Several interesting articles and papers have appeared in the last week, all concerning cyberwarfare capabilities and intrusions on the internet. Let's have a closer look at them.
First, I was reading 'The new art of War' (Washington Post). The following section caught my eye:
The Joint Information Operations Warfare Command, located at Lackland Air Force Base in Texas, integrates elements of electronic warfare, military deception, operations security and strategic communications to ensure that cyberspace is controlled and available to friendly forces for offensive and defensive uses.
I know that a lot of fingers are being pointed at China and that the media can also be used as a tactic. The truth is probably that 'electronic warfare' is performed by both sides. But let's have a look at the information that is out there.
At the beginning of this week, the Pentagon released its Report to Congress on the Military Power of China '08. It was interesting to read the 66-page report, in which the Pentagon outlines various techniques China employs in order to boost its use of technology.
But the part we are interested in is the section on electronic capabilities:
"Cyberwarfare Capabilities. In the past year, numerous computer networks around the world, including those owned by the U.S. Government, were subject to intrusions that appear to have originated within the PRC. These intrusions require many of the skills and capabilities that would also be required for computer network attack. Although it is unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC government, developing capabilities for cyberwarfare is consistent with authoritative PLA writings on this subject."
Note that the last part mentions "appeared to originate in the PRC" (People's Republic of China).
• In 2007, the Department of Defense, other U.S. Government agencies and departments, and defense-related think tanks and contractors experienced multiple computer network intrusions, many of which appeared to originate in the PRC.
Now, let's have another view on this: Chinese Perceptions of Traditional and Nontraditional Security Threats (pdf from strategicstudiesinstitute.army.mil)
That the report is written at all is seen as evidence of America's adherence to outdated and dangerous Cold War thinking, trying to paint China as the strategic rival that the Soviet Union once was. Major General Peng Guangqian of the Chinese People's Liberation Army's (PLA) Academy of Military Sciences noted that there have been only two instances where a government has publicly published reports on the military power of another country: the U.S. reports on the military strength of the former Soviet Union, and the current reports to Congress on China's military strength. He continues, "Cooking up this kind of report on the military power of the so-called major opponent or potentially major 'challenger' of the future reflects typical Cold War thinking."
While the report is no different from a standard intelligence assessment on foreign capabilities that most countries produce, its unclassified nature and broad distribution does make it unique. And the fact that the United States does not publish such assessments on any country besides China is telling about our own threat perceptions.
Commenting on the Pentagon's "Cold War mentality" and continued propagation of the "China threat theory," China's Foreign Ministry spokesman noted that China was "strongly resentful and firmly opposed" to the report.
But let's get back to the hacking attempts that were reported last year and the tactics that were used. These attempts were not limited to the U.S., but included incidents in Germany, France and Britain.
If you look at the German intrusion, you can see that the attackers used Word documents to install Trojans on the network. The same tactic was used in the attacks on the Pentagon systems: it allowed the attackers to send spoofed emails that appeared to come from other Pentagon personnel, and after that they managed to steal login credentials for the network, according to this article from Federal Computer Week.
It seems that social engineering is always an important part of the attack, combined with office documents containing exploits. This is consistent with the tactics described by hackers like 'Wicked Rose':
Rose's preferred method of attack is through social engineering and he says he has plenty of experience at it. First you get the sensitive information off the organization or institute's public website. This period is called the collection stage. He notes that all the large companies maintain employee databases and that these contain the userids, passwords and mailboxes. Using the user's identification you can search on the internet to find out where they go and what they do. It is important to do analysis on the userids of the major figures. It is possible to obtain their login and password at other sites they visit.
According to Rose, mailboxes are the most useful. You can get thousands of mailbox addresses from one database. Next, simply send out thousands of emails with Trojans attached and one or more of the employees is going to open it. (Source: The Dark Visitor).
The NCPH hacker group, of which Wicked Rose is the leader, is known to have written several Word-based exploit tools.
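The tactic described in the last few paragraphs (a spoofed "internal" sender carrying an Office document that drops a Trojan) is the kind of thing a mail gateway can triage cheaply before any attachment is opened. The following is an added example written for this post, not code from the original or from any of the sources cited; it assumes a placeholder internal mail domain (example.mil) and uses constructed sample messages. It flags a From header that claims the internal domain while the Return-Path points elsewhere, and it classifies attachments by their first bytes rather than by file name, so a ".doc" that is really an executable is reported as well.

```python
"""Mail triage for spoofed-sender + Office-attachment lures (added example).

Everything below is constructed for illustration: the internal domain, the
sender names and the attachment bodies are placeholders, not data from the post.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.mil"  # assumed placeholder for the organisation's own domain

# File-format signatures used instead of trusting the attachment's file name.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx/.pptx) is a zip
PE_MAGIC = b"MZ"                                   # Windows executable
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_attachment(part):
    """Return (filename, kind) where kind comes from the payload's magic bytes."""
    payload = part.get_payload(decode=True) or b""
    name = (part.get_filename() or "").lower()
    if payload.startswith(PE_MAGIC):
        kind = "executable"
    elif payload.startswith(OLE2_MAGIC):
        kind = "ole2-office"
    elif payload.startswith(ZIP_MAGIC):
        kind = "zip-or-ooxml"
    else:
        kind = "other"
    return name, kind


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender spoofing check: the envelope sender (Return-Path, stamped by the
    #    receiving MTA in real mail) should match a From that claims to be internal.
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if from_dom == INTERNAL_DOMAIN and rp_dom and rp_dom != from_dom:
        findings.append(f"internal From ({from_dom}) but Return-Path domain is {rp_dom}")

    # 2. Attachment check: Office containers from a spoofed sender are the lure
    #    described in the post; an executable disguised with an Office name is worse.
    for part in msg.iter_attachments():
        name, kind = classify_attachment(part)
        if name.endswith(OFFICE_EXT):
            if kind in ("ole2-office", "zip-or-ooxml"):
                findings.append(f"office attachment: {name}")
            else:
                findings.append(f"attachment {name} named as Office but content is {kind}")
        elif kind == "executable":
            findings.append(f"executable attachment: {name}")
    return findings


def build_sample(from_hdr, return_path, filename, content):
    """Construct a sample message; the Return-Path is set by hand only for the demo."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "analyst@example.mil"
    m["Subject"] = "Updated briefing"
    m["Return-Path"] = return_path
    m.set_content("Please review the attached document.")
    m.add_attachment(content, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples (not real messages).
SPOOFED_SAMPLE = build_sample("Col. Smith <smith@example.mil>",
                              "<bounce@mail-relay.example.net>",
                              "briefing.doc", OLE2_MAGIC + b"\x00" * 64)
DISGUISED_SAMPLE = build_sample("Col. Smith <smith@example.mil>",
                                "<bounce@mail-relay.example.net>",
                                "report.doc", PE_MAGIC + b"\x90" * 64)
CLEAN_SAMPLE = build_sample("Col. Smith <smith@example.mil>",
                            "<smith@example.mil>",
                            "notes.txt", b"plain text, nothing to see")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_SAMPLE), ("disguised", DISGUISED_SAMPLE),
                       ("clean", CLEAN_SAMPLE)):
        print(label, "->", triage(raw) or ["no findings"])
```

The point of checking magic bytes is that the file name is attacker-controlled while the first bytes of the payload are not; in production the Return-Path comparison would be replaced or complemented by SPF/DKIM results from the receiving MTA, which this stand-alone example does not have.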
Yesterday, CNN.com also published an article on the hacker Xiao Chen. Note that there is also a video on top of the article.
But Xiao Chen says after the alleged Pentagon attack, his colleagues were paid by the Chinese government. Again, CNN has no way to independently confirm if that is true.
His allegations brought strenuous denials from Beijing. "I am telling you honestly, the Chinese government does not do such a thing," Qin said.
But if Xiao Chen is telling the truth, it appears his colleagues launched a freelance attack -- not initiated by Beijing, but paid for after the fact. "These hacker groups in my opinion are not agents of the Chinese state," says James Mulvenon from the Center for Intelligence Research and Analysis, which works with the U.S. intelligence community.
The Dark Visitor analyzed the video and found out the organization to which Xiao Chen belongs.
Next, I stumbled upon "Operational analysis of Chinese 'cyber army' penetration and recovery techniques" (spaces.icgpartners.com) dated 8 January 2008.
A wealth of information is gathered here, including the analysis of the following presentation on slideshare:
UPDATE: Some days after this post, the slides were removed. You can still download the screenshots here. Some of them are also displayed at TheDarkVisitor here (not all of them, though). The original poster on slideshare is unknown, as are his reasons for removing it now.
From the article:
The PowerPoint China Cyber Army documents a classic, highly organized Chinese IP attack/phishing pattern that we have seen previously but China Cyber Army is the first specific unclass description that we've seen on the recent spate of Chinese attacks against France (also here), UK (also here), Germany, the US, but to name a few.
This site has another fascinating article from 31 May 2007: Informationalization in Chinese military doctrine affects foreign commercial and military assets.
A Taiwanese-American working in the US IT sector who graduated the same year in Taiwan as did the likely author, Chung-Ping Chen, or Charlie Chen, now at National Taiwan University, and has a number of Stanford and Taiwanese friends coming from the same class as Chen had this to say about the PPT: "Those are interesting slides, and probably a known secret for a lot of Taiwanese." These foils (slides) will come as bracing news to too many complacent US and EU corporations and defense entities who believe that they are not at risk at their desk on home soil.
It's really worth reading. They also take a look back at the 2007, 2006 and 2005 versions of Military Power of the People's Republic of China. But take these reports from the Pentagon with a grain of salt. It's only one point of view on the whole story.
In the absence of a US counter-cyber warfare strategy, Chinese IT technologists enter all but the most secure US systems, exceeding the limits of passive examination and surveillance. Naval Network Warfare Command (Netwarcom) and others observe:
- Chinese attacks "far outstrip other attackers in terms of volume, proficiency and sophistication, [the conflict having] reached the level of a campaign-style, force-on-force engagement"
- "Motives of Chinese hackers run the gamut, including technology theft, intelligence gathering, exfiltration, research on DOD operations and the creation of dormant presences in DOD networks for future action"
- Chinese employ complex, parallel attacks including using a virus plant "as a distraction and then come in "slow and low" to hide in a system while the monitors are distracted… spear phishing, sending deceptive mass e-mail messages to lure DOD users into clicking on a malicious URL, [and innovative implementations] of more traditional hacking methods, such as Trojan horse viruses and worms"
- Attacks are so deliberate, "it’s hard to believe it’s not [Chinese] government-driven"
I believe there is a real threat. It doesn't matter who is behind it. What matters is that they are organized and committed to their task. Understanding their mindset and tactics is important and often overlooked.
If you are still thirsty for more information, have a look at the Dark Visitor Blog. He has a wealth of information about the World of Chinese Hackers. He also has a book which I intend to buy this week. Taosecurity already has a review of the book here.
UPDATE(13/03/2008): The Heritage Foundation also has an extensive article that dates from 8 Feb 2008: Trojan Dragon: China's Cyber Threat. An excerpt:
According to an official of Taiwan's Ministry of National Defense, in 2006, Taiwan detected 13 PLA zero-day attacks launched within Microsoft applications and experienced a total of 178 days of vulnerability between notifying Microsoft of the attacks and receiving the appropriate patches. One PowerPoint-based attack was so sophisticated that it took Microsoft engineers over two months to construct a patch.[28] In spring 2006, a certain foreign "coast guard agency" discovered a covert program imbedded in its network that systematically searched for shipping schedules and then forwarded them to an e-mail address in China.[29]
2 comments:
I love your work on cyber warfare and I found some other work I find equally as good by Kevin Coleman. Why don't you two collaborate and really put the nation on the right course?
Dear Benny,
Sembah Salam (Warrior Greetings) from Malaysia.
Two Chinese characters at the beginning of your post remind me of The Double Dragon. In the Silat Gayong logo, we have only one dragon. Maybe the other one is in China, eay? ;)
Anyway, I would love your permission to republish your post in my blog here:
http://spaces.muxlim.com/epolain
Please see right panel> My Blog.
Your post is very interesting and enlightened me with a new spectrum of knowledge. I thank you for that.
I'm having a hacking issue, I believe, with my yahoo account. Mr Gugel helped me to find you. ;)
Of course, I would love it if you could share with me your knowledge. And vice versa.
I strongly believe that you are also a martial arts lover. 2 heads are better than one. Yeah... I know more than one head is monster. We'll be a nice, polite and graceful monster then, huh? ;)
After all... our knowledge is only a drop inside a drop of ocean water at the end of the beak of a bird.
You want to know what the hell the bird is doing by dipping its beak into the ocean?
Ask the bird... muahahahaha...
Thank you, domo arigato gozaimas and sei-sei.
Mahadher Abdul Halim
http://spaces.muxlim.com/epolain
Melaka, Malaysia.