Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘DarkVisitor’ Category

ASSESSMENT: Stephen Su aka Stephen SuBin aka Su Bin

leave a comment »

Chinese_Department_of_National_Security

 

The Arrest:

Recent news shows that an arrest has been made in a Chinese industrial espionage campaign that started around 2009 and resulted in larger dumps of data being taken from Boeing as well as other defense base aligned companies. Stephen Su aka Stephen Subin aka Su Bin was arrested in Canada after an affidavit was put in by the FBI giving evidence that SuBin and two others had broken into Boeing and other companies stealing data on the C-17 as well as F22 Raptor and JSF projects.

Screenshot from 2014-07-14 09:42:08

Screenshot from 2014-07-14 09:51:38

While the affidavit says a lot in a roundabout way on what the FBI considered evidence for the arrest there is a gap in just how the FBI came upon this guy and his co-conspirators in the first place. There is no mention of what tip may have led the FBI to obtain the email records of SuBin at Gmail and Hotmail as well as it seems the emails of the UC1 and UC2 at Gmail as well. Perhaps the data came from something like Xkeyscore or PRISM? I don’t think that that is likely but one has to ask the question anyway.

Aside from that lack of genesis for the FBI investigation the affidavit is quite detailed as to the back and forth with the UC’s and SuBin. There are file names and screen shots of data that was passed back and forth as well as email addresses and snippets of the emails themselves. Of more note though is a timeline and a operational details that SuBin and his team were using in order to carry off the espionage and this is very interesting. SuBin and the team were taking a more hybrid approach to the industrial espionage that we commonly don’t get to see or hear about in the current throes of APT madness.

Modus Operandi:

This case of espionage is different from the usual APT stories you hear today on the news. The reason for this is that the players here may or may not have ties back to those directorates and groups that APT come from. Or, they may not. The affidavit is unclear (perhaps deliberately so) on the two UC’s connections to any of the APT activities we have all heard about but they do use the same techniques that we have heard being used by APT actors.

What is different though is the use of human assets (i.e. SuBin) as a targeter for the hackers to hone in on specific files and architectures/companies/people. This is where this becomes more of a classic MSS (Ministry of State Security) operation than the ongoing attacks we have been seeing in the news since APT became a household term. Now, whether or not SuBin is actually a trained agent or just an asset is the sixty four thousand dollar question in my book. There are allegations in the affidavit that to me, looks like he could be either. Su talks about making money on the data he has been helping to steal which makes him look like a freelancer. Meanwhile there are other aspects that make it seem more like he is a true asset for MSS. I am still not quite sure myself and perhaps someday we will hear more on this from the FBI.

Screenshot from 2014-07-14 09:06:21

A common thread in much of the MSS’ (中华人民共和国国家安全部) playbook for industrial espionage is the use of human sources that are either naturalized citizens of another country. (i.e. Americans or in this case one who was about to be Canadian) In the case of SuBin, he had his own company in China that worked with wiring in airframes. This is a perfect cutout for the MSS to get an asset with access to Western companies that may be doing business with them. In the case of Lode-Tech (Su’s company) there was evidence from the 2009 documents (emails) that showed that his company was sharing space with Boeing at an expo which likely began this whole espionage exploit.

Now another fact that seems to emerge from the affidavit is that these guys were just using Gmail and other systems that are not the most secure. I do know that in some cases the APT also use these email systems but these guys seem to be pretty open with their exchanges back and forth. This to me means that they were not professional’s for the most part. I can come down on both sides here as well after having seen some of the flagrant OPSEC failures on the part of APT in the past. Generally though my feeling is that these guys were a little too loose with their OPSEC to be professional MSS operators and may in fact all have been contractors.

Screenshot from 2014-07-14 10:02:42

On the other hand though these guys had some tradecraft that they were following and these likely worked pretty well. In the image below you can see how they were hand carrying some data to Macao and Hong Kong in order to bypass certain “diplomatic issues” as they say. Additionally, the surveillance portion (which is the first time this has come up with the APT type of activity) has ever been mentioned. In the case of SuBin, he had access to Boeing itself (an assumption as none is directly mentioned in the affidavit) via his company ostensibly and thus had a presence that a hacker is lacking in remote APT activities.

Screenshot from 2014-07-14 10:25:06

 

So you can see how this is a hybrid operation and something we don’t often get to see. Could this be the new paradigm in industrial espionage? Frankly this is something I would have thought was going on all along given what I know of Chinese espionage as well as having done assessments in the past that included a physical attack portion. By synergizing the APT hacking with MSS old school tradecraft these guys were pretty successful (65 gig of targeted data from Boeing alone) and maximized insider knowledge of what to look for with technical hacking exploits. If you think about it how many companies do business with China? Now ponder how much access those companies may have to networks and people in those companies… Yeah.

