6 August 2014

Watching the Watchers: Tracking the Activities of the Chinese Cyber Spies

August 4, 2014
Information Warfare: Chinese Hackers Are So Damn Useful
strategypage.com

While China consistently denies any knowledge of or participation in numerous Internet based attacks a growing number of Internet security firms have succeeded in developing the ability to track the activity of some 30 Chinese hacking groups believed to be working for the Chinese government. Recently one of the more capable of these groups (Deep Panda) was detected searching Western research organizations for recent data on ISIL (Islamic State of Iraq and the Levant), a terrorist group that is seizing oil fields and refineries in northern Iraq. This is of great interest to China, which is a major customer for Iraqi oil and one of the largest investors in Iraqi oil industry projects. If ISIL manages to gain control over all of Iraq, China would want to be prepared to do business with this Islamic terrorist group. ISIL would want to sell their oil and China has demonstrated a willingness to buy oil from anyone.

This indicates how China has come to treat its hacking resources as a handy intelligence tool for when there is a need for specific information that is not posted on the Internet but can be stolen via hacking organizations that are vulnerable to plundering by skilled hackers. 

Western Internet security firms have long known of Chinese hacker groups and in the last few years have often shared their knowledge with the public. For example, in early 2013 it was revealed (to the public for the first time) by Western Internet security researchers that a specific Chinese military organization, “Unit 61398,” has been responsible for over a thousand attacks on government organizations and commercial firms since 2006. China denied this, and some Unit 61398 attacks ceased and others changed their methods for a month or so. But after that Unit 61398 returned to business as usual. The Chinese found that, as usual, even when one of their Cyber War organizations was identified by name and described in detail there was little anyone would or could do about it. There was obviously a Chinese reaction when the initial news became headlines, but after a month or so it was realized that it didn’t make any difference and the Chinese hackers went back to making war on the rest of the world. Unit 61398 is believed to consist of several thousand full time military and civilian personnel, as well as part-time civilians (often contractors brought in for a specific project). Thus a year ago the Chinese thought they were safe despite this unwanted publicity for the secretive Unit 61398.

China’s Cyber War hackers have become easier to identify because they have been getting cocky and careless. Internet security researchers have found identical bits of code (the human readable text that programmers create and then turn into smaller binary code for computers to use) and techniques for using it in hacking software used against Tibetan independence groups and commercial software sold by some firms in China. These Chinese companies are known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than this. The Chinese hackers have found that it doesn’t matter. Their government will protect them.

It’s been noted that Chinese behavior is distinctly different from that encountered among East European hacking operations. The East European hackers are more disciplined and go in like commandos and get out quickly once they have what they were looking for. The Chinese go after more targets with less skillful attacks and stick around longer than they should. That’s how so many hackers are tracked back to China, often to specific servers known to be owned by the Chinese military or government research institutes.

The East Europeans have been at this longer and most of the hackers work for criminal gangs, who enforce discipline, select targets, and protect their hackers from local and foreign police. The East European hacker groups are harder to detect (when they are breaking in) and much more difficult to track down. Thus, the East Europeans go after more difficult (and lucrative) targets. The Chinese hackers are a more diverse group. Some work for the government, many more are contractors, and even more are independents, who often slip over to the dark side and scam Chinese. This is forbidden by the government, and these hackers are often caught and punished, or simply disappear. The Chinese hackers are, compared the East Europeans, less skilled and disciplined. There are some very, very good Chinese hackers but they often lack adult supervision (or some Ukrainian gangster ready to put a bullet in their head if they don’t follow orders exactly).

For Chinese hackers that behave (don’t do cyber-crimes against Chinese targets) the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can’t handle. The pros tend to leave nothing behind but hints that can be teased out of heavy use of data mining and pattern analysis.

Over the last decade Internet security firms (especially Kaspersky Labs, Mandiant, Crowdstrike and Symantec) have been increasingly successful at identifying the hacker organizations responsible for some of the large-scale hacker attacks on business and government networks. This has led to the identification of dozens of major hacking operations and which campaigns they were responsible for. The security firms also identify and describe major malware (software created by hackers for penetrating and stealing from target systems). 

In 2013 Kaspersky discovered a bit of malware called Red October, because it appeared to have been created by Russian speaking programmers. Red October was a very elaborate and versatile malware system. Hundreds of different modules have been discovered and Red October had been customized for a larger number of specific targets. Red October was found to be in the PCs and smart phones of key military personnel in Eastern Europe, Central Asia, and dozens of other nations (U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan, and the UAE). The Red October Internet campaign has been going on for at least five years and has been seeking military and diplomatic secrets. As a result of this discovery, Internet operators worldwide shut down the addresses Red October depended on.

Red October does not appear to be the product of some government intelligence agency and may be from one of several shadowy private hacker groups that specialize in seeking out military secrets and then selling them to the highest bidder. The buyers of this stuff prefer to remain quiet about obtaining secrets this way. In response to this publicity, the operators of Red October have apparently shut down the network. The Russian government ordered the security services to find out if Russians were involved with Red October and, if so, to arrest and prosecute them. Russia has long been a sanctuary for Internet criminals, largely because of poor policing and corruption. It may well turn out that the Red October crew is in Russia and has paid off a lot of Russian cops in order to avoid detection and prosecution. To date, the operators of Red October have not been found. All nations, except China, have become more willing to assist in finding, arresting, and prosecuting criminal hackers. While more are going to jail, it is still a very small proportion of those involved.

No comments: