More on Chinese Cyberattacks

Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn’t mean that they’re happening with greater frequency.

Hype aside, the Mandiant report on the hackers is very good, especially the part where the Chinese hackers outted themselves through poor opsec: they logged into Facebook from their work computers.

But this is not cyberwar. This is not war of any kind. This is espionage, and the difference is important. Calling it war just feeds our fears and fuels the cyberwar arms race.

In a private e-mail, Gary McGraw made an important point about attribution that matters a lot in this debate.

Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be “Gandalfed” and pin the attack on the wrong enemy.)

Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position.

Those of us who work on security engineering and software security can help educate policymakers and others so that we don’t end up pursuing the folly of active defense.

I agree.

This media frenzy is going to be used by the U.S. military to grab more power in cyberspace. They’re already ramping up the U.S. Cyber Command. President Obama is issuing vague executive orders that will result in we-don’t-know what. I don’t see any good coming of this.

EDITED TO ADD (3/13): Critical commentary on the Mandiant report.

Tags: China, cyberwar, espionage, hacking

Posted on February 21, 2013 at 12:54 PM • 56 Comments

Comments

TMG64 • February 21, 2013 1:36 PM

I disagree that it’s not cyberwar. The first act of war is usually learning what you can about your enemy. How can one “take down” an enemy without first KNOWING the enemy?

Nick P • February 21, 2013 1:46 PM

Funny that RobertT was mentioning Datong (it’s in the report) recently on this blog[1]. I’m reading the report now. It’s been interesting so far. I like how they’re attributing the attacks to Unit 61398. That kind of methodical attribution is much better than “the Chinese are coming! the Chinese are coming! there was an IP!”

[1] http://www.schneier.com/blog/archives/2013/02/more_state-spon.html#c1161557

Michael • February 21, 2013 1:48 PM

The overall aim here wasn’t to ‘take down’ an enemy. It was about economic gain through corporate espionage. It’s also questionable whether there’s even an enemy here, assuming the Chinese government were behind this – the business partnerships and displomatic relationships are still quite healthy between the US and China.

DF • February 21, 2013 1:53 PM

@TMG64 No Bruce is right. This is espionage not war. Now it can be argued that it is espionage in prelude to a war, but no destructive acts have been committed yet. The media and politicians are too apt to use the word war when describing things that are more properly defined as struggles. I.e the drug war or a war on obesity or illiteracy or whatever. Those are struggles not wars.

ph • February 21, 2013 2:13 PM

“War” has become rhetoric. It isn’t helpful. Calling it “cyberwar” does nothing to assist with understanding or dealing with real threats and issues.

ted • February 21, 2013 2:29 PM

This is not war. The Chinese are doing the same as the Soviets did, but instead of having John Walker do the gathering and sending of secrets they are doing it themselves.

Spence • February 21, 2013 2:41 PM

“Gandalfed:” cool word to indicate that you attack the wrong enemy, or attribute the attack to the wrong group.
I agree with the post that we have not solved the attribution problem. I continue to argue that during the long millisecond where the attack is active, there is no need to attribute. There is simply a need to make the attack stop. Find out where the attack originates after you halt the attack with an appropriate use of force. That use of force does not necessarily mean hacking back or other arguably illegal acts, it could mean sending cease and desist letters, or filing suit.

Take a look at orlandodoctrine.com, at our use of force continuum. We’ve been discussing this for a while, and we would appreciate your thoughts.

mm • February 21, 2013 2:54 PM

Schneier, much like the McAfee reports on Aurora, the actual evidence upon which they base their conclusions is not directly available to us, and thus we can’t criticize or reproduce their actual results, or identify the veracity of the evidence (due for example to poor or second-hand collection technique.)

Corroboration, triangulation, and actual evidence including binaries that we can strip apart ourselves is the only way to know the truth. Right now, the report is a presentation of results balanced on hidden evidence.

The fact that the public is swallowing this so completely IMO directly follows from the quality of the typesetting as much as the contents themselves.

stvs • February 21, 2013 2:56 PM

Help! Help! I’m being cyberattacked by China!!

Basic Analysis and Security Engine (BASE)
Meta Criteria: Signature “[snort] ssh: Protocol mismatch”
Src IP address         FQDN
59.47.50.85         85.50.47.59.broad.bx.ln.dynamic.163data.com.cn
210.68.175.202         h202-210-68-175.seed.net.tw
…

Nick P • February 21, 2013 3:05 PM

The Mandiant report was excellent. This is the kind of work I like reading on. I’ll ignore the stuff most people talk about in reports like this, as someone will talk about them. 😉 Here are a few things that jumped out at me.

Spear Fishing

One of my favorite highlights from the report is the fake PDF file. The picture shows PDF icon, harmless filename, .pdf, “…” and type “Application.” Mostly looks real. Mandiant comments:

“This is not a PDF file. It looks like the filename has a PDF extension but the filename actually includes 119 spaces after .pdf followed by .exe – the real extension. APT1 even went to the trouble of turning the executable’s icon to an adobe symbol to complete the ruse.”

Very nice work by the attackers. Of course, one suggested defense is sandboxing or blocking file execution. Smart as they were, that basic defense would have stopped that attack. An advanced version might ask for permission for the “executable” to do certain things, with user going “wth, this isn’t an executable?!”

APT1 Hacker Profile uglygorilla

Zhang Zhaozhong’s works “Network Warfare” and “Winning the Information War” might make interesting reading for both hackers and strategists trying to understand the opponents.

Conclusion (p60)

They conclude with sharp wit. They give China a way out, then smash it with Occam’s Razor.

@ Bruce Schneier Re Computerworld Article

I agree it should be considered espionage rather than war. These attackers infiltrated systems worldwide. They blended in. They impersonated people. They stole key information. They presumably use that information to compete in commercial and military matters. This is more Cold War than bloody war. It’s spies vs people with assets not expecting spies. Bombs don’t solve this problem.