These are tried and true practices on the part of the MSS as well as other intelligence agencies the world over so we have to pay attention to this stuff as well as worry about the common phishing emails that come in waves as well. Overall I think that the US needs to be a bit more self aware of all of these types of activities and methods to protect their environments but to do so I imagine will be a tough sell to most corporations.

Advanced Persistent Espionage:

What this all means is the following; “Industrial espionage doesn’t just mean APT phishing emails blindly coming at you. It also means that there may be actual people and companies that you are working with that are actively gathering your data for sale as well” Another recent incident involves Pratt & Whitney with a naturalized American Iranian who stole a lot of physical documents as well as seemingly had emailed data out of their environment to Iran as part of a sale. You have to remember it’s not just all electrons boys and girls.

However, the hybridization of the methods of APT and traditional tradecraft is just beginning. I think that the Chinese have seen the light so to speak and will start to leverage these things more as the US continues to put pressure on them concerning APT attacks. The MSS will get more and more cautious and work smarter as they continue to be persistent in their espionage activities. The Russians are already pretty good at this and they leverage both now. It’s time I guess that the Chinese have decided to look to their Russian friends and steal a bit from their playbook as well.

K.

 

Written by Krypt3ia

2014/07/14 at 18:47

Sun Tzu and The Art of Cyber-War

with 2 comments

STAOW1

A mgbkf zugx sbw nrkl wqvrkvuj!

Sun Tzu and The Art of Cyber-War

A while back I decided to throw my hat in the ring for RSAC and Shmoo. I made neither’s list of presentations but I thought this still was worth putting out there for people to see. I had been talking with Jericho and Josh Corman about cyber war because of their presentation at Brucon and this idea popped up in my head because Jericho had pointed out too many people cite Sun Tzu poorly in these types of presentations. Well Jericho is right and often times not many of the tenets of Sun Tzu make it into the presentations. On average you will see maybe one or two and that’s it but The Art of War has many other chapters and quotes that map to general warfare and that includes Cyber-War (so called) Generally however the overall tactics put forth by the Art of War are applicable because this is warfare we are talking about no matter the landscape (electronic) that we are fighting it in. You still have adversaries looking to defeat one another using guile and force today just as in the day of Sun Tzu. The real issue comes down to reading between the lines of the old text and applying the ideas to the modern landscape of the electron, the malware, and the phishing attack.

All of these efforts though will lead to the age old means of kinetic warfare and this is what people seem to not understand so well today. War is war and eventually its all going to be about the guns and bombs and not so much just about the data being stolen or messed with. We have a problem today in the semantic of war in the digital age that needs to be cleared up for the general populace. I hope that this tutorial will not only be historical but also give the reader the tools needed to understand that cyber-war is not the end all be all, it is in fact just a precursor to the type of war that has been waged since man could pick up a rock and throw it.

China, Sun Tzu, & APT

On another level though, I find it amazing that more people have not had the light bulb go on about our situation today with regard to Chinese hacking and espionage. What we have seen is not cyber-war yet but the prelude, the reconnaissance to carry out war and that is all. The Chinese (and others) have begun mapping our networks, prodding our defenses, and assessing our overall readiness by using digital attacks on private and governmental networks and systems. Think of it all as spying and not just one for war footing alone. There is of course the industrial espionage as well but in the case of China in particular they are all means to an end. The “Thousand Grains of Sand” approach is doctrine in China as is the mindset they have always had having had masters like Sun Tzu as their teachers. Look at this slide deck and then take a step back and look at the APT-1 report as well as others. Note that the Chinese military is the state and that the PLA is just an arm of the military unlike in the US where the military is a little more separated and at the behest of POTUS.

Sun Tzu said it best in The Art of War;

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

It’s time to be more introspective about ourselves as well as the adversary and Sun Tzu is a good way to get there.

K.

STAOW2

STAOW3

STAOW4

STAOW5

STAOW6

STAOW7

STAOW8

STAOW9

STAOW10

STAOW11

STAOW12

Written by Krypt3ia

2013/03/07 at 21:25

Hard Power, Soft Power, Economic Power, and The Power of Economic Digital Espionage

with 3 comments

Hard power is a term used in international relations. Hard power is a theory that describes using military and economic means to influence the behavior or interests of other political bodies. It is used in contrast to soft power, which refers to power that comes from diplomacy, culture and history. While the existence of hard power has a long history, the term arose when Joseph Nye coined ‘soft power’ as a new, and different form of power in asovereign state’s foreign policy.[3] Hard power lies at the command Hegemon end of the spectrum of behaviors and describes a nation’s ability to coerce or induce another nation to perform a course of action. This can be done through military power which consists of coercive diplomacywar, and alliance using threats and force with the aim of coercion, deterrence, and protection. Alternatively economic power which relies on aidbribes and economic sanctions can be used in order to induce and coerce.

