Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Ni Hao Chairman Meow!’ Category

China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?

with 5 comments


Conclusions
Chinese strategists are quite aware of their own deficiencies and
vulnerabilities with respect to cyber-warfare. In June 2000, “a series of high-
technology combat exercises” being conducted by the PLA “had to be
92 suspended” when they were attacked by “a computer hacker”.

China‟s telecommunications technicians were impotent against the intermittent
hijacking of the Sinosat-1 national communications satellite by Falun Gong
„practitioners‟ in the early 2000s. China‟s demonstrated offensive cyber-
warfare capabilities are fairly rudimentary. Chinese hackers have been able
to easily orchestrate sufficient simultaneous „pings‟ to crash selected Web
servers (i.e., Denial-of-Service attacks). They have been able to penetrate
Web-sites and deface them, erase data from them, and post different
information on them (such as propaganda slogans). And they have
developed various fairly simple viruses for spreading by e-mails to disable
targeted computer systems, as well as Trojan Horse programs insertible by
e-mails to steal information from them. However, they have evinced little
proficiency with more sophisticated hacking techniques.

The viruses and Trojan Horses they have used have been fairly easy to detect and remove
before any damage has been done or data stolen. There is no evidence that
China‟s cyber-warriors can penetrate highly secure networks or covertly
steal or falsify critical data. They would be unable to systematically cripple
selected command and control, air defence and intelligence networks and
databases of advanced adversaries, or to conduct deception operations by
secretly manipulating the data in these networks. The gap between the
sophistication of the anti-virus and network security programs available to
China‟s cyber-warriors as compared to those of their counterparts in the
more open, advanced IT societies, is immense. China‟s cyber-warfare
authorities must despair at the breadth and depth of modern digital
information and communications systems and technical expertise available
to their adversaries.

China is condemned to inferiority in IW capabilities for probably several
decades. At best, it can employ asymmetric strategies designed to exploit
the (perhaps relatively greater) dependence on IT by their potential
adversaries—both the C ISREW elements of adversary military forces and
the vital telecommunications and computer systems in the adversary’s
homelands. In particular, attacks on US information systems relating to
military command and control, transportation and logistics could “possibly
degrade or delay U.S. force mobilisation in a time-dependent scenario”, such
as US intervention in a military conflict in the Taiwan Straits.

China‟s cyber-warfare capabilities are very destructive, but could not compete in
extended scenarios of sophisticated IW operations. In other words, they
function best when used pre-emptively, as the PLA now practices in its exercises.

In sum, the extensive Chinese IW capabilities, and the
possibilities for asymmetric strategies, are only potent if employed first.

Desmond Ball: China’s Cyber Warfare Capabilities


Oh Desmond…

Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say;

“Well, because there’s no real proof of their actually having done anything, they are unable to do so”

*blink blink*

Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, your contention is lacking understanding of the playing field I think, so let me enlighten you a bit ok?

Rudimentary? Really?

I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..

How about you?

Sure, the coders could have been just about anyone, but, the data was being exfiltrated to areas that were in the Asia Pacific and more than likely were Chinese in origin so, yeah, it likely was them and not say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no Desmond, they are not wholly unskilled and certainly as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well Desmond, was coined for their activities against the defense industrial base here in the US.

Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.

PSSST… Guess What?

So, to move this further along the philosophical and technical path for you let me explain it another way for you. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Something core to the Chinese mindset on warfare are the following:

The Chinese do not have a goal of outright cyber warfare with us. In fact, they would use the subterfuge angle you speak of by leaving trap doors in software and hardware, which they have done in the past (and have been caught) However, more than likely, they would use the supply chain that we have allowed them to become the lions share of via outsourcing of cheap parts/labor to infiltrate our systems with bad chips or said same back doors. Why do you think we spend so much time (the military) checking everything that we get for the government/mil from China?
Soft power Desmond would dictate that they use the thousand grains of sand to not only steal our IP but also use the technology and our dependence on their cheap rates to insert bad data/systems/hardware into our own infrastructure for them to call up when needed to fail. This is not to say that they do not also have operators who have inserted code into other systems remotely to late be used when needed as well.
Simply Desmond, you don’t see the whole picture and its rather sad that you go on to make such defined claims. The simple truth is that the Chinese don’t need to attack us pre-emptively. They have been undermining us (US) for a very long time as we sell out to them for cheap goods. and services. THIS is soft power. They now sit in the catbird seat in many ways financially (though yes, they could lose much by us defaulting) however, from the soft power perspective, they hold the upper hand. A coup de grace would be to take down military systems were we to get uppity about Taiwan.. but really, are we in a position to do so after being wholly owned by them and their capital?
Desmond.. It’s not so much Red Dawn as it is “They Live” if you are into movie references.

