(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Our Chinese Overlords’ Category

Book Review: An Introduction to Cyber-Warfare: A Multidisciplinary Approach

with one comment




CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OD CYBER WAR!”” is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know and asked me to read this and comment)

The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it) which many of you reading my blog might be way below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.

I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so* There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.

As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”

I have broken down the book into rough chapters and subject areas as it is within the book (mostly) It really does cover more of the overall issues of cyber-warfare and methods used (not overly technical) The modus operandi so to speak of the actual events that have taken place are laid out in the book and give you a picture of the evolving of IW to what we see today as “cyber-warfare” I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?


The authors cover early IW with the Russian saga’s over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action as well as a good overview of what happened.

In the case of Georgia it went kinetic and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind unless there is an actual kinetic portion to the fighting there is no “war” it is instead an “action” or “espionage” so in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.


Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.

The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.


Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible denyability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?

Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI via Sabu were manipulating the Anon’s into going after government targets. This is not beyond comprehension especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?


OY VEY, the “GRID” this is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will allow what they wrote stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about especially if you have an army of trained squirrels with routers strapped to their backs.

It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad students paper back years ago so your mileage may vary. So on this chapter I give it a 40% derp.


All in all I would have liked to have seen more in the political area concerning different countries thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which for me and many of you out there I assume, leads me to the logical thought conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?

I would have also like to have seen more in the way of some game theory involved in the book as well concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems within actually carrying out cyber-war as well as potential outcomes from doing so more along the lines of what I saw in the Global Cyber-Game.


Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level with regard to the leaders of the land not knowing anything about it and then voting on things.

We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..

Put it in the syllabus!


China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?

with 5 comments

Chinese strategists are quite aware of their own deficiencies and
vulnerabilities with respect to cyber-warfare. In June 2000, “a series of high-
technology combat exercises” being conducted by the PLA “had to be
92 suspended” when they were attacked by “a computer hacker”.

China‟s telecommunications technicians were impotent against the intermittent
hijacking of the Sinosat-1 national communications satellite by Falun Gong
„practitioners‟ in the early 2000s. China‟s demonstrated offensive cyber-
warfare capabilities are fairly rudimentary. Chinese hackers have been able
to easily orchestrate sufficient simultaneous „pings‟ to crash selected Web
servers (i.e., Denial-of-Service attacks). They have been able to penetrate
Web-sites and deface them, erase data from them, and post different
information on them (such as propaganda slogans). And they have
developed various fairly simple viruses for spreading by e-mails to disable
targeted computer systems, as well as Trojan Horse programs insertible by
e-mails to steal information from them. However, they have evinced little
proficiency with more sophisticated hacking techniques.

The viruses and Trojan Horses they have used have been fairly easy to detect and remove
before any damage has been done or data stolen. There is no evidence that
China‟s cyber-warriors can penetrate highly secure networks or covertly
steal or falsify critical data. They would be unable to systematically cripple
selected command and control, air defence and intelligence networks and
databases of advanced adversaries, or to conduct deception operations by
secretly manipulating the data in these networks. The gap between the
sophistication of the anti-virus and network security programs available to
China‟s cyber-warriors as compared to those of their counterparts in the
more open, advanced IT societies, is immense. China‟s cyber-warfare
authorities must despair at the breadth and depth of modern digital
information and communications systems and technical expertise available
to their adversaries.

China is condemned to inferiority in IW capabilities for probably several
decades. At best, it can employ asymmetric strategies designed to exploit
the (perhaps relatively greater) dependence on IT by their potential
adversaries—both the C ISREW elements of adversary military forces and
the vital telecommunications and computer systems in the adversary’s
homelands. In particular, attacks on US information systems relating to
military command and control, transportation and logistics could “possibly
degrade or delay U.S. force mobilisation in a time-dependent scenario”, such
as US intervention in a military conflict in the Taiwan Straits.

China‟s cyber-warfare capabilities are very destructive, but could not compete in
extended scenarios of sophisticated IW operations. In other words, they
function best when used pre-emptively, as the PLA now practices in its exercises.

