Thursday, March 28, 2013

Rep. Wolf's Flawed Approach to Supply Chain Security


According to this article in today's Politico, Rep. Wolf has inserted language in a budget stopgap bill that is "meant to ensure Chinese companies certify their independence from official Beijing before they can sell their goods to the Commerce Department, among others, during the life of the continuing resolution." Furthermore, it excludes "American companies who do assembling in China".

This provision is stunning in terms of its utter uselessness as a cyber security measure. The problem that Rep. Wolf should be worried about is how easy U.S. companies who have offices in China can be compromised by the Chinese government in ways that go far beyond what is normally reported on by the press.

Yet another problem is how quickly U.S. companies open R&D labs in China which result in technology transfer and a rapid escalation of China's own technological innovation. As an example, I just tried to contact two Microsoft Asia researchers (both Chinese) whose work focused on a specific type of data analytics that my company is interested in. Both researchers had recently left Microsoft and are now continuing their research at Huawei. This revolving door happens all the time and represents just one small part of the vast threat landscape for U.S. companies and by extension the U.S. government that extends far beyond a spear phishing attack and the APT kill chain.

Not only is Rep. Wolf's language utterly useless from a security perspective, it's detrimental to U.S.-China relations which, like it or not, we depend on. We have the ability to handle this problem in a much smarter, more effective way if legislators would invite a broader base of experts in to testify and give guidance on this issue rather than the same anti-China cheerleaders time and again.

Wednesday, March 27, 2013

APT1, Shanghai Jiao Tong university, and Xenophobia

A few things have caught my attention recently which I'd like to share with you all in a somewhat abbreviated manner (meaning I'm swamped but this is important):

A Security Engineer's Forensic Review of Mandiant's APT1 report

Please read this security engineer's forensic review of the evidence contained in Mandiant's Appendix. He's discovered a lot more evidence which casts doubt on Mandiant's conclusions.

Shanghai Jiao Tong University's Collaboration with U.S. InfoSec Companies

Shanghai Jiao Tong University School of Information Security Engineering is just that - one of many Chinese universities that teaches information security. It is not a PLA school nor does it engage in hacking attacks. If it did, then I doubt that BreakingPoint Systems, a company that conducts "cyber warrior training" and does "cyber range deployments" for the U.S. government would have signed a "strategic cooperation agreement" with them.

Mandiant CSO Richard Bejtlich's view on Hiring Foreign Nationals

While I've disagreed often with Mandiant and Richard Bejtlich's views on China, I never heard him say anything remotely as awful as this quote from the Washington Examiner. I hope he was misquoted:
Bejtlich said he opposed placement of any foreign citizen of a suspect country like China in any sensitive government position.
"If you're considering them for a job at a national lab or a government agency, I think we're at the point now where it's recognized that's probably not a good idea," he said.
If that's an accurate quote, I can only hope that U.S. companies will ignore that incredibly poor advice. I think that most intelligent people in today's globalized economy have experienced working side by side with honest, talented, and skillful "foreigners" in many high technology settings including national labs and other environments. In fact, the U.S. would be hard-pressed to continue to innovate without them. The above quote is an example of xenophobia that's not far removed from McCarthyism and other witch-hunts and it has no place in the U.S. in 2013.

Monday, March 18, 2013

Mandiant's APT1 "Mission" problem

Mandiant's APT1 report's table of proof listed six categories that Mandiant deduced tied APT1 to PLA Unit 61398. The first, which Mandiant called the Mission area, made the claim that PLA Unit 61398 "targets strategic emerging industries in China's 12th Five year Plan" (see table 12 on p.59). Earlier in the report the authors claimed that "APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan" (p.24).