網絡戰 !!!

Alrighty, now that I have gotten that off my chest, Cyberwar is to me, too hard to carry out for ANY of the countries out there now. China being only one country that might want to. The systems are too disparate and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.

ANYONE could IF they had the access and the desire. It would not need to be nation state, it could be a private citizen for that matter. What is more interesting Desmond is that you fail to understand the espionage angle here. The Chinese use their expat’s to do their bidding under threat, or, mostly under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…

Yeah.. Soft power once again.. It could turn hard though with the right circumstances.

Once again Desmond, you think too one dimension-ally.

The Sad Truth…

Now, with all of that said, lets turn it around a bit. The saddest truth is this;

“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”

The systems out there have not been protected well enough. Patching, and secure coding have not been at the fore here and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed because we collectively have done a bad job at securing our own networks.

*sadface*

Once again, you fail to look at the problem from a more multidimensional angle.

Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.

K.

从中国用爱 From China with Love: The Chairman Meow Collection

with 3 comments

From China with Love:

Within the last year (since Stuxnet) the general populace has become more aware of the problems we all face from digital attacks and espionage. Of course sitting here today writing this blog entry, I look back at my past posts and wonder just why people are catching on now. China has been working us over for a long time and with each day’s passing we have been steadily more and more compromised by the 7th directorate and their proxy hacking groups. This is not to say that others aren’t doing the same thing as well. China just happens to be the more active due to their single minded desire to be the pre-eminent superpower and they have the politically charged populace to do it (i.e. PLA and their civilian hacking counterparts)

Israel, Russia, England, the list goes on, all spy on us as we spy on them. In the case of industrial espionage, the Chinese are first on the list, followed closely by Israel and Russia as well as France. Its a game we all play, its just that China has been going at it in a much smarter and cohesive way is all. All one need do is look at the current state of affairs to determine that they have been exceedingly adept at it as well, kudos to them really and shame on us. We (the US) have been too busy being slaves to greed and cheap products from, you guessed it, China, to notice that our collective clocks were being cleaned. Sure, some have been in the know about this (the military, DOD DIB parters) but we have been hampered by several things.

1) Contractors (i.e. private companies) do not have robust security postures and often are connected to DOD systems (say an air force base) Not to mention that these systems that the contractors own hold the goodies and escalation vectors that the APT want. Patching, IDS/IPS, SIEM, DLP, all words that are foreign to many exectuives making decisions about security and often have not one clue in the matter to start. I have in fact seen one place that had a C level exec with a 4 character password to their system! One that also had a pre-populated ID! YAY! Way to go there Mr. C level who manages a company that makes war-fighter systems! So, suffice to say that they companies have been ill equipped to handle security and the executives have been reticent to care.

2) Government regulations have been too lax in governing the security mandates and repercussions on any and all contractor companies that work on war-fighter systems. Sure, there are ITAR regs and potential fines, but really, how many of these companies have had true audits of their networks and environments to test their security postures? A good red team of many of these places I am sure would turn up shockingly scary vulnerabilities and network security gaff’s that would, if leveraged by the likes of the Chinese, lead to huge compromises of the companies as well as their proprietary data. In the time I was at a defence contractor, I only saw one red team and in that event it only took about an hour to compromise the place utterly. We need to enforce security on all defense contractors for both sides of their businesses (defense base and public) in order to insure that the data is safe. Right now, even after everything that has happened with China, we still have no real regulation and control over these companies security postures and that is why we will keep failing.