In sum, the extensive Chinese IW capabilities, and the
possibilities for asymmetric strategies, are only potent if employed first.

Desmond Ball: China’s Cyber Warfare Capabilities

Oh Desmond…

Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say;

“Well, because there’s no real proof of their actually having done anything, they are unable to do so”

*blink blink*

Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, your contention is lacking understanding of the playing field I think, so let me enlighten you a bit ok?

Rudimentary? Really?

I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..

How about you?

Sure, the coders could have been just about anyone, but, the data was being exfiltrated to areas that were in the Asia Pacific and more than likely were Chinese in origin so, yeah, it likely was them and not say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no Desmond, they are not wholly unskilled and certainly as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well Desmond, was coined for their activities against the defense industrial base here in the US.

Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.

PSSST… Guess What?

So, to move this further along the philosophical and technical path for you let me explain it another way for you. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Something core to the Chinese mindset on warfare are the following:

The Chinese do not have a goal of outright cyber warfare with us. In fact, they would use the subterfuge angle you speak of by leaving trap doors in software and hardware, which they have done in the past (and have been caught) However, more than likely, they would use the supply chain that we have allowed them to become the lions share of via outsourcing of cheap parts/labor to infiltrate our systems with bad chips or said same back doors. Why do you think we spend so much time (the military) checking everything that we get for the government/mil from China?
Soft power Desmond would dictate that they use the thousand grains of sand to not only steal our IP but also use the technology and our dependence on their cheap rates to insert bad data/systems/hardware into our own infrastructure for them to call up when needed to fail. This is not to say that they do not also have operators who have inserted code into other systems remotely to late be used when needed as well.
Simply Desmond, you don’t see the whole picture and its rather sad that you go on to make such defined claims. The simple truth is that the Chinese don’t need to attack us pre-emptively. They have been undermining us (US) for a very long time as we sell out to them for cheap goods. and services. THIS is soft power. They now sit in the catbird seat in many ways financially (though yes, they could lose much by us defaulting) however, from the soft power perspective, they hold the upper hand. A coup de grace would be to take down military systems were we to get uppity about Taiwan.. but really, are we in a position to do so after being wholly owned by them and their capital?
Desmond.. It’s not so much Red Dawn as it is “They Live” if you are into movie references.

網絡戰 !!!

Alrighty, now that I have gotten that off my chest, Cyberwar is to me, too hard to carry out for ANY of the countries out there now. China being only one country that might want to. The systems are too disparate and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.

ANYONE could IF they had the access and the desire. It would not need to be nation state, it could be a private citizen for that matter. What is more interesting Desmond is that you fail to understand the espionage angle here. The Chinese use their expat’s to do their bidding under threat, or, mostly under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…

Yeah.. Soft power once again.. It could turn hard though with the right circumstances.

Once again Desmond, you think too one dimension-ally.

The Sad Truth…

Now, with all of that said, lets turn it around a bit. The saddest truth is this;

“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”

The systems out there have not been protected well enough. Patching, and secure coding have not been at the fore here and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed because we collectively have done a bad job at securing our own networks.


Once again, you fail to look at the problem from a more multidimensional angle.

Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.


从中国用爱 From China with Love: The Chairman Meow Collection

with 3 comments

From China with Love:

Within the last year (since Stuxnet) the general populace has become more aware of the problems we all face from digital attacks and espionage. Of course sitting here today writing this blog entry, I look back at my past posts and wonder just why people are catching on now. China has been working us over for a long time and with each day’s passing we have been steadily more and more compromised by the 7th directorate and their proxy hacking groups. This is not to say that others aren’t doing the same thing as well. China just happens to be the more active due to their single minded desire to be the pre-eminent superpower and they have the politically charged populace to do it (i.e. PLA and their civilian hacking counterparts)

Israel, Russia, England, the list goes on, all spy on us as we spy on them. In the case of industrial espionage, the Chinese are first on the list, followed closely by Israel and Russia as well as France. Its a game we all play, its just that China has been going at it in a much smarter and cohesive way is all. All one need do is look at the current state of affairs to determine that they have been exceedingly adept at it as well, kudos to them really and shame on us. We (the US) have been too busy being slaves to greed and cheap products from, you guessed it, China, to notice that our collective clocks were being cleaned. Sure, some have been in the know about this (the military, DOD DIB parters) but we have been hampered by several things.

