(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

From Wikipedia

Advanced persistent threat (APT) usually refers to a group, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of cyber espionage, but applies equally to other threats such as that of traditional espionage or attack.[1] Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.[2]

Advanced Persistent Threats Are Not New: 先进的威胁不是持久性的新功能:

The news cycle has been abuzz again as to how China is capable of beating the pants off of us in the hacking sphere and that we should be worried. I say, this is not news in any way and those of you who read this blog should already know this fact. For those of you who are not so familiar with the DoD space, the knowledge of what has been called APT has been around for quite some time. In fact, the term was coined in 2006 by the Air Force, but the attack structure of how the Chinese and other state actors had been using similar tactics on DoD infrastructure goes back to the 90’s (Moonlight Maze, Titan Rain).

So, hello world outside of the insular DoD and Infosec sphere, they have been around quite a while. In fact, one could make the extension that the Chinese line of thought called “The Thousand Grains of Sand” has been around far longer and has been used as their model of espionage for a very long time. Obviously the connections can also be made to Sun Tzu and his precepts on warfare, which just happen to involve a fair amount of espionage as the means to winning a war. It is little surprise to anyone who knows the Chinese mind and the teachings of Sun Tzu that China would apply these same precepts to another battle space (cyberspace), the fifth domain as the US military calls it now.

APT and Buzzword Bingo: APT和Buzzword的宾果:

Since the Aurora operation’s being publicised, the media and the Infosec industry have latched onto the term like a pit-bull on a gravy covered bone. Many companies have leveraged the term without really knowing the true meaning and have created a buzzword bingo game of epic proportions. All of these companies and pundits have over used the terminology, mainly incorrectly to start, and turned it into the boogey man du jour to make sales.

“The APT is out there.. Lurking.. Waiting to get into your networks and steal your data”

While this may be true for some, it is not true for all. Over the years the Chinese have made it their business to steal a lot of data. Some of it you would readily see as important militarily or for industrial espionage. Some of the data though, is more arcane to understand as to the reasons that they would make the efforts that they have to get it. Overall though, one must understand yet again the Eastern mind (particularly the Chinese) to conclude that they seek many “soft power” means to effect their goals. This is the key fact to understand, so yes, your company that makes the next best widget might in fact be a target of the Chinese TRB (Technical Reconnaissance Bureau).

So, yes, you must be cognisant of the APT in any business that your company carries out online. However, one thing must be accepted by you and your company to judge how you will respond.

“The Advanced Persistent Threat will, in the end, most likely win and compromise your systems. Simply because as state actors, they have the means to do so and you, the target, will always have someone willing to click on a link and compromise their systems”

This must be accepted and understood before you even attempt to listen to any vendor who says they can help you with your APT problems. Just as well, one must clearly understand the players here to know the danger. The media has done a very poor job of elucidating for the general populace the meaning of APT and the subtleties of how the threats manifest and their greater meanings to us all. There is far more at stake here than just your data being exfiltrated to China and many more vectors of attack than your local desktop.

The Fall Of The Bear & The Rise of the Dragon: 作者:熊暨龙升降:

Since the Soviet Union’s demise in the 90’s the Chinese have seen their chance to become the pre-eminent power in the world that once was the USSR. Though Russia has rebounded, they still lack the critical mass that they once had as a super power. China though, with its billion people, and “Tiger Mother” nature, has swiftly garnered the hard and soft powers that it sees as necessary to being “the” superpower.

Where the USSR used to take more of a hard power stance with their military might, and a second seat KGB soft power espionage plan, the Chinese went the other way and saw the soft power attack as the way to go, even with a billion people as potential military recruits. Gone were the days of Mao and the hard power of the Chinese military, instead, the Chinese would lull the West into somnambulance and stealthily acquire superpower status. A status that they are closer and closer to each day.

China now owns much of our debt here in the US. They have made business “alliances” that have allowed access to not only money, but also to control over supply chains as well as proprietary data. Data that they have obtained through many means, including the APT model that everyone is all worked up about now. In short, they have made multiple pronged attacks against other countries with subtlety with a means to an end of gaining control over other nation states that will not require military means to defeat them.

Sun Tzu would be pleased at their understanding of “The Art of War”:

“For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.”

It is this that the general populace and many within the Infosec community seem to not understand. There is much more at work here than some industrial espionage on the likes of Pratt & Whitney for JSF engine data. The Chinese have far more subtle plans that include many other areas than just the Information Warfare (IW) of stealing plans for jets.

The Thousand Grains of Sand: 沙千粮谷类:

The Advanced Persistent Threat of China has been around for quite a long time. Before there was the Internet and the ease of just FTP’ing RAR files to Hong Kong, there was the “Thousand Grains of Sand” approach to espionage. The metaphor here is that China believes that each grain of sand is important, and that it is nearly impossible to tell one grain from the other in a macro-verse. China would approach spying, whether it be industrial or other, by not only sending people here directly as spies, but also by calling upon those who still had family in China to become agents. They would either be rewarded, praised, or threatened not so subtly by the state to effect their complicity.

Espionage has three motivations, as the saying goes, for those who become spies:

  • Greed
  • Altruism
  • Ego

I would add a fourth, “fear” in the case of China’s apparatus. Of course many other countries have used the honeytrap (aka swallows in China) to turn someone into a spy for them, but in China, the use of relatives has been prevalent too. By using all of these means though, the Chinese would insert their spies anywhere and everywhere, and they would be hard to find because they often were only taking small parts of the bigger picture and giving them to their handlers.

This too also became the modus operandi for the Advanced Persistent Threat that is the digital companion to old school espionage. By attacking many different systems and rooting them, they would have multiple launch points to exfiltrate data and keep a command and control over the compromised networks that they had worked hard at gaining entry to. One might even say that they are recruiting the employees of each and every target as unwilling spies by targeting them with spear-phishing attacks that keep their access ongoing.

It is by this method, that thousand grains of sand, they are able to parse the data into smaller RAR files with multiple access nodes and move the data out to their drop sites.

That is a thousand grains of sand that SIEM or IDS just can’t catch.
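The paragraphs above describe the defender's problem: many compromised hosts each move one small RAR fragment to a drop site, so no single host ever crosses a per-host volume threshold. The following is an added example, not code from the post or from any product it mentions, showing why a per-host rule stays silent while correlating the same uploads by destination across all internal hosts surfaces the drop site. The log format, host names, destinations and sizes are constructed for the example.

```python
"""Correlate small outbound archive uploads across many internal hosts.

Hypothetical proxy-log format (constructed for this example, not from the post):
    <ISO timestamp> <source host> <destination> <method> <bytes sent> <content type>
"""
from collections import defaultdict

# Constructed sample traffic: five workstations each push one ~2 MB RAR part to
# the same external drop site, plus two unrelated requests.
SAMPLE_LOGS = """\
2013-03-07T21:01:02 ws-014 drop1.example.net POST 2097152 application/x-rar-compressed
2013-03-07T21:03:11 ws-022 drop1.example.net POST 1835008 application/x-rar-compressed
2013-03-07T21:05:47 ws-031 drop1.example.net POST 2228224 application/x-rar-compressed
2013-03-07T21:07:59 ws-045 drop1.example.net POST 1966080 application/x-rar-compressed
2013-03-07T21:08:30 ws-014 cdn.example.com GET 512 text/html
2013-03-07T21:09:12 ws-050 updates.example.org POST 3145728 application/octet-stream
2013-03-07T21:10:40 ws-052 drop1.example.net POST 2031616 application/x-rar-compressed
"""

UPLOAD_METHODS = {"POST", "PUT"}
MIB = 1024 * 1024


def parse_uploads(lines):
    """Yield (host, destination, bytes_sent) for each outbound upload record."""
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        _ts, host, dest, method, size, _ctype = fields
        if method in UPLOAD_METHODS:
            yield host, dest, int(size)


def per_host_alerts(lines, per_host_limit=4 * MIB):
    """The naive rule: alert when a single host sends more than per_host_limit
    to one destination. Each fragment stays under the bar, so this returns
    nothing for the sample above."""
    sent = defaultdict(int)
    for host, dest, size in parse_uploads(lines):
        sent[(host, dest)] += size
    return sorted(k for k, v in sent.items() if v > per_host_limit)


def find_fragmented_exfil(lines, total_limit=8 * MIB, min_hosts=3):
    """Aggregate uploads by destination across all internal hosts and flag
    destinations receiving at least total_limit bytes from at least min_hosts
    distinct hosts. Returns {destination: {"hosts": n, "bytes": total}}."""
    by_dest = defaultdict(lambda: {"hosts": set(), "bytes": 0})
    for host, dest, size in parse_uploads(lines):
        by_dest[dest]["hosts"].add(host)
        by_dest[dest]["bytes"] += size
    return {
        dest: {"hosts": len(info["hosts"]), "bytes": info["bytes"]}
        for dest, info in by_dest.items()
        if len(info["hosts"]) >= min_hosts and info["bytes"] >= total_limit
    }


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("per-host alerts:", per_host_alerts(lines))
    print("fragmented exfil candidates:", find_fragmented_exfil(lines))
```

The thresholds are illustrative; the point is the pivot from a per-source view to a per-destination view over a longer window, which is where fragmented transfers from many launch points become visible as a single pattern.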

Threat Vectors: 威胁向量:

This brings me to the threat vectors that we all should consider where China is concerned:

  • Economic Targets
  • Military Targets
  • Infrastructure Targets
  • Supply Chain Targets
  • Media Targets
  • Industrial Base Targets
  • The Patent Process and Bureau
  • The Financial Systems (Stock Exchanges and Banking systems)
  • Political Targets

All of these entities are targets for not only cyber attacks but also soft power attacks (business alliances and deals, monetary controls, etc.). Any influence that serves the ends of the Chinese will be used to their ends. This truly is subtle in many ways and has been overlooked for a long time by the US and the populace in general. It just seems like we don’t think along these lines. Perhaps it is an Eastern mindset, perhaps it’s the fact that generally, we in the west just don’t understand the game of ‘Go’.

Putting this into the perspective of the information security and hacking community, this means that all of the companies out there who are not doing the due diligence on security are more than likely easy pickings for not only the average cracker from Ukraine, but also the Chinese, who may in fact be using the companies’ systems to steal their data or to use as a drop point for others’ data being stolen. It is a fundamental lack of understanding of the complexities of network and information security that generally, in the US, seems to be a malaise that we are only now catching on to.

In the case of the Chinese, they have worked very hard at developing the skill sets and assets to leverage this lack of comprehension on our part and overtake and continue to infest systems here that they wish to exploit.

The Cyber War: 该网络战争:

Another fact that seems to be missing from the news cycle is that the APT/TGOS (Thousand Grains of Sand) approach that the Chinese have been using not only covers theft of data, but alternatively just having access to systems that they could use as a precursor to war or during an event. Such networks within the DoD (NIPRNET/SIPRNET) could be very useful in delaying supply chains from functioning well and/or inserting false data into them as a ruse or IW/PSYOP device to hobble the US military.

For that matter, the use of this type of attack against any critical infrastructure would be a boon to deter if not outright stop the US from action against China should something erupt, say, in Taiwan. By shutting down sections of the US power grid or other major areas of infrastructure, the Chinese or any other state actor would have great leverage to give the US pause. If anything, the arrival of Stuxnet and the aftermath should at least give us something to think about as possibilities go. Some may say it’s inconceivable that such an attack could work or happen. Others though, would say that it is not so far fetched, especially given the machinations that China has shown to be attempting not only through network attacks, but also soft power attacks in political and economic vectors.

I will leave this topic with this question:

“How much of our technology today is made in China?”

All of this need not involve anything near a war scenario either; they may just use these attacks to subtly manipulate the affected countries into actions that they desire. Soft power also means the ability to manipulate your target without really unhinging them. All of these attacks, whether they be full on or subtle, will serve to affect the outcome of any military engagement without ever having to fire a shot. A well planned and executed plan could in fact win the war before it even begins. Of course on the other hand, these attacks could just be used as a first stage to a series of kinetic attacks by the aggressor (i.e. cyber attacks in tandem with physical IEDs at critical sites for maximum effect and destruction).

Any way you look at it, unless we get our collective act together here in the ever increasingly networked world we live in, we will be at a great disadvantage, especially against such an aggressor as China.

Meet The Players: 满足玩家:

To bring this article full circle, I will now give you the known and suspected state actors that may have been running operations such as Aurora. The Chinese were ahead of the game in connecting not only with the People’s Liberation Army, but also the nascent hacker communities in their country. Using a combination of leveraging companies like Huawei to tap into their technical staff and the patriotism on the part of the PLA and the hacker communities, China has forged a solid directorate for electronic warfare and espionage.

The Chinese Military (PLA) -> Leverage many corporations that the military actually has majority stock in to gain access to technology and assets

The Chinese Hacker Community -> Sell and work for the PLA creating 0day and performing hacks for money as well as patriotism

Chinese Corporations -> Often used as cutouts to gain access economically and intelligence wise to assets in other countries

Often, the corporations, which are many times sponsored or majority owned by the PLA, are the training grounds and the operative section for soft power operations for China. By using financial deals and alliances, China often attempts to gain the upper hand by having asset connections inside of companies that they wish to affect or to steal from. No longer is it needed to install spies within when the company is partially owned or has access granted because they are working “together”.

It is the Chinese hacking community that is of most interest to many in my field however. Many of these people are still in universities and are often times motivated by their nationalistic tendencies ostensibly. Some of these groups have become actual companies producing security software or offering security services. Of course they are still likely to be assets for the PLA and probably the tip of the spear operators for China in operations. The reason for this simply would be that they are expendable in the sense of hacking as a nation state would cause international issues. Hacking as a hacking group though could be seen as their own initiative and they could be burned without losing face.

Within this amalgam of groups we then see the attack “teams” who crack the systems, then other teams perform recon, and still others, keep the access open and retrieve data. All in all, they have a slick operation and we would be wise to pay attention to how they operate.

I’m Afraid Our Lunch Has Already Been Eaten: 我怕我们的午餐已经被吃掉了:

So it is that I end here with the title above. I think that we have become too lax in our stint as a superpower and frankly have dropped the ball. Our companies are unmotivated to do the right thing where security is concerned. Our government is clueless on how to deal with the technologies and overly ossified in its operations to even cut a budget for the country without nearly closing down. America has to collectively come to the conclusion that not only does China own much of our debt, but they have outplayed us continually in the game of soft power.

All too much of our infrastructure is unprotected while much too much of our manufacturing and R&D has gone out of the country.

In short, our lunch is being eaten and the Chinese also want our milk money. Unless we rectify things, our time as a superpower is numbered.. In single digits. Meanwhile, the vendors out there and the media keep on spinning half tales and misinforming the public. We are on a verge here.. And it’s time to get our act together.


Reading Materials: 阅读材料:

Coolswallow: Hacker thought to be behind Aurora

  • The Green Army: Chinese hacking group known to operate for the state
  • Chinese hacking collective and alleged security company aligned with PLA
  • Chinese hacking group and security software maker aligned with PLA

NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved Report_16Oct2009 (1)

The National Security Implications of Investments and Products from The PRC in the Telecommunications Sector

Book Review: An Introduction to Cyber-Warfare: A Multidisciplinary Approach

CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OF CYBER WAR!” is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know who asked me to read this and comment).

The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it), which for many of you reading my blog might be way below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.

I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so*. There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.

As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”.

I have broken down the book into rough chapters and subject areas as it is within the book (mostly). It really does cover more of the overall issues of cyber-warfare and methods used (not overly technical). The modus operandi, so to speak, of the actual events that have taken place are laid out in the book and give you a picture of the evolution of IW to what we see today as “cyber-warfare”. I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?


The authors cover early IW with the Russian sagas over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action as well as a good overview of what happened.

In the case of Georgia it went kinetic and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind unless there is an actual kinetic portion to the fighting there is no “war”; it is instead an “action” or “espionage”. So in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.


Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.

The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.


Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible deniability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?

Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI via Sabu were manipulating the Anons into going after government targets. This is not beyond comprehension, especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?


OY VEY, the “GRID”. This is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will allow what they wrote to stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about especially if you have an army of trained squirrels with routers strapped to their backs.

It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad student’s paper from years back so your mileage may vary. So on this chapter I give it a 40% derp.


All in all I would have liked to have seen more in the political area concerning different countries’ thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which for me and many of you out there I assume, leads me to the logical conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?

I would have also liked to have seen more in the way of some game theory involved in the book as well concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems within actually carrying out cyber-war as well as potential outcomes from doing so, more along the lines of what I saw in the Global Cyber-Game.


Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level, with regard to the leaders of the land not knowing anything about it and then voting on things.

We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..

Put it in the syllabus!


Sun Tzu and The Art of Cyber-War

A mgbkf zugx sbw nrkl wqvrkvuj!

Sun Tzu and The Art of Cyber-War

A while back I decided to throw my hat in the ring for RSAC and Shmoo. I made neither’s list of presentations but I thought this still was worth putting out there for people to see. I had been talking with Jericho and Josh Corman about cyber war because of their presentation at Brucon and this idea popped up in my head because Jericho had pointed out too many people cite Sun Tzu poorly in these types of presentations. Well Jericho is right and often times not many of the tenets of Sun Tzu make it into the presentations. On average you will see maybe one or two and that’s it, but The Art of War has many other chapters and quotes that map to general warfare and that includes Cyber-War (so called). Generally however the overall tactics put forth by the Art of War are applicable because this is warfare we are talking about no matter the landscape (electronic) that we are fighting it in. You still have adversaries looking to defeat one another using guile and force today just as in the day of Sun Tzu. The real issue comes down to reading between the lines of the old text and applying the ideas to the modern landscape of the electron, the malware, and the phishing attack.

All of these efforts though will lead to the age old means of kinetic warfare and this is what people seem to not understand so well today. War is war and eventually it’s all going to be about the guns and bombs and not so much just about the data being stolen or messed with. We have a problem today in the semantics of war in the digital age that needs to be cleared up for the general populace. I hope that this tutorial will not only be historical but also give the reader the tools needed to understand that cyber-war is not the end all be all; it is in fact just a precursor to the type of war that has been waged since man could pick up a rock and throw it.

China, Sun Tzu, & APT

On another level though, I find it amazing that more people have not had the light bulb go on about our situation today with regard to Chinese hacking and espionage. What we have seen is not cyber-war yet but the prelude, the reconnaissance to carry out war, and that is all. The Chinese (and others) have begun mapping our networks, prodding our defenses, and assessing our overall readiness by using digital attacks on private and governmental networks and systems. Think of it all as spying and not just one for war footing alone. There is of course the industrial espionage as well, but in the case of China in particular they are all means to an end. The “Thousand Grains of Sand” approach is doctrine in China, as is the mindset they have always had, having had masters like Sun Tzu as their teachers. Look at this slide deck and then take a step back and look at the APT-1 report as well as others. Note that the Chinese military is the state and that the PLA is just an arm of the military, unlike in the US where the military is a little more separated and at the behest of POTUS.

Sun Tzu said it best in The Art of War:

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

It’s time to be more introspective about ourselves as well as the adversary and Sun Tzu is a good way to get there.
Written by Krypt3ia

2013/03/07 at 21:25

Peter the Great Versus Sun Tzu: DEATH MATCH!

“Douchery, it seems, like life, always finds a way”

Even in the shallowest of pools, the most vile of biological sludge can dwell.. And so it seems that the friendly folks at Trend Micro have decided to put out a little pdf on how the different kinds of APT act, rating them against greater entities from history. In other words, they put out a pile of crap and think that they have done the world a great service in laying said pile of crap where you can trod in it.

The paper, “Peter the Great Versus Sun Tzu”, alleges that a comparison can be made between the varying actors in malware creation and use today. They have broken this down into a battle royal between the “Asians” (i.e. China) and the “Eastern Europeans” (i.e. the Russians) which is just patently stupid, but, let’s choke down the bile for a bit to really look at their “research” shall we? Let’s look first at the players in this game, well the ones other than an AV firm looking to get their horse into the APT game that is…

First off, the paper is co-mingling APT and Crimeware activities while trying to compare the two, which is somewhat dubious in my opinion. Why? Because there are different goals here and widely different time tables as well as assets available. Crimeware may have come a long way, but it is not at all at the level of the espionage game being played not only by China, but also Russia as well as a host of other countries in the game today. So, just to focus on these two is rather short sighted to start, but wait, it gets worse! They go on to look at the structure of the orgs as well, comparing each to a thought leader in their country, thus we have Sun Tzu and Peter The Great.. Which, uhh, well, Peter The Great? Really? I’da gone with Rasputin or something like that but ok…

Secondly, the paper then goes on to talk about infrastructures and timetables of each group’s modus operandi claiming that there was extensive research into it. Of course the only research that they link to was a paper on the Chinese syndicates on their blog. They do link to a couple other studies on past malware packages but really, where’s the love for the Russians here? What’s more, the author then goes on to talk about how the players are like mercenaries (Russia) and Foot Soldiers (China) which in a stretch can be almost made, but, there is much more complexity to this issue of operations than an eight page document allows for. Sorry, but you are glossing over so many salient facts that must be talked about here that it all just makes the point of the exercise laughable.

What’s more here, uhh how is this going to help anyone looking for help with APT with your product Trend? Do you have some magical “Sun Tzu Difference Engine” that we don’t know about yet? Look, it’s all good that you want to investigate the players and you think that you can look to be better equipped as an AV company to deal with these threats, but nothing in this document has anything to do with real world countermeasures or, for that matter, solid information or understanding of the mindsets of the players here.

Not to mention, like I alluded to above, they are not the only players here. So… What was your point again? I mean, even your “tactical comparisons” were weak and only part of a larger and more complex picture that you just don’t seem to have a handle on. Otherwise I think you would have thought better than to release this on the internet.

“Sun Tzu is Angry…”

Ahh, well, here we have another aspect of this paper that I have a bone to pick with. I have had this discussion with Jericho on more than one occasion and, to wit, anyone trying to kludge Sun Tzu into any cyberwar or cyber cyber cyber argument had better be well versed in two things.

1) Being able to think like a tactician

2) READ and have UNDERSTOOD all of Sun Tzu and The Art of War

All too often people wing out a single maxim and BANG! They are experts on this subject! No, no, you’re not there cowboy, now sit down and shut up mmmkay? In this instance, Sun Tzu’s name is used but not really related to at all within the document as a whole. No explanations on how the author conceived that Sun Tzu’s teachings about warfare affected or shaped the Chinese APT/Hackers/Malware Writers at all. Not. One. Word. So, exactly how does Sun Tzu fit in here other than as a catchy title, one wonders… I am going to hazard a guess that the author has not read and understood Sun Tzu… And I am further going to make a statement that that is just really douchey.

While the paper does have some inkling of the idea that there are different classes of hackers within China, they really have yet to emote any other understanding than that. It’s akin to saying there are many cats in the world.. “So many that there are all kinds!” Yeah, thank you, please sit down and learn with the class there Clyde… Look, there are many reasons for hackers and malware writers to be active. Many psychological reasons that are innumerable, but, there are some broader stroke ideas that can be made, and yes, some of them are political. See, we are all a product of our upbringing and in China, they are rather nationalist as a country, so sure, there would be a great swath of players out there doing it for their country or their pride. But, that’s not the whole picture nor are any others really written about in this paper.

Additionally, I nearly choked when the paper cited the “Thousand Grains of Sand” without any real preface or explanation thereof afterwards. All I’m saying here is that you need a better understanding of China, the MSS, and the players as a whole (Green Army to today’s patriotic outfits) as well as the Nation State players before you just release such drivel upon the world Trend.

Go read… Maybe talk to some hackers… Eight pages to explain the Chinese! HA! Do you know that they have 26k characters in their language, right? Eight pages…

Sun Tzu is pissed and he will send the clay army after you soon.

“Peter The Great is pissed too!”

This brings me to the illusory statement about the Russian hackers being “Mercenaries” and on equal footing like the days of Peter when he removed the egalitarian nature of the army to allow for officers of any class to be made…


It’s twattle and you should be beaten around the head and neck with a rubber fish for that one. How the hell do you get from there to the criminal gangs today? Hell, how do you even try to equate that to FSB/KGB/GRU activities being perpetrated by these groups? I mean, ok, sure, highest bidder for services and small groups of thugs, sure, maybe the moniker of mercenary is apropos, but they are more like thugs and gangs than anything else.

Sure, they want to keep their trade secrets to sell to the highest bidder as well. So they take more time and patience with their infrastructure and coding. It only makes sense, but once again, what has this to do with your AV product? Do you have some sort of “Semiotics Engine” you are selling here? It’s all just backfill and not really fully fleshed out with, oh, facts and such. You know, citations maybe?

Yes, the Russians have quite the syndicate of malware writer gangs and yes, they make lots of money… But if I wanted to know more about that, I’d talk to Brian Krebs because, oh, he has experience and cites facts in his articles…

Just sayin…


In the end, I read this paper with increasing amounts of bile rising out of my duodenum with each word. It’s great that you want to take up this “research” and all, but, really, what’s it got to do with Sun Tzu, tactics, Peter the Great, or for that matter, your AV product? Will all this unsolicited and unsupported conjecture really give me an edge with your product line? Will the “Semiotics Engine” stop the next wave of crimeware phishing emails coming at me that try to connect to Turkish servers? Will that in fact tell me that it is really the Russians or the Baltic players? Or maybe this is all some sort of “Attribution Engine” you are developing for us all to understand the adversary better as you shrug your shoulders, palms up, and say “Sorry, our product didn’t stop that malware.”

Do us all a favor and go make an engine that really works. Come up with a means to really protect our end users from phishing emails and their own stupidity (CLICK CLICK CLICK! HEY WHY WON’T THIS SCREENSAVER WORK?) because this paper, as you call it, is useless to me and everyone else out here in the real world looking for some kind of solution.

… And don’t come out of your lab ’til you have a real workable solution…

Why? Cuz Sun Tzu said so THAT’s WHY!


Written by Krypt3ia

2012/09/21 at 19:38

Hard Power, Soft Power, Economic Power, and The Power of Economic Digital Espionage

with 3 comments

Hard power is a term used in international relations. Hard power is a theory that describes using military and economic means to influence the behavior or interests of other political bodies. It is used in contrast to soft power, which refers to power that comes from diplomacy, culture and history. While the existence of hard power has a long history, the term arose when Joseph Nye coined ‘soft power’ as a new, and different form of power in a sovereign state’s foreign policy.[3] Hard power lies at the command hegemon end of the spectrum of behaviors and describes a nation’s ability to coerce or induce another nation to perform a course of action. This can be done through military power, which consists of coercive diplomacy, war, and alliance using threats and force with the aim of coercion, deterrence, and protection. Alternatively, economic power, which relies on aid, bribes and economic sanctions, can be used in order to induce and coerce.

While the term ‘hard power’ generally refers to diplomacy, it can also be used to describe forms of negotiation which involve pressure or threats as leverage.

A Conversation 

Over the weekend I had a twitter conversation (140 chars at a time, rough) about the meaning of “Soft Power” in the current parlance propounded by Joseph Nye. I have a different opinion of the nomenclature concerning the terms “Soft Power” and “Hard Power” in today’s political and economic environment, while the other party I was speaking to had a stricter reading per Mr. Nye’s (he coined the term soft power) definition. I myself feel that today things are a little more complex for the terms to be so tight, given that now economic “hard power” seems to have morphed into a vast array of economic digital espionage that softly, along with other soft power style moves, creates a hard power outcome of directing or tricking other countries into actions that the others desire.

The primary mover and shaker of this for me is of course China, and one only has to look at the news cycle to see both these types of “power” being wielded by the PRC. I think it is time to take a look at the means and the philosophies that China has been using to effect the changes that they need to become not only the predominant military force in the world, but more so an economic juggernaut that will outweigh and perhaps stealthily creep behind and slit the throats of other countries in subtle and not so subtle ways.

Hard vs. Soft Powers and Nomenclature

As seen above in the quoted text, hard power is seen as economic sanctions as well as military actions. This is all in response to the soft power of politics and the methods of carrot to the hard power stick. All of these allude to direct actions that are perceived as means to manipulate nation states and other actors into actions desired by the power that is employing them. I would put to you all that there is another form of “soft power” that the Chinese have really created over the last decade that employs a stealthier, more nimble approach from the espionage arena (hard power by strict definition?) and economic strategies that, with nationalistic goals of grand scale, have wrought a new type of “power.”

Perhaps this power should be called “Covert Soft Power” as it is being employed covertly both in the hacking of companies to steal their economic secrets (IP) as well as by the addition of espionage and common business tactics to buy into and/or subvert companies to facilitate access to economic secrets, as well as to outmaneuver companies and close them out on deals etc. All of this seems logical to me (adding this meaning to the term) but perhaps I am outside the norms on this one. The way I see it though, there is a new vector here that the Chinese are leveraging and I think we could use a little thought on the matter and perhaps on how to counteract it all.

China, The Hard and Soft Power via Economic Espionage and Investment

China in particular has been working at a multi-pronged and diligent attack on systems and corporations as well as governments to effect the long game strategies that they want. Instead of attacking things head on, the Chinese prefer the methods of “The Thousand Grains of Sand” where many operations and operators work to effect the larger outcomes from small pieces. The Chinese are patient, and because of the Eastern mind, seem to come at things in a more subtle way than most of us in the West tend to think about. In all, the subversion and outright theft of IP has a multipurpose goal of broadening their technical abilities, their economic abilities, and overall, their dominance in the world as a power.

What the Chinese have realized mostly though, is that the subtle knife is the best way to control the enemy, slowly and subtly slitting the throat of the opponent without a struggle. Frankly, I admire the approach really. In terms of the argument of “soft power” I place these efforts squarely into it because in tandem with certain “political” maneuvers, they can have huge net effects. By combining the military, the economic, and the political aspects of soft and hard power, and the grays in between, China has become a force to be reckoned with. So, I put it to you all here, that there is room for a change within the nomenclature of Mr. Nye’s coinage and that I think, in order to better understand the mosaic that is happening, we need to re-tool some of the ideas we have preconceived for ourselves.

A New Battlespace, A New Set of Battles 

Finally, I would also put it to you all that the battle space is much different today than it has been in the past. Not only do we have the digital landscape, but said same digital landscape, that makes it easier to steal, also makes everything more interconnected. By interconnected, I mean that it is far easier to effect large changes to companies by the automation that we all have in place today to speed up our transactions. Today it is far easier to quickly make instant trades, and affect the bottom line of a company for the better or worse, as well as steal data in minutes that in the past would have taken days, weeks, or months to exfiltrate from a company via conventional HUMINT means.

In the scenarios run on trades on the markets, you can see how one alleged “fat finger” incident can have a large scale and rippling effect on the whole economies of states, never mind businesses individually. So, once again, the battle space has changed greatly because of the interconnectedness of things. It seems that the matters of state, now more than before, can be changed through the soft power of the digital attack or manipulation. This is what I mean by “soft power” or perhaps the term I mentioned above, “Covert Soft Power”: attacks that we are seeing now, and that we are having trouble truly attributing to nation-state, corporate, or individual actors, are having larger and larger effects on our economy, our policies, and our long term viability as nations, companies, or groups.

At the end of the day though, I suggest that we are being manipulated by masters at the game of “Go” and we need to pay attention to every subtlety and not be so rigidly minded. It is the water that flows around and over the rock, eventually wearing it down to nothing.


Written by Krypt3ia

2012/05/21 at 17:40

How Not to Recruit Spies Online and Off… Listen to Ira Winkler.

with 2 comments

RSA 2011 How to Recruit Spies on the Internet… Absolute tripe.

A twitter message aimed at me this morning contained the link above and I felt compelled to take a look as it was the infamous Ira Winkler. I had never really heard or seen him before, but I had heard about him in such places as and in the comments by others (who then spat on the ground after they spoke his name, like a curse). So I already had the notion that this was going to be bad.

How little I knew how bad it would be…

Within the first minutes of this presentation at RSA 2011 I was besieged by his whining about how he had been placed on a schedule adjacent to another talk on online espionage. After watching a little bit more (at about marker 2:59) he then goes on to say how he would like to assassinate Julian Assange himself.

*blink… blink*

Holy what the?… I mean I don’t agree with Julian really on a lot of things, but calling for assassination of him? Even in jest…


Well, that should have been my warning, like the ones on old maps (There be dragons here), but I decided to press on and watch this horrid presentation as he droned on about how he knows this or that spy (2 of them actually, one ex KGB *alleged* and one CIA *alleged*) as well as how he hates the term “Social Engineering.” Basically, it is a waste of 50 minutes of anyone’s time AND if you were in that audience and took anything away from this talk, it should have been: “Never listen to this guy again.”

Take a look for yourselves gentle readers and decide… For me though, his inane ramblings made me want to correct the misinformation he spat out and to clearly put out there some information concerning espionage.


Espionage vs. Digital Espionage vs. Skiddies

Espionage, the term used for “spying,” has been around since… Well, forever I suspect. For many years the techniques of spycraft have been honed by the likes of the US and other countries. In fact, there are more than a few innovations today that came out of necessities that spies had and that gadgetry was created for. Today though, technology has pushed the bounds of tradecraft away from interaction with people in person to a more technical espionage where some social interaction is needed, but most of it can be taken care of through vulnerabilities in systems and the predictability of companies/governments/sysadmins. Much of the “cyberwar” everyone seems to be bellowing about today is in fact espionage activity and not so much “warfare” in reality. Gone (mostly) are the old days of cold war spying.. One might think.. But, I would say that those days are alive and well and may come to be even more important given the technologies and their rapid pace of change.

So, this article has been written by me to clear the air a bit for those who have little understanding of the “spook world.” First though, I would like to further define the players and the game here within the title above. I have covered the “espionage” here, but now let’s look at the “Digital” twist we have today.

Digital Espionage: Is a term that I think I have coined sorta kinda. I am sure others came up with it before, but I am putting it down here and now. When I speak of digital espionage, I am talking about the infamous “APT” that we all have heard about ad nauseam. These are the players who are actually supported either by a nation state or perhaps by corporations. The espionage is mostly technology based (i.e. hacking/phishing/vishing etc) and also may include social engineering exploits to gain access and/or information for the operation in play.

When any type of espionage is being carried out at this level, there are goals and plans that they want to carry out for an objective. I submit to you here that APT equals espionage and both digital and traditional forms of it use a combination of technical and social means to get what they desire. The new overlay of technology only means that perhaps you do not have to meet your asset somewhere to trade data, pull a brush pass, or leave a mark on a lamp post to set up a meeting date.

Skiddies: In the talk that Ira presented (poorly) at RSA he talks about “hackers” in the context of espionage. He was wrong to even mention this in the presentation and it should be laid out here that the common criminal hacker, and/or at this time Anonymous, has yet to reach the breadth, scope, and patience that a real spy operation would accept as the SOP. Skiddies will use technology to make the quick hit and exfiltrate data, but 99% of the time they do not do the footprinting and other assessment activities that spies do.

Nation State vs. Corporate

I just wanted a quick word on the nature of nation state actors versus corporate spies. In the history of espionage it has been shown that the two have been intertwined really since the early days of corporations. However, once things like telephones and cables came into existence, it became a cozy relationship at times where governments and companies started to work together for their own ends in the espionage world. Today, it is rather hard to tell where the corporation ends and the state function begins. Oftentimes, NOC (Non-Official Cover) operatives are sent out by such services as the CIA under the guise of being employees of either faux companies or real ones that have taken on the agent as an “employee” (case in point: Valerie Plame and Brewster Jennings).

However, companies in and of themselves have been known to hire out boutique firms that spy for a fee. These companies go out and get “competitive intelligence” for corporations, and they get paid pretty well. Often, these firms are staffed by ex spooks from all over the world and all different services/countries. This also brings the corporate and the state sponsored types of espionage together once again, and in fact they often cross pollinate between the two.

Today’s APT could be either, and one should take this into account when they start pointing fingers at countries and yelling “wolf.”

APT vs. Old School

Going back to the notion of the changing landscape of espionage, I would like to mention again the difference between the new digital means as opposed to the old days of smuggling microdots of “documents” and the use of brush passes. Today much of the espionage can be carried out without having to leave one’s back office and this is a real paradigm shift in the business. It has also been a problem for the nation state actors since technology has become too relied upon and the ways of HUMINT slacked, as we found out post 9/11.

It turns out that HUMINT is very important, as is having linguists… You can’t just re-task a keyhole and get everything you need, it turns out. It also seems to still be a learning curve today as we read about the roll up of assets in Iran and Palestine because the handlers for the agents on the ground re-used the code word and the meet site (pizza and a Pizza Hut), thus giving the assets away and causing great damage to our network in the area.

It seems that even today, we (USA) are not teaching enough HUMINT techniques (Moscow Rules etc) to our agents and thus mistakes are being made. It is my contention, and others’, that we need to get back into the old school methods even with the advent of all this technology. After all, people are still the easiest thing to exploit, and the insider is one of the best sources/means of obtaining information that one might want.

Terms and Nomenclature

One of the things that I noted in the presentation that Winkler made was that he was at a loss to really describe espionage in the common nomenclature. Thus, I have decided to list terms that you all should be familiar with when talking about espionage operations.

dead drop – A secret location where materials can be left in concealment for another party to retrieve. This eliminates the need for direct contact in hostile situations.

dead telephone – A signal or code passed with the telephone without speaking.

in the black – Surveillance-free for a time span greater than a few seconds.

in the gap – Surveillance-free for a few seconds but not as long as a minute.

in the wind – When a target of surveillance has escaped and left for parts unknown.

provocateur – An operative sent to incite a target group to action for purposes of entrapping or embarrassing them.

provocative – A harassing act or procedure designed to flush out surveillance.

put up a signal – To clandestinely signal another operative or secret source, as in putting up a signal like a chalk mark on a light pole.

rabbit – The target in a surveillance operation.

roll-out – A surreptitious technique of rolling out the contents of a letter without opening it. It can be done with two knitting needles or a split chopstick.

rolled up – When an operation goes bad and the agent is arrested.

rolling car pickup – A clandestine car pickup executed so smoothly that the car hardly stops at all and seems to have kept moving forward.

RYBAT – A code word meaning that the subject matter is extremely sensitive.

SDR – Surveillance detection run; a route designed to erode or flush out surveillance without alerting them to an operative’s purpose.

signals – Any form of clandestine tradecraft using a system of marks, signs, or codes for signaling between operatives.

silver bullet – The special disguise and deception tradecraft techniques developed under Moscow rules to help the CIA penetrate the KGB’s security perimeter in Moscow.

SIS – Senior Intelligence Service of the CIA, which assigns the executive ranks equivalent to a general in the military. So an SIS-1 is equal to a one-star general.

SITREP – Situation report, sent to CIA headquarters during an operation or crisis.

smoking-bolt operation – A covert snatch operation in which a special entry team breaks into an enemy installation and steals a high-security device, like a code machine, leaving nothing but the “smoking bolts.”

staff agent – A CIA staff officer without access to CIA secure facilities or classified communications.

stage management – Managing the operational stage in a deception operation, so that all conditions and contingencies are considered: point of view of the hostile forces and the casual observers, physical and cultural environments, etc.

star-burst maneuver – A countersurveillance ploy in which more than one target car or target officer is being followed and they suddenly go in different directions, forcing the surveillance team to make instant choices about whom to follow.

Surreptitious Entry Unit – Unit in OTS whose specialty was opening locks and gaining access to enemy installations for the purpose of supporting bugging operations.

swallow – A female operative who uses sex as a tool.

timed drop – A dead drop that will be retrieved if it is not picked up by the intended recipient after a set time.

tosses (hand, vehicular) – Tradecraft techniques for placing drops by tossing them while on the move.

tradecraft – The methods developed by intelligence operatives to conduct their operations.

walk-in – A defector who declares his intentions by walking into an official installation, or otherwise making contact with an opposition government, and asking for political asylum or volunteering to work in place. Also known as a volunteer.

warming room – A location out of the weather where a surveillance team can go to keep warm and wait for the target.

watcher team – A surveillance team usually assigned to a specific target.

window dressing – Ancillary materials that are included in a cover story or deception operation to help convince the opposition or casual observers that what they are observing is genuine.

There are many more and you can see them here. This sampling though gives you a window into just how the lingo works and the technical terms that each service uses. It’s a language unto itself really and if you decide to read more on the topic, this primer could be useful.


Tradecraft applies traditionally to the tools and techniques of espionage. Things like surveillance and counter surveillance as well as secret writing etc etc. However, today, you can also add the technical aspects of hacking as well. Another aspect though would also include the social elements of spying, recruiting spies, and on the hacking end, tricking people into giving you data as you would in any other spook op. The difference being that oftentimes in the hacking scenario, you are not directly interfacing with them of late, you are sending an email.

All in all though, tradecraft is exceedingly important in both spheres of influence and must be kept up with. In the case of the “illegals” who were popped last year in America, their tradecraft was ok, in fact pretty good in most cases, but their use of new technology caused certain failures that helped in their capture (see the story about the laptops and the wifi ad hoc connections). Meanwhile tradecraft failed at least one of the operatives physically, as the operative left the password to their system on a post-it note…

Yep they did… Know why? Because the password was 15 chars… Too long to remember.


Tradecraft, like I said, needs to be practiced.

Social Engineering & Rapport Building a.k.a. Recruiting and Running an Asset

Within the presentation by Winkler, his stated aim for the whole thing (by the title) was to talk about how to recruit online spies. Something that he really fails to talk about, ironically. I believe much of this is because he loathes “social engineering” and NLP, it seems, as well. In fact, he pretty much says a lot that is counter to what you really need to be skilled at to obtain the complicity of an end user, or an employee in general, and make them an asset for you. Ira pretty much glosses over all this, instead talking erratically about how he watched hackers on IRC…

Anyway, the point is that if you want to gain the complicity of a target you have some choices to make.

  • Flattery (pride)
  • Pity
  • Patriotism
  • Money
  • Sex
  • Revenge

Those are pretty much the motivators for people to betray their companies or countries. Oftentimes, these all take some cajoling on the part of the operative to get them to work for them, but nine times out of ten, you can get someone to give you what you want by simple manipulation or cash. Ira touched on these things, poorly, but the gist of it is that agents for foreign powers as well as corporations often are very skilled at social engineering.

You have to be.. Because you are manipulating people and their emotions.

One also has to be very calculating and able to separate oneself from the asset emotionally. Oftentimes, you may have to burn an asset. In fact, most often, the assets who were recruited to sell out their own countries (i.e. to Russia in the cold war) did not actually get exfiltrated out to Russia to live out comfortable lives… Unless they were high level defectors (like Philby, who in the end did not live so richly in the workers’ paradise) who might actually be exfiltrated and treated moderately well.. Until their usefulness is gone.

Nope, over all, this is a cutthroat business and you need to have great people skills as well as be able to step outside of those skills emotionally.

It’s all about manipulation.

Honey Traps and Swallows: The Art of Blackmail and El Amor

Another topic that was given a glancing mention by Winkler was the use of sex and blackmail as a means to an end in espionage. It’s quite true that this technique was a favorite of the Russians specifically, but all the services have used this ploy to get what they want. China has become somewhat infamous of late for also using this type of exploit to get someone to give them information or technology. So much so, that they have the term “swallows” for them.

There have been recent cases where government officials on visits to China have been approached by Chinese women who later on physically steal their computers or other technical equipment as they walk out the door. This particular attack is augmented by the fact that often the Chinese set up tight and full schedules for visitors that comprise many site visits as well as night time dinners that include much drink. This has been especially true for any of the nuclear physicists who visit China…

And that’s how secrets leak out, through lips loosened by fatigue and a couple drinks.

Back to the Russians and others, but primarily them: they have been known to use sex quite well to get their desired target’s complicity. Oftentimes, the Russians would set up cameras behind walls/glass (today just plant a wireless) and tape record the sexual encounters for playing later to the target. Often, this too was used against those who were homosexual, as this type of attention would ruin lives. Additionally, they often would ask for something small, then string the new asset along for bigger things later. This also allowed the target to perhaps become more emotionally tied to the bait and thus made them a willing agent for Russia.

Overall, the use of sex in espionage has been around since the dawn of time (Cleopatra etc). So, it’s nothing new..

But it bears some more description than the long and winding road of drivel that Winkler uttered on it at RSA.

China/Israel/Russia/UK/US All Have Different Methods…

Another thing to consider is that each of the services out there has different methods and bents toward recruitment and espionage in general. With the right research one can see how they play differently and what to look for should you ever be confronted with an operative or operation from a specific country. I thought it prudent to just have a short list of a few of their particular preferences, per country.

  • Russia: They favor the blackmail approach as mentioned above. They also are adept at inserting players into the environment who are deep cover like the illegals program. Though, in the case of “deep cover” I would not claim that for the illegals that were popped in the US completely. Anna was pretty much out there as a Russian as were a couple of the others.
  • China: Patient and approach the game from the “Thousand Grains of Sand” approach. Many assets high and low value that pass data to the homeland and they use it all. China also favors “soft power” as opposed to Russia and their strong approach to diplomacy.
  • Israel: The Mossad is an agency that one would not want to tangle with. For the most part, the Mossad is known for their assassination teams. (see the recent events in Dubai)
  • CIA: The CIA’s clandestine branch uses many techniques… But of late seems to be out of step with HUMINT per our recent failures. As stated above, the technology has replaced the HUMINT and that needs to be shifted again.

I would suggest some reading for anyone interested. Do some Googling and take a look around… AND if you are in the DC area, check out the Spy Museum.


Within the espionage space there are a lot of terms and methods of plying the trade. I would like to take this chance to delineate further the differences between types of intelligence gathering. Primarily though, I have talked about HUMINT, which was ostensibly what Winkler was to talk about (recruitment of assets). However, there are many other types of collection. Here are some of them.

SIGINT: Signals Intelligence involves intercepted signals from communications and electronic emissions; the National Security Agency (NSA) is responsible for SIGINT collection and reporting

MASINT: Measurement and Signature Intelligence involves a highly technical, multi-disciplinary approach to intelligence collection to provide detailed characteristics of targets including radar signatures of aircraft and telemetry of missiles; the Directorate for MASINT and Technical Collection (DT) at the Defense Intelligence Agency (DIA) is responsible for MASINT

PHOTINT: Photographic Intelligence involves the assessment of photographic media for intelligence purposes (think old school assessment of satellite photos or pictures from a high altitude plane)

ELINT: intelligence derived from electromagnetic radiations from foreign sources (other than radioactive sources)

GEOINT: Geospatial Intelligence involves the collection of information related to the earth from imagery, imagery intelligence, and geospatial information; the National Geospatial-Intelligence Agency (NGA) is responsible for geospatial intelligence collection management

IMINT: Imagery Intelligence involves representation of objects reproduced optically or by electronic means from a variety of sources including radar, infrared sources and electro-optics; the National Geospatial-Intelligence Agency (NGA) is responsible for all imagery intelligence collection activities

OSINT: Open Source Intelligence information gathered from non-classified, non-secret sources including news media, the internet and commercial databases to name a few; the Open Source Center (OSC) in the Office of the Director of National Intelligence (ODNI) and the National Air and Space Intelligence Center (NASIC) are the major collectors of open-source intelligence

HUMINT: An abbreviation of the words HUMan INTelligence, refers to intelligence gathering by means of interpersonal contact, as opposed to the more technical intelligence gathering disciplines such as SIGINT, IMINT and MASINT. NATO defines HUMINT as “a category of intelligence derived from information collected and provided by human sources.”

Typical HUMINT activities consist of interrogations and conversations with persons having access to pertinent information.

The Moral of The Story… Don’t Listen to This Buffoon

I guess overall, though, I wanted to shed some more light on espionage and the changing landscape for anyone who might not have a good feel for it. It seems today, with the advent of the term APT, the explanation of the nuances has flown out the door. Either this is because people don’t understand them, or they are unable to connect the dots between APT and espionage. It does seem, though, that most vendors and media don’t get it.

APT unfortunately only means China to the masses.. And this is a failure on the part of the security community as well as the Defense community at large. I recently had a conversation with someone that gets to the heart of this, in fact. APT spawned from the DIB (Defense Industrial Base) as well as the DoD. Much of this terminology, and the actual events that created it, cannot be talked about because they are marked as “secret” by the companies and the military. So, it can be readily seen that when talking about them in the open, they omit much of what really happened and only allude to certain things. This makes it all seem mysterious and alluring to talk about.. And many do.. Who have no clue what they are talking about.

The same can be said about espionage and running/recruiting agents when you have someone like Ira Winkler speaking at a conference like RSA. At best, Ira Winkler wrote a book long ago about industrial espionage that may have been researched. Today the picture has changed dramatically and Ira has failed to follow up on what’s going on. Nor does it seem that he has a solid grasp of old school precepts of espionage and the players involved. At least that is my take away from this YouTube of his…

To conclude, I would like to say this.. Espionage, both digital and other, is the way of things today. The fact that technology that is compromisable has permeated every part of our lives today makes us all targets of spying, whether that spying be the local kid next door looking at your porn collection on your PC or the NSA looking at your emails and conversations. Just as much, it is important to know that your job, no matter what job you hold, also makes you a potential target for a spook to be interested in you and your data. If nothing else, one must look at the range and breadth of companies and entities being broken into by the likes of China to see that no one is exempt.

Know the ins and outs of the technology as well as the spook landscape.. Especially if you work in INFOSEC today.. Lest you become the next target who has to report that they were compromised and data stolen.


Written by Krypt3ia

2011/12/21 at 15:27

Posted in Espionage

China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?

with 5 comments

Chinese strategists are quite aware of their own deficiencies and vulnerabilities with respect to cyber-warfare. In June 2000, “a series of high-technology combat exercises” being conducted by the PLA “had to be suspended” when they were attacked by “a computer hacker”.

China’s telecommunications technicians were impotent against the intermittent hijacking of the Sinosat-1 national communications satellite by Falun Gong ‘practitioners’ in the early 2000s. China’s demonstrated offensive cyber-warfare capabilities are fairly rudimentary. Chinese hackers have been able to easily orchestrate sufficient simultaneous ‘pings’ to crash selected Web servers (i.e., Denial-of-Service attacks). They have been able to penetrate Web-sites and deface them, erase data from them, and post different information on them (such as propaganda slogans). And they have developed various fairly simple viruses for spreading by e-mails to disable targeted computer systems, as well as Trojan Horse programs insertible by e-mails to steal information from them. However, they have evinced little proficiency with more sophisticated hacking techniques.

The viruses and Trojan Horses they have used have been fairly easy to detect and remove before any damage has been done or data stolen. There is no evidence that China’s cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data. They would be unable to systematically cripple selected command and control, air defence and intelligence networks and databases of advanced adversaries, or to conduct deception operations by secretly manipulating the data in these networks. The gap between the sophistication of the anti-virus and network security programs available to China’s cyber-warriors as compared to those of their counterparts in the more open, advanced IT societies, is immense. China’s cyber-warfare authorities must despair at the breadth and depth of modern digital information and communications systems and technical expertise available to their adversaries.

China is condemned to inferiority in IW capabilities for probably several decades. At best, it can employ asymmetric strategies designed to exploit the (perhaps relatively greater) dependence on IT by their potential adversaries—both the C4ISREW elements of adversary military forces and the vital telecommunications and computer systems in the adversary’s homelands. In particular, attacks on US information systems relating to military command and control, transportation and logistics could “possibly degrade or delay U.S. force mobilisation in a time-dependent scenario”, such as US intervention in a military conflict in the Taiwan Straits.

China’s cyber-warfare capabilities are very destructive, but could not compete in extended scenarios of sophisticated IW operations. In other words, they function best when used pre-emptively, as the PLA now practices in its exercises.

In sum, the extensive Chinese IW capabilities, and the possibilities for asymmetric strategies, are only potent if employed first.

Desmond Ball: China’s Cyber Warfare Capabilities

Oh Desmond…

Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say;

“Well, because there’s no real proof of their actually having done anything, they are unable to do so”

*blink blink*

Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, I think your contention lacks an understanding of the playing field, so let me enlighten you a bit, ok?

Rudimentary? Really?

I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..

How about you?

Sure, the coders could have been just about anyone, but the data was being exfiltrated to areas that were in the Asia Pacific and more than likely were Chinese in origin, so, yeah, it likely was them and not, say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough, though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no, Desmond, they are not wholly unskilled, and certainly not as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well, Desmond, was coined for their activities against the defense industrial base here in the US.

Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.

PSSST… Guess What?

So, to move this further along the philosophical and technical path for you, let me explain it another way. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Some things core to the Chinese mindset on warfare are the following:

The Chinese do not have a goal of outright cyber warfare with us. In fact, they would use the subterfuge angle you speak of by leaving trap doors in software and hardware, which they have done in the past (and have been caught). However, more than likely, they would use the supply chain that we have allowed them to become the lion’s share of, via outsourcing of cheap parts/labor, to infiltrate our systems with bad chips or those same back doors. Why do you think we (the military) spend so much time checking everything that we get for the government/mil from China?

Soft power, Desmond, would dictate that they use the thousand grains of sand to not only steal our IP but also use the technology and our dependence on their cheap rates to insert bad data/systems/hardware into our own infrastructure, for them to call up when needed to fail. This is not to say that they do not also have operators who have inserted code into other systems remotely, to later be used when needed as well.

Simply, Desmond, you don’t see the whole picture and it’s rather sad that you go on to make such definite claims. The simple truth is that the Chinese don’t need to attack us pre-emptively. They have been undermining us (US) for a very long time as we sell out to them for cheap goods and services. THIS is soft power. They now sit in the catbird seat in many ways financially (though yes, they could lose much by us defaulting); however, from the soft power perspective, they hold the upper hand. A coup de grâce would be to take down military systems were we to get uppity about Taiwan.. but really, are we in a position to do so after being wholly owned by them and their capital?

Desmond.. It’s not so much Red Dawn as it is “They Live”, if you are into movie references.

網絡戰 !!!

Alrighty, now that I have gotten that off my chest: Cyberwar, to me, is too hard to carry out for ANY of the countries out there now, China being only one country that might want to. The systems are too disparate, and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could, in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.

ANYONE could, IF they had the access and the desire. It would not need to be a nation state; it could be a private citizen for that matter. What is more interesting, Desmond, is that you fail to understand the espionage angle here. The Chinese use their expats to do their bidding under threat, or, mostly, under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…

Yeah.. Soft power once again.. It could turn hard though with the right circumstances.

Once again, Desmond, you think too one-dimensionally.

The Sad Truth…

Now, with all of that said, let’s turn it around a bit. The saddest truth is this;

“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”

The systems out there have not been protected well enough. Patching and secure coding have not been at the fore here, and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed, because we collectively have done a bad job at securing our own networks.


Once again, you fail to look at the problem from a more multidimensional angle.

Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.


从中国用爱 From China with Love: The Chairman Meow Collection

with 3 comments

From China with Love:

Within the last year (since Stuxnet) the general populace has become more aware of the problems we all face from digital attacks and espionage. Of course, sitting here today writing this blog entry, I look back at my past posts and wonder just why people are catching on now. China has been working us over for a long time, and with each day’s passing we have been steadily more and more compromised by the 7th directorate and their proxy hacking groups. This is not to say that others aren’t doing the same thing as well. China just happens to be the more active, due to their single-minded desire to be the pre-eminent superpower and the politically charged populace to do it (i.e. the PLA and their civilian hacking counterparts).

Israel, Russia, England, the list goes on: all spy on us as we spy on them. In the case of industrial espionage, the Chinese are first on the list, followed closely by Israel and Russia as well as France. It’s a game we all play; it’s just that China has been going at it in a much smarter and more cohesive way, is all. All one need do is look at the current state of affairs to determine that they have been exceedingly adept at it as well; kudos to them, really, and shame on us. We (the US) have been too busy being slaves to greed and cheap products from, you guessed it, China, to notice that our collective clocks were being cleaned. Sure, some have been in the know about this (the military, DOD DIB partners), but we have been hampered by several things.

1) Contractors (i.e. private companies) do not have robust security postures and often are connected to DOD systems (say, an air force base). Not to mention that these systems that the contractors own hold the goodies and escalation vectors that the APT want. Patching, IDS/IPS, SIEM, DLP: all words that are foreign to many executives making decisions about security, who often have not one clue in the matter to start. I have in fact seen one place that had a C level exec with a 4 character password to their system! One that also had a pre-populated ID! YAY! Way to go there, Mr. C level who manages a company that makes war-fighter systems! So, suffice to say that the companies have been ill equipped to handle security and the executives have been reticent to care.

2) Government regulations have been too lax in governing the security mandates and repercussions on any and all contractor companies that work on war-fighter systems. Sure, there are ITAR regs and potential fines, but really, how many of these companies have had true audits of their networks and environments to test their security postures? A good red team of many of these places, I am sure, would turn up shockingly scary vulnerabilities and network security gaffes that would, if leveraged by the likes of the Chinese, lead to huge compromises of the companies as well as their proprietary data. In the time I was at a defence contractor, I only saw one red team, and in that event it only took about an hour to compromise the place utterly. We need to enforce security on all defense contractors for both sides of their businesses (defense base and public) in order to ensure that the data is safe. Right now, even after everything that has happened with China, we still have no real regulation and control over these companies’ security postures, and that is why we will keep failing.

3) Human nature and corporate group think are the lead causes in our failures mentioned above. We as beings seem to lack the ability to see the long term dangers with regard to this type of warfare. We are also being leveraged by social engineering attacks (phishing, vishing, etc) to gain the toehold into the networks that lead to escalation and persistence. We need to be teaching secure computer practices both on a personal and a corporate level in order to be better equipped to try and stop these attacks. It’s not going to be the new piece of hardware or software that the vendors want to sell you (though they do have a place if they work) but instead the human factor that will be able to help here. I just would like to see the C levels at least aware of the security threats and really understand them. So far, I have seen too many in management without a clue and who don’t seem to care.

So, what I think we really need are some rules set up for companies doing government business that mandate secure practices and ensure that if those companies are not following through, they will be fined and shamed as well as lose their contracts. It’s one thing to be compromised even if you are doing the due diligence; it’s quite another to be compromised and not really care nor understand the problem because there are no negative incentives to being that way. In today’s world, we need to be sharper than this if we want to stay in play on the global scale.

What we really need to be now is a ‘Digital Sparta’

Meanwhile, we are behind the game here. The government is trying to come to grips with all of this (poorly), all the while the Chinese and others, now using the APT style of persistent attacks, are making bigger and more audacious hits against us (cough RSA & Lockheed cough!) while the news media spins on, telling only the half of the story that they comprehend to the masses that have little comprehension of the issues at all. Meanwhile, we in the security community talk about attribution and the problems of not only trying to stop all this from happening, but also dealing with the political repercussions of trying to capture those carrying out the attacks.

All of this during the cacophony of vendors (and I mean you, McAfee) spewing buzzword bingo out of their collective keisters, trying to make sales and use the situation to their advantage.

It’s time to pay real attention to the problems allowing these attacks to take place so easily, and to the companies that are being targeted by the likes of China. For a little more history, I have collected the “From China With Love” collection on my blog. Dating back from 2008/2009 to today, you can see that this has been going on for a long time, and there is much more that has gone on that you might not know about, or ever will, unless you are cleared to know.


Is Someone in China Reading Your Emails?

Our Chinese Overlords, Or how China is pwning the US

Economic Warfare: The New World Threat Via Cyberspace


Ghost Net: Aka Subseven or any other trojan backdoor program

Cyber SPIES in our GRID! Let the hand wringing begin!

DoD 2009 PLA Cyber Warfare Capabilities Assessment

MID’s “Seventh Bureau” and You.

Major General Dai Qingmin’s Cyberwar

The Cyber Cold War

How The Hackers Took Google A Theory: Manipulation, Geopolitics, and Cyber Espionage

PLA officer urges challenging U.S. dominance

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?


Oh, and as a post script: This post was also brought to you by @diocyde, because he/she was such a pedantic wanker about me not caring about what China was up to as I was too busy chasing “pimple faced jihadists” online..



OPERATION SHADY RAT: Or As I like To Call It; Operation Shady Crap

with 3 comments

First, let me preface with an expletive laced rant that will be stripped for the straights at Infosecisland.. Please forgive the capslock shouting, but I cannot contain myself here!








Ok, now that I have that out of my system, I will now attempt to explain a few things in a civil manner on the RAT/APT situation. First off, there is nothing new here, as I have said before on numerous occasions. This type of activity says more about the laxity of the targets’ security, as well as the intent of the adversary (China) in gathering the secrets its state desires. The simple facts are these;

  1. China wants to have an edge and it finds itself using the Thousand Grains of Sand strategy to its benefit in the digital arena
  2. We have made it easy for them to compromise our systems due to lack of accountability and the short term gains seen by individuals within companies
  3. The adversary is smart and will do what it takes up to even intercepting helpdesk tickets and fielding problems to keep their persistent access!
  4. This has been going on for a long time and now is just getting out to the press.. Ok, I get that, but really, sowing FUD to win business will not help

It is readily apparent from this POS that McAfee has put out that they are just fishing for some press here for their flagging AV sales. This paper gives nothing relevant to the story around APT, and as such it should just be relegated to the dustbin of the internet and forgotten. Yes, the US was a major target, but others were as well. This is a nation state working on these APT attacks, come on now! They have more interests than just the US! Just as much, you (McAfee) had access to ONE server out of many! Never mind all the others that were fleeting and pointed to by DynDNS sites!

Really, McAfee, you come off looking like rank amateurs here… Well, I guess you really are, for pulling this little stunt at all.

The adversary has been around for a long time. No one product or service is going to protect us from them (that means you, McAfee), so it is useless to try and sell us the snake oil you would like to. It is our own human nature that we have to overcome to handle even the least of the problems that feed into group think and herd mentality in corporations and governments. Face the facts: they are here to stay and we need to learn the game of ‘Go’ in order to play on their field.

Unfortunately, we get dullards like these (McAfee) crying wolf and offering unctions to take our troubles away.. And unfortunately, all too often there are too many willing to buy into their crap.

… And we keep losing.


Written by Krypt3ia

2011/08/15 at 18:25

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?

with one comment

America Faced With Wave of Chinese Espionage

Defense Department officials are struggling to plan for a massive cyber-attack from Beijing – and fend off spies in the meantime. Tara McKelvey reports on the secret warfare.

Jul 16, 2011 9:47 AM EDT

Deputy Defense Secretary William Lynn III never said the word China in his speech on Thursday about “Cyber Strategy,” but he didn’t have to. The threat of a cyber-attack from Beijing weighs heavily on the minds of military commanders. And while officials have not said publicly who was behind the newly disclosed theft of 24,000 files from a defense contractor in March, one of the worst cyber-assaults in Pentagon history—it may well have been a Chinese operation. And even if Beijing officials were not involved in the theft, they have been implicated in other matters—so many, in fact, that federal officials are discussing publicly what to do about cyber-attacks, without saying explicitly who their number-one villain is.

From The Daily Beast


So, we are going to be in for a digital wave of hacking and espionage, are we? Say, have you been around lately? Like, say, the last oh, twenty years or so? Cuz if this is the big wave, I would hate to see what the tsunami is going to look like. Well, at least this article has some of the facts right, including the issues over attribution for attacks and operations. However, it still glosses over the fact that this is nothing new. Espionage against the U.S. has long been a favorite pastime of the Chinese, and now that espionage is taking place within computer networks.

But.. This too has been happening for a long time (see Titan Rain or others like Moonlight Maze)

Nope, this is indeed nothing really new. The scale of it may be the new twist here, and that is really because of the interconnection to the internet that has happened over the years. We have done it to ourselves, and we did it without any real thought as to the security of our networks/systems/data.

But, that is a screed for another day.

Since we are so connected now, and even systems that should not have (S) (NOFORN) data have been hooked up too (I know, I have seen it myself), or said data has been placed on non-cleared servers, we have been making it easier for the likes of China to get our secret sauce. China, though, is not the only one doing this, but they have made it an art form. The reason for this is that the Chinese decided early on that cyberspace (for lack of a less buzzworthy name) was going to be the 5th battlespace as well as the next frontier in espionage. Rightly so, too.
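The failure mode described above (marked material ending up on a server that was never accredited for it) is exactly what the DLP tooling mentioned earlier in the “From China with Love” post is supposed to catch. As an added example, and not code from the original post, here is a small Python scanner that looks for US-style classification banner lines and portion marks in text and decides whether a document may be stored on a host of a given accreditation level. The marking grammar is a simplified subset of the real scheme (controls containing spaces, such as “REL TO …”, are not handled), and the sample documents, the level table and the function names are all constructed for the demonstration.

```python
"""
Added example (not from the original post): scan text for US-style
classification markings so that marked material can be flagged before it
is copied onto a non-cleared server. Hypothetical: the marking grammar is a
simplified subset of the real scheme, and the sample documents are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Numeric ordering of classification levels (higher = more restricted).
LEVELS: Dict[str, int] = {
    "U": 0, "UNCLASSIFIED": 0,
    "C": 1, "CONFIDENTIAL": 1,
    "S": 2, "SECRET": 2,
    "TS": 3, "TOP SECRET": 3,
}

# Banner lines such as "SECRET//NOFORN" or "TOP SECRET//SI/NOFORN".
# Dissemination controls follow "//" and are separated by "/".
BANNER_RE = re.compile(
    r"\b(TOP SECRET|SECRET|CONFIDENTIAL|UNCLASSIFIED)\b(?://([A-Z0-9/,-]+))?"
)
# Portion marks such as "(S)", "(S//NF)", "(TS//SI)", "(U)".
PORTION_RE = re.compile(r"\((TS|S|C|U)(?://([A-Z0-9/,-]+))?\)")

# Controls that forbid release to foreign nationals.
NOFORN_CONTROLS = {"NF", "NOFORN"}


@dataclass(frozen=True)
class Finding:
    line_no: int               # 1-based line in the scanned text
    marking: str               # level keyword as written, e.g. "S" or "SECRET"
    level: int                 # numeric level from LEVELS
    controls: Tuple[str, ...]  # dissemination controls, e.g. ("NOFORN",)
    kind: str                  # "banner" or "portion"


def _controls(raw) -> Tuple[str, ...]:
    """Split the text after '//' into individual control markers."""
    return tuple(raw.split("/")) if raw else ()


def scan_text(text: str) -> List[Finding]:
    """Return every banner line and portion mark found, in document order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in BANNER_RE.finditer(line):
            findings.append(Finding(line_no, m.group(1), LEVELS[m.group(1)],
                                    _controls(m.group(2)), "banner"))
        for m in PORTION_RE.finditer(line):
            findings.append(Finding(line_no, m.group(1), LEVELS[m.group(1)],
                                    _controls(m.group(2)), "portion"))
    return findings


def highest_level(findings: List[Finding]) -> int:
    """Highest classification level present; 0 when nothing is marked."""
    return max((f.level for f in findings), default=0)


def has_noforn(findings: List[Finding]) -> bool:
    """True if any marking carries a NOFORN / NF control."""
    return any(c in NOFORN_CONTROLS for f in findings for c in f.controls)


def may_store(text: str, host_max_level: int) -> bool:
    """Allow the document only if its highest marking is within the host's
    accreditation level (0 = an unclassified, non-cleared server)."""
    return highest_level(scan_text(text)) <= host_max_level


# Constructed sample documents (not real material).
STATUS_REPORT = """UNCLASSIFIED
(U) Weekly status: all workstation patches applied Tuesday.
(U) No open incidents."""

NETWORK_NOTE = """SECRET//NOFORN
(S//NF) Contractor network diagram attached; do not forward outside the program.
(U) For access problems, open a ticket with the help desk."""


if __name__ == "__main__":
    for name, doc in (("status report", STATUS_REPORT), ("network note", NETWORK_NOTE)):
        found = scan_text(doc)
        print(f"{name}: level={highest_level(found)} noforn={has_noforn(found)} "
              f"ok_on_uncleared_host={may_store(doc, 0)}")
```

Run as-is, the status report passes for a level-0 host and the network note is refused because its banner and portion mark are SECRET with a NOFORN control. Two practical caveats: the match is case-sensitive and keyword-based, so ordinary text containing “SECRET” in capitals will produce a false positive and needs human review, and a document that was never marked at all will not be caught by this check, which is why a marking scanner is only one layer next to access control on the cleared systems themselves.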

As I said above, the networking of the world has made it that much easier to gather intelligence, and in the case of the Chinese, they began to use the nascent hacker community to do it. However, old school espionage on the part of China has been going on for a long, long time. If you are interested in this, then I suggest you pick up “Tiger Trap” by David Wise. Suffice to say that we have been industrially spied on, at the very least, by China dating back to at least WWII.

And they have been exceedingly successful.

(for more on China’s Thousand Grains of Sand and Espionage go HERE)

Back to the article and its catchy headline though, the great Cyber War has yet to come and we are woefully ill equipped to handle it right now. There have been incursions that we have found and I am sure there are more that we still don’t know about (whether or not the government has classified them, thus burying them) that paint a larger picture of the issue I am sure. So, when they cry out that we are in for the big hit yet to come, I say “heh” look at what already has happened!

Pretexts; Anonymous, China, and Cyber-Espionage:

The one area that the Beast article does not allude to that it should in my book on this subject is the current climate in the ‘cyber’ world. As you can likely tell from the header here, I personally think that Anonymous and LulzSec are the key to future attacks. Not that they are directly involved per se, at least not knowingly, but that China has latched onto their antics as a pretext for their own attacks.

Think of Anonymous, AntiSec, and LulzSec as the gift that keeps on giving any state or person who wants to carry out attacks online and have the questionable cover of it all being for the Lulz.

With all of the AntiSec/Anonymous operations ongoing, who is to say that China’s PLA has not infiltrated the infrastructure and affected the decision making process some? What better way to deflect than to use an alleged headless group of ne’er-do-wells to do your bidding in some larger scale attack? This is an area of thought that I have put out there before, and every day I am convinced more and more that not only China is using this, but also other state actors.

…At least they would be smart to do so *wink wink nudge nudge, SAY NO MORE!*

Even if these state actors are not directly working from within the Anon’s.. At the very least they can be blamed.

Just saying… “Interesting times indeed”

Current Status China: Landlord, Banker, Petulant Child:

Beijing’s leaders have ramped up spying operations partly because they are angry at the United States, and they have been especially peeved at State Department officials; China believes that the Americans have tried to empower dissidents and to influence domestic politics. Indeed, Secretary of State Hillary Clinton has pushed for greater access to the Web for dissidents, giving a speech in February in which she called for “a global commitment to Internet freedom,” a phrase that officials in Beijing found particularly galling. The Chinese officials resented her proclamations about the Net, which they believed are an underhanded way of trying to meddle in their affairs. “For them, this is a very aggressive interventionist policy,” Fidler explains.

From The Daily Beast

To conclude, though, I would also like to touch on the fact that China has always been a proud nation. In that, they have been prone to react to any perceived slight by nations such as ours. Much of the proto-hacking that went on in China took place over the acts of countries like Viet Nam or Taiwan and resulted in defacement of pages (in a nice and polite way as well). Today, though, the tenor of the hacking has taken a darker tone, and much of it is due to the hard liners in the politburo taking the reins and directing the Green Army to act.

While China holds much of our debt, they still do not have all of our assets (IP) and as such, they want to keep us under control politically and financially. All the while giving us the rope to not just hang ourselves, but to do so for China’s best interest. The only time that I will worry that China will go all out cyber war on us is when they have nothing left to use us for.

Then we are in some deep shit. Imagine they call our markers AND hit our systems with attacks. They may not have the military capabilities hardware-wise, but they certainly could cause our military to falter and fail by breaking command and control as well as the supply chain with attacks today. So, I am not all that worried about them getting peeved at us over Obama meeting HH the Dalai Lama, as much as I am about them just calling our debt markers.

Sure, the Chinese leaders are worried about the Arab Spring, but they will just pull another Tiananmen, won’t they? After all, if they hold our debt, what are we going to do to them that isn’t going to be measured so as not to offend? So on it will go: we will ruffle their feathers, they will hack and steal data, and we still won’t have a debt ceiling agreement because our politicians are too self-involved to care about the country.

I welcome Chairman Meow…



Written by Krypt3ia

2011/07/18 at 12:39