Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘China’ Category

Paper Tigers… Aren’t We All?

leave a comment »

Paper Tigers.. Paper Cuts…

A recent post that echo’s others that I have seen in the not so distant past makes a claim that China is about 13th on the preparedness scale for cyber warfare. Now, you may be thinking;

“But Krypt3ia, the news and you have said they are cleaning our clocks and stealin our data!”

Well, yes.. yes they are. However, they may not in fact be number one in “defense” in this sphere as well. Now, I am not saying they are 13th and the article does call into question the methods of gathering data and the questions asked to make this statement (China being 13th most prepared) but, still, they are at 13 here. I personally don’t ascribe to this litmus test that the survey purports to show on the state of affairs in China or anywhere else where cyber strategy is concerned.

After all.. If they asked China or anywhere else, do you REALLY think they are going to give you the God’s honest truth about their programs and readiness?

Duh.

Offense vs. Defense

Lets flip that bit too and think about offense vs. defense here. After all, it is sexier to be offense and easier right? So, how do you really correlate this “study” in any way between the extreme success that China has had with regard to cleaning our digital clock in relation to China’s own defensive posture? One does not really require that the other be commensurate really, and this is a flaw in the logic of the whole story for me. In fact, it is because we here in the US and other countries were so ill prepared for defense on this playing field really, that the Chinese have been so effective at APT types of attacks against us. It has been said in the past, and I would agree, that not all of the attacks from China have been sophisticated…

Because they did not need to be. That’s just how piss poor security has been here.

So, a concerted effort by a cabal of patriotic hackers (assets such as the Green Army) and other spook run operations (corporate/mil/gov) have been successful at ex-filtrating data from our servers here in the West. They used various methods both exotic and not, but the key to this is that they made a “concerted effort” They had operational plans, assets, and patience. All of these things are much more directed and focused than being on the defensive end of the equation. Add to this the fact that defense has been so poorly thought acted upon until now, it becomes clear why the greater story heard here is that of the offense winning the day.

On average, the common corporation has only seen security (up til now in the age of Lulz) as a cost center and because humans lack the ability to sense long term threats well (my contention) we have had a dearth of concern over the security posture of things other than saying “We have a firewall.. it’s all good” In short, because of our lack of forward thinking collectively, we have allowed this scenario to play out until such time as forces outside of the norm have forced us to pay attention…

Something akin to the panther leaping from the tree that we heard growling but decided that it was up to far to jump on us….

We have made our own beds and now, with this study, we see that a majority of the countries out there are not ready for prime time.. And those who are, are likely lying quite a bit about their readiness.

Studies With Subjective Questions and Results

Meanwhile, the “researchers” out there are making faulty suppositions using data that should not be trusted because it cannot be empirically validated. It makes me crazy to see this kind of claptrap being touted on the interent and in the news as fact, though this report did call this into question (yay them!) However, this does not stop others from doing just as shoddy work and then making great claims about how China may in fact be less of a threat because they are not as prepared on defense.

Bollocks.

China, Russia, Israel etc etc are all key players in the espionage world which now includes the 5th battlespace of information warfare carried out on the internet and within computer networks. To think anything else because someone asked them just how prepared “they” were for “cyberwar” is just appallingly stupid. From now on people, if you see these types of reports or studies, do try to think critically about the datum that is being presented.

A Brave New World

It’s a brave new world out there. We are in the age of Lulz and “cyberwar” *booga booga booga* all things that we really do not collectively have a firm grasp on as import and repercussions. There is so much going on between the Anonymous/Antisec/Anarchy as well as the manipulation of them by the likes of China and other world powers that you really need a primer to understand just what is really going on. Even then, its all so internecine and confused at times that you never really will likely have a clue of the real truth.. Ever.

We are at the cusp of so much that could go so horribly wrong and we unfortunately have people in charge who are ill equipped to understand and deal with it in our government(s) You all have seen my screeds a thousand times about all of this so you all know too. All I can really say is try and protect your little piece of digital landscape..

That’s all you can do really.

If the archology of the internet is going to be beset by crackers, spies and villains, well, there isn’t much you can do about it. Certainly not trust the government or the corporations to do the right thing.. Or even really know what to do.

You Know Who You Should Fear? Coders…

Nope, all in all, I would have to say in the end is that you need to fear the coders. The coders and the companies that they work for that are creating vulnerable software. Of course all software I think is potentially vulnerable, but, it seems that the standards out there are not being adhered to. We could be coding more securely and more keenly in the sense of not having Turing machine programs out there available to subversion but, we just aren’t there yet collectively to understand this and stop it.

The genie is out of the bottle.. No way to get it back in… We will die in the end from a thousand paper cuts…

Get your lemons out and enjoy the burn…

K.

 

Written by Krypt3ia

2012/02/09 at 21:49

Experts, Testimony, Charlatans, & Intelligence Committee’s

with 3 comments

Recently, an allegation was made by our favourite plagiarist and wantonly frivolous filer of law suits, Greg Evans, that he was going to be testifying before Congress on Cyber Security and Sino-US relations.

I know… I can’t believe this either…

However, it is entirely possible that Evans has managed to bamboozle the US House of Representatives/Congress into believing that he is in fact an expert on anything to do with cyber security.

“How did this happen?” You ask?

Well, it is possible that they saw him on FOX news or perhaps CNN of late. Perhaps his minions finally reached out to the right people who have access to the government.. Either way, we all know within the security community a couple of things that make this all the more plausible.

  1. Evans always is pimping his “cred” with all those self released PR pieces (Worlds #1 hacker)
  2. Congress Critters aren’t all that tech savvy for the most part and are easily distracted by laser pointers on the floor.

So, we do have a potential situation if indeed Evans is not just blowing smoke up our collective asses here on Twitter.

I would hope that the House Intelligence committee would in fact vet their speakers a bit better. In an effort to insure that they at least get some perspective on Mr. Evans, I have crafted the email shown above and asked Rep. Michael Rogers (Chairman of the House Intelligence Committee) to have a look into who he may in fact have planned to speak in the near future. Here is his contact information for you all out there who care to drop him a line and beg the same of him.

Rep. Michael Rogers (Chairman of House Intelligence Cmt)
133 Cannon House Office BuildingWashington, DC 20515
Phone: (202) 225-4872
mike.rogers@mail.house.gov

Contacts for the House Intelligence Committee

Capitol Visitor Center HVC-304
US Capitol Building
Washington, DC  20515-6415

Majority Staff                                   Minority Staff
Office:  (202) 225-4121                     (202) 225-7690
Fax:      (202) 225-1991                     (202) 226-5068

Ethan Weber
Defense Fellow National Security International Affairs Homeland Security U.S. House of Representatives
133 Cannon House Office Building
Washington,  DC 20515-0003
202-225-4872 or 202-225-5820
ethan.weber@mail.house.gov

Diane Rinaldo (for Mike Rogers)
U.S. House of Representatives
133 Cannon House Office Building
Washington,  DC 20515-0003
202-225-4872
diane.rinaldo@mail.house.gov

We live in “Interesting Times” as the Chinese say and we certainly do not need to have congress led further astray by those without the experience in the subject matters at hand. Lets hope that the House looks into Evans’ history and decides that he is not a subject matter expert on any of the topics at hand.

K.

EDIT: It seems that Evans is not speaking/testifying at a hearing per sources connected to the HPSCI. However, Evans may be speaking to individual congress critters, so, still email the HPSCI to get the message out to them. They then in turn can locate who may be in fact meeting with Evans.. If indeed there is any meeting at all.