3) Human nature and corporate group think are the lead causes in our failures mentioned above. We as beings seem to lack the ability to see the long term dangers with regard to this type of warfare. We are also being leveraged by social engineering attacks (phishing, vishing, etc) to gain the toehold into the networks that lead to escalation and persistence. We need to be teaching secure computer practices both on a personal and a corporate level in order to be better equipped to try and stop these attacks. It’s not going to be the new piece of hardware or software that the vendors want to sell you (though they do have a place if they work) but instead the human factor that will be able to help here. I just would like to see the C levels at least aware of the security threats and really understand them. So far, I have seen too many in management without a clue and who don’t seem to care.

So, what I think we really need are some rules set up for companies doing government business that mandate secure practices and insure that if those companies are not following through, will be fined and shamed as well as lose their contracts. Its one thing to be compromised even if you are doing the due diligence, its quite another to be compromised and not really care nor understand the problem because there are no negative incentives to being that way. In today’s world, we need to be sharper than this if we want to stay in play on the global scale.

What we really need to be now is a ‘Digital Sparta’

Meanwhile, we are behind the game here. The government is trying to come to grips with all of this (poorly) all the while the Chinese and others now using the APT style of persistent attacks, are making bigger and more audacious hits against us (cough RSA & Lockheed cough!) while the news media spins on telling only half of the story that they comprehend to the masses that have little comprehension of the issues at all. Meanwhile, we in the security community talk about attribution and the problems of not only trying to stop all this from happening, but also deal with the repercussions politically trying to capture those carrying out the attacks.

All of this during the cacophony of vendors (and I mean you McAffee) spewing buzzword bingo out of your collective keisters trying to make sales and use the situation to your advantage.

Its time to pay real attention to the problems allowing these attacks to take place so easily and to the companies that are being targeted by the likes of China. For a little more history, I have collected the “From China With Love” collection on my blog. Dating back to 2008/2009 to today, you can see that this has been going on for a long time, and there is much more that has gone on that you might know about, or ever will unless you are cleared to know.

Enjoy.

Is Someone in China Reading Your Emails?

Our Chinese Overlords, Or how China is pwning the US

Economic Warfare: The New World Threat Via Cyberspace

Ni HAO!

Ghost Net: Aka Subseven or any other trojan backdoor program

Cyber SPIES in our GRID! Let the hand wringing begin!

DoD 2009 PLA Cyber Warfare Capabilities Assessment

MID’s “Seventh Bureau” and You.

Major General Dai Qingmin’s Cyberwar

The Cyber Cold War

How The Hackers Took Google A Theory: Manipulation, Geopolitics, and Cyber Espionage

PLA officer urges challenging U.S. dominance

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?

3322

Oh and as a post script; This post was also brought to you by @diocyde because he/she was such a pendantic wanker about me not caring about what China was up to as I was too busy chasing “pimple faced jihadists” online..

Moron.

K.

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

with 2 comments

黑客 Transliteration into English ‘Dark Visitor’, more specifically in our colloquial language ‘Hacker’ The Dark Visitor movement of the 1990’s has morphed into a more sophisticated and government connected espionage wing today. What was once a loosely affiliated group of patriotic hackers, has been honed by the PLA (Peoples Liberation Army) into a force to be reckoned with on the stage of digital espionage and data theft.

Beginnings:

Back in the latter 1990’s the Internet made its way to China and soon hackers began to see how the system worked. These hackers were curious about systems to start, but soon the motives changed in the Chinese hacker community due to patriotism and the inherent nature of the Chinese culture, to feel that they could avenge their country for perceived sleights by hacking web pages and defacing them. It was in 1997 that the first hacker collective was formed and named the “Green Army” and in 1998, the “Red Hacker Alliance” was formed after an Indonesian incident involving riots against the Chinese caused them to band together.

Over time, many groups would form and dissipate only to re-form. The groups would have various reasons to go on campaigns of hacking against other countries like Taiwan over political issues and the like, but it seemed for the most part the general aegis was just to hack. A change though came in the 2000’s when commercialism started to come to play. It seems that as in the West, the hackers began to see that their skills could be put to use to make money, and many of them began working as security consultants. As with the country itself, commercialisation that Deng Xiaoping had put into play with his ‘market economy’ afforded them the idea of not just being politic but also in some ways, Capitalist.

From the “Dark Visitor” by Scott Henderson its a good albeit short read on the subject. You can buy it on his site I think..

