Cyber Kill Chain for the Chinese Dragon
Overall, the initial assessment of APT1 of the 2nd Bureau has the wrong physical address as the primary cyber-warfare operations center. The primary operations center is actually in the Suzhou Industrial Park in Jiangsu, where the PRC operates a signals operations center that is similar in mission and operation to the NSA Lackland RSOC in San Antonio, TX. The address on Datong Road is limited in scope, and lacks the facilities and manpower of the Jiangsu facility. While the Jiangsu facility may be used for research and initial target identification, much like the other 80+ cyber-exploitation sites in mainland China, the Jiangsu complex is serviced by 24 single-mode fiber optic cables functioning at multi-terabyte speeds. This is not merely 24 strands, or 24 fibers, but 24 actual cables with various strand/fiber counts, which enter the complex in Jiangsu from four different directions. A similar operation can be found at the Tongzhou Zhongguancun Park in Beijing, which is roughly the functional equivalent of the data center in Ft. Gordon combined with the operations facility in Suitland, MD. It is between the Tongzhou and Jiangsu facilities that China performs the bulk of its cyber-exploitation operations and network control. The more remote, smaller sites are there to “explore and identify” and then initiate exploitation, but the harvested data actually ends up in Jiangsu and Tongzhou. The facility in the Nanhui District of Shanghai primarily supports the signals operations facilities centered at Shanghai Dianji University (36 fibers, across 3 cables), which is the operations base for Chinese exploitation of foreign networks, including the fiber optic networks of the United States, Canada, Australia, New Zealand, and Great Britain.
Reconnaissance
Summary of Tactics and Techniques
The initial penetration by APT1 is noted to be a version of “spear phishing” that downloads an exploitation package onto the user's machine in the form of a specially crafted .zip file.
Description of Tactics and Techniques
But the actual reconnaissance is not this insertion, or spear phishing; the base tactic is merely to port-sweep and address-sweep large segments of the Internet seeking responsive e-mail servers and/or responsive users. A secondary, less detectable method is to sweep ranges of IP addresses to identify the SMTP servers by way of DNS server responses, and then to expand the scan to look for open ports not on the SMTP server itself but on nearby systems, since a port scan of an HTTP or SMTP server tends to raise a red flag right away. This initial sweep maps out servers, services, and ports, first by pushing an IP address range through a DNS server, as this reduces the risk of an alert. Because an HTTP and/or SMTP e-mail server provides somewhat weak protection on its own, owing to a multitude of weaknesses, the systems must first be mapped, and the scanning is deliberately made to look fairly amateurish and local to the target, or at least from “any place other than China.”
The Chinese intelligence services also map out publicly known e-mail addresses, or intelligently guess at them, but they also engage in conventional penetrations of the computers of executives and key employees of companies who might be traveling to or through China, or even to gain access outside of China. There will also be attempts to bounce random user names off an e-mail server to try to build a list of lower-level users on the system. Many, if not most, organizations bounce and delete what they suspect to be spam, but do not treat these “dangles” for user-name confirmation or “found here” responses the same way.
To defend against the reconnaissance stage, an e-mail server should not bounce a malformed user name; it should accept all e-mail traffic but not respond in any way that would either acknowledge or deny that the user has an account on the server. Further, while it is quite easy for a known, publicly available e-mail address to be targeted in a spear-phishing attempt, a high-risk user can be protected by using multiple e-mail addresses and suppressing the circulation of that user's actual address, so that e-mail originating inside the company circulates only on the same server, and all messages originating from outside sources are automatically suspect and subject to detailed examination rather than being automatically forwarded to the end user inside the company. The use of phishing or spear phishing is the key to this form of espionage, and in turn the careful blocking of inbound graphics, PDF, Microsoft, or other documents will tend to block this attack vector.
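The two sides of the user-name bouncing problem described above, as an added example that is not part of the original article: a model of how a mail server answers RCPT TO in a "leaky" mode versus the uniform-acceptance mode recommended here, and a log check that spots a source probing many non-existent mailboxes on a server that still leaks. The mailbox list, the source addresses, and the Postfix-like log layout are all constructed for the example and are not a real capture.

```python
"""Added defensive model of SMTP user enumeration (not from the article).

  1. rcpt_response(): the reply a mail server gives to RCPT TO for a known
     or unknown mailbox, in a "leaky" mode (distinct reply for unknown users,
     which is what name-bouncing relies on) and a "uniform" mode (the same
     reply for everyone, so the reply neither confirms nor denies that the
     account exists; the message is accepted and examined later).
  2. find_enumeration_sources(): a log check that flags source IPs which
     probed many distinct, non-existent recipients on a server that still
     leaks. The log lines are constructed in a Postfix-like shape for the
     example; the exact format is an assumption, not a real capture.
"""
import re
from collections import defaultdict

# Constructed mailbox list for the example.
KNOWN_USERS = frozenset({"jsmith", "rlee", "press"})


def rcpt_response(local_part: str, known_users=KNOWN_USERS, uniform: bool = True) -> str:
    """Return the SMTP reply for RCPT TO:<local_part@corp.example>."""
    if uniform or local_part in known_users:
        # Same answer whether or not the mailbox exists: nothing to enumerate.
        return "250 2.1.5 Ok"
    # Leaky behaviour: unknown users get a distinguishable rejection.
    return "550 5.1.1 Recipient address rejected: User unknown"


# Constructed log: one source walks an alphabetical list of guessed names at
# 02:11; a partner MTA later mistypes a single retired address.
SAMPLE_LOG = """\
Mar 03 02:11:04 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aaron@corp.example>: Recipient address rejected: User unknown
Mar 03 02:11:05 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <abby@corp.example>: Recipient address rejected: User unknown
Mar 03 02:11:05 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <adam@corp.example>: Recipient address rejected: User unknown
Mar 03 02:11:06 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <admin@corp.example>: Recipient address rejected: User unknown
Mar 03 02:11:07 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alan@corp.example>: Recipient address rejected: User unknown
Mar 03 09:40:12 mx postfix/smtpd[2]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <rlee.old@corp.example>: Recipient address rejected: User unknown
"""

REJECT_RE = re.compile(
    r"RCPT from \S*\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)


def find_enumeration_sources(log_text: str, threshold: int = 3) -> dict:
    """Map source IP -> sorted list of distinct rejected recipients, keeping
    only IPs refused `threshold` or more distinct recipients (a scan pattern,
    as opposed to a partner MTA mistyping one old address)."""
    rejected = defaultdict(set)
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if match:
            rejected[match.group("ip")].add(match.group("rcpt"))
    return {ip: sorted(r) for ip, r in rejected.items() if len(r) >= threshold}


if __name__ == "__main__":
    print("leaky  :", rcpt_response("nobody", uniform=False))
    print("uniform:", rcpt_response("nobody"))
    print(find_enumeration_sources(SAMPLE_LOG))
```

The uniform reply only helps if the accepted mail is then quarantined and examined rather than delivered; the log check is the fallback for servers that cannot be reconfigured, and the threshold keeps a single mistyped address from a known partner out of the alert.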
Weaponization
Summary of Tactics and Techniques
Once an e-mail address is determined to be viable, an infected payload is sent to the user, either as a direct attachment or as a hyperlink to an infected document, whose sole function is to deliver an exploitation payload to the target and, depending on the target's access, to spread the infection behind the organization's firewall.
Description of Tactics and Techniques
The downloaded malicious executable file is referred to as “WEBC2-TABLE”, and it infects Microsoft and Adobe documents, but the source code to do this did not originate in China; it was purchased from a company in London, England in 2002 and 2003 and then modified by the Chinese. Indeed, the source code to do this was originally published in Boston in 1995, then in Colorado in 1996, then in New York in 1997, from where it was sold to the company in London, which then resold it in modified form to China. The key to this function is to trick a target into downloading or opening a Microsoft or Adobe file that is capable of penetrating or evading the target's firewall. This weaponization may be a simple beachhead or a more complex, deeper penetration.
Delivery
Summary of Tactics and Techniques
The delivery mechanism may be as simple as an infected attachment, or the direct delivery of an executable that is not attached to a document.
Description of Tactics and Techniques
The “Web C2” provides a primitive bootstrap mechanism, but the non-“Web C2” backdoor cloaks commands and responses as standard HTTP traffic. All of this cloaked traffic can be fairly easily trapped at the borders of the organization by connecting an outbound query from a user to the matching inbound response, which should match what the initial inquiry would be expected to return. The most interesting side of this transaction is the location to which the user's machine is sending data; if the destination is suspect, the traffic should not be forwarded. Additionally, when a user's machine is active outside the hours in which it should be active, it is fairly simple to raise an alarm, lock out that switch port, and block further traffic until the anomalous activity can be reconciled.
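Two of the border checks just described, as an added example that is not part of the original article: a backdoor polling its controller over cloaked HTTP produces outbound requests to one host at nearly constant intervals, and a workstation talking to the outside at 3 a.m. is the off-hours condition that should trip the switch-port lockout. The proxy log lines, the client and host addresses, and the column layout are constructed for this example and do not follow any real proxy's format.

```python
"""Added example (not from the article): two border checks for cloaked HTTP
command-and-control, run over constructed proxy log lines.

  * find_beacons(): flags (client, host) pairs whose inter-request timing is
    too regular to be a person browsing.
  * find_off_hours(): flags workstation traffic outside the hours in which
    the machine should be active.

The log line layout (timestamp, client IP, method, host, path, status) is an
assumption made for this example, not a real proxy's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: 10.1.2.42 polls one external host every ~10 minutes
# at 03:00; 10.1.2.17 browses normally during the working day.
SAMPLE_PROXY_LOG = """\
2013-02-19T03:00:00 10.1.2.42 GET 203.0.113.50 /index.asp 200
2013-02-19T03:10:01 10.1.2.42 GET 203.0.113.50 /index.asp 200
2013-02-19T03:20:00 10.1.2.42 GET 203.0.113.50 /index.asp 200
2013-02-19T03:29:59 10.1.2.42 GET 203.0.113.50 /index.asp 200
2013-02-19T03:40:00 10.1.2.42 GET 203.0.113.50 /index.asp 200
2013-02-19T10:02:13 10.1.2.17 GET www.example.net /news 200
2013-02-19T10:05:44 10.1.2.17 GET www.example.net /sports 200
2013-02-19T12:30:09 10.1.2.17 GET cdn.example.org /img/logo.png 200
2013-02-19T15:47:51 10.1.2.17 GET www.example.net /weather 200
"""


def parse_proxy_log(text):
    """Return a list of (timestamp, client, host) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        ts, client, _method, host, _path, _status = line.split()
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Return {(client, host): mean_interval_seconds} for pairs with at least
    `min_hits` requests whose intervals vary by less than `max_cv`
    (coefficient of variation = stdev / mean). Human browsing is bursty and
    irregular; a polling backdoor is not."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons[pair] = round(avg)
    return beacons


def find_off_hours(events, start_hour=8, end_hour=18):
    """Return the set of (client, host) pairs with any request outside
    [start_hour, end_hour); such a port can be locked pending review."""
    return {(client, host) for ts, client, host in events
            if not start_hour <= ts.hour < end_hour}


if __name__ == "__main__":
    events = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("beacons  :", find_beacons(events))
    print("off-hours:", find_off_hours(events))
```

Both checks are deliberately simple: the beacon test keys on timing rather than on any signature in the cloaked traffic, so it is indifferent to how the commands are disguised, and the off-hours test needs only a schedule per machine. Neither replaces inspecting where the data is going, which the article treats as the decisive question.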
By dumping password hashes from victim computers, the operator of the APT1 attack can derive username and password combinations, and then use these to escalate privileges and gain access to secondary machines and accounts.
Exploitation/Installation
Summary of Tactics and Techniques
Once the intelligence is located (which can be a fairly arduous task for the spy to complete successfully), the collected files must be packaged and exfiltrated from the originating machine.
Description of Tactics and Techniques
In order to exfiltrate the data that is of interest to the Chinese spy, the collected data for a given machine needs to be packed into a compressed archive, creating a RAR file, but these archives are fairly easy to detect as they move across the network or across the border routers and gateways. If they are actually moved as a RAR they are easy to detect either by the file extension or by the file headers and footers.
One mechanism that is often not mentioned, but which has been used with some popularity, is the use of the BitTorrent network to exfiltrate collected files: the files are “staged” from multiple internal machines to a single internal machine and then published as password-locked files, provided the targeted network allows such traffic.
By detecting RAR archives, FTP traffic, BitTorrent traffic, or any of a myriad of other formats, the switch port(s) on which the traffic appears can be blocked until the matter can be investigated further. Typically any form of FTP activity must be logged, and any FTP attempt on the inbound side should lock out the originator.
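Detection by file headers rather than by extension, as the preceding paragraphs describe for RAR archives and BitTorrent traffic, as an added example that is not part of the original article. The signatures used are the public ones: RAR 4.x files begin with the bytes 52 61 72 21 1A 07 00, RAR 5 files with 52 61 72 21 1A 07 01 00, a BitTorrent peer handshake begins with the byte 0x13 followed by the text "BitTorrent protocol", and .torrent metainfo files are bencoded dictionaries that conventionally begin with "d8:announce". The sample objects and the allow/hold/block policy are constructed for the example.

```python
"""Added example (not from the article): recognising RAR archives and
BitTorrent traffic by content rather than by file name, so that an archive
renamed to look like a PDF, or a peer handshake on an unexpected port, is
still caught at the border. The verdict policy below is constructed for the
example, not taken from any product.
"""
import os

RAR4_MAGIC = b"Rar!\x1a\x07\x00"          # RAR 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"      # RAR 5 signature
BT_HANDSHAKE = b"\x13BitTorrent protocol" # peer-wire handshake prefix
TORRENT_PREFIX = b"d8:announce"           # usual start of a .torrent file

# Which detected kinds an extension may carry openly.
EXPECTED_FOR_EXT = {".rar": {"rar4", "rar5"}, ".torrent": {"torrent-metainfo"}}


def identify(blob: bytes) -> str:
    """Classify the first bytes of a file or stream."""
    if blob.startswith(RAR5_MAGIC):
        return "rar5"
    if blob.startswith(RAR4_MAGIC):
        return "rar4"
    if blob.startswith(BT_HANDSHAKE):
        return "bittorrent-handshake"
    if blob.startswith(TORRENT_PREFIX):
        return "torrent-metainfo"
    return "unknown"


def assess_transfer(filename: str, blob: bytes):
    """Return (verdict, reason) for an outbound transfer.

    block: a peer-to-peer handshake, or archive/torrent content hiding behind
           a different extension (the disguise is itself the indicator);
    hold:  an openly named RAR or .torrent, parked until someone confirms it;
    allow: nothing recognised.
    """
    kind = identify(blob)
    ext = os.path.splitext(filename)[1].lower()
    if kind == "bittorrent-handshake":
        return ("block", kind)
    if kind != "unknown" and kind not in EXPECTED_FOR_EXT.get(ext, set()):
        return ("block", f"{kind} content disguised as {ext or 'no extension'}")
    if kind in ("rar4", "rar5", "torrent-metainfo"):
        return ("hold", kind)
    return ("allow", kind)


# Constructed sample objects (zero padding stands in for real archive bodies).
SAMPLE_TRANSFERS = {
    "quarterly-report.pdf": RAR4_MAGIC + b"\x00" * 16,
    "backup.rar": RAR5_MAGIC + b"\x00" * 16,
    "notes.txt": b"meeting moved to Thursday\n",
    "peer-stream.bin": BT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20,
    "share.torrent": TORRENT_PREFIX + b"31:http://tracker.example/announcee",
}


def assess_all(transfers=SAMPLE_TRANSFERS):
    """Apply assess_transfer() to every sample and return name -> verdict."""
    return {name: assess_transfer(name, blob) for name, blob in transfers.items()}


if __name__ == "__main__":
    for name, verdict in assess_all().items():
        print(f"{name:22s} {verdict}")
```

The order of checks matters: the RAR 5 signature is tested before the RAR 4 one because the two share their first six bytes, and the handshake is treated as a block on sight because a peer-wire exchange has no legitimate file name to compare against. An archive that is merely password-locked still carries the same header, so the password protection the article mentions does not defeat this check.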
Merely blocking traffic from the known IP blocks in China is an exercise in futility: the traffic may originate in China, but it will be routed through multiple levels of cloaking to conceal the true requestor and recipient, which in China will be one entity that launches, another that controls, one that harvests, and yet another that creates a cloud of stolen files. But China does not merely cloak by splitting up the various elements of the operation; there is also a split based on geography and national boundaries, where China will use systems behind cable modems in the United States to hide further, and the systems outside of China may be used to cascade multiple layers of cloaking. These are often listed as hop points, but they can be far more than just a hop, relay, or zombie, in that they command and control the flow to a central drop site, and then draw from this relay point and direct it to the ultimate storage location; the handlers of the network are not moving data but commands, a subtle but important difference.
To defang the value of this dragon, a fairly covert program must be instituted within high-value networks and locations to respond to the initial reconnaissance efforts and to draw the efforts of the foreign spies into a spider trap of sorts, where bait servers and bait networks that appear to contain proprietary or classified data are used to divert attention, and then to apply the controls to a select series of switches and routers. But there must also be a certain percentage of sacrificial networks, systems, servers, and connections, because if “everything just goes dark” this mode of espionage will merely shift to evade detection.
Of course it does bear mentioning that the United States does the same thing to China, as do Canada, NZ, and every other nation; nations spy not only on their adversaries but also on each other, and allies are just as likely to spy on each other as adversaries are.
Command and Control Communications (C2)
Summary of Tactics and Techniques
As these APT1 modes of attack, exploration, and exploitation reach a certain point, they will require some degree of command and control, although in future incarnations the C2 function could be relatively automated.
Description of Tactics and Techniques
At present HTRAN is used as the nexus of control: it connects to the backdoors of exploited machines and networks and coordinates the movement of data not merely out of the machines and networks of the target, but onward to a final collection point. But a network of this nature is acutely vulnerable, in that once the end points are detected they can be attacked in an act of sabotage, and not merely a cybernetic attack. The fiber connections themselves can be sabotaged, given the very limited number of connections available to the Chinese, as it only takes a small number of Navy SEALs to visit the undersea trench and conduit just offshore, and not merely slice the cable but sabotage the various fiber optic repeater sites that lie beneath the world's oceans and crush the spine of the dragon.
But this works two ways, because if the Chinese cannot see us, then we cannot see them, and at the core of this issue we must keep in mind that espionage is a two-way street: we need the Chinese and Taiwanese fiber as much as they need it for their own espionage.
Actions on Objectives
Summary of Tactics and Techniques
APT1 is not as effective, nor as dangerous, as it could be; it is drastically outdated, and more modern methods must be assumed to be in use. Technology has dramatically improved over the last decade, and essentially all the APT1 system is doing is mirroring the zombie attack methods that became popular in the 1990s for launching distributed denial of service attacks; APT1 is merely a distributed infiltration/exfiltration system.
Description of Tactics and Techniques
The ultimate end points of the APT1 system appear to be four blocks of IP addresses in Hong Kong and Shanghai (and Beijing), but these network blocks are deceptive: while a block may be assigned to Beijing, the actual end point may be over 1000 miles away, a mile under a mountain. Indeed, beyond the Chinese fiber landings, the operations centers in and near major cities, and what would appear to be the “clouds in which the dragon flies” (the data centers), the true dragons hide under mountains, far from the cities and well away from military bases and naval ports. China also practices a “very Soviet method” of transporting vast troves of digital data, whereby computer networks are only one mechanism of exploitation, and the physical hand carriage of data on hard drives by a network of couriers is a more reliable method of moving data across international boundaries.
Overview
There is a subtle but very important matter that warrants discussion. First, it must be recognized that the intelligence services of various nations often work closely with one another, and while they never actually trust each other, they do have “interests in common.” Thus, the United States cooperates with Canada, Australia, New Zealand, and Great Britain to provide a machine of international espionage, and each of these nations has alternative allies. For example, Britain is a close ally of Germany and France, on a par with its relationship with the United States. While Taiwan is a declared ally of the United States and an adversary of China, the two neighbors do share a mutual distrust of the United States. This brings us to the table of domains and media “look-alike domains,” in which not only media inside the United States are given, but also Canadian and British media outlets. While a U.S. citizen may quickly recognize CNN or a related U.S. media source, an Australian would quickly recognize their own, and so would a British subject. Thus, these tables reveal the nations that are of greatest interest to the Chinese government, as they are trying to slip fake domains past computer users in their respective countries.
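A way to screen for the look-alike media domains described above, as an added example that is not part of the original article and does not reproduce its tables. A candidate name is flagged when, after undoing the common substitutions (0 for o, 1 for l, rn for m, vv for w), one of its labels reuses a legitimate outlet's brand label or sits within one edit of it. The legitimate list holds four real outlet domains a reader in the US, UK or Canada would recognise; every candidate in CANDIDATES is a constructed example under .example, not a real registration.

```python
"""Added example (not from the article): flagging look-alike domains that
borrow or nearly borrow a known media outlet's brand label.
"""

# Legitimate domain -> its brand label (the part a user reads and trusts).
LEGITIMATE = {
    "cnn.com": "cnn",
    "bbc.co.uk": "bbc",
    "cbc.ca": "cbc",
    "foxnews.com": "foxnews",
}

# Constructed candidates of the kind seen in inbound links or DNS logs.
CANDIDATES = [
    "cnn.com",                  # the real thing: must not be flagged
    "cnn-breaking.example",     # brand label reused with a suffix
    "cnm.example",              # one keystroke away from cnn
    "bbc.co.uk.login.example",  # real domain embedded as a subdomain
    "f0xnews.example",          # digit zero standing in for the letter o
    "weather.example",          # unrelated, must not be flagged
]

HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Undo the substitutions most often used to fake a brand label."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(candidates, legitimate=LEGITIMATE, max_distance=1):
    """Return {candidate: (legitimate_domain, reason)} for suspicious names.

    Labels shorter than three characters (co, uk, ca) are ignored so that
    country-code suffixes do not match short brands by accident.
    """
    flagged = {}
    for cand in candidates:
        cand = cand.lower().rstrip(".")
        if cand in legitimate:
            continue  # the genuine domain is never a look-alike of itself
        labels = [normalize(p) for p in cand.replace("-", ".").split(".") if len(p) >= 3]
        best = None
        for domain, brand in legitimate.items():
            dist = min((levenshtein(lbl, brand) for lbl in labels), default=None)
            if dist is not None and dist <= max_distance and (best is None or dist < best[0]):
                best = (dist, domain, brand)
        if best:
            dist, domain, brand = best
            reason = "brand label reused" if dist == 0 else f"{dist} edit(s) from brand '{brand}'"
            flagged[cand] = (domain, reason)
    return flagged


if __name__ == "__main__":
    for name, (domain, reason) in find_lookalikes(CANDIDATES).items():
        print(f"{name:26s} -> {domain:12s} {reason}")
```

The brand-label comparison, rather than whole-domain comparison, is what catches the "real domain as a subdomain" trick: bbc.co.uk.login.example is nowhere near bbc.co.uk by edit distance, but its first label is an exact reuse. Tuning max_distance upward trades more catches for more noise on short brands.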
In the past few years many of these zombie networks have deposited their collected data onto Amazon Web Services servers, under a large number of domains and IP addresses (a family member of the dragon would appear to be fond of Amazon).
It is also profoundly amusing that an intelligence agency in China would be so reliant on Gmail, Hotmail, and Yahoo e-mail addresses to set up and control a complex espionage operation, when they would also know that everything associated with those addresses would fall under investigation within hours of their being used for an espionage operation such as this.
The Chinese intelligence organizations are profoundly fond of conventional burglary, wiretapping, cell phone penetration, and the same methods and means used by their international adversaries. Just like the intelligence agencies of the United States, Canada, Great Britain, and others, the Chinese are also fond of blackmail, bribes, payoffs, and every potential means of twisting and turning a resource to squeeze them for their intelligence apparatus. If APT1 is of use to the PLA, it is likely only an indirect tool, based on older methods, which are less effective than more modern tools.
Owner of Corporate Defense Strategies
8 years ago
Jim, As usual you have written an excellent piece, complete with detailed information, relatively obscure knowledge, and incredible insight from your vast wealth of experience. Well done.