 

Written by Krypt3ia

2011/10/14 at 15:34

从中国用爱 From China with Love: The Chairman Meow Collection

with 3 comments

From China with Love:

Within the last year (since Stuxnet) the general populace has become more aware of the problems we all face from digital attacks and espionage. Of course sitting here today writing this blog entry, I look back at my past posts and wonder just why people are catching on now. China has been working us over for a long time and with each day’s passing we have been steadily more and more compromised by the 7th directorate and their proxy hacking groups. This is not to say that others aren’t doing the same thing as well. China just happens to be the more active due to their single minded desire to be the pre-eminent superpower and they have the politically charged populace to do it (i.e. PLA and their civilian hacking counterparts)

Israel, Russia, England, the list goes on, all spy on us as we spy on them. In the case of industrial espionage, the Chinese are first on the list, followed closely by Israel and Russia as well as France. Its a game we all play, its just that China has been going at it in a much smarter and cohesive way is all. All one need do is look at the current state of affairs to determine that they have been exceedingly adept at it as well, kudos to them really and shame on us. We (the US) have been too busy being slaves to greed and cheap products from, you guessed it, China, to notice that our collective clocks were being cleaned. Sure, some have been in the know about this (the military, DOD DIB parters) but we have been hampered by several things.

1) Contractors (i.e. private companies) do not have robust security postures and often are connected to DOD systems (say an air force base) Not to mention that these systems that the contractors own hold the goodies and escalation vectors that the APT want. Patching, IDS/IPS, SIEM, DLP, all words that are foreign to many exectuives making decisions about security and often have not one clue in the matter to start. I have in fact seen one place that had a C level exec with a 4 character password to their system! One that also had a pre-populated ID! YAY! Way to go there Mr. C level who manages a company that makes war-fighter systems! So, suffice to say that they companies have been ill equipped to handle security and the executives have been reticent to care.

2) Government regulations have been too lax in governing the security mandates and repercussions on any and all contractor companies that work on war-fighter systems. Sure, there are ITAR regs and potential fines, but really, how many of these companies have had true audits of their networks and environments to test their security postures? A good red team of many of these places I am sure would turn up shockingly scary vulnerabilities and network security gaff’s that would, if leveraged by the likes of the Chinese, lead to huge compromises of the companies as well as their proprietary data. In the time I was at a defence contractor, I only saw one red team and in that event it only took about an hour to compromise the place utterly. We need to enforce security on all defense contractors for both sides of their businesses (defense base and public) in order to insure that the data is safe. Right now, even after everything that has happened with China, we still have no real regulation and control over these companies security postures and that is why we will keep failing.

3) Human nature and corporate group think are the lead causes in our failures mentioned above. We as beings seem to lack the ability to see the long term dangers with regard to this type of warfare. We are also being leveraged by social engineering attacks (phishing, vishing, etc) to gain the toehold into the networks that lead to escalation and persistence. We need to be teaching secure computer practices both on a personal and a corporate level in order to be better equipped to try and stop these attacks. It’s not going to be the new piece of hardware or software that the vendors want to sell you (though they do have a place if they work) but instead the human factor that will be able to help here. I just would like to see the C levels at least aware of the security threats and really understand them. So far, I have seen too many in management without a clue and who don’t seem to care.

So, what I think we really need are some rules set up for companies doing government business that mandate secure practices and insure that if those companies are not following through, will be fined and shamed as well as lose their contracts. Its one thing to be compromised even if you are doing the due diligence, its quite another to be compromised and not really care nor understand the problem because there are no negative incentives to being that way. In today’s world, we need to be sharper than this if we want to stay in play on the global scale.

What we really need to be now is a ‘Digital Sparta’

Meanwhile, we are behind the game here. The government is trying to come to grips with all of this (poorly) all the while the Chinese and others now using the APT style of persistent attacks, are making bigger and more audacious hits against us (cough RSA & Lockheed cough!) while the news media spins on telling only half of the story that they comprehend to the masses that have little comprehension of the issues at all. Meanwhile, we in the security community talk about attribution and the problems of not only trying to stop all this from happening, but also deal with the repercussions politically trying to capture those carrying out the attacks.

All of this during the cacophony of vendors (and I mean you McAffee) spewing buzzword bingo out of your collective keisters trying to make sales and use the situation to your advantage.

Its time to pay real attention to the problems allowing these attacks to take place so easily and to the companies that are being targeted by the likes of China. For a little more history, I have collected the “From China With Love” collection on my blog. Dating back to 2008/2009 to today, you can see that this has been going on for a long time, and there is much more that has gone on that you might know about, or ever will unless you are cleared to know.

Enjoy.

Is Someone in China Reading Your Emails?

Our Chinese Overlords, Or how China is pwning the US

Economic Warfare: The New World Threat Via Cyberspace

Ni HAO!

Ghost Net: Aka Subseven or any other trojan backdoor program

Cyber SPIES in our GRID! Let the hand wringing begin!

DoD 2009 PLA Cyber Warfare Capabilities Assessment

MID’s “Seventh Bureau” and You.

Major General Dai Qingmin’s Cyberwar

The Cyber Cold War

How The Hackers Took Google A Theory: Manipulation, Geopolitics, and Cyber Espionage

PLA officer urges challenging U.S. dominance

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?

3322

Oh and as a post script; This post was also brought to you by @diocyde because he/she was such a pendantic wanker about me not caring about what China was up to as I was too busy chasing “pimple faced jihadists” online..

Moron.

K.

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?

with one comment

America Faced With Wave of Chinese Espionage

Defense Department officials are struggling to plan for a massive
 cyber-attack from Beijing – and fend off spies in the meantime. Tara McKelvey reports on the secret warfare.

Jul 16, 2011 9:47 AM EDT

 Deputy Defense Secretary William Lynn III never said the word China 
in his speech on Thursday
 about “Cyber Strategy,” but he didn’t have to. The
 threat of a cyber-attack from Beijing weighs heavily on the minds of 
military commanders. And while officials have not said publicly who
 was behind the newly disclosed theft of 24,000 files from a defense contractor in 
March, one of the worst cyber-assaults in Pentagon history—
it may well have been a Chinese operation. And even if Beijing
 officials were not involved in the theft, they have been implicated in 
other matters—so many, in fact, that federal officials are
 discussing publicly what do to about cyber-attacks, without saying
 explicitly who their number-one villain is.

From The Daily Beast

CYBER WAR!! CHINA TO BLAME! DIGITAL TSUNAMI IMMINENT!

So, we are going to be in for a digital wave of hacking and espionage are we? Say, have you been around lately? Like say the last oh, twenty years or so? Cuz if this is the big wave, I would hate to see what the tsunami is going to look like. Well, at least this article has some of the facts right including the issues over attribution for attacks and operations. however, it still glosses over the fact that this is nothing new. Espionage by the Chinese has been a favorite past time for them with regard to the U.S. and now that espionage is taking place within computer networks.

But.. This too has been happening for a long time (see Titan Rain or others like Moonlight Maze)

Nope, this is indeed nothing really new. The scale of it may be the new twist here and that is really because of the interconnection that has happened over the years to the internet. We have done it to ourselves and we did it without any real thought as to the security of our networks/systems/data

But, that is a screed for another day.

