Computer Attack Stratagems
1. Computer Network Attack / Exploitation: Regional Threats, China & North Korea
   Karl Wolfgang, CISSP
2. CNO in NE Asia
   • People's Republic of China: medium threat, growing
   • North Korea: low threat, restrained
   • Methodology: national vision and objectives (military doctrine); stratagems; reality check on capabilities (supporting infrastructure, software / programming); open-source analysis of "in the wild" hacker processes
   • Assumptions: individual hackers and nations share similar processes and techniques; China and North Korea share similar processes and techniques
   • China: (1) more active, (2) better able to operate under a cloak of plausible denial
3. Jiang Zemin: 1990s to early 21st century – Warfare at the Speed of Electrons
   • Economic, political, historical objectives
   • Taiwan
   • Infrastructure > military techno-revolution
   • Regional power projection
   • Lessons learned – Kosovo, Iraq: C4I fusion, preemption
   • "Informationized arms . . . together with information systems, sound, light, electronics, magnetism, heat and so on, turn into a carrier of strategies." MG Dai Qingmin
4. NETOPS vs. The Science of Campaigns
   • Cognitive errors
   • Multi-dimensional threat
   • Phased operations
5. Civilian Assets & IW Reserves
   • Dissolving boundaries; civil-military cooperation; civil vs. military targets
   • Militia – the fist of network warfare – and hacker units
   • Potential missions: network offense, network defense, network propaganda, electronic countermeasures, technical recon, maintenance
6. Skill Sets – Civilian Assets & IW Reserves, Cyber Forces
   • Computer science graduates
   • Professions: satellite telecommunications / networking, data communications, SW & HW, microwave, programming; develop doctrine / training
   • Units: People's Armed Forces Department of Echeng, Ezhou; Hebi; Chongqing Garrison; Shanxi Reserve "Network" Fendui; Datong MSD; Shanghai; Guangzhou, Dongshan District
7. China: Plausible Denial
   • Ancient stratagems
   • Maoist tactics
   • Aggressive program of national development
8. Stratagems of Information Warfare
   • All warfare is based on deception.
   • There is no place where espionage is not used.
   • Offer the enemy bait to lure him.
   • Let your rapidity be that of the wind, your compactness that of the forest.
   • The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim.
   • Attack him where he is unprepared, appear where you are not expected.
   Source: 47 China's Electronic Strategies, http://www.au.af.mil/au/awc/awcgate/milreview/thomas.htm
9. Sun Tzu – Wang Mind Meld
   • IW: complex; limited goals; short duration; less damage; larger battle space and less troop density; intense struggle for information superiority; C4I integration; new aspects of massing forces; and the fact that effective strength may not be the main target.
   • Principles of IW: decapitation, blinding, transparency, quick response and survival.
   Wang Baocun, "A Preliminary Analysis of IW," Beijing Zhongguo Junshi Kexue, 20 November 1997
   • "The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim. Attack him where he is unprepared, appear where you are not expected." Sun Tzu
10. Thirty-Six Stratagems: The Secret Art of War
   http://www.chinastrategies.com/List.htm
   http://leav-www.army.mil/fmso/documents/china_electric/china_electric.htm
11. Thirty-Six Stratagems: The Secret Art of War – Fool the emperor to cross the sea
12. Technical / Social Engineering
   • E-mail "from the Pentagon", purporting to come from Stephen J. Moree, who reports to the office of Air Force Secretary Michael W. Wynne and evaluates the security of selling U.S. military aircraft to other countries
   • Sent to a Booz Allen Hamilton executive
   • Hook: the Indian government had just released a request (Aug. 28) listing the weaponry India wanted to buy
   http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
13. The Innocent E-mail: Poison Ivy
   • Remote access Trojan, designed to extract data from a government contractor
   • Small backdoor; encrypted, compressed communications
   • Keystrokes sent to cybersyndrome.3322.org
   • Registry entries:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2B81DA45-7941-1AAB-0607-050404050708} "StubPath"
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   http://kr.youtube.com/watch?v=4fHUELZPywk
   http://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml
14. Harvest then Exploit
   http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf
15. Expired Accounts, Spear Phishing: Compromise
   • Cat & mouse game continues
   • 1,500 expired accounts in Korea
   • Security patch woes
   • Improvements with CAC & limiting OWA
   • E-mail phishing
16. Thirty-Six Stratagems: The Secret Art of War – Besiege Wei to rescue Zhao
   "Supreme excellence consists in breaking the enemy's resistance without fighting." Sun Tzu
17. Supply Chain Fakes Threaten Military Readiness
   • Fake Cisco routers: http://washingtondc.fbi.gov/dojpressrel/pressrel08/cisco022808.htm
   • "Counterfeit products have been linked to the crash of mission-critical networks, and may also contain hidden 'back doors' enabling network security to be bypassed and sensitive data accessed [by hackers, thieves, and spies]." Melissa E. Hathaway, DNI
   • Counterfeit Xicor chips in F-15s
   • BAE, Boeing Satellite Systems, Raytheon Missile Systems, Northrop Grumman Navigation Systems, and Lockheed Martin Missiles & Fire Control
18. Thirty-Six Stratagems: The Secret Art of War – Kill with a borrowed sword
19. Thirty-Six Stratagems: The Secret Art of War – Kill with a borrowed sword
   • Slammer's most novel feature: propagation speed. Within 3 minutes its scanning rate exceeded 55 million scans per second, after which the growth rate slowed because significant portions of the network had insufficient bandwidth to accommodate more growth.
20. AutoRun Worms: Leverage Strengths, Dynamics
   • The Internet: browser & plug-in vulnerabilities; ActiveX – 85%; cross-site scripting
   • Workstation: operating system "entry points"
     Startup folder
     Registry: Active Setup
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ – Run, RunOnce, RunServices, and RunServicesOnce
   • CDs / USB flash drives: AutoRun / AutoPlay
   • Leverage the user
   http://kr.youtube.com/watch?v=xgVecDefOMg
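The entry points on this slide, together with the Active Setup "StubPath" value from the Poison Ivy slide, are the first places a defender baselines on a Windows workstation. The PowerShell below is an added example, not part of the briefing or of any tool it cites: it enumerates the Run, RunOnce, RunServices and RunServicesOnce keys under both hives, every Active Setup Installed Components subkey that carries a StubPath, and the per-user and common Startup folders. It then flags entries whose command line points outside Program Files or Windows (a constructed triage heuristic, not a rule from the slides) and reports whether AutoRun is disabled for all drive types through the NoDriveTypeAutoRun policy value, a documented Windows policy value that the page itself does not mention. The function names Get-AutostartEntries and Test-AutoRunDisabled are my own.

```powershell
# Added example (not from the briefing): enumerate the autostart locations the
# AutoRun and Poison Ivy slides name, so a workstation can be baselined and new
# persistence entries spotted. Run in an elevated PowerShell on the host under review.

$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

function Get-AutostartEntries {
    # Run-style keys: each value name is one entry, its data the command line.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }

    # Active Setup: a subkey with a StubPath is executed once per user at logon,
    # which is the mechanism the Poison Ivy slide shows under Installed Components.
    $activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    if (Test-Path $activeSetup) {
        foreach ($sub in Get-ChildItem -Path $activeSetup) {
            $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
            if ($stub) {
                [pscustomobject]@{ Location = $sub.PSPath; Name = $sub.PSChildName; Command = $stub }
            }
        }
    }

    # Startup folders: anything placed here launches at logon.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            [pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $f.FullName }
        }
    }
}

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun is the documented Explorer policy value; 0xFF (255)
    # disables AutoRun on every drive type, which covers the CD / USB vector.
    foreach ($hive in 'HKLM', 'HKCU') {
        $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (Test-Path $pol) {
            $v = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
            if ($v -eq 255) { return $true }
        }
    }
    return $false
}

$entries = @(Get-AutostartEntries)
$entries | Sort-Object Location, Name | Format-Table -AutoSize

# Constructed triage heuristic: a loader installed by mail-borne malware rarely
# lives under Program Files or Windows, so entries elsewhere deserve a first look.
$suspect = @($entries | Where-Object { $_.Command -and $_.Command -notmatch '(?i)\\(Program Files|Windows)\\' })
"Autostart entries outside Program Files / Windows: $($suspect.Count)"
"AutoRun disabled for all drive types: $(Test-AutoRunDisabled)"
```

Saving the table output from a known-clean build and diffing it against a later run turns the script into a simple persistence baseline; the heuristic count is only a prompt to look, since legitimate software also installs from user-profile paths.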
21. AutoRun: Fish in the Sea
   The statistics:
   • Autorun was #1 for the first 6 months of 2008, 8% of the malicious code market
   • Japan: 143 in August, 347 in September, 471 in October
   The varieties (detection name [vendor] count):
   • Mal/Generic-A [Sophos] 42
   • W32.SillyFDC [Symantec] 41
   • Packed.Generic.181 [Symantec] 5
   • W32.Dotex.CA [Symantec] 5
   • Mal/TinyDL-T [Sophos] 4
   • Mal/Basine-A, Mal/Basine-C, Mal/Behav-160, Mal/Emogen-E, Mal/Behav-009
   • Worm.Hamweg.Gen, Worm.Win32.AutoRun.eic
   • Worm.Win32.AutoRun.eae [Kaspersky Lab]
   • VirTool:Win32/Vtub.WL [Microsoft]
   • Trojan Horse [Symantec]
   • HackTool.Win32.IISCrack.d [Ikarus]
   • Worm.Win32.AutoRun.lkx
   • Worm.Hamweg.Gen [PC Tools] 3
   • Worm.Win32.AutoRun.eic [Kaspersky Lab] 3
   • Worm.Win32.AutoRun.ejf [Kaspersky Lab] 3
   • Backdoor.Graybird!sd6 [PC Tools] 2
   • Mal/Dropper-MAP [Sophos] 2
   • TROJ_AGENT.ANFQ [Trend Micro] 4
   • Trojan.Win32.Agent.vkw [Kaspersky Lab] 4
   • VirTool.Win32.DelfInject [Ikarus] 4
   • W32.SillyP2P [Symantec] 4
   • Worm.Win32.Agent [Ikarus] 4
   • Worm.Win32.Agent.lz [Kaspersky Lab] 4
   • Worm.Win32.AutoRun.rol [Kaspersky Lab]
   • Worm:Win32/Autorun.GR [Microsoft] 4
   • Worm:Win32/Hamweq.gen!C [Microsoft] 4
   • WORM_AUTORUN.AJX [Trend Micro]
22. Thirty-Six Stratagems: The Secret Art of War – Await the exhausted enemy at your ease
   • Code Red and the White House
23. Thirty-Six Stratagems: The Secret Art of War – Loot a burning house
   • The insider
   • Hacker exploitation of OS vulnerability
24. Growing Web-based Threat
   • Infected web pages: 1 every 14 seconds in '07 / 1 every 5 seconds in '08
   • 60% of vulnerabilities in 2007 were in web applications; 85% of these ActiveX
   • Cross-site scripting: 7,000 in the first half of 2007, 11,300 in the second half of 2007
25. Unpatched IE
   • Malicious page exploits browser vulnerability, downloads code without user approval
   • Installs back door beacon
   • User clicks on HTML link in e-mail; user expects & receives download of an article on tax benefits for Americans living overseas…
26. Legitimate Sites Can Point to "Drive-by Download"
   Source: Korea Information Security Agency
27. Computer Network Exploitation
   • Titan Rain: espionage
   • SANS: attacks were most likely the result of Chinese military hackers attempting to gather information on U.S. systems.
   • Targets: Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA
   • Cyber rules of engagement differ. US: a Sandia National Laboratories IA professional tracks the bad guys and loses his job. China: industry IA professionals double dip as hackers.
28. North Korean CNA Capabilities: Low
   • Differing views of capabilities: Korean officials – NK aggressively cultivating; US – modest skill sets centered within the elite
   • Emphasis more on Computer Network Exploitation (gathering information) during peacetime; Computer Network Attack capabilities are restricted
   • Assessment methodology: objective; doctrine; supporting infrastructure (electricity, education, industry)
29. nK CNA Threat is Low
   • Cyber attacks fit into the DPRK's scheme of asymmetric means to counter ROK/US advantages
   • "I believe that the North Koreans, whatever their limitations, have a capacity to think deeply and innovatively about military affairs…And what I have observed over the years convinces me that they are devoting considerable attention to cyber war." John Arquilla, RAND, 2 June 2003
   • "In the next war we will crush the American boors/Philistines first"
30. Great Leader's IW Vision
   • Kim Jong-il's "three pillars for building a powerful state": ideology, arms, information technology
   • "The future warfare will depend not on who is showered with a lot of bullets, but who grasps diverse information faster."
31. Plato's Cave: NK IW / CNA Constraints
32. Minimal Internet: No Sea for Fish to Swim
   • Internet: two class C blocks with virtually no activity; official sites in Japan, China, Australia
   • 2002 – Pyongyang cyber café; one hour costs an average worker's weekly wage
   • Cannot hide state activities
   • Intranet: Kwang Myoung network; minimal gateways with the outside world; Korea Computer Center / satellite links
   • Preparation for a gateway? China Telecom / fiber; 2001 – Pyongyang Information Center tests FW; increasing encryption
33. Infrastructure Does Not Support a Formidable Threat
   • Electricity supply problems: antiquated, unreliable; poor frequency control, outages
   • Nascent, struggling tech industries: basic software, biometric technology, voice recognition, automated translation programs, game programs
   • Seek information on basic applications, programming
34. Possess Skills for Cyber Hacks
   • Armed Forces – moderate capabilities; Mirim College, 100 graduates per year; up to 1,000 elite hackers; Unit 121
   • Growing software / programming expertise, applying process-oriented quality control models: ISO 9001, Capability Maturity Model Integration and Six Sigma (http://www.gpic.nl/IT_in_NKorea.pdf)
   • Expertise with development platforms and coding: Assembler, Cobol, C, Visual Studio .NET, Visual C/C++, Visual Basic, Java, JBuilder, PowerBuilder, Delphi, Flash, XML, Ajax, PHP, Perl, Oracle, SQL Server and MySQL, etc.
35. CNA / CNE within the nK Government (organization chart)
   • Kim Jong-il – Chairman of the National Defence Commission; Korean Workers' Party General Secretary
   • National Defense Commission → MPAF → General Staff Department → Reconnaissance Bureau → Unit 121
   • Korean Workers' Party → Offices 39, 38 and 35 (link marked "?" on the chart)
   Sources: GlobalSecurity.org + Federation of American Scientists
36. CNA & CNE Services
   • Components of modern warfare: IW – recon, electronic, cyber & psychological warfare; three-dimensional warfare; asymmetric warfare; non-contact; precision strikes; short-term
   • Unit 121, Reconnaissance Bureau: gifted students recruited and trained at Kim Il Sung Military Academy; computing specialties, e.g. networking, OS
   • Room / Office 35: nefarious cohorts in crime within the Workers' Party; likely works outside nK – CNE & CNA
37. References
   • 47 China's Electronic Strategies: http://www.au.af.mil/au/awc/awcgate/milreview/thomas.htm
   • TIME, Titan Rain: http://www.time.com/time/magazine/article/0,9171,1098961,00.html
   • New E-spionage Threat: http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
   • U.S. Is Losing Global Cyberwar: http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm
   • Dangerous Fakes: http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm
