Tuesday, June 10, 2014

Crowdstrike, PLA 61486, and the Secret Hacker Language that wasn't.

According to George Kurtz's introduction to Crowdstrike's Putter Panda report, his company has revealed the activities of PLA Unit 61486, the identity of one of its employees, Chen Ping aka cpyy, and the primary location of Unit 61486 in Shanghai. By any definition of proof that you care to name, that assertion is only partially true. They located the headquarters of the PLA's General Staff Dept. 12th Bureau in Shanghai thanks to a public announcement by the PLA itself. That's the part that's true.
UPDATE 10 June 2014: The Project 2049 Institute, which Crowdstrike sourced from extensively, was the first organization to publish the address of the Third Department 12th Bureau offices, in its 2011 report "The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure", not Crowdstrike.
Crowdstrike did not prove that the person they've identified as Chen Ping aka cpyy is actually named Chen Ping, or is an employee of PLA Unit 61486, or is even a hacker. All of that is speculation on the part of the researchers. Even the name "Chen Ping" is believed to be real because it corresponds to the "cp" of cpyy. Really? Wouldn't it correspond just as well if Chen Ping were a fictitious name, like the fictitious phone number, postal code, and email address on his WHOIS registration for cpyy.net?

Crowdstrike attempts to connect "Chen Ping" with another Chinese hacker named Linxder by pointing to a forum thread which Crowdstrike claims is "superficially about cars" but could be "a reference to hacking jobs wrapped up in car metaphors."

Nope, and let this be a PRO TIP to everyone who thinks that Google Translate is sufficient for doing your "intelligence" work. Ask a native Chinese speaker (like I did) to translate, then do a little further research and you'll learn that Linxder was talking about her yellow car, which looks like a bun.

Crowdstrike refers to this report as intelligence. If it is, it's the worst kind because the authors start with a bias and then search only for evidence that confirms their bias. Even worse, they failed to prove any of their key findings:

  • Where is the proof that Chen Ping is a PLA soldier assigned to Unit 61486?
  • Or that Chen Ping is even his real name?
  • Or that Unit 61486 has conducted even one cyber attack against a U.S. company?

Just because China is interested in satellite technology and engages in acts of cyber and industrial espionage to get it doesn't mean that Crowdstrike, Mandiant, or anyone else can play fast and loose with attribution. Yes, China does it, but so do many nations, along with countless independent hacker groups. If you want to prove that Col. Mustard hacked Acme Satellite Company with a Candlestick, then either prove it using accepted international standards of evidence or leave attribution out of your report altogether.

3 comments:

  1. I think that many of these security companies that are "breaking" attribution of espionage campaigns are getting kind of ridiculous. They are doing something that governments have been trying to do for a long time and seem to have no problem making attribution statements.

  2. I heard Chen was also behind Bitcoin.

  3. Of course! And he's with the 14K Triad, too.
