Rohozinski (The SecDev Group) and Ronald Deibert (Citizen Lab). The Information Warfare Monitor was part of the Citizen Lab's network of advanced research projects, which include the OpenNet Initiative, the Fusion Methodology Centre, and PsiLab.

It was an independent research effort whose stated mission was to build and broaden the evidence base available to scholars, policy makers, and others.

The research of the Information Warfare Monitor was supported by the Canada Centre for Global Security Studies (University of Toronto), a grant from the John D. and Catherine T. MacArthur Foundation, in-kind and staff contributions from the SecDev Group, and a donation of software from Palantir Technologies Inc.

History

The Information Warfare Monitor was founded in 2003 by Rafal Rohozinski (Advanced Network Research Group, Cambridge University) and Ronald Deibert (Citizen Lab, Munk School of Global Affairs, University of Toronto), as a sister project to the OpenNet Initiative, of which Deibert and Rohozinski were principal investigators along with John Palfrey (Berkman Center for Internet and Society, Harvard University) and Jonathan Zittrain (Oxford Internet Institute).

Between 2003 and 2009, the IWM carried out a number of studies, including monitoring the status of the Iraqi Internet during the 2003 invasion, the 2006 Israel-Hezbollah war, the 2008 Russia-Georgia war, and the January 2009 Israeli operations in Gaza.

The Information Warfare Monitor was also an organizing partner for two Russia-NATO workshops examining information warfare and cyber terrorism.

The Information Warfare Monitor project closed in January 2012. [1]

Activities

The Information Warfare Monitor engaged in three primary activities:

Case studies - The Information Warfare Monitor designed and carried out active case study research. These were self-generated activities consistent with the IWM's mission. It employed a rigorous, multidisciplinary approach to all case studies, blending qualitative, technical, and quantitative methods. As a general rule, its investigations consisted of at least two components:

Field-based investigations - The IWM engaged in qualitative research among affected target audiences and employed techniques that included interviews, long-term in situ interaction with partners, and extensive technical data collection involving system monitoring, network reconnaissance, and interrogation. Its field-based teams were supported by senior analysts and regional specialists, including social scientists, computer security professionals, policy experts, and linguists, who provided additional contextual support and substantive back-up.

Technical scouting and laboratory analysis - Data collected in the field was analyzed using a variety of advanced data fusion and visualization methods. Leads developed on the basis of in-field activities were pursued through "technical scouting," including computer network investigations, and the resulting data and analysis were shared with in-field teams and partners for verification and for generating additional entry points for follow-on investigations.

Open source trend analysis - The IWM collected open source information from the press and other sources tracking global trends in cyberspace. These were published on its public website.

Analytical workshops and outreach - The IWM worked closely with academia, human rights organizations, and the defense and intelligence community. It published reports and occasionally conducted joint workshops. Its work was independent and not subject to government classification; its goal was to encourage vigorous debate around critical policy issues. This included engaging in the ethical and legal considerations of information operations, computer network attacks, and computer network exploitation, including the targeted use of Trojans and malware, denial of service attacks, and content filtering. [2]

Publications

Breaching Trust: An Analysis of Surveillance and Security Practices on China's TOM-Skype Platform (2008)

In 2008, the Information Warfare Monitor discovered a surveillance network operated by Skype and its Chinese partner, TOM Online, which routinely and insecurely collected, logged, and stored millions of records, including personal information and contact details for text chats and voice calls placed to TOM-Skype users, including those originating from the regular Skype platform. [3]

Tracking GhostNet: Investigating a Cyber Espionage Network (2009)

In 2009, after a 10-month investigation, the Information Warfare Monitor discovered and named GhostNet, a suspected cyber-espionage operation, based mainly in the People's Republic of China, which had infiltrated at least 1,295 computers in 103 countries. Close to 30% of these computers were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs. [4]

Shadows in the Cloud: Investigating Cyber Espionage 2.0 (2010)

In its 2010 follow-up report, Shadows in the Cloud: Investigating Cyber Espionage 2.0, the Information Warfare Monitor documented a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems belonging to the Indian government, the Offices of the Dalai Lama, the United Nations, and institutions in several other countries. The investigation recovered a large quantity of stolen documents, including sensitive and classified materials, belonging to government, business, academic, and other politically sensitive targets. [5]

Koobface: Inside a Crimeware Network (2010)

Having discovered archived copies of the Koobface botnet's infrastructure on a well-known Koobface command and control server, Information Warfare Monitor researchers documented the inner workings of Koobface in their 2010 report, Koobface: Inside a Crimeware Network. [6] The researchers found that in just one year, Koobface had generated over US$2 million in profits. [7]

Related Research Articles

Information warfare: battlespace use and management of information and communication technology

Information warfare (IW) is the battlespace use and management of information and communication technology (ICT) in pursuit of a competitive advantage over an opponent. It is different from cyberwarfare that attacks computers, software, and command control systems. Information warfare is the manipulation of information trusted by a target without the target's awareness so that the target will make decisions against their interest but in the interest of the one conducting information warfare. As a result, it is not clear when information warfare begins, ends, and how strong or destructive it is.

Citizen Lab: digital research center at the University of Toronto

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. It was founded by Ronald Deibert in 2001. The laboratory studies information controls that impact the openness and security of the Internet and that pose threats to human rights. The organization uses a "mixed methods" approach which combines computer-generated interrogation, data mining, and analysis with intensive field research, qualitative social science, and legal and policy analysis methods. The organization has played a major role in providing technical support to journalists investigating the use of NSO Group's Pegasus spyware on journalists, politicians and human rights advocates.

