Shadows in the cloud: Chinese involvement in advanced persistent threats


FEATURE


Danny Bradbury

Advanced Persistent Threats (APTs) existed long before the evolution of consumer computing. But in the past year, they have become a significant part of the online landscape.

APTs are concerted campaigns to gather intelligence on particular individuals or institutions. During the Cold War they were the stuff that spy stories were made of. Nation states would employ agents to gather information on their enemies using manual techniques. This information would be collated and cross-referenced to gain a better understanding of an enemy’s motives and movements.

Now those techniques have become automated. As widespread consumer computing evolved, APTs evolved along with it. Hackers developed techniques to target individual institutions, and were able to harvest information using everything from port scans to dumpster diving. Attacks on both companies and national institutions have made the news repeatedly in the past year and culminated recently in the publication of a report documenting a concerted intelligence-gathering effort by groups apparently located in the People’s Republic of China (PRC).


The geographic locations of compromised hosts. Source: Information Warfare Monitor.


Called ‘Shadows in the Cloud’, the report was compiled by the Information Warfare Monitor (IWF) in conjunction with the Shadowserver Foundation, a non-profit group dedicated to furthering security online.1 It follows on from another report, published in Spring 2009, called ‘Tracking GhostNet’, and used some of the findings from that report as the basis for further investigations: these revealed yet another concerted attack on systems for the purposes of information gathering.2

GhostNet’s discovery stemmed from a forensic investigation that security think-tank SecDev (a partner in the IWF) had been asked to carry out by representatives from the Office of His Holiness the Dalai Lama (OHHDL).3 They were conducting a five-day preliminary security review of systems at the OHHDL and found evidence that one of the machines had been infected with malware. This led to a broader investigation in which SecDev experts analysed the function of the malware binaries and correlated information about the command and control servers that were used to issue commands to them.

The GhostNet report identified a network of 1,300 infected computers across 103 countries, roughly a third of which could be considered of high value to the Chinese Government from an intelligence perspective. The report identified a large proportion of command and control servers on Chinese territory, but stopped short of making direct allegations about the involvement of the Chinese Government in the enterprise.

Cyber-espionage

Since then, however, investigating organisations have become more outspoken and confident about the likelihood of Chinese involvement in various cyber-espionage activities. At the start of this year, Google went public about a clandestine project that came to be known as Operation Aurora. This attack targeted at least 30 companies, of which Google was by far the most transparent about what had happened. Attackers had mounted a concerted campaign to acquire intellectual property from Google, the company said. They had exploited a zero-day vulnerability in Internet Explorer 6 using social engineering tactics that lured victims to malicious websites, which then compromised their machines.

Although it was the most candid about the whole affair, Google still remained relatively tight-lipped about the details of the hack, but the New York Times nevertheless carried some incendiary details. According to its report, the hackers had managed to use malicious links sent via MSN Messenger to compromise machines inside Google that were in turn used to mount an attack against the computers in the search engine giant’s development team. These in turn gave the hackers access to the source code for Gaia, the little-discussed single-sign-on system that is used to manage access to Google’s services.

Short of gaining direct root access to Google’s databases, this represents the best possible outcome for the attackers. Not only have they now appropriated the intellectual property behind a hugely scalable system that is used to run a significant part of the Internet’s base of consumer services, but they also have the ability to comb it for application logic errors and other bugs that could be used to exploit the system. It makes it very difficult for Google to guarantee security for its users with any certainty, because there may be bugs in the code that no one is aware of yet. And it shows just how sophisticated these attackers have become.

This attack led US Secretary of State Hillary Clinton to raise the issue with the Chinese Government, which vehemently denied any involvement. But other attacks have surfaced in the press that suggest links between the PRC and hacking initiatives. For example, attacks on several oil companies came to light in January. Malware targeting ExxonMobil, Marathon Oil and ConocoPhillips was identified in an investigation, which also found that at least one of the malware strains was causing sensitive information to be sent back to China.

The Shadow network’s command and control structure. Source: Information Warfare Monitor.

Suspect packets

‘Shadows in the Cloud’ is perhaps the boldest report yet in terms of linking the PRC to attacks on cyber infrastructure. The report starts in the same way as its predecessor, with a routine investigation. Just as the investigation team had found suspect packets when using Wireshark to sniff traffic the first time around, it found malicious traffic once again, this time while auditing the computers of an NGO called Common Ground.

On this occasion, however, the team sniffed traffic on a wireless network, and found that the computer of a prominent Tibetan member of parliament in the vicinity was communicating with a command and control server. The investigation team began monitoring the same workstations that it had monitored in the run-up to the original GhostNet report, and found that the workstations originally joined to that botnet had been joined to the new one; they were sending out beacon packets to the same command and control server that was controlling the MP’s computer. The IP address of the command and control server gave the investigators a platform from which to mount a broader investigation, and the report outlines that exploration in significant detail.

Fusion approach

Perhaps one of the most significant aspects of the investigative technique is what the IWF and the Shadowserver Foundation call the fusion approach. This entails the collation and cross-referencing of different types of information from different sources to try to glean more information about the target. Technical analysis is combined with more qualitative on-the-ground analysis, in which information is gathered via interviews in the field. The investigators gain a broader understanding of activities surrounding the various targets of the advanced persistent threat. Field interviews give them a better context in which to analyse the events arising from technical audits.

This fusion-based approach can often yield results that are more suggestive than conclusive. For example, the technical analysis identified some innovative uses of Internet-based resources for command and control techniques. The attackers used a mixture of free online accounts, through services such as Yahoo Mail, as a means of controlling compromised machines and keeping them infected with updated malware.

The Yahoo Mail accounts used to control bots in the network of compromised machines were email addresses that had also been used elsewhere online. The addresses turned up in advertisements for apartment rentals in Chengdu, in China’s Sichuan province. And the accounts had been created using IP addresses that could be linked to this region using geolocation techniques.

Other research has pinpointed Chengdu as a hub of hacker activity. Some prominent members of the Chinese hacking community have been linked to this region, and it also has institutional connections. For example, Chengdu is the home of one of the technical reconnaissance bureaus operated by the People’s Liberation Army, which deals with signals intelligence collection. Although such links may be circumstantial, they nevertheless provide researchers with some useful pointers as they delve further into the shadowy network underpinning this botnet.

“While it would be disingenuous to ignore these correlations entirely, they are loose at best and do not meet the requirements of determining motivation and attribution,” says the report. “However, the links between the command and control infrastructure and individuals in the PRC provide a variety of scenarios that point toward attribution.” In short, the net is closing around China.


Relationship between the DNS sinkhole and live command and control servers. Source: Information Warfare Monitor.

The technical analysis that represents one part of this investigation is fascinating in its own right, and can in turn be broken down into various facets, including one that the investigative team identifies as a primary mechanism for data discovery: sinkhole analysis. This involves the appropriation of domain names that have either previously been used for command and control purposes, or which are likely to be used in the future. Traffic directed at these domains from compromised machines can then be analysed as a source of intelligence about the scope and activities of the botnet.

Analysing malware

Malware analysis is another technical analysis technique that plays an important part in this process. Sinkholing can often use domain names that botnets have abandoned, in a bid to pick up information from compromised machines that are still trying to communicate with them. But malware analysis can reveal other domain names that have yet to be used. These can either be hard-coded into the malware binary, or they can be generated pseudo-randomly by the binary using an algorithm. This is why it is possible for teams such as the IWF/Shadowserver investigators to register command and control domains that have not yet been registered by the attackers. This technique was also used to help mitigate the effects of the Conficker botnet, by cutting off command and control servers before the criminals behind the network had a chance to register them.

Once registered, these domains can then be used to harvest information from bots, which can in turn yield data about where the compromised machines are, and potentially who owns them. This botnet’s focus is clear: India was a major target. No fewer than 35 of the 44 compromised computers that were identified during the investigation were located in India. Another five were owned by India, even though they were not located there.
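The two steps the report describes, pre-registering algorithmically generated domains and then reading the beacons that arrive at the sinkhole, as an added example that is not code from the report or the IWF/Shadowserver team. The date-seeded algorithm, the seed, the resolver log format and the log lines are all constructed for illustration; the Shadow network's real algorithm is not given on the page.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed toy DGA. The Shadow network's real algorithm is not on the page;
# the point is that a deterministic (seed, date) scheme lets a defender who has
# recovered it compute future domains and register them before the operators do.
SEED = b"constructed-campaign-seed"
TLDS = ("com", "net", "info")

def dga_domains(day, per_day=3, seed=SEED):
    """Candidate C2 domains a sample would try on `day` (toy algorithm)."""
    names = []
    for i in range(per_day):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).hexdigest()
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names

def sinkhole_plan(start, days):
    """Domains to pre-register for the next `days` days -> day they go live."""
    plan = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in dga_domains(day):
            plan[name] = day
    return plan

# Sinkhole resolver log format (constructed): timestamp, source, country, query.
LOG_RE = re.compile(r"src=(?P<src>\S+) cc=(?P<cc>[A-Z]{2}) qname=(?P<qname>\S+)")

def analyse_sinkhole_log(lines, plan):
    """Beacons per planned domain and distinct hosts per country; skips junk."""
    beacons = Counter()
    hosts_by_cc = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m["qname"] not in plan:
            continue  # unparseable line or a query for an unrelated name
        beacons[m["qname"]] += 1
        hosts_by_cc[m["cc"]].add(m["src"])
    return beacons, {cc: len(hosts) for cc, hosts in hosts_by_cc.items()}

START = date(2010, 4, 1)
PLAN = sinkhole_plan(START, 7)
_d0, _d1, _ = dga_domains(START)
SAMPLE_LOG = [  # constructed sinkhole DNS log lines
    f"2010-04-01T08:12:03Z src=198.51.100.7 cc=IN qname={_d0}",
    f"2010-04-01T08:12:09Z src=198.51.100.7 cc=IN qname={_d1}",
    f"2010-04-01T09:40:51Z src=203.0.113.21 cc=IN qname={_d0}",
    f"2010-04-01T09:41:00Z src=192.0.2.55 cc=US qname={_d0}",
    "2010-04-01T09:41:02Z src=192.0.2.99 cc=US qname=www.example.com",
    "malformed line with no fields",
]
```

Running `analyse_sinkhole_log(SAMPLE_LOG, PLAN)` yields four beacons from two Indian hosts and one US host, while the unrelated query and the malformed line are ignored.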

A matter of intent

The problem with the Shadow botnet, as with others, is that it is still difficult to directly attribute intent to any specific party. The general conclusion among researchers on this topic is that the majority of the hacking work is carried out by private citizens. Governments are either tacitly supportive, or at least tolerant when it comes to these ‘privateering’ efforts. Jeffrey Carr’s Grey Goose project, for example, which applied an open source approach to researching the Russian attacks on Georgia, was relatively confident in its conclusion that private hacking groups were operating at arm’s length from the Russian Government.

The situation is complicated by the involvement of organised crime in botnet creation and manipulation. Researchers from SecDev have alleged that the boundary between governments and organised criminals is blurred. Botnets are often operated by organised crime syndicates. They are also used occasionally in attacks with obvious political motivation. “Drawing these different scenarios and alternative explanations together, the most plausible explanation – and the one supported by the evidence – is that the Shadow network is based out of the PRC by one or more individuals with strong connections to the Chinese criminal underground,” says the ‘Shadows in the Cloud’ report. “Given the often murky relationships that can exist between this underground and elements of the state, the information collected by the Shadow network may end up in the possession of some entity of the Chinese Government.”

While state actors and their close affiliates continue to play out these scenarios, a thought should be given to collateral damage. In the past, commercial botnets have concentrated on harvesting financial details. While this data can obviously be damaging in the wrong hands, the mechanisms to redress the damage have at least been available. Credit cards whose details have been stolen can be replaced. Banks can reimburse victims. However, data theft in politically motivated scenarios cannot be easily mitigated. Visa applications from several citizens to Indian diplomatic missions in Afghanistan were uncovered, for example, and these among other records could represent a national security risk. As the report says, data from a variety of sources can be swept up in the intelligence-gathering process when such botnets are created, and security is only as good as the weakest link in the chain.

About the author

Danny Bradbury is a freelance technology writer who has written regularly for titles including the Guardian, the Financial Times, the National Post, and Backbone magazine in addition to editing several security and software development titles. He specialises in security and technology writing, but is also a documentary film maker and is currently working on a non-fiction book project.

References

1. ‘Shadows in the Cloud: investigating cyber espionage 2.0’, Information Warfare Monitor and Shadowserver Foundation, 6 April 2010, cyber.secdev.ca/2010/04/new-iwm-reportshadows-in-the-cloud/
2. ‘Tracking GhostNet’, Information Warfare Monitor, 29 March 2009, secdev.ca/reports.php
3. The SecDev Group, secdev.ca/aboutsecdev.php

Browsers uniquely identify users

Your browser says a lot about you, say researchers from the Electronic Frontier Foundation (EFF). In fact, your precise browser configuration could be used to uniquely identify you.

A specially created website (panopticlick.eff.org) analyses each visitor’s browser settings, including user agent; plug-ins; HTTP_ACCEPT headers supported; time zone; screen settings; fonts; and cookie configuration. The combinations of these settings are sufficiently complex, say the researchers, to allow the unique identification of a high proportion of visitors – a fact that could be used by web servers to track users even if they have cookies disabled.

By the time Network Security tried the site, the EFF database contained several million visitor records, among which our browser configuration matched roughly one in every 250,000. The site estimated that our browser conveyed nearly 18 bits of information. Certain parts of the configuration are more significant than others in terms of identifying the user. For example, one in 4.59 visitors’ browsers have the same HTTP_ACCEPT settings as us, but only one in 255,670 have the same combination of plug-ins or the same combination of system fonts. According to EFF’s analysis, 84% of visitors to the site could be uniquely identified. Among those that had Flash or Java installed, 94% were unique and only 1% of configurations were seen more than twice.
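The measurement behind the Panopticlick figures in the browser-fingerprinting item, as an added example that is not EFF's code: a trait shared by one visitor in N conveys log2(N) bits, so 1 in 4.59 is about 2.2 bits and 1 in 255,670 is just under 18, and the uniqueness rate is simply the share of visitors whose whole-configuration hash appears once. The visitor records and attribute values are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Attributes Panopticlick reads, in a fixed order so the hash is stable.
ATTRS = ("user_agent", "plugins", "http_accept", "timezone", "screen", "fonts")

def surprisal_bits(one_in):
    """A trait shared by one visitor in `one_in` conveys log2(one_in) bits."""
    return math.log2(one_in)

def fingerprint(cfg):
    """Hash of the whole configuration; equal configs give equal prints."""
    material = "|".join(f"{k}={cfg.get(k, '')}" for k in ATTRS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def trait_bits(records, attr, value):
    """Information conveyed by observing `value` for one attribute, from the
    share of visitors in `records` whose browser reports the same value."""
    share = sum(1 for r in records if r.get(attr) == value) / len(records)
    return -math.log2(share)

def uniqueness(records):
    """(fraction of visitors with a unique fingerprint,
        fraction of distinct fingerprints seen more than twice)."""
    counts = Counter(fingerprint(r) for r in records)
    unique_visitors = sum(1 for c in counts.values() if c == 1)
    repeated = sum(1 for c in counts.values() if c > 2)
    return unique_visitors / len(records), repeated / len(counts)

# Constructed visitor records, not EFF data. The two UA-B visitors are
# indistinguishable; the two UA-A visitors differ only in their plug-in list.
VISITORS = [
    {"user_agent": "UA-A", "plugins": "flash,java", "http_accept": "H1",
     "timezone": "-5", "screen": "1280x800", "fonts": "F1"},
    {"user_agent": "UA-A", "plugins": "flash", "http_accept": "H1",
     "timezone": "-5", "screen": "1280x800", "fonts": "F1"},
    {"user_agent": "UA-B", "plugins": "flash,java", "http_accept": "H1",
     "timezone": "0", "screen": "1024x768", "fonts": "F2"},
    {"user_agent": "UA-B", "plugins": "flash,java", "http_accept": "H1",
     "timezone": "0", "screen": "1024x768", "fonts": "F2"},
    {"user_agent": "UA-C", "plugins": "", "http_accept": "H2",
     "timezone": "+1", "screen": "1920x1080", "fonts": "F3"},
]
```

On this sample three of five visitors are unique (60%) and no fingerprint is seen more than twice; the common HTTP_ACCEPT value "H1" conveys only about 0.32 bits, while the rare "H2" conveys about 2.3.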

India fears cyberspying by China

Revelations about China’s alleged cyber-espionage against India using the GhostNet network (see pg.16) are fuelling a dispute between the two countries that could escalate into an all-out trade war.

The Indian Government has told mobile phone operators in the country to stop doing deals with Chinese telecommunications manufacturers, say reports in The Times and the New York Times. While the Indian Government itself denies that there is a total ban, two

Continued on back page...
