Chinese Cyberattacks Unrelenting And Will Not Stop

It is all part of a Chinese strategy to steal technology and information as China works toward becoming the dominant power in the world.

There is an excellent article on the history of China and how it pertains to today’s world by Brandon J. Weichert at New English Review.

The “trade war” is part of a complex struggle by China to come to parity and overtake the United States.


The struggle with China also plays out in cyberspace. From Mandiant's APT1 report we know that the Chinese PLA (People's Liberation Army) has a unit that actively attacks Western companies and governments to steal technology and anything else of value. Mandiant named this group APT1, and the report documents its operations against targets around the world.

China is actively attacking systems (as you will see below).

The PLA units number hundreds, if not thousands, of attackers.

Mandiant's report traces APT1 activity back to at least 2006. So for the last 13 years the Chinese have been systematically attacking Western companies to steal relevant information.

Every industry was attacked (which is easy to do, since everyone is connected to everyone on the Internet). Some industries were hit harder than others:

The image above (industries targeted by APT1) is from Mandiant's report.

The report was published in 2013 and describes attacks that are now old, but the picture has not changed much today.


Let's go back to Mr Weichert's article ("Much More Than a Trade War With China"), which looks at the Warring States period of Chinese history (475-221 BC), a unique era. In this period the state of Qin was able to overcome stronger adversaries, and ultimately the Zhou, through superior statecraft and mastery of strategy.

Mr Weichert quotes Jiang Zemin (Chinese leader, 1989-2002): "there cannot be two suns in the sky." Chinese history showed that eventually one dynasty defeats the other and survives to rule over all.

This is where the "Barbarian-Handling" techniques analyzed by Edward Luttwak come in:

  • Initially, concede all that must be conceded to the superior power, to avoid damage and obtain whatever benefits or at least forbearance that can be had from it;
  • Entangle the ruler and ruling class of the superior power in webs of material dependence that reduce its original vitality and strength, while preferring equality in a privileged bipolarity that excludes every other power;
  • Finally, when the formerly superior power has been weakened enough, withdraw all tokens of equality and impose subordination.

And then Chinese culture assimilates the 'barbarian' culture, as when the Mongols invaded, adopted Chinese methods of rule, and were eventually displaced. Many older cultures in Asia have been completely swallowed up by China.


Whether this is a good methodology for China is not the question here (I believe it is not); we note that it is occurring and that technology theft is part of the "entanglement" strategy. Our technology advantage will shrink, and eventually stop being an advantage, with each additional theft.

What is the easiest way to steal technology today? Over the Internet.

This is why the PLA is systematic in its actions: it attacks everyone and then finds the nuggets in the network stream. China's strategy is deliberate. In the 80s and 90s we had neighborhood kids hacking companies for 'fun'. Today we have nation states with massive budgets and mature techniques.

If you do not think a serious cyberattack campaign is under way, wake up and smell the roses. If you have something to protect, and even if you do not, the wide swaths of cyberattacks coming out of China will make your life more difficult.

The image above does not surprise me: it shows the number of attacks on this website in one week, and this website has no data beyond what you see on the blog (there is no customer data or other hidden data).

Contact us to review your Cyber defense strategy.

What We Can Learn From the Baltimore City Ransomware Attack

From a WSJ article:

On May 7th hackers shut down a number of City of Baltimore computers and demanded about $100k worth of bitcoin to release their stranglehold. On that day that was about 13 bitcoins (the value of bitcoin fluctuates).

Baltimore is refusing to pay, as it should. The ransomware the hackers used is called RobbinHood.

Apparently the price goes up if there is no payment within 10 days. How did RobbinHood get access to the systems (and then encrypt them)?

Bleepingcomputer.com goes into some of the RobbinHood details.

Apparently this ransomware does not arrive through spam (as many others do). Ars Technica has more on the state of IT in Baltimore City departments:

“Tracking down how and when the malware got into the city’s network is a significant task. The city has a huge attack surface, with 113 subdomains—about a quarter of which are internally hosted—and at least 256 public IP addresses (of which only eight are currently online, thanks to the network shutdown).”

Part of this problem seems to stem from mismanagement of GRC (Governance, Risk, Compliance). The IT department was underfunded, which seems obvious now but was not earlier. And now the decision is: do we pay the ransom to get back to normal, or suffer through a restore that takes an unknown amount of time and resources? Will the restore work? If not, systems have to be rebuilt from scratch: reinstall operating systems and applications, while also making sure the problem does not resurface (put proper installation and patching procedures in place).

So all the things that were obvious in the past, and had a long time to be resolved, now must be done quickly under the glare of the public eye. There are plenty of stories of real estate transactions not closing because some department's computers are down. Where the city wanted to be paperless, it now has to reinstate paper-based processes.

Needless to say, Baltimore is the poster child for how not to do things.

There is a price to pay at some point for bad management decisions (underfunding IT updates or security initiatives). When you do not update systems across a sprawling campus of hundreds of machines, it is inevitable that one of them can be attacked. Hackers are ingenious and find ways in. Once they are in, the game is to escalate privileges.

Let me ask you a question: if it is relatively easy for an attacker to take one system, escalating privileges will also be relatively 'easy', because local privilege escalation vulnerabilities are more numerous than remote ones, and a fleet that is behind on patches will have plenty of them.

So now the hacker is in the network and can do pretty much as they please. Next they look for the most important systems (email and file servers among others) to infect. This is exactly what happened in the City of Baltimore.

Contact us to discuss GRC and prevent a disaster like this in your organization.

How Many Companies Are Getting Attacked by China?

It may be hard to attribute some attacks; it depends on the attack. We also have to decide what data to use to count who got attacked.

The following data (and the image) are from the FBI's IC3 report: https://www.ic3.gov/media/annualreport/2018_IC3Report.pdf

A caveat on reading this figure: the IC3 report does not attribute attacks to countries. The chart it publishes is the "Top 20 International Victim Countries", the number of complaints filed with IC3 in 2018 by victims located outside the United States, broken down by country. China appears in it with 367 complaints, so the 367 figure is the number of entities in China that reported being attacked, not the number of attacks traced back to China.

Either way, these are only the attacks that people reported. Do you really think that everyone who gets attacked reports it to the FBI?

The top 20 from the report (complaints by victim country):

India                 4556
United Kingdom        3970
Canada                2880
Australia             1227
Georgia               1144
Germany                622
Brazil                 605
Mexico                 591
Greece                 514
Philippines            511
Russian Federation     471
France                 428
South Africa           409
Italy                  384
Hong Kong              371
Switzerland            371
China                  367
Spain                  331
Portugal               316
Japan                  311

Total (top 20):      20379


I also want to warn everyone: will this count be lower this year? Will we depend on digital technologies less this year?

China and many other sources of attacks will keep coming at us.


Contact us to audit your defenses.

It may also be time to reduce our exposure to Chinese products: a Chinese drone manufacturer had a security flaw that allowed hackers to grab your details. It is almost as if this is set up on purpose: make the product easy to hack, sell it to unsuspecting Americans, and then hack them later with more of their data on it.

“Chinese drone giant Da-Jiang Innovations (DJI) commands more than 70 per cent of the global market, supplying products for personal, commercial, and even military use.”  from abc.net.au

I think we need operational risk assessments, which may conclude that we should stop buying Chinese-made IT products.


How About Adversary Based Threat Analysis?

Another Thotcon presentation was very good, unique, and moves the industry forward.

Julian Cohen presented this idea in his talk "Adversary-Based Threat Analysis": understand your adversaries.

He explained that the traditional threat modeling process consists of the following six steps:

  1. Identify Assets
  2. Create Architecture Overview
  3. Decompose an Application
  4. Identify the Threats
  5. Document the Threats
  6. Rate the Threats


His method adds a step: rating the adversaries.

His examples were well documented: the PLA (People's Liberation Army) unit described in Mandiant's APT1 report. The report has moved to a new Mandiant web location along with all of their reports. Here is an updated link: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

This famous report named the group APT1 (APT stands for Advanced Persistent Threat). Its fame comes from Mandiant's thorough analysis of how the attacks were carried out and who in China did them (PLA Unit 61398), down to the building in Shanghai the attacks came from. Search for APT1 in any search engine and the term is attributed to this report.

Julian's point is that the adversary has a say (or should have) in how you defend.

He then walked through the Intrusion Kill Chain (Lockheed Martin), mapping APT1's actions and tools to each phase:

  1. Reconnaissance: email harvesting
  2. Weaponization: Office macros
  3. Delivery: phishing
  4. Exploitation: target runs the macro
  5. Installation: Poison Ivy
  6. C2 (Command and Control): Poison Ivy
  7. Actions on Objectives: pivot to Active Directory

This is where Julian looked at what the adversary actually uses and how effective it is. The adversary is not going to do 'everything'; they do what works.
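As an added example (not code from Julian Cohen's talk or from the original post), here is a small Python check aimed at the Weaponization and Delivery phases of the APT1 playbook above: given the raw bytes of an email attachment, it reports whether the file is a macro-enabled Office document, regardless of the file extension the sender chose. The sample documents are constructed in memory as stand-ins; the part names and content-type strings are the real OOXML ones, but the document bodies are fake.

```python
"""Added example: flag Office attachments that carry VBA macros (kill chain phases
2-3 above). Not code from the talk or the original post; sample files are constructed."""
import io
import zipfile

# Magic bytes of a legacy OLE2 container (.doc/.xls/.ppt). Macros live inside its
# streams, so a full OLE parser is needed to inspect it; here we only flag the format.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Strings that appear in [Content_Types].xml only when a package is macro-enabled:
# the "macroEnabled" main-part types (.docm/.xlsm/.pptm) and the vbaProject part type.
MACRO_CONTENT_TYPES = (b"macroEnabled", b"application/vnd.ms-office.vbaProject")


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes as 'macro', 'ole2-legacy', 'clean-ooxml' or 'not-office'.

    The decision is made from content, never from the filename, because an attacker
    can rename quote.docm to quote.docx and Word will still run the macros.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(b"PK"):          # OOXML is a ZIP container
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # 1) the VBA project part itself (word/vbaProject.bin, xl/vbaProject.bin, ...)
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # 2) the manifest declares a macro-enabled type even if the part was renamed
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml")
                if any(marker in manifest for marker in MACRO_CONTENT_TYPES):
                    return "macro"
                return "clean-ooxml"
    except zipfile.BadZipFile:
        pass
    return "not-office"                     # a ZIP that is not an Office package, or corrupt


def triage_attachments(attachments: dict) -> dict:
    """Map attachment filename -> verdict for a batch of files pulled from one mailbox."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


# --- constructed sample documents (stand-ins, not real captured attachments) ---
def _build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": (b'<Types><Override PartName="/word/document.xml" ContentType='
                            b'"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'),
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = _build_ooxml({
    "[Content_Types].xml": (b'<Types><Override PartName="/word/document.xml" ContentType='
                            b'"application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                            b'<Override PartName="/word/vbaProject.bin" ContentType='
                            b'"application/vnd.ms-office.vbaProject"/></Types>'),
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stand-in for a compiled VBA project",
})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64   # header only; enough to recognise the container

SAMPLE_MAILBOX = {                        # constructed batch; filenames are arbitrary
    "invoice.docx": CLEAN_DOCX,
    "quote.docx": MACRO_DOCM,             # a .docm renamed to .docx: still flagged
    "old_report.doc": LEGACY_DOC,
    "brochure.pdf": b"%PDF-1.4 stand-in",
}

if __name__ == "__main__":
    for name, verdict in triage_attachments(SAMPLE_MAILBOX).items():
        print(f"{name:16s} {verdict}")
```

The check is deliberately cheap so it can run on every inbound attachment at the mail gateway, which is the Delivery phase where the talk says defenders get the most leverage. Legacy OLE2 files are only flagged, not inspected; looking inside their streams for VBA requires a proper OLE parser such as the oletools project.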

There is another matrix which reviews attacker cost (which drives likelihood), focusing on these phases:

  1. Weaponization: Office macros
  2. Delivery: phishing
  3. Installation: Poison Ivy
  4. C2: Poison Ivy

We all know phishing works for them; we are inundated with spam that tries its hardest to trick us into giving access to our machines.

He then reviewed which phases are the most effective ones for defenders to act on:

  1. Delivery: phishing
  2. Installation: Poison Ivy
  3. C2: Poison Ivy

He also made this comment:

“Adversaries don’t think about winning once. They build repeatable, scalable playbooks that are cost effective at achieving their objectives over and over again against a series of targets. Adversaries don’t think about winning at all, they think about a steady stream of targets.”

Attacker efficiency: attackers determine the least costly and most valuable attacks based on:

  • Who are the targets
  • Required success rate
  • Speed of conversion

Defenses against APT1 follow the kill chain's course-of-action categories, applied per phase:

Detect, Deny, Disrupt, Degrade, Deceive, Destroy.

All attackers are resource constrained, and every attacker has a boss and a budget.

Likelihood versus impact (in a risk calculus):

In most cases issues should be rated on likelihood alone. Do not inflate impact to High.

Use the most up-to-date research data to drive the likelihood column in your matrix.

He is talking about the kind of matrix I have shown in the past (in my graph likelihood is labelled probability). In the presentation he showed his own version of the matrix. Notice the similarities, even though the impact and likelihood axes were switched, which does not change the meaning.

There is a profound meaning in this realization.

The reality is that attackers are not going after you specifically but after a template of defenders, so you have to have a profile that makes you more difficult to crack than the template. For APT1 that means a focus on phishing defenses and on detecting the Poison Ivy tool.

Do not just create a threat model of your systems and software; also pay attention to what the attackers are actually doing, so that you can focus on the high-risk items and the likelihood of attacks on your infrastructure.


Burnout in Infosec Means All is Lost?

Thotcon (Chicago's hacking conference) thoughts...

I saw several good cybersecurity presentations, and one of the keynotes, by Josh Corman, discussed burnout in the infosec/opsec community. This is a problem for our industry, as I have discussed in past posts. It comes down to the following three topics:

1. Workload: for most infosec people 50-60 hours is a regular week, with more during emergencies. Josh mentioned 80 hours as a regular work week for many; this high workload leads to exhaustion.

2. What happens when there is no relief and working 80 hours a week forever becomes a way of life? We get negativity or cynicism. The constant pressure produces cynicism as a psychological defense.

3. Reduced efficacy, or effectiveness, due to the constant pressure.

What was really on Josh's mind was the increasing number of suicides among his friends.

The picture is a moment from Josh's lecture on white hat motivations.

So Josh would like to do something about this. He gave an example of a psychologist saying that the other profession with similar characteristics is nursing (high workload and cynicism leading to lower efficacy).

He also said not to follow the herd and not to put down your fellows and colleagues.

Above is a picture from the beginning of the second day, where the Thotcon organizer was having some fun in a Wookiee costume.

The main problem is getting more help, so that infosec people do not burn out completely and do things we will all regret. Another problem is that infosec people are hard to find (or at least competent ones are).

So the true issue is getting resources and eyeballs, the attention of the C-suite, and generally a different level of attention.

Believe it or not, for companies this is addressed by GRC: Governance, Risk, and Compliance.

GRC – Governance, Risk, Compliance

Governance is different from an IT department simply run by the CFO or the CEO. The point of governance is that the goals of the organization are kept in mind (not just the mind of one person): the goals are codified. With WRITTEN goals, the group in charge of GRC can work toward them using risk and compliance as management tools. So the staffing of the IT department (which includes opsec or infosec) is a risk to be measured. You should not have a single person running the IT department, nor should you have 80 hours of work for one person. For 80 hours of work there should be two people.

Setting up GRC in an organization may take a while, but once it is in place it helps the organization manage compliance and regulatory risks, with proper governance controlled by the people who are supposed to run the company, and with proper human-resource goals as well.