Home page logo

funsec logo funsec mailing list archives

Chinese Army link to hack no reason for cyberwar
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 20 Feb 2013 10:41:05 -0500

(Thanks to GEM on another list)


Security vendor Mandiant's 60-page report on Chinese cyberespionage,
which offers proof that it is coming from a Chinese military unit
housed in a building in the Pudong district of Shanghai, adds new fuel
to two hotly debated cybersecurity questions.

First, does this mean the quest for 100% certainty in "attribution" of
intrusions has been achieved? And second, does that mean the U.S. is
justified in taking what government officials like to call "active
defense" measures -- what most others call "retaliation" or "offense"?

Security experts are divided on the issue. Gary McGraw, CTO at Cigital
and a vocal opponent of active defense, notes that Mandiant finding
the source of advanced persistent threats (APT) in real time is good,
but vastly different from being able to pinpoint the source of a
cyberattack that takes place in a fraction of a second.

McGraw also urged that it is a gross exaggeration to call these
attacks acts of war. "This is not cyberwar," he said. "That involves
blowing things up, or taking things down for an extended period. This
is espionage. There is a big difference, and we should not be
conflating the two."

James Arlen, a senior consultant with Leviathan Security Group, said
most organizations are not remotely prepared to launch any kind of
effective attack against a perceived adversary. "We've spent the last
decade of infosec riding around the driveway in training wheels, and
people are talking about how awesome we're going to be at piloting
M1A2 tanks across the battlefield," he said.

Arik Hesseldahl at All Things D wrote in "Cyberwar with China is here,
like it or not" that since China has been hacking companies involved
in remote access tools that are used to control SCADA (supervisory
control and data acquisition) systems, they are preparing to attack
the nation's critical infrastructure.

Joel Harding, a retired military intelligence officer and information
operations expert who says he is a longtime believer in active
defense, thinks a proportionate response is perfectly reasonable. "Why
not find a way to infiltrate it and turn the tables?" he said, given
the U.S. knows the building where the attacks have been originating.
"We can infiltrate virtually or in the real world. We can target it
with viruses, Trojans, worms -- all kinds of APTs, and continue to
make life miserable for them."

Stewart Baker, first assistant secretary for policy at the Department
of Homeland Security under President George W. Bush and now a partner
at the law firm Steptoe & Johnson, wrote last fall: "We will never
defend our way out of the current cybersecurity crisis. That's because
putting all the burden of preventing crime on the victim rarely
succeeds. The obvious alternative is to identify the attackers and
punish them."

Mandiant's report contends that it is certain about the location and
source of what it calls the "most prolific" of more than 20 APT groups
originating in China. "APT1 (also labeled "Comment Crew") is a single
organization of operators that has conducted a cyber espionage
campaign against a broad range of victims since at least 2006," the
report said.

Mandiant has observed attacks since then against nearly 150 victims in
a broad range of industries, that it has stolen terabytes of data from
companies like Coca-Cola, and that it manages this campaign because
"it receives direct government support."

It is not just commercial firms that are targets either. Mandiant said
one was a company with remote access to more than 60% of oil and gas
pipelines in North America. It said APT1 also attacked computer
security firm RSA, which protects confidential corporate and
government databases.

And while there was no proof yet of China being behind it, Apple said
today that unknown hackers had infected the computers of some of its
workers when they visited a website for software developers that had
been infected with malware.

"In seeking to identify the organization behind this activity, our
research found that People's Liberation Army (PLA's) Unit 61398 is
similar to APT1 in its mission, capabilities, and resources. PLA Unit
61398 is also located in precisely the same area from which APT1
activity appears to originate," the Apple report said.

China's defense ministry issued a carefully worded denial that it was
behind the attacks, calling any such accusations "unprofessional and
groundless ... without any conclusive evidence."

But the government reacted very quickly when a BBC crew started taking
video of the 12-story building where the Mandiant report said Unit
61398 is housed. Andrew Pugh, writing for the Press Gazette, said the
Chinese military detained the crew and confiscated their video

Even assuming the attribution is accurate in this case, however,
doesn't mean the overall problem has been solved. John Worrall, chief
marketing officer at Cyber-Ark, calls attribution "a very difficult

"Very few organizations are up to the task. If you don't do it
completely, you're on thin ice," he said. "And the bigger challenge is
that very few have the ability to launch a counter attack, even if
they've got the right target."

Other experts note that Mandiant has been investigating APT1 and other
groups for years, and most organizations don't have the time or
expertise to do even that much. And several posts during the day on
Twitter said they expect other hacking groups to launch attacks using
APT1 methods, to make it look like it comes from them.

Harding said that should not be a problem. "Our analysts are smart
enough to use other indicators to tell the script kiddies from 61398,"
he said.

How should the U.S. respond?

Still, the debate rages on over how the U.S. should respond. U.S. Rep.
Mike Rogers (R-Mich.) chairman of the House Intelligence Committee,
told the New York Times that, "right now there is no incentive for the
Chinese to stop doing this. If we don't create a high price, it's only
going to keep accelerating."

Gary McGraw agrees that there should be a high price, but said it
should be done through what he calls "proactive defense."

"If we in the U.S. build our systems better so these sorts of attacks
don't work very well, or people get caught, then that can be a
deterrent," he said. "But it involves heavy lifting security
engineering. We need to spend the money and time to harden our systems
-- build them right."

Aaron Higbee, CTO of PhishMe, said companies that try to counterattack
might be inviting retaliation themselves. "The worry is there are
attackers in our most trusted networks right now," he said. "This is
the persistent part of APT. We do not know what offensive retaliation
will do."

Arlen said there is yet another reason the U.S. should be careful
about counter attacks: The U.S. itself does not have entirely clean
hands. He and others note that the U.S. and Israel were behind the
Stuxnet worm used to attack Iranian nuclear facilities.

"What Mandiant does not say, and which I think is important for
readers to remember, is that APT0 is the United States of America," he
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
  • Chinese Army link to hack no reason for cyberwar Jeffrey Walton (Feb 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]