The paradigm however has changed a bit since 2005 and since, more of the hacking and the groups doing it have dual motives. Due to the PLA co-opting the hacker groups, a healthy dose of patriotism, and the general socio-political environment that the Chinese live in today, we now have both forces at work. The political and the market driven.

Motivations for APT Attacks:

Since the market economy’s beginning with Deng, China has brought itself up out of the depths that the Mao government dragged them into a burgeoning super power. Most of this economic feat has been driven by the sheer ability of the Chinese to throw immense amounts of workforce at problems. While producing cheaper and perhaps lower quality goods, they have plaid upon the capitalist nature of the west to pivot themselves into the controlling seat economically and production wise. America and other countries have locked on to the idea that hiring out to foreign workers (outsourcing) they are saving a lot on their bottom line. As well, the consumer, be they American or other, have enjoyed the advantages of cheaper products, thus they save more money on their purchases, and thus have more disposable income.

This model however has one flaw for the Chinese. While the Chinese have great skill in replicating technologies, and have created clever contracts that in the end, garner them all of the specs on how to make just about everything, they lack in the area of generating new technologies. This is the basis for their efforts within the industrial espionage area that make up quite a great number of the persistent attacks on companies in the West that have succeeded in stealing IP. It seems that the Chinese need for political status as well as economic status have created the perfect incubator for the likes of the Honker Union or the Green Army, to turn their efforts toward making China a complete superpower.

State vs. Non State Actors:

The lines between the state actor and the non state are very much blurred in China. Due to the culture, many of the hackers work together for the common goal of the state. Since 2001 though, the notion of the state actor has been more common since the PLA began to incorporate the hackers into their ranks as well as to begin training programs at universities like the Chengdu University of Technology, which, just happens to be situated within the province where the first directorate of cyber intelligence resides.

There are certainly likely to be other hackers or groups also working for themselves selling 0day and the like, but I can also envision that certain state actors might also want in on that action as well. How better to control some of the malware out there than to actually create it and sell it? Either way, the notion of separating state and non state actors in China has pretty much been a non starter for me when looking into this issue.

In the end, they all are state actors I think just by the nature of the regime.

Techniques:

In the beginning, the Chinese hackers were just defacing pages, but after Cult of the Dead Cow created Back Orifice, the face of hacking changed. Huang Xin
took note and created the first Chinese trojan ‘glacier‘ since then, it’s been an ever increasing world of trojans and means to get the users of systems to install them. As time progressed, and hackers had to deal with more security measures (i.e. firewalls) they all began to use guile to get the end user to do the work for them. Over the years the Chinese have gotten much better at crafting decent emails that will not ring alarm bells in users heads. These emails and exploits are what we now call ‘phishing

Additionally, the Chinese have honed the attacks to not only be sly but also they have added a very regimented structure of keeping access to the networks they have compromised. Through thorough placement of further back doors as well as creating custom code to apply to applications inside of their target infrastructures, they have managed to keep the access that they desire to exfiltrate data at their own pace. Using multiple nodes within a compromised network, they will just shrug and move on to another compromised node once they have been discovered and stopped on the original. THIS is the true meaning of “Advanced Persistent Threat” and for me it’s mostly on the persistence that the emphasis should be kept.

Moving Forward:

Recent events with Lockheed have moved me to write this blog post as well as begin a series of them on the Chinese hacking community today. My initial searches online have provided all too much data and it admittedly has me overwhelmed. This I decided to parse this all out. I wanted to cover the history, motivations, and means today. Soon I will be writing more about infrastructure and methodologies to try and give a map so to speak, of what we are dealing with as the Chinese continue to use those ‘Thousand Grains of Sand‘ against us.

But, just to give you a taste of what I am seeing… Here is just one site that I did a relational link search on:

More to come…

K.