The Mission evidence is particularly of interest to me because I've been mining adversary state R&D since 2009 and while knowing what a potential adversary state is after is important, it cannot be done at the 50,000 foot view which is what China's Five Year Plans do. Taia Global published a white paper almost a year ago (a copy of which was requested by one of Mandiant's executives) which provided a similar high level look at 13 nation state R&D priorities and it too was not sufficiently granular to be of much use in an attribution effort however it does make clear that certain technologies are of value to at least a half dozen threat actors (see below). And frankly, this is a very valid approach, if done properly, to help a company understand which files may be at risk. In fact, that's precisely what Taia Global's new product Chimera is being developed to do. However, it's not enough to just say that because "energy" is part of China's FYP, then it must be China whenever an energy company is attacked. France, Germany, and Russia are also spending money on Energy related research and all three of those states have engaged in industrial espionage. But even that's not sufficient evidence to blame a state actor. What's more likely in my opinion is that a professional hacker group is making money by stealing valuable IP and selling it to competitors, state-run companies, and/or the states themselves.

Here are the seven new strategic industries identified in China's 12th FYP. The report didn't disclose which 4 of 7 were targeted:
  • Energy conservation and environmental protection industries
  • New-generation IT industry
  • Biological industry
  • High-end equipment manufacturing industry
  • New energy industry
  • New material industry
  • New-energy automobile industry
Below are some of the R&D priorities for six other nation states who have engaged in industrial and cyber espionage. It's not exhaustive but it illustrates how little deviation there is at the broadest level of international R&D. We can safely say that companies in these industry segments are being targeted for their IP. We can't say that only China is doing the targeting.

France:
  • Energy
  • Biotechnology
  • IT (Information Technology)
  • Space
  • Transportation
Germany:
  • Energy
  • IT and Telecommunications
  • Manufacturing
  • Biotechnology
  • Medicine
  • Climate research
Israel:
  • Telecommunications
  • Medicine
  • Chemistry
  • Information Technology
  • Biotechnology
  • Nanotechnology
Pakistan:
  • Telecommunications
  • Agriculture
  • Medicine
  • Education
Russia:
  • Energy
  • Robotics
  • Information and Telecommunications
  • Nanotechnology
  • Life sciences
  • Environment
South Korea
  • Manufacturing
  • Nanotechnology
  • Semiconductors
  • Transportation
  • Chemicals

Saturday, March 16, 2013

Please take and share this "Hacker Deception Survey" (Now Updated with Results)

When it comes to blaming cyber attacks on any given nation state, many times the evidence given includes WHOIS registration data. There's been a surprising (at least to me) amount of credibility given to registration data which corresponds to the country that individuals seek to blame. So much so that I'm beginning to wonder what the consensus really is on a very basic question - do hackers seek to disguise their location?

So I've created a simple True/False question to help me arrive at an answer. Please help me out by taking this one question survey and sharing the link with as many people as possible. No technical background is required. Thanks!

Click here to take survey

UPDATE (20 MAR 2013):
After four days, the survey received 57 responses. Here are the results:
Not surprisingly, 90% of the respondents agreed with the premise that a hacker will usually disguise his location by providing false WHOIS data. My suggestion is that if you're reviewing a report which relies on WHOIS data (partly or wholly) to prove its attribution claim, that you'd be well advised to question its findings.