1) Contractors (i.e. private companies) do not have robust security postures and often are connected to DOD systems (say an air force base) Not to mention that these systems that the contractors own hold the goodies and escalation vectors that the APT want. Patching, IDS/IPS, SIEM, DLP, all words that are foreign to many exectuives making decisions about security and often have not one clue in the matter to start. I have in fact seen one place that had a C level exec with a 4 character password to their system! One that also had a pre-populated ID! YAY! Way to go there Mr. C level who manages a company that makes war-fighter systems! So, suffice to say that they companies have been ill equipped to handle security and the executives have been reticent to care.

2) Government regulations have been too lax in governing the security mandates and repercussions on any and all contractor companies that work on war-fighter systems. Sure, there are ITAR regs and potential fines, but really, how many of these companies have had true audits of their networks and environments to test their security postures? A good red team of many of these places I am sure would turn up shockingly scary vulnerabilities and network security gaff’s that would, if leveraged by the likes of the Chinese, lead to huge compromises of the companies as well as their proprietary data. In the time I was at a defence contractor, I only saw one red team and in that event it only took about an hour to compromise the place utterly. We need to enforce security on all defense contractors for both sides of their businesses (defense base and public) in order to insure that the data is safe. Right now, even after everything that has happened with China, we still have no real regulation and control over these companies security postures and that is why we will keep failing.

3) Human nature and corporate group think are the lead causes in our failures mentioned above. We as beings seem to lack the ability to see the long term dangers with regard to this type of warfare. We are also being leveraged by social engineering attacks (phishing, vishing, etc) to gain the toehold into the networks that lead to escalation and persistence. We need to be teaching secure computer practices both on a personal and a corporate level in order to be better equipped to try and stop these attacks. It’s not going to be the new piece of hardware or software that the vendors want to sell you (though they do have a place if they work) but instead the human factor that will be able to help here. I just would like to see the C levels at least aware of the security threats and really understand them. So far, I have seen too many in management without a clue and who don’t seem to care.

So, what I think we really need are some rules set up for companies doing government business that mandate secure practices and insure that if those companies are not following through, will be fined and shamed as well as lose their contracts. Its one thing to be compromised even if you are doing the due diligence, its quite another to be compromised and not really care nor understand the problem because there are no negative incentives to being that way. In today’s world, we need to be sharper than this if we want to stay in play on the global scale.

What we really need to be now is a ‘Digital Sparta’

Meanwhile, we are behind the game here. The government is trying to come to grips with all of this (poorly) all the while the Chinese and others now using the APT style of persistent attacks, are making bigger and more audacious hits against us (cough RSA & Lockheed cough!) while the news media spins on telling only half of the story that they comprehend to the masses that have little comprehension of the issues at all. Meanwhile, we in the security community talk about attribution and the problems of not only trying to stop all this from happening, but also deal with the repercussions politically trying to capture those carrying out the attacks.

All of this during the cacophony of vendors (and I mean you McAffee) spewing buzzword bingo out of your collective keisters trying to make sales and use the situation to your advantage.

Its time to pay real attention to the problems allowing these attacks to take place so easily and to the companies that are being targeted by the likes of China. For a little more history, I have collected the “From China With Love” collection on my blog. Dating back to 2008/2009 to today, you can see that this has been going on for a long time, and there is much more that has gone on that you might know about, or ever will unless you are cleared to know.


Is Someone in China Reading Your Emails?

Our Chinese Overlords, Or how China is pwning the US

Economic Warfare: The New World Threat Via Cyberspace


Ghost Net: Aka Subseven or any other trojan backdoor program

Cyber SPIES in our GRID! Let the hand wringing begin!

