Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘APT’ Category

Attribution: Fingerprints vs. Ballistics and Inductive vs. Deductive Reasoning

with 4 comments

The Problem

In the present day where the word “Cyberwar” is all the rage, and governments as well as private sector entities are seeking to cash in on the power grab that is mostly information warfare as the Chinese actually call it (信息战) too many are forgetting a core problem to the picture. This problem, is “attribution” as it has been termed in the community. To attribute an attack to an individual, government body, or group, is something that to date, has not been discussed as much as I would like to see with regards to all of the cyberwarfare talk as well as any other inferences with regard to forensics and geopolitical ascription to acts of “war” as this is has been labeled by this terrible terminology that we have latched onto.

Nomenclature aside, there are issues around trying to determine definitively where an attack has really come from because of the nature of computer systems, varying countries that they reside in, and the potential for the actor to be anyone from nation state to individuals of a collective privately, or a single determined individual. It is my contention that “attribution” can be very hard to prove in a court of law, never mind that a country may in fact be ready to wage war against another on the grounds of what is taken to be the truth of where an attack originated from and who the actors really were. There are too many variables that may never be one hundred percent certain to be basing any of these decisions on in my view, unless one has hacked back into the core final system that originated everything and that is rarely the case today.

So, where does this leave us? How do we even attempt to attribute an attack to any one person, government, or group? Can we ever be certain of any of this information? Can we base an aggressive action against a nation based on any of it?

Fingerprints and Ballistics

Some would approach the problem of attribution of digital attacks on the methodology that began the criminal forensics process we have today. Fingerprints were the first forensic model for determining who really may have created a crime if the evidence did not consist of an eye witness attesting to the fact that “they did it” Ballistics soon followed once guns began to have lans and grooves bored into the barrels to allow for more accuracy. Both of these examples leave telltale marks on the bullets or objects to determine which person or what gun were the arbiter of whatever crime was committed. Today though, we do not have the same narrow confines of data to examine as both of these examples allow for.

Code is the medium of today and while there are certain ways to tell if code was written in the style of a person or written on a particular computer, for the most part, these do not allow for absolute certitude as to who the actor was that created the code, nor for that matter, who used said code to effect an outcome (i.e. attacks on systems) conclusively. All one really has in most cases, are pieces of code, that, with the right coder, may in fact look like anothers, or, all attributions have been stripped from, or, lastly, copied directly from open sources and then tweaked. All of these scenarios allow for a great lassitude on determination conclusively on source or origin.

Digital Fingerprints 

With all that said, the digital fingerprints are there, and with luck someone can determine if the coder was sloppy and forgot something. Interestingly, much of this was out in the open and talked about with regard to the Stuxnet infections in Iran. Once the code was audited, there were many subtle clues as to who “may” have written, and in fact there were potential red herrings left in the code such as “mytrus” and other tidbits that may in fact just been placed there to mess with those seeking to perform forensics in hopes of finding out who did it. To date, many think that the US and the UK did the work, planned the operation, created the code, and implemented it, but, there is no conclusive proof of any of that is there?

Suffice to say, that everyone does make mistakes, but, with the right amount of diligence, it an adversary can make it incredibly hard code wise, to determine who did the writing. On the other side of the coin, the digital forensics arena also looks at the network and hardware side of the equation as well. Many attacks today are not directly coming from the home systems of the adversary, but instead they are coming from proxy machines that have either been rented or, more likely, hacked previously. This too can be heavily obfuscated and be something of a problem to gather information from if those systems reside in countries unfriendly to the attacked parties. One would likely have to hack into those already compromised systems and then attempt to gather intelligence as to where they were being controlled from and by. This is of course if the system wasn’t already burned or, as in many cases, the logging had all been removed and thus there were no logs to see.

From this perspective, yet again, there is a great amount of doubt that can be injected into the picture of just who attacked because of the nature of the technologies. Unless the systems are live, and in fact the adversary is either still using them or was exceedingly sloppy, it could be very hard to in fact prove conclusively any one actor or actors carried out and attack even from the digital forensics side of the house. This leaves us with a problem that we have to solve I think in order to truly be able to “attribute” an attack even tentatively to anyone. One cannot only rely on the technologies that are the medium of the attack, one must also use reasoning, psychology, and logic as well as whatever the forensics can allude to as to the attacker. This is very much akin to the process used by CIA analysts today and should be the SOP for anyone in this field, because the field is now truly global as well as has been brought into the nation state arena of espionage and terrorism, never mind actual warfare.

Inductive vs. Deductive Reasoning

First off, I would like to address Inductive and Deductive reasoning in this effort as one of the precepts core to these attribution attempts. By using both of these in a rigorous manner, we can attempt to shake out the truths to situations that may in fact seem clear on the face of them, but, once looked into further may be discounted, or at the very least questioned. Much of this lately has been the hue and cry that APT (Advanced Persistent Threat’s) are all pretty much originating from China. While many attacks have in fact been attributed to China, the evidence has not always been plainly clear nor, in many cases, has the evidence been anywhere in the open due to classification by the government and military.

There are many “secret squirrels” out there and they all pretty much squeek “CHINA” all the time. Unhappily, or perhaps unfortunately, these same squirrels end up being the ones talking to the news media, and thus a juggernaut is born in the news cycle. It just so happens that there are many other nation states as well as other actors (private/corporate/individual) that may well be the culprits in many of the attacks we have seen over the years as well. Unfortunately, all too many times though, a flawed inductive or deductive process of determination has been employed by those seeking to lay the blame for attacks like ghostnet or ghost rat etc. Such flawed thought processes can be shown by examples like the following;

All of the swans we have seen are white, thus, All swans are white.

This has pretty much been the mindset in the public and other areas where attacks in the recent past have been concerned. The attacks on Google for instance were alleged to have come from China, no proof was ever really given publicly to back this up, but, since the media and Google said so, well, they came from China then.. Right? While the attack may have in fact come from China, there has been no solid evidence provided, but people are willing to make inductive leaps that this is indeed the truth of it and are willing to do so on other occasions where China may have had something to gain but proof is still lacking. The same can be said with the use of deductive reasoning as well. We can deduce from circumstances that something has happened and where it may have originated (re: hacking) but, without using both the inductive method as well as the deductive with evidence to back this up, you end up just putting yourselves in the cave with the elephant trunk.

Psychology and Victimology

Another part of the picture that I believe should be added to the investigative process on attacks such as these, is the use of psychology. By using the precepts of psychological profiling as well as victimology, one can take a peek into the motivations of the attacker as well as the stance of the victim that they attacked into account on the overall picture. It is important to know the victim, their habits, their nature, and background. These factors can often lead to insights into who the adversary may in fact be. While the victimology paints the picture of the victim, it also helps flesh out the motives and possible psychology of the aggressor as well.

Of course one need not be a board certified psychiatrist or psychologist to perform a vicimtology in the way that we need to within the confines of determining who may have hacked a client. Many pentester’s do this very thing (though perhaps not enough today it seems) by profiling their targets when they are preparing for a test scenario. The good ones also not only look at what the target does, but also how they do it. They also look at how things work logically, as well as every other aspect of the business to determine how best to attack and what would have the most effect to replicate what an attacker “could” do to them. This is a key also to determining who may have actually attacked as well as why they did and this leads to another part of the puzzle, that of motives.