Ronald Deibert: Canadian academic (born 1964)

Ronald James Deibert is a Canadian professor of political science and the founder and director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto.

Crimeware is a class of malware designed specifically to automate cybercrime.

The OpenNet Initiative (ONI) was a joint project whose goal was to monitor and report on internet filtering and surveillance practices by nations. Started in 2002, the project employed a number of technical means, as well as an international network of investigators, to determine the extent and nature of government-run internet filtering programs. Participating academic institutions included the Citizen Lab at the Munk Centre for International Studies, University of Toronto; Berkman Center for Internet & Society at Harvard Law School; the Oxford Internet Institute (OII) at University of Oxford; and, The SecDev Group, which took over from the Advanced Network Research Group at the Cambridge Security Programme, University of Cambridge.

Proactive cyber defense, means acting in anticipation to oppose an attack through cyber and cognitive domains. Proactive cyber defense can be understood as options between offensive and defensive measures. It includes interdicting, disrupting or deterring an attack or a threat's preparation to attack, either pre-emptively or in self-defence.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

GhostNet is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying operation discovered in March 2009. The operation is likely associated with an advanced persistent threat, or a network actor that spies undetected. Its command and control infrastructure is based mainly in the People's Republic of China and GhostNet has infiltrated high-value political, economic and media locations in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised.

Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information, using methods on the Internet, networks, or individual computers, including proxy servers, cracking techniques, and malicious software such as Trojan horses and spyware. Cyber espionage can be used to target various actors (individuals, competitors, rivals, groups, governments, and others) in order to obtain personal, economic, political, or military advantages. It may be perpetrated wholly online from the desks of professionals in far-away countries, may involve infiltration at home by computer-trained conventional spies and moles, or may in other cases be the criminal handiwork of amateur malicious hackers and software programmers.

Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into many sensitive computer networks. It is a cyber spying computer program. The "RAT" part of the name refers to the software's ability to operate as a "Remote Administration Tool".

Operation Aurora was a series of cyber attacks performed by advanced persistent threats such as the Elderwood Group based in Beijing, China, with associations with the People's Liberation Army. First disclosed publicly by Google on January 12, 2010, by a weblog post, the attacks began in mid-2009 and continued through December 2009.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Cyberwarfare is the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and power projection thanks to comparatively advanced technology and a large military budget. Cyber warfare presents a growing threat to physical systems and infrastructures that are linked to the Internet. Malicious hacking from domestic or foreign adversaries remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.

Informatized warfare of China is the implementation of information warfare (IW) within the People's Liberation Army (PLA) and other organizations affiliated with or controlled by the Chinese Communist Party (CCP). Laid out in the Chinese Defence White Paper of 2008, informatized warfare includes the utilization of information-based weapons and forces, including battlefield management systems, precision-strike capabilities, and technology-assisted command and control (C4ISR). However, some media and analyst reports also use the term to describe the political and espionage efforts of the Chinese state.

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).

Morgan Marquis-Boire: New Zealand hacker, journalist, and security researcher

Morgan Marquis-Boire is a New Zealand-born hacker, journalist, and security researcher. Marquis-Boire previously served as an advisor to the Freedom of the Press Foundation. He was a Special Advisor to the Electronic Frontier Foundation (EFF) and advisor to the United Nations Interregional Crime and Justice Research Institute. He was the Director of Security at First Look Media and a contributing writer at The Intercept. He has been profiled by Wired, CNN, Süddeutsche Zeitung, and Tages Anzeiger. He was one of Wired Italy 's Top 50 people of 2014. In March 2015 he was named a Young Global Leader.

CyberHumint refers to the set of skills used by hackers, within cyberspace, to obtain private information by attacking the human factor using various psychological deceptions. CyberHumint combines traditional human espionage methodologies (agent recruitment and information gathering through deception, traditionally known as HUMINT) with deception techniques known as social engineering.

The Shadow Network is a China-based computer espionage operation that stole classified documents and emails from the Indian government, the office of the Dalai Lama, and other high-level government networks. It was the second cyber espionage operation of this sort attributed to China and discovered by researchers at the Information Warfare Monitor, following the discovery of GhostNet in March 2009. The Shadow Network report, "Shadows in the Cloud: Investigating Cyber Espionage 2.0", was released on 6 April 2010, approximately one year after the publication of "Tracking GhostNet".

Candiru is a Tel Aviv-based technology company offering surveillance and cyberespionage technology to governmental clients.

References

  1. "Information Warfare Monitor Project Closure". January 2012. Archived from the original on 4 December 2012. Retrieved 25 October 2016.
  2. "About - Information Warfare Monitor". Archived from the original on 4 September 2012. Retrieved 25 October 2016.
  3. "Breaching Trust: An Analysis of Surveillance and Security Practices on China's TOM-Skype Platform". Retrieved 11 September 2010.
  4. "Tracking GhostNet: Investigating a Cyber Espionage Network". Retrieved 11 September 2010.
  5. "Shadows in the Cloud: Investigating Cyber Espionage 2.0". Retrieved 11 September 2010.
  6. "Koobface: Inside a Crimeware Network" (PDF). Archived from the original on 14 September 2012. Retrieved 25 October 2016.
  7. "Meet Koobface, Facebook's evil doppelgänger". Retrieved 12 November 2010.