DoD 2009 PLA Cyber Warfare Capabilities Assessment

MID’s “Seventh Bureau” and You.

Major General Dai Qingmin’s Cyberwar

The Cyber Cold War

How The Hackers Took Google A Theory: Manipulation, Geopolitics, and Cyber Espionage

PLA officer urges challenging U.S. dominance

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?


Oh and as a post script; This post was also brought to you by @diocyde because he/she was such a pendantic wanker about me not caring about what China was up to as I was too busy chasing “pimple faced jihadists” online..



The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

with 2 comments

黑客 Transliteration into English ‘Dark Visitor’, more specifically in our colloquial language ‘Hacker’ The Dark Visitor movement of the 1990’s has morphed into a more sophisticated and government connected espionage wing today. What was once a loosely affiliated group of patriotic hackers, has been honed by the PLA (Peoples Liberation Army) into a force to be reckoned with on the stage of digital espionage and data theft.


Back in the latter 1990’s the Internet made its way to China and soon hackers began to see how the system worked. These hackers were curious about systems to start, but soon the motives changed in the Chinese hacker community due to patriotism and the inherent nature of the Chinese culture, to feel that they could avenge their country for perceived sleights by hacking web pages and defacing them. It was in 1997 that the first hacker collective was formed and named the “Green Army” and in 1998, the “Red Hacker Alliance” was formed after an Indonesian incident involving riots against the Chinese caused them to band together.

Over time, many groups would form and dissipate only to re-form. The groups would have various reasons to go on campaigns of hacking against other countries like Taiwan over political issues and the like, but it seemed for the most part the general aegis was just to hack. A change though came in the 2000’s when commercialism started to come to play. It seems that as in the West, the hackers began to see that their skills could be put to use to make money, and many of them began working as security consultants. As with the country itself, commercialisation that Deng Xiaoping had put into play with his ‘market economy’ afforded them the idea of not just being politic but also in some ways, Capitalist.

From the “Dark Visitor” by Scott Henderson its a good albeit short read on the subject. You can buy it on his site I think..

The paradigm however has changed a bit since 2005 and since, more of the hacking and the groups doing it have dual motives. Due to the PLA co-opting the hacker groups, a healthy dose of patriotism, and the general socio-political environment that the Chinese live in today, we now have both forces at work. The political and the market driven.

Motivations for APT Attacks:

Since the market economy’s beginning with Deng, China has brought itself up out of the depths that the Mao government dragged them into a burgeoning super power. Most of this economic feat has been driven by the sheer ability of the Chinese to throw immense amounts of workforce at problems. While producing cheaper and perhaps lower quality goods, they have plaid upon the capitalist nature of the west to pivot themselves into the controlling seat economically and production wise. America and other countries have locked on to the idea that hiring out to foreign workers (outsourcing) they are saving a lot on their bottom line. As well, the consumer, be they American or other, have enjoyed the advantages of cheaper products, thus they save more money on their purchases, and thus have more disposable income.

This model however has one flaw for the Chinese. While the Chinese have great skill in replicating technologies, and have created clever contracts that in the end, garner them all of the specs on how to make just about everything, they lack in the area of generating new technologies. This is the basis for their efforts within the industrial espionage area that make up quite a great number of the persistent attacks on companies in the West that have succeeded in stealing IP. It seems that the Chinese need for political status as well as economic status have created the perfect incubator for the likes of the Honker Union or the Green Army, to turn their efforts toward making China a complete superpower.

State vs. Non State Actors:

The lines between the state actor and the non state are very much blurred in China. Due to the culture, many of the hackers work together for the common goal of the state. Since 2001 though, the notion of the state actor has been more common since the PLA began to incorporate the hackers into their ranks as well as to begin training programs at universities like the Chengdu University of Technology, which, just happens to be situated within the province where the first directorate of cyber intelligence resides.