Since we are so connected now, and even systems that should not have (S) (NOFORN) data have been hooked up too (I know, I have seen it myself)  or said data has been placed on non cleared servers, we have been making it easier for the likes of China to get our secret sauce. China though, is not the only one doing this, but, they have made it an art form. The reason for this is that the Chinese had decided early on, that cyberspace (for lack of a less buzzworthy name) was going to be the 5th battlespace as well as the next frontier in espionage. Rightly so too.

As I said above, the networking of the world has made it that much easier to gather intelligence and in the case of the Chinese, they began to use the nascent hacker community to do it. However, old school espionage on the part of China has been going on for a long long time. If you are interested in this, then I suggest you pick up “Tiger Trap” by David Wise Suffice to say, that we have been industrially spied on at the very least by China dating back to at least WWII.

And they have been exceedingly successful.

(for more on China’s Thousand Grains of Sand and Espionage go HERE)

Back to the article and its catchy headline though, the great Cyber War has yet to come and we are woefully ill equipped to handle it right now. There have been incursions that we have found and I am sure there are more that we still don’t know about (whether or not the government has classified them, thus burying them) that paint a larger picture of the issue I am sure. So, when they cry out that we are in for the big hit yet to come, I say “heh” look at what already has happened!

Pretexts; Anonymous, China, and Cyber-Espionage:

The one area that the Beast article does not allude to that it should in my book on this subject is the current climate in the ‘cyber’ world. As you can likely tell from the header here, I personally think that Anonymous and LulzSec are the key to future attacks. Not that they are directly involved per se, at least not knowingly, but that China has latched onto their antics as a pretext for their own attacks.

Think of Anonymous, AntiSec, and LulzSec as the gift that keeps on giving any state or person who wants to carry out attacks online and have the questionable cover of it all being for the Lulz.

With all of the AntiSec/Anonymous operations ongoing, who is to say that China’s PLA has not infiltrated the infrastructure and effected the decision making process some? What better way to deflect than to use an alleged headless group of nae’r do wells to do your bidding in some larger scale attack? This is an area of thought that I have put out there before and every day I am convinced more and more that not only China is using this, but also other state actors.

…At least they would be smart to do so *wink wink nudge nudge, SAY NO MORE!*

Even if these state actors are not directly working from within the Anon’s.. At the very least they can be blamed.

Just saying… “Interesting times indeed”

Current Status China: Landlord, Banker, Petulant Child:

Beijing’s leaders have ramped up spying operations partly because they 
are angry at the United States, and they have been especially peeved
 at State Department officials; China believes that the
 Americans have tried to empower dissidents and to influence domestic 
politics. Indeed, Secretary of State Hillary Clinton has pushed for
 greater access to the Web for dissidents, giving a speech 
in February in which she called for “a global commitment to Internet 
freedom,” a phrase that officials in Beijing found particularly 
galling. The Chinese officials resented her proclamations about the Net, which they believed are an underhanded way of trying 
to meddle in their affairs. “For them, this is a very aggressive 
interventionist policy,” Fidler explains.

From The Daily Beast

To conclude though, I would also like to touch on the fact that China has always been a proud nation. In that, they have been prone to reaction to any perceived sleight by nations such as ours. Much of the proto hacking that went on in China took place over the acts of countries like Viet Nam or Taiwan and resulted in defacement of pages (in a nice and polite way as well) Today though, the tenor of the hacking has taken a bit of a darker tone and much of it is due to the hard liners in the politburo taking the reigns and directing the Green Army to act.

While China holds much of our debt, they still do not have all of our assets (IP) and as such, they want to keep us under control politically and financially. All the while giving us the rope to not just hang ourselves, but to do so for China’s best interest. The only time that I will worry that China will go all out cyber war on us is when they have nothing left to use us for.

Then we are in some deep shit. Imagine they call our markers AND hit our systems with attacks. They may not have the military capabilities hardware wise, but, they certainly could likely cause our military to falter and fail by breaking the command and control as well as supply chain with attacks today. So, I am not all that worried if they get peeved at us over Obama meeting HH Dalai Lama as much as I am their just calling our debt markers.

Sure, the Chinese leaders are worried about the Arab Spring, but they will just pull another Tienamen won’t they? After all, if they hold our debt, what are we going to do to them that isn’t going to be measured to not offend? So on it will go, we will ruffle their feathers, they will hack and steal data, and we still won’t have a debt ceiling agreement because our politicians are too self involved to care about the country.

I welcome Chairman Meow…

K

 

Written by Krypt3ia

2011/07/18 at 12:39

Team Inject0r: The Multinational Connection

with 6 comments

The recent compromise of a NATO server by “Team Inj3ct0r” has recently made the news, but, as the media usually do, they did not look any deeper than the website for Inj3ct0r and perhaps a little data as to what the team said in a text doc on the compromised server. A further examination of the group shows that Inj3ctor has been around since 2008, and has ties to Chinese hackers as well as Russia, Turkey and other countries.

This could change the paradigm on the “hacktivism” moniker that Team Inj3ctor has branded themselves with recently (post the goings on with Anonymous and LulzSec/Antisec movements) Before these movements, this site and the teams all were loosely linked and purveyors of 0day, and not so much in it for any political means. What has changed? Who might benefit here to use the hacktivism movement as a cover for hacking activities that could cause a stir?

… Maybe the PLA? Maybe the FSB?…Some other political orgs from Gaza? or Turkey?

Or, perhaps they are just a bunch of hackers who like the cause celebre of hacktivism? It’s hard to say really, but, when you get China into the mix, the lines blur very very fast.

Below I am outlining the data I collected on the main inj3ct0r site, its owner, and two of the players who are on both teams of hackers that span China and Russian hacking. This makes for a new wrinkle in the Anonymous/Lulz movement in that the NATO hack was claimed by someone using the name “Team Inj3ct0r” and this site seems to fit the bill as the source of the attack since it has been quoted by the hackers that they used 0day on the NATO server to crack it and keep access. If indeed there are connections to state sponsored hacking (as the China connection really does lead me to believe) then we have a new problem, or perhaps this has been the case all along that the state sponsored hackers have been within Anonymous, using them as cover.

Another interesting fact is the decision to attack NATO. Was it a hack of opportunity? Or was there a political motive here? As I have seen that these groups are multi-national, perhaps this attack had a overall political agenda in that NATO is supposed to be the worlds policeman. I am still unsure.

Teams and Members:

In looking at the sites and the members, it came to light that two members belong to each of the teams (inj3ct0r and DIS9) The two are “knockout” and “Kalashinkov3” The teams are tied together in the way they present their pages and the data they mirror so it is assumed that they have a greater connection underneath. In fact, more of them may be working together without being named in the teams listed below. Each of these people have particular skills and finding 0day and posting them to this site and others for others to use.

