Security Firm Mandiant Says China's Army Runs Hacking Group APT1
judgecorp writes "The Chinese government has been accused of backing the APT1 hacking group, which appears to be part of the Chinese People's Liberation Army (PLA), according to the security firm which worked with the New York Times when it fell victim to an attack. The firm, Mandiant, says that APT1 is government sponsored, and seems to operate from the same location as PLA Unit 61398." Unsurprisingly, this claim is denied by Chinese officials. You can read the report itself online (PDF), or skim the highlights.
I would be surprised to learn of any major military power today that DOESN'T have a cyberwarfare division (and god knows how many government contractors doing it on the sly). This only exposes something publicly that every security researcher has known for over a decade.
What political party do you join when you don't like Bible-thumpers *or* hippies?
Stories like this will be used to push draconian internet control and cyber-security laws on the American public.
Don't be fooled.
I was so excited when I got my first wireless router a number of years ago that I used to check the in/out listings daily. I did not care too much about unauthorized access (who would want to monitor me?) so I just chose the Netgear defaults. I quickly found out that a number of DAILY accesses were from somewhere in China. They were not from the same places in China, but they were from China nonetheless. I quickly made the security corrections. Fortunately they do not seem to get in now. Emphasis on the words "seem to".
Now that I know what PLA is made of, I'll be printing with ABS from now on.
The People's Liberation Army is part of the Chinese Communist Party, not the Chinese state.
I think this should be a wakeup call for companies to allocate finance to IT security. It’s hard to go to the board and explain that you need xx£$ for beefing up security if you have not been a target of a hack attempt/virus etc..
When all your base are so easy to belong?
-- U.S. government has receives grade of "C-"
-- DHS received a "D" for 2006, an "F" in 2005
-- DoE pulled its grade up to a "C" from an "F."
-- Department of Commerce received an "F"
http://www.technewsworld.com/story/56892.html
Join the Slashcott! Feb 10 thru Feb 17!
I'm sorry, you were saying you have evidence of the United States targeting civilians, newspapers and non-military corporations by paying a third party to do it and then denied it? This isn't pot/kettle this is apples/oranges.
All of the offensive "Cyber Warfare" activities are conducted by the PLA. That's part of their mandate.
????
Y'know, I think a lot of American CEOs would be a lot more supportive of "big government" if we had a government agency that provided free industrial espionage services.
Mandiant page with appendix and hashes for their materials here.
I was reading through this last night and it contains some interesting details, but is also something of an advertisement for Mandiant's services. Some highlights:
posting anon for obvious reasons. I work for a very large tech company, and we've been trying to remove these bastards for years. YEARS. But the admins still click on cutepicture.exe in their email, and the devs always open the malicious Confidential2012salaries.ppt.... so it's like one big game of whack-a-mole. When we get more effective, sometimes we can maintain a dry environment for a good long time. Other times they throw serious resources at us and we get flooded, sometimes even tracing malicious action to short-term contractors physically working in the US. It's like a swarm of locusts, picking through every bit of data with commercial value. I think one thing that escapes many US/EU security people is the scale of the PRC effort. When you have tens of thousands of people at your disposal, and update your overall plans every 5 years, it's never "a hack." If you do anything they're interested in, they're in your house.
But two alternate realities persist:
1. The Chinese government will continue to vapidly claim that attribution based on years of solid data is an "unfounded and irresponsible" accusation. It is difficult to understand or engage with an adversary on any constructive level when their government consistently spouts predictable juvenile lies.
2. Our/your PR & legal people will steadfastly refuse to discuss the long-game nature of the Chinese intrusions, and deny they started 2-5-10 years ago and persist to this day. (We got a good chuckle out of the NYT assertion that the intruders entered only a few months ago, and that they have been eradicated from the network. I believe their corp lawyers said that. Any tech who believes either assertion is a fool.)