Rising Enterprise Reports Hacking On Chinese Assets Up In 2010

leave a comment »

下载《瑞星2010中国企业安全报告》

3月10日,亚洲最大信息安全厂商瑞星公司发布《2010中国企业安全报告》,对国内企业和单位所面临的安全风险进行了深入剖析和解读。报告指出,政府、军队、教育科研等机关单位已经成为黑客攻击的重要对象;2010年,高达90%的传统企业内网(仅计算与互联网连通的企业网络)曾被成功侵入;几乎百分之百的互联网公司都遇到过渗透测试、漏洞扫描、内网结构分析等安全事件,而有85%以上曾被黑客成功获取一定权限。

瑞星安全专家表示,2010年,以百度遭到域名劫持攻击为标志,所有中国的大型公司和网站都遭到了严重的安全威胁。DDOS攻击、病毒植入、域名劫持、机密信息丢失、管理权限外泄等成为企业最易遭受的黑客攻击。

而在被攻击对象方面,软件系统不再是唯一选择,手机、U盘、移动硬盘、基础设施等都已经成为黑客的攻击目标或者跳板,企业急需量身定制全面、系统的整体安全解决方案。

政府、军队、教育科研机构等成为黑客攻击的重要对象

Translation:

March 10, Asia’s largest information security company Rising has released ” Security Report 2010, Chinese enterprises “, and units of domestic enterprises face security risks in-depth analysis and interpretation. The report notes that government, military, educational institutions and scientific research units have become an important target for hackers; by 2010, up to 90% of the traditional enterprise network (only the enterprise computing and Internet connectivity network) has been successfully invaded; almost one hundred percent of the Internet companies have encountered penetration testing, vulnerability scanning, structural analysis within the network security incidents, while 85% had been successful for certain privileges hackers.

Rising security experts said that the year 2010, Baidu has been marked by domain name hijacking, all of China’s large companies and websites have been a serious security threat. DDOS attacks, viruses implantation, domain name hijacking, loss of confidential information, disclosure and other management authority become the most vulnerable to hacker attacks.

The areas being targeted, the software system is no longer the only choice, mobile phones, U disk, mobile hard disk, infrastructure and so has become the target of hackers, or springboard, enterprises need to tailor comprehensive solutions to the overall security of the system .

Government, military, education and scientific research institutions have become an important target for hackers

Well, turn about is fair play is it not? Apparently, if you are to believe the data from this report, then it seems that China has been the target of some hacking. Of course who might it be that this report is claiming is at the top of the aggressor list?

Why the USA of course!

Now, that is convenient huh? Well, I can be sure that the USA has been trying to hack these entities in China, but, would the US be as silly as to just do it blatantly like the Chinese do? Maybe they would, maybe they wouldn’t. What it does say however is that now the game is on with the Chinese it would seem. I think though that this has been the case all along. The three letter agencies have been doing this since the start I think and as the world has become more networked, so has the spying. I mean, not only China has a corner on the cyber-espionage game.

Now, on the other hand, this report would amp up the rhetoric on the cyber-espionage topic wouldn’t it? After all, so far we have had so much attention on the likes of Night Dragon, Moonlight Maze, and Aurora as being pinned to the Chinese star. I am sure that the Chinese would love to be able to rationalize their efforts as reciprocity for the attacks by America on them. This is the game that is played and it is much like the games that the USSR used to play with America on the espionage playing field.

I guess the next question for me would be this;

Just how many servers do the alphabet agencies lease time on in other countries such as China to run recon or hack from? Obviously some of those cycles could be on the behalf of some agency or other and they would be none the wiser. A botherd is just a botherd, all that matters is that they get their money on the digital black market. I am sure too that there are plenty of nodes within the Asiatic sector as well as all over the rest of the world, that are acting as launch points for the US, not just servers within the confines of the country.

Well, at the very least this is an interesting albeit feeble attempt at attribution of attacks on China.

Attribution is a bitch and China must know that pretty well.

K.

 

Written by Krypt3ia

2011/03/16 at 20:17

Digital Kinetic Attacks: South Korean DD0S Botnets Have “Self Destruct” Sequence

leave a comment »



From McAfee Blog

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns.

The rest HERE

At first, the idea of a digital kinetic attack to me would be to somehow affect the end target in such a way as to destroy data or cause more down time. These current attacks on South Korea’s systems seems to be now, more of a kinetic attack than just a straight DD0S. Of course one then wonders why the bot-herders would choose to burn their own assets with this new type of C&C system and malware. That is unless the end target of the DD0S is just that, one of more than one target?

