Sunday, January 31, 2010

Wide Ranging Espionage by China in Britain

The Sunday Times reports on a leaked MI5 memo warning UK companies of extensive espionage by China, conducted through both traditional means and cyber attacks.

The targets are described as:
"UK defence, energy, communications and manufacturing companies in a concerted hacking campaign. It claims China has also gone much further, targeting the computer networks and email accounts of public relations companies and international law firms."

Several methods are mentioned in the article, including "sexual entrapment", the use of knowledge of "illegal activities to pressurise individuals to co-operate with them", bugging hotel rooms in China and other countries, and:

"...that undercover intelligence officers from the People’s Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of “gifts” and “lavish hospitality”.

"The gifts — cameras and memory sticks — have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users’ computers."

An important point, left to the end of the article, gives some insight into how seriously the UK government takes the problem:
"The growing threat from China has led [Jonathan Evans, the director-general of MI5] to complain that his agency is being forced to divert manpower and resources away from the fight against Al-Qaeda."

China bugs and burgles Britain

Friday, January 22, 2010

Analyzing the Google Attacks - Plenty of Room for Mistakes

SecureWorks has posted an analysis of the malicious code alleged to have been used to attack Google and other companies, collectively referred to as "Operation Aurora". SecureWorks' posting is one of the first pieces of evidence and technical analysis that goes beyond simple speculation.

The analysis centers on a somewhat unusual implementation of a checksum routine (a cyclic redundancy check, or CRC; an error-detecting code, not an error-correcting one) that appears to have been developed in China and published only in Chinese-language papers.

It is great that some good technical analysis is starting to come out and I recommend those interested to read the posting. It has some technical information but the main points should be accessible to non-technical readers.

However, from an investigator's point of view, there are some shortcomings in this type of analysis and it might prove interesting to discuss a few of these.

Most technical analysis focuses on answering what happened and how an incident occurs. Technicians can reverse engineer (malicious) code, analyze network traffic patterns and review logs of system activity to understand how someone gained access to a system and what they did. This analysis is a very necessary and important step. However, just knowing how an incident occurs is not enough for security professionals.

To understand the risk from these types of attacks requires more information. If our response to an attack is based solely on how it occurs, then we risk wasting resources by over-reacting or by applying controls that are ineffective against the actual adversary (one of the most common problems in information security). The current Google incident is a perfect example.

Based on the current public information there is tremendous speculation that this may be sponsored or directed by the Chinese government for the purposes of espionage. If that is true, it requires a significant reaction both in terms of spending by (potential) targets and by action from other governments. However, if this is being carried out by a group of teenagers in Romania (just using Chinese systems as a front) simply for the technical challenge, our response can and should be completely different. Therefore, understanding who the adversaries are and their motives changes the risk equation and our response to it (additionally, we need to understand capabilities but that's another topic).

We need to answer not only what happened and how but also by whom and why.

Here we often hit a brick wall: due to the virtual nature of data and the Internet, it can be very difficult to clearly identify who and why, yet it is not impossible. Unfortunately, many technicians take the what and how information and try to infer answers to who and why, often with poor results.

Inference chains, or inference concatenates, are used by intelligence analysts, investigators and prosecutors to link data points and evidence to develop a conclusion based on what is known or to prove guilt based on evidence. Inference chains can be either weak or strong. Unfortunately, most inferences used to determine "who" perpetrates a cyber attack are weak.

With this in mind, let's go back and look at the technical analysis and where it might have some shortcomings or problems.

One example is the following quote from the SecureWorks posting:
"...outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof."
It is great to see such caution in analysis but it needs to go a little further: How do we know the PRC (People's Republic of China) IP addresses "prove" any involvement by anyone in China or their agents? It might be someone outside of China using a Chinese system: a control server at a PRC address may be a compromised host, a rented server or a proxy operated by someone anywhere in the world. Until we know exactly who the perpetrators are, we don't know what their affiliation with the PRC is. Therefore, we would say that to infer that the perpetrator is Chinese based solely on the use of a Chinese IP address is weak: It might be true but it might not.

Another example of this problem is the conclusion that because the (legitimate) CRC used in the malicious code appears to have been developed in China, the perpetrators must be Chinese (again, using what information to infer who).

The post describes the CRC code and that it appears to have been created in China and only published in simplified Chinese (a form of written Chinese promoted by the PRC).

The inference chain then goes like this:
  1. A particular implementation of a 16-bit CRC (referred to as CRC-16) was created in China for legitimate purposes;
  2. A simple Google search returns only references to the CRC code in simplified Chinese papers;
  3. Malicious code was developed that, in part, uses a CRC that "matches the structural implementation" of the CRC-16 code;
  4. The malicious code was used to attack Google (and others);
  5. Therefore, the "use of this unique CRC implementation in Hydraq [the malicious code] is evidence that someone from within the PRC authored the Aurora codebase".
Is this a strong inference chain? Not if other reasonable conclusions could be drawn. For example, simplified Chinese is also used in Singapore. We could equally conclude (based solely on the inference chain above) that the perpetrator was in Singapore. Or perhaps a Chinese emigrant living in France. Or anyone, anywhere, who found the published routine and copied it. Within reason, we could come up with several other possibilities.
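To make "matches the structural implementation" concrete, here is an added example (my own, not code from this page or from the SecureWorks analysis) that computes the same 16-bit CRC two ways: bit by bit, and through a 16-entry nibble table of the kind a compact implementation carries as constant data. The polynomial (0x8005 in reflected form, i.e. CRC-16/ARC) is an assumption made purely for illustration; the page does not state the polynomial or table used in Hydraq. The point is that the two routines cannot be told apart by their output. What an analyst matches on is the constant table and the code shape around it, and those are exactly what anyone who copied the published routine, wherever they live, would carry into their own binary.

```python
# Added example: two structurally different implementations of one CRC-16.
# Polynomial 0x8005 (reflected form 0xA001, CRC-16/ARC) is assumed for
# illustration only; the page does not give the parameters used in Hydraq.

POLY_REFLECTED = 0xA001  # 0x8005 with its bits reversed (LSB-first CRC)


def crc16_bitwise(data: bytes, init: int = 0) -> int:
    """Bit-serial CRC-16/ARC: shift the register one bit at a time."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ POLY_REFLECTED
            else:
                crc >>= 1
    return crc & 0xFFFF


def make_nibble_table() -> list:
    """16-entry table: the CRC of each 4-bit value run through four shift steps."""
    table = []
    for nib in range(16):
        crc = nib
        for _ in range(4):
            if crc & 1:
                crc = (crc >> 1) ^ POLY_REFLECTED
            else:
                crc >>= 1
        table.append(crc & 0xFFFF)
    return table


NIBBLE_TABLE = make_nibble_table()


def crc16_nibble_table(data: bytes, init: int = 0) -> int:
    """Same CRC as crc16_bitwise, but consuming 4 bits per table lookup.

    Because the CRC is LSB-first, the low nibble of each byte is folded in
    before the high nibble.
    """
    crc = init
    for byte in data:
        crc = (crc >> 4) ^ NIBBLE_TABLE[(crc ^ byte) & 0x0F]
        crc = (crc >> 4) ^ NIBBLE_TABLE[(crc ^ (byte >> 4)) & 0x0F]
    return crc & 0xFFFF


def table_signature() -> bytes:
    """The 32 bytes a compiler would normally emit for the table as little-endian u16s.

    This byte pattern, not the checksum values, is what a 'structural' match
    against a binary actually keys on.
    """
    return b"".join(v.to_bytes(2, "little") for v in NIBBLE_TABLE)


def contains_table(blob: bytes) -> bool:
    """True if the table's constant data occurs verbatim inside blob."""
    return table_signature() in blob


# Constructed stand-in for a slice of a binary: filler, the table, filler.
SAMPLE_BLOB = b"\x90" * 8 + table_signature() + b"\xcc" * 8


if __name__ == "__main__":
    msg = b"123456789"
    print(hex(crc16_bitwise(msg)), hex(crc16_nibble_table(msg)))  # identical
    print([hex(v) for v in NIBBLE_TABLE])
    print(contains_table(SAMPLE_BLOB), contains_table(bytes(64)))
```

contains_table() is the kind of byte-pattern check that turns "structurally matches" into a testable claim about a binary, and it makes the weakness of the inference visible: a positive hit tells you the table constants were present, which says something about where the code came from and nothing about who compiled it in.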

Again, it may be true, but it may not. Does this level of analysis, common in technical cyber crime studies, give us the information we need to react appropriately (technically, legally or politically) to the threat?

One additional problem with the analysis/inference is to rely solely on a simple Google search and conclude that it represents an exhaustive search of the whole space where the articles related to the CRC-16 code could have been published.

I don't want to be overly harsh on this particular analysis. As I said earlier, I think it answers some important what and how questions and, at a technical level, is an excellent piece of work: We need more like it. Likewise, it does provide some very interesting data points that can begin to be used to build the circumstantial evidence needed to answer the who and why questions. However, that will require more information (both technical and non-technical) to build strong inference chains that point to a single, reasonable conclusion. This can be done but with large international cyber cases it requires significant time, data collection and analysis of literally thousands and thousands of data points. It also requires intelligence and analysis of more than just technical information.

Unfortunately, this rarely happens.

We need to be very careful in how we infer the who and why of international cyber crimes. The consequences of making a mistake could be disastrous.


Operation Aurora: Clues in the Code

Tuesday, January 19, 2010

Attack on London Based Jewish Website

The London-based Jewish Chronicle's website was defaced with anti-Semitic and pro-Palestinian messages:
"In a message posted in English and Turkish, a group calling itself the "Palestinian Mujaheeds" quotes from the Quran and attacks Jews in anti-Semitic terms."
Associated Press articles attributed the attack to a recent dispute between Turkey and Israel:
"It comes a week after the eruption of a damaging diplomatic feud between Israel and Turkey. Ankara was outraged when Israel summoned its ambassador to express anger over a Turkish television drama that depicts Israeli agents kidnapping children and shooting old men."
The Jerusalem Post attributes the attacks to Turkish "hackers" and provides some background on previous cyber attacks believed to have originated in Turkey:
"Turkish hackers are notorious for playing a major role in coordinated international Web attacks, which usually come in response to international incidents perceived as affronts by the hackers."
and:
"After Operation Cast Lead in Gaza last year, Turkish hackers took part in a coordinated assault on Israeli and Western Web sites."

Palestinian attack on JC website

Turkish group hacks 'Jewish Chronicle'

London-based Jewish newspaper attacked by hackers

Indian National Security Advisor Believes Cyber Attacks Originated from China

MK Narayanan, India's National Security Adviser, has reported that his office was subjected to attempted cyber attacks from malicious code contained in PDF files sent in emails. The attacks occurred on December 15, 2009 and coincided with similar attacks on US companies that are alleged to have originated from China.

Mr. Narayanan stated that he believed the Indian cyber attacks were from the same source:
"People seem to be fairly sure it was the Chinese. It is difficult to find the exact source but this is the main suspicion. It seems well founded."

China tried to hack our computers, says India’s security chief M.K. Narayanan

Friday, January 15, 2010

Attempted Cyberattack on Law Firm that Sued China

The U.S. law firm Gipson Hoffman & Pancione has received email containing malicious code that it believes originated from China. Gipson Hoffman & Pancione represents Solid Oak Software Inc., a maker of Internet filtering software, which alleges that its code was stolen and used by Chinese companies to create the "Green Dam Youth Escort" filtering software required by the Chinese government. The lawsuit named various Chinese companies and the Chinese government.

After analyzing the malicious code, a company spokesperson said:
"We have every reason to believe they're coming out of China... We have solid indications. We can say the payloads of these Trojan e-mails were located within China and the ISP routing bears out the connections with China. But what we don't know is specifically who they were sent by, where they were sent from, and why they were sent."
The spokesperson also noted the timing of the attack in relation to Google's announcement to stop censoring Internet searches in China:
"It is difficult to believe that the timing is merely coincidental."

U.S. Law Firm That Sued China Reports Cyberattack

Thursday, January 14, 2010

Google Throws Down the Gauntlet to China - Maybe

A flood of news reports have come out concerning the looming battle between Google and China over intrusions into the accounts of human rights activists, à la Ghostnet.

To add to the confusion are almost simultaneous reports of alleged attacks by Iranians on China's largest search engine, Baidu, and the inevitable counterattacks on Iranian websites with pro-Chinese graffiti. What remains to be answered is why anyone in Iran would be motivated to attack and deface the Baidu website with pro-Iranian messages and graphics. The timing of these attacks is interesting as well.

As usual, there is plenty of speculation concerning the Google - China attacks and their motivations but little factual information available for analysis. Of course there are the usual problems with accurate attribution and sourcing of attacks, and with determining exact motivations and potential external influences, including whether the Chinese government had a role in the breaches.

However there are many other unanswered questions in the Google - China standoff. To name a few:
  1. Are these attacks related to, or a continuation of, the Ghostnet attacks? In an official blog post, David Drummond, Google's Chief Legal Officer, pointed specifically to the Ghostnet report but didn't explicitly link them;

  2. Mr. Drummond's post also stated that "[a]s part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted." A full list of these companies has not been made public to date but it would be very informative to understand the exact relationship between the Google attacks (believed to target human rights activists) and the other companies. Is someone in China targeting human rights activists in chemical companies?!?;

  3. What are Google's and China's next steps? It's obvious that both entities have merely set up negotiating positions: Google did not close google.cn nor has it (yet) stopped censoring Chinese Internet searches; China's initial, official responses have been muted. Obviously, both sides don't want to do anything rash and there may be other agendas in play.
One of the biggest problems in understanding these attacks is the disjointed approach to investigating. These attacks span the world (The US, China, Iran, EU countries, Japan, Taiwan...) each with its own agenda and political and economic considerations. Additionally, there is no central coordination of information or analysis. Even within the US, some victims will cooperate; others will not. Among those that cooperate, some will have good monitoring and data collection capabilities; others will not. It's most likely we will never fully understand these attacks and if we don't understand them it will be next to impossible to effectively counter them.


Iranian Hackers Deface Top China Website
Hackers in Frontline of China's Cyberwar
A New Approach to China
China gives first response to Google threat