In trying to determine who attacked one must look at the motives for the attack. These motives can also show you the lengths that the attacker was willing to take (i.e. creating custom code and other APT style attack vectors/methods) to effect their end state goal. If there seems to be no real reason for their attack, and they have not stated it in other ways (like Anonymous and their declarations of attacks) then we are left to come to grips with seeking the reasons as well as what they took/destroyed/manipulated in the end. It is important to look at the whole picture instead of focusing on the minutiae that we in the INFOSEC field often find ourselves looking at daily in these IR events.

Hannibal Lecter: First principles, Clarice. Simplicity. Read Marcus Aurelius. Of each particular thing ask: what is it in itself? What is its nature? What does he do, this man you seek?

The Pitfalls of Attribution Theory

Another part of the picture that must also be assessed is that of the mindset of the assessor themselves. Today we seem to have quite the echo chamber going on with the likes of Beitlich and others concerning China and APT activities as I alluded to earlier. The media of course has amplified this problem threefold, but, the core problem is that we as investigators are sometimes easily tainted by the echo chamber. Thus I put it to you that the precept of “Attribution Theory” also play a key role in your assessments and that it can be a pitfall for you. In Attribution theory, one must also take into account such things as the motivations of the person doing the attributing. This means that even if you are a consultant in an IR, you too can allow your own leanings to sway your findings in such an endeavor as trying to determine who hacked whom with leading evidence but no definitive proof thereof.

Motives are key, motives of the assessor, motives of the victim, and motives of the adversary. One must take these all into account and be as impartial as possible and mindful of these things. It is my contention today, that all too often people are all too available to the idea that “China did it” is the go to assessment of a so called “APT” attack, especially so when APT is one of the most misused acronyms today in the information security field. It is just behind the term “Cyberwar” in my opinion in fact as one of the most misused and poorly constructed acronyms or terms for what is happening today.

In the end, one must take a step back and see the bigger picture as well as the minutiae that comprises its total while not being too easily swayed by our own bias or conditioning. I suggest you acquaint yourselves with these ideas and use them when involved in such cases where APT and Cyberwar are concerned.

There will Always Be “Reasonable Doubt”

In conclusion, I would like to assert that there will always be reasonable doubt in these cases. Given now that we are considering actions of war and legislation over attacks and counter attacks within the digital sphere, I would hope that those in government be made aware of the issues around attribution. I cannot conceive of going to war or launching missiles over a digital attack on some system somewhere. The only way I can see this actually becoming kinetic is if the attack is in tandem with boots on the ground or missiles fired from a distinct area of a foreign power. Unfortunately though, it seems of late, that governments are considering such actions as hacking the grid, as an acceptable trigger to kinetic response by the military. This for me is all the more scary given what I know about attribution and how hard it is in the digital world to determine who did what and when, never mind from where.

Presently I am working on a framework of this whole process model and will in the near future be presenting it as well as other aspects of determining the attribution of attacks on companies and systems at a conference in Ireland. It is my belief, with my partners in this presentation, that given more subtle cues of psychology, as well as sociological and historical inference, one can get a greater picture of the attacker as well as the motives for an attack if they are not openly stated by the aggressor. Of course none of this will eliminate “reasonable doubt” but, as CIA and other intelligence analysts have proven with such methodologies, one can make a more solid case by looking at all aspects surrounding a person, case, or incident to determine the truth.

K.

Written by Krypt3ia

2012/05/18 at 19:15

APT: What It Is and What It’s Not

leave a comment »

What APT is as defined by DoD

  • Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging and HUMINT capabilities. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from “less advanced” threats.
  • Nation State or Exceedingly Coherent and Supported Actors: APT usually means that they are Nation State actors (i.e. spies/proxies for nations seeking to infiltrate and steal data or to manipulate data/supply chains etc) This can also be non nation state actors hired by corporations or even in some cases, movements or groups who have hired out for specific operational goals.
  • Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator’s goals is to maintain long-term access to the target, in contrast to threats who only need access to execute a specific task.
  • Threat APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded.

Above from Wikipedia with changes by me.

I had a conversation on Twitter today that surprised me. The talk was about APT and what it really “meant” as well as how one determines if it is indeed APT that you are dealing with. First off, I was taken aback somewhat at the confusion by some in the security field, but then I thought about it and many have not come from the DoD space or perhaps corporate areas that have had direct exposure to APT activities. Secondly, I was amazed and the varying focal points people focused on as the “meaning” of APT.

So, I decided to put this little post together and put it out there.

Yeah.. I know.. It’s been said a zillion times huh? So, why are people still confused? Well, there are some operational details that are not really in the public space so there is that, and the DoD tend to like to make all kinds of silly acronyms… But it basically boils down to what you see above here. The definition came from Wikipedia (I know some are rolling their eyes now! Tough!) I have edited the entry with other information that was not there before and highlighted the important bits with italics and color.

Once you have read the above again… Move on to what APT is not below…

Go on… Re read the above please…

What APT Has Become In The Media and Marketing Maelstrom of Stupid

APT, the bugaboo sales buzzword that has been a wet dream for marketers of all kinds of software and appliances in security these past few years. The short and sweet of here is that APT is not the following;

  1. Phishing attacks
  2. Anonymous
  3. Common hackers looking for credit cards
  4. Your average pimple faced hacker (going with the media perception) in their mom’s basement with a commodore 64
  5. The Chinese
  6. A technical ghost in the machine that cannot be caught unless you buy my product!
  7. Able to be caught with just a SIEM solution that I am offering to you for (insert number here)

APT was in fact the acronym for state actors like China (who happen to be really really active lo these last 5 years or more) and Russia or Israel or France, who were hacking and using a full range of intelligence techniques to not only steal data but to interfere with supply chains or otherwise manipulate corporations and other nation states to their own ends.

THAT is APT.

Of course the acronym has jumped the shark as it is now a buzzword, but, the DoD types still use it as a moniker for the actors that they and others within the space see every day attempting to ex-filtrate data, mess with command and control, and otherwise (mostly silently) mess with us all. They use numerous tactics that interlock and have many teams working toward multiple goals and multiple levels of attack and operational security.

They can use the most elegant of solutions and nimbly change their tactics, they can, on the fly create/edit code to defeat the defenders tactics, and they also use the most simplistic of attacks all in the effort to gain the access they require and to not only further it but to KEEP it as long as possible to succeed in their own ends.

There you have it. It’s not a binary.. It’s a layered approach to espionage and information warfare (IW)

… And your not going to stop them with something like Symantec’s SEP solution..

Thus endeth the lecture.
K.

Written by Krypt3ia

2012/02/10 at 21:21

Posted in APT

Paper Tigers… Aren’t We All?

leave a comment »

Paper Tigers.. Paper Cuts…

A recent post that echo’s others that I have seen in the not so distant past makes a claim that China is about 13th on the preparedness scale for cyber warfare. Now, you may be thinking;

“But Krypt3ia, the news and you have said they are cleaning our clocks and stealin our data!”

Well, yes.. yes they are. However, they may not in fact be number one in “defense” in this sphere as well. Now, I am not saying they are 13th and the article does call into question the methods of gathering data and the questions asked to make this statement (China being 13th most prepared) but, still, they are at 13 here. I personally don’t ascribe to this litmus test that the survey purports to show on the state of affairs in China or anywhere else where cyber strategy is concerned.