That said, I think an active attack against the Unit is an interesting option. We know the attackers use Windows on their internal machines. We know many of their local IP’s. They also use plenty of COTS hardware and software. We can get a hold of this by buying it in the open market or using clandestine forces to acquire it. From there, the government could use a third party not too reliant on China to try to infiltrate their networks. They can map them out, try to find evidence of stolen data on client machines, maybe try to physically tap lines going to building, etc. Their options will be monitoring, exfiltration of important data, disruption, digital sabotage, and physical sabotage. We must assume all data chinese have stolen is theirs to keep. Additionally, any active attacks will only delay the inevitable and might cause retaliation that leads to unacceptable damage to national assets.

The situation is not good for English-speaking big companies.

Daniel Lawrence • February 21, 2013 3:18 PM

“This media frenzy is going to be used by the U.S. military to grab more power in cyberspace. They’re already ramping up the U.S. Cyber Command. President Obama is issuing vague executive orders that will result in we-don’t-know what.”

I’m sure the media frenzy was created for that purpose. How else can those actions be justified?

Mark • February 21, 2013 3:45 PM

I’d be happy if they’d just quit plastering the “cyber” prefix all over everything to make it sound scarier than it actually is.

Marsico • February 21, 2013 4:45 PM

The media is running with a story that suits their needs. The military is exaggerating the war analogy. Cyber___ is sexier than computer___, we have to live with that. The attacks appear to have been documented as true. If our government can’t agree on a budget to avoid the cliff then I wonder if it can manage the risk to our networks.

Simon • February 21, 2013 5:28 PM

@Mark – OK, what term would you like them to use? What is it about the word ‘cyber’ that bothers you? The word was used for many years in different contexts but no one seemed to mind. I don’t understand how attaching the ‘cyber’ to anything makes it scarier than it actually is. How about ‘electro’ or ‘inter’ or … maybe the media should use some kind of euphemism like ‘bad thing’.

Carlo Graziani • February 21, 2013 6:17 PM

The Onion, as usual, has the best take on this:

http://www.theonion.com/articles/sources-hackers-vandalized-drudge-report-for-last,31394/

Nick P • February 21, 2013 6:36 PM

@ Marsico re “cyber”

I’m a bit mixed on it myself. The main reason people oppose it is because it’s predominately used in ignorant ways by media or to promote a cyberwar agenda. That makes it a nice warning signal that BS is coming in a news piece.

On the other side, cyber has a long history before cyberwar. It’s a word that sounds pretty cool. Cyberspace was one of hackers’ nicknames for the Internet early on. You could say the word has some history. I think it’s become like the word hacker: started meaning something awesome and neutral, but media slanted it into bad usage.

Florian Grunert • February 21, 2013 7:59 PM

Hi,
Iam doing research in this field for some time at the university and we have written a paper about this which should end some endless discussion with some plausible logical arguments. The term war in this context misleads and in a lot of more cases the term cyberwar is not useful esp. if we have no attribution. The word war and the legal usage of it includes three logical requirements:

(1) It is conceptually impossible to be in a state of war without there being someone with whom one is at war. (Binary Condition/Two-place-Condition)

(2) It is conceptually impossible to be in a state of war with oneself.
(Non-Reflexivity-Condition)

(3) It is conceptually necessary that two conflicting parties are epistemically
distinct in a stage of war. (Epistemic Distinction-Condition)

[Iam writing at the moment a formalization of this requirements, so you could disproof most of these hypercyberfoopeople with some nice formalism 😛 ]

So if you accept this you cannot use the term in this context without attribution! If you want to sacrifice these concepts you will end in a bad situation.
From our paper on this topic:”And there are some protagonist in the debate hold the opinion that there is no and there will be no ‘cyberwar’ in the sense of international law for classificatory reasons. They argue that we should not talk about ‘cyberwar’ unless there is a phenomenon that deserves such a classification, for example, when a sovereign state declares war (only) in cyberspace (‘fifth domain’). They suggest that all current phenomena should only be treated as special cases of different types of conflict and should be labelled accordingly. Although we partially agree on their point, we think that this is only the second best way to acknowledge what is really at stake here. The impossibility of non-attribution make things even worse, because it causes a conceptual and not merely a classificatory problem. By providing a different approach and new line of reasoning, we draw the conclusion that under the condition of non-attribution we
cannot talk about ‘cyberwar’ given our conceptual practice and usage of ‘war’.”
If you want to read the paper A Non-Attribution-Dilemma and its Impact on Legal Regulation of Cyberwar
Michael Niekamp and Florian Grunert

Please give us some feedback.

best regards

Florian Grunert

Jeff M • February 21, 2013 8:08 PM

One overlooked aspect of the Mandiant report is that Mandiant had hacked into the hackers computers. Look at their video: Mandiant had detailed screen captures showing everything some of the hackers were doing. This is great work, and they were wise (and very brave) to include so much detail to make their points irrefutable. Until now, I had dismissed comments that the Chinese govt was involved as wild speculation.

Johnston • February 21, 2013 8:49 PM

@stvs

Taiwan isn’t part of China. Taiwan has its own (democratically elected) government, passports, currency, exchange rates, military, languages, writing system, international calling code, and ccTLD. Taiwan broke away from China in 1949, 64 years ago, when the communists took over. Anything else is just political posturing.

James R. • February 21, 2013 10:58 PM

It is cyber-espionage, but done at such a massive scale that it will have a strongly negative effect on the U.S. economy in the long-run. You could consider this a type of economic war that removes the competitive advantage from U.S. businesses and drives more production of products to Chinese businesses. So yes, the U.S. government should be doing whatever it can to limit the amount of theft of IP, business plans, contract negotiations, etc., that are occurring against U.S. businesses, particularly from China.