Team Inj3ct0r: http://77.120.120.218/team

Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (mr.r0073r@gmail.com) My assumption is that the name given as well as the address and phone numbers are just bogus as you can see they like to use the netspeak word “1337” quite a bit. A secondary tip on this is that the name “Matt Farrel” is the character name for the hacker in “Live Free or Die Hard” Someone’s a fan…

Team Inj3ct0r

r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com owned by Mr. Czeslaw Borski according to whois. However, a whois of inj3ctor.com comes up with a Anatoly Burdenko of 43 Moskow Moskovskaya Oblast RU. Email: e-c-h-0@mail.ru

  • The domain r0073r.com owned by a Mr. Czeslaw Borski out of Gdansk Poland (another red herring name) domain hosted in Germany with a .ru name server
  • The domain inj3ct0r.com created in 2008 belongs to Anatoly Burdenko and has been suspended
  • The domain inject0r.com was hosted in China  61.191.0.0 – 61.191.255.255 on China net
  • Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
  • Another alias seems to be the screen name str0ke
  • Also owned www.0xr00t.com

http://www.inj3ct0r.com domain details:

Registrant:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013
Domain servers in listed order:
ns1.suspended-domain.com
ns2.suspended-domain.com
Administrative Contact:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151                     
Sid3^effectsr
4dc0reSeeMe
XroGuE
gunslinger_

indoushka
KnocKout

  • knockout@e-mail.com.tr
  • knockoutr@msn.com
  • Alleged to be Turkish and located in Istanbul
  • Member of the Turkish cyber warrior site cyber-warrior.org last access July 4rth 2011

ZoRLu
anT!-Tr0J4n
eXeSoul
KedAns-Dz
^Xecuti0n3r
Kalashinkov3


DIS9.com:

DIS9.com is a hacker group that is linked to and shares two members with Team Inj3ct0r (Kalashinkov3 and KnocKout) Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin ostensibly out of Hunan Province in China. The owner/registrar of the site has a familiar email address of yeailin225@126.com also a domain registered and physically in China.

A Maltego of this data presents the following interesting bits: A connection to the site http://www.vi-xi.com a now defunct bbs which lists the yeailin225 account and other data like his QQ account. This site also lists another name attached to him: Daobanan ( 版主 )  vi-xi.com had hacking discussions that involved 0day as well. The domain of vi-xi.com was registered to jiang wen shuai with an email address of jwlslm@126.com and listed it out of Hunan Province.

The connections from DIS9 to other known hackers who are state actors was found within the Maltego maps and analogous Google searches. As yet, I am still collecting the data out there because there is so much of it. I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice to say though, that there is enough data here to infer that at the very least, hackers who work for the state in China are working with others on these two sites at the very least, sharing 0day and perhaps hacking together as newly branded “hactivists”

DIS9 Team:
Rizky Ariestiyansyah
Blackrootkit – 
Kedans-Dz

: Team Exploit :

Nick
Kalashinkov3
KnocKout
K4pt3N
Liquid
Backdoor Draft

h4x0er.org aka DIS9 Team

Another interesting fact is that a link to the site h4x0er.org itself shows that the DIS9 team is the umbrella org for Inj3ct0r and other teams. This is a common practice I have found with the Chinese hacking groups to have interconnected sites and teams working together. This looks to be the case here too, and I say this because of the Chinese connections that keep turning up in the domains, sites, and team members.

Other Teams within the DIS9 umbrella:

In the end, it seems that there is more to the inj3ct0r team than just some random hackers and all of this data bears this out. I guess we will just have to wait and see what else they hit and determine what their agenda is.

More when I have it…

K.

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

with 2 comments

黑客 Transliteration into English ‘Dark Visitor’, more specifically in our colloquial language ‘Hacker’ The Dark Visitor movement of the 1990’s has morphed into a more sophisticated and government connected espionage wing today. What was once a loosely affiliated group of patriotic hackers, has been honed by the PLA (Peoples Liberation Army) into a force to be reckoned with on the stage of digital espionage and data theft.

Beginnings:

Back in the latter 1990’s the Internet made its way to China and soon hackers began to see how the system worked. These hackers were curious about systems to start, but soon the motives changed in the Chinese hacker community due to patriotism and the inherent nature of the Chinese culture, to feel that they could avenge their country for perceived sleights by hacking web pages and defacing them. It was in 1997 that the first hacker collective was formed and named the “Green Army” and in 1998, the “Red Hacker Alliance” was formed after an Indonesian incident involving riots against the Chinese caused them to band together.

Over time, many groups would form and dissipate only to re-form. The groups would have various reasons to go on campaigns of hacking against other countries like Taiwan over political issues and the like, but it seemed for the most part the general aegis was just to hack. A change though came in the 2000’s when commercialism started to come to play. It seems that as in the West, the hackers began to see that their skills could be put to use to make money, and many of them began working as security consultants. As with the country itself, commercialisation that Deng Xiaoping had put into play with his ‘market economy’ afforded them the idea of not just being politic but also in some ways, Capitalist.

From the “Dark Visitor” by Scott Henderson its a good albeit short read on the subject. You can buy it on his site I think..

The paradigm however has changed a bit since 2005 and since, more of the hacking and the groups doing it have dual motives. Due to the PLA co-opting the hacker groups, a healthy dose of patriotism, and the general socio-political environment that the Chinese live in today, we now have both forces at work. The political and the market driven.

Motivations for APT Attacks:

Since the market economy’s beginning with Deng, China has brought itself up out of the depths that the Mao government dragged them into a burgeoning super power. Most of this economic feat has been driven by the sheer ability of the Chinese to throw immense amounts of workforce at problems. While producing cheaper and perhaps lower quality goods, they have plaid upon the capitalist nature of the west to pivot themselves into the controlling seat economically and production wise. America and other countries have locked on to the idea that hiring out to foreign workers (outsourcing) they are saving a lot on their bottom line. As well, the consumer, be they American or other, have enjoyed the advantages of cheaper products, thus they save more money on their purchases, and thus have more disposable income.

This model however has one flaw for the Chinese. While the Chinese have great skill in replicating technologies, and have created clever contracts that in the end, garner them all of the specs on how to make just about everything, they lack in the area of generating new technologies. This is the basis for their efforts within the industrial espionage area that make up quite a great number of the persistent attacks on companies in the West that have succeeded in stealing IP. It seems that the Chinese need for political status as well as economic status have created the perfect incubator for the likes of the Honker Union or the Green Army, to turn their efforts toward making China a complete superpower.

State vs. Non State Actors:

The lines between the state actor and the non state are very much blurred in China. Due to the culture, many of the hackers work together for the common goal of the state. Since 2001 though, the notion of the state actor has been more common since the PLA began to incorporate the hackers into their ranks as well as to begin training programs at universities like the Chengdu University of Technology, which, just happens to be situated within the province where the first directorate of cyber intelligence resides.

There are certainly likely to be other hackers or groups also working for themselves selling 0day and the like, but I can also envision that certain state actors might also want in on that action as well. How better to control some of the malware out there than to actually create it and sell it? Either way, the notion of separating state and non state actors in China has pretty much been a non starter for me when looking into this issue.

In the end, they all are state actors I think just by the nature of the regime.

Techniques:

In the beginning, the Chinese hackers were just defacing pages, but after Cult of the Dead Cow created Back Orifice, the face of hacking changed. Huang Xin
took note and created the first Chinese trojan ‘glacier‘ since then, it’s been an ever increasing world of trojans and means to get the users of systems to install them. As time progressed, and hackers had to deal with more security measures (i.e. firewalls) they all began to use guile to get the end user to do the work for them. Over the years the Chinese have gotten much better at crafting decent emails that will not ring alarm bells in users heads. These emails and exploits are what we now call ‘phishing

Additionally, the Chinese have honed the attacks to not only be sly but also they have added a very regimented structure of keeping access to the networks they have compromised. Through thorough placement of further back doors as well as creating custom code to apply to applications inside of their target infrastructures, they have managed to keep the access that they desire to exfiltrate data at their own pace. Using multiple nodes within a compromised network, they will just shrug and move on to another compromised node once they have been discovered and stopped on the original. THIS is the true meaning of “Advanced Persistent Threat” and for me it’s mostly on the persistence that the emphasis should be kept.