After all.. If they asked China or anywhere else, do you REALLY think they are going to give you the God’s honest truth about their programs and readiness?

Duh.

Offense vs. Defense

Lets flip that bit too and think about offense vs. defense here. After all, it is sexier to be offense and easier right? So, how do you really correlate this “study” in any way between the extreme success that China has had with regard to cleaning our digital clock in relation to China’s own defensive posture? One does not really require that the other be commensurate really, and this is a flaw in the logic of the whole story for me. In fact, it is because we here in the US and other countries were so ill prepared for defense on this playing field really, that the Chinese have been so effective at APT types of attacks against us. It has been said in the past, and I would agree, that not all of the attacks from China have been sophisticated…

Because they did not need to be. That’s just how piss poor security has been here.

So, a concerted effort by a cabal of patriotic hackers (assets such as the Green Army) and other spook run operations (corporate/mil/gov) have been successful at ex-filtrating data from our servers here in the West. They used various methods both exotic and not, but the key to this is that they made a “concerted effort” They had operational plans, assets, and patience. All of these things are much more directed and focused than being on the defensive end of the equation. Add to this the fact that defense has been so poorly thought acted upon until now, it becomes clear why the greater story heard here is that of the offense winning the day.

On average, the common corporation has only seen security (up til now in the age of Lulz) as a cost center and because humans lack the ability to sense long term threats well (my contention) we have had a dearth of concern over the security posture of things other than saying “We have a firewall.. it’s all good” In short, because of our lack of forward thinking collectively, we have allowed this scenario to play out until such time as forces outside of the norm have forced us to pay attention…

Something akin to the panther leaping from the tree that we heard growling but decided that it was up to far to jump on us….

We have made our own beds and now, with this study, we see that a majority of the countries out there are not ready for prime time.. And those who are, are likely lying quite a bit about their readiness.

Studies With Subjective Questions and Results

Meanwhile, the “researchers” out there are making faulty suppositions using data that should not be trusted because it cannot be empirically validated. It makes me crazy to see this kind of claptrap being touted on the interent and in the news as fact, though this report did call this into question (yay them!) However, this does not stop others from doing just as shoddy work and then making great claims about how China may in fact be less of a threat because they are not as prepared on defense.

Bollocks.

China, Russia, Israel etc etc are all key players in the espionage world which now includes the 5th battlespace of information warfare carried out on the internet and within computer networks. To think anything else because someone asked them just how prepared “they” were for “cyberwar” is just appallingly stupid. From now on people, if you see these types of reports or studies, do try to think critically about the datum that is being presented.

A Brave New World

It’s a brave new world out there. We are in the age of Lulz and “cyberwar” *booga booga booga* all things that we really do not collectively have a firm grasp on as import and repercussions. There is so much going on between the Anonymous/Antisec/Anarchy as well as the manipulation of them by the likes of China and other world powers that you really need a primer to understand just what is really going on. Even then, its all so internecine and confused at times that you never really will likely have a clue of the real truth.. Ever.

We are at the cusp of so much that could go so horribly wrong and we unfortunately have people in charge who are ill equipped to understand and deal with it in our government(s) You all have seen my screeds a thousand times about all of this so you all know too. All I can really say is try and protect your little piece of digital landscape..

That’s all you can do really.

If the archology of the internet is going to be beset by crackers, spies and villains, well, there isn’t much you can do about it. Certainly not trust the government or the corporations to do the right thing.. Or even really know what to do.

You Know Who You Should Fear? Coders…

Nope, all in all, I would have to say in the end is that you need to fear the coders. The coders and the companies that they work for that are creating vulnerable software. Of course all software I think is potentially vulnerable, but, it seems that the standards out there are not being adhered to. We could be coding more securely and more keenly in the sense of not having Turing machine programs out there available to subversion but, we just aren’t there yet collectively to understand this and stop it.

The genie is out of the bottle.. No way to get it back in… We will die in the end from a thousand paper cuts…

Get your lemons out and enjoy the burn…

K.

 

Written by Krypt3ia

2012/02/09 at 21:49

The Hezbullah Cyber Army: War In HYPERSPACE!

with one comment

WAR! in HYPERSPACE: The Cyber Jihad!

A day or so ago, a story came out and made the rounds on the INFOSEC-O-Sphere about the Hezbullah Cyber Army The story, which was cub titled “Iranian Terror” was titled  “Iranian Cyber-Jihadi Cells in America plot Destruction on the Net and in Reality” Which, would get all our collective attentions right? The story goes on to tell about the newly formed Cyber Army that will be waging all out war on the US and others in “Hyperspace”

Yes, that’s right, you read that correctly.. This guy Abbasi is either trying to be clever, or, this is some bad translation. Sooo… Hyperspace it is! Well, I have a new tag line for him…

“In hyperspace.. No one can hear you giggle”

At any rate, the whole idea of a Cyber Jihad or a Cyber Hizbullah is a notion that should not just be sloughed off as rhetoric. I do think that if the VEVAK are involved (and they would want a hand in this I am sure) they could in fact get some real talent and reign in the ranks to do some real damage down the road a piece I think. So, while I may be a little tongue in cheek here at the start of this post, I want you all to consider our current threatscape (*cough* SCADA etc) and consider the amount of nuisance they could be if they made a concerted effort with the likes of the HCARMY.

So, yeah, this could be an interesting development and it is surely one to keep our eyes on collectively… But.. Don’t exactly fear for your lives here ok? After all, my opinion still applies that the bugaboo of scada does not easily fit into the so called  cyberwar unless it is effectively carried out with kinetic attacks and a lot of effort. Nope, if the HCA is going to do anything at all, it will be on the playing field of the following special warfare fronts;

  1. PSYOPS
  2. DISINFORMATION (PSYOPS)
  3. Support of terrorism (Hezbullah and others)
  4. INTEL OPS
These are the primary things I can see their being good at or being pawns of the VEVAK for.
So.. Sleep well for now because really all you have to truly worry about is that they are going to deface your page it seems (see picture at the top of the post)

Interview by IRNA with HCA

More than anything else though at the moment, the whole revealing of the HCA is more a publicity stunt than much else I think. For all of the talk in the US and other countries about mounting their own “Cyber Militia’s” it seems that Iran and Hezbullah wanted to get in on the ground floor..

Oh… Wait..

They forgot about the PLA and the Water Army!

DOH!

Oh well, sorry guys… Guess you will have to keep playing on that whole “HYPERSPACE WAR” angle to get your headlines huh? Besides, really, how much street cred is an organization like this anyway? So far I have been poking around all of their sites and find nothing (links or files) that would he helpful in teaching their “army” how to hack.

My guess.. This is kinda like putting out the inflatable tanks and planes for the Germans to bomb in place of the real ones.

The "About" Statement on HCA

Now.. Before You All Go Off Half Cocked (That means you Mass Media)

Meanwhile, I have seen the story that I linked up top scrawled all over the digital wall that is Twitter these last couple days. I am sure with everything that has been going on in Iran of late (i.e. the tendency for their bases to explode lately as well as their pulling another takeover of a consulate as well as spy roll ups) the media is salivating on this story because its juicy. It has it all really…

Cyberwar (hate that term)

HYPERSPACE!