While the term ‘hard power’ generally refers to diplomacy, it can also be used to describe forms of negotiation which involve pressure or threats as leverage.

A Conversation 

Over the weekend I had a twitter conversation (140 char’s at a time, rough) about the meaning of “Soft Power” in the current parlance propounded by Joseph Nye. I have a different opinion of the nomenclature concerning the terms “Soft Power” and “Hard Power” in today’s political and economic environment. While the other party I was speaking to had a more strict version of thinking per Mr. Nye’s (he coined the term soft power) definition. I myself feel that today things are a little more complex for the terms to be so tight given that now economic “hard power” seems to have morphed into a vast array of economic digital espionage that softly, along with other soft power style moves, create a hard power outcome of directing or tricking other countries into actions that the others desire.

The primary mover and shaker of this for me is of course China and one only has to look at the news cycle to see both these types of “power” being wielded by the RPC. I think it is time to take a look at the means and the philosophies that China has been using to effect the changes that they need to become not only the predominant military force in the world, but more so an economic juggernaut that will outweigh and perhaps stealthily creep behind and slit the throats of other countries in subtle and not so subtle ways.

Hard vs. Soft Powers and Nomenclature

As seen above in the quoted text, hard power is seen as economic sanctions as well as military actions. This is all in response to the soft power of politics and the methods of carrot to the hard power stick. All of these allude to direct actions that are perceived as means to manipulate nations states and other actors into actions desired by the power that is employing them. I would put to you all that there is another form of “soft power” that the Chinese have really created over the last decade that employs a more stealthily nimble approach from the espionage arena (hard power by strict definition?) and economic strategies that, with nationalistic goals of grand scale, have wrought a new type of “power”

Perhaps this power should be called “Covert Soft Power” as it is being employed covertly both in the hacking of companies to steal their economic secrets (IP) as well as by the addition of espionage and common business tactics to buy into, and or subvert companies to facilitate access to economic secrets as well as out maneuver companies and close them out on deals etc. All of this seems logical to me (adding this meaning to the term) but perhaps I am outside the norms on this one. The way I see it though, there is a new vector here that the Chinese are leveraging and I think we could use a little thought on the matter and perhaps how to counteract it all.

China, The Hard and Soft Power via Economic Espionage and Investment

China in particular has been working at a multiply pronged and diligent attack on systems and corporations as well as governments to effect the long game strategies that they want. Instead of attacking things head on, the Chinese prefer the methods of “The Thousand Grains of Sand” where many operations and operators work to effect the larger outcomes from small pieces. The Chinese are patient, and because of the Eastern mind, seem to come at things in a more subtle way than most of us in the West tend to think about. In all, the subversion and outright theft of IP has a multipurpose goal of broadening their technical abilities, their economic abilities, and overall, their dominance in the world as a power.

What the Chinese have realized mostly though, is that the subtle knife is the best way to control the enemy, slowly, and subtly slitting the throat of the opponent without a struggle. Frankly, I admire the approach really. In terms of the argument of “soft power” I place these efforts squarely into it because in tandem with certain “political” maneuvers, they can have huge net effects. By combining the military, the economic, and the political aspects of soft and hard power, and the gray’s in between, China has become a force to be reckoned with. So, I put it to you all here, that there is room for a change within the nomenclature of Mr. Nye’s coinage and that I think, in order to better understand the mosaic that is happening, we need to re-tool some of the ideas we have pre-conceived for ourselves.

A New Battlespace, A New Set of Battles 

Finally, I would also put it to you all that the battle space is much different today than it has been in the past. Not only do we have the digital landscape, but said same digital landscape, that makes it easier to steal, also makes everything more interconnected. By interconnected, I mean that it is far easier to effect large changes to companies by the automation that we all have in place today to speed up our transactions. Today it is far easier to quickly make instant trades, and effect the bottom line of a company for the better or worse as well as steal data in minutes that in the past, would have taken days, weeks, or months to ex-filtrate from a company via conventional HUMINT means.

In the scenarios run on trades on the markets, you can see how one alleged “fat finger” incident can have a large scale and rippling effect on the whole economies of states, never mind businesses individually. So, once again, the battle space has changed greatly because of the interconnected-ness of things. It seems that the matters of state now more than before, can be changed through the soft power of the digital attack or manipulation. This is what I mean by “soft power” or perhaps the term I mentioned above “Covert Soft Power”, attacks that we are seeing now, and are having trouble truly attributing to nation-state, corporate, or individual actors are having larger and larger effects on our economy, our policies, and our long term viability as nations, companies, or groups.