Moving Forward:

Recent events with Lockheed have moved me to write this blog post as well as begin a series of them on the Chinese hacking community today. My initial searches online have provided all too much data and it admittedly has me overwhelmed. This I decided to parse this all out. I wanted to cover the history, motivations, and means today. Soon I will be writing more about infrastructure and methodologies to try and give a map so to speak, of what we are dealing with as the Chinese continue to use those ‘Thousand Grains of Sand‘ against us.

But, just to give you a taste of what I am seeing… Here is just one site that I did a relational link search on:

More to come…

K.

RSA Tokens, Lockheed Martin, APT, OH MY!

leave a comment »

When @stiennon first re-tweeted the Cringley blog post that claimed LMCO had been hacked using EMC/RSA algorithms that were stolen in March, I thought oh shit, here we go. Little did I know that the actual flap would not be the fact that LMCO had been under attack and potentially accessed via the RSA hack fallout, but instead that many people in the ‘community’ said EMC/RSA had nothing to do with it… Some rather vociferously in fact…

Having been in the defence contractor arena myself, I decided to touch base with someone I trust and who is usually in the know about this shortly after the twitter storm began over this incident. That person’s answer to my question of whether or not the RSA angle was true was “It has merit” So, for me, the word of this person (who is a DIB partner) is enough to surmise that what they knew at the time was in fact true. It would seem that the RSA tokens may have been used in an attempt to gather data from LMCO. What’s more, now we are learning that the attackers had access for approximately 24 hours before they were shut down. Those 24 hours gave plenty of time for certain types to grab what they want because they already know the lay of the landscape usually.

Yes.. You know who I am talking about.. An Advanced Persistent Threat aka China.

I can hear certain people in the community now groaning at the use of the APT acronym but let me put it to you all straight. If there was a hack on LMCO, maker of the JSF and numerous black type projects to boot, then it was likely China or another nation state’s actors that would be considered APT under the definition put forth by the military. Sick of APT as a sales tool you say? I agree, but in this case you moan or whine about this descriptor in this case and you are just setting yourselves up to look uninformed about the defence contractor security space.

While the full facts of the attack vector may never fully be known to anyone outside of the DIB (Defence Industrial Base) partners and certain cleared people, it is safe to assume that the attack was, as it has been described by LMCO, as tenaciously prosecuted by the attackers. This means that whoever it was wanted in and was ‘persistent’ enough to really make a go of it. LMCO has been the target before to such attacks and in fact in this case, people are beginning to wonder why they did not follow other defence base partners and scrap their RSA tokens for another solution post the EMC hack. That they didn’t, may in fact be the reason that the aggressors decided it was time to try this attack. If they had carried it off as explained with a combination of phishing emails and key logging, they could have had much greater access to the LMCO network persistently and for longer had they not been caught.

My money is on the Chinese as the aggressor here and I suspect they wanted even more data on the JSF (other than the 20 gig they got back a while ago) to round out their collection. It is no coincidence that just before an air show recently the Chinese showed off a stealth aircraft of their own that had some striking similarities to hardware we have been working on. The Chinese want the superiority and they are willing to easily steal it from us, and when I say easily, I really do mean that.

We are a soft target and its unfortunate that the US is only learning that fact now.

Time will tell what we find out about the hack on LMCO, I am willing to bet that we will never know everything.. But, I should think that at the very least there may be some more of the DIB partners scrapping their RSA solution for something else.

K.

Written by Krypt3ia

2011/05/31 at 17:47

The PrimorisEra Affair: Paradigms In Social Networking and SECOPS

with 5 comments

EDIT 5.24.2011

As of last night, I had heard that PrimorisEra was back and posting to a new blog. Today Wired has fired off a follow up to the earlier report and her return. It seems from the report that perhaps the Pentagon investigation is over and that in fact Shawna Gorman may indeed be the First Lady of Missiles. It remains to be seen if this is really the case but since she is back and blogging, I would have to lean toward my assessment from before. Still though, my cautionary statements about social networking and SECOPS still apply.

See below:

K.

From Wired:

It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.

Now everyone involved in this weird network is adjusting their story in one way or another, demonstrating that even people in the national security world have trouble remembering one of the basic rules of the internet: Not everyone is who they say they are.

“I think anyone puts pictures out online to lure someone in,” the woman at the center of the controversy insists. “But it’s not to lure men in to give me any information at all… I liked them. They’re pretty. Apparently everyone else thought so too.”

This is a strange, Twitter-borne tale of flirting, cutouts, and lack of online caution in the intelligence and defense worlds. Professionals who should’ve known better casually disclosed their personal details (a big no-no in spook circles) and lobbed allegations they later couldn’t or wouldn’t support (a big no-no in all circles). It led to a Pentagon investigation. And it starts with a Twitter account that no longer exists called @PrimorisEra.

Yesterday, Wired posted a news article about another potential social networking attack on the .mil and .gov types involving Twitter, Facebook, and Google Buzz. The snippet above really sums up what is alleged to have happened and the problems with Social media’s blasé attitudes where people who have jobs that require secrecy meet and chat.

Presently, according to the article, a Pentagon investigation is under way into this story, but once again, this is not the first time we have heard this type of story in the press with these same players. It was last year when a profile online named “Robin Sage” made the rounds on LinkedIn and other social media formats. This “cutout” as they are called in the espionage community, was in fact a fake profile used by a security researcher to prove a point. By using an attractive woman as the persona, the researcher was able to get people within the military and governmental community to add her and flirt. Through the flirting, the unsuspecting connections gave up valuable data on what they did for a living, where they were, and perhaps even locations in country around the battlefield in Afghanistan.

Many just fell for the profile hook line and sinker.. And that is a bad thing for anyone in this sector. It was a lesson in OPSEC and it’s failure. Potentially, this emerging case from the Wired story could also be much the same. The number of online personae that are involved in this story are just a little too many to just think that it was an innocent mistake on the part of a young woman seeking attention online from her peers within the government and military. However, its also just as possible that that is all it really is.

Time will tell.

Shawn Elizabeth Gorman Daughter of Nancy Gorman 1983

Site with SEG photo (1983)

The thing about this is that this type of exploit is not new at all. This is commonly known as a honeypot in the espionage area and before there was an Internet, there was the local cafe or bar, where one would just happen to meet a lovely young thing and start a relationship. That relationship would then be turned into blackmail (either emotional or literal) and suddenly, you are an asset for the adversary. The new twist is that services need not deploy an asset to a foreign country to search for and find access to those who they want to get information from. Today all they need to have is an Internet connection and Google. It is only even more easily carried out now that there are Social Media sites like Facebook and others to sidle digitally up to anyone you like and start to work on them if you know how.

There used to be a time where every operator was given the tutorials on espionage means and methods. People were forewarned about travelling to other countries and if you are cleared, you have to report suspicious contacts to the DSS. Today though, I don’t think that they have even attempted to try this with online content. I mean, how many reports a day would you have to make to DSS if you are online and just talking to people in a chat room or on Facebook? It would be impossible. So it is understandable, as social animals, that we develop this technology to connect with others and being that it is a rather insular means of communications, feel that we can just let loose with information. After all, how does one really assure that who they are talking to is indeed that person that they claim to be?