There are certainly likely to be other hackers or groups also working for themselves selling 0day and the like, but I can also envision that certain state actors might also want in on that action as well. How better to control some of the malware out there than to actually create it and sell it? Either way, the notion of separating state and non state actors in China has pretty much been a non starter for me when looking into this issue.

In the end, they all are state actors I think just by the nature of the regime.


In the beginning, the Chinese hackers were just defacing pages, but after Cult of the Dead Cow created Back Orifice, the face of hacking changed. Huang Xin
took note and created the first Chinese trojan ‘glacier‘ since then, it’s been an ever increasing world of trojans and means to get the users of systems to install them. As time progressed, and hackers had to deal with more security measures (i.e. firewalls) they all began to use guile to get the end user to do the work for them. Over the years the Chinese have gotten much better at crafting decent emails that will not ring alarm bells in users heads. These emails and exploits are what we now call ‘phishing

Additionally, the Chinese have honed the attacks to not only be sly but also they have added a very regimented structure of keeping access to the networks they have compromised. Through thorough placement of further back doors as well as creating custom code to apply to applications inside of their target infrastructures, they have managed to keep the access that they desire to exfiltrate data at their own pace. Using multiple nodes within a compromised network, they will just shrug and move on to another compromised node once they have been discovered and stopped on the original. THIS is the true meaning of “Advanced Persistent Threat” and for me it’s mostly on the persistence that the emphasis should be kept.

Moving Forward:

Recent events with Lockheed have moved me to write this blog post as well as begin a series of them on the Chinese hacking community today. My initial searches online have provided all too much data and it admittedly has me overwhelmed. This I decided to parse this all out. I wanted to cover the history, motivations, and means today. Soon I will be writing more about infrastructure and methodologies to try and give a map so to speak, of what we are dealing with as the Chinese continue to use those ‘Thousand Grains of Sand‘ against us.

But, just to give you a taste of what I am seeing… Here is just one site that I did a relational link search on:

More to come…


Digital Kinetic Attacks: South Korean DD0S Botnets Have “Self Destruct” Sequence

leave a comment »

From McAfee Blog

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns.

The rest HERE

At first, the idea of a digital kinetic attack to me would be to somehow affect the end target in such a way as to destroy data or cause more down time. These current attacks on South Korea’s systems seems to be now, more of a kinetic attack than just a straight DD0S. Of course one then wonders why the bot-herders would choose to burn their own assets with this new type of C&C system and malware. That is unless the end target of the DD0S is just that, one of more than one target?

So the scenario goes like this in my head;

  • China/DPRK work together to launch the attacks and infect systems also in areas that they would like to do damage to.
  • They choose their initial malware/C&C targets for a secondary digital kinetic attack. These systems have the potential of not only being useless in trying to trace the bot-herders, but also may be key systems to allies or the end target themselves.
  • If the systems are determined to be a threat or just as a part of the standard operation, the attackers can trigger these systems to be rendered (possibly) inert with the wipe feature. This too also applies to just going after document files, this would cause damage to the collateral systems/users/groups

Sure, you burn assets, but at some point in every operation you will likely burn at least one. So doing the mental calculus, they see this as a win/win and I can see that too depending on the systems infected. It is not mentioned where these systems (C&C) were found to be, but, I am assuming that they were in fact in China as well as other places around the globe. This actually steps the DD0S up a level to a real threat for the collateral systems.

Of course the malware here does not physically destroy a drive, it is in fact just rendering it useless (potentially, unless you can re-build the MBR AND you zero out the data on board) as you can see from this bit of data:

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The malware is aware enough to see if someone has tampered with the date and time. This sets off the destruct sequence as well, but, if you were able to stop the system and forensically evaluate the HD, I am sure you could make an end run and get the data. Truly, we are seeing the next generation of early digital warfare at this scale. I expect that in the near future we will see more nastiness surface, and I think it highly likely in the post stuxnet world, that all of the players are now thinking in much more complex terms on attacks and defences.

So, let me put one more scenario out there…

Say the malware infected key systems in, oh, how about NASDAQ. Those systems are then used to attack NYSE and suddenly given the order to zero out. How much kinetic warfare value would there be to that?