At the end of the day though, I suggest that we are being manipulated by masters at the game of “Go” and we need to pay attention to every subtlety and not be so rigidly minded. It is the water that flows around and over the rock, eventually wearing it down to nothing.

K.

Written by Krypt3ia

2012/05/21 at 17:40

China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?

with 5 comments


Conclusions
Chinese strategists are quite aware of their own deficiencies and
vulnerabilities with respect to cyber-warfare. In June 2000, “a series of high-
technology combat exercises” being conducted by the PLA “had to be
92 suspended” when they were attacked by “a computer hacker”.

China‟s telecommunications technicians were impotent against the intermittent
hijacking of the Sinosat-1 national communications satellite by Falun Gong
„practitioners‟ in the early 2000s. China‟s demonstrated offensive cyber-
warfare capabilities are fairly rudimentary. Chinese hackers have been able
to easily orchestrate sufficient simultaneous „pings‟ to crash selected Web
servers (i.e., Denial-of-Service attacks). They have been able to penetrate
Web-sites and deface them, erase data from them, and post different
information on them (such as propaganda slogans). And they have
developed various fairly simple viruses for spreading by e-mails to disable
targeted computer systems, as well as Trojan Horse programs insertible by
e-mails to steal information from them. However, they have evinced little
proficiency with more sophisticated hacking techniques.

The viruses and Trojan Horses they have used have been fairly easy to detect and remove
before any damage has been done or data stolen. There is no evidence that
China‟s cyber-warriors can penetrate highly secure networks or covertly
steal or falsify critical data. They would be unable to systematically cripple
selected command and control, air defence and intelligence networks and
databases of advanced adversaries, or to conduct deception operations by
secretly manipulating the data in these networks. The gap between the
sophistication of the anti-virus and network security programs available to
China‟s cyber-warriors as compared to those of their counterparts in the
more open, advanced IT societies, is immense. China‟s cyber-warfare
authorities must despair at the breadth and depth of modern digital
information and communications systems and technical expertise available
to their adversaries.

China is condemned to inferiority in IW capabilities for probably several
decades. At best, it can employ asymmetric strategies designed to exploit
the (perhaps relatively greater) dependence on IT by their potential
adversaries—both the C ISREW elements of adversary military forces and
the vital telecommunications and computer systems in the adversary’s
homelands. In particular, attacks on US information systems relating to
military command and control, transportation and logistics could “possibly
degrade or delay U.S. force mobilisation in a time-dependent scenario”, such
as US intervention in a military conflict in the Taiwan Straits.

China‟s cyber-warfare capabilities are very destructive, but could not compete in
extended scenarios of sophisticated IW operations. In other words, they
function best when used pre-emptively, as the PLA now practices in its exercises.

In sum, the extensive Chinese IW capabilities, and the
possibilities for asymmetric strategies, are only potent if employed first.

Desmond Ball: China’s Cyber Warfare Capabilities


Oh Desmond…

Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say;

“Well, because there’s no real proof of their actually having done anything, they are unable to do so”

*blink blink*

Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, your contention is lacking understanding of the playing field I think, so let me enlighten you a bit ok?

Rudimentary? Really?

I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..

How about you?

Sure, the coders could have been just about anyone, but, the data was being exfiltrated to areas that were in the Asia Pacific and more than likely were Chinese in origin so, yeah, it likely was them and not say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no Desmond, they are not wholly unskilled and certainly as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well Desmond, was coined for their activities against the defense industrial base here in the US.

Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.

PSSST… Guess What?

So, to move this further along the philosophical and technical path for you let me explain it another way for you. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Something core to the Chinese mindset on warfare are the following:

The Chinese do not have a goal of outright cyber warfare with us. In fact, they would use the subterfuge angle you speak of by leaving trap doors in software and hardware, which they have done in the past (and have been caught) However, more than likely, they would use the supply chain that we have allowed them to become the lions share of via outsourcing of cheap parts/labor to infiltrate our systems with bad chips or said same back doors. Why do you think we spend so much time (the military) checking everything that we get for the government/mil from China?
Soft power Desmond would dictate that they use the thousand grains of sand to not only steal our IP but also use the technology and our dependence on their cheap rates to insert bad data/systems/hardware into our own infrastructure for them to call up when needed to fail. This is not to say that they do not also have operators who have inserted code into other systems remotely to late be used when needed as well.
Simply Desmond, you don’t see the whole picture and its rather sad that you go on to make such defined claims. The simple truth is that the Chinese don’t need to attack us pre-emptively. They have been undermining us (US) for a very long time as we sell out to them for cheap goods. and services. THIS is soft power. They now sit in the catbird seat in many ways financially (though yes, they could lose much by us defaulting) however, from the soft power perspective, they hold the upper hand. A coup de grace would be to take down military systems were we to get uppity about Taiwan.. but really, are we in a position to do so after being wholly owned by them and their capital?
Desmond.. It’s not so much Red Dawn as it is “They Live” if you are into movie references.