Espionage

BOOGA BOOGA BOOGA We’re gonna activate our hackers inside your borders and attack your SCADA’s!

What’s the media not to love there?

HCA's YouTube Page Started in September

Well, let me set you all straight. This is piffle. This is Iran posturing and the proof thus far has been they have defaced a couple of sites with their logo.

THE HORROR!

This group has not even reached Anonymous standards yet! So relax.. Sit back… Watch the show. I am sure it will quickly devolve into an episode of the keystone cops really. They will make more propaganda videos for their YouTube, create a new Twitter account, and post more of their escapades on their two Facebook pages to let us all know when they have defaced another page!

… Because no one will notice unless they let us know…

Just The Persian Facts Ma’am

The real aegis here seems to be shown within the “about” statement for the group. Their primary goals seem to be to attack everyone who does not believe in their moral and religious doctrine. A translation of the statement rattles on about how the West are all foul non believers and that we are “pompous” Which really, kinda makes me think that the Iranian people, or at least this particular group, has a real inferiority complex going. More so though, it seems from the statement that they intend more of a propaganda and moral war against the west and anyone else they see fit than any kind of real threatening militant movement.

You know.. Like AQAP or AQ proper.. Or Jamaa Islamiya.

This is an ideological war and a weak rallying cry by a group funded by a government in its waning years trying to hold on to the digital snake that they cannot control forever. Frankly, I think that they are just going to run around defacing sites, claiming small victories, and trying to win over the real hackers within their country to their side of the issue.

Which… Well, I don’t think will play well. You see, for the most part, the younger set who know how to hack, already bypass the governments machinations and are a fair bit more cosmopolitan. Sorry Mamhoud, but the digital cat is already out of the bag and your recognition of this is too late. How long til the Arab Spring reaches into the heart of Tehran and all those would be hackers decide to work against you and your moral jihad?

Be afraid Mamhoud… khomeini…

All you really have is control temporarily.. You just have yet to realize it.

Tensions In The Region: Spooks & The Holiday Known as KABOOM

Now, back to the region and its current travails. I can see why this group was formed and rolled out in IRNA etc. Seems to me even with the roll up of the CIA operations there in Iran you guys still are being besot with problems that tend to explode.

  • Wayward Trojan drones filled with plastique
  • Nuclear scientists who are either being blown up or shot in the streets
  • Nuclear facilities becoming riddled with malware that eats your centrifuges.
You guys have it tough right now.
Let me clue you guys in on something… If you weren’t such a repressive and malignant regime, we might work with you on your nuclear programs to power your country. But, unfortunately, you guys are FUCKING NUTS! So, we keep having to blow your plans to shit (we as in the rest of the world other than say North Korea that is) because we are all concerned you just want a bomb. Why do you want that bomb? So you can lord it over the rest of us and use it as a cudgel to dismantle Israel say.. Or maybe to just out and out lob it over the border.
You are untrustworthy.
Oh well.. Yes we all have played games there and I agree some shit was bad. The whole Shah thing.. Our bad… Get over it.
I suspect that the reason why all of these bad things are happening to you now though sits in the PDB on the presidents desk or maybe in a secret IAEA report that says you guys are close to having a nuclear device. You keep claiming that you are just looking to use nuclear power peacefully… But then you let Mamhoud open his mouth again and shit just comes right out.
Until you guys at least try to work with others and not repress your people as much.. Expect more KABOOM.

What You Should Really Worry About From All of This

My real fear though in all of this hoo ha out of the HCA is that VEVAK and Hezbullah will see fit to work with the other terrorist groups out there to make a reality of this whole “Cyber Jihad” thing. One of these factors might in fact be the embracing of AQ a bit more and egging them on in their own cyber jihad. So far the AQ kids have been behind on this but if you give them ideas AND support, then we have a problem I think. The ideal of hit and run terror attacks on infrastructure that the government and those in the INFOSEC community who have been wringing their hands over might come to pass.

HCA Propaganda Fixating on OWS

If the propaganda war heats up and gains traction, this could embolden others and with the support of Hezbullah (Iran) they could “try” to make another Anonymous style movement. Albeit I don’t think that they will be motivated as much by the moral and religious aspects that HCA puts out there as dictum. Maybe though, they will have the gravitational force enough to spin all of this off into the other jihadist movements.

“The enemy of my enemy is my friend”

If the HCA does pull off any real hacks though (say on infrastructure) then indeed they will get the attention they seek and more than likely give the idea to other movements out there to do the same.

AND that is what worries me.

Cinch Up That Seatbelt… It’s Gonna Be A Bumpy Ride

Finally, I think that things are just getting started in Iran and its about to  get interesting. With all of the operations that seem to be going on in spook world (please don’t use PIZZA as a code word again mmkay?) and the Israeli’s feeling pressured by Tehran’s nuclear ambitions and rhetoric, I suspect something is about to give way. Add to this the chicken-hawks who want to be president (Herman I wanna touch your monkey) Caine and the others who have so recently been posturing like prima donna models on a runway over Iran and we have a disaster to come.

Oh.. and Bachmann.. *Shudder* Please remove her from the Intelligence committe!! That whole Pakistani nuclear AQ attacks thing was sooo not right!

PSSSSST BACHMANN they’re called SECRETS! (or, for your impaired and illiterate self SEKRETS) STFU ok?

OH.. Too late, now NATO is attacking into Pakistan…

It looks to me like the whole middle east is about to erupt like a pregnant festering boil and we are the nurse with the needs who has to pop it and duck.

So.. Uh yeah, sorry, got carried away there… I guess the take away is this; When you look at all the other stuff going on there, this alleged cyber army is laughable.

Yuk yuk yuk… You’re killin me Ahmed!

K.

Neuromancing The Cyberwars

leave a comment »

The Great Cyberwar to Come

Every day lately I open up the newsfeed and see more and more dire predictions of cyber doom and cyber war. Each time I read this stuff I just have to hang my head and curse under my breath all of the morons out there both reporting on it as well as those purveyors spinning the cyberwar to come. In fact, I really loathe the term “Cyberwar” as do I think, many of my compatriots in the infosec industrial complex (ooh coined a new one there huh?) Every time these people open their mouths I have to just borrow a line from Seinfeld and bellow;

“SERENITY NOW!”

Enough already of this Cyberwar lunacy! Let me tell you something, we have been in an information war for a long long time and a component of that is EW (Electronic Warfare) For years we have been manipulating warfare through information whether it be planting fake stories in the press (newspapers, tv, radio etc) to manipulating data within systems as part of disinformation campaigns. The only real difference today, and I think is the crux of the cyberwar craze are two factors:

  1. Everything seems to be connected by computers today
  2. We can now manipulate not only data, but the machines that process actual physical processes (ICS/SCADA)

So yes, there is more that potentially can be done to an enemy target electronically, but, the hoopla and hype around cyberwarfare has gotten WAY out of hand today and someone needs to bust that bubble before the morons in charge get their trigger fingers on the button. Perhaps though, its too late for that as I am looking around today and see that the military is saying they have the potential right to launch attacks after cyber attacks…

Good God… It makes one root for Skynet thinking about the great cyberwar to come.

Trust Us… We’re the Government!