Like I said weeks ago... don't you think those sshd / mail password crackers from China are all part of the Chinese govt? I do... you inevitably play the numbers game... get a box... locally exploit it... get root (or in some cases get root from password cracking). From there you sniff, grab the shadow file and run jtr... Now you have more passwords. People reuse passwords, so try it on anything their user logged in from, etc... eventually you spread like a virus... All the way into the lair of your enemies.
I stand by my previous statements. Block China, and know that you are at least THAT much safer.
1. Generate fake documents with technobabbles
2. Generate fake personal identities with emails/facebook account/the whole nine yards
3. Generate VMs with fake hardware specs
4. Put 1/2/3 together and automate them, repeat until the fake information far exceeds the real one
5. Profit!
With the advent of modern weaponry, overwhelming numbers of troops being a tactical advantage became a thing of the past. No longer could you simply overwhelm your foe with bodies. One small unit with heavy machine guns or a tank or air support could take out much larger opposing forces who were not as well armed. We now see this situation reversing itself. China has an overabundance of warm bodies and they can easily throw many more people at cyber-warfare and cyber-espionage than we can. Other than gradually moving more infrastructure off the public internet and blocking massive swathes of IP address space, I don't see any solution to this that won't be so cost-prohibitive that we end up bankrupting ourselves (more) to fend them off. Even blocking IPs doesn't work now when they control botnets within our borders. The battle lines are continuously obscured. How can you defend when there is no direction to defend from? Even moving infrastructure to private networks is complicated as there is great cost associated when you need to move data or tasks to and from the public internet. China isn't going away, and they have no incentive to stop trying to hack our systems. We have nowhere near the manpower it would take to respond in kind, and doing something like Stuxnet on them would likely backfire or escalate beyond our control. Maybe that escalation is the only solution. It's scary.
You're not paying attention. Don't whitewash "the West" - it's governed by corrupt sociopaths who are morally no different from the rulers of China. Our institutions are designed to be less corruptible (which is why our leaders have been changing them) but the humans in power are at least equally evil.
The series of worms the USA and Mossad introduced in Iran (presumably to keep Shiites from reaching nuclear parity with the West) caused civilian collateral damage to US and Scandinavian businesses. The Bush/Obama administration has laughed it off; the only thing they regret was giving Israel the keys to the worms, which turned out to be a scarily bad idea. They don't seem to regret the car-bombing campaign "the West" directed against civilian Iranian scientists and their families, either. This isn't any "conspiracy theory" crap, either, it's recent history. It's exhaustively documented in wikipedia at this point, as well as newspapers and books.
Here in reality [tm] all the existing countries that have the capacity to harm designated "enemies of the state" and get away with it, regardless of civilian/military status, seem quite willing to do so. That includes the Vatican and probably would include the Dalai Lama if he had the ability. Obama's administration blows up teenagers with US citizenship, and Bush's administration knowingly tortured innocent people to death for amusement. They're all evil.
Let's not forget that Hillary Clinton is Secretary of State. If Slashdotters are not familiar with that position, that is a DIPLOMATIC position.
Her job is to NEGOTIATE with foreign governments. Public acknowledgment of such attacks might hash the negotiations.
I would prefer that she DOES HER JOB and works through diplomatic channels. Public threats will not help. Private threats might. This is doubly true for a secretive regime such as China.
It is the job of the cyber-warfare unit–part of the MILITARY. Of course, it probably is not to the military's strategic or tactical advantage to publicly acknowledge them either.
So sorry Slashdotters, you probably won't get the public details about cyber-warfare that you might want. Don't be so surprised, you haven't been given all of the details of physical warfare either.
It's better that the government does its job than keep us informed.
http://yetanotherpoliticalrant.blogspot.com
By far the largest security hole is Windows.
When the US Gov abolishes Windows, I will assume it is serious. Until then, this is political theatre.
If you're playing catchup in terms of technology and your power is in ability to manufacture on a vast scale, corporate espionage makes perfect sense. It's unfortunate that here we only have technology to steal and not much in terms of production capacity. That's a substantial disadvantage.