網絡戰 !!!

Alrighty, now that I have gotten that off my chest, Cyberwar is to me, too hard to carry out for ANY of the countries out there now. China being only one country that might want to. The systems are too disparate and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.

ANYONE could IF they had the access and the desire. It would not need to be nation state, it could be a private citizen for that matter. What is more interesting Desmond is that you fail to understand the espionage angle here. The Chinese use their expat’s to do their bidding under threat, or, mostly under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…

Yeah.. Soft power once again.. It could turn hard though with the right circumstances.

Once again Desmond, you think too one dimension-ally.

The Sad Truth…

Now, with all of that said, lets turn it around a bit. The saddest truth is this;

“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”

The systems out there have not been protected well enough. Patching, and secure coding have not been at the fore here and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed because we collectively have done a bad job at securing our own networks.

*sadface*

Once again, you fail to look at the problem from a more multidimensional angle.

Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.

K.

从中国用爱 From China with Love: The Chairman Meow Collection

with 3 comments

From China with Love:

Within the last year (since Stuxnet) the general populace has become more aware of the problems we all face from digital attacks and espionage. Of course sitting here today writing this blog entry, I look back at my past posts and wonder just why people are catching on now. China has been working us over for a long time and with each day’s passing we have been steadily more and more compromised by the 7th directorate and their proxy hacking groups. This is not to say that others aren’t doing the same thing as well. China just happens to be the more active due to their single minded desire to be the pre-eminent superpower and they have the politically charged populace to do it (i.e. PLA and their civilian hacking counterparts)

Israel, Russia, England, the list goes on, all spy on us as we spy on them. In the case of industrial espionage, the Chinese are first on the list, followed closely by Israel and Russia as well as France. Its a game we all play, its just that China has been going at it in a much smarter and cohesive way is all. All one need do is look at the current state of affairs to determine that they have been exceedingly adept at it as well, kudos to them really and shame on us. We (the US) have been too busy being slaves to greed and cheap products from, you guessed it, China, to notice that our collective clocks were being cleaned. Sure, some have been in the know about this (the military, DOD DIB parters) but we have been hampered by several things.

1) Contractors (i.e. private companies) do not have robust security postures and often are connected to DOD systems (say an air force base) Not to mention that these systems that the contractors own hold the goodies and escalation vectors that the APT want. Patching, IDS/IPS, SIEM, DLP, all words that are foreign to many exectuives making decisions about security and often have not one clue in the matter to start. I have in fact seen one place that had a C level exec with a 4 character password to their system! One that also had a pre-populated ID! YAY! Way to go there Mr. C level who manages a company that makes war-fighter systems! So, suffice to say that they companies have been ill equipped to handle security and the executives have been reticent to care.

2) Government regulations have been too lax in governing the security mandates and repercussions on any and all contractor companies that work on war-fighter systems. Sure, there are ITAR regs and potential fines, but really, how many of these companies have had true audits of their networks and environments to test their security postures? A good red team of many of these places I am sure would turn up shockingly scary vulnerabilities and network security gaff’s that would, if leveraged by the likes of the Chinese, lead to huge compromises of the companies as well as their proprietary data. In the time I was at a defence contractor, I only saw one red team and in that event it only took about an hour to compromise the place utterly. We need to enforce security on all defense contractors for both sides of their businesses (defense base and public) in order to insure that the data is safe. Right now, even after everything that has happened with China, we still have no real regulation and control over these companies security postures and that is why we will keep failing.

3) Human nature and corporate group think are the lead causes in our failures mentioned above. We as beings seem to lack the ability to see the long term dangers with regard to this type of warfare. We are also being leveraged by social engineering attacks (phishing, vishing, etc) to gain the toehold into the networks that lead to escalation and persistence. We need to be teaching secure computer practices both on a personal and a corporate level in order to be better equipped to try and stop these attacks. It’s not going to be the new piece of hardware or software that the vendors want to sell you (though they do have a place if they work) but instead the human factor that will be able to help here. I just would like to see the C levels at least aware of the security threats and really understand them. So far, I have seen too many in management without a clue and who don’t seem to care.

So, what I think we really need are some rules set up for companies doing government business that mandate secure practices and insure that if those companies are not following through, will be fined and shamed as well as lose their contracts. Its one thing to be compromised even if you are doing the due diligence, its quite another to be compromised and not really care nor understand the problem because there are no negative incentives to being that way. In today’s world, we need to be sharper than this if we want to stay in play on the global scale.