Clive Robinson • February 22, 2013 5:16 AM

@ Bruce,

With regards,

But this is not cyberwar. This is not war of any kind. This is espionage, and the difference is important. Calling it war just feeds our fears and fuels the cyberwar arms race.

But this is the way the Pentagon want things.

It’s possibly slipped past many people but the Pentagon have a new medal comming out “The Distinquished Warfare Medal” for Cyber-warriors. And guess what they are placing it above the Purple Heart in order of merit.

So as far as the US top brass are concerned it appears the most senior of medals will nolonger be for conspicuous bravery and physical courage in the face of the enemy but for the collateral damage done against the enemy (and presumably their civillians)…

Whilst the brass are currently talking about drone pilots, the wording means that all cyber-warriors are eligible which includes those involved with the likes of Stuxnet etc…

http://www.nextgov.com/defense/2013/02/pentagon-takes-heat-elevating-cyber-warrior-medal-above-other-honors/61415/

wiredog • February 22, 2013 6:15 AM

There’s a story that’s been going around since the 80’s that when the US government discovered the Soviet government trying to steal computer control designs the US deliberately allowed the Soviets to steal some bad designs. Which resulted in a severe malfunction in gas line controls and an explosion.

I wonder if the PRC is vetting the stuff it’s stealing for disinformation?

Clive Robinson • February 22, 2013 7:23 AM

Mind you this “China APT” is not bad news for everyone, obviously the press are doing quite well on it but have you thought about those in education?

Yes new courses are starting on reverse engineering and other aspects of malware (all be it with strings attached),

http://www.computerworld.com/s/article/9237010/US_students_get_cracking_on_Chinese_malware_code?taxonomyId=85&pageNumber=1

It would appear PhD student and research assistant Wesley McGrew at Mississippi State University will be using the code recovered from attacks over the past few years to run a reverse engineering class.

He will be teaching/training 14 engineering and computer science students the ins and outs of how to analyze the malicious software.

Which is actually no bad thing, for other good and proper reasons. As I’ve been known to comment in the past CS students rarely get taught the equivalent of “testing techniques” that most engineering students get taught. The value such training will add to their abilities will provide a life long benifit and put them well ahead of other CS graduates in the market place.

However a health warning on the article it’s self it does make a couple of factually incorect statments such as,

No two files have the same MD5 hash unless they are exactly the same, which makes it a good way to identify files.

Whilst MD5 does make a good way to identify identical files, it is known that it is possible for two non identical files to have the same MD5 hash [1]

The article is also superficial in that whilst it goes into MD5 usage it does not sufficiently follow up on it.

So to fill in a bit 😉

It is interesting to note about the use of the MD5 hashes showing up that the identical malware is being used repeatedly. That is these attacks in effect look like “script kiddie” attacks, but are they?

If the attack code was actually being produced by those carrying out the attacks then it would be relativly trivial for them to change the file in a myriad of different ways such that the MD5 hashes would not match but still have identical functionality. It is not as though polymorphing malware is an unknown concept [2].

So why have they not morphed the code?

Whilst McGrew indirectly gives one possability for this,

Attackers are less likely to use their more advanced malware against a target if a simpler one suffices, since it could be detected and blocked in the future.

It misses out on the fact that generaly morphing your code reduces your detectability whilst still using the functionaly equivalent maleware. Thus would get around many AV products repeatedly with what is minimal effort on behalf of tthe attackers.

So why are the attackers not doing it?

Is it because the traditional AV products are so deficient that there is no reason to both? or is there another reason?

Whilst it is known that much AV software fails to detect upto 30% of known malware there are various types of detector that work in different ways. Essentialy you can do the more traditional “Black list” approach or the less often seen “white list” aproach.

Thus there are other possability that needs to be considered over and above the basic detectability “black list” avoidance. White listing of executables takes the opposite aproach to black listing and various organisations like Bit9 offer such systems, which in effect are secondary code signing services.

Bit9 has recently admitted to the fact that it has been attacked [3] a while ago and this resulted in the copying of atleast one code signing key. Further that the copy of the key has also been used to illicitly sign code (which I assume was malicious in some way) which hass turned up on atleast three of it’s customers systems.

This shows how easy it is to not understand the motives of an attacker based only on a limited view point of analysing what has been used to attack you. That is you don’t know if thay are A, script kiddies, B, using the same malware because it surfices, or C, Use the same code to get past other defences you may not be aware of.

So how do you improve upon this information to get a better understanding of an attackers operational motives that give rise to the seen MO?

Well it means resorting to the tools of espionage, be they old “boots on the ground” to more modern methods. The problem with either method is entrapment of those using the tools and thus reveiling “Methods and Sources”.

As others have noted the company investigating went after the supposed attackers and infiltrated their systems. There are three problems with this, firstly it’s not lawful, secondly it provides the attackers with propaganda for reprisals and further activities, thirdly it shows information about your methods.

It is the third option we need to be wary of because if the attackers systems are vulnerable it is more than likely that nearly everybodies systems are vulnerable.

And this gives us a fourth possability which is ineffect a reverse “Honey net” where the enemy deliberatly uses systems that are “standard” and by using detectable attacks invite retaliation and thus get to see how the defenders go about it and what exploits etc they use…

So on balance I find defenders going into the attackers systems to be an unwise thing to do. Not only because it’s illegal but more importantly that it is actually more likely to give more to the attackers than it will to the defenders…

[1] This is because MD5 is in effect a compression function that is the equivalent of a one way function. Thus a little thought shows that if you have a file bigger than the MD5 hash size it will hash to the same value as a file smaller or equal to the hash size. That is MD5 like any hash produces a number out that is within a fixed range, thus if you have more data than that range going into the hash function then it will map down non uniquely to a number in that range.