What is most frightening to me is that the government and the military seem to be under many misapprehensions over “cyberwar” In the case of the government, more to the point, Congress and the House, we have two august bodies that are filled with some of the most misinformed and Luddite oriented groups of people I have ever seen… And these are the people we are going to entrust to make policy on such topics? The said same people who would have the likes of Gregory Evans speak to them about digital security?

We are doomed.

So, what do we have here? We have the people making laws led by the blind and the chicken little’s of the world. All of this over the overhyped and overblown idea that the great cyber war is a commin and no one is safe! Our power will go out because hackers will shut it all down! The gas pipelines will explode because John McClane won’t be able to get the Apple kid to the right terminal during the fire sale! The financial system will collapse because Thomas Gabriel will have jacked into the feeds and slurped ALL of our digital records on to his terabyte drives!

OH NO!

Yeah, you might be asking yourself right about now;

“Do they really believe that shit?”

Well, take a look at some of their laws lately concerning digital matters and privacy.. Then tell me they really know anything about the internet nor digital security. So, yes, I firmly believe they believe it. In fact, there is an old trope in the movies about hackers. You know the one, where the hacker just sits down and 5 seconds later they are root on the Gibson… Yeah, I really think that is how they percieve hacking and how easy it would be to hack the planet.. So to speak.

So, are you comfortable with these people deciding whether or not we actually physically (or digitally) attack another country after we get a little pwn3d?

I am not.

Attribution… We Don’t Need No Stinkin Attribution!

Back to the DoD and their recent proclamation about physical and other attacks against those who attack us with a cyber attack. I just have one word for them to chew on and contemplate;

ATTRIBUTION

You know, that pesky word meaning we actually KNOW who attacked us? Yeah, well as far as I have seen today, it’s pretty damned hard to determine most of the time who did what and where on the net. Digital forensics only get you so far, compromised machines can be tampered with in so many ways to make it look like someone did something and these guys want to launch cruise missiles against nation states over a DDoS?

Mmmm yeah… This will not end well.

Ok, so the next great cyberwar will take place pretty much like the whole premise of the Terminator films then? Will Skynet become sentient or will we just have a military and government that says “THEY DID IT” and fire off some missiles? Frankly, what I see here is a lot of posturing and hope that the reality is that people will realise that they cannot attribute anything and not fire one missile due to the lack of concrete proof.

But.. That assumes that cooler heads prevail and there are not too many hawks in the room….

Dark Prognostications of DOOM… Trust Me, I Write Blogs!

Meanwhile, we have the blogosphere and the pundits out there with slit eyed prognostications about how many more times 9/11 it would be, this cyberwar to come that McClane is not there to save us from.

“THERE ARE NO AIR GAPS TO SCADA! WE ARE DOOMED!”

“THE COLLATERAL DAMAGE WILL BE HUGE!”

“OUR WAY OF LIFE WILL BE DESTROYED!”

Blech. Look, sure, a cyber attack on key infrastructure would be bad. It could cause a real ruckus and we could have pockets of the country/world where power may be down a while, gas lines could blow, and there would be collateral damage. However, this would not be an all out war. In fact, I think it would be far worse if someone took out the core routers to the internet… I mean, at least that is doable if you do it right with kinetic attacks at key points (MAE’s etc) However, I just don’t see it as a likely scenario.

Frankly, you know what keeps me worried?

  1. Biological warfare or accidents with the materials
  2. A dirty bomb or a nuclear bomb cobbled together from illicit materials from the likes of Russia or Pakistan
  3. Mass coronal ejections causing a large EMP

Cyberwar.. Not so much.

The problem is that there are too many pundits and too many crazy opinions out there that are getting ear time with the Luddites in charge. Hell, for that matter, I am a blogger too, so I could be part of the problem as well huh? Maybe I am all wet and tomorrow China will attack at dawn… It’ll be just like Red Dawn.. Except they will hit us first with cyber attacks and then drop thousands of troops on us (Wait a minute! What a movie idea!)

CRAP! Someone beat me to it!

Oh I know! instead the Chinese will just release all our prisoners from cell blocks by using Metasploit against their ICS systems that lock the doors!!!

Heh.

Remember you heard it here first!

Reality? Nah, Just Pass Me The SymStim and Goggles!

I guess in the end, I just have to resign myself to the fact that sanity will not prevail. We will have a military with putative attribution and a Congress unqualified to rule on such things to pass the vote to attack those who attacked us with their packets and malware.

We’re screwed…

Oh well, I will just have to put in the REM and listen to the end of the world and we know it…

*Sits back…puts on shades…Hacks the Gibson*

YEEEHA!

K.

The Son of Stuxnet… Methinks The Cart Be Before Ye Horse

with 2 comments

My dear dear lord,
The purest treasure mortal times afford
Is spotless reputation—that away,
Men are but gilded loam, or painted clay.
A jewel in a ten-times barr’d-up chest
Is a bold spirit in a loyal breast.

Mowbray, Richard II Act 1 Scene 1

 

 

As fate would have it, today I saw a tweet that said Symantec had a paper coming out on “Stuxnet II” I surfed on over and read the document and what I was left with was this;

“We rushed to judgement here and wanted to get this out to get attention before anyone else did.. Here’s STUXNET REDUX!”

Now, sure, the code base appears to be Stuxnet’s and yes, there are similarities because of this, however, calling this Stuxnet Redux or “Son of Stuxnet” is just a way of patently seeking attention through tabloid style assumptions put on the Internet. Let me pick this apart a bit and you decide…

Code Bases and Re-Tasking

So ok, the coders seemed to have access to the FULL source of Stuxnet. It has been out there a while and surely some people in the world of “APT” have had access to this. It’s not like it was some modified version of Ebola kept at Sverdlosk at Biopreparate. Had you even considered that it was released on purpose as chaff to get others to tinker with it and thus middy the waters?

I’m guessing not from the report that I read, hurried as it was and full of conclusions being jumped to. In fact, Symantec even said that they had not fully audited the code! C’mon…

Alrighty then, we have a newly released and re-tasked version of Stuxnet that turns out to be just a recon tool to steal data. I find it interesting that they make so much of this and intone that the coders of the original are up to shenanigans again but fail to even beg the question that it could be anyone with the requisite skills to cut into the original code (after it had been laid out for everyone to look at) and re-task it with a new time frame. Please note that there are not the original 0day attacks and multiplicity factors of infection vectors as well as exfiltration schemes.

So, not really so complicated as I see it.. You?

The original code/malware was very targeted and this, well this is really just like any other APT attack that I have seen out there.. In fact, in some ways its less clever than the APT attacks out there from the past.

So, really Symantec, take a step back and mull this all over again before you release.. Say.. Just who else had the code and you were worried about that would steal your thunder here?

Pathetic.

RATS, RECON, & Targets

Speaking of the infiltration/ex-filtration picture, I see from the report that they are linking the RAT to the original worm but have not real proof that it came from DUQU! It was found in situ on the box that they analyzed and make the assumed statement that it was “likely” downloaded by the malware via its comms to the C&C.

Once again I say “Evidence Much?”

You have no basis other than assumption but you make no real clarification on this. Though there is mention of a DQ.tmp file which I assume means that it came from the RAT.. But.. Proof again please? It’s the little things that count here and I see a great failure in your haste Symantec.

