China Attacks and We Do? Nothing, for the Most Part

Chinese Hackers Eye US Cancer Research:

https://www.technewsworld.com/story/86211.html

This is another outrageous attack on our companies and institutions, as Chinese APT hacker groups appear to be linked to stealing information from cancer research.

 

Here is a news story about espionage by Chinese-paid doctors: an NBC News story about 3 scientists removed from MD Anderson Cancer Center.

FireEye published a report on how the Chinese focused attacks in healthcare to steal medical research.

FireEye was the company that documented and released the Unit 61398 (China military attacking World targets since 2004) report about the APT1 group.

Since 2006 Mandiant (today a FireEye company) has observed APT1 compromise 141 companies in 20 major industries.

 

So it is obvious to all people who keep up on these things, that China has stolen or can have access to many companies as many times as they want:

“Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”

 

So I want to ask now why would the Chinese even want to embark on this type of method to interact with the world? Do they think they will make friends over the long term? Are they interested in making friends? Or are they obsessed with history? The history of the Boxer Rebellion and the general weakness of the Qing dynasty until the dynasty came to an end in 1911. The weakness of the Qing dynasty and the early days of the republic caused all kinds of things to happen which the western governments took full advantage of.

So this stealing and taking is just payback? Yes, in part. It is also a fulfillment of Confucius’s philosophy and his understanding of Tian (or heaven), specifically the fact that only the Chinese can be close to heaven. It does not even have to be pure Confucian thought as long as the interpretation has been accepted by most people. This includes one of the 3 great Confucian philosophers (Xunzi), who rejects the idea that humans are innately good.

So if the Chinese thinking is completely different than yours that is because their books are written with different philosophies.

 

It actually does not matter the exact thinking the Chinese have, as we will not understand it anyway.  We should not try to find nuance in Confucian philosophy, all we need to do is understand that thinking is different and we have to modify our strategic thinking.

Look at the PLA  hierarchy:

and where the unit 61398 is in the hierarchy.

The main thing I see in this diagram is a dictator and his government structure. Everything else is just a confirmation of his rule. Can an underling find a few words in Confucianism to say we can do XYZ? I am sure it can be found.

 

We have to ‘try’ to deny the freewheeling rip-off artists so that we can keep our IP (Intellectual Property) as long as possible.

 

Today it is health care information, tomorrow it will be whatever is the latest technology or service to be stolen. The Chinese do not have a judiciary equal with the Chinese Communist Party (CCP). The CCP is always going to run everything in China. There are no checks and balances, there is only full power by the person on top. This to me is the definition of dictatorship.

So if we have a complaint with them, there is no court that will adjudicate with them in a position of power, unless we have power as well (military or Cyber).

So what we need is our own Cyber power, defensive and offensive. That is my suggestion to fight back against China.

As it is we do nothing as you can plainly see in the news stories.

Contact me to discuss

Why is China Trying to Steal our Stuff?

First thing I think of (being of a certain age) when someone asks why: Why ask why? Answer: Try Bud Dry!(Silly old Budweiser commercial)

So why do we need to ask why? Because it would be good to know why we are consistently being attacked by this region of the world.  It is always good to know your opponent.

In this case _we are the people_ with computers, financial information, Intellectual property, health information, and really anything that can make money (Credit Cards, information that can be used against competitors).

So money is one motivator, but hackers have other motivations, as with the Anonymous hacktivist Jeremy Hammond, who received a 10-year sentence, as noted in this NYpost story.

“Some breaches in Hammond’s life had been a challenge. He’d search the code on websites he wanted to target, combing through the symbols and letters of computing languages for security flaws to exploit. He’d create user accounts on the sites, and then test for ways in. It could take months of trying, and sometimes he gave up.”

“He considered hacking a means of social justice, and he did it in secret while pursuing civil disobedience and protest in public, as well.”

So hacking can be a social justice act or even a kind of civil disobedience.

Now what if you had a state apparatus with the massive resources?

Hacker News article from 2015

There are some very interesting points in this article:

CHINESE CYBER WARFARE UNITS
According to McReynolds, China has three types of operational military units:
  • Specialized military forces to fight the network — The unit designed to carry out defensive and offensive network attacks.
  • Groups of experts from civil society organizations — The unit has a number of specialists from civilian organizations – including the Ministry of State Security (it’s like China’s CIA), and the Ministry of Public Security (it’s like the FBI) – who are authorized to conduct military leadership network operations.
  • External entities — The unit sounds a lot like hacking-for-hire mercenaries and contains non-government entities (state-sponsored hackers) that can be organized and mobilized for network warfare operations.
According to experts, all the above units are utilized in civil cyber operations, including industrial espionage against US private companies to steal their secrets.

“It means that the Chinese have discarded their fig leaf of quasi-plausible deniability,” McReynolds said. “As recently as 2013, official PLA [People’s Liberation Army] publications have issued blanket denials such as, ‘The Chinese military has never supported any hacker attack or hacking activities.’ They can’t make that claim anymore.”

The Hacker News article got the information from “The Science of Military Strategy” (SMS), a 2013 PLA document.

So the strategy of the Chinese is bare for all to see – they have hundreds or thousands of people in cyber warfare units.

The SMS authors also focus heavily on the central role of peacetime “network reconnaissance”—that is, the technical penetration and monitoring of an adversary’s networks—in developing the PLA’s ability to engage in wartime network operations. As the SMS puts it, since the technical principles underlying successful penetrations of an adversary’s systems are essentially the same whether the objective is reconnaissance or active disruption, at the appropriate moment “one need only press a button” to switch from reconnaissance to attack.

So now we have a stated goal of Chinese cyber warfare units: run constant surveillance and prepare for eventual war, or for other goals that involve stealing or destroying information.

This SMS ‘plan’ is in line with what China thinks of itself, as the New English Review article by Brandon Weichert mentions. The concept of Tianxia, the “All under the heaven”, boils down to:

The choice made by all peoples to have only one political system that is the top of the world. They believe that, just like in the Warring States Period, the weaker competitor will give way to the more ideological and correct one. With the Chinese belief that the Chinese emperors possessed the mandate of heaven, all of the world had to pay tribute to the emperor as a symbol of his supremacy. Thus, going back to antiquity, the borders of China were fungible; always waiting for China to gain the strength needed to push to those farthest edges of the world map and bring barbarianism and chaos to civilized order.

In the narrative, China is the growing power and the US is in decline (status quo), so the Chinese political and ideological purpose is reconnaissance of the networks of the world, until the systems are ready to be attacked in the time of conflict (whenever it actually occurs). The key to analyzing Chinese actions is to look at them from an Asian viewpoint, not through Western historical examples (like the Thucydides trap).

So the reason China is doing everything it can to steal our stuff is to become a bigger power than us so that they can order us around. And because it was always meant to be that way. All old Chinese competitors were assimilated and folded into the Chinese ‘heaven umbrella’.

Remember the Mongols (Kublai Khan)? They actually conquered the Chinese in 1279. But it ended in 1368:

“The Chinese always resented the foreigners and in the end revolted and drove them out. A Chinese orphan Hongwu, a peasant soldier who gave up banditry to become a Buddhist monk, led the revolt and founded the Ming dynasty in 1368.”

After that, the results of the Mongol invasion have almost completely disappeared inside today’s China.

but the Mongols were always foreigners in Chinese eyes.”

Have you also noticed that all the previous kingdoms in the Warring States period are all forgotten (except maybe in some movies)?

There is a definite arrogance to the Chinese. As if the new upstart (USA), which only started in 1776, is such a young country and really does not belong in the top spot. I.e. it is the impudent upstart which needs to be brought a peg or two down. And any method will do (stealing is ok).

 

If you think about it, the “all under Heaven” is a great motivator for young hackers in China trying to hack and steal all our IP (Intellectual Property).

 

Another point: the CCP (Chinese Communist Party) has complete control over major aspects of the country. There is no rule of law in China, only rule of the CCP; i.e. if the CCP wants to take your property then it does, as Drake Long discusses in his post on the power and control of China. The general secretary runs the party and the President (Xi Jinping) runs China, and Xi Jinping has complete control over China.

“China has no rule of law” says Drake.

Whatever the true Party leader says goes.

“Those observing the anti-corruption campaign could liken it to whack-a-mole: there is little changing of bureaucratic rules, instead it is a targeted campaign against high-profile politicians. This illustrates the absurdity of it all. China’s corruption is systemic, owing to the lack of legal constraints and judicial independence in its government.”

There is no accountability; all that has happened with Xi’s anti-corruption campaign is he has solidified his dictatorship. So what happens in a dictatorship? There are mostly yes men (no women). Everyone else gets ‘dealt’ with.

What happens to foreign companies?

With little rule of law, they will be gobbled up inside China: “Now we are beginning to see the fruits of that relationship, which is an increasingly worrisome one. With little rule of law, foreign companies will see more of their partners unexpectedly gobbled up by Xi’s Communist Party.”

You can see where this is heading, since there is no rule of law inside China, each minister/bureaucrat can do anything they want as long as it is under the aegis of Xi’s goals. This means stealing money and information is a go. In fact it is a state-sponsored activity.

We better learn to prepare ourselves and our companies to defend against the cyberwar already being fought on the Internet.

Risk Analysis Gone Wrong?

Since a picture says a thousand words here is an attempt at explanation of Risk Analysis.

The rows are “Impact on Environment”: none, minimal, minor, significant, major, critical

The columns are “Likelihood” (or “Likely – what is % to happen”): not likely, low, medium, medium-high, high, will happen.

These are not “real” systems in anyone’s network, only an example of different CVE (Common Vulnerabilities and Exposures) risks in a hypothetical company. I picked on the IoT systems as the likely weak link, though (one has to update the camera or UPS device software or one can be hacked). IoT systems are a weak link since they are not as easy to upgrade and require upkeep like all systems.

In the past I was trying to explain the weak links with this picture:

The problem is that when a system is hacked it now leaves the whole network with all the critical systems open.

With the new image I am trying to explain what happens if a less important system is hacked (like one with the IoT vulnerabilities), meaning an IoT system with a vulnerability that is critical but has a medium likelihood of getting hacked.

Once hacked, this system allows the attacker to survey other targets. This may be where systems with lower-scored CVEs (3-6) are canvassed, and with the right vulnerabilities the hacker will attack and set up persistent methods to stay in the network. Of course the idea is not just to stay in the network; one wants to attack valuable targets.

“Such as having a High CVE on less critical systems” before the final attack on a critical system at the highest level.

The ultimate and worst possible attack is remote code execution, since with one simple attack the hacker can run code on the system. For a hacker it is easily done.

So explaining the attack in total gives one a further and more complete understanding of the ultimate goal. But what is even more important? To now have the ability to assess risk better. Instead of assessing each device separately with each vulnerability, one must now assess the impact and likelihood with a total attack in mind.

Which means? The lower vulnerabilities can have higher impacts. How should we account for this phenomenon?

We have to become attackers (even hypothetically) to figure out which system would be nice to have with a lower vulnerability… so that the hypothetical attack  can advance through to the eventual goal.
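To make the "total attack in mind" assessment concrete, here is an added example (not from the original post) that scores each system twice: once on its own matrix cell, and once by the most damaging chain an intruder could follow from it. The inventory, host names, reachability links and the numeric weights assigned to the likelihood labels are all assumptions made for illustration.

```python
import heapq

# Labels come from the matrix described in the post; the numeric weights
# attached to them are assumptions made for this example.
LIKELIHOOD = {"not likely": 0.02, "low": 0.10, "medium": 0.30,
              "medium-high": 0.50, "high": 0.75, "will happen": 1.00}
IMPACT = {"none": 0, "minimal": 1, "minor": 2,
          "significant": 3, "major": 4, "critical": 5}

# Constructed inventory for a hypothetical company:
# name -> (likelihood, impact, systems reachable from it)
INVENTORY = {
    "ip-camera":   ("medium", "minimal", ["workstation", "file-server"]),
    "web-server":  ("low", "significant", []),
    "workstation": ("medium-high", "minor", ["file-server"]),
    "file-server": ("high", "major", ["db-server"]),
    "db-server":   ("medium", "critical", []),
}

def standalone_risk(inv, host):
    """Classic matrix cell: likelihood x impact of this one system."""
    lik, imp, _ = inv[host]
    return LIKELIHOOD[lik] * IMPACT[imp]

def chained_risk(inv, start):
    """Return (risk, path) of the most damaging chain that begins at start.

    best[h] is the highest probability of reaching h from start, found with
    a max-product variant of Dijkstra (valid because every weight is <= 1).
    """
    best = {start: LIKELIHOOD[inv[start][0]]}
    prev = {start: None}
    heap = [(-best[start], start)]
    while heap:
        neg_p, host = heapq.heappop(heap)
        if -neg_p < best[host]:
            continue  # stale queue entry
        for nxt in inv[host][2]:
            p = -neg_p * LIKELIHOOD[inv[nxt][0]]
            if p > best.get(nxt, 0.0):
                best[nxt] = p
                prev[nxt] = host
                heapq.heappush(heap, (-p, nxt))
    target = max(best, key=lambda h: best[h] * IMPACT[inv[h][1]])
    path, node = [], target
    while node is not None:
        path.append(node)
        node = prev[node]
    return best[target] * IMPACT[inv[target][1]], path[::-1]

def rank(inv):
    """Rows of (host, standalone, chained, path), highest chained risk first."""
    rows = []
    for host in inv:
        risk, path = chained_risk(inv, host)
        rows.append((host, standalone_risk(inv, host), risk, path))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, alone, chained, path in rank(INVENTORY):
        print(f"{host:12} standalone={alone:4.2f} chained={chained:4.2f} "
              f"via {' -> '.join(path)}")
```

In this constructed inventory the camera and the isolated web server share the same standalone score, but the camera's chained score is three times higher because it can reach the file server.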

You might be saying now: that’s all? That is all I have to do? Sort my systems, figure out the vulnerabilities, and then patch them? Well, it is not that easy, since life brings its vacations, sicknesses, labor issues, and other things your way. Vulnerabilities may come at inopportune times (they do not care if your family has an event). The hacker will hack you at Christmas without batting an eye. The truth is that people and companies get hacked because vulnerability management programs do not take sickness and vacations into account, so labor is always pushed into ever more difficult situations. There always seems to be a push for cost containment in IT and computer security, since it is assumed all systems should be secure; in the past, a cost was not associated with computer security. This is why many companies lose their cohesion over time, and then something happens and the attackers get in.

Once the attacker has a toehold, it is possible to stay undetected for months. In the meantime, the patching lifecycle is front and center as a reason for many systems getting hacked as well.

Notice that when a vulnerability is found by a researcher it takes many days to actually get a fix for the vulnerability, and then it takes yet another few weeks before it is installed in your system. It may be 60 days before the system is safe from attack. So we are in a constant state of risk in our networks. This is why each month’s report of new vulnerabilities is important to review, and why we must continually test for any potential weaknesses in the network.

 

Now that you know the full reasons from A to Z it is easier to actually assess risk on systems.

What you need when assessing risk is to review all possible risk and decide what to focus on next.

Contact for more information or to discuss your risk assessment.

Also the latest CapitalOne hack seems to have been a misconfigured cloud configuration, including why is it storing private information in a public cloud?? Cyberscoop discusses this in more detail. The breach response may have been fast, but there was a major failure of architecture.

 

Interesting take on CapitalOne breach from former employee: https://medium.com/cloud-security/whats-in-your-cloud-673c3b4497fd

He says that the configuration was faulty as one IAM (Identity and Access Management) could be used to access all data (which is a large weak link). I.e. if a hacker can get one account username and password they have all of the data.

The thing to do is to perform threat modeling and review your architecture as well as vulnerability management.
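One check an architecture review can include for the "one identity reaches all data" weak link, shown as an added example rather than anything from the original post or the linked article: it scans an AWS-style IAM policy document for Allow statements that grant S3 read access on every bucket. The two policies and the bucket name are constructed samples, and the check is limited to S3 read actions in identity-based policies.

```python
from fnmatch import fnmatchcase

# Read actions that, granted on every bucket, mean "this identity can read
# all data". IAM action names are case-insensitive, so compare in lowercase.
DATA_READ_ACTIONS = ("s3:getobject", "s3:listbucket")
S3_ARN_PREFIX = "arn:aws:s3:::"

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _covers_all_buckets(resource):
    """True for "*" or an S3 ARN whose bucket name is just a wildcard."""
    if resource == "*":
        return True
    if not resource.startswith(S3_ARN_PREFIX):
        return False
    bucket = resource[len(S3_ARN_PREFIX):].split("/", 1)[0]
    return bucket == "*"

def broad_data_grants(policy):
    """Return the Allow statements that let one identity read every bucket."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(stmt)  # "allow everything except": review by hand
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        reads_data = any(fnmatchcase(action, pattern)
                         for pattern in patterns
                         for action in DATA_READ_ACTIONS)
        everywhere = any(_covers_all_buckets(r)
                         for r in _as_list(stmt.get("Resource", [])))
        if reads_data and everywhere:
            findings.append(stmt)
    return findings

# Constructed sample: a single role that can list and read every bucket.
WEAK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllData", "Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}

# Constructed sample: the same role scoped to the one bucket it needs.
SCOPED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-uploads-example/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-uploads-example"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_ROLE_POLICY), ("scoped", SCOPED_ROLE_POLICY)):
        print(name, [s.get("Sid", "<no Sid>") for s in broad_data_grants(doc)])
```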

Chinese Cyberattacks Unrelenting And Will Not Stop

It is all part of the Chinese strategy to steal technology and information as they work on being the top country in the world.

There is an excellent article on the history of China and how it pertains to today’s world by Brandon J. Weichert at New English Review.

The “trade war” is part of a complex struggle by China to come to parity and overtake the United States.

 

The struggle with China is also pertinent in the cyber world: as we know from Mandiant’s report, the Chinese PLA (People’s Liberation Army) has a unit that actively attacks western companies and countries to steal technology and anything else that might be important. This was the APT1 operational attack on the world.

China is actively attacking systems (as you will see below).

The PLA units are hundreds if not thousands of attackers.

In Mandiant’s report there is some history where the APT1 was first used in 2006.  So for the last 13 years the Chinese have been systematically trying to attack and steal relevant information from Western companies.

Every industry was attacked (just like it is easy to do as everyone is connected to everyone on the Internet).  Some industries are more important than others:

Above image is from Mandiant’s report linked above.

This is from a report in 2012 about an old attack, but today these items have not changed much.

 

Let’s go back to Mr Weichert’s article (“Much More Than a Trade War With China”), where the Warring States period of Chinese history (771-475BC) was a unique time period. In this era the Qin Dynasty was able to overcome a superior adversary in the Zhou dynasty, due to superior statecraft and mastery of strategy.

Mr Weichert brings up a quote by Jiang Zemin (Chinese leader 1995-2003): “there cannot be two suns in the sky”. This is because the history of China showed that only one dynasty will eventually defeat the other and survive to rule over all.

In here the “Barbarian-Handling” techniques are analyzed by Edward Luttwak:

  • Initially, concede all that must be conceded to the superior power, to avoid damage and obtain whatever benefits or at least forbearance that can be had from it;
  • Entangle the ruler and ruling class of the superior power in webs of material dependence that reduce its original vitality and strength, while preferring equality in a privileged bipolarity that excludes every other power;
  • Finally, when the formerly superior power has been weakened enough, withdraw all tokens of equality and impose subordination.

And then the Chinese culture assimilates the ‘Barbarian’ culture, such as when the Mongols invaded and eventually used Chinese methods which were eventually surpassed later. There are many older cultures in Asia that have been completely swallowed up by China.

 

Whether this is a good methodology by China is not a question here (I believe it is not), we note that it is occurring and part of the “entanglement” strategy to steal technology. The technology advantage will not be significant or even an advantage over time with more and more tech thefts.

What is the easiest way to steal technology today? Over the internet!!

This is why the PLA is systematic in its actions. They attack everyone and then find the nuggets in the network stream. China’s strategy is deliberate and systematic.  In the 80s and 90s we had neighborhood kids who were trying to hack companies for the ‘fun’ of it. Today we have nation states with MASSIVE budgets and techniques.

If you do not think there is a serious cyberattack happening, you must wake up and smell the roses. If you have something to protect, and even if you do not, the wide swaths of cyberattacks coming out of China will make your life more difficult.

The above image does not surprise me and is the number of attacks on this website in a week. And this website has no data beyond what you see on the blog (i.e. there is no customer data or other data hidden)

Contact us to review your Cyber defense strategy.

What We Can Learn From Baltimore City Ransomware Attack

From WSJ article

On May 7th hackers were able to shut down a number of city of Baltimore computers. They demanded $100k worth of bitcoins to release their stranglehold. On this day that is about 13 Bitcoins (value of Bitcoins fluctuates).

So Baltimore is refusing to pay as they should. The ransomware the hackers used is called RobbinHood.

And apparently if there is no payment within 10 days the price goes up. How did RobbinHood get access to the systems (and then corrupt them)?

Bleepingcomputer.com goes into some of the RobbinHood details.

Apparently this ransomware is not coming in through Spam (like many others). Arstechnica has some more details of the IT details in Baltimore City departments:

“Tracking down how and when the malware got into the city’s network is a significant task. The city has a huge attack surface, with 113 subdomains—about a quarter of which are internally hosted—and at least 256 public IP addresses (of which only eight are currently online, thanks to the network shutdown).”

Part of this problem seems to stem from mismanagement of GRC (Governance, Risk, Compliance). The IT department was underfunded, which seems obvious now, but was not earlier. And now the decision is: do we pay ransom to get back to normal? Or suffer through a restore which takes an unknown amount of time and resources? Will the restore work? If not, then we have to rebuild systems from scratch: reinstall operating systems and applications, while also making sure this problem does not resurface (create proper procedures for installing and patching). So all the things that were obvious in the past and had a long time to resolve now must be done under the glare of the public eye, in a quick manner. There are plenty of stories of how real estate transactions are not closing without some department computers. So where the city wanted to be paperless, it has to reinstate paper-based processes.

Needless to say Baltimore is the poster child of how not to do things.

There is a price to pay at some point for bad management decisions (underfunding IT updates or security initiatives). When you do not update systems in a sprawling campus of hundreds of systems, then it is inevitable that there will be a system that can get attacked. Hackers are ingenious and find ways in. Once they are in, the game is to elevate credentials (privileges).

Let me ask you a question: if it is relatively easy (for the hacker) to come in and take a system, then elevating privileges will also be ‘easy’, as privilege escalation vulnerabilities are more numerous.

So now the hacker is in the network and can do pretty much as they please. Now the hacker will try and find the most important systems (email and file servers among others) to infect. This is exactly what happened in the city of Baltimore campus.

Contact us to discuss GRC and prevent a disaster like this from happening to your organization.