What we really need to be now is a ‘Digital Sparta’

Meanwhile, we are behind the game here. The government is trying to come to grips with all of this (poorly) all the while the Chinese and others now using the APT style of persistent attacks, are making bigger and more audacious hits against us (cough RSA & Lockheed cough!) while the news media spins on telling only half of the story that they comprehend to the masses that have little comprehension of the issues at all. Meanwhile, we in the security community talk about attribution and the problems of not only trying to stop all this from happening, but also deal with the repercussions politically trying to capture those carrying out the attacks.

All of this during the cacophony of vendors (and I mean you McAffee) spewing buzzword bingo out of your collective keisters trying to make sales and use the situation to your advantage.

Its time to pay real attention to the problems allowing these attacks to take place so easily and to the companies that are being targeted by the likes of China. For a little more history, I have collected the “From China With Love” collection on my blog. Dating back to 2008/2009 to today, you can see that this has been going on for a long time, and there is much more that has gone on that you might know about, or ever will unless you are cleared to know.

Enjoy.

Is Someone in China Reading Your Emails?

Our Chinese Overlords, Or how China is pwning the US

Economic Warfare: The New World Threat Via Cyberspace

Ni HAO!

Ghost Net: Aka Subseven or any other trojan backdoor program

Cyber SPIES in our GRID! Let the hand wringing begin!

DoD 2009 PLA Cyber Warfare Capabilities Assessment

MID’s “Seventh Bureau” and You.

Major General Dai Qingmin’s Cyberwar

The Cyber Cold War

How The Hackers Took Google A Theory: Manipulation, Geopolitics, and Cyber Espionage

PLA officer urges challenging U.S. dominance

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?

3322

Oh and as a post script; This post was also brought to you by @diocyde because he/she was such a pendantic wanker about me not caring about what China was up to as I was too busy chasing “pimple faced jihadists” online..

Moron.

K.

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?

with one comment

America Faced With Wave of Chinese Espionage

Defense Department officials are struggling to plan for a massive
 cyber-attack from Beijing – and fend off spies in the meantime. Tara McKelvey reports on the secret warfare.

Jul 16, 2011 9:47 AM EDT

 Deputy Defense Secretary William Lynn III never said the word China 
in his speech on Thursday
 about “Cyber Strategy,” but he didn’t have to. The
 threat of a cyber-attack from Beijing weighs heavily on the minds of 
military commanders. And while officials have not said publicly who
 was behind the newly disclosed theft of 24,000 files from a defense contractor in 
March, one of the worst cyber-assaults in Pentagon history—
it may well have been a Chinese operation. And even if Beijing
 officials were not involved in the theft, they have been implicated in 
other matters—so many, in fact, that federal officials are
 discussing publicly what do to about cyber-attacks, without saying
 explicitly who their number-one villain is.

From The Daily Beast

CYBER WAR!! CHINA TO BLAME! DIGITAL TSUNAMI IMMINENT!

So, we are going to be in for a digital wave of hacking and espionage are we? Say, have you been around lately? Like say the last oh, twenty years or so? Cuz if this is the big wave, I would hate to see what the tsunami is going to look like. Well, at least this article has some of the facts right including the issues over attribution for attacks and operations. however, it still glosses over the fact that this is nothing new. Espionage by the Chinese has been a favorite past time for them with regard to the U.S. and now that espionage is taking place within computer networks.

But.. This too has been happening for a long time (see Titan Rain or others like Moonlight Maze)

Nope, this is indeed nothing really new. The scale of it may be the new twist here and that is really because of the interconnection that has happened over the years to the internet. We have done it to ourselves and we did it without any real thought as to the security of our networks/systems/data

But, that is a screed for another day.

Since we are so connected now, and even systems that should not have (S) (NOFORN) data have been hooked up too (I know, I have seen it myself)  or said data has been placed on non cleared servers, we have been making it easier for the likes of China to get our secret sauce. China though, is not the only one doing this, but, they have made it an art form. The reason for this is that the Chinese had decided early on, that cyberspace (for lack of a less buzzworthy name) was going to be the 5th battlespace as well as the next frontier in espionage. Rightly so too.

As I said above, the networking of the world has made it that much easier to gather intelligence and in the case of the Chinese, they began to use the nascent hacker community to do it. However, old school espionage on the part of China has been going on for a long long time. If you are interested in this, then I suggest you pick up “Tiger Trap” by David Wise Suffice to say, that we have been industrially spied on at the very least by China dating back to at least WWII.

And they have been exceedingly successful.