Monday, March 11, 2013

China Operates the World's Most Successful HoneyPot

The Chinese government has been on a focused mission to increase its technological development for many years. One of the best and most efficient ways that it has of doing this is by making it attractive for foreign high tech companies to open R&D centers in China. In 2000 there were about 100 foreign R&D labs in China. By 2007 there were 1200. Today, Shanghai alone has over 300. In fact, many of the same companies that believe that China is responsible for the vast majority of APT attacks have helpfully delivered some of their own "crown jewels" (i.e., their R&D) inside China's borders including GE, Dell, Microsoft, HP, Intel, Boeing, and EADS to name just a few:
"General Electric Co. plans to invest more than $2 billion in China in technology and financial service ventures and research, adding 1,000 jobs in a country Chief Executive Officer Jeffrey Immelt is targeting for growth. (source)"
UPDATE 30 March 2013: General Electric Co's (NYSE: GE) healthcare unit, the world's biggest maker of medical imaging machines, plans to double its production capacity in China in the years through 2015, GE Healthcare Greater China CEO Duan Xiaoyin told Yicai.com (source via paid subscription).
"The Chicago-based aerospace giant (Boeing) recently partnered with Commercial Aircraft Corporation of China -- or Comac -- to invest in a research project aimed at energy conservation and fuel reduction. (source)" 
 "Dell will likely spend $250 billion in China on procurement and other investments over the next 10 years as it expands in the world's No 2 personal computer (PC) market, the head of its China operations said on Tuesday. (source)"
"Intel Corp. INTC -0.63%  said Tuesday it will form a joint innovation center with Chinese internet giant Tencent Holdings Ltd. (0700.HK) that will focus on developing new mobile computing products. (source)" 
"Hewlett-Packard (HPQ.NYSE) is tapping into China's engineering talent to develop global storage and networking products, as the computer maker prepares to open a research center in Beijing, Bloomberg reported. HP's CEO Leo Apotheker said the company wants to utilize China's R&D capabilities as it seeks to boost sales in other emerging markets. (source)" 
And this is just a tiny sampling. If you're wondering why companies are so willing to open research centers in China, it's because the Chinese government is making them an offer that's hard to refuse.
  • A 50 percent R&D "super deduction" in addition to the actual expense deduction for R&D spending. So if a company spends 10 million yuan ($1.6 million; 1.26 million euros) on eligible R&D it will receive a net benefit of 1.25 million yuan (12.5 percent benefit for every eligible cost);
  • A preferential corporate income tax rate of 15 percent (the standard rate is 25 percent) for companies recognized as a High New Technology Enterprise;
  • A preferential corporate income tax rate of 15 percent for companies recognized as an Advanced Technology Service Enterprise, with qualified incomes exempt from business tax;
  • Exemption from import customs duty and value-added tax on qualified R&D equipment imported by R&D centers.
Here are the industrial sectors that qualify for the above incentives:
  • New techniques or methodologies to extract minerals from complex ore bodies.
  • Improvements to water use and irrigation technologies.
  • Development of innovative functionality and improved approaches to solving software problems.
  • Application of engineering principles, previously developed in the aerospace industry, in, for example, the automotive industry.
  • Computer-aided engineering and simulation software developed as part of a larger R&D project in any industry.
  • Development of new processes and technologies to minimize adverse environmental impacts across all industries.
  • Development of new compounds with improved therapeutic properties.
  • Development of non-destructive testing techniques to analyze material fatigue with pharmaceutical products.
  • Application of off-the-shelf software products in new and previously unproven ways.

Who Needs APT?

Basically China has successfully created the world's largest honeypot for acquiring foreign trade secrets and intellectual property. It's so successful at it that even companies who know better like GE (close ties with Mandiant), Dell (owns SecureWorks), and HP (owns McAfee Fortify) are still running R&D labs there. 

Legal Technology Transfer

Foreign companies who open offices in China hire Chinese engineers and other skilled employees who learn and work on their technologies and thenthey  take that knowledge with them when they leave to work at Chinese firms after a year or two. Additionally, these foreign companies must use China's telecommunications infrastructure for all of their communications (satellite, VoIP, landline, mobile, etc.), which means that all of their confidential communications traffic are subject to collection and monitoring under Chinese law. So while China certainly engages in other espionage-related activities, that isn't it's only means or even its best means to acquire high technology secrets. 

If Not China, Who?

There are many other nations who want the same technology that China wants but who don't have the same drawing power in terms of population density or cheap engineering labor to attract foreign R&D investment. For those countries, cyber espionage is a much more important option and one for which resources are available (i.e., indigenous hacker populations and freely available Chinese-made hacking tools). If companies really want to know who may be targeting their trade secrets, then they should demand to know how incident responders and/or Law Enforcement Organizations are distinguishing between the activities of different nation states; all of whom want to accelerate their technological development by raiding U.S. companies' networks.