Another thing that is bugging me now is that the news cycle is making connections to DUQU with attacks on power grids.

HOLY WTF?

Symantec, DO YOU HAVE EVIDENCE of what companies were “Targeted” by this malware re-hash? If so, you should come out of the closet here a bit because this is BS unless you have proof. I of course understand that you cannot name the companies, but CONFIRM OR DENY that they were all Power companies before making claims and allusions that the media will just shriek at the top of their lungs placing more FUD on the headlines.

Or… Wait.. Now that might be an advantage to you guys huh?

Ponder.. Ponder…Ponder…

Well played….

What it all boils down to for me is this:

Someone re-tasked the malware and stuck a common RAT in it. Until you (Symantec) come up with more solid evidence of more interesting and technical attacks, then I call bullshit on you.

What? No Mention Of APT Here?

Meanwhile, I see that people are assiduously avoiding the APT word… Hmmmm What does this attack really remind one of… APT!

There, I said it.

APT attacks:

  • Infiltrate
  • Seek data
  • Exfiltrate data
  • Keep access

And therein lies the rub. DUQU has a 36 day shelf life. Now, this is good from a foot-printing level AND could be excellent for setting up the next attack vector that could include the component of sustained access. So, the reality here for me is that this was a foot print attempt on whatever companies it was set upon. It was a recon mission and that was all.

NOT STUXNET..NOT SON OF STUXNET!

Had you called it a Stuxnet like attack re-purposing code then I would have had less problems with your document Symantec. Instead we got FUD in a hurry.

Baseless Claims: Pictures Or It Never Happened!

Finally, I would like to see Symantec spend some more time here as well as see others pull this all apart. I want to see more proof before you all go off half cocked and get the straights all upset over an attack that may have nothing to do with the original.

Frankly, I find your faith in rationality disturbing… Symantec…

K.

Anonymous, SCADA, LULZ, DHS, and Motivations

with 2 comments

Anonymous Is Interested In PLC’s & SCADA?

A recent .pdf bulletin put out by Homeland Security (i.e. DHS) claims that certain actors within Anonymous (and by that they mean “anonymous”, I added the distinction) have shown interest in at least Siemens SIMATIC PLC’s and how to locate them online for exploitation. It seems that DHS though warning about this threat, is not too concerned about its actually being exploited by the group because they lack the expertise to attack them. So, why the BOLO on this at all? If the collective cannot do the damage to the infrastructure that you are entrusted in keeping safe, then why report on it at all as credible intelligence? It would seem to some, myself included, that Anonymous is not the problem that they are really worried about on the macro scale, but instead, those who may claim to be Anonymous hitting small scale facilities or pockets of targets for their own purposes.

And therein lies the difference.

If indeed Anonymous the collective is looking at attacking SCADA, one has to wonder at their reasons to target such systems. After all, if Anonymous takes out the power or poisons the water, it will not look good for them PR wise. In fact, were such things to happen in the name of Anonymous, I can pretty much guarantee you all that they would be enemy #1 pretty darned quick post an attack. However, if they were to target a company such as a car maker that pollutes, then, you have a real agenda (per their social agenda of late) So, the targeting is really key here and I will cover that later on.

DHS Jumping The Shark?

The motivations of the release by DHS have also  been called into question by some as to why they chose to talk about this at all. This is especially prescient since they take pains to say that the Anonymous movement “most likely” does not have the technical means and motive to really pull of these types of attacks on the infrastructure. So why even bother? Perhaps they are just covering their bases (or asses) just in case the Anon’s actually attack? Or perhaps, they too are clued in on the fact that even if claimed to be anonymous, it could be others working against the US (Nation State Actors) who have chosen to attack and use Anonymous as a cover so as to throw off attribution.

Either way, as some look at it, it is almost like they are daring Anonymous to do it out of spite because they are calling Anonymous’  factions and actors “inept” or “unskilled” which, might get their dander up a bit. All of these scenarios pretty much do not preclude someone hitting SCADA systems in the future and it being blamed on Anonymous, which will bring on a new wave of efforts by the government to stamp them out. Reciprocity being what it is, this too will mean that Anonymous might in fact gain strength and sympathy from such actions and fallout as well.

For me though, I just see DHS covering the bases so as to not be blamed later on should something happen. Not so much am I of the opinion that they are in some kind of propaganda war here with this little missive.

Motives, Means, Technical Abilities

So lets go with the theory that certain elements of the Anonymous collective want to mess with the infrastructure. Who would they target and why? More to the point, what companies would they target that fits their agenda?

  • Telco?
  • Power?
  • Manufacturing?

Those are the three areas that I could see as potential attack vectors. Though, once again I have to say that the only two that I see as real possible would be the telco and manufacturing and even the telco would be dangerous for them to try as well. I mean, if you start messing with Ebay or Paypal that’s one thing, its quite another to mess with national infrastructure, as these two would be considered. If indeed Anonymous hit them and took them down for whatever reason, they would then be directly considered terrorists… And that would be seriously bad for their movement and its legitimacy.

Now, we do know that the  Anon’s hit the BART system but as I remember it, it was BART that took out the communications infrastructure themselves so as to prevent communication between anon’s. So, this just doesn’t seem to fit for me either. Manufacturing though, as I made the case above, could be something they would try. It’s not national infrastructure and it will not take the country down if they stop something like cars  being made.

Is it just me? Or does anyone else just see this as a non starter for Anonymous central? What I do see is the threat of other actors using the nomme de guerre of Anonymous as cover for their actions to mess with the national infrastructure. Perhaps some of these people might in fact be motivated by anonymous, but, my guess that if there were to happen, it would be nation state driven… And something I have been warning about for some time.

Anonymous, as an idea, as a movement, will be subverted by those looking to fulfil their own ends and justify their means. All the while, they will let the Anon’s take the fall for it.

Governments

Nations

Nation States

… AND.. Corporations.

You know, those with the money and the people who could pull off the technical hacks required to carry these capers off.. Not a bunch of rag tag hacktivists and hangers on.

Blowback

In the end, what I fear is that there will be a great deal of blowback on Anonymous even talking about hacking and messing with infrastructure. The same can be said for their attempts on taking down Wall Street or the NYSE with their DD0S. If they had succeeded, they would have been an annoyance really, but that would not have caused any great fluctuation in the markets I think. No, unless they hacked into NYSE itself and exposed the fact that they had root in there, I think that it would have a very minimal effect on Wall Street and the economy at large.

Not to say that everything is going ever so well now…

DHS seems to have jumped the shark a bit for me on their BOLO and the coverage of this just tends to add to the FUD concerning SCADA and PLC code. Hell, for that matter we have the new Symantec report on DUQU that yells out about it being the “Son of Stuxnet” but in reality, it is more like a clone of Stuxnet used for APT style attacks by persons uknown..

Get yer FUD here!

Same goes for this DHS warning.

Your results may vary…

K.

OPERATION SHADY RAT: Or As I like To Call It; Operation Shady Crap

with 3 comments

First, let me preface with an expletive laced rant that will be stripped for the straights at Infosecisland.. Please forgive the capslock shouting, but I cannot contain myself here!

//CUT HERE

HOLY WHAT THE FUCK?