Reports from contractors? How do we know it is not the same this time? Last time, it was so convincing too until after we spent a trillion dollars and thousands of lives.
The word "Linux" appears in the report exactly once. It appears in a link to a .pdf document about file system overlay on embedded Linux. The citation says that the document was living at a Chinese university, and was last accessed on 13 February, 2013. As of today, it is 404. The word "Windows", on the other hand, appears many times in the report. Security holes in Windows seem to be the main vector of attack. This is the take-home message. Any organization with a Windows machine exposed to the world should consider themselves fundamentally insecure. This is not to say that Linux or other *nix O/S variants are totally secure. I've been hacked through an old Sun workstation on my local network. But, in terms of low hanging fruit, getting all Windows machines behind a firewall is a pretty low hanging fruit in terms of security enhancement. My 2-cents worth.
Your post seems to be a bunch of complaining on how your company seems completely and utterly powerless to do anything about stupid behavior by its employees. Just have your mail admins deny attachments on email. For example, if it comes from external sources, don't let attachments of any kind get through or only allow certain ones. This is rather trivial to fix. I have to wonder just how smart your "large tech company" is since they seem to have no clue on how to stop this sort of thing.
While there's no doubt that there are hundreds of thousands of hackers in China (not surprising given the population there), and there is little doubt that many of them are going to be hacking the "Big Bad" (i.e., the U.S.), this is mostly a PR campaign for Mandiant and Richard Bejtlich.
Bejtlich has been bitching and moaning about China for years now. He won't be satisfied until the US is at war with China - not cyberwar, REAL war.
The problem is multiple:
1) First, there is my "security meme" which should be engraved on everyone's forehead:
"You can haz better security, you can haz worse security. But you cannot haz 'security'. There is no security. Deal."
This means there is no way to keep hackers out of your networks, given the state of the software and telecommunications industries in terms of software development. There is no secure software (short of some specific stuff used by the DoD - and I'm not sure about thee, as the saying goes) and no secure infrastructure. What one guy can make, another guy can break. This is history.
The consensus in infosec today is that the best you can do is try to detect a breach, react to it and contain it so the enemy doesn't get everything it's after. All attempts at "preventing" hacking are utterly futile.
2) Cybercrime is a "growth industry". It's where the narcotics industry was back in the first half of the 20th Century after the anti-drug laws were passed. It will continue to grow until the software and telecommunications industries change their development practices - and based on human resistance to change, this won't happen until cybercrime is ubiquitous and governments and corporations are nailed to a wall of loss.
3) As we used to say in Federal prison, "I hope you don't like it. What are you going to do about it?" i.e., China is a nuclear power. They have 200 or so nuclear warheads. So what is the US going to do to stop Chinese hackers from spying? Bomb them? Threaten them with trade sanctions and start a trade war - with China owning trillions of dollars of US debt and being the US's biggest trading partner? The days are gone when the US can just stomp on countries they don't like. Iran is giving the US the finger over the sanctions on it. How much less is China going to be affected?
Finally, I view this whole situation as "leveling the playing field." This is related to 2) above. The U.S. has used its military and economic clout for a hundred years to overwhelm and push countries all over the world around. What is happening now is that the chickens are coming home to roost. The U.S. "intellectual property" (an oxymoron at best) regime is being looted - as it should be.
So nothing is going to change for at least the next decade, maybe two decades.
So as my meme says: Deal.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
The same elite "Cyber" group in the PLA is also selling fake Rolexes. If you believe Mandiant, feel free to contact me about shares in the Brooklyn Bridge http://cybernonsense.blogspot.com/2013/02/chinese-hackers-and-security-malware_4130.html
I'm not saying the Chinese aren't doing industrial espionage. A lot of nations do and have done in the past.
I'm saying this is just an elaborate ad.
If you were going to do this in a massive scale, would you make sure the IPs trace back to you? Why not put everything in a disk (or a couple of them) and ship it back, since they are already operating on so many countries.