So, people forget and really, this is still all relatively new isn’t it? There are no maps here.

Now, back to this story, no one has claimed that data has been leaked. It is only the appearance of things have set off the alarm bells for people and agencies. When one user finally decided to call the alleged cutout’s profile out, a subsequent shit storm began that ended up with @primosera deleting their Twitter, Facebook, and Google accounts thus making the story seem even more suspect.

Was Shawn E Gorman a cutout? Is she really the grad student and contractor she claims to be in her tweets? What about the allusions to the CIA? All of the missile tech and political discussions? Well, given the background of what can be located readily online, there is a Shawn Elizabeth Gorman attending Johns Hopkins as a research assistant getting her MBA in Government, so, perhaps. Or maybe someone has just taken on the persona of Ms. Gorman to use as a cutout for these activities?

Frankly, I am leaning toward it really being her. As you can see from the photos above, I located a photo other than the one from Wired that purports to be Shawn E. Gorman born 1983 to a Nancy Gorman. I also located data that shows a Shawn E. Gorman living in Bethesda MD with the same mother. Given that the photo is an early one, and one of the few out there easily found, I am thinking it is one in the same. However, this does not mean that it has been her behind that keyboard when she was talking to all of the people involved.

Time will tell what is what once the Pentagon’s investigation gets done. It could be that this is all for naught security wise from the compromise perspective. However, this once again is an object lesson for everyone online. Nevermind if you work in a job that requires security, everyone should be cognisant that when they are online talking to someone that they do not know in real life, are just that much more possibly talking to someone who is not their “friend” and looking to just have a chat. From the common data thief to the corporate spy, we all may have data that someone wants and will be willing to pretend a while to get it.

We want to be social and open as we are social animals… Just so happens that sometimes that is a bad idea.

I think though, that everyone who works in security or within a security centric job space will have to go through some more training in the near future. This is just a warning bell and I think it best that the government and military listen to it. Even as the article goes on to mention, there are restrictions on the military about posting online, but still they cannot deny these people access to the likes of Facebook for morale. It is really playing with fire either way, in denying the access it seems draconian and people will fight it. On the other hand, if you allow it and monitor it, you are damned for monitoring people’s interaction online.

Hell, even the CIA has set up its own social networks within the CIA’s Intranet so people can talk and ostensibly share ideas and data. However, that is on an Intranet that is well protected….

Meanwhile, back on the Internet, we have places like LinkedIn. Sounds like a great idea, networking for jobs and such. Then the .gov and .mil folks all got online and began to show themselves and much of their data in a contained space. So much of a treasure trove is LinkedIn that Anna Chapman (as seen above from her Russian Maxim shoot) was only 2 degrees of separation from me within my network on LinkedIn! She was mining the connections as a sleeper for the SVR and all she had to do was put up a pretty picture and say hi.

For me it comes down to this;

1) If you sign up for these places hide as much of your data as you can.

2) Pay attention to the security measures that the sites have in place.. Or don’t. Facebook has had a terrible record on personal privacy but look how many people they have on there and just how much personal data is available to anyone who can look at the page, even a cached version.

3) When you get invites from people check them out. Use other means than the current site (aka LinkedIn) to do that research. See if you can nail down who they are in reality. Even then, once you are friends, think before you type. You may be giving out data that you personally don’t want anyone to have.

4) Placing too much family data on the Internet is a threat. Anything from Identity theft to outright stalking and physical danger can be the outcome if you make it too easy for someone to get your data.

5) If you suspect that someone you are talking to is not indeed who you think they are, walk away.

6) AND for God’s sake, if you are a guy, in the military or government, or hold a classified status and some hot avatar’d chick starts PM’ing you, its either a bot or it’s likely another cutout. ESPECIALLY if you lay out your life’s story online as to what you do and where you work.

7) Finally, remember what I have repeated over and over again. Whoever you are talking to MAY NOT BE WHO THEY SAY THEY ARE!

Just don’t put that data out there and end up in the hot seat with your job on the line over a little virtual tail.

K.

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

with 13 comments

From Wikipedia

Advanced persistent threat (APT) usually refers to a group, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of cyber espionage, but applies equally to other threats such as that of traditional espionage or attack.[1] Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.[2]

Advanced Persistent Threats Are Not New: 先进的威胁不是持久性的新功能:

The news cycle has been abuzz again as to how China is capable of beating the pants off of us in the hacking sphere and that we should be worried. I say, this is not news in any way and those of you who read this blog should already know this fact. For those of you who are not so familiar with the DoD space, the knowledge of what has been called APT has been around for quite some time. In fact, the term was coined in 2006 by the Air Force, but the attack structure of how the Chinese and other state actors had been using similar tactics on DoD infrastructure goes back to the 90’s (Moonlight Maze, Titan Rain)

So, hello world outside of the insular DoD and Infosec sphere, They have been around quite a while. In fact, one could make the extension that the Chinese line of thought called “The Thousand Grains of Sand” has been around far longer and has been used as their model of espionage for a very long time. Obviously the connections can also be made to Sun Tzu and his precepts on warfare, which, just happen to involve a fair amount of espionage as the means to winning a war. It is little surprise to anyone who knows the Chinese mind and the teachings of Sun Tzu, that China would apply these same precepts to another battle space (cyberspace) the fifth domain as the US military calls it now.

APT and Buzzword Bingo: APT和Buzzword的宾果:

Since the Aurora operation’s being publicised, the media and the Infosec industry have latched onto the term like a pit-bull on a gravy covered bone. Many companies have leveraged the term without really knowing the true meaning and have created a buzzword bingo game of epic proportions. All of these companies and pundits have over used the terminology, mainly incorrectly to start, and turned it into the boogey man du jour to make sales.

“The APT is out there.. Lurking.. Waiting to get into your networks and steal your data”

While this may be true for some, it is not true for all. Over the years the Chinese have made it their business to steal a lot of data. Some of it you would readily see as important militarily or for industrial espionage. Some of the data though, is more arcane to understand as to the reasons that they would make the efforts that they have to get it. Overall though, one must understand yet again, the Eastern mind (particularly the Chinese) to conclude that they seek many “soft power” means to effect their goals. This is the key fact to understand, so yes, your company that makes the next best widget might in fact be a target of the Chinese TRB (Technical Reconnaissance Bureau)

So, yes, you must be cognisant of the APT in any business that your company carries out online. However, one thing must be accepted by you and your company to judge how you will respond.

“The Advanced Persistent Threat, will in the end, most likely win and compromise your systems. Simply because as state actors, they have the means to do so and you, the tartget, will always have someone willing to click on a link and compromise their systems”

This must be accepted and understood before you even attempt to listen to any vendor who says they can help you with your APT problems. Just as well, one must clearly understand the players here to know the danger. The media has done a very poor job of elucidating for the general populace the meaning of APT and the subtleties of how the threats manifest and their greater meanings to us all. There is far more at stake here than just your data being exfiltrated to China and many more vectors of attack than your local desktop.

The Fall Of The Bear & The Rise of the Dragon: 作者:熊暨龙升降:

Since the Soviet Union’s demise in the 90’s the Chinese have seen their chance to become the pre-eminent power in the world that once was the USSR. Though Russia has rebounded, they still lack the critical mass that they once had as a super power. China though, with its billion people, and “Tiger Mother” nature, has swiftly garnered the hard and soft powers that it sees as necessary to being “the” superpower.