McAffee WHAT IS THIS EPIC BULLSHIT YOU ARE PUTTING OUT THERE TO FUD THE CONGRESS INTO WANTING TO SEE IT? ARE YOU THAT FUCKING DESPERATE TO APPEAR AS TO KNOW WHAT THE FUCK IS GOING ON WITH REGARD TO APT THAT YOU PUT THIS “BOOGA, BOOGA, FEAR, FEAR, FEAR, FUD, BUY OUR PRODUCTS CUZ WE SAW SOME SHIT” LIGATT-IAN PRESS RELEASE?

YOU ARE WASTING OUR COLLECTIVE TIME AND IF YOU FUCKING GO TO CONGRESS WITH THIS BS I FULLY EXPECT TO SEE A NO CONFIDENCE VOTE IN THEM AND YOU!

NO.. WAIT…I ALREADY THINK YOUR PRODUCT IS JUST SHIT.

CONGRESS… WELL WE KNOW HOW USELESS THEY ARE TOO.. I GUESS YOU SHOULD BE FAST FRIENDS HUH?

END CUT//

Ok, now that I have that out of my system, I will now attempt to explain a few things in a civil manner on the RAT/APT situation. First off, there is nothing new here as I have said before on numerous occasions. This type of activity says more about the laxity of the targets security as well as the intent of the adversary in gathering state desired secrets on the part of China. The simple facts are these;

  1. China wants to have an edge and it finds itself using the Thousand Grains of Sand strategy to its benefit in the digital arena
  2. We have made it easy for them to compromise our systems due to lack of accountability and the short term gains seen by individuals within companies
  3. The adversary is smart and will do what it takes up to even intercepting helpdesk tickets and fielding problems to keep their persistent access!
  4. This has been going on for a long time and now is just getting out to the press.. Ok, I get that, but really, sowing FUD to win business will not help

It is readily apparent from this POS that McAffee has put out that they are just fishing for some press here for their flagging AV sales. This paper gives nothing relevant to the story around APT and as such, it should be just relegated to the dustbin of the internet and forgotten. Yes, the US was a major target but others were as well. This is a nation state working on these APT attacks, come on now! They have more interests than just the US! Just as much as you (McAffee) had access to ONE server out of many! Never mind all the others that were fleeting and pointed to by DYNDNS sites!

Really McAffee, you come off looking like rank amateurs here… Well, I guess you are really for pulling this little stunt altogether.

The adversary has been around for a long time. No one product nor service is going to protect us from them (that means you McAffee) so it is useless to try and sell us the snake oil you would like to. It is our own human natures that we have to overcome to handle the least of the problems that feed into group think and herd mentality in corporations and governments. Face the facts, they are here to stay and we need to learn the game of ‘Go’ in order to play on their field.

Unfortunately, we get dullards like these (McAffee) crying wolf and offering unctions to take our troubles away.. Unfortunately all too often there are too many willing to buy into their crap.

… And we keep losing.

K.

Written by Krypt3ia

2011/08/15 at 18:25

From Lulz to Global Espionage: The Age of the Cracker

leave a comment »

It seems that 2011 is turning into the year of the cracker. Between Anonymous, Lulzsec, and the ongoing wave of espionage being carried out by nation states, we have begun to see just how serious a threat cacking really is. Of course both of these groups of attacks  have greatly differing motives as well as means. Lulzsec, well, is doing it for the Lulz and the others such as nation states or criminal gangs, are doing it for political, financial, or personal gains. In this post I will cover all three groups and their motives as well as means.

Lulzsec:

Lulzsec is a splinter group of Anonymous who for all intents and purposes, have decided to carry out raids on any and all sites that they feel need their attention. This could be simply a process of finding the lowest hanging fruit and exploiting it or, there may be some further agenda that they have yet to explain fully. So far though, we have the simple explanation of “They are doing it for the Lulz”

Lulzsec really began their efforts with focusing their full attention on Sony Corp. Sony pissed them off by attempting to prosecute a coder/hacker/reverse engineer named GeoHotz. Geohotz managed to tinker with some Sony code and they went out of their way to try and destroy him. It’d be one thing if he was being malicious, but Geohotz was not.. Instead Sony was. This caused a great backlash in the hacker community against Sony, and though they came to an agreement with Geohotz, Lulzsec decided they needed some attention.

After numerous attacks on Sony that netted Lulzsec much data and showed just how poor Sony was at protecting their client data, Lulzsec decided to take their show on the road so to speak. They began their new campaign with “The Lulz Boat” which set sail for #fail as they say. Soon the Lulz were epic and the target scope began to open up. Lulzsec attacks began to show up on Pirate Bay as well as on pastebin where they would dump the data from their attacks and laugh at the targets poor security.

What once seemed to be revenge has now morphed into a free for all of potential piratical actions for unknown reasons by Lulzsec. Of late, they also seem to be profiting from their actions by donations of bitcoins as well as perhaps other help from the masses who enjoy their antics. It is hard to tell exactly what the agenda seems to be for Lulzsec as it is still evolving…

Meanwhile, their actions have risen the ire of not only the likes of Sony, but now the governments of the world as well as their law enforcement communities. Who knows how long it will be before they are collared or if they will be at all.

Nation State Actors:

The ‘Nation State Actors’ may well be the most sophisticated group here. Many of you likely have heard the term APT, and this group would be the core of the APT. Those nations that have the means to use assets at their disposal to make long term and concerted attacks against their targets. This is the real meaning of APT (Advanced Persistent Threats)

What we have seen in these last few months is either an escalation on their part, or, we are just now catching on to their attacks by actually paying attention to information security. I am not sure which it is really, but, I lean toward there being more attacks as the programs developed by certain countries have solidified and spun up. As you have seen here, I have made much mention of China as being the culprit in many of the attacks recently. I stand by that assessment, but one must not forget other countries like Russia or Israel for APT attacks.

This all of course is just a natural progression from the old school espionage with physical assets in the field to a digital remote attack vector. As we have gotten wired, so has the espionage game. In the case of the wired world, unfortunately, much of the security that would usually surround assets in the old days, are not put into place in the digital. Why is this? It could be a lack of understanding, or, it could also be that the technology has outpaced the security values that they require to protect the data within.

Either way, hacking/cracking has now become a tool of war as well as intelligence gathering. It’s just a fact of life today and unfortunately the vendors and users have not caught up on means to protect the assets properly.

Industrial Espionage:

This is where the APT, Lone crackers, Companies, and Nation States meet. All of these groups use hacking/cracking as a means to an end. In the case of nation states, they are often looking to steal IP from companies. Often times that IP happens to be from defense contractors. This is a dual use type of technology both for war as well as any technology taken could further their own in many other ways.

In today’s world, you have all of these players using attacks to steal data for themselves, or their masters. The recent attacks on Lockheed are just this, APT attacks, likely by China engaged to steal IP on military hardware and technologies to augment their own and compete not only on the battlefield but also economically.

Other attacks are likely un-noticed and carried out by single aggressors or small teams that hire themselves out for this purpose. These are the civilian equivalent of the nation state spies and often can be contracted by nation states or other companies to carry out the work. In fact, this has become a boutique niche for certain individuals and companies in the ‘private intelligence’ arena. For this type of actor, I suggest reading ‘Broker, Trader, Lawyer, Spy’

Criminal Gangs:

This brings me to the criminal gangs. These are most commonly from the Eastern Block (The former Soviet Union) and they too often work tacitly for the government. In the case of Russia, there is a large amount of governmental complicity with the gangs. This is because much of the Russian government is made up of Russian mob types or, are paid handsomely by them for complicity.