They're sure that they're using real Chinese people because of the language settings? As if, you really have to have Chinese menus and so on to steal documents in English, especially when the "actors" (the report's terminology) are supposedly well-versed in English. You can't just pick English(NZ).
Another thing about the people related or supposedly working for this Chinese unit is they're hiring/recruiting people with Circuit Design, English, Math and Signal Processing. That sounds more like traditional ELINT, rather than "hackers".
And about security, it's not Windows (though that's not a good start). It's people being lax and everyone pretending changing the passwords will do. You can't enforce security on the computer systems without people enforcing security on themselves.
There's lots of EAL software and systems - rigorously tested. Which corporations are using them properly?
It's not the systems. It's the people. Bring back Multics - watch Accounting go batshit crazy.
These Chinese hackers are not nearly as good as the press makes them out to be. In fact, they are on advanced amateur level at best. Instead, the security of the corporate and governmental networks they are attacking sucks badly, both from a technological side and with regard to the human angle.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I have worked for a few high tech companies over the last two decades in Canada where Chinese Nationals are quite regularly hired and thru insane Employment Equity Laws are hired in preference over Canadian citizens and with a government grant that subsidizes their wage by 50%.
At two different companies I have worked for I have witnessed the blatant open copying of technology after hours, and when confronted the individual in question said -- I'm just making a copy for a friend in China who has his own company in this area. When one brings this up with management, one gets labeled a racist. :O When did political correctness start being used to cover up such theft of Intellectual Property? Is management this oblivious to IP theft?
Being on the inside of a corporation or government agency makes it even easier to breach network security measures.
some thoughts.
I agree, one company I worked for placed their source code server on the windows based firewall machine -- d'ohhhhh
But when I do, they're registered to APNIC
So we live in an age when there is no privacy. That sucks. But I don't very much mind living in an age without real governmental secrecy. I think that all the major governments can basically see each other's underpants, and I think that makes everyone feel safer. Also, it very much disincentivises massive villainous plots, because by default, you should expect them to be discovered. I think it's actually making us safer.
This story has been up all day and not one mention of the Kuang Grade Mark 11.
Any reasonable definition of "government" would include the Chinese Communist Party. The term "party" takes on different meaning in a 1-party state.
... to the contractors. This just looks like WMD in Iraq again -- you (taxpayers) paid a trillion dollars to find out the whole thing was fake and yet nobody got punished. For this one, you will spend billion$ and still won't know if it is real -- after all we can't invade China to find out. When somebody tries to sell you something hard, it must be fishy.
I just wonder why a sophisticated spy operation forgot to fake their IP addresses but left all trails to one location, given that they have control of their routers and gateways.
See subject
"When the US Gov abolishes Windows, I will assume it is serious. Until then, this is political theatre." - by Anonymous Coward on Tuesday February 19, @12:18PM (#42946135)
See my subject-line, & some INSIGHT into Linux's "fine security" in recent years (especially Android):
2012:
New Linux Rootkit Emerges:
https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012
"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."
---
'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:
http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/
---
Medicaid hack update: 500,000 records and 280,000 SSNs stolen:
http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444
So, what's dts.utah.gov running everyone?
LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov
What's health.utah.gov running too??
YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov
* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!
===
2011:
KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)
http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised
---
Linux.com pwned in fresh round of cyber break-ins:
http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/
---
Mysql.com Hacked, Made To Serve Malware:
http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware
What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com
---
London Stock Exchange serving malware:
http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware
(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)
---
DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:
http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers
---
Linux Foundation, Linux.com Sites Down To Fix Security Breach:
I noticed my work PC was starting to run real slow. I tried Google searches, but came up with nothing for the file. After search of exe on hard drive, I see on properties it is Mandiant with Symantec signature: "C:\Program Files\Products\System Time\systimecmf.exe" Any idea how to slow down this program to allow my PC to run faster?