You hit the stock market and people freak

You hit the NASDAQ systems with the compromise and then burn their data


Interesting times….

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

with one comment

Night Dragon Chinese hackers go after energy firms

Latest revelations from McAfee highlight large scale covert attacks emanating from the region
Phil Muncaster, 10 Feb 2011

Just over a year after the Operation Aurora Chinese hacking revelations shook the world, security vendor McAfee has uncovered another large-scale, covert and targeted attack likely to have originated in the region, dubbed Night Dragon.

Dating possibly as far back as four years ago, Night Dragon attacks are aimed specifically at global oil, energy and petrochemical companies with the aim of harvesting intelligence on new opportunities and sensitive operational data which would give a competitive advantage to another party.

The attacks use methodical but far from sophisticated hacking techniques, according to McAfee’s European director of security strategy, Greg Day.

First the hackers compromise extranet web servers using a common SQL injection attack, allowing remote command execution.

Commonly available hacking tools are then uploaded to the compromised web servers, allowing access to the intranet and therefore sensitive desktop and internal servers.

Password cracking tools then allow the hackers to access further desktops and servers, while disabling Internet Explorer proxy settings allows direct communication from infected machines to the internet, said McAfee.

The hackers then use the specific Remote Access Trojan or Remote Administration Tool (RAT) program to browse through email archives and other sensitive documents on various desktops, specifically targeting executives.

Night Dragon hackers also tried spear phishing techniques on mobile worker laptops and compromising corporate VPN accounts in order to get past the corporate firewall and conduct reconnaissance of specific computers.

Although there is no clear evidence that the attacks were carried out by the state, individuals or corporations, there are clear links to China, said McAfee.

For example, it was from several locations in China that individuals ” leveraged command-and-control servers on purchased hosted services in the US and compromised servers in the Netherlands”, said the security vendor in a white paper entitled Global Energy Cyberattacks: Night Dragon (PDF).

In addition, many of the tools used in the attacks, such as WebShell and ASPXSpy, are commonplace on Chinese hacker sites, while the RAT malware was found to communicate to its operator only during the nine to five working hours of Chinese local time.

McAfee said that researchers had seen evidence of Night Dragon attacks going back at least two years.

“Why is it only now coming to light? Well, the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility,” Day explained.

“Only really in the last few weeks have we been able to get enough intelligence together to join the dots up, so our goal now is to make the public aware.”

Day advised any company which suspects it may have been targeted to go back and look through anti-virus and network traffic logs to see whether systems have been compromised.

Low level day-to-day problems can often be tell-tale signs of a larger, more concerted attack, he added.

William Beer, a director in PricewaterhouseCooper’s OneSecurity practice argued that the revelations show that traditional defences just don’t work.

“The cost to oil, gas and petrochemical companies of this size could be huge, but important lessons can be learned to fend off further attacks,” he added.

“More investment and focus, as well as support and awareness of the security function, is required from business leaders. Across companies of any size and industry, investment in security measures pays for itself many times over.”

Lately there has been a bit of a hullabaloo about Night Dragon. Frankly, coming from where I do having been in the defense contracting sector, this is nothing new at all. In fact, this is just a logical progression in the “Thousand Grains of Sand” approach that the Chinese have regarding espionage, including the industrial variety. They are patient and they are persistent which makes their operations all the more successful against us.

The article above also has a pdf file from Mcaffee that is a watered down explanation of the modus operandi as well as unfortunately, comes off as a sales document for their AV products. Aside from this, the article and pdf make a few interesting points that are not really expanded upon.

1) The attacks are using the hacked systems/networks own admin access means to exfiltrate the data and escalate access into the core network. This has effectively bypassed the AV and other means of detection that might put a stop to a hack via malware.

2)  The data that the Chinese have exfiltrated was not elaborated on. Much of the data concerns future gas/oil discovery. This gives the Chinese a leg up on how to manipulate the markets as well as get their own foot in the door in places where new sources of energy are being mined for.