So the scenario goes like this in my head;

  • China/DPRK work together to launch the attacks and infect systems also in areas that they would like to do damage to.
  • They choose their initial malware/C&C targets for a secondary digital kinetic attack. These systems have the potential of not only being useless in trying to trace the bot-herders, but also may be key systems to allies or the end target themselves.
  • If the systems are determined to be a threat or just as a part of the standard operation, the attackers can trigger these systems to be rendered (possibly) inert with the wipe feature. This too also applies to just going after document files, this would cause damage to the collateral systems/users/groups

Sure, you burn assets, but at some point in every operation you will likely burn at least one. So doing the mental calculus, they see this as a win/win and I can see that too depending on the systems infected. It is not mentioned where these systems (C&C) were found to be, but, I am assuming that they were in fact in China as well as other places around the globe. This actually steps the DD0S up a level to a real threat for the collateral systems.

Of course the malware here does not physically destroy a drive, it is in fact just rendering it useless (potentially, unless you can re-build the MBR AND you zero out the data on board) as you can see from this bit of data:

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The malware is aware enough to see if someone has tampered with the date and time. This sets off the destruct sequence as well, but, if you were able to stop the system and forensically evaluate the HD, I am sure you could make an end run and get the data. Truly, we are seeing the next generation of early digital warfare at this scale. I expect that in the near future we will see more nastiness surface, and I think it highly likely in the post stuxnet world, that all of the players are now thinking in much more complex terms on attacks and defences.

So, let me put one more scenario out there…

Say the malware infected key systems in, oh, how about NASDAQ. Those systems are then used to attack NYSE and suddenly given the order to zero out. How much kinetic warfare value would there be to that?

You hit the stock market and people freak

You hit the NASDAQ systems with the compromise and then burn their data

Ouch.

Interesting times….

Worm Win32/Stuxnet Targets Supervisory Systems in the U.S. and Iran

with one comment

According to ESET Virus Lab, the worm has been active for several days, lately in the U.S. and Iran withalmost 58 percent of all infections being reported in the United States, 30 percent in Iran and slightly over four percent in Russia. The cyber attacks in the U.S. and heightened activity of the worm in Iran come in the wake of persisting tensions between the two nations over nuclear ambitions of this Middle Eastern country.

“This worm is an exemplary case of targeted attack exploiting a zero-day vulnerability, or, in other words, a vulnerability which is unknown to the public. This particular attack targets the industrial supervisory software SCADA. In short – this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does,” said Juraj Malcho, head of the Virus Lab at ESET’s global headquarters in Bratislava, Slovakia.

An interesting angle to this story is how the worm spreads. “For a truly targeted attack it would have been coded to make specific checks to see that it only ran where it was supposed to and did not spread. Spreading increases the odds of detection. If the attack was aimed at only US systems, then the attacker would not want the code appearing all over the world. This fact might indicate a number of potential attackers,” said Randy Abrams, director of technical education at ESET in the U.S. “The ability to attack power grids throughout the world would be very appealing to terrorist groups,” concludes Abrams.

Full article HERE

Interesting choice of countries to attack… What would be the motivation for just those two countries in a targeted attack? Could there be some cross polinization due to the actions of one country on another? Lets say for instance, the Iran got infected by something they procured or had access to within the US? Or vice versa? My bet though, is that this is a targeted attack on the systems themselves and not country centric. Any country using like technology, likely has the new worm in their midst and may not know it.

Of course, just how many SCADA systems are prevalent today? As well, just how many have been connected to systems that face the internet in some way? That is the operative question I guess…

As for the contention that this is industrial espionage.. Well, I might think it is more groundwork for something else… Here it comes…

Cyber Warfare Oh my, I said it didn’t I huh.. The talk lately has been so back and forth between detractors and believers that no one really is getting “it” No matter what you call it, no matter who you want to attribute it to as attackers go, here is the proof of concept that even if it is not “happening successfully” yet, they are trying. That is the important thing to keep in mind. What people fail to understand is that the whole US grid need not be knocked out to make a cyber war or to be successful. All you really need is for the target of your choosing that will fulfill your desired outcome, to be taken down or subverted in whatever way you want it to be.

I am sure the bickering will continue and the government will look at this and think they have to create another agency or sub group to think about it more.. In the meantime though, we still have the problem of these systems perhaps being connected to networks that are not secure, whats worse, those networks may in fact be internet facing and thus able to be C&C’d from remote locations like mainland China.

Meanwhile….