Friday, March 8, 2013

Call for Papers: Suits and Spooks Singapore: Dec 2-3, 2013


Suits and Spooks Singapore

The Mandarin Oriental Hotel
December 2-3, 2013

Call For Papers

Taia Global's hit conference series Suits and Spooks will hold its first international conference in Singapore this December at the incredible 5 Star hotel The Mandarin Oriental Singapore. If you'd like to participate as a speaker, please send me an abstract of your proposed talk by April 30th. Some broad topics ideas include:
  • Offensive and Defensive Tactics in Information Security
  • Attribution Methodologies
  • Vulnerabilities in Critical Infrastructure; especially in Automated Systems
  • An International Look at Informatized Warfare and International Cyber Commands
  • International Law and Policy as it pertains to Cyberspace
  • Strategies to Reduce the Threat Landscape

Sponsorships

We're actively seeking corporate sponsors for this high profile event. Please contact me if you'd like more information. 

For More Information

Follow @SuitsandSpooks on Twitter or request to be added to our event mailing list.

Tuesday, March 5, 2013

Deputy Prime Minister of Russia is worried about backdoors in Western tech

In the course of writing this month's S&TI Flash Traffic report for our subscribers, I came across this interesting article which demonstrates that the U.S. isn't the only country worried about supply chain security.

I had one of our Russian-speaking contractors translate it for inclusion into our report. Here's the English version:
February 23rd – Finmarket – The first breakthrough in technologies that will be produced by the fund of advanced research will appear by the end of this year, declared deputy prime-minister Dmitry Rogozin. “I think that by the end of even this year we will have one or two new ideas, which will facilitate a breakthrough decisions for our science of warfare,” said Dmitry Rogozin at the celebratory event hosted on February 23rd in the Technology Museum. In his opinion, before the fund starts their work a few months for organizational procedures will be needed.  "We will then acquire unique innovations, among others student auditoriums and institute flexible testing stations, all of which will exist in 5-7 year, no more,” said Rogozin. Altogether, he mentioned, the fund will be powered by academic science centers, and the results of its work will be used by lead institutes of domestic industry.
In addition, appearing before members of the patriotic organization which gathered from the regions, Rogozin asserted that Russia is obligated to carefully use foreign micro-electronics and software, and better overall to develop their own technology.  “Actually, cyber security in the West is understood as bookmarks in chips and software, supplied to different countries, bookmarks, which activate at a defined moment,” – said Rogozin. “If Russia can’t product a quality electronic-component base and  supply their own satellites, buying microelectronics abroad, it’s impossible to be exactly sure how these satellites will react at hour “X” – mentioned deputy prime minister. “Who are they, and who will they transfer to? And will they work for us, or will they be worked into another group?” – questioned Rogozin. 
The Fund of Advanced Research is Russia's newly created version of the U.S. Defense Advanced Research Projects Agency (DARPA). This article demonstrates the Russian government's concern over supply chain security when it comes to their reliance upon foreign-made microchips and software. Ironically, while U.S. companies make these products, we often don't make them in the U.S. but in China; hence we have the same problem that Russia does.

Sunday, March 3, 2013

Who Are The Players in China's Targeting of Foreign Technology IP?

The release of Mandiant's APT1 report claimed that the PLA's Third Directorate (3PLA) is the responsible State organization behind Comment Crew (aka APT1). One of the things that the report's authors didn't do was demonstrate how the other State agencies who engage in this type of activity were excluded in their analysis. For future reference, here's a more complete list of the possible organizations who conduct intelligence activities (including cyber) to consider or rule out in terms of possible Chinese attribution.

