Wednesday, October 29, 2014

Cyber Threat Marketing and Political Expediency: STOP THE MADNESS

FireEye's APT28 report is the latest in a series of glossy marketing white papers which claim to reveal the workings of "state-sponsored actors", in this case from Russia. The paper fails to prove its claim of state-sponsorship (a confusing term that the FireEye report never defines) and evidences a few other bad habits described below.

However, none of that really matters because Russia is currently on the White House's shit list, it's being hammered by sanctions, and the Kremlin has shown itself over the years to be more than willing to let its very talented hacker population engage in cyber attacks against its political enemies without repercussion.

Last year when Mandiant came out with its APT1 report about China, guess who was on the White House's shit list then?

From a marketing perspective, you can say-hint-imply-presume whatever you want. Proof is irrelevant. What counts is that the political interests of the U.S. and other western nations correspond with the marketing interests of cyber security companies. Timing - as Hesiod said - is everything.

However, even if the raw commercialism of this strategy doesn't bother you or is at least forgivable because after all FireEye and all of its competitors are for-profit enterprises, the report's authors have made some awful decisions in their analytic method.

Cherry-Picking The Evidence
"APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests. They do indicate parallel areas of interest to many governments and do not run counter to Russian state interests."
In other words, we've just included the evidence that supports our theory and excluded the evidence that doesn't. That's precisely the kind of bad analysis that's behind every intelligence failure that has ever happened.

Calling Low Level Attacks "Sophisticated"
"Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government’s alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008, as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008. These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace."
Speaking as someone who's been researching Russian information warfare practices and, more importantly, its ongoing research and development in information security, I can tell you that the SQL attacks against Georgian government websites during the 2008 war were not even close to "sophisticated". Same with the 2008 DOD breach. Remember that when you have to explain to your boss that some unemployed Russian kid (sorry, Russian "state-sponsored" actors) stole everything you own, it better be because it was "highly sophisticated".

Unfortunately for myself and others who take a skeptical or even cynical view of every public report of a "sophisticated state-sponsored" attack, the reporting agency or corporation never shares their raw data. And whatever is shared is scrubbed.

APT28 isn't a Person or Persons. It's a Thing
Cyber security companies that monitor networks and threat actors rely almost exclusively upon technical attributes when they establish a "group". It's not like a street gang unit at your local PD that can tell you the gangs that operate in an area, who the members are and where they go when they leave. They don't know who the members are, or how many there are, or what nationality they are, or who they're working for, or how long they stay before moving on. Visit and pick any hacker group that does high-profile defacements. Do a search by group name and find one with a history spanning just one year. Start with the earliest defacement and add the aliases of the group's members to a spreadsheet. Jump ahead a few months and check to see if the names have changed. Jump ahead a year. Members come and go, and when they go they take with them the tools and resources that they are comfortable with using. Or perhaps they'll discover new tools with a different group and in a few months, jump again, this time with different TTPs than they had a year ago. Are they still "APT28"?
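To make the turnover argument concrete, here is an added example (mine, not from the original post) over a constructed timeline of aliases and tools for a hypothetical defacement crew: a clustering rule that links periods on shared tools carries one group label across four periods even though not a single founding member remains. The aliases, tool names and the 0.5 overlap threshold are all made up for the illustration.

```python
# Added illustration (not from the original post): constructed roster/TTP snapshots
# of a hypothetical defacement crew, showing how a clustering driven purely by
# technical attributes keeps one "group" label alive through complete member turnover.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Snapshot:
    """One observation period for a group label. All values are constructed."""
    period: str
    members: Set[str]  # aliases credited on defacements in that period
    ttps: Set[str]     # tools and techniques observed in that period


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set overlap in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def ttp_linked(prev: Snapshot, cur: Snapshot, threshold: float = 0.5) -> bool:
    """The vendor-style rule: adjacent periods belong to the same 'group'
    when enough tools/techniques carry over (threshold is an assumption)."""
    return jaccard(prev.ttps, cur.ttps) >= threshold


def label_survives(snaps: List[Snapshot], threshold: float = 0.5) -> bool:
    """True when every adjacent pair is TTP-linked, i.e. the tracking label
    is carried unbroken from the first period to the last."""
    return all(ttp_linked(a, b, threshold) for a, b in zip(snaps, snaps[1:]))


def roster_continuity(snaps: List[Snapshot]) -> float:
    """Fraction of the founding roster still present in the final period."""
    first, last = snaps[0].members, snaps[-1].members
    return len(first & last) / len(first)


def adjacent_roster_overlap(snaps: List[Snapshot]) -> List[Tuple[str, float]]:
    """Per-step member overlap: the churn that technical indicators never see."""
    return [(f"{a.period}->{b.period}", jaccard(a.members, b.members))
            for a, b in zip(snaps, snaps[1:])]


# Constructed timeline: members leave one at a time, each taking or bringing
# a tool, so no single step looks like a break to a TTP-based cluster.
SNAPSHOTS = [
    Snapshot("2013-Q1", {"alpha", "bravo", "charlie"}, {"sqli", "webshell-x", "deface-kit"}),
    Snapshot("2013-Q3", {"bravo", "charlie", "delta"}, {"sqli", "webshell-x", "rat-a"}),
    Snapshot("2014-Q1", {"delta", "echo"},             {"sqli", "rat-a", "spearphish"}),
    Snapshot("2014-Q3", {"echo", "foxtrot"},           {"sqli", "rat-a", "spearphish"}),
]

if __name__ == "__main__":
    print("label survives on TTP overlap:", label_survives(SNAPSHOTS))      # True
    print("founding members still present:", roster_continuity(SNAPSHOTS))  # 0.0
    for step, overlap in adjacent_roster_overlap(SNAPSHOTS):
        print(f"  {step}: member overlap {overlap:.2f}")
```

Raising the threshold to 0.6 breaks the chain at the first step, which is the point: whether "APT28" is one actor or three depends on an analyst's tuning knob, not on who the people are.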

"Stop The Madness"
To quote Mr. Wonderful, "STOP THE MADNESS!" Reports like these cannot be trusted to give a factual assessment of the real-world capabilities of any government's activities with their resident hacker populations. And they positively do not reflect the capabilities of any government's security services.

They are (1) a way to gain market share through garnering headlines and (2) a way to gain favor or secure contracts with government agencies who are catering to their customer - the Executive Office of the President.

Wednesday, October 22, 2014

"Hunting For Seeds That Remain Uncultivated, For Ideas That Lie Dormant"

From time to time I like to share gems of insight that I've discovered in the works of others in hopes that someone else will benefit besides myself. I'm always the first one awake in our house (usually before dawn) so I make a double espresso and sit down at my desk, which faces East overlooking the Hood Canal. Ellis' book is a collection of ancient Egyptian texts so it's fun to open it up randomly and see where you land. This is what I opened to this morning, around the time that dawn was breaking.

Thoth Speaks:
The ibis and the ink pot - these are blessed. For as the ibis pecks along the bank for a bit of food, so the scribe searches among his thoughts for some truth to tell. All the work is his to speak, its secrets writ down in his heart from the beginning of time, the gods' words rising upward through his dark belly, seeking light at the edge of his throat. We are made of god stuff, the explosion of stars, particles of light, molded in the presence of gods. The gods are with us. Their secrets writ only in the scrolls of men's hearts, the law of creation, death and change inscribed in the blood and seed of man's love. In the beginning and at the end, the book is opened and we see what in life we are asked to remember.
Hear, then, my words, the ringing of my speech, as the heart and the scroll of this life fall open. Truth is the harvest scythe. What is sown - love or anger or bitterness - that shall be your bread. The corn is no better than its seed, then let what you plant be good. Let your touch on earth be light so that when earth covers you, the clods of dirt fall lightly. The soul of a man forgets nothing. It stands amazed at its own being. The heart beats the rhythm of its life. The lungs breathe the ions of its own vibration. The mind recalls its thoughts. The glands respond to its emotions.
The body is a soul's record. And when a man's life ends, his body is given back to gods and the gods shall see what use their laws have been. They shall see the deeds its hands have made, the sparks of light its heart set in the world. They shall see whether or not their love, their powers have been wasted, whether the plants it has grown were nourishing or poison. And like the ibis, the gods shall circle about him, hunting for seeds that remain uncultivated, for ideas that lie dormant, thoughts left unexpressed.
They shall find new seeds from the plants he has tended. And these shall be planted again in the clay of a new man and he shall be sent back to the world until all the gods have seen fit to create in man is cultivated, and then, in final death, he shall be welcomed home as one of them.
- From "Awakening Osiris: The Egyptian Book of the Dead" by Normandi Ellis, Phanes Press, Boston 1988, pp. 55-56

Saturday, October 11, 2014

First Look at Suits and Spooks DC 2015: 3 Hot Workshops and over 20 talks and panels

Early bird registration is now open for Suits and Spooks DC. We've expanded it to three days so as to include one optional day of training (Wednesday Feb 4). Since this is Suits and Spooks and not your typical Security conference, you've never had training like this before:

A Cyber Intelligence Analyst's Workshop: Connecting More Dots With Carmen Medina
A Cyber Security Entrepreneur's Workshop: Transitioning from a Spook to a Suit (taught by Barbara Hunt, Rick Holland, and to-be-announced panelists)
The PRC People's Liberation Army Information Warfare Infrastructure Workshop by Mark Stokes (Project 2049 Institute)

The training will be given in a tiered classroom setting with microphones at every seat and two large projection screens behind the instructor.

On Thursday (Feb 5) and Friday (Feb 6) our DC collision event will be held with a unique collection of speakers that includes John Robb (military strategist, futurist, and author of Open Source Warfare), Zachary Tumin (Deputy Commissioner for Strategic Initiatives at the NYPD), Thomas Rid (Professor at Kings College London and author of "Cyber War Does Not Exist"), John Holland (CISO of Risk Division of Credit Suisse), and Ben Milne (founder of Dwolla).

You'll also get a very rare, inside look at how one of the world's largest defense contractors defends its global network, learn about Bitcoins and how at least one international bank is dealing with them, engage in a Q&A with a US Assistant District Attorney (invited), and much, much more.

Our Early Bird discount is $675 for all three days or $575 without the workshops. GOV/MIL rates are $395/$325. This event always sells out so register early.

Friday, August 8, 2014

Israel's Power Grid Is Susceptible To A Cyber Attack. Why Hasn't It Happened?

The fighting between Israel and Hamas during Operation Protective Edge has been severe by any measure, especially with regard to the cost in human lives: over 1,800 Palestinians have been killed in the past 30 days while the IDF has lost 67 soldiers and 3 Israeli civilians [1]. Israel has been using air and ground assaults while Hamas has launched over 3,300 rockets [2].

In comparison, the cyber attacks launched against Israel haven't risen to nearly the same level. They've been nuisance attacks against Israeli government websites [3], rather than technically sophisticated attacks against Israel's critical infrastructure. Hamas has more than enough money to hire hackers with the necessary technical chops. Iran should already have the capability and manpower and they certainly have the money to invest in gaining that capability if they chose to do so. So why hasn't this happened yet? There are a few possibilities:

I've taken a quick survey of my contacts in the industrial control system community and we all agree that Israel's capabilities to defend its critical infrastructure against cyber attacks are second to none in the world. However, Israel Electric, the state-owned company that generates and distributes electricity throughout the country, uses vendors like Siemens whose equipment can be (and has been) exploited by technically sophisticated attackers, so the IEC isn't immune to attack; especially against an adversary who has them on their potential targets list.

Cyber weapons, unlike kinetic weapons, cannot just be used at a moment's notice against any other nation's power grid. It takes advance intelligence, planning, testing and production so that if an attack is imminent, you have the capability to turn out the lights and keep them off. It's unlikely that Hamas has done that. Iran and Syria should be doing that if they aren't already. The U.S. and the PRC have been doing it for years.

Even if Hamas or its ally Iran has the capability to attack Israel's grid, that may not be their geopolitical goal right now. The number of civilian casualties suffered by the Palestinians in Gaza is garnering a lot of sympathy from other nations which could be leveraged towards Hamas obtaining its goal of a Palestinian state. A technically sophisticated cyber attack against Israel that would leave much of the country without power could instantly change that advantage from a positive into a negative since it would have severe humanitarian consequences. Furthermore, the IEC supplies power to the Gaza Strip so even if Hamas wanted to disrupt Israel's ability to wage war by sabotaging the IEC's ability to distribute electricity, it would be cutting off its own supply of power as well.

Alternatively, the IEC has been officially forbidden by Israel's National Security Council to interrupt its supply of power and water to Gaza due to probable blow-back from the international community. Tony Blair has reportedly advised Netanyahu not to disconnect any West Bank or Gaza consumers from their electricity supply [4].

In fact, as of Tuesday August 5, IEC workers guarded by IDF forces were repairing portions of Gaza's electric grid that were damaged by rocket fire [5].

So while there may be several answers as to why Hamas has not utilized the asymmetric advantage offered by cyber weapons deployed against critical infrastructure, the best answer is probably that no one wants to be the first to push that particular button against such a large civilian population.

Also, for those pundits who have dismissed Iran's cyber warfare capabilities: the only capability that Iran or any nation state needs in order to acquire this type of weapon is the ability to write a check with a lot of zeros on it.


Monday, July 14, 2014

Su Bin, Lode-Tech, And Privatizing Cyber Espionage In The PRC

The criminal complaint against Chinese businessman Su Bin (aka Stephen Su, Stephen Subin) is a must-read. Be sure to read the Wall Street Journal article as well. It marks the first time that the FBI has issued an arrest warrant for a foreigner charged with an act of cyber espionage via a network attack that has until now been attributed solely to state actors like the PLA.

The complaint provides an in-depth look at an EaaS (Espionage-as-a-Service) operation involving one named suspect and two unnamed co-conspirators. I've tried to reduce the 49 page complaint into its essential components and added a few missing pieces.

SU Bin (Stephen Su)

Su's alleged role was to help his partners identify valuable military aviation technology to steal and then find buyers for the stolen data. His company's logo as portrayed on the website is almost laughably ironic: "We will track the world's aviation advanced technology." Su and his partners did exactly that, but would then attempt to steal the technology and sell it to their customers.

Su has been the owner and manager of Beijing Lode Technology Company, Ltd. since 2003. Lode-Tech is a cable harness equipment company that serves the aviation and space market. The company has offices in Beijing, Shanghai, Guangzhou, Shenzhen, Chengdu, Xi'an, Shenyang and Changchun.

Lode-Tech is also a representative and distributor of related aerospace products for a number of companies including DIT-MCO in Kansas City, MO; a company which proudly announces that its equipment "was used on the early "Hawk Missile," the first intercontinental Atlas missile, the Polaris missiles for the Navy, the Titan missiles for the Air Force, and the Patriot Missile used so successfully in the Desert Storm War, as well as almost all the aircraft used by the Air Force, Army and the Navy.”

DIT-MCO plus Lode-Tech's other business relationships in the aerospace industry (such as sharing space with Boeing at the Beijing Aviation Expo) put Su in an excellent position to identify valuable data for theft by a team of mercenary hackers who are identified in the complaint as UC1 and UC2.
NOTE: This case underscores the importance for companies in high value technologies like aerospace to (a) conduct in-depth due diligence investigations on all of their vendors and (b) restrict network access by implementing least privilege rules.

Uncharged Co-Conspirator 1 and 2 (UC1, UC2)

According to the complaint, UC1 and UC2 are located in China, are hackers for hire, and are affiliated with multiple organizations and entities in the PRC. They have a diverse history of accomplishments but have chosen to focus on "military technology intelligence". They have an unidentified funding source that provided working capital in the seven figures (RMB), a hierarchical structure, and engage in business development. They've been working with Su since at least August 2009.

In addition to their collaboration with Su on the Boeing C-17 project, UC1 sent several reports to UC2 which described other actions:
  • Targeted F-22 data from Lockheed Martin (LMT wasn't named in the complaint but they're building the F-22 and their sensitive documents use the classification terminology "Proprietary Information Source Selection Sensitive" which was mentioned in the complaint on p. 42).
  • Stole 20GB of data from a U.S. military contractor via the company's FTP server
  • Acquired a list of contractors and suppliers for a U.S. Unmanned Aerial Vehicle project and performed network reconnaissance.
  • Have access to a Russian-Indian joint missile development program by "controlling" the company's website and "awaiting the opportunity to conduct internal penetration".
NOTE: The name of the company is redacted in the report but it may be referring to the Brahmos 2 missile developed by Brahmos Aerospace; a joint venture between India's DRDO and Russia's NPO Mashinostroyenia.

Activities and Methodologies

  • Their target selection is informed by the S&T (Science and Technology) priorities of their potential customers.
  • They establish "technology bases" and hop servers outside of China (i.e., U.S., Korea, Singapore) and "machine rooms" with legal status in Macao and Hong Kong.
  • Intelligence collection is done outside of the PRC (presumably at the above locations) and brought into China in person rather than electronically.
  • They focus on those U.S. and Taiwanese defense contractors which are among the Global top 50 arms companies.


While this is the first criminal complaint that describes "hackers-for-hire" or Espionage-as-a-Service it isn't new and it isn't exclusive to China. U.S. cyber security companies who research APT threat actors should study this criminal complaint closely; especially those who have spent the last 9 years defining APT solely as the Chinese government.

Threat intelligence companies worldwide need to find ways to differentiate the activities of a nation-state from those of a for-profit hacker group, criminal organization, or other alternative entities engaging in acts of cyber espionage. That may be difficult under current APT assumptions and with the limitations of purely technical indicators.

Finally, the SU-UC1-UC2 enterprise as described in this criminal complaint underscores and validates a data-centric approach to cyber security wherein a company identifies their own high value files by knowing the S&T research priorities of a given nation state and its state-owned or publicly-owned enterprises.

Friday, July 11, 2014

Airbus Defense and Space's First APT Threat Intelligence Report: Nice Work!

I've been a frequent and vocal critic of many threat intelligence reports issued by the usual players in information security. So it was very refreshing to read this report by Cassidian CyberSecurity (now a part of Airbus Defense and Space) on an APT threat actor that they named "Pitty Tiger".

I haven't studied the report yet but I did give it a quick read and want to congratulate the team of researchers including David Bizeul who did such an outstanding job in 2007 with his report on the Russian Business Network.

Here's what I really appreciated about the Pitty Tiger report:

APT Threat Actors - Not State Sponsored
Pitty Tiger is described as a Chinese group of hackers who demonstrated poor operational security (similar to the carelessness shown by members of Mandiant's APT1), inexperienced hackers out to make a quick buck rather than bored or careless soldiers working for the PLA:
"Pitty Tiger is probably not a state-sponsored group of attackers. The attackers lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector."
This is the first time that I recall reading a security intelligence report which didn't portray the hackers as state-sponsored, state-affiliated or employed by the PLA. That in and of itself is news-worthy as far as I'm concerned.

The researchers refer to an "opportunistic business model", something that I and other security researchers like J. Oquendo and Peter Mattis have written about as well.

Use of the term "White Paper"
The authors properly categorized their threat intelligence report as a white paper, which it is because it has marketing value for the company. Many well-known cyber security companies who issue security intelligence reports fail to acknowledge that.

Responsible Attribution
The researchers exercised restraint and used cautious language in their attribution section. They didn't make baseless assumptions about "real names" or jump to any conclusions about the identities or affiliations of the hackers.

Kudos to the Airbus team for this report. Please keep them coming.

Monday, July 7, 2014

Suits and Spooks from the US, EU, Russia, The Hague to talk 0-day Regulation and other topics

Suits and Spooks London is happening on Friday Sep 12th with speakers from BAE Systems, EUROPOL, CERT-EU, Kaspersky Lab, CrySyS Lab, Goldman Sachs, PwC and other organizations. If you're looking for a security conference where you're expected to be a passive participant, don't bother coming.

If, on the other hand, you have an opinion about the relative value of attribution, the wisdom of active defense, the regulation of 0-day development and dual-use penetration testing products, and want to have an informed discussion and debate about them with people who can make a difference, then by all means join us at the top of the Blue Fin building in central London for a day of stimulating topics and discussions.

Here's a short video introduction to Suits and Spooks, if you've never attended the event.

Take advantage of our Early Bird rate of GBP135.00 ($231) before July 31st. Seating is limited to 50 attendees. You can also register by phone (855) 777-8242.