Much of the crimeware trojans out there are Russian (Ukraine) made and the money that they steal from their quick hits goes to the East. Just by looking at the news, you can see how many ATM skimming attacks have money mules hired by the Russians and how often the money makes its way there. An interesting convergence here is also the connection between the Chinese in some cases and the Russians working together. There was a spate of Russian run botnets that had Chinese involvement as well as Russian servers/sites showing up in China recently.

With the synergy of the Russian and the Chinese malware makers working together, we will have a level of attacks that will only escalate as they learn from each other and perfect their methods. Meanwhile, they are robbing places blind by stealing PII data to create identities with as well as just transferring large sums of money digitally from banks that lately seem to be getting off for not performing the due diligence of security on behalf of their clients.

When The Players All Meet:

It seems that in the end all of the players meet at the nexus of digital crime. Whether its stealing data for profit, or as an act of patriotism for a nation state, all of the players work within the same digital playground. As the technologies meet, so do the players and it is likely there will be bleeding together of means and opportunity.

In the case of Lulzsec, it has yet to be determined what they really are all about other than the laughs. As they were once a part of Anonymous, one might think they might have a political agenda, but they have said otherwise. However, some of their actions speak to a more political bent than anything else. The recent attack on the senate websites seems to belie at least some politics at play as they stated they didn’t like them very much.

More importantly though, it is the response by the nation states and their law enforcement groups that will be interesting. For groups like Lulzsec, they are now passing from the nuisance category into perceived enemies of the state. Once they start attacking government and military targets with their lulz, then they are likely to see a more hardened response from intelligence agencies as well as the likes of the FBI.

Once the laws and the enforcement agencies catch up with the technology, then we are going to see some interesting times…

K.

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

with 2 comments

黑客 Transliteration into English ‘Dark Visitor’, more specifically in our colloquial language ‘Hacker’ The Dark Visitor movement of the 1990’s has morphed into a more sophisticated and government connected espionage wing today. What was once a loosely affiliated group of patriotic hackers, has been honed by the PLA (Peoples Liberation Army) into a force to be reckoned with on the stage of digital espionage and data theft.

Beginnings:

Back in the latter 1990’s the Internet made its way to China and soon hackers began to see how the system worked. These hackers were curious about systems to start, but soon the motives changed in the Chinese hacker community due to patriotism and the inherent nature of the Chinese culture, to feel that they could avenge their country for perceived sleights by hacking web pages and defacing them. It was in 1997 that the first hacker collective was formed and named the “Green Army” and in 1998, the “Red Hacker Alliance” was formed after an Indonesian incident involving riots against the Chinese caused them to band together.

Over time, many groups would form and dissipate only to re-form. The groups would have various reasons to go on campaigns of hacking against other countries like Taiwan over political issues and the like, but it seemed for the most part the general aegis was just to hack. A change though came in the 2000’s when commercialism started to come to play. It seems that as in the West, the hackers began to see that their skills could be put to use to make money, and many of them began working as security consultants. As with the country itself, commercialisation that Deng Xiaoping had put into play with his ‘market economy’ afforded them the idea of not just being politic but also in some ways, Capitalist.

From the “Dark Visitor” by Scott Henderson its a good albeit short read on the subject. You can buy it on his site I think..

The paradigm however has changed a bit since 2005 and since, more of the hacking and the groups doing it have dual motives. Due to the PLA co-opting the hacker groups, a healthy dose of patriotism, and the general socio-political environment that the Chinese live in today, we now have both forces at work. The political and the market driven.

Motivations for APT Attacks:

Since the market economy’s beginning with Deng, China has brought itself up out of the depths that the Mao government dragged them into a burgeoning super power. Most of this economic feat has been driven by the sheer ability of the Chinese to throw immense amounts of workforce at problems. While producing cheaper and perhaps lower quality goods, they have plaid upon the capitalist nature of the west to pivot themselves into the controlling seat economically and production wise. America and other countries have locked on to the idea that hiring out to foreign workers (outsourcing) they are saving a lot on their bottom line. As well, the consumer, be they American or other, have enjoyed the advantages of cheaper products, thus they save more money on their purchases, and thus have more disposable income.

This model however has one flaw for the Chinese. While the Chinese have great skill in replicating technologies, and have created clever contracts that in the end, garner them all of the specs on how to make just about everything, they lack in the area of generating new technologies. This is the basis for their efforts within the industrial espionage area that make up quite a great number of the persistent attacks on companies in the West that have succeeded in stealing IP. It seems that the Chinese need for political status as well as economic status have created the perfect incubator for the likes of the Honker Union or the Green Army, to turn their efforts toward making China a complete superpower.

State vs. Non State Actors:

The lines between the state actor and the non state are very much blurred in China. Due to the culture, many of the hackers work together for the common goal of the state. Since 2001 though, the notion of the state actor has been more common since the PLA began to incorporate the hackers into their ranks as well as to begin training programs at universities like the Chengdu University of Technology, which, just happens to be situated within the province where the first directorate of cyber intelligence resides.

There are certainly likely to be other hackers or groups also working for themselves selling 0day and the like, but I can also envision that certain state actors might also want in on that action as well. How better to control some of the malware out there than to actually create it and sell it? Either way, the notion of separating state and non state actors in China has pretty much been a non starter for me when looking into this issue.

In the end, they all are state actors I think just by the nature of the regime.

Techniques:

In the beginning, the Chinese hackers were just defacing pages, but after Cult of the Dead Cow created Back Orifice, the face of hacking changed. Huang Xin
took note and created the first Chinese trojan ‘glacier‘ since then, it’s been an ever increasing world of trojans and means to get the users of systems to install them. As time progressed, and hackers had to deal with more security measures (i.e. firewalls) they all began to use guile to get the end user to do the work for them. Over the years the Chinese have gotten much better at crafting decent emails that will not ring alarm bells in users heads. These emails and exploits are what we now call ‘phishing

Additionally, the Chinese have honed the attacks to not only be sly but also they have added a very regimented structure of keeping access to the networks they have compromised. Through thorough placement of further back doors as well as creating custom code to apply to applications inside of their target infrastructures, they have managed to keep the access that they desire to exfiltrate data at their own pace. Using multiple nodes within a compromised network, they will just shrug and move on to another compromised node once they have been discovered and stopped on the original. THIS is the true meaning of “Advanced Persistent Threat” and for me it’s mostly on the persistence that the emphasis should be kept.

Moving Forward:

Recent events with Lockheed have moved me to write this blog post as well as begin a series of them on the Chinese hacking community today. My initial searches online have provided all too much data and it admittedly has me overwhelmed. This I decided to parse this all out. I wanted to cover the history, motivations, and means today. Soon I will be writing more about infrastructure and methodologies to try and give a map so to speak, of what we are dealing with as the Chinese continue to use those ‘Thousand Grains of Sand‘ against us.

But, just to give you a taste of what I am seeing… Here is just one site that I did a relational link search on:

More to come…

K.