[2] Polmorhic code comes in various forms, some polymorhic virus code contains the morphing engine some don’t. One type uses encryption to morph which although simple has a downside in that the decryption code remains the same in the head of the virus and this can be dettected by looking for the byte pattern at a given offset from the code start point.

http://en.m.wikipedia.org/wiki/Polymorphic_code

Another method of polymorpism is to take the source code and simply rearange the position of code blocks and put snipits of unused faux code in the source.

[3] Brian Krebbs effectivly “outed” Bit9 on his web site a short while ago and has now run a couple of posts on them,

http://m.krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/

Snarki, child of Loki • February 22, 2013 7:33 AM

@Nick P
“On the other side, cyber has a long history before cyberwar. It’s a word that sounds pretty cool. Cyberspace was one of hackers’ nicknames for the Internet early on. You could say the word has some history. I think it’s become like the word hacker: started meaning something awesome and neutral, but media slanted it into bad usage.”

One the KEWL words start getting used by the uncool kidz and noobz, then they aren’t kewl any more.

I sometimes wonder if human civilization will ever progress beyond high-school. Nah.

Pigeonhole Principle • February 22, 2013 7:57 AM

@Clive re MD5:

All you needed to say there, is that MD5 like any digest function, maps an infinite number of unique possible files/messages onto one of a finite number of hash values. Collisions are obviously possible, just unlikely to happen by accident (and still rather difficult to cause on purpose).

Clive Robinson • February 22, 2013 9:25 AM

@ Pigeonhole Principle,

All you needed to say there…

What and break the habit of a life time 😉

Nick P • February 22, 2013 10:05 AM

@ Florian Grunert

Let me play devil’s advocate. I’m not sure your conditions hold. They seem sensible at first, but counterexamples come to mind. Let’s look at them.

“(1) It is conceptually impossible to be in a state of war without there being someone with whom one is at war. (Binary Condition/Two-place-Condition)”

Depends if we define war as a conflict between two or more recognized parties. Here’s a hypothetical situation. Let’s say some insurgent group wants to get at assets with a major country. They’ve begun attacking the country, trying various tactics to get the assets. The country doesn’t know their names, location, or even motive. It hasn’t caught one yet. The country might then take defensive measures to protect assets it sees at risk. It might prepare to take strong action against any identified insurgents. However, it has no solid clue who the opponent is. We’re already in a situation where one side is definitely at war with SOMEONE and the other side is at war for practical purposes, but has no identifiable opponent. Substitute these tactics for those that are deniable, maybe resembling faults, and now you have a war that’s real but looks imaginary to outsiders. It stretches the definition quite a bit.

If it sounds too hypothetical, I should note there are parallels to this in cyberwar. We often fight little skirmishes with unknown opponents/goals. Certain attacks might look like innocent activity. The evidence that the intrusion is taking place might be a computer crashing, a spike of network traffic or some other thing that can happen in a benign network. Their goal is usually access to confidential data, subversion of machines for their purposes, or sabotage. From the defenders point, though, they’re are at war with cybercrooks in general but… who specifically? what progress is being made? Harder questions to answer…

“(2) It is conceptually impossible to be in a state of war with oneself.
(Non-Reflexivity-Condition)”

This one is easier to counter. It assumes there is a such thing as “oneself” in the sense it’s one thing with one goal or set of beliefs. It’s well known that people fight with themselves over many competiting motivations, wants, etc. Certain neuroscience shows the brain’s pieces themselves compete with each other, our action emerging from it. Certain self-loathing people are at war with themselves. Strong pessimists are mentally at war with themselves, subverting every good thing they attempt. Throw in multiple personality disorder, certain schizophrenic conditions, etc. People with mental disorders, for instance, can act as if possessed or coinhabited with a malicious being that fights against their thoughts, perceptions and actions. These kinds of things supported primitive beliefs in “demonic possession.” Seeing this, it’s hard to say war is an internal self vs external entity situation.

Note that you can apply these same concepts to groups. There’s isn’t a US government, for instance. There’s actually a collection of individuals, local governments, federal bodies, agencies, special interest groups and so on that collectively form the activity we call the United States government. The US government can both be at war and not at war. The US government often wars with itself. The incorporated aspects make some of these organizations people by law, but they’re inherently like multiple personality disorder. (I know it’s called DID, but i use MPD b/c most people understand that term.) These issues are worth considering in your work because governments and corporations are key players in these things. So much that economists, psychologists and other academics try to make black/white or precise with these types of organizations is actually more probabilistic/fuzzy.

“So if you accept this you cannot use the term in this context without attribution! ”

Since (a) Premise 1 can be stretched so far it looks thin and (b) Premise 2 is broken in numerous relevant contexts, so I cannot accept the conclusion that attribution is required.

Attribution is sometimes not required at all, it’s often useful, and sometimes it’s necessary to make the best decision.

Nick P • February 22, 2013 10:15 AM

@ Snarki, child of Loki

“One the KEWL words start getting used by the uncool kidz and noobz, then they aren’t kewl any more.

I sometimes wonder if human civilization will ever progress beyond high-school. Nah. ”

Decent view. I’ve often said I learned about everything I need to know about people in high school. Sure, colleges, industries and certain groups dress up their social activities a bit. However, I find that underneath most of the motivations, tactics, personality types, etc. are either the same as or similar to what I encountered in high school. Our parents wanted us to focus on the classwork for our future. I think we would have been better off if we were pushed to master understanding the people in it. I certainly benefited from the effort I put into that.

What is the old saying? It went along the lines that all kinds of things change, but people are always people.

Re Clive comment

“@ Pigeonhole Principle,

All you needed to say there…

What and break the habit of a life time ;-)”

LOL. Yes, Clive will probably keep the long winded, technical posts so people can identify the author in the event he forgets to type his name. 😉

RobertT • February 22, 2013 10:47 AM

@NickP
I think the referenced post made it very clear that I don’t know what I’m talking about.