More has come out about this 0day and the supervisory systems attack (I wonder if that is the only vuln attack here or is it just one of many coded into this effort?) It seems that the Siemens software and an old and well known SCADA password for it on the internet, has been coded into this and has been seen in the systems spoken of above.

IDG reported that Siemens issued a warning on Friday saying the virus targets clients using Simatic WinCC, one of the company’s industrial control system software offerings that runs on Windows. The virus strikes at a recently discovered Windows bug that affects every Microsoft operating system, including the recently released Windows 7.

The virus transmits itself through infected USBs. When the USB is plugged in to a computer, the virus copies itself into any other connected USBs and, if it recognizes Siemens’ software, it tries to log in to the computer using a default password.

Read more: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/07/19/BUBC1EDTIS.DTL#ixzz0uPyQ8AGn

Now this article has language from Siemens that alleges industrial espionage and not so much prelude to attacks on a networked system such as the grid. One wonders just what the straight story is here. In either case, the incursion of the worm and the accessing of a known pass/log to a SCADA system is not a good thing for those of us trying to protect said systems. Would not one looking at this on the face of it think that it was an attempt to gain a foothold as well as intel on SCADA systems for future use?

Better keep your eyes peeled…

Just sayin…

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

with one comment

“Operation Aurora, GhostNet, Titan Rain. Reactions were totally different in the US and in Asia. While the US media gave huge attention, Asia find it unbelievable and interesting, that cyber warfare and government-backed commercial espionage efforts that have been well established and conduced since 2002, and have almost become a part of people’s lives in Asia, caused so much “surprise” in the US.

Here we’ll call this organization as how they’ve been properly known for the past eight years as the “Cyber Army,” or “Wang Jun” in Mandarin. This is a study of Cyber Army based on incidences, forensics, and investigation data since 2001. Using facts, we will reconstruct the face of Cyber Army (CA), including who they are, where they are, who they target, what they want, what they do, their funding, objectives, organization, processes, active hours, tools, and techniques.”

Full article Here:

“We’ve been hacked! Oh wait, you’re in Paris… You can’t help us.. CLICK”

Color me not surprised to see that this talk was yanked off of the BlackHat schedule. This is specifically in light of the fact that the presenter is from Taiwan, a protectorate of China and likely if the talk went ahead, then the speaker and his company would have been sanctioned by the Chinese government. Though, it could be that there are other players here that may not want some bits of information out in the open but who’s to say at this juncture? Suffice to say that something in this iteration (and there have been others of this same talk given) got them spooked.

The other comment that struck me was the red text above that mirrors what I have been saying all along since the whole Google APT thing erupted onto the media stage here in the states.

This is nothing new.

The Chinese have been at this for some time just as other countries had been doing the same thing. It is just perhaps the scale and the persistence that has been the key to the difference here. The Chinese have the 1000 grains of sand approach that is culturally specific to them. They took that notion, the game of “Go” and and what they learned from Sun Tzu then applied it to their cyber warfare/inforwar stratagem. Its only a natural progression really given their culture and history. What really takes me aback is just how little the West (ala the US) seems to be so ignorant of this that it has me wondering just what navel they have been gazing at all of this time while the Chinese ate our collective lunches.

So here we are, months later after the Google revelations and years after the successful attacks that no one dare name for fear of national security or perhaps national egg on the collective national face with regard to incursions in the past on sensitive networks. You see, yes Virginia, there have been other incursions and much more has been stolen via networking infrastructure as well as HUMINT by the likes of China in the past. Its just that its either classified, hush hush, or, more likely, the targets have no idea that they had been compromised and their data stolen. It’s all just a matter of the security awareness that we have had.. Well, where that has been nationally has been in the toilet really, so extrapolate from that the amount of data that has been stolen ok? Lets use the JSF as an example of this as its been in the news.

Trending Lately.. APT+JSF = Chinese Love

Now, given that this type of talk has been the “du jour” lately on the security and government circuit, lets move the target further out and to the left a bit ok? I have been noticing something in the news that has direct connection to my last employer, so I will be judicious with my speech here.. How shall I start….

Ok… Lets name the players…

Lockheed Martin: Hacked and about 2TB of data taken out of the systems… Inclusive on the JSF project

(Undisclosed company that makes hot object integral to flight) : Nothing in the news…. wink wink nudge nudge..