(for more on China’s Thousand Grains of Sand and Espionage go HERE)

Back to the article and its catchy headline though, the great Cyber War has yet to come and we are woefully ill equipped to handle it right now. There have been incursions that we have found and I am sure there are more that we still don’t know about (whether or not the government has classified them, thus burying them) that paint a larger picture of the issue I am sure. So, when they cry out that we are in for the big hit yet to come, I say “heh” look at what already has happened!

Pretexts; Anonymous, China, and Cyber-Espionage:

The one area that the Beast article does not allude to that it should in my book on this subject is the current climate in the ‘cyber’ world. As you can likely tell from the header here, I personally think that Anonymous and LulzSec are the key to future attacks. Not that they are directly involved per se, at least not knowingly, but that China has latched onto their antics as a pretext for their own attacks.

Think of Anonymous, AntiSec, and LulzSec as the gift that keeps on giving any state or person who wants to carry out attacks online and have the questionable cover of it all being for the Lulz.

With all of the AntiSec/Anonymous operations ongoing, who is to say that China’s PLA has not infiltrated the infrastructure and effected the decision making process some? What better way to deflect than to use an alleged headless group of nae’r do wells to do your bidding in some larger scale attack? This is an area of thought that I have put out there before and every day I am convinced more and more that not only China is using this, but also other state actors.

…At least they would be smart to do so *wink wink nudge nudge, SAY NO MORE!*

Even if these state actors are not directly working from within the Anon’s.. At the very least they can be blamed.

Just saying… “Interesting times indeed”

Current Status China: Landlord, Banker, Petulant Child:

Beijing’s leaders have ramped up spying operations partly because they 
are angry at the United States, and they have been especially peeved
 at State Department officials; China believes that the
 Americans have tried to empower dissidents and to influence domestic 
politics. Indeed, Secretary of State Hillary Clinton has pushed for
 greater access to the Web for dissidents, giving a speech 
in February in which she called for “a global commitment to Internet 
freedom,” a phrase that officials in Beijing found particularly 
galling. The Chinese officials resented her proclamations about the Net, which they believed are an underhanded way of trying 
to meddle in their affairs. “For them, this is a very aggressive 
interventionist policy,” Fidler explains.

From The Daily Beast

To conclude though, I would also like to touch on the fact that China has always been a proud nation. In that, they have been prone to reaction to any perceived sleight by nations such as ours. Much of the proto hacking that went on in China took place over the acts of countries like Viet Nam or Taiwan and resulted in defacement of pages (in a nice and polite way as well) Today though, the tenor of the hacking has taken a bit of a darker tone and much of it is due to the hard liners in the politburo taking the reigns and directing the Green Army to act.

While China holds much of our debt, they still do not have all of our assets (IP) and as such, they want to keep us under control politically and financially. All the while giving us the rope to not just hang ourselves, but to do so for China’s best interest. The only time that I will worry that China will go all out cyber war on us is when they have nothing left to use us for.

Then we are in some deep shit. Imagine they call our markers AND hit our systems with attacks. They may not have the military capabilities hardware wise, but, they certainly could likely cause our military to falter and fail by breaking the command and control as well as supply chain with attacks today. So, I am not all that worried if they get peeved at us over Obama meeting HH Dalai Lama as much as I am their just calling our debt markers.

Sure, the Chinese leaders are worried about the Arab Spring, but they will just pull another Tienamen won’t they? After all, if they hold our debt, what are we going to do to them that isn’t going to be measured to not offend? So on it will go, we will ruffle their feathers, they will hack and steal data, and we still won’t have a debt ceiling agreement because our politicians are too self involved to care about the country.

I welcome Chairman Meow…

K

 

Written by Krypt3ia

2011/07/18 at 12:39

Team Inject0r: The Multinational Connection

with 6 comments

The recent compromise of a NATO server by “Team Inj3ct0r” has recently made the news, but, as the media usually do, they did not look any deeper than the website for Inj3ct0r and perhaps a little data as to what the team said in a text doc on the compromised server. A further examination of the group shows that Inj3ctor has been around since 2008, and has ties to Chinese hackers as well as Russia, Turkey and other countries.

This could change the paradigm on the “hacktivism” moniker that Team Inj3ctor has branded themselves with recently (post the goings on with Anonymous and LulzSec/Antisec movements) Before these movements, this site and the teams all were loosely linked and purveyors of 0day, and not so much in it for any political means. What has changed? Who might benefit here to use the hacktivism movement as a cover for hacking activities that could cause a stir?

… Maybe the PLA? Maybe the FSB?…Some other political orgs from Gaza? or Turkey?

Or, perhaps they are just a bunch of hackers who like the cause celebre of hacktivism? It’s hard to say really, but, when you get China into the mix, the lines blur very very fast.