BTW: this is a very dangerous subject to know too much about, so I’m very happy to maintain my ignorance.

I’d just say one last thing: 12 story buildings are very useful for attacking with high gain antennas and wifi. the emergence of Ultrabooks with no Ethernet port, means that open wifi/Ethernet bridge ports are appearing in even the most secure buildings, luckily the guys with the power to ignore the rules sit in the corner window offices.

It’s like stealing candy from a baby….

RobertT • February 22, 2013 11:16 AM

@CliveR
“And this gives us a fourth possability which is ineffect a reverse “Honey net” ”

“Reverse Honey nets” What sneaky little so’n’so’s, surely the US has passed a law against this sort of behavior, it’s down right anti-social.

I wonder if we would be reading this story if the attack had been traced to some hut in western Pakistan, maybe just a side note about a successful drone attack….so what makes China different? why do they think they can get away with ignoring the US’s will?

Clive Robinson • February 22, 2013 11:20 AM

@ RobertT, Nick P,

It’s like stealing candy from a baby…

Yes it is, there are places in London where WiFi just does not work due to the simple fact that the density of AP’s exceeds any kind of usability.

If however you find yourself in London one day and fancy a visit to the Greenwich Observatory to visit the Meridian line (as many tourists do) glance across to the HSBC building and all those others surounding it and think hmm “target rich environment”…

As I know from experiance there are one heck of a lot of insecure networks etc over there, and some traffic would count as insider dealing….

But that’s just the start of the possibilities, unfortunatly I lost my ignorance a long time ago and whilst clocks might become old and jaded with time they still tend not to go backwards 🙁

The Grumpy Hacker • February 22, 2013 11:43 AM

Simple solution to the attribution problem: All parties need to be RFC 3514 compliant.

M • February 22, 2013 10:00 PM

@Bruce

Dude, you’re doing a bit of disservice to the US here. Yeah, it may not be war in the traditional sense, but it is going to be ‘death by a thousand cuts’. The major difference between normal ‘economic espionage’ and what we are seeing from China in this Mandiant report, is that these thefts appear to have the backing of the entire Chinese government, which ultimately controls the Chinese economy. This would be the equivalent of the NSA stealing information from BMW, and then giving that information to Ford or GM for economic benefit … which is ridiculous. Now, perhaps shady characters in the automotive industry are engaging in such economic espionage against their competitors, but unlike what we see here, they do not have the backing of their government for this activity. In China, the government controls the banks, manufacturing, distribution, service, etc etc etc. Their plan in this regard is long-term, and they will win. Saying these attacks happen on the time and are the normal course of countries relationships with each other is BS. There is no way our US intel community is providing economically beneficial information to US companies. But that is what we see China doing here by targeting businesses across all sectors of the economy. You have an issue with the word ‘war’, fine. But don’t downplay it. It’s a game of Chess, and we are losing.

ugly superhard dota • February 23, 2013 5:53 AM

The Mandiant report comes across as commercial self-promotion. While it has some very interesting content its attribution of APT1 to Unit 61398 seems very thin–more along the lines of a plausible hypothesis than legal proof. The report could stand some rigorous peer review.

Howard • February 23, 2013 11:27 AM

The New York Times just has its panties in a bunch because they were attacked directly. They were happy to watch, and — if they really had to — report on, attacks on other targets for years … but when it was their own assets, it became personal. That’s why we see a media frenzy.

I agree, we should expect better behavior from our news sources. They should have been reporting on Chinese attacks all along with the same consistency since, as Bruce said, the consistency and character of attacks hasn’t changed.

Perhaps that’s just the way it is. It reminds me of the high-profile American journalist who admitted that, after another journalist had been killed by an Iraqi IED, it made the war “real” for them … thus also admitting that seeing hundreds of American soldiers killed by such IED’s didn’t bring near the emotional connection.

Or try Google: they weren’t happy with their relationship with China, but they tried what they could. Then they caught China attacking their own assets (Gmail), and enough was enough. So they moved to Hong Kong.

Nick P • February 23, 2013 11:59 AM

@ ugly superhard dota

“The Mandiant report comes across as commercial self-promotion. While it has some very interesting content its attribution of APT1 to Unit 61398 seems very thin–more along the lines of a plausible hypothesis than legal proof. The report could stand some rigorous peer review.”

Let’s be fair, here. This isn’t an investigation of some normal business or agency with full LEO power. Mandiant was investigating an organization dedicated to covert operations without trying to subvert them, infiltrate them, or do other illegal activity. Most covert activities go untracked in entirety. Their designed to prevent attribution by LEO’s with full power. Mandiant had a fraction of LEO capability, yet presented plenty of good evidence of the identity of APT attackers.

I give them props for both great research and presenting it in a way even lay people can appreciate. Maybe errors will be found. Maybe their conclusion will turn out wrong. However, as far as covert organizations go, they have more information than you’d typically expect.

ugly superhard dota • February 23, 2013 4:42 PM

@Nick P
Let’s take the Symantec reports on Stuxnet as a baseline. Symantec was/is in the same position with regard to Stuxnet as Mandiant is with regard to APT1, and just as Kaspersky was/is in the same position with regard to Red October.
I read the three reports with great interest and certainly give credit to the Mandiant report for being an excellent introduction to hacking methodology for say a University course in hacking from the Law Enforcement and risk minimization perspective. Ditto the other two studies, which in some respects are just a little too technical to be good introductions.
However, and here is my first point, of the three studies, only Mandiant’s conveyed to me an air of commercial self-promotion. Maybe the other two reports were just as self-promotional but did it with a lighter hand but to me they seemed far more objectively scientific (“Just the facts, Ma’am.”).
Second, Mandiant is making some very strong flat allegations that a series of hacks are the direct responsibility of Unit 61398 of the Chinese PLA. That’s a pretty serious allegation with potential international repercussions. But what struck me was that the evidence was thinner than I expected. After all the mission of Unit 61398 is consistent with a defensive cyber mission and photographs of their headquarters carry as much weight for attribution of APT1 to them as photographs of Fort Meade carry for attribution of Stuxnet to the NSA.

joequant • February 23, 2013 11:06 PM

There are some useful posts on this on Jeffrey Carr’s blog

http://jeffreycarr.blogspot.hk/2013/02/mandiant-apt1-report-has-critical.html

joequant • February 23, 2013 11:12 PM

M: There is no way our US intel community is providing economically beneficial information to US companies.