The FAA: Hacked and back channeled through trusted networks into Lockheed and ostensibly other companies

The JSF itself.. Well the congress wants to keep the program afloat while the main military brass want to kill it. You see, its been compromised already and I suspect well enough, that the technical advantages that it was supposed to have, are pretty much gone now. You see, all those hacked systems and terabytes of data exfiltrated out were enough to compromise the security of the ship herself and give the enemy all they needed to defeat her “stealth” systems.

Somewhere in China there’s a hangar, a runway, and a Chinese version of the JSF sitting on the tarmac doing pre-flight I think.

So the latest scuttlebut out there with regard to the cost overruns and the problems with the JSF are just one part of the picture I think. Sure, there is political intrigue and backstabbing going on too, but, were I the military and my new uber plane was no longer uber, nor cost efficient, I would be killing it too and looking for something else to use in theater.

So how did this happen?

Causality: Trusted Networks, Poor Planning, Poor Technical and Procedural Security, and The Human Equation

The method of attack that compromised the networks in question involved a multi-layer strategy of social hacks as well as technical ones. The Chinese used the best of social engineering attacks with technical precision to compromise not only the more secured networks, but also to use trust relationships between companies working on the JSF to get the data they wanted. You see, all of these companies have to talk to each other to make this plane. This means that they will have networked connections either via VPN or directly within their infrastructures to pass data. By hitting the lesser secured network/company/individuals they can eventually escalate privilege or just hop right onto the networks that they want in a back door manner.

Hit the weakest point and leverage it.

In the case of the JSF, the terabytes of data were never really elaborated on but I can guess that not only was it flight traffic data, but integrally, the flight recording data concerning all of the systems on board as the plane was tested. Inclusive to this, if the APT got further into Lockheed and other companies that make the plane, they might have data on the level of actual CAD drawings of parts, chemical analysis and composition details, as well as the actual code written to operate the systems on board the plane for it to function.

In short, all of the pieces of the puzzle on how to make one.

Sure, there must be gaps, I am sure that they did not gain access to some ITAR/EAR data but, given the nature of the beast, they can infer on some things and in other areas perhaps get analogous or dual use technologies to fill in the gaps. The two terabytes are the only terabytes that we “know of” or shall I say allowed to be known of. It is highly likely that that data is not the only stuff to be taken. Its just a matter of finding out if it has.. And in some cases, they can’t even tell because of the poor security postures of those companies involved.

The reasons for these companies (with the exception of Lockheeds) lack of insight into their security is simply because they have not been corporately aware enough to care about it… Yet. Perhaps now they are getting better post the hacks on Lockheed and others, but it has been my experience that even after a big hack is exposed in the news, many corporate entities take a “it can’t happen to me” attitude and go on about BAU until they get popped and put on the news. What’s more, the Chinese know this and use it to their advantage utterly.

You see, its not just all about super technical networking. It’s also because they don’t even have solid policies, procedures, response plans, and other BASIC security measures in place or being tested and vetted regularly. This negates the super cool technical measures that they might have bought from the likes of IBM and CISCO because Johnny Bonehead C level exec says he MUST have a 4 character password and ADMIN access to his machine.

All against policy… If they do indeed have one on that…

Failure is imminent unless the sum of the parts are in working order. This means the dogma of policy, security education, incident response, RBAC, etc, the CIA triad are in place and have acceptance from the upper echelon of the company. All too often this is not the case and thus easy compromise occurs.

Circling Back To The BlackHat Talk:

Ok, circling back now after my diatribe… My bet is that both parties (China and US) did not want this talk to go on depending on the data that was within. Some red faces would likely have ensued and or would have given people ideas on where to attack in future also. It’s a win win for all concerned if the talk was made to go away and well, it did didn’t it? Unless this guy says he quits his job, moves away from Taiwan and then gives the talk anyway. I doubt that is going to happen though.

In the end, the cyber “war” has been going on for years… Well more like cyber “espionage” but in todays long view I see them as the same thing. After all, a good cyber warfare strategem includes compromise of key systems and data in order to make them useless at the right time.

The Cyber War has been raging since the 90’s. It’s just that the American people and media have only recently heard of the “internents” being vulnerable.

Wakey wakey…

CoB