The Modern History of Cyber Warfare 3: Ongoing Debate on APTs

This section touches upon the tangible consequences of advanced persistent threats being utilized and the debate concerning the acceptable extent of that.

Stuxnet, Duqu and Flame as viewed by Gen. Michael Hayden

While we’re talking about groups of hackers, let’s just dive into the deep end of it: advanced persistent threats, and talk about the short history here. Everyone should be familiar with Stuxnet. You should also be familiar with Duqu, and Flame came out last year.

Flame was an awesome piece of malware, because it was written by a seriously top-notch group of cryptanalysts along with other really skilled hackers, and they were basically able to generate a code signing hash that would tell your system: “Hey, this is signed by a Microsoft certificate”. They didn’t have the code signing certificate to use; we should all be familiar with certain authorities being attacked to get code signing certificates. They didn’t actually have the code signing certificate, it was never issued to them. They just found an MD5 collision that would render the same signature.

So they used that and then basically scalped the code to represent it. That was really impressive. So, what happened basically is that once your system is infected, it tells your system: “Hey, local host is the Microsoft Update server”. And apparently, Windows didn’t think twice about that and said: “Oh, great, my own servers, I’ll connect to them, download and install this code in the kernel.” It was really impressive. So, I want to quote the former director of the NSA and CIA, Michael Hayden here (see image above). In this link he talks for 60 minutes on advanced persistent threats, on Stuxnet, Duqu and Flame. He says that “their authors legitimated the art of hacking as acceptable in the stage of international conflict.” He’s obviously not going to say who did it.
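As an added illustration (not part of the talk, and not Flame’s actual code), the toy below shows the mechanism that made the forged certificate work: a signature covers only the digest, so any second input with the same digest inherits it. It assumes a deliberately weakened 16-bit MD5 so a collision turns up instantly, and textbook RSA over constructed primes; the defensive half is a hardened verifier that refuses MD5-family digests outright, which is the only fix once collisions are practical.

```python
import hashlib

# Added example, not code from the talk or from any Flame analysis.
# Textbook RSA over two constructed 16-bit primes: insecure by design, used
# only to show that a signature binds to the digest, not to the signed bytes.
P, Q, E = 65521, 65537, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Collision attacks are practical against all three; a hardened verifier
# refuses them before doing any math.
WEAK_ALGOS = {"md4", "md5", "sha1"}

def weak_digest(msg: bytes) -> int:
    # MD5 truncated to 16 bits so a collision turns up in milliseconds.
    # Real MD5 needs a chosen-prefix attack, but the verifier logic is identical.
    return int.from_bytes(hashlib.md5(msg).digest()[:2], "big")

DIGESTS = {"md5": weak_digest}  # the toy only ships the weak algorithm

def find_collision():
    # Deterministic birthday search: two distinct inputs, one digest.
    seen = {}
    i = 0
    while True:
        msg = b"package-%d" % i
        d = weak_digest(msg)
        if d in seen:
            return seen[d], msg
        seen[d] = msg
        i += 1

def sign(msg: bytes) -> int:
    # The signer hashes what it was shown and signs only that digest.
    return pow(weak_digest(msg), D, N)

def verify(msg: bytes, sig: int, algo: str, reject_weak: bool = False) -> bool:
    if reject_weak and algo in WEAK_ALGOS:
        return False  # hardened policy: the algorithm itself is disqualifying
    return pow(sig, E, N) == DIGESTS[algo](msg)

def demo() -> dict:
    benign, lookalike = find_collision()
    sig = sign(benign)  # the signer only ever saw `benign`
    return {
        "same_digest": weak_digest(benign) == weak_digest(lookalike),
        "legacy_accepts_lookalike": verify(lookalike, sig, "md5"),
        "hardened_accepts_lookalike": verify(lookalike, sig, "md5", True),
    }
```

The legacy check accepts the look-alike because it never saw anything but a digest; the hardened check fails it on algorithm name alone, without needing to know a collision exists.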

Attacks on Iranian facilities as of 2012

Which brings us to what happened after Stuxnet. After Stuxnet, Iranian facilities have been hit a number of times (see left-hand image). There were rumors early last year, around June, that two uranium enrichment facilities in Iran were hit again. It’s unknown whether the viruses did any damage, and after that was announced, it was actually denied. This is understandable, and we’ll talk about reasons for denying a breach, denying a hack, later on – this is more or less human nature, because it makes you look really bad. It’s bad for the morale of the country and whatnot.

What’s funny about this is that allegedly infected machines would lock up around midnight, turn the volume all the way up and play AC/DC’s “Thunderstruck”. So imagine a uranium enrichment facility you can no longer control which is playing Thunderstruck. That’s pretty terrifying if you imagine that scenario.

Alleged APT attack at Fordow

Earlier this year, in January, we talked about how Reuters and a number of other websites reported that there was a massive explosion, felt over 3 miles away in a major metropolitan city, that originated at an underground bunker at Fordow (see right-hand image). And this is the same bunker known to be used for uranium enrichment. The reason we’re talking about this is that the resulting explosion allegedly trapped 240 people underground. So, when you’re dealing with warfare, even at the kinetic level, if you have to kill people, it’s usually never advisable to target civilians. I don’t know if these 240 people were all scientists or soldiers. But this is worth pondering.

Satellite view of the Fordow facility

This is basically the satellite view of that facility (image on the left). It’s completely under a mountain, so it’s immune to a bunker buster, which is why the conclusion is that if there was an explosion here, it must have been a cyber weapon, so that’s the reason I’m talking about it.

Quotes from the Mandiant report concerned

Within the last few months the Mandiant report, which you should all have heard about, came out. Essentially, in 2010 the US said: “We’re officially being hacked by the Chinese government.” This is basically the smoking gun evidence. These quotes (see right-hand image) are from the beginning of this report. Essentially, this is a quote from Representative Mike Rogers in 2011.

His statement was: “The Chinese economic espionage has reached an intolerable level and I believe the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy. Beijing is waging a massive trade war on us all and we should band together to pressure them to stop. Combined, the US and our allies in Europe and Asia have significant diplomatic and economic leverage over China, and we should use this to our advantage to put an end to this scourge”.

Mandiant’s report on APT1 - details

I’m not sure how much leverage you have if you can’t stop borrowing from them; to which the Chinese Defense Ministry replied: “It’s unprofessional and groundless to accuse the Chinese Military of launching cyber attacks without any conclusive evidence”. And thus the Mandiant report was the smoking gun as the conclusive evidence.

The report details all the traced activities of what is considered to be APT1 in the malware and incident response world (see left-hand image above). They have identified, they’ve doxed, APT1 as PLA Unit 61398. You can read that in their report. Essentially they described APT1 activity as a long-term campaign of industrial espionage. They have stolen hundreds of terabytes of data; there is cyber and physical sabotage probing and preparation. They’ve probed all the critical infrastructure weak points that they were interested in to see if they can cause failures, if they can cause destruction.

Attackers’ location pinpointed

They’ve also had a major intention of economic theft and sabotage. They have video evidence of APT1 actors in action: essentially they hacked some of the relay points that APT1 used to do some of their activities and simply recorded what was going on. So there’s a lot of evidence there. And lastly, they’ve precisely pinpointed the attackers’ location: it’s a building (see right-hand image) that they claimed is full of dozens to hundreds of personnel.

Now I want to pause here. I was watching a great panel at the RSA Conference this year, which happened in January, I think. There was a panel with Whitfield Diffie and, I think, Ronald Rivest, obviously huge cryptographers, and there were other really impressive people. I think Rivest said that this is a really interesting report; however, the last part, how they attributed the physical location, is questionable.

Essentially, all the analysis up to that point was traffic analysis showing that all these points were funneling traffic to this location. One set of IPs is located in Shanghai, this one city. Their next step to finding the building essentially is: “Well, we know how many terabytes of data they are processing every day based on their activities, and we’ve traced all their activities. So we have to find some sign that they can handle this”. Well, it just happens that there is only one building in that city that has X number of fiber pipelines going to it, and so that’s their attribution.

China accuses back

And so he said that you can basically take the same report, touch up the details, replace China with US and use the same logic to pinpoint some building in Fort Meade in Maryland and say: “Hey, you guys are doing it too.” So that’s what we’re talking about.

The debate on CNN

So, China naturally claimed this: “Well, just because you’ve proven that we do it, you guys do it too.” This prompted an interesting debate (see right-hand image). I was watching CNN at the time, and Fareed Zakaria was on, and he had Mike Hayden, whom I just quoted. And this is a straight quote from the website. He said: “Mike, the Chinese will say in response – or some other Chinese will say – look, you guys do it too. You know, why are you getting so heated up? You know, you ran the CIA and the NSA. What would be your response to them?”

Michael Hayden’s reply

To which Michael Hayden replied (see left-hand image): “Right. I freely admit that all nations spy. All nations conduct espionage. But some nations, nations like ours, self-limit. We steal other nations’ secrets to keep Americans safe and free. We don’t do it to make Americans rich or to make American industry profitable. And what the Chinese are doing is industrial espionage, trade secrets, negotiating positions, stealing that kind of information on an unprecedented scale for Chinese economic advantage. And that’s why I think our response should be in the economic zone.”

Better keep things the way they are

So, basically, you might see this like two kids fighting in a room: “No, you hit me harder, I’ve got to hit you back proportionally, right?” There are a lot of news reports saying that this is now such a big deal, and rumors of war are basically spreading. And this is a trap, this is absolutely idiotic. Hopefully we don’t go to war over this; that would be really sad, really unfortunate.

So, if we go to war with China, North Korea would ramp up its activities as well, and there’s no telling what they would do. So it’s just all a bad idea. Things should stay the way they are. They should keep the peace.