Former Director of Central Intelligence James Woolsey disagrees…..

http://cryptome.org/echelon-cia2.htm

joequant • February 23, 2013 11:18 PM

Why do they think they can get away with ignoring the US’s will?

Because they can……

It might have something to do with the $100 billion or so in US Treasuries that China buys each year or the $1 trillion in US debt that China holds or the hundred billion or so in foreign direct investment that China gets.

joequant • February 23, 2013 11:29 PM

Michael: The overall aim here wasn’t to ‘take down’ an enemy. It was about economic gain through corporate espionage.

I don’t think this is the primary aim at all…. Ask yourself this, what possible economic gain could the Chinese government get by hacking the New York Times, the Wall Street Journal, or the Washington Post. For that matter, what commercially useful information does the Chinese government get by hacking Facebook, Google, Twitter, or Apple?

Answer: None at all…. The only company that I’ve listed that has any commercially useful information is Apple and maybe Google, and if the PLA wants that, they can get it from Apple’s Chinese suppliers.

It’s not mainly a commercial spying operation, its a domestic security operation. The NYT does not have any technology information that the Chinese government would be interested in. Names of dissidents and confidential sources however……

Also, even without getting any information, the Ministry of State Security has done something useful. There is no chance now that any dissident in China is going to talk to the NYT.

joequant • February 23, 2013 11:40 PM

Re: Hong Kong

Hong Kong is part of China, and it’s an example of why the difference between the Chinese military and the civilian spying agencies is important.

Under Chinese law, the Chinese military has full power to conduct military operations in Hong Kong (they have a garrison and there a tall office in Admiralty).

The Chinese police and spying agencies don’t. So if you have information that is of interest to the Chinese police (i.e. the names of dissidents) you can move your servers to Hong Kong and be safe. If you have information that is of interest to the Chinese military (plans for a high performance fighter or invasion plans), you have no safety at all of you move to HK, since the PLA has full national defense powers in HK.

joequant • February 24, 2013 12:53 AM

You could consider this a type of economic war that removes the competitive advantage from U.S. businesses and drives more production of products to Chinese businesses.

No you can’t.

The trouble is that this assumes that the world is separated nicely into US businesses and Chinese businesses when outside of a few industries it isn’t. A lot of businesses headquartered in the US are in joint ventures and cross-licensing agreements with Chinese businesses, and US businesses often depend on China for profits. Conversely, you have Chinese businesses that are depend on the United States.

The other thing is that some industries are heavily “networked” in which any sort of production takes place across twenty or thirty countries.

The Chinese government owns a small portion of Apple, Coca-Cola, Morgan-Stanley, and Citibank.

http://online.wsj.com/article/SB10001424052748703427704575052303975503216.html

I don’t know what this is, but it’s not war.

joequant • February 24, 2013 1:07 AM

. Until now, I had dismissed comments that the Chinese govt was involved as wild speculation.

That some agency of the Chinese government is hacking US computers is rather well known knowledge among anyone that has anything to do with China. Any group that has anything minimally to do with China has be the target of attempted hacking, and it’s gone on for so long, that “it’s not news.”

The fact that China does engage in both overt and covert methods for getting US technology is also not news. In fact, most high technology companies in the United States are heavily in the business of selling said technology to China.

The only reason it made it in the NYT is that they discovered that they were hacked. The only real question is “which part of the Chinese government is doing the hacking and why?” and I think that the NYT massively dropped the ball on this one because they aren’t thinking clearly.

One point here is that misattributing attacks to the PLA is a bit dangerous. If you have low-grade information that is of interest to the Ministry of State Security, then you’ll be able to get by with low-grade security. The MSS hackers will check if you’ve left your doors unlocked and if not, they’ll move to another target. If you have high-grade information that the PLA really does care about, then you shouldn’t have any machines connected to the internet at all

Clive Robinson • February 24, 2013 2:31 AM

@ Howard,

I agree, we should expect better behavior from our news sources. They should have been reporting on Chinese attacks all along with the same consistency…

Please remember it’s not just the Chinese but ALL capable nations…

It realy annoys me that it’ “China this” and “China that” while everyone else gets a free pass in the Politicos and Journo’s eyes, and it’s extreamly damaging.

Other major offenders are Russia and Israel (and most other Western Nations plus a whole heap more). We know they “are at it” atleast as much as China is supposed to be.

The fact that it’s not reported has two serious consiquences,

1, It blinds Sysadmins and their seniors all the way up into walnut corridor and above.

2, It encorages lack of proper investigation.

Of the two the second is currently the most worrying, because you have people who should know better talking about “Cyber-War” in one breath and “Going Kinnetic” in the next breath.

Whilst I am by no means saying China is not cracking peoples security and systems I’m definatly saying they are but one of many, and ignoring/hiding this fact is going to hurt us big time at some point unless we are very careful.

It’s one of the reasons I’m very oposed to the idea of “military and Quasi-military” organizations being even remotly involved with Cyper-policing. The Military for all their worth in their respective roles have certain limitations and are unlikely to be impartial with respect to their other objectives for various reasons.

As has been pointed out on this blog a number of times in the past, the fact that the US Press and Journalists keeps banging on about China not only gives other countries a pass, it activly encorages them to use China as a smoke screen for their activities.

