Computer Network Attack / Exploitation: Regional Threats China & North Korea Karl Wolfgang, CISSP

Computer Attack Stratagems

Jan 21, 2015

1. China leverages computer network attack and exploitation techniques, harvesting information critical to building a modern nation-state and "informationalized", technical military forces.
2. China adapted ancient stratagems for CNA & CNE operations.
3. China can claim plausible denial for nation-sponsored hacking activities, hiding within the sea of everyday hackers.
4. On the other hand, North Korea must take CNA & CNE operations outside its country's boundaries.
Transcript
Page 1: Computer Attack Stratagems

Computer Network Attack / Exploitation:

Regional Threats: China & North Korea

Karl Wolfgang, CISSP

Page 2: Computer Attack Stratagems

• People’s Republic of China: medium threat, growing
• North Korea: low threat, restrained
• Methodology
  – National vision, objectives: military doctrine
  – Stratagems
  – Reality check:
    • Capabilities
    • Supporting infrastructure
    • Software / programming
  – Open source analysis, “in the wild” hacker processes
• Assumptions:
  – Individual hackers and nations share similar processes / techniques
  – China and North Korea share similar processes / techniques
  – China: 1. more active 2. better able to operate under cloak of plausible denial

CNO in NE Asia

Page 3: Computer Attack Stratagems

Jiang Zemin: 90s – Early 21st Century: Warfare at the Speed of Electrons

• Economic, political, historical objectives
  – Taiwan
  – Infrastructure > military techno-revolution
• Regional power projection
• Lessons learned – Kosovo, Iraq
  – C4I fusion
  – Preemption
• "Informationized arms . . . together with information systems, sound, light, electronics, magnetism, heat and so on, turn into a carrier of strategies."

MG Dai Qingmin

Page 4: Computer Attack Stratagems

NETOPS vs. The Science of Campaigns

Cognitive errors

Multi-dimensional

Threat

Phased Operations

Page 5: Computer Attack Stratagems

Civilian Assets & IW Reserves

• Dissolving boundaries
  – Civil-military cooperation
  – Civil vs. military targets
• Militia – fist of network warfare & hacker units
• Potential missions
  – Network offense
  – Network defense
  – Network propaganda
  – Electronic countermeasures
  – Technical recon
  – Maintenance

Page 6: Computer Attack Stratagems

Skill Sets

• Computer science graduates
• Professions:
  – Satellite
  – Telecommunications / networking
  – Data communications / SW & HW
  – Microwave
  – Programming
• Develop doctrine / training

Civilian Assets & IW Reserves

Cyber Forces

• People’s Armed Forces Department of Echeng, Ezhou, Hebi
• Chongqing Garrison
• Shanxi Reserve “Network” Fendui, Datong MSD
• Shanghai
• Guangzhou, Dongshan District

Page 7: Computer Attack Stratagems

China: Plausible Denial

• Ancient stratagems
• Maoist tactics
• Aggressive program of national development

Page 8: Computer Attack Stratagems

Stratagems of Information Warfare

• All warfare is based on deception. There is no place where espionage is not used. Offer the enemy bait to lure him.

• Let your rapidity be that of the wind, your compactness that of the forest.

• The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim.

• Attack him where he is unprepared, appear where you are not expected.

47 China’s Electronic Strategieshttp://www.au.af.mil/au/awc/awcgate/milreview/thomas.htm

Page 9: Computer Attack Stratagems

Sun Tzu – Wang Mind Meld

• IW: Complex, limited goals, short duration, less damage, larger battle space and less troop density, intense struggle for information superiority, C4I integration, new aspects of massing forces and the fact that effective strength may not be the main target.

• Principles of IW: Decapitation, blinding, transparency, quick response and survival.

Wang Baocun, "A Preliminary Analysis of IW," Beijing Zhongguo Junshi Kexue, 20 November 1997

• The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim.

• Attack him where he is unprepared, appear where you are not expected.

Sun Tzu

Page 10: Computer Attack Stratagems

Thirty-Six Stratagems: The Secret Art of War

http://www.chinastrategies.com/List.htm
http://leav-www.army.mil/fmso/documents/china_electric/china_electric.htm

Page 11: Computer Attack Stratagems

Thirty-Six Stratagems: The Secret Art of War

• Fool the emperor to cross the sea

Page 12: Computer Attack Stratagems

Technical / Social Engineering

• E-mail purportedly from Stephen J. Moree, who reports to the office of Air Force Secretary Michael W. Wynne
• Moree evaluates the security of selling U.S. military aircraft to other countries
• The Indian government had just released a request on Aug. 28
• Sent to a Booz Allen Hamilton executive — from the “Pentagon”, listing the weaponry India wanted to buy
• http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm

Page 13: Computer Attack Stratagems

The innocent e-mail

• Poison Ivy
  • http://kr.youtube.com/watch?v=4fHUELZPywk
  • http://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml
  – Designed to extract data from a government contractor
  – Remote access Trojan
  – Keystrokes sent to cybersyndrome.3322.org
  – Small backdoor
  – Encrypted, compressed communications
  – Registry persistence:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2B81DA45-7941-1AAB-0607-050404050708} "StubPath"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Page 14: Computer Attack Stratagems

http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf

Harvest then Exploit

Page 15: Computer Attack Stratagems

Expired Accounts, Spear Phishing: Compromise

• Cat & mouse game continues
  – 1,500 expired accounts in Korea
  – Security patch woes
  – Improvements with CAC & limiting OWA
  – Email phishing

Page 16: Computer Attack Stratagems

• Besiege Wei to rescue Zhao

Thirty-Six Stratagems: The Secret Art of War

Supreme excellence consists in breaking the enemy's resistance without fighting.

Sun Tzu

Page 17: Computer Attack Stratagems

Supply Chain Fakes

Threaten Military Readiness

• Fake CISCO routers http://washingtondc.fbi.gov/dojpressrel/pressrel08/cisco022808.htm
  "Counterfeit products have been linked to the crash of mission-critical networks, and may also contain hidden 'back doors' enabling network security to be bypassed and sensitive data accessed [by hackers, thieves, and spies].” Melissa E. Hathaway, DNI
• Counterfeit Xicor chips in F-15s
• BAE, Boeing Satellite Systems, Raytheon Missile Systems, Northrop Grumman Navigation Systems, and Lockheed Martin Missiles & Fire Control.

Page 18: Computer Attack Stratagems

• Kill with a borrowed sword

Thirty-Six Stratagems: The Secret Art of War

Page 19: Computer Attack Stratagems

• Kill with a borrowed sword

Thirty-Six Stratagems: The Secret Art of War

Slammer's most novel feature: propagation speed.

Within 3 minutes the scanning rate exceeded 55 million scans per second; after that the growth rate slowed because significant portions of the network had insufficient bandwidth to accommodate more growth.

Page 20: Computer Attack Stratagems

AutoRun Worms: Leverage Strengths, Dynamics

• The Internet
  – Browser & plug-in vulnerabilities. ActiveX – 85%
  – Cross-site scripting
• Workstation: operating system “entry points”
  – Startup folder
  – Registry
    • Active Setup
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      – Run, RunOnce, RunServices, and RunServicesOnce
• CDs / USB Flash Drives
  – AutoRun / AutoPlay
  – Leverage user

http://kr.youtube.com/watch?v=xgVecDefOMg
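The persistence "entry points" listed on this slide and on the Poison Ivy slide (Active Setup StubPath values and the Run-family keys) can be audited from the defender's side. The following PowerShell script is an added example, not part of the deck: it enumerates those keys, flags autostart commands that point into user-writable folders (an assumed heuristic, not an authoritative rule), and reports the AutoRun policy for removable media. It assumes it runs locally with read access to HKLM and HKCU.

```powershell
# Added example: read-only audit of the autostart locations named in the slides.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed heuristic: legitimate autostarts rarely live here, dropped RATs usually do.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC)

function Test-SuspiciousPath([string]$cmd) {
    foreach ($root in $suspiciousRoots) {
        if ($root -and ($cmd -like "*$root*")) { return $true }
    }
    return $false
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $findings += [pscustomobject]@{ Location = $key; Name = $p.Name
                                        Command = $p.Value; Suspicious = Test-SuspiciousPath $p.Value }
    }
}

# Active Setup: each component with a StubPath runs once per user at the next logon.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
foreach ($sub in Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue) {
    $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
    if ($stub) {
        $findings += [pscustomobject]@{ Location = $sub.PSPath; Name = $sub.PSChildName
                                        Command = $stub; Suspicious = Test-SuspiciousPath $stub }
    }
}

# Removable-media AutoRun policy: 0xFF (255) disables AutoRun for every drive type.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noAutoRun = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($noAutoRun -eq 255) { "AutoRun disabled for all drive types (NoDriveTypeAutoRun=0xFF)" }
else { "AutoRun NOT fully disabled (NoDriveTypeAutoRun=$noAutoRun)" }

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Suspicious entries are listed first; compare each flagged command against a known-good baseline before acting, since some installers legitimately stage updaters under AppData.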

Page 21: Computer Attack Stratagems

AutoRun: Fishing the sea


The statistics:

• AutoRun #1 for first 6 months of 2008
• 8% of the malicious code market
• Japan: 143 in August, 347 in September, 471 in October

The varieties:


Page 22: Computer Attack Stratagems

• Await the exhausted enemy at your ease
  – Code Red and the White House

Thirty-Six Stratagems: The Secret Art of War

Page 23: Computer Attack Stratagems

Thirty-Six Stratagems: The Secret Art of War

Loot a burning house

• The insider
• Hacker exploitation of OS vulnerability

Page 24: Computer Attack Stratagems

Growing Web-based Threat

• Infected web pages: 1 every 14 seconds in ’07 / 1 every 5 seconds in ’08
• 60% of vulnerabilities in 2007 – web applications
  – 85% of these ActiveX
• Cross-site scripting
  – 7,000 first half 2007
  – 11,300 second half 2007

Page 25: Computer Attack Stratagems

Drive-by download sequence (unpatched IE):

1. User clicks on HTML link in Email.
2. User expects & receives download of article on tax benefits for Americans living overseas…
3. Malicious page exploits browser vulnerability, downloads code without user approval.
4. Installs back door beacon.

Page 26: Computer Attack Stratagems

Source: Korea Information Security Agency

Legitimate Sites Can Point to “Drive-by Download”

Page 27: Computer Attack Stratagems

Computer Network Exploitation

• Titan Rain: espionage
  – SANS: attacks were most likely the result of Chinese military hackers attempting to gather information on U.S. systems.
  – Targets: Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA
• Cyber rules of engagement differ
  – US: Sandia National Laboratories IA professional tracks bad guys, loses job
  – China: Industry IA professionals double dip as hackers

Page 28: Computer Attack Stratagems

North Korean CNA Capabilities: Low

• Differing views of capabilities
  – Korean officials – NK aggressively cultivating
  – US – Modest skill sets centered within elite
  – Emphasis more on Computer Network Exploitation (gathering information) during peacetime
• Computer Network Attack capabilities are restricted
• Assessment methodology:
  – Objective
  – Doctrine
  – Supporting infrastructure: electricity, education, industry

Page 29: Computer Attack Stratagems

nK CNA Threat is Low

• Cyber attacks fit into DPRK’s scheme of asymmetric means to counter ROK/US advantages

“I believe that the North Koreans, whatever their limitations, have a capacity to think deeply and innovatively about military affairs…And what I have observed over the years convinces me that they are devoting considerable attention to cyber war.”

John Arquilla, RAND, 2 June 2003

“In the next war we will crush the American boors/Philistines first”

Page 30: Computer Attack Stratagems

Great Leader’s IW Vision

• Kim Jong-il’s “three pillars for building a powerful state”– Ideology– Arms– Information technology

• “The future warfare will depend not on who is showered with a lot of bullets, but who grasps diverse information faster.”

Page 31: Computer Attack Stratagems

Plato’s Cave: NK IW / CNA Constraints

Page 32: Computer Attack Stratagems

Minimal Internet: No Sea for Fish to Swim

• Internet
  – Two class C blocks with virtually no activity
  – Official sites in Japan, China, Australia
  – 2002 – Pyongyang cyber café; one hour costs an average worker’s weekly wage
• Cannot hide state activities / Intranet
  – Kwang Myoung network
• Minimal gateways with outside world
  • Korea Computer Center / satellite links
• Preparation for gateway?
  – China Telecom / fiber
  – 2001 Pyongyang Information Center tests FW
  – Increasing encryption

Page 33: Computer Attack Stratagems

Infrastructure Does Not Support Formidable Threat

• Electricity supply problems: antiquated, unreliable; poor frequency control, outages
• Nascent, struggling tech industries
• Basic software, biometric technology, voice recognition, automated translation programs, game programs
• Seek information on basic applications, programming

Page 34: Computer Attack Stratagems

Possess Skills for Cyber Hacks

• Armed Forces – moderate capabilities
  – Mirim College, 100 graduates per year
  – Up to 1,000 elite hackers
  – Unit 121
• Growing software / programming expertise
  – Applying process-oriented quality control models
    • ISO9001, Capability Maturity Model Integration and Six Sigma.
    • http://www.gpic.nl/IT_in_NKorea.pdf
  – Expertise with development platforms, coding
    • Assembler, Cobol, C, Visual Studio .Net, Visual C/C++, Visual Basic, Java, JBuilder, Powerbuilder, Delphi, Flash, XML, Ajax, PHP, Perl, Oracle, SQL Server and MySQL, etc.

Page 35: Computer Attack Stratagems

CNA / CNE within nK Government

Organization chart (slide diagram):

• Kim Jong-il
  – Chairman of the National Defence Commission
    • National Defense Commission
      – MPAF
        • General Staff Department
          – Reconnaissance Bureau
            • Unit 121
  – General Secretary
    • Korean Workers Party
      – Office 39
      – Office 38
      – Office 35 (?)

Source: GlobalSecurity.org + Federation of American Scientists

Page 36: Computer Attack Stratagems

CNA & CNE Services

• Components of modern warfare:
  – IW – Recon, electronic, cyber & psychological warfare
  – Three-dimensional warfare
  – Asymmetric warfare
  – Non-contact
  – Precision strikes
  – Short-term
• Unit 121, Reconnaissance Bureau
  – Gifted students recruited, trained, Kim Il Sung Military Academy
  – Computing specialties, e.g. networking, OS
• Room / Office 35
• Nefarious cohorts in crime within the Workers’ Party
• Likely works outside nK – CNE & CNA

Page 37: Computer Attack Stratagems

References

• 47 China’s Electronic Strategies http://www.au.af.mil/au/awc/awcgate/milreview/thomas.htm
• TIME, Titan Rain http://www.time.com/time/magazine/article/0,9171,1098961,00.html
• New E-spionage Threat http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
• U.S. Is Losing Global Cyberwar http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm
• Dangerous Fakes http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm