Computer Network Attack / Exploitation: Regional Threats China & North Korea Karl Wolfgang, CISSP
Jan 21, 2015
• People’s Republic of China: medium threat, growing
• North Korea: low threat, restrained
• Methodology
– National vision, objectives: military doctrine
– Stratagems
– Reality check:
• Capabilities
• Supporting infrastructure
• Software / programming
– Open source analysis, “in the wild” hacker processes
• Assumptions:
– Individual hackers and nations share similar processes / techniques
– China and North Korea share similar processes / techniques
– China: 1. more active; 2. better able to operate under a cloak of plausible denial
CNO in NE Asia
Jiang Zemin: 90s – Early 21st Century
Warfare at the Speed of Electrons
• Economic, political, historical objectives
– Taiwan
– Infrastructure > military techno-revolution
• Regional power projection
• Lessons learned – Kosovo, Iraq
– C4I fusion
– Preemption
• "Informationized arms . . . together with information systems, sound, light, electronics, magnetism, heat and so on, turn into a carrier of strategies."
MG Dai Qingmin
NETOPS vs. The Science of Campaigns (diagram): cognitive errors, multi-dimensional threat, phased operations
Civilian Assets & IW Reserves
• Dissolving boundaries
– Civil-military cooperation
– Civil vs. military targets
• Militia – fist of network warfare & hacker units
• Potential missions
– Network offense
– Network defense
– Network propaganda
– Electronic countermeasures
– Technical recon
– Maintenance
Skill Sets
• Computer science graduates
• Professions:
– Satellite
– Telecommunications / networking
– Data communications / SW & HW
– Microwave
– Programming
• Develop doctrine / training
Civilian Assets & IW Reserves
Cyber Forces
• People’s Armed Forces Department of Echeng, Ezhou, Hebi
• Chongqing Garrison
• Shanxi Reserve “Network” Fendui, Datong MSD
• Shanghai
• Guangzhou, Dongshan District
• Ancient stratagems
• Maoist tactics
• Aggressive program of national development
China: Plausible Denial
Stratagems of Information Warfare
• All warfare is based on deception. There is no place where espionage is not used. Offer the enemy bait to lure him.
• Let your rapidity be that of the wind, your compactness that of the forest.
• The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim.
• Attack him where he is unprepared, appear where you are not expected.
47 China’s Electronic Strategies
http://www.au.af.mil/au/awc/awcgate/milreview/thomas.htm
Sun Tzu – Wang Mind Meld
• IW: Complex, limited goals, short duration, less damage, larger battle space and less troop density, intense struggle for information superiority, C4I integration, new aspects of massing forces, and the fact that effective strength may not be the main target.
• Principles of IW: Decapitation, blinding, transparency, quick response and survival.
Wang Baocun, "A Preliminary Analysis of IW," Beijing Zhongguo Junshi Kexue, 20 November 1997
Thirty-Six Stratagems: The Secret Art of War
http://www.chinastrategies.com/List.htm
http://leav-www.army.mil/fmso/documents/china_electric/china_electric.htm
Thirty-Six Stratagems: The Secret Art of War
• Fool the emperor to cross the sea
Technical / Social Engineering
• e-mail from Stephen J. Moree, who reports to the office of Air Force Secretary Michael W. Wynne
• evaluates the security of selling U.S. military aircraft to other countries
• Indian government had just released request on Aug. 28,
• to a Booz Allen Hamilton executive, “from the Pentagon”: list of weaponry India wanted to buy
• http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
The innocent e-mail
• Poison Ivy
• http://kr.youtube.com/watch?v=4fHUELZPywk
• http://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml
– Designed to extract data from government contractor
– Remote access Trojan
– Keystrokes to cybersyndrome.3322.org
– Small backdoor
– Encrypted, compressed communications
– Registry:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2B81DA45-7941-1AAB-0607-050404050708} "StubPath"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf
Harvest then Exploit
Expired Accounts, Spear Phishing: Compromise
• Cat & mouse game continues
– 1,500 expired accounts in Korea
– Security patch woes
– Improvements with CAC & limiting OWA
– Email phishing
• Besiege Wei to rescue Zhao
Thirty-Six Stratagems: The Secret Art of War
“Supreme excellence consists in breaking the enemy's resistance without fighting.”
Sun Tzu
Supply Chain Fakes Threaten Military Readiness
• Fake CISCO routers
http://washingtondc.fbi.gov/dojpressrel/pressrel08/cisco022808.htm
"Counterfeit products have been linked to the crash of mission-critical networks, and may also contain hidden 'back doors' enabling network security to be bypassed and sensitive data accessed [by hackers, thieves, and spies].” Melissa E. Hathaway, DNI
• Counterfeit Xicor chips in F-15s
• BAE, Boeing Satellite Systems, Raytheon Missile Systems, Northrop Grumman Navigation Systems, and Lockheed Martin Missiles & Fire Control.
• Kill with a borrowed sword
Thirty-Six Stratagems: The Secret Art of War
Slammer's most novel feature: propagation speed.
Within 3 minutes the scanning rate exceeded 55 million scans per second, after which the growth rate slowed because significant portions of the network had insufficient bandwidth to accommodate more growth.
AutoRun Worms: Leverage Strengths, Dynamics
• The Internet
– Browser & plug-in vulnerabilities. ActiveX – 85%
– Cross-site scripting
• Workstation: operating system “entry points”
– Startup folder
– Registry
• Active Setup
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
– Run, RunOnce, RunServices, and RunServicesOnce
• CDs / USB Flash Drives
– AutoRun / AutoPlay
– Leverage user
http://kr.youtube.com/watch?v=xgVecDefOMg
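An added detection example, not from the presentation, covering both the Poison Ivy registry persistence above and the workstation entry points on this slide: it parses a constructed .reg export and flags autostart values that launch from user-writable paths or use the Active Setup CLSID quoted on the Poison Ivy slide. The executable paths, the sample entries and the trusted-directory list are assumptions; only the CLSID and key names come from the slides.

```python
import re
# Constructed .reg export (sample, not a real capture). The Active Setup CLSID
# {2B81DA45-...} is the one the Poison Ivy slide quotes; paths are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\WINDOWS\\system32\\ie4uinit.exe -UserConfig"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2B81DA45-7941-1AAB-0607-050404050708}]
"StubPath"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"
"ctfmon"="C:\\Documents and Settings\\user\\Application Data\\ctfmon.exe"
'''
# Autostart locations named on the slides: the Run* keys under HKCU/HKLM and
# Active Setup\Installed Components\{CLSID} "StubPath".
AUTOSTART_KEY = re.compile(
    r'\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$'
    r'|\\Active Setup\\Installed Components\\\{[0-9A-Fa-f-]+\}$', re.I)
KNOWN_BAD_CLSIDS = {'{2B81DA45-7941-1AAB-0607-050404050708}'}  # from the slide
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\')     # assumption

def parse_autostarts(reg_text):
    """Return (key, value_name, command) for every value under an autostart key."""
    entries, current = [], None
    for line in reg_text.splitlines():
        if line.startswith('['):
            key = line.strip('[]')
            current = key if AUTOSTART_KEY.search(key) else None
        elif current and line.startswith('"'):
            name, _, data = line.partition('=')
            # .reg files double backslashes inside string data; undo that.
            entries.append((current, name.strip('"'),
                            data.strip('"').replace('\\\\', '\\')))
    return entries

def find_suspicious(entries):
    """Flag commands launched outside trusted directories or via a known-bad CLSID."""
    hits = []
    for key, name, command in entries:
        reasons = []
        if not command.lower().startswith(TRUSTED_PREFIXES):
            reasons.append('launches from user-writable path')
        if key.rsplit('\\', 1)[-1].upper() in KNOWN_BAD_CLSIDS:
            reasons.append('known Poison Ivy Active Setup CLSID')
        if reasons:
            hits.append({'key': key, 'name': name, 'command': command, 'reasons': reasons})
    return hits

for hit in find_suspicious(parse_autostarts(SAMPLE_REG)):
    print(hit['name'], '->', hit['command'], '|', '; '.join(hit['reasons']))
```

On a real host the same logic can be run over the output of `reg export` for the HKLM and HKCU hives; the path heuristic is a triage aid, not a verdict, since legitimate software does sometimes start from profile directories.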
AutoRun: Fishin’ the Sea
The statistics:
• AutoRun #1 for first 6 months of 2008
• 8% of malicious code market
• Japan: 143 in August, 347 in September, 471 in October
The varieties (detection name [vendor], count where given):
• Mal/Generic-A [Sophos] 42
• W32.SillyFDC [Symantec] 41
• Packed.Generic.181 [Symantec] 5
• W32.Dotex.CA [Symantec] 5
• Mal/TinyDL-T [Sophos] 4
• TROJ_AGENT.ANFQ [Trend Micro] 4
• Trojan.Win32.Agent.vkw [Kaspersky Lab] 4
• VirTool.Win32.DelfInject [Ikarus] 4
• W32.SillyP2P [Symantec] 4
• Worm.Win32.Agent [Ikarus] 4
• Worm.Win32.Agent.lz [Kaspersky Lab] 4
• Worm:Win32/Autorun.GR [Microsoft] 4
• Worm:Win32/Hamweq.gen!C [Microsoft] 4
• Worm.Hamweg.Gen [PC Tools] 3
• Worm.Win32.AutoRun.eic [Kaspersky Lab] 3
• Worm.Win32.AutoRun.ejf [Kaspersky Lab] 3
• Backdoor.Graybird!sd6 [PC Tools] 2
• Mal/Dropper-MAP [Sophos] 2
• Mal/Basine-A, Mal/Basine-C, Mal/Behav-160, Mal/Emogen-E, Mal/Behav-009
• Worm.Win32.AutoRun.eae [Kaspersky Lab]
• Worm.Win32.AutoRun.rol [Kaspersky Lab]
• Worm.Win32.AutoRun.lkx
• VirTool:Win32/Vtub.WL [Microsoft]
• Trojan Horse [Symantec]
• HackTool.Win32.IISCrack.d [Ikarus]
• WORM_AUTORUN.AJX [Trend Micro]
• Await the exhausted enemy at your ease
– Code Red and the White House
Thirty-Six Stratagems: The Secret Art of War
Thirty-Six Stratagems: The Secret Art of War
• Loot a burning house
• The insider
• Hacker exploitation of OS vulnerability
Growing Web-based Threat
• Infected web pages: 1 every 14 seconds in ’07 / 1 every 5 seconds in ’08
• 60% of vulnerabilities in 2007 – web applications
– 85% of these ActiveX
• Cross-site scripting
– 7,000 first half 2007
– 11,300 second half 2007
Legitimate Sites Can Point to “Drive-by Download” (diagram)
• User clicks on HTML link in e-mail
• User expects & receives download of article on tax benefits for Americans living overseas…
• Malicious page exploits unpatched IE browser vulnerability, downloads code without user approval, installs back door, beacons
Source: Korea Information Security Agency
Computer Network Exploitation
• Titan Rain: espionage
– SANS: attacks were most likely the result of Chinese military hackers attempting to gather information on U.S. systems.
– Targets: Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA
• Cyber rules of engagement differ
– US: Sandia National Laboratories IA professional tracks bad guys, loses job
– China: Industry IA professionals double dip as hackers
North Korean CNA Capabilities: Low
• Differing views of capabilities
– Korean officials – NK aggressively cultivating
– US – Modest skill sets centered within elite
– Emphasis more on Computer Network Exploitation (gathering information) during peacetime
• Computer Network Attack capability is restricted
• Assessment methodology:
– Objective
– Doctrine
– Supporting infrastructure: electricity, education, industry
nK CNA Threat is Low
• Cyber attacks fit into DPRK’s scheme of asymmetric means to counter ROK/US advantages
“I believe that the North Koreans, whatever their limitations, have a capacity to think deeply and innovatively about military affairs…And what I have observed over the years convinces me that they are devoting considerable attention to cyber war.”
John Arquilla, RAND, 2 June 2003
“In the next war we will crush the American boors/Philistines first”
Great Leader’s IW Vision
• Kim Jong-il’s “three pillars for building a powerful state”
– Ideology
– Arms
– Information technology
• “The future warfare will depend not on who is showered with a lot of bullets, but who grasps diverse information faster.”
Plato’s Cave: NK IW / CNA Constraints
Minimal Internet: No Sea for Fish to Swim
• Internet
– Two class C blocks with virtually no activity
– Official sites in Japan, China, Australia
– 2002 – Pyongyang cyber café; one hour – average worker’s weekly wage
• Cannot hide state activities / Intranet
– Kwang Myoung network
• Minimal gateways with outside world
• Korea Computer Center / satellite links
• Preparation for gateway?
– China Telecom / fiber
– 2001 Pyongyang Information Center tests FW
– Increasing encryption
Infrastructure Does Not Support Formidable Threat
• Electricity supply problems: antiquated, unreliable; poor frequency control, outages
• Nascent, struggling tech industries
• Basic software, biometric technology, voice recognition, automated translation programs, game programs
• Seek information on basic applications, programming
Possess Skills for Cyber Hacks
• Armed Forces – moderate capabilities
– Mirim College, 100 graduates per year
– Up to 1,000 elite hackers
– Unit 121
• Growing software / programming expertise
– Applying process-oriented quality control models
• ISO9001, Capability Maturity Model Integration and Six Sigma
• http://www.gpic.nl/IT_in_NKorea.pdf
– Expertise with development platforms, coding
• Assembler, Cobol, C, Visual Studio .Net, Visual C/C++, Visual Basic, Java, JBuilder, Powerbuilder, Delphi, Flash, XML, Ajax, PHP, Perl, Oracle, SQL Server and MySQL, etc.
CNA / CNE within nK Government (org chart)
• Kim Jong-il: Chairman of the National Defence Commission; General Secretary, Korean Workers’ Party
• National Defense Commission → MPAF → General Staff Department → Reconnaissance Bureau → Unit 121
• Korean Workers’ Party → Office 35; 38; 39
? GlobalSecurity.org + Federation of American Scientists
CNA & CNE Services
• Components of modern warfare:
– IW – Recon, electronic, cyber & psychological warfare
– Three-dimensional warfare
– Asymmetric warfare
– Non-contact
– Precision strikes
– Short-term
• Unit 121, Reconnaissance Bureau
– Gifted students recruited, trained, Kim Il Sung Military Academy
– Computing specialties, e.g. networking, OS
• Room / Office 35
• Nefarious cohorts in crime within the Workers’ Party
• Likely works outside nK – CNE & CNA
References
• 47 China’s Electronic Strategies http://www.au.af.mil/au/awc/awcgate/milreview/thomas.htm
• TIME, Titan Rain http://www.time.com/time/magazine/article/0,9171,1098961,00.html
• New E-spionage Threat http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
• U.S. Is Losing Global Cyberwar http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm
• Dangerous Fakes http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm