How do you know it's China?
By now everyone knows about the computer intrusions at Google and Adobe. Both of these intrusions, and 32 more yet to be disclosed, are squarely being blamed on China. As the "IT Guy" in my family I had to explain why everyone thinks it's China. Here is a PG-13 answer to this question. [More detailed answers can be found in the GhostNet paper and the Northrop Grumman China cyber security paper. Search for those keywords, anywhere but Baidu.]

The Internet is not built with attribution in mind. I believe that if it were, it would not be what it is today. Attributing a cyber crime committed over the Internet is next to impossible. Law enforcement agencies across nations have to work together, and usually the case moves at the speed of the slowest agency. Not every country gives the same priority to a crime committed elsewhere. So, it's sort of a lawless but fun place to hang out and screw around in any developing nation.

China has the largest online (and offline) population on the planet. Most of them came online when the Internet was much more connected and threats were more mature. Think your 1994 Internet access mindset in 2000. Also, piracy is quite rampant in the country, so more than likely most of these hosts are not very well protected either. Any country with an environment like that is statistically bound to have the most infected hosts. So, yes, you can blame some of these attacks on kids having fun, or on other nations using these infected hosts as stepping stones.

In a stepping stone scenario a hacker hops from one machine to another multiple times before reaching the actual target. Therefore, from the victim's (Google or Adobe) point of view the attack came from the last hop, but the attacker is a few more hops behind, mostly unknown to the victim. Usually, an intrusion for the purpose of stealing trade secrets has two routes out of the victim: a command and control route that has many stepping stones and may last for days or months, and an exfiltration route with fewer hops, because the intruder needs to get the data back quickly. In the case of Google this latter route seemed to go from Google to Rackspace to Taiwan to ... We don't know anything about the command and control route for Google's intrusion. So far nothing points towards Chinese government involvement. Numbers can certainly be stacked up against the alleged involvement of the Chinese government.

Here is a quick quiz: suppose you're a petty thief or just a bloke who wants to make a quick buck. If I told you that with your newfound exploit you can either make $25K now or have a very slim chance of making $1,000,000 3-4 months down the line, which one would you pick? Apparently, the exploit used to break into Adobe's computers is a previously unknown exploit (zero day or 0day) and works on all versions of Windows and Internet Explorer. That's the jackpot for any exploit developer. It will make you famous and rich. From the use of this exploit we can conclude the Adobe intruder took the latter choice. Furthermore, the intruder at Google went after source code and intellectual property instead of credit card numbers or other personal information of millions. No matter whether the intruder is a kid in the basement or an organized cyber-squadron, if the stolen data ends up in the hands of a state government the intrusion by definition is state-sponsored (I am not a lawyer, but feel free to ask one). This definition, a healthy dose of speculation, and the history of other related incidents are why everyone's pointing their finger at China.

There is digital forensic evidence and socio-economic evidence that can be stacked up against China as well. Some examples of digital forensic evidence include:

1. Just like the programs we write, exploits used to break into computers also use Software Development Kits (SDKs). These kits embed information about the primary language or country code used by the computer where a program is developed. There has been evidence of Chinese language SDKs used for developing exploits in the past (read that Northrop Grumman report for more detail). That gives some idea of who may be behind the keyboard.

2. Just like software developers use debuggers, exploit developers use debuggers as well. If developing software to do something you want it to do without bugs is difficult, imagine the difficulty of making that software do something it's not meant to do. Debuggers often leave a lot of useful information, like variable names, strings, file names, etc. in the program code (and exploit). If the final result is not carefully stripped, these symbols may find their way into the final exploit. Sure, an organized state-sponsored cyber-squadron would have a rigorous and streamlined process to get rid of these symbols. But they are human, and they also have deadlines.

3. Most of the time the origin host's IP address is not visible on the victim's side, thanks to the stepping stones in the middle. Once in a while even the most trained person may make a mistake and type in the actual IP address, only to realize "Oops!" That has happened in the past, and most of the time the IPs belonged to China.

4. The modus operandi of the attackers is very regimented. You will notice the terms "sophisticated" and "targeted" in the news lately, which boils down to the intruder's ability to follow through with a predetermined path of execution (often drawn using reconnaissance). This comes with training and structure, often found in the military.

My stop is here. I will expand on the socio-economics later.

Sent from an iPhone.
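Items 1 and 2 in the list above are about traces a build toolchain leaves inside a binary. As an added example (not from the original post), here is a small Python triage script a defender can run over a captured Windows executable to pull out two such traces: the CodeView RSDS record that carries the developer's .pdb path, and any runs of GBK-encoded Chinese text, GBK being the ANSI code page of Simplified Chinese Windows. The function names and the sample bytes are mine; the sample is constructed inline and is not a real binary.

```python
import re
import struct

# CodeView "RSDS" debug record, as Microsoft linkers emit it: 4-byte
# signature, 16-byte GUID, 4-byte age, then the NUL-terminated path of the
# .pdb written on the build machine (often with user name and project dir).
def find_pdb_paths(data: bytes) -> list:
    paths = []
    for m in re.finditer(b"RSDS", data):
        start = m.end() + 16 + 4                 # skip GUID and age
        end = data.find(b"\x00", start)
        if end == -1:
            continue                              # truncated record
        try:
            path = data[start:end].decode("utf-8")
        except UnicodeDecodeError:
            continue
        if path.lower().endswith(".pdb"):
            paths.append(path)
    return paths

# GBK (code page 936) encodes a character as a lead byte 0x81-0xFE plus a
# trail byte 0x40-0x7E or 0x80-0xFE, so plain ASCII text never matches.
GBK_RUN = re.compile(rb"(?:[\x81-\xfe][\x40-\x7e\x80-\xfe]){2,}")

def find_gbk_cjk_strings(data: bytes) -> list:
    found = []
    for m in GBK_RUN.finditer(data):
        try:
            text = m.group().decode("gbk")
        except UnicodeDecodeError:
            continue                              # random bytes, not text
        # keep only runs made entirely of CJK Unified Ideographs
        if all("\u4e00" <= ch <= "\u9fff" for ch in text):
            found.append(text)
    return found

# Constructed sample: fake GUID, age 1, a telling PDB path, padding, and
# one GBK-encoded Chinese string of the kind a resource section holds.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"C:\\Users\\dev\\proj\\Release\\payload.pdb\x00" + b"\x00" * 8
    + "中文测试".encode("gbk") + b"\x00"
)

if __name__ == "__main__":
    print("PDB paths:", find_pdb_paths(SAMPLE))
    print("GBK strings:", find_gbk_cjk_strings(SAMPLE))
```

On a real sample, feed the script the file contents and treat hits as leads to corroborate, not as proof of origin on their own.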