Operational analysis of Chinese 'cyber army' penetration and recovery techniques
Gordon Housworth [1/8/2008 - 16:24]
The PowerPoint China Cyber Army documents a classic, highly organized Chinese IP attack/phishing pattern that we have seen previously, but China Cyber Army is the first specific unclassified description that we've seen of the recent spate of Chinese attacks against France (also here), the UK (also here), Germany and the US, to name but a few.
A Taiwanese-American working in the US IT sector who graduated the same year in Taiwan as did the likely author, Chung-Ping Chen, or Charlie Chen, now at National Taiwan University, and has a number of Stanford and Taiwanese friends coming from the same class as Chen had this to say about the PPT: "Those are interesting slides, and probably a known secret for a lot of Taiwanese." These foils (slides) will come as bracing news to too many complacent US and EU corporations and defense entities who believe that they are not at risk at their desk on home soil.
Readers will gain background from:
US IT infrastructure is as, likely more, vulnerable to active and passive cyberattack than Estonia, 6/1/2007
Global context
It is helpful to place China Cyber Army within the context of rising state on state cyber ops. The third annual VIRTUAL CRIMINOLOGY REPORT, CYBERCRIME: THE NEXT WAVE, points out three trends for 2008 and beyond:
- [G]rowing threat to national security as Web espionage becomes increasingly advanced, moving from curiosity probes to well-funded and well-organized operations out for not only financial, but also political or technical gain...
- [I]ncreasing threat to online services because of the growth in sophistication of attack techniques. Social engineering, for example, is now being used in conjunction with phishing techniques-making the situation even more complex and posing an increasing threat to public confidence in the Internet.
- [E]mergence of a sophisticated market in software flaws that can be used to carry out espionage and attacks on critical government infrastructure networks. The findings indicate a blurred line between legal and illegal sales of software vulnerabilities.
The states most at risk as cybertargets "are those countries which are heavily networked and reliant on the Internet as well as those countries with an unstable political environment."
The commercial and government sector seems to be unaware that a cyber cold war is underway:
The Chinese have publicly stated that they are pursuing activities in cyber-espionage and government white paper, as read by McAfee Avert Labs, they speak of technology being a large part of war in the future. The United States, United Kingdom, Germany and several other countries are likely targets for political, military, economic and technical espionage.
And other nations may have similar plans to conduct online spying operations.
"There are signs that intelligence agencies around the world are constantly probing other governments’ networks looking for strengths and weaknesses and developing new ways to gather intelligence," said Peter Sommer, an expert in information systems and innovation at the London School of Economics.
"Everybody is hacking everybody," said Johannes Ullrich, an expert with the SANS Technology Institute, pointing to Israeli hacks against the United States and French hacks against European Union partners. But it is aspects of the Chinese approach that worry him. "The part I am most afraid of is...staging probes inside key industries. It’s almost like having sleeper cells, having ways to disrupt systems when you need it if it ever came to war."
And with an estimated 120 countries working on their cyberattack commands, in 10-20 years experts believe we could see countries jostling for cyber supremacy.
Sommer warns that countries are undoubtedly gearing themselves up to launch international all-out online attacks. The present political environment is one in which countries are testing the waters to gauge the potential influence (and risks) of such assaults...
"The Chinese were first to use cyberattacks for political and military goals," said James Mulvenon, an expert on China’s military and director of the Center for Intelligence and Research in Washington. "Whether it is a battlefield preparation or hacking networks connected to the German chancellor they are the first state actor to jump feet first into the 21st century cyber warfare technology. This is becoming a more serious and open problem."
High-tech crime is no longer just a threat to industry and individuals...
China Cyber Army architecture and operation
China Cyber Army describes eight discrete operating groups placed in Beijing/TienJing, SiAnn, ShangHai, SiChuan, HuBei, JianSu, FuJian, and GuoDong. As Jun is the word for military troop, an individual group would be known as, say, HuBei Jun. (Unlike official state responses, which have been reticent to name Chinese state assets as the perpetrator, China Cyber Army pointedly labels China as the relevant actor.) The purpose of the groups is said to be commercial and military espionage as opposed to botnet herding or site defacement. No surprise that "Motivation" is said to be "Political Control, Military Operation, and High Tech intelligent properties." Group membership is said to be drawn from university, military and criminal sources and what I would describe as global for-hire hackers, notably from Taiwan.
Hacker group roles are delineated as:
- Attacker: scan, exploit attack, get control of way-station
- Mailer: using free mail box or mass mail sender tool on way-station
- Collector: backdoor master, get useful data from victim, somehow play as internal attack via victim machine
- Operator: Stable, continuous maintain the latest data from victim
- Analyzer: depends on language
These hacker groups demonstrate intense organization. A rigorous summer operating schedule of two shifts is described for this cyber army: Start work at 0750 GMT+8, primarily entry hacking and launching data collect commands; lunch at 1200 GMT+8; recover data from the morning effort; break at 1700 GMT+8; first shift ends at 1900 GMT+8 and is replaced by second shift. Attacks are said to be "everyday" which may be interpreted as a seven day week. Encryption keys are "arranged by area," group members employ "the same tool not common seen in the public internet," Chinese military signatures are seen in the tools and extensive use is made of language experts and machine translation.
Prime human targets are in government, defense, military, foreign affairs, media plus any site containing potentially sensitive information. Data targets comprise the usual suspects: contact lists, mailbox contents, databases, passwords and keys, MS Office files, Acrobat PDFs, images and internal system settings. Once this data is gathered, relationship databases are constructed, key personnel are identified to receive email Trojans and phishing attacks, malware is inserted at key points, ID-passwords and keys are examined for subsequent targeting, while potentially useful data is routed to language analyzers (machine translation).
The Chinese employ three different attack and recovery processes described as "Type 1: Direct reverse Connect, Type 2: Relay Connect, Type 3: Switching Connect." From the diagrams in the PPT and a fair use PDF:
Direct reverse Connect
Hacker to Way Station Relay Program:
(1) Hacker change the DN
(2) Remote Control the WS through 3389 (TS) or other back door
(3) Open the backdoor controller on WS for victim on 80,53,443,1863
Way Station Relay Program to Victim:
(1) Backdoor on victim, Query the Domain Names or IP
(2) Connect to the way station through normal Ports like 80,53,443,1863 etc.
Relay Connect
Hacker to Way Station Relay Program:
(1) Hacker change the DN mapping to Way-Station
(2) Start the Relay Program on WS
(3) Open the backdoor controller on Hacker's PC listening
Way Station Relay Program to Victim:
(1) Backdoor on victim, Query the Domain Names or IP
(2) Connect to the way station through normal Ports like 80,53,443,1863 etc.
Switching Connect
Hacker to Way Station Relay Program:
(1) Hacker change the DN mapping to Way-Station
(2) Start the Switching Program on WS
(3) Start the backdoor controller & Connect to WS
(4) Pick the Victim Connection, build a tunnel
* Not all the flow will pass to hacker
Way Station Relay Program to Victim:
(1) Backdoor on victim, Query the Domain Names or IP
(2) Connect to the way station through normal Ports like 80,53,443,1863 etc.
(3) Waiting For Select!
Great efforts are taken to prevent discovery and shield attack source: multiple Way Stations, "Leveling" steps involving checking importance of victims and inserting new backdoors, dynamic domain name shifting, and parallel channels for downloads.
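Seen from the victim's side, all three connection types reduce to one observable: a backdoor that resolves a (shifting) domain name and then connects out on 80, 53, 443 or 1863 at regular intervals during the operators' GMT+8 working hours described above. The following is an added Python example, not from the PPT or from the author, that runs that detection over a constructed DNS/connection log: it flags regular check-ins on those ports, records every IP the same name resolved to (dynamic domain shifting), and histograms the check-ins by GMT+8 hour, the kind of domain-name observation from which the working schedule was inferred. Host names, IPs and timestamps in the sample log are constructed.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BEACON_PORTS = {80, 53, 443, 1863}     # the "normal ports" listed in the PPT
GMT8 = timezone(timedelta(hours=8))   # zone of the operators' working schedule

# Constructed sample log (not real data): UTC timestamp, victim host,
# name queried by the backdoor, IP it resolved to, destination port.
SAMPLE_LOG = """\
2007-09-10T23:52:11Z host-a ws.dyn-example.test 203.0.113.7 443
2007-09-11T00:02:13Z host-a ws.dyn-example.test 203.0.113.7 443
2007-09-11T00:12:09Z host-a ws.dyn-example.test 203.0.113.7 443
2007-09-11T00:22:15Z host-a ws.dyn-example.test 203.0.113.7 443
2007-09-11T00:32:15Z host-a ws.dyn-example.test 198.51.100.9 443
2007-09-11T00:42:20Z host-a ws.dyn-example.test 198.51.100.9 443
2007-09-11T09:30:00Z host-b www.example.test 192.0.2.10 80
2007-09-11T11:41:00Z host-b www.example.test 192.0.2.10 80
"""


def parse_log(text):
    """Split the whitespace-separated lines into records with UTC-aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name, ip, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"when": when, "host": host, "name": name,
                        "ip": ip, "port": int(port)})
    return records


def find_beacons(records, min_hits=4, max_jitter=60.0):
    """Group connections by (host, name, port). A group on one of the PPT's ports
    whose gaps between connections are regular (jitter below max_jitter seconds)
    is reported as a likely backdoor check-in, together with every IP the name
    resolved to, so a way-station move behind a stable name stays visible."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["host"], r["name"], r["port"])].append(r)
    found = {}
    for key, rs in groups.items():
        if key[2] not in BEACON_PORTS or len(rs) < min_hits:
            continue
        rs.sort(key=lambda r: r["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(rs, rs[1:])]
        jitter = statistics.pstdev(gaps)
        if jitter <= max_jitter:
            found[key] = {"period_s": statistics.median(gaps), "jitter_s": jitter,
                          "ips": sorted({r["ip"] for r in rs})}
    return found


def local_hours(records, key):
    """Count one group's check-ins per GMT+8 hour: clusters inside the 0750-1900
    shift pattern, rather than round the clock, point at a human operator."""
    return Counter(r["when"].astimezone(GMT8).hour for r in records
                   if (r["host"], r["name"], r["port"]) == key)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, info in find_beacons(recs).items():
        print(key, info, dict(local_hours(recs, key)))
```

On the sample, host-a's six check-ins on 443 are reported with a period of about ten minutes across two resolved IPs, all falling in the 07:00-08:59 GMT+8 window; host-b's two ordinary web hits are ignored.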
An "independent defense analyst," Cheng Ta-chen, was quoted in translation from Taipei Times regarding China's "cyber army":
It is reliant on imports for most of its computer hardware and software. More than 90 percent of the computer operating system used by China's government and military is imported from the US. The overall security of China's informatics and Internet is lacking and it does not have security controls for imported technology and equipment. Also, economic relations between China and the US are becoming more intertwined, so if the cyber army were to wage war on the US economy, it would easily create problems for China. None of these factors are beneficial to the development of China's cyber warfare.
A state of war, or peace, is merely a cost benefit analysis:
Economic and military threads are warp and weft of the same cloth, yet too many continue to believe the fallacy that nations that trade together do not war with one another. The reality is that they trade so long as their national cost-benefit analysis tells them to continue doing so. Tipping points exist. The key is to recognize their emergence and be prepared to prosecute them. Short of that, business must address the uncertainties as their governments jostle for advantage.
Obscured provenance and unusual release mechanism
The content of China Cyber Army is as interesting as its provenance is obscured. The anonymous poster used the name DeepThroat. The poster's join date to Slideshare was October 2007 and the account has shared only this one slideshow. I'd conclude that this alias was created with the express purpose of posting the cyber set. There are no introductory or closing foils (pages). The foils are atypically clean, i.e., they are not burdened by the typically overwrought graphics that the feds and the military employ.
Many of the foils have rather dodgy spellings and word constructions that are not bad enough, or consistent enough, to be a machine translation but appear to be the hand of a non-native English speaker. (Certain word constructs are tantalizing and cry out for clarification.) The "Asian fan" in the background is not something that an Occidental would generally use, but when I have seen a fan the subject has been Japan rather than China. There is a nice touch in having a slide transcript as footer to the foils.
We found it interesting that DeepThroat used a "no download, view only" PPT format as the release mechanism instead of a PDF posted to one of many widely read security forums. As we thought the material of value and were uncertain how long the PPT would remain active, a full screen capture was made of each foil as individual jpg files, rolled into a PDF for better examination and portability, and then posted under a fair use guideline as China Cyber - Fair Use.
At the time of capture, DeepThroat listed only one contact in Slideshare, Jonathan Boutelle, a cofounder of Slideshare. A number of us found it curious that a phantom poster elected to cite Boutelle as a linked friend. For a variety of reasons, I'd first assumed that Boutelle was DeepThroat and had bought some room for plausible denial. I queried Boutelle with the courtesy note that I would cite his response in a forthcoming weblog entry. Boutelle replied:
Not me. But you can message that person through slideshare. Just go to their slidespace and click "send a private message". Regards, Jon [email]
Deciding against a voluntary appeal to DeepThroat to uncloak, I researched the PowerPoint text strings which led me to Charlie Chung-Ping Chen, or Charlie Chen, now at National Taiwan University.
Author search for China Cyber Army
Search for the author of China Cyber Army has focused on Associate Professor Charlie Chung-Ping Chen, or Charlie Chen, recently at University of Wisconsin-Madison and now at the Graduate Institute of Electronics Engineering, National Taiwan University, Taipei. (See personal data in the ICS Group.) Chen has potential motive and certainly has means and opportunity.
Taiwanese by birth, thereby open to an anti-mainland Chinese sentiment, Chen took a BS in computer science and information engineering from the National Chiao-Tung University, Hsinchu, Taiwan, in 1990. Moving to the US, Chen earned his doctorate in computer science from the University of Texas in 1998.
Between 1997-1999 he was with the Intel Corporation as a senior CAD engineer with Strategic CAD Labs. He was in charge of several important interconnect and circuit synthesis projects in his microprocessor group.
He was then assistant professor in the Electrical and Computer Engineering Department, University of Wisconsin-Madison, followed by the Graduate Institute of Electronics Engineering, National Taiwan University.
Searching the Chinese language blog, X-Solve, I found a likely source in an article, China Cyber Army~A!, describing Chinese predation on UK and French networks.
The first response to this item is by a "Charlie Chen":
Internet Espionage: The China Cyber Army
Since 2003 Sept, we have found first big scale intrusion event, the victim is the National Police Agency, attacked by at least 2 groups of china hackers, from HuBei and JianSu.
- 2003 Oct. Taiwan Military Missile Plan Leakage. (Lw)
- 2004 Jan. Executive Yuan 300+ PC compromised.
- 2004 Apr. Fake Official Dept. E-mail with Trojan found
- 2004 Sep. Ministry of Foreign Affairs and embassy compromised.()
- 2004 Nov. DPP compromised. (Mh)
- 2005 May. Big scale: Gov, High-Tech, on-line banking, Science Park (200+ companies compromised)
- 2005 Jul. Taiwan, Ministry of Foreign Affairs again.()
- 2005 Sep. Taiwan, National Security Council compromised. ()
- 2005 Nov. Taiwan, Military Central Command compromised.()
- 2006 Mar. Taiwan, Legislative Yuan, Reporters compromised. ()
- 2007 Apr. Military Operation plan leakage due to USB data collect backdoor. (h)
The seventh response is by 'Tomato X' who cites a reply made by Charlie Chen to a Security Focus post:
Tomato X - 11th, 2007 at 6:59
SecurityFocus
http://www.securityfocus.com/comments/articles/11485/34833#34833
"The story is on going everyday" Charlie Chen 2007-09-10
While Lemos' originating article in Security Focus is quite short:
China on hot seat over alleged hacks
Robert Lemos SecurityFocus 2007-09-04
Fresh allegations surfaced on Monday that China's military has hacked other nation's networks to nab sensitive data, charges that the country denied for the second time in two weeks.
Charlie Chen's reply is rich in both content and the curious English phrasing reminiscent of the PPT:
the story is on going everyday 2007-09-10 Charlie Chen Security Focus Sept 10, 2007
Link to this comment: http://www.securityfocus.com/comments/articles/11485/34833#34833
There are at least 8 China Hacker Groups. We call them HuBei Jun (Jun for military troop),
ShangHai Jun, Beijing/TienJing Jun, GuoDong Jun, FuJian Jun, SiChuan Jun, JianSu Jun, SiAnn Jun.
Through incident handling and investigation with law enforcement, we found some evidence to prove the china hackers (targeted attack/spear phishing) came from government (military, intelligence dept and public security).
We have inspected the tools, from the beginning trojaned e-mail, backdoor, and relay tools in the way stations.
At first, using Microsoft Word (*.doc) file with exploit, to drop backdoors or download spyware from other way stations. And the backdoor connects back to way station, when hacker comes from China (fixed IP or ADSL) to remote control victims.
What they want is to collect the contact list files (Outlook, MSN ...) to build a huge database about relationships for future use. From the contact list, hackers can send a 'well-made' trojaned mail to the others in the contact list; then victims will trust the e-mail's subject and fake e-mail source, open it and be compromised. And, periodically jump back to collect the latest documents in all file types. Even steal your mail account to have a copy of your mail boxes.
From what the official document shows, the cyber operation was directly sponsored or supported by General Staff Department Sec. Four. And the evidence shows they:
(1) Organized: have principle, formal check-in/out time;
in our domain name (used by backdoor) observations, they start to work at 0700 GMT+8 Round 1, 1150 Lunch, 1400 Round 2, 1730 Take a break,
then, depending on group, have a night team, to hack foreign countries.
(2) The tools: not commonly seen in public Internet. Some hacker groups use the same military produced/purchased hacking tools.
(3) The source IPs we sniffed from incident handling can be directly mapped to military regions of China.
A quick search on Charlie Chen turns up Charlie Chung-Ping Chen, also known as Charlie Chen, at University of Wisconsin-Madison (his most recent position posting to National Taiwan University is far more obscure but still points to the extended home page at Wisconsin). While there are other Charlie Chens about, this is the only one online with the pedigree to perform the analysis shown in China Cyber Army.
Chen's posting at National Taiwan University is currently listed as on "leave of absence." The attack profile is familiar but Chen is one of the few that is writing a (semi) public analysis of recent attacks. There must be a network beyond Chen as his Security Focus comment talks about 'we' and working with the authorities. Sounds like a Baker Street Irregular group with symbiotic ties to the defense sector.
Chen is not keeping a sufficiently low profile when, with modest digging, I can get to this point. If the mainland is interested, they know this much and far more. Two emails to Chen to learn more about his research efforts in this area have yet to be answered.
- US looks to military to take on cyber threats: Command centre to be offensive and defensive. Tom Young, Computing/vnunet, 10 Jan 2008
- Researchers map China's underground cybercrime economy. Larry Dignan, ZDNet, December 6, 2007, 4:20 am
- Cybercrime agency faces cuts as computer raid threats grow. Rhys Blakely and Sean O'Neill, The Times, December 4, 2007
- Studying Malicious Websites and the Underground Economy on the Chinese Web. Jianwei Zhuge, Thorsten Holz, Chengyu Song, Jinpeng Guo, Xinhui Han, and Wei Zou; Peking University Institute of Computer Science and Technology, Beijing, China, and University of Mannheim Laboratory for Dependable Distributed Systems, Mannheim, Germany; Reihe Informatik TR-2007-011, December 3, 2007
- Secrets of Shell and Rolls-Royce come under attack from China's spies. James Rossiter, The Times, December 3, 2007
- World faces "cyber cold war" threat. Peter Griffiths, Reuters, Nov 29, 2007, 8:37am EST (Mirror)
- Cyber war to escalate in 2008: 120 countries developing ways to attack computer networks. Andrea-Marie Vassou, Computeractive/vnunet, 29 Nov 2007
- Nations must defend against cyber warfare: Problem is getting worse as technology improves methods of attack. Tom Young, Computing/vnunet, 29 Nov 2007
- VIRTUAL CRIMINOLOGY REPORT, CYBERCRIME: THE NEXT WAVE. Ian Brown, Oxford Internet Institute; Lilian Edwards, Institute for Law and the Web (UK); Eugene Spafford et al., CERIAS center at Purdue University (US). The annual McAfee global cyber trends study into organized crime and the Internet, in collaboration with leading international security experts. Commissioned by McAfee, 2007
- Chinese Spying No. 1 Threat To U.S. Manufacturing. Foster Klug, Associated Press, Manufacturing.Net, November 15, 2007
- Panel: China's Spying Poses Threat to U.S. Tech Secrets. David Cho and Ariana Eunjung Cha, Washington Post, November 15, 2007, 11:57 AM
- Cyber war moves up Nato agenda: Increasingly co-ordinated assaults are alarming defence ministers. Tom Young, Computing/vnunet, 01 Nov 2007
- China behind daily internet attacks on Germany: "Chinese cyber war" looking to bridge corporate and scientific gap. Matt Chapman, vnunet, 23 Oct 2007
- Malicious code infects Chinese security site: Chinese Internet Security Response Team's Web site is rigged with a malicious hidden window that can allow code to run on a visitor's PC. Jeremy Kirk, IDG News Service, October 03, 2007
- China Cyber Army. DeepThroat, Slideshare, October 2007
- China says it's a cyberattack victim, not villain. Reuters, published on ZDNet News, Sep 22, 2007, 1:15:00 PM
- Beware lurking PRC cyber army. Cheng Ta-chen, translated by Anna Stiggelbout, Taipei Times, Sep 12, 2007
- France blames China for hack attacks: Chinese whispers. John Leyden, The Register, Wednesday 12th September 2007, 15:49 GMT
- France joins Chinese hacking row: Fourth country points the finger at Chinese hackers following breaches. Matt Chapman, vnunet, 10 Sep 2007
- Chinese hacking row escalates: UK government accused of cover up. Iain Thomson, vnunet, 06 Sep 2007
- CIO Magazine on IP Theft. Richard Bejtlich, TaoSecurity, August 08, 2007, 19:17
Gordon Housworth