Traditional Channels

Civilian
  • The Ministry of State Security (MSS) - Counterespionage and Counterintelligence; Foreign Intelligence; Domestic Intelligence
  • Ministry of Public Security (MPS) - National Police; Domestic Intelligence
Military
  • Second Department of the People's Liberation Army (PLA) General Staff Department (2PLA): engages in foreign intelligence, imagery intelligence, and tactical reconnaissance
  • Third Department of the PLA General Staff Department (3PLA); engages in signals intelligence
  • Fourth Department of the PLA General Staff Department (4PLA); engages in computer network operations
  • Liaison Office of the PLA General Political Department
  • Intelligence departments of the PLA Navy, PLA Air Force, and Second Artillery
  • State Secrecy Bureau

Non-Traditional Channels

  • Commission of Science, Technology and Industry for National Defense (COSTIND)
  • Research Institutes
  • PRC Military-Industrial Companies
  • Organized Chinese hacker groups

Guidelines:

Failed operations. In Amy Elizabeth Brown's paper "Directed or diffuse?: Chinese human intelligence targeting of US defense technology", she makes the same point that I have made multiple times; e.g., that much of the information we have about Chinese espionage cases (cyber and otherwise) comes solely from failed operations - meaning covert operations that have been discovered. Therefore, we have to acknowledge the possibility that China also runs successful covert operations using more effective tradecraft but we don't know the scope or scale.
3PLA's distributed offices. It's important to note that 3PLA, which was identified in the Mandiant APT1 report has, according to Mattis, offices and technical reconnaissance bureaus in each of China’s seven military regions and several major cities (not only Shanghai).
OSINT is insufficient. Another important statement in Mattis' conclusions is that open sources are insufficient to understand the inner workings of these various intelligence agencies.
Lack of sound tradecraft. "One of the defining characteristics of China’s non-traditional techniques for obtaining technology, as observed in many of the cases noted here, is the lack of clandestine tradecraft, or even the most basic elements of operational security, involved in obtaining the information.  In general, it appears that little or no care is used to ensure that the operation goes undetected." - Amy Brown's "Directed or Diffuse" paper as referenced below.
Giving amateur operatives too much credit. "A belief that the Chinese rely on amateur operatives risks leading CI professionals to dismiss or be inattentive to the threat posed by China’s professional services." - Peter Mattis "The Analytic Challenge" paper as referenced below.
Distinguishing economic espionage from Chinese intelligence. "When economic espionage with no connection to the Chinese intelligence services is interpreted as “Chinese intelligence,” less attention will be paid to what those organizations actually do. The Chinese intelligence services and the Chinese defense industries are distinct entities, although they may sometimes work for mutual benefit." - Peter Mattis (Ibid)

Readers of the Mandiant report or any report that purports to reveal the inner workings of Chinese cyber espionage cases are encouraged to familiarize themselves with the papers referenced below as well as the above guidelines that I've extracted from them. 

For example, the lack of tradecraft by the three individuals mentioned in the Mandiant report is palpable, and was pointed out by the report's authors: "These actors have made poor operational security choices, facilitating our research and allowing us to track their activities. They are some of the authors of APT1's digital weapons and the registrants of APT1 FQDNs and email accounts. These actors have expressed interest in China's cyber warfare efforts, disclosed their locations to be the Pudong New Area of Shanghai, and have even used a Shanghai mobile phone number to register email accounts used in spear phishing campaigns." - Mandiant APT1 report, p. 51

Even if one assumes that the Chinese government is the customer for APT1's cyber espionage activities, it's important to consider all of the options before attempting to assign attribution. Such a lack of tradecraft involved deserves at least a mention in the report that non-traditional channels as defined above were considered. As this article points out, those options are plentiful within China, but also include other foreign intelligence services and professional hacker crews who run their operations from China and/or from Chinese servers in order to confound any efforts at attribution.
PRC Intelligence Apparatus - Implications for Foreign Firms

Related Posts:

"Mandiant APT1 Report has critical analytic flaws"