All in all, a pretty standard operation for the Chinese. The use of the low tek hacking to evade the tripwire of AV is rather clever, but then again many of us in the industry really don’t feel that AV is worth the coding cycles put into it. Nothing too special here really. Mostly though, this gives more insight into a couple of things;

1) The APT wasn’t just a Google thing

2) Energy is a top of the list thing, and given the state of affairs today with the Middle East and the domino effect going on with regime change, we should pay more attention.

Now, let me give you a hint at who is next… Can you say wheat? Yep, take a look at this last year’s wheat issues.. Wouldn’t be surprised if some of the larger combines didn’t have the same discoveries of malware and exfiltration going on.


Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

with one comment

“Operation Aurora, GhostNet, Titan Rain. Reactions were totally different in the US and in Asia. While the US media gave huge attention, Asia find it unbelievable and interesting, that cyber warfare and government-backed commercial espionage efforts that have been well established and conduced since 2002, and have almost become a part of people’s lives in Asia, caused so much “surprise” in the US.

Here we’ll call this organization as how they’ve been properly known for the past eight years as the “Cyber Army,” or “Wang Jun” in Mandarin. This is a study of Cyber Army based on incidences, forensics, and investigation data since 2001. Using facts, we will reconstruct the face of Cyber Army (CA), including who they are, where they are, who they target, what they want, what they do, their funding, objectives, organization, processes, active hours, tools, and techniques.”

Full article Here:

“We’ve been hacked! Oh wait, you’re in Paris… You can’t help us.. CLICK”

Color me not surprised to see that this talk was yanked off of the BlackHat schedule. This is specifically in light of the fact that the presenter is from Taiwan, a protectorate of China and likely if the talk went ahead, then the speaker and his company would have been sanctioned by the Chinese government. Though, it could be that there are other players here that may not want some bits of information out in the open but who’s to say at this juncture? Suffice to say that something in this iteration (and there have been others of this same talk given) got them spooked.

The other comment that struck me was the red text above that mirrors what I have been saying all along since the whole Google APT thing erupted onto the media stage here in the states.

This is nothing new.

The Chinese have been at this for some time just as other countries had been doing the same thing. It is just perhaps the scale and the persistence that has been the key to the difference here. The Chinese have the 1000 grains of sand approach that is culturally specific to them. They took that notion, the game of “Go” and and what they learned from Sun Tzu then applied it to their cyber warfare/inforwar stratagem. Its only a natural progression really given their culture and history. What really takes me aback is just how little the West (ala the US) seems to be so ignorant of this that it has me wondering just what navel they have been gazing at all of this time while the Chinese ate our collective lunches.

So here we are, months later after the Google revelations and years after the successful attacks that no one dare name for fear of national security or perhaps national egg on the collective national face with regard to incursions in the past on sensitive networks. You see, yes Virginia, there have been other incursions and much more has been stolen via networking infrastructure as well as HUMINT by the likes of China in the past. Its just that its either classified, hush hush, or, more likely, the targets have no idea that they had been compromised and their data stolen. It’s all just a matter of the security awareness that we have had.. Well, where that has been nationally has been in the toilet really, so extrapolate from that the amount of data that has been stolen ok? Lets use the JSF as an example of this as its been in the news.

Trending Lately.. APT+JSF = Chinese Love

Now, given that this type of talk has been the “du jour” lately on the security and government circuit, lets move the target further out and to the left a bit ok? I have been noticing something in the news that has direct connection to my last employer, so I will be judicious with my speech here.. How shall I start….

Ok… Lets name the players…

Lockheed Martin: Hacked and about 2TB of data taken out of the systems… Inclusive on the JSF project

(Undisclosed company that makes hot object integral to flight) : Nothing in the news…. wink wink nudge nudge..