Where the USSR used to take more of a hard power stance with their military might, and a second seat KGB soft power espionage plan, the Chinese went the other way and saw the soft power attack as the way to go, even with a billion people as potential military recruits. Gone were the days of Mao and the hard power of the Chinese military, instead, the Chinese would lull the West into somnambulance and stealthily acquire superpower status. A status that they are closer and closer to each day.

China now owns much of our debt here in the US. They have made business “alliances” that have allowed access to not only money, but also to control over supply chains as well as proprietary data. Data that they have obtained through many means, including the APT model that everyone is all worked up about now. In short, they have made multiple pronged attacks against other countries with subtlety with a means to an end of gaining control over other nation states that will not require military means to defeat them.

Sun Tzu would be pleased at their understanding of “The Art of War

“For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.”

It is this that the general populace and many within the Infosec community seem to not understand. There is much more at work here than some industrial espionage on the likes of Pratt & Whitney for JSF engine data. The Chinese have far more subtle plans that include many other areas than just the Information Warfare (IW) of stealing plans for jets.

The Thousand Grains of Sand: 沙千粮谷类:

The Advanced Persistent Threat of China has been around for quite a long time. Before there was the Internet and the ease of just FTP’ing RAR files to Hong Kong, there was the “Thousand Grains of Sand” approach to espionage. The metaphor here is that China believes that each grain of sand is important as well as it is nearly impossible to tell one grain from the other in a macro-verse. China would approach spying, whether it be industrial or other, by not only sending people here directly as spies, but also to call upon those who still had family in China to become agents. They would either be rewarded, praised, or threatened not so subtly by the state to effect their complicity.

Espionage has three motivations as the saying goes for those who become spies;

  • Greed
  • Altruism
  • Ego

I would add a fourth, “fear” in the case of China’s apparatus. Of course many other countries have used the honeytrap (aka swallows in China) to turn someone into a spy for them, but in China, the use of relatives has been prevalent too. By using all of these means though, the Chinese would insert their spies anywhere and everywhere, and they would be hard to find because they often were only taking small parts of the bigger picture and giving them to their handlers.

This too also became the modus operandi for the Advanced Persistent Threat that is the digital companion to old school espionage. By attacking many different systems and rooting them, they would have multiple launch points to exfiltrate data and keep a command and control over the compromised networks that they had worked hard at gaining entry to. One might even say that they are recruiting the employees of each and every target as unwilling spies by targeting them with spear-phishing attacks that keep their access ongoing.

It is by this method, that thousand grains of sand, they are able to parse the data into smaller RAR files with multiple access nodes and move the data out to their drop sites.

That is a thousand grains of sand that SIEM or IDS just can’t catch.

Threat Vectors: 威胁向量:

This brings me to the threat vectors that we all should consider where China is concerned:

  • Economic Targets
  • Military Targets
  • Infrastructure Targets
  • Supply Chain Targets
  • Media Targets
  • Industrial Base Targets
  • The Patent Process and Bureau
  • The Financial Systems (Stock Exchanges and Banking systems)
  • Political Targets

All of these entities are targets for not only cyber attacks but also soft power attacks (business alliances and deals, monetary controls etc) Any influence that serves the ends of the Chinese will be used to their ends. This truly is subtle in many ways and has been overlooked for a long time by the US and the populace in general. It just seems like we don’t think along these lines. Perhaps it is an Eastern mindset, perhaps it’s the fact that generally, we in the west just don’t understand the game of ‘Go’

Putting this into the perspective of the information security and hacking community, this means that all of the companies out there who are not doing the due diligence on security are more than likely easy pickings for not only the average cracker from Ukraine, but also the Chinese, who may in fact be using the companies systems to steal their data or, to use as a drop point for others data being stolen. It is a fundamental lack of understanding of the complexities of network and information security that generally, in the US, seems to be a malaise, and we are only now catching on to.

In the case of the Chinese, they have worked very hard at developing the skill sets and assets to leverage this lack of comprehension on our part and overtake and continue to infest systems here that they wish to exploit.

The Cyber War: 该网络战争:

Another fact that seems to be missing from the news cycle is that the APT/TGOF (Thousand Grains of Sand) approach that the Chinese have been using not only covers theft of data, but alternatively just having access to systems that they could use as a precursor to war or during an event. Such networks within the DoD (NIPRNET/SIPRNET) could be very useful in delaying supply chains from functioning well and or, inserting false data into them as a ruse or IW/PSYOP device to hobble the US military.

For that matter, the use this type of attack against any critical infrastructure would be a boon to deter if not outright stop the US from action against China should something erupt say, in Taiwan. By shutting down sections of the US power grid or other major areas of infrastructure, the Chinese or any other state actor, would have great leverage to give the US pause. If anything, the arrival of Stuxnet and the aftermath should at least give us something to think about as possibilities go. Some may say its inconceivable that such an attack could work or happen. Others though, would say that it is not so far fetched, especially given the machinations that China has shown to be attempting not only through network attacks, but also soft power attacks in political and economic vectors.

I will leave this topic with this question;

“How much of our technology today is made in China?”

All of this need not be involving anything near a war scenario either, they may just use these attacks to subtly manipulate the affected countries into actions that they desire. Soft power also means the ability to manipulate your target without really unhinging them. All of these attacks, whether they be full on or subtle will serve to affect the outcome of any military engagement without ever having to fire a shot. A well planned and executed plan could in fact win the war before it even begins. Of course on the other hand, these attacks could just be used as a first stage to a series of kinetic attacks by the agressor (i.e. cyber attacks in tandem with physical IED’s at critical sites for maximum effect and destruction)

Any way you look at it, unless we get our collective act together here in the ever increasingly networked world we live in, we will be at a great disadvantage, especially against such an aggressor as China.

Meet The Players: 满足玩家:

To bring this article full circle, I will now give you the known and suspected state actors that may have been running operations such as Aurora. The Chinese were ahead of the game in connecting not only with the People’s Liberation Army, but also the nascent hacker communities in their country. Using a combination of leveraging companies like Huawei to tap into their technical staff and the patriotism on the part of the PLA and the hacker communities, China has forged a solid directorate for electronic warfare and espionage.

The Chinese Military (PLA) —–> Leverage many corporations that the military actually has majority stock in to gain access to technology and assets

The Chinese Hacker Community —-> Sell and work for the PLA creating 0day and performing hacks for money as well as patriotism

Chinese Corporations —-> Often used as cutouts to gain access economically and intelligence wise to assets in other countries

Often, the corporations, which are many times, sponsored or majority owned by the PLA are the training grounds and the operative section for soft power operations for China. By using financial deals and alliances, China often attempts to gain the upper hand by having assets connections inside of companies that they wish to affect or to steal from. No longer is it needed to install spies within when the company is partially owned or has access granted because they are working “together”

It is the Chinese hacking community that is of most interest to many in my field however. Many of these people are still in universities and are often times motivated by their nationalistic tendencies ostensibly. Some of these groups have become actual companies producing security software or offering security services. Of course they are still likely to be assets for the PLA and probably the tip of the spear operators for China in operations. The reason for this simply would be that they are expendable in the sense of hacking as a nation state would cause international issues. Hacking as a hacking group though could be seen as their own initiative and they could be burned without losing face.

Within this amalgam of groups we then see the attack “teams” who crack the systems, then other teams perform recon, and still others, keep the access open and retrieve data. All in all, they have a slick operation and we would be wise to pay attention to how they operate.