Below I am outlining the data I collected on the main inj3ct0r site, its owner, and two of the players who are on both teams of hackers that span China and Russian hacking. This makes for a new wrinkle in the Anonymous/Lulz movement in that the NATO hack was claimed by someone using the name “Team Inj3ct0r” and this site seems to fit the bill as the source of the attack since it has been quoted by the hackers that they used 0day on the NATO server to crack it and keep access. If indeed there are connections to state sponsored hacking (as the China connection really does lead me to believe) then we have a new problem, or perhaps this has been the case all along that the state sponsored hackers have been within Anonymous, using them as cover.

Another interesting fact is the decision to attack NATO. Was it a hack of opportunity? Or was there a political motive here? As I have seen that these groups are multi-national, perhaps this attack had a overall political agenda in that NATO is supposed to be the worlds policeman. I am still unsure.

Teams and Members:

In looking at the sites and the members, it came to light that two members belong to each of the teams (inj3ct0r and DIS9) The two are “knockout” and “Kalashinkov3” The teams are tied together in the way they present their pages and the data they mirror so it is assumed that they have a greater connection underneath. In fact, more of them may be working together without being named in the teams listed below. Each of these people have particular skills and finding 0day and posting them to this site and others for others to use.

Team Inj3ct0r: http://77.120.120.218/team

Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (mr.r0073r@gmail.com) My assumption is that the name given as well as the address and phone numbers are just bogus as you can see they like to use the netspeak word “1337” quite a bit. A secondary tip on this is that the name “Matt Farrel” is the character name for the hacker in “Live Free or Die Hard” Someone’s a fan…

Team Inj3ct0r

r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com owned by Mr. Czeslaw Borski according to whois. However, a whois of inj3ctor.com comes up with a Anatoly Burdenko of 43 Moskow Moskovskaya Oblast RU. Email: e-c-h-0@mail.ru

  • The domain r0073r.com owned by a Mr. Czeslaw Borski out of Gdansk Poland (another red herring name) domain hosted in Germany with a .ru name server
  • The domain inj3ct0r.com created in 2008 belongs to Anatoly Burdenko and has been suspended
  • The domain inject0r.com was hosted in China  61.191.0.0 – 61.191.255.255 on China net
  • Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
  • Another alias seems to be the screen name str0ke
  • Also owned www.0xr00t.com

http://www.inj3ct0r.com domain details:

Registrant:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013
Domain servers in listed order:
ns1.suspended-domain.com
ns2.suspended-domain.com
Administrative Contact:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151                     
Sid3^effectsr
4dc0reSeeMe
XroGuE
gunslinger_

indoushka
KnocKout

  • knockout@e-mail.com.tr
  • knockoutr@msn.com
  • Alleged to be Turkish and located in Istanbul
  • Member of the Turkish cyber warrior site cyber-warrior.org last access July 4rth 2011

ZoRLu
anT!-Tr0J4n
eXeSoul
KedAns-Dz
^Xecuti0n3r
Kalashinkov3


DIS9.com:

DIS9.com is a hacker group that is linked to and shares two members with Team Inj3ct0r (Kalashinkov3 and KnocKout) Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin ostensibly out of Hunan Province in China. The owner/registrar of the site has a familiar email address of yeailin225@126.com also a domain registered and physically in China.

A Maltego of this data presents the following interesting bits: A connection to the site http://www.vi-xi.com a now defunct bbs which lists the yeailin225 account and other data like his QQ account. This site also lists another name attached to him: Daobanan ( 版主 )  vi-xi.com had hacking discussions that involved 0day as well. The domain of vi-xi.com was registered to jiang wen shuai with an email address of jwlslm@126.com and listed it out of Hunan Province.

The connections from DIS9 to other known hackers who are state actors was found within the Maltego maps and analogous Google searches. As yet, I am still collecting the data out there because there is so much of it. I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice to say though, that there is enough data here to infer that at the very least, hackers who work for the state in China are working with others on these two sites at the very least, sharing 0day and perhaps hacking together as newly branded “hactivists”

DIS9 Team:
Rizky Ariestiyansyah
Blackrootkit – 
Kedans-Dz

: Team Exploit :

Nick
Kalashinkov3
KnocKout
K4pt3N
Liquid
Backdoor Draft

h4x0er.org aka DIS9 Team

Another interesting fact is that a link to the site h4x0er.org itself shows that the DIS9 team is the umbrella org for Inj3ct0r and other teams. This is a common practice I have found with the Chinese hacking groups to have interconnected sites and teams working together. This looks to be the case here too, and I say this because of the Chinese connections that keep turning up in the domains, sites, and team members.

Other Teams within the DIS9 umbrella:

In the end, it seems that there is more to the inj3ct0r team than just some random hackers and all of this data bears this out. I guess we will just have to wait and see what else they hit and determine what their agenda is.

More when I have it…

K.