Clive Robinson • February 24, 2013 4:03 AM

@ M,

This would be the equivalent of the NSA stealing information from BMW, and then giving that information to Ford or GM for economic benefit … which is ridiculous.

Sorry to burst your bubble but various national Intel organisations have been stealing “commercialy sensitive” information and handing it on to their own “trusted” rivals. It’s a big fat part of what is covered by “Economic National Security”

Tthe head of the French bureau upset the apple cart years ago when being interviewd by a well known US news network and gave a very candid answer that R&D was expensive compared to spying.

The Russias are well known to have used spying on US commodity traders phones to manipulate the world grain price when their crops had failed thus saving billions of dollars.

The US once bugged a Japanese diplomatic plane when involved with a trade mission for purely economic data for negotiations.

The US are known to have spied on various other major defence electronics companies and supplied the intel to TRW.

It sometimes goes wrong, as seen once at the Paris Air Show where the Russian “Koncordski” rip off of the Franco-British Concorde crashed, it appears that a French fighter surveillance plane might have “jet washed” it and caused it to crash.

When I used to work for a military communications equipment manufacture we used to discover strange interference happening when ever we were running trials for large National Contracts that the French were also bidding for. We tracked it down and found a group of technicians putting out jamming signals. The local police rounded them up but had to let them go because they had French CD passports.

As for Israel, per head of population they perform more theft of commercialy sensitive information than the Chinese do, and much of it mysteriously turns up in little start up companies who (unsurprisingly) have a Director or two who are Ex IDF / Mossad.

When I used to work for an electronic lock company that was a major player in the Hotel industry, we got a slightly odd request from what was supposadly a part of IBM. I was suspicious and did some background checking. It turned out IBM had no such office etc. Further checking showed it was a front organisation. One of our employees was Jewish and he concluded after a further investigation that of the three or four people fronting the supposed IBM organisation they were all practicing Jews even though they spoke with accents from other nations. He demonstrated this in the office when we had a couple of them in, he deliberatly set up one of them with a glass of water that could easily be knocked over, and then at an appropriate time called out a warning softly in Hebrew, and the person fell into the trap… Further checking through other contacts showed that the supposed IBM company had been operating as a “Technology Front” for “hotel security” products. Basicaly Mossad needs such intel for carrying out various activities such as kidnaping and assasination.

And yes even the UK Government has been caught out in the economic espionage game on more than one occassion. Basicaly the idea was “Intel swaps” a company that had trade links with “certain nations of interest” would get a discrete visit at director level asking if the companies sales reps going over to these nations could produce “background information” about what they saw. In return the company would get discrete information about forign competitors and various contracts that they would be considered “prefered bidders” on. Unfortunatly the cosy relationship went wrong with one company when the lose cannon that was UK Customs and Excise decided to prosecute them for what was in effect arms trading. It all went horribly wrong and quite a bit of info about these cosy relationships came out.

It is also well known that the NSA used to supply “Special Advice” to a Swiss Crypto company, we assume to put “technical backdoors” in the products they sold to various “nations of interest”.

Examination of US mechanical field cipher equipment showed it had issues in that some keys were strong whilst others weak. Further information sugests this was known to those who supplied US troops with their KeyMat. It has been suggested that any nation copying such devices (and quite a few did or purchased them through untill the 1970’s) would be very likely to use the keys randomly thus use the weak with the strong and giving the likes of the NSA a nice little entry into the countries “secret communications”.

Put simply “there is no moral high ground” in espionage everyone spys on every one else when they can. The biggest constraint on such activities being financial and other resources. The number one country on supplying these resources in the past is the US to it’s favourd agency that Never Say Anything…

Clive Robinson • February 24, 2013 4:12 AM

@ Joequant,

With regards,

why do they think they can get away with ignoring the US’s will

I’ts a sarcastic joke, not a serious comment.

Speaking of which,

@ Johnston

Likewis so was @stvs comment on being attacked from Taiwan AKA Republic of China (ROC) and famous for ripping of technology in the later part of the last century. For it was they who put “China” in the expression “Chinese knock off”.

Clive Robinson • February 24, 2013 4:44 AM

@ RobertT,

Sorry I missed your comment,

I wonder if we would be reading this story if the attack had been traced to some hut in western Pakistan, maybe just a side note about a successful drone attack..

As it was tucked away beneath your other comment.

You actually raise an interesting point, both China and Pakistan are Nuclear States, so are assumed to sit politicaly on the same “Top Table”.

However China is not land locked and has proven long range rocket capability Pakistan however is land locked and does not have proven long range rocket capability….

Therefor like any Super Power China can “project power” out to other super powers from subsea and space, whilst Pakistan cannot. Thus it could be said that as far as the US are concerned the top table has tiers and Packistan is on a lower one than China…

Which raises the question of how the US are going to treat North Korea, from now on… Now it would appear from the events of the past three months that N.Korea has rockets of “Space launch capability” for “appropriate sized payloads”, and if commentators are to be believed a uranium based nuclear device that is under the appropriate sized payload. Thus could in theory drop one on Washington if they so wished… Likewise we also know that North Korea is not land locked and does have it’s own submarine capabilities…

Hmm all of which is probably making a lot of people somewhat nervous as it means North Korea is within a hairs bredth or two of meeting one of the requirments for being a Super Power…

Anon10 • February 24, 2013 11:39 PM

@Clive

Another posted stated this.
“This would be the equivalent of the NSA stealing information from BMW, and then giving that information to Ford or GM for economic benefit … which is ridiculous.” Your examples of numerous other countries do not demonstrate what the US does. The US is different, according to Woolsey http://cryptome.org/echelon-cia2.htm. Most of your examples of the NSA, without more details, could fall under their mission of gathering intelligence on foreign governments. Regarding Japan, there is a world of difference between spying on diplomatic trade negotiations and stealing trade secrets. You shouldn’t equate the two.