The FAA: Hacked and back channeled through trusted networks into Lockheed and ostensibly other companies

The JSF itself.. Well the congress wants to keep the program afloat while the main military brass want to kill it. You see, its been compromised already and I suspect well enough, that the technical advantages that it was supposed to have, are pretty much gone now. You see, all those hacked systems and terabytes of data exfiltrated out were enough to compromise the security of the ship herself and give the enemy all they needed to defeat her “stealth” systems.

Somewhere in China there’s a hangar, a runway, and a Chinese version of the JSF sitting on the tarmac doing pre-flight I think.

So the latest scuttlebut out there with regard to the cost overruns and the problems with the JSF are just one part of the picture I think. Sure, there is political intrigue and backstabbing going on too, but, were I the military and my new uber plane was no longer uber, nor cost efficient, I would be killing it too and looking for something else to use in theater.

So how did this happen?

Causality: Trusted Networks, Poor Planning, Poor Technical and Procedural Security, and The Human Equation

The method of attack that compromised the networks in question involved a multi-layer strategy of social hacks as well as technical ones. The Chinese used the best of social engineering attacks with technical precision to compromise not only the more secured networks, but also to use trust relationships between companies working on the JSF to get the data they wanted. You see, all of these companies have to talk to each other to make this plane. This means that they will have networked connections either via VPN or directly within their infrastructures to pass data. By hitting the lesser secured network/company/individuals they can eventually escalate privilege or just hop right onto the networks that they want in a back door manner.

Hit the weakest point and leverage it.

In the case of the JSF, the terabytes of data were never really elaborated on but I can guess that not only was it flight traffic data, but integrally, the flight recording data concerning all of the systems on board as the plane was tested. Inclusive to this, if the APT got further into Lockheed and other companies that make the plane, they might have data on the level of actual CAD drawings of parts, chemical analysis and composition details, as well as the actual code written to operate the systems on board the plane for it to function.

In short, all of the pieces of the puzzle on how to make one.

Sure, there must be gaps, I am sure that they did not gain access to some ITAR/EAR data but, given the nature of the beast, they can infer on some things and in other areas perhaps get analogous or dual use technologies to fill in the gaps. The two terabytes are the only terabytes that we “know of” or shall I say allowed to be known of. It is highly likely that that data is not the only stuff to be taken. Its just a matter of finding out if it has.. And in some cases, they can’t even tell because of the poor security postures of those companies involved.

The reasons for these companies (with the exception of Lockheeds) lack of insight into their security is simply because they have not been corporately aware enough to care about it… Yet. Perhaps now they are getting better post the hacks on Lockheed and others, but it has been my experience that even after a big hack is exposed in the news, many corporate entities take a “it can’t happen to me” attitude and go on about BAU until they get popped and put on the news. What’s more, the Chinese know this and use it to their advantage utterly.

You see, its not just all about super technical networking. It’s also because they don’t even have solid policies, procedures, response plans, and other BASIC security measures in place or being tested and vetted regularly. This negates the super cool technical measures that they might have bought from the likes of IBM and CISCO because Johnny Bonehead C level exec says he MUST have a 4 character password and ADMIN access to his machine.

All against policy… If they do indeed have one on that…

Failure is imminent unless the sum of the parts are in working order. This means the dogma of policy, security education, incident response, RBAC, etc, the CIA triad are in place and have acceptance from the upper echelon of the company. All too often this is not the case and thus easy compromise occurs.

Circling Back To The BlackHat Talk:

Ok, circling back now after my diatribe… My bet is that both parties (China and US) did not want this talk to go on depending on the data that was within. Some red faces would likely have ensued and or would have given people ideas on where to attack in future also. It’s a win win for all concerned if the talk was made to go away and well, it did didn’t it? Unless this guy says he quits his job, moves away from Taiwan and then gives the talk anyway. I doubt that is going to happen though.

In the end, the cyber “war” has been going on for years… Well more like cyber “espionage” but in todays long view I see them as the same thing. After all, a good cyber warfare strategem includes compromise of key systems and data in order to make them useless at the right time.

The Cyber War has been raging since the 90’s. It’s just that the American people and media have only recently heard of the “internents” being vulnerable.

Wakey wakey…