I’m Afraid Our Lunch Has Already Been Eaten: 我怕我们的午餐已经被吃掉了:

So it is that I end here with the title above.  I think that we have become too lax in our stint as a superpower and frankly have dropped the ball. Our companies are unmotivated to do the right thing where security is concerned. Our government is clueless on how to deal with the technologies and overly ossified in it’s operations to even cut a budget for the country without nearly closing down. America has to collectively come to the conclusion that not only does China own much of our debt, but they have outplayed us continually in the game of soft power.

All too much of our infrastructure is unprotected while much too much of our manufacturing and R&D has gone out of the country.

In short, our lunch is being eaten and the Chinese also want our milk money. Unless we rectify things our time as a superpower are numbered.. In single digits. Meanwhile, the vendors out there and the media keep on spinning half tales and misinforming the public. We are on a verge here.. And it’s time to get our act together.

K.

Reading Materials: 阅读材料:

54hack.org

Coolswallow: Hacker thought to be behind Aurora

The Green Army Chinese hacking group known to operate for the state

janker.org Chinese hacking collective

nfocus.net hacking collective and alleged security company aligned with PLA

xfocus.org Chinese hacking group and security software maker aligned with PLA

NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved Report_16Oct2009 (1)

The National Security Implications of Investments and Products from The PRC in the Telecommunications Sector

Anonymous #HQ: Inside The Anonymous Secret War Room

with 7 comments

John Cook and Adrian Chen — Dissident members of the internet hacktivist group Anonymous, tired of what they call the mob’s “unpatriotic” ways, have provided law enforcement with chat logs of the group’s leadership planning crimes, as well as what they say are key members’ identities. They also gave them to us.

The chat logs, which cover several days in February immediately after the group hacked into internet security firm HBGary’s e-mail accounts, offer a fascinating look inside the hivemind’s organization and culture.

  • Sabu
  • Kayla
  • Laurelai,
  • Avunit,
  • Entropy,
  • Topiary,
  • Tflow
  • Marduk
  • Metric
  • A5h3r4

So, Hubris/A5h3r4/Metric have broken into the inner circle of at least one cell of Anonymous. I say cell because I do not think that these users are the actual full scale leaders of Anonymous, instead, as I have said before, there are cell’s of Anon’s that perform operations sporadically. These folks, if the chat transcripts are true, are the ones just behind the HBGary hack and at least one of them, with the Gawker hack.

Once again, I will reiterate here that I think Anonymous is more like a splinter cell operation than anything else. There is an aegis from the whole as an idea, but, they break off into packs for their personal attacks, or whatever turns them on. They coalesce into a unit when they feel moved to, but, they do not overall, just get together and act without direction on the part or parts of leaders.

The example below of the transcripts for #HQ show that these characters though, are a little high on themselves after the hack on HBG… And you know what happens when you don’t pay attention to the hubris factor. You get cocky and you get burned. As you can see below, some of them are at least nervous about being popped or infiltrated.. Those would be the smart ones…

04:44 <&Sabu> who the fuck wrote that doc
04:45 <&Sabu> remove that shit from existence
04:45 <&Sabu> first off there is no hierachy or leadership, and thus an operations manual is not needed

[snip]

04:46 <&Sabu> shit like this is where the feds will get american anons on rico act abuse and other organized crime laws
04:47 <@Laurelai> yeah well you could have done 100 times more effective shit with HBgary
04:47 <@Laurelai> gratted what we got was good
04:47 <&Sabu> if you’re so fucking talented why didn’t you root them yourselves?
04:47 <@Laurelai> but it could have been done alot better
04:47 <&Sabu> also we had a time restraint
04:48 <&Sabu> and as far as I know, considering I’m the one that did the op, I rooted their boxes, cracked their hashes, owned their emails and social engineered their admins in hours
04:48 <&Sabu> your manual is irrelevent.

[snip]

04:51 <&Sabu> ok who authored this ridiculous “OPERATIONS” doc?
04:51 <@Laurelai> look the guideline isnt for you
04:51 <&Sabu> because I’m about to start owning nigg3rs
04:51 <&marduk> authorized???
04:52 <@Laurelai> its just an idea to kick around
04:52 <@Laurelai> start talking
04:52 <&Sabu> for who? the feds?
04:52 <&marduk> its not any official doc, it is something that Laurelai wrote up.. and it is for.. others
04:52 <&marduk> on anonops
04:52 <&Sabu> rofl
04:52 <@Laurelai> just idea
04:52 <@Laurelai> ideas
04:52 <&Sabu> man
04:52 <&marduk> at least that is how i understand it
04:52 <@Laurelai> to talk over
04:53 <&Sabu> le sigh
04:53 <&marduk> mmmm why are we so in a bad mood?
04:53 <&Sabu> my nigga look at that doc
04:53 <&Sabu> and how ridiculous it is

[snip]

04:54 <&marduk> look, i think it was made with good intentions. and it is nothing you need to follow, if you dont like it, it is your good right
04:55 <&Sabu> no fuck that. its docs like this that WHEN LEAKED makes us look like an ORGANIZED CRIME ORGANIZATION

My observations though have always been that the groups would be infiltrated by someone and then outed. It seems that this may indeed be the case here if the data is indeed real. It seems to me that a certain j35t3r said much the same before, that he could and did indeed infiltrate the ranks, and had their data. Perhaps J has something to do with this? Perhaps not… Still, the principle is sound.

  1. Infiltrate
  2. Gather INTEL
  3. Create maps of connections
  4. Report

It would seem also that these guys are liminally aware of the fact that their actions can be seen as a conspiracy and that the government will not only get them on hacks potentially, but also use the conspiracy angle to effectively hogtie them in court. Let me tell you kids, there is no perfect hack… Well unless the target is so inept as to have absolutely no logging and does not even know for a very long time that they had been compromised.. Then the likelihood of being found out is slimmer, but, you guys popped and then outed HBG pretty darn quick.

I am willing to bet there are breadcrumbs.. And, those said breadcrumbs are being looked at by folks at some three letter agencies as I write this. You see kids, you pissed in the wrong pool when it comes to vindictiveness. I agree that HBG was up to bad shit and needed to be stopped, but, look at the types of things they were planning. Do you really think that they are above retaliation in other ways than just legal? After all, they were setting up their own digital plumbers division here huh?

Anyway… Just sayin…

Back on topic here with the Backtrace folks and the logs. I have looked at the screen names given and have come to the conclusion that they are all generic enough that I could not get a real lock on anything with Maltego. I had some interesting things pop up when you link them all together, but, overall not enough to do anything meaningful. The other issue is that Maltego, like any tool using search engines and data points, became clogged with new relational data from the articles going wide. I hate it when the data is muddied because of this.

So, yeah, these names are not unique enough to give solid hits. Others though who have been re-using nicks online as well as within the confines of Anonops, well that is another story. I just have this feeling that there are larger drift nets out there now hoovering all you say and do on those anon sites, even if they are in the .eu space. I still have to wonder if any of those IRC servers have been compromised yet by certain intelligence agencies.

One wonders too if China might also be playing in this area… How better to sow discontent and destabilize than to use a proxy like Anonymous for operations?

For that matter.. How about the CIA?

NSA?

Think on it… Wouldn’t Anonymous make a perfect false flag cover operation?

For now, I am going to sit and watch. I would like to see the full chat transcripts though. Now that would be interesting.

“May you live in interesting times”

Indeed.

K.