Clive Robinson • February 25, 2013 12:06 AM

@ Anon10

…there is a world of difference between spying on diplomatic trade negotiations and stealing trade secrets. You shouldn’t equate the two.

Why not they are both spying for economic gain, and both done unders the excuse of Economic National Security?

As some people have remarked this sort of activity is one thing or another, you have either done the deed of spying for economic gain or you have not, because you can’t be “a little bit pregnant”.

stvs • February 25, 2013 10:36 AM

Likewis so was @stvs comment on being attacked from Taiwan AKA Republic of China (ROC)

Yes, a tongue-in-cheek comment, but I also expected that Mandiant’s report would outline the geographic extent of APT1’s C2s. Unsurprisingly, .tw represents one of the countries with the most servers outside .cn, only behind .us and .kr (Figure 23).

Also glaringly obvious from the report: APT1 is all about pwning Windows and Microsoft Exchange Server. Search in vain for keyword “bsd” “unix” “linux” “os x”, or even “apple” in the context of privilege escalation tools, rather than decoy FQDNs. Just one example of Windows pwnage from Table 6:

cachedump
This program extracts cached password hashes from a system’s registry
fgdump
Windows password hash dumper
gsecdump
Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets
pwdump7
Dumps password hashes from the Windows registry

And so on.

Who can say Google was wrong to ban Microsoft Windows machines from their premises? Why doesn’t everyone take this precaution?

Anon10 • February 25, 2013 8:05 PM

@Clive

Both events are economic espionage, but from the economic competition view, any analysis that doesn’t delve into the types of economic espionage is superficial.

From a privacy or civil libertarian perspective, very few people will be involved in trade negotiations at a high level, but almost anyone could work at private company developing something of commercial value.

itgrrl • February 25, 2013 9:09 PM

@Nick P: “The US government can both be at war and not at war.”

I like that idea. “Schrödinger’s Cyberwar.” 🙂

Atavistic Jones • February 26, 2013 6:56 AM

The media is going nuts on this because China hacked a lot of the main media players in the US and all of this comes out at the same time.

Journalists do not like being hacked. It goes against their business. It says for them to shut up, that they are being watched.

Journalists have always liked the China hacking issue, further, because China is totalitarian and anti-journalist therefore.

And China has been hacking human rights activists and free speech activists for many years.

But, China has been hacking corporations and government for many years now and excessively so.

I do not see much negative on these media reports. They are actually very good work, for being open source.

A great deal of evidence has been presented over the past few months on China’s hacking.

Even extremely intelligent people have a tendency to accept conspiracy theory stories with far, far less evidence.

Getting caught is incompetent in espionage. It is unprofessional. Does this mean China is unprofessional? Is China bad at espionage because they have been caught so frequently?

Are they the computer espionage hacking scapegoats, the dummies in the room, while the rest of the world is spinning wheels around them?

No.

They think they have nothing to lose from this mass, global campaign they have been doing for years. What is reported is just the tip of the iceberg.

They are wildly successful and have been for years.

They have a tiniest strain of plausible deniability about all of this. And their economic and political situation is very strong. Who can argue with them?

On top of all the noise, the loud hacks, there are definitely the quiet hacks.

Is any of this the best way to go about global cyber espionage? The best way is just to hook into the major global communication hubs and spread out from there.

Target people at their homes, not at their businesses where security is higher.

Stealing innovation is not true power, stealing people’s hearts, knowing their inner secrets and being able to use those to manipulate them to your ends — that is true power.

Henry • February 27, 2013 11:59 AM

I’m not a military nomenclature expert, but I’m not sure one can clearly state this is not a “war.” It seems clear that there is primarily only information gathering at this point. However, in regard to the Chinese’s use of that information, they are 100% acting on it. Not to do direct harm to people/ infrastructure, like shutting off power and water systems, but they are using the information to do damage economically. Their government is stealing our IP, and giving it to Chinese private companies and SOEs. So there is serious harm done and this makes the current situation different in at least scale/ impact than years past; in terms of the use of information from economic espionage. The PRC did not have the capability until relatively recently to act on the economic espionage that they have been gathering. Plus, as others have said, this is just a precursor to what is coming (with actual attacks on infrastructure).

Although I’m not a military expert, I am a bit of a China expert. And anyone who knows the Chinese, knows that they will continue to escalate the situation until we stop them dead in their tracks. That is a fact, whether one likes it or not. I don’t like “vague” exec orders or getting into a cyber arms race either, but the US certainly needs to do something more “drastic” in response to the situation. I think the developed world should put strong sanctions or threaten to pull the PRC out of the WTO. If people think it’s too late to isolate China economically, as pressure to stop their cybercrimes, then we have already lost the real “war” that has yet to begin.

Henry • February 27, 2013 12:24 PM

@ Bruce S

In follow-up to my last message: I suppose that if, like many wars that are based on a fight over resources, this is not much different in terms of definition. I would say that war has yet to be declared, but we are very close to it. A cyber arms race would be no different in escalating to declaration than a traditional arms race. So I understand your position. But what do we do? -It’s the Chinese we’re talking about here.

This is not like a traditional war where shots get fired and a declaration of war is made. There will be massive amounts of economic carnage before then (there probably already has been). The slight plausibility that China’s denials are true give them an out to justify what they are doing. They are not going to stop, until someone stops them. When the US & allies try stopping them, through sanctions, etc. China will point the finger and retaliate, and the escalation to war starts. I might argue that our government knows the Chinese mindset as well as I do, and that they have already decided that a cyber arms race is the best approach. At least then we have a chance to defend our infrastructure.

I don’t see a good ending here. If you didn’t know, there is never a win-win situation with the Chinese. They believe they can only win if you lose. 

More on Chinese Cyberattacks

Comments

Leave a comment Cancel reply