Recently I set myself the task of coming up with a summary or digest of the PRC’s information operations, based on what’s known rather than what’s widely assumed from the numerous reports of industrial espionage. Given the number of cases being reported and (rightly or wrongly) attributed to China, this is something everyone in the infosec field should aim to understand, but that’s easier said than done with all the background noise over APT and targeted attacks.
The Three Factors of China’s Information Operations
Logically the best place to look is the PRC itself, or the People’s Liberation Army (PLA). Three central factors shaped the PRC’s current information operations strategy, it seems.
According to Global Defence: ‘China does not publish equivalents to the US National Security Strategy, National Defence Strategy, or National Military Strategy. Rather, China uses “white papers,” speeches and articles as the principal mechanisms to communicate policy and strategy publicly.’
Most of the literature is contributed by influential officers within the PLA. What this indicates is that the PLA’s command has a highly academic and collaborative approach to formulating long-term strategies for gaining information superiority.
Next was the unification of civilian and military telecommunications. In most nations the latter is technologically 20 years behind the civilian world, as any former signals personnel would attest. Chairman Jiang Zemin recognised this gap, and in 1991 called for a common telecoms network suitable for both peacetime and military use, according to Lt. Col. Timothy L. Thomas in the Military Review (May 2001).
This is important, because the idea was that the PLA would establish a reserve force to maintain the backbone of civilian comms, in particular the Internet, and that reserve would be a sizeable contingent of highly-qualified personnel that could readily assist the PLA’s information operations. In effect, ‘information warfare’ becomes a ‘people’s war’. I believe there are currently large reserve units (around 20,000 strong) maintaining the Golden Shield at the border gateways.
The third formative influence on the PLA/PRC’s strategy was the actions of various patriot hacker groups in response to real-world events around 1999/2000, namely the bombing of the Chinese embassy. The PLA were quick to see the benefits of enlisting these hacker groups as proxies in its information warfare efforts.
So, bringing the three factors together, this is essentially where we are now – a PLA reserve with the qualifications and experience to run civilian comms infrastructure in support of military operations, a command with high academic ability, and an unknown number of highly-skilled patriot hacker groups at its disposal to put strategy into practice.
Compare this to the situation in the west, where we’re reliant on the corporate infosec industry that’s short of actual hackers and places too much importance on policies and procedures. The PRC obviously has the advantage, skill-wise, and they’ve been working towards that for a long time.
APT Characteristics and Methods
So we come to the ‘Advanced Persistent Threat’, a term that’s become fashionable in the infosec field, even if there’s confusion over what constitutes ‘advanced’ and ‘persistent’. Often APT is automatically associated with China, in the same way that highly advanced malware is fast becoming a trademark of the United States. The way I see it, there are two defining attributes of a genuine APT:
1) Advanced – Technical skills, intelligence gathering capabilities and perhaps extensive resources provided by a government or corporation. The threat agents have the ability to develop and combine intrusion techniques specifically for the target.
2) Persistent – The threat will focus on the target and attempt to maintain access to a system undiscovered over a prolonged period, or penetrate the network to achieve some longer-term objective.
Basically APT will involve a skilled hacking group, but that group will have the backing of a government or corporation with advanced intelligence gathering capabilities, and perhaps there’ll also be a team of engineers and consultants. That’s the long and short of it.
What are the typical methods of APTs, if there are any? Corporate networks have a very large ‘attack surface’, so there’s a wide range of options available to someone attempting to penetrate them. Any network that becomes a target of an APT will get compromised, one way or another, and the idea that a commercial security product can prevent it is BS.
It seems the main thing the PRC are commonly accused of is electronic espionage, in particular the theft of ‘intellectual property’ from corporate networks. What I’ve noticed is that each round of attacks tends to focus on groups of companies operating within a single given sector, further suggesting there are multiple hacking groups being co-ordinated by one entity.
Compromising a network and maintaining persistent access requires a considerable amount of intelligence gathering, analysis, footprinting and planning. The attacker must (and probably will) evade whatever monitoring and auditing measures are in place, and do the job without raising any suspicion.
This suggests a Remote Access Tool with a very small memory footprint will be the common feature of an APT, and it would most likely be installed on a system that’s rarely booted with a static IP address – fewer connections established between the compromised system and the C&C server will vastly reduce the chances of discovery. Malware has to do something in order to be detected, so this kind of rootkit could remain dormant until needed.
The above traits are ones I’m quite certain are common across almost all true APTs. The unknown here is the method of intrusion.
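As an added illustration of the detection side of this (my own example, not code from the original post): the sparse but regular check-ins described above can be picked out of an ordinary outbound connection log by looking for host/destination pairs with few, widely spaced and evenly timed connections. The log lines, addresses and thresholds below are constructed for the demonstration.

```python
"""Flag sparse, regular outbound connections (long-interval beacons) in a connection log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src dst dport", one outbound connection per line.
# 10.0.0.7 is a rarely-rebooted host that talks to 203.0.113.9 once every 24h;
# 10.0.0.5 is a workstation browsing normally (irregular intervals, many connections).
SAMPLE_LOG = """\
2012-08-01T03:00:02 10.0.0.7 203.0.113.9 443
2012-08-01T09:12:44 10.0.0.5 198.51.100.20 80
2012-08-01T09:13:01 10.0.0.5 198.51.100.21 443
2012-08-01T11:40:19 10.0.0.5 198.51.100.20 80
2012-08-02T03:00:05 10.0.0.7 203.0.113.9 443
2012-08-02T14:02:33 10.0.0.5 198.51.100.20 80
2012-08-03T03:00:01 10.0.0.7 203.0.113.9 443
2012-08-03T16:45:10 10.0.0.5 198.51.100.20 80
2012-08-04T02:59:58 10.0.0.7 203.0.113.9 443
"""

def parse_log(text):
    """Return {(src, dst, dport): [datetime, ...]} with each list sorted by time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        conns[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    for times in conns.values():
        times.sort()
    return conns

def find_sparse_beacons(text, min_events=3, min_interval_s=6 * 3600, max_cv=0.1):
    """Return (src, dst, dport, mean_interval_s) for pairs whose connections are few,
    widely spaced and evenly timed: the pattern of a dormant implant checking in."""
    hits = []
    for key, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")  # jitter relative to the period
        if avg >= min_interval_s and cv <= max_cv:
            hits.append((*key, avg))
    return hits

if __name__ == "__main__":
    for src, dst, dport, avg in find_sparse_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}:{dport} every {avg / 3600:.1f}h")
```

On real logs the thresholds need tuning per environment, and a hit is a lead for investigation rather than a verdict, since scheduled jobs and update checks produce the same shape.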
The attacker doesn’t even have to compromise the target machine directly, and that would be out of the question anyway if the target is too well-protected. Using intelligence gathering or espionage, it’s possible to find employees with access to the specific machine, and infect their personal computers with malware that transfers itself to a portable device. There would be a strong chance one of those would then plug the infected device into the target.
Another possible method of intrusion is through compromising another organisation in the target’s supply chain with lower security.
The Problems of Attribution
Tracing an IP address to China and tracing an attack to the PRC are two different things. For all we know, a corporation, or even a criminal group operating in another country, might be the culprit. Attribution would require successfully tracing an attack to agents with a proven link to the government or military. Of course the lack of publicly-available evidence for this, along with the denials from Chinese government officials, means we might never know for certain how many attacks are wrongly attributed to the PRC.
Graham Cluley of Sophos said as much:
‘If you were to investigate the IP address of the computer which sent spam into your mailbox today you’d probably find a good proportion of it came from a PC based in China. Going by the latest stats that we produced, 9.9% of spam is coming from that part of the world… You’ll probably find that a lot of it is promoting pharmaceuticals coming out of North America, Russian brides, or a cheap college diploma.’
With so many attacks being traced to China, a proxy there would provide excellent cover for anyone with the ability to translate the Chinese hosting companies’ web pages. Sure, any corporation or government could hire the translators for that, which would neatly explain why the objective seems to be corporate espionage. Conversely, if this fact was widely known, it would also provide decent cover for the attacks the PRC actually were sponsoring.
Attack Case Studies
Not all attacks the PRC is accused of take the form of Advanced Persistent Threats. GhostNet, named by the Information Warfare Monitor in 2009, is one of the better-known examples of what’s widely believed to be a PRC state-sponsored attack, but it wasn’t particularly advanced or persistent. The method of infection was too basic – the Trojan was sent as an email attachment, which would have raised suspicions anyway. But 1,295+ computers across 100+ countries were infected by the Trojan, with foreign embassies and the exiled Tibetan government centres reportedly being the primary targets. Overall, a substantial amount of information would have been collected during a brief period, and that may have been enough for whoever was behind it. So, GhostNet wouldn’t have been an example of APT, unless it was being used for reconnaissance for another attack we don’t know of yet.
And what about the ACAD/Medre.A virus that was discovered just a few months ago? Its purpose was to exfiltrate AutoCAD files from several Peruvian companies, which means whoever was responsible was after ‘intellectual property’ instead of something immediately sellable. It was also distributed, it is believed, through infected AutoCAD templates.
This case was interesting because the malware wasn’t crafty enough to evade detection – it sent blueprints autonomously to a couple of email accounts. The Chinese government also apparently co-operated in this case in defeating the malware.