

Wednesday, June 19, 2013

How China Is Different

By Rich

Richard Bejtlich, on President Obama’s interview on Charlie Rose:

This is an amazing development for someone aware of the history of this issue. President Obama is exactly right concerning the differences between espionage, practiced by all nations since the beginning of time, and massive industrial theft by China against the developed world, which the United States, at least, will not tolerate.

Obama’s money quote:

Every country in the world, large and small, engages in intelligence gathering and that is an occasional source of tension but is generally practiced within bounds. There is a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese which is standard fare and we’ve tried to prevent them from – penetrating that and they try to get that information. There’s a big difference between that and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that.

I think a key issue here is whether China recognizes and understands the difference. Culturally, I’m not so sure, and I believe that’s one reason this continues to escalate.


Wednesday, April 03, 2013

Cybersh** just got real

By Rich

Huawei not expecting growth in US this year due to national security concerns (The Verge).

U.S. to scrutinize IT system purchases with ties to China (PC World):

U.S. authorities will vet all IT system purchases made from the Commerce and Justice Departments, NASA, and the National Science Foundation, for possible security risks, according to section 516 of the new law.

“Cyber-espionage or sabotage” risks will be taken into account, along with the IT system being “produced, manufactured, or assembled” by companies that are owned, directed or funded by the Chinese government.

This is how you fight asymmetric espionage. Expect the consequences to continue until the attacks taper off to an acceptable level (yes, there is an acceptable level).


Friday, February 22, 2013

Why China’s Hacking is Different

By Rich

One of the responses that keeps coming up as everyone discusses Mandiant’s report on APT1 is, “yeah, but China isn’t the only threat, and even the U.S. engages in offensive hacking”.

That is completely true, but there is a key difference.

China is one of the only nations which uses government resources to steal intellectual property and provides it to domestic business for competitive economic advantage. Of the countries that do this (France and Israel come to mind, according to rumor), China is the only one operating at such a massive scale and scope.

Most countries engage in cyberattacks for traditional espionage or, on occasion, in offensive actions like Stuxnet designed to support or obviate a kinetic (boom) response. (“Cyber Missiles” as Gal Shpantzer called it in our research meeting today). China is using the power of the government, at scale, to steal from private businesses in other countries and provide the spoils to its own businesses.

This is an important difference, and the reason the response to Chinese hacking is so complex. We can’t treat it like traditional criminal activity because there isn’t anyone to arrest. We can’t treat it as normal government espionage because private businesses are both the targets and the beneficiaries. We can’t treat it like war or offensive operations like Stuxnet, since we sort of can’t go to war with China right now. We can’t stick it back to them and do the same thanks to a combination of our laws and the different natures of our economies. We can’t write it off like we do certain other countries which also steal our IP, because the scale is so massive and the consequences (losses) have grown to measurable levels.

In other words, China is different, so the potential responses are more complex. The threat is also greater than many of the other cybersecurity (and I use that term advisedly) problems we face – again due to the scope and losses.

There are ulterior motives all over the place right now, and little is as it seems on the surface. There are vested financial interests, both at agency budget levels and within private corporations, manipulating the public dialogue.

But that doesn’t mean the threat isn’t real, or that it doesn’t need a response. We just should avoid being naive about it.

(As a side note, in the same meeting today Gunnar Peterson reminded us that China isn’t doing anything that the US didn’t do back when we were a developing nation. I believe his exact words were, “the US stole everything from Britain that wasn’t nailed down”. We are seeing a natural political progression, but that doesn’t mean we should take it up the ….).


Tuesday, February 19, 2013

Mandiant Verifies, but Don’t Expect the Floodgates to Open

By Rich

Unless you have been living in a cave, you know that earlier today Mandiant released a report with specific intelligence on the group they designate as APT1. No one has ever released this level of detail about state-sponsored Chinese hackers. Actually, “state-employed” is probably a better term. This is the kind of public report that could have political implications, and we will be discussing it for a long time.

The report is an excellent read, and I highly recommend any infosec professional take the time to read it top to bottom. In information security we often repeat the trope “trust, but verify”. Mandiant has received a fair bit of criticism for pointing fingers at China without revealing supporting information, so this time they laid out their cards with a ton of specifics. They also released a detailed appendix (ZIP file) with specific, actionable data – such as domain names, malware hashes, and known malicious digital certificates.
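The first practical use of an appendix like that is to check the published indicators against your own logs. The following is an added example written for this post, not code from Securosis or from Mandiant’s report: the domains and hashes are constructed placeholders (none of them are real APT1 indicators), and the DNS and file-hash log formats are assumed. It also handles the one subtlety that trips up naive string matching, which is that a subdomain of a listed domain should match while an unrelated name that merely ends in the same characters should not.

```python
"""
Matching a published indicator set (domains, SHA-256 hashes) against
local logs.  Added illustration, not code from Securosis or Mandiant;
every indicator and log line below is constructed for the example.
"""
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed indicator set, in the shape of a published appendix.
# These are placeholder values, not real indicators.
INDICATOR_DOMAINS = {"example-c2.invalid", "update.example-bad.test"}


def _constructed_hash(label: str) -> str:
    """Derive a stable, obviously fake SHA-256 for the sample data."""
    return hashlib.sha256(label.encode()).hexdigest()


INDICATOR_SHA256 = {_constructed_hash("constructed malware sample A")}

# Constructed resolver log (assumed format: key=value fields).
SAMPLE_DNS_LOG = """\
2013-02-19T10:01:02Z client=10.0.0.5 query=www.example.com type=A
2013-02-19T10:01:07Z client=10.0.0.5 query=mail.example-c2.invalid type=A
2013-02-19T10:02:11Z client=10.0.0.9 query=update.example-bad.test type=A
2013-02-19T10:02:15Z client=10.0.0.9 query=notexample-c2.invalid type=A
"""

# Constructed endpoint file-hash log (assumed format).
SAMPLE_FILE_LOG = f"""\
2013-02-19T10:05:00Z host=ws-17 path=/tmp/svc.exe sha256={_constructed_hash("constructed malware sample A")}
2013-02-19T10:05:30Z host=ws-17 path=/tmp/notes.txt sha256={_constructed_hash("benign file")}
"""

DNS_RE = re.compile(r"query=(\S+)")
HASH_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def domain_matches(query: str, indicator: str) -> bool:
    """True if query is the indicator domain or a subdomain of it.

    'mail.example-c2.invalid' matches 'example-c2.invalid';
    'notexample-c2.invalid' does not, because the match must fall on a
    label boundary (a leading dot), not on an arbitrary suffix.
    """
    q = query.lower().rstrip(".")
    i = indicator.lower().rstrip(".")
    return q == i or q.endswith("." + i)


def scan_dns_log(lines: Iterable[str], domains=INDICATOR_DOMAINS) -> List[Dict[str, str]]:
    """Return one hit per (line, indicator) pair where the query matches."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        for ind in sorted(domains):
            if domain_matches(m.group(1), ind):
                hits.append({"type": "domain", "indicator": ind, "line": line.strip()})
    return hits


def scan_file_log(lines: Iterable[str], hashes=INDICATOR_SHA256) -> List[Dict[str, str]]:
    """Return one hit per line whose sha256 field is in the indicator set."""
    hits = []
    for line in lines:
        m = HASH_RE.search(line)
        if m and m.group(1).lower() in hashes:
            hits.append({"type": "hash", "indicator": m.group(1).lower(), "line": line.strip()})
    return hits


def scan_all() -> List[Dict[str, str]]:
    """Run both scans over the constructed sample logs."""
    return scan_dns_log(SAMPLE_DNS_LOG.splitlines()) + scan_file_log(SAMPLE_FILE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_all():
        print(f"{hit['type']:6} {hit['indicator']}  <-  {hit['line']}")
```

Against the sample data this reports three hits: the subdomain of the first listed domain, the exact second domain, and the one file whose hash is listed; the look-alike name and the benign file are not reported. Stale indicators will still fire on old log data, so the timestamp of each hit matters as much as the match itself.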

Photo by leinadsimpson -- http://flic.kr/p/7qTUKT

Seriously – read the entire thing. Do not rely on the executive summary. Do not rely on third-party articles. Do not rely on this blog post.

I can’t express how big a deal it is that Mandiant released this information. In doing so they reduced their ability to track the attackers as APT1 (and possibly other teams) adjust their means and operational security. I suspect all the official PLA hackers will be sitting in an OpSec course next week.

I’m generally uncomfortable with the current line between intelligence gathering and common defense. I believe more information should be made public so a wider range of organizations can protect themselves. By the same token, this data is Mandiant’s work product, and whatever my personal beliefs, it is their data to share (or not) as they see fit. Mandiant states APT1 is the most prolific of over 20 APT groups they track in China.

In other words, this is big, but just the tip of the iceberg, and we cannot necessarily expect more reports like this on other groups, because each one impacts Mandiant’s operations. That’s the part of this game that sucks: the more information is made public, the less valuable the intelligence to the team that collected it, and the higher the cost (to them) of helping their clients. I hope Mandiant shares more detailed information like this in the future, but we aren’t exactly entitled to it.

Now if it was financed with public funding, that would be a different story. Oh, wait! … (not going there today).

I strongly believe you should read the entire report rather than a summary, so I won’t list highlights. Instead, below are some of the more interesting things I personally got out of the report.

  • The quality of the information collected is excellent and clear. Yes, they have to make some logical jumps, but those are made with correlation from multiple sources, and the alternatives all appear far less likely.
  • The scale of this operation is one of the most damning pieces tying it to the Chinese government. It is extremely unlikely any ad hoc or criminal group could fund this operation and act with such impunity. Especially considering the types of data stolen.
  • Mandiant lays out the operational security failures of the attackers. This is done in detail for three specific threat actors. Because Mandiant could monitor jump servers while operations were in progress, they were able to tie down activities very specifically. For example, by tracking cell phone numbers used when registering false Gmail addresses, or usernames when registering domains.
  • It appears the Great Firewall of China facilitates our intelligence gathering because it forces attackers to use compromised systems for some of these activities, instead of better protected servers within China. That allowed Mandiant to monitor some of these actions, when those servers were available as part of their investigations.
  • Soldiers, employees, or whatever you want to call them, are human. They make mistakes, and will continue to make mistakes. There is no perfect operational security when you deal with people at scale, which means no matter how good the Chinese and other attackers are, they can always be tracked to some degree.
  • While some data in the report and appendices may be stale, some is definitely still live. Mandiant isn’t just releasing old irrelevant data.
  • From page 25, we see some indications of how data may be used. I once worked with a client (around 2003/2004) who directly and clearly suffered material financial harm from Chinese industrial espionage, so I have seen similar effects myself –

Although we do not have direct evidence indicating who receives the information that APT1 steals or how the recipient processes such a vast volume of data, we do believe that this stolen information can be used to obvious advantage by the PRC and Chinese state-owned enterprises. As an example, in 2008, APT1 compromised the network of a company involved in a wholesale industry. APT1 installed tools to create compressed file archives and to extract emails and attachments. Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the CEO and General Counsel. During this same time period, major news organizations reported that China had successfully negotiated a double-digit decrease in price per unit with the victim organization for one of its major commodities.

  • Per page 26, table 3, APT1 was not behind Aurora, Nitro, Night Dragon, or some other well-publicized attacks. This provides a sense of scale, and shows how little is really public.

Most of the report focuses on how Mandiant identified and tracked APT1, and less on the attack chaining and similar material we have seen plenty of in earlier reports (it does include some of that). That is what I find so interesting – the specifics of tracking these guys, with enough detail to make it extremely difficult to argue that the attacks originated anywhere else, or without the involvement of the Chinese government.

Also of interest, Aviv Raff correlated some of this information from other data releases (by Dell SecureWorks and an anonymous pastebin dump):

I repeat: read this report, and hope we see more like it.



Monday, January 17, 2011

Fighting the Good Fight

By Mike Rothman

Here in the US, today is Martin Luther King, Jr. Day. For many this means a day off. For others it’s a continued call to arms to right the injustice we see. For me, it’s a reminder. A reminder of how one person’s efforts can make a difference against insurmountable odds. How passion, focus, and a refusal to fail can change the world. Not overnight and not without setbacks, personal sacrifices, and a lot of angst. But it can be done.

We in the security world seem to forget that all the time.

Today started like most other days. I checked my email. I looked at my Twitter feed and, surprisingly enough, a bunch of folks were bitching about PCI and stupid assessors and all sorts of other negativity. Pretty much like every other day. I shut down my Twitter client and thought a bit about why I do what I do, even though it seems to make no difference most days. It’s because it’s the good fight and the mere fact that it’s hard doesn’t mean we shouldn’t continue pressing forward.

Rich summed it up very well a few weeks ago in his Get Over It post. Human nature isn’t going to change. So we’ll always be swimming upstream. Deal with it. Or find something else to do.

And to be clear, what we do isn’t hard. Fighting for civil rights is hard. Overcoming oppression and abject poverty and terrible disease is hard. Always keep that in mind. Always.

The Boss is constantly telling me there is no grey in my world. Right. Wrong. Nothing in between. And pushing to educate our kids about what they should and should not do online is right. Pushing to help our organizations understand the risks of all their business plans is right. Trying to get senior management to appreciate security, even though it makes their jobs harder at times, is right.

Doing nothing is wrong. If you are reading this blog, then you are likely very fortunate. With resources and education and opportunities that billions of people in this world don’t have. So yes, what we do is hard. But it’s not that hard.

On this day, where the US celebrates one of its true giants, a man who gave everything for what he thought was right, take a few minutes and re-dedicate yourself to fighting the good fight. Because it’s the right thing to do.

Image credit: “Martin Luther King, Jr.” originally uploaded by U.S. Embassy New Delhi

–Mike Rothman

Thursday, February 04, 2010

The NSA Isn’t Evil (Even Working with Google)

By Rich

The NSA is going to work with Google to help analyze the recent Chinese (probably) hack. Richard Bejtlich predicted this, and I consider it a very positive development.

It’s a recognition that our IT infrastructure is a critical national asset, and that the government can play a role in helping respond to incidents and improve security. That’s how it should be – we don’t expect private businesses to defend themselves from amphibious landings (at least in our territory), and the government has political, technical, and legal resources simply not available to the private sector.

Despite some of the more creative TV and film portrayals, the NSA isn’t out to implant microchips in your neck and follow you with black helicopters. They are a signals intelligence collection agency, and we pay them to spy on as much international communication as possible to further our national interests. Think that’s evil? Go join Starfleet – it’s the world we live in. Even though there was some abuse during the Bush years, most of that was either ordered by the President, or non-malicious (yes, I’m sure there was some real abuse, but I bet that was pretty uncommon). I’ve met NSA staff and sometimes worked with plenty of three-letter agency types over the years, and they’re just ordinary folk like the rest of us.

I hope we’ll see more of this kind of cooperation.

Now the one concern is for you foreigners – the role of the NSA is to spy on you, and Google will have to be careful to avoid potentially uncomfortable questions from foreign businesses and governments. But I suspect they’ll be able to manage the scope and keep things under control. The NSA probably pwned them years ago anyway.

Good stuff, and I hope we see more direct government involvement… although we really need a separate agency to handle these due to the conflicting missions of the NSA.

  • Note: for those of you that follow these things, there is clear political maneuvering by the NSA here. They want to own cybersecurity, even though it conflicts with their intel mission. I’d prefer to see another agency hold the defensive reins, but until then I’m happy for any .gov cooperation.


Monday, January 25, 2010

FireStarter: APT—It’s Called “Espionage”, not “Information Warfare”

By Rich

There’s been a lot of talk on the Interwebs recently about the whole Google/China thing. While there are a few bright spots (like anything from the keyboard of Richard Bejtlich), most of it’s pretty bad.

Rather than rehashing the potential attack details, I want to step back and start talking about the bigger picture and its potential implications. The Google hack – Aurora or whatever you want to call it – isn’t the end (or the beginning) of the Advanced Persistent Threat, and it’s important for us to evaluate these incidents in context and use them to prepare for the future.

  1. As usual, instead of banding together, parts of the industry turned on each other to fight over the bones. On one side are pundits claiming how incredibly new and sophisticated the attack was. The other side insisted it was a stupid basic attack of no technical complexity, and that they had way better zero days which wouldn’t have ever been caught. Few realize that those two statements are not mutually exclusive – some organizations experience these kinds of attacks on a continuing basis (that’s why they’re called “persistent”). For other organizations (most of them) the combination of a zero-day with encrypted channels is way more advanced than what they’re used to or prepared for. It’s all a matter of perspective, and your ability to detect this stuff in the first place.
  2. The research community pounced on this, with many expressing disdain at the lack of sophistication of the attack. Guess what, folks, the attack was only as sophisticated as it needed to be. Why burn your IE8/Win7 zero day if you don’t have to? I don’t care if an attack isn’t elegant – if it works, it’s something to worry about.
  3. Do not think, for one instant, that the latest wave of attacks represents the total offensive capacity of our opponents.
  4. This is espionage, not ‘warfare’ and it is the logical extension of how countries have been spying on each other since the dawn of human history. You do not get to use the word ‘war’ if there aren’t bodies, bombs, and blood involved. You don’t get to tack ‘cyber’ onto something just because someone used a computer.
  5. There are few to no consequences if you’re caught. When you need a passport to spy you can be sent home or killed. When all you need is an IP address, the worst that can happen is your wife gets pissed because she thinks you’re browsing porn all night.
  6. There is no motivation for China to stop. They own major portions of our national debt and most of our manufacturing capacity, and are perceived as an essential market for US economic growth. We (the US and much of Europe) are in no position to apply any serious economic sanctions. China knows this, and it allows them great latitude to operate.
  7. Every vendor who tells me they can ‘solve’ APT instantly ends up on my snake oil list. There isn’t a tool on the market, or even a collection of tools, that can eliminate these attacks. It’s like the TSA – trying to apply new technologies to stop yesterday’s threats. We can make it a lot harder for the attacker, but when they have all the time in the world and the resources of a country behind them, it’s impossible to build insurmountable walls.

As I said in Yes Virginia, China Is Spying and Stealing Our Stuff, advanced attacks from a patient, persistent, dangerous actor have been going on for a few years, and will only increase over time. As Richard noted, we’ve seen these attacks move from targeting only military systems, to general government, to defense contractors and infrastructure, and now to general enterprise.

Essentially, any organization that produces intellectual property (including trade secrets and processes) is a potential target. Any widely adopted technology services with private information (hello, ISPs, email services, and social networks), any manufacturing (especially chemical/pharma), any infrastructure provider, and any provider of goods to infrastructure providers are on the list.

The vast majority of our security tools and defenses are designed to prevent crimes of opportunity. We’ve been saying for years that you don’t have to outrun the bear, just a fellow hiker. This round of attacks, and the dramatic rise of financial breaches over the past few years, tells us those days are over. More organizations are being deliberately targeted and need to adjust their thinking. On the upside, even our well-resourced opponents are still far from having infinite resources.

Since this is the FireStarter I’ll put my recommendations into a separate post. But to spur discussion, I’ll ask what you would do to defend against a motivated, funded, and trained opponent?


Wednesday, January 13, 2010

Yes Virginia, China Is Spying and Stealing Our Stuff

By Rich

Guess what, folks – not only is industrial espionage rampant, but sometimes it’s supported by nation-states. Just ask Boeing about Airbus and France, or New Zealand about French operatives sinking a Greenpeace ship (and killing a few people in the process) on NZ territory.

We’ve been hearing a lot lately about China, as highlighted by this Slashdot post that compiles a few different articles. No, Google isn’t threatening to pull out of China because they suddenly care more about human rights, it’s because it sounds like China might have managed to snag some sensitive Google goodies in their recent attacks.

Here’s the deal. For a couple years now we’ve been hearing credible reports of targeted, highly-sophisticated cyberattacks against major corporations. Many of these attacks seem to trace back to China, but thanks to the anonymity of the Internet no one wants to point fingers.

I’m moving into risky territory here because although I’ve had a reasonable number of very off the record conversations with security pros whose organizations have been hit – probably by China – I don’t have any statistical evidence or even any public cases I can talk about. I generally hate when someone makes bold claims like I am in this post without providing the evidence, but this strikes at the core of the problem:

  1. Nearly no organizations are willing to reveal publicly that they’ve been compromised.
  2. There is no one behind the scenes collecting statistical evidence that could be presented in public.
  3. Even privately, almost no one is sharing information on these attacks.
  4. A large number of possible targets don’t even have appropriate monitoring in place to detect these attacks.
  5. Thanks to the anonymity of the Internet, it’s nearly impossible to prove these are direct government actions (if they are).

We are between a rock and a hard place. There is a massive amount of anecdotal evidence and rumors, but nothing hard anyone can point to. I don’t think even the government has a full picture of what’s going on. It’s like WMD in Iraq – just because we all think something is true, without the intelligence and evidence we can still be very wrong.

But I’ll take the risk and put a stake in the ground for two reasons:

  1. Enough of the stories I’ve heard are first-person, not anecdotal. The company was hacked, intellectual property was stolen, and the IP addresses traced back to China.
  2. The actions are consistent with other policies of the Chinese government and how they operate internationally. In their minds, they’d be foolish to not take advantage of the situation.
  3. All nation-states spy, including on private businesses. China just appears to be both better and more brazen about it.

I don’t fault even China for pushing the limits of international convention. They always push until there are consequences, and right now the world is letting them operate with impunity. As much as that violates my personal ethics, I’d be an idiot to project those onto someone else – never mind an entire country.

So there it is. If you have something they want, China will break in and take it if they can. If you operate in China, they will appropriate your intellectual property (there’s no doubt on this one, ask anyone who has done business over there).

The problem won’t go away until there are consequences. Which there probably won’t be, since every other economy wants a piece of China, and they own too much of our (U.S.) debt to really piss them off.

If we aren’t going to respond politically or economically, perhaps it’s time to start hacking them back. Until we give them a reason to stop, they won’t. Why should they?