Friday, December 26, 2014

Linguistic Analysis Proves Sony's Hackers Most Likely Russian, Not Korean

Taia Global's Chief Science Advisor Dr. Shlomo Argamon, one of the country's preeminent researchers in authorship analysis and stylometry, led a team that conducted native language identification (NLI) analysis on the 20 messages left by Sony's hackers. Their results do not support the U.S. government's charge that North Korea was responsible for the network attack against Sony Pictures Entertainment. This post is a mini-version of the full report, which can be downloaded from the Taia Global website.

The Problem

The specific question that we address in this report is to determine the (non-English) native language of the authors of the electronic messages (emails and forum posts) signed by the “Guardians of Peace,” putatively from the group that hacked into Sony Pictures Entertainment, stole their data, and posted some of it publicly.

The Data

For our analysis, we used twenty messages reported in the media and posted to Pastebin that have been attributed to the “Guardians of Peace” (GOP) group (see Appendix A in the report).

Assumptions and Caveats

To do our analysis, we must first rule out two alternate scenarios.

First, that a native English speaker or speakers wrote the messages and then intentionally inserted errors to make it appear as if a non-native English speaker(s) had written them.

Second, that the messages are the result of automatic translation of foreign-language original texts, in which case it would be difficult, if not impossible, to figure out the original language from the English texts (at least without knowing specifically what translation software had been used). See Appendix D in the report for examples of Google Translate.

Methodology

We apply a two-pronged methodology to analyzing the native language of the messages’ authors.
First, we examine a number of possible candidate languages, including Korean, to see if we can rule them out, and if not, which one does seem the most likely native language.
Second, as a further check, we perform an independent test for the messages’ similarity to English written by native Korean speakers to see how similar the non-fluencies are.

The Results

We conclude that it is unlikely that the messages were written by native Korean speakers, though it is not impossible. It is far more likely that they were written by native Russian speakers. It is virtually impossible, however, that they were written by native German or Mandarin Chinese speakers.

If You'd Like To Join Our Study

This study is limited by the small number of languages that were studied, as well as by the limited comparison with L2 English samples. We plan an expanded study of the messages, comparing against a wider sample of candidate languages as well as performing statistical comparisons against L2 samples in Korean and other languages.

Taia Global is looking for linguists with academic backgrounds to join this research project commencing in early January 2015. Interested candidates should contact Dr. Shlomo Argamon.

RELATED

"New Study Adds To Skepticism Among Security Experts That North Korea Attacked Sony"
"Why You Should Demand Proof Before Believing The US Government About North Korea and Sony"
"Sony, the DPRK, And The Thailand - Pyongyang Connection"

Sunday, December 21, 2014

Transcript of Kim Jong-Un's Discussions With His General About Sony

The following is a transcription which I'm certain has been captured by some agency somewhere and provided to me by an un-named, possibly government source. It takes place over several weeks and features private conversations between the DPRK Supreme Leader Kim Jong-un and the commanding officer of the DPRK's Army Unit 121.

KIM JONG-UN
Sony is making a movie about assassinating me called The Interview.
I want to destroy them. What are my options?

GENERAL
My people will do it.

KIM
Didn’t they attack the South Korean banks last year?

GENERAL
No, that was South Korean Leftists.

KIM
And weren’t your men responsible for the DDOS attacks against U.S. and South Korean government websites in 2009?

GENERAL
No, those were some Armenian kids.

KIM
So what exactly has your unit done, General?

GENERAL
We send our people to China where they steal trade secrets from the Americans and then sell them to the Russians, the Chinese, and the South Koreans.

KIM
Good money doing that?

GENERAL
About fifty billion yuan a year.

KIM
And everyone thinks that it’s the Chinese! Brilliant! Now go attack Sony for insulting me. But make them think it’s not us.

GENERAL
Sir, who else would be offended that a movie was being made about killing you besides us?

KIM
It’s the entertainment industry. They steal from each other. They pay their people less than we pay ours just to say that they work in “the business”. Are you kidding me right now? They have more enemies than I do. 

GENERAL
But why say anything at all?

KIM
What?

GENERAL
My men are highly trained soldiers. I give them targets and they destroy them. They don’t tell anyone, let alone the target, who they are or what they’re doing.

KIM
But I thought you make up funny names for yourselves like “Dark Seoul” and leave cryptic messages in your attack code.

GENERAL
No, that’s not us. That’s the South Korean Leftists. They’re crazy people.

KIM
ARGH. I have to think. Leave me, General. I’m about to invade Snowdown with my War Poros.

As the General leaves, Kim returns to playing League of Legends and forgets about the movie.

Weeks later.

KIM
General, someone called God’s Apostles or GOP has hacked Sony BIG TIME! Was that your people?

GENERAL
No sir. You never gave us the order. We think it was someone who used to work there for slave wages and wanted revenge. 

KIM
But why would they care about my movie?

GENERAL
Apparently they didn’t. They just wanted Sony to pay money to the victims of its oppression. Your movie wasn’t mentioned until later.

KIM
Good. Then your people can keep making me money and not waste their time on that stupid movie.

GENERAL
How’s the assault on Snowdown coming, sir?

KIM
There’s a sale on Legacy skins. What do you think - Bad Santa Veigar or Slay Belle Katarina?

GENERAL
Katarina. Definitely.

6 days later

GENERAL
Sir, the American President says that we are to blame for the Sony attack and that there will be repercussions.

KIM (laughing)
General, did he really say that or are you just pulling the leg?

The General holds up his iPad and plays a clip from President Obama’s press conference.

Kim jumps up and dances around his desk.

KIM
I AM THE MAN! I AM THE MAN! 

Kim cracks open a bottle of Cristal and takes a swig.

GENERAL
Sir. It gets better. The Americans are asking the Chinese to help them stop us.

Kim looks at the general wide-eyed. Then bursts into a fit of laughter, spraying Cristal all over the general’s uniform.

KIM
Oh, General. I am truly blessed by all the Buddhas. Not only has Sony been punished, but my greatest enemy the United States government has now shown the world how incompetent and vulnerable it is. Everything has fallen into place and I’ve had to do nothing!

Kim meditates for a moment on his many blessings.

KIM
General, I have an idea. Tell the American President that we didn't do this and that we'll help him find out who did. What the hell. I'm feeling magnanimous.

- END -

RELATED:

Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony
Sony, the DPRK, and the Thailand - Pyongyang Connection
"Sony Hacker Language Analyzed" - Language Log article by Victor Mair
"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence, Tallinn, Estonia.

Friday, December 19, 2014

Sony, the DPRK, and the Thailand - Pyongyang Connection

UPDATE (19DEC2014 1725PST)
I'm top-posting this update because I've just learned of some new information about Loxley Pacific which makes me believe that the Loxley-DPRK connection should be investigated in a more rigorous fashion. This comes from Don Sambandaraksa's Bloggery article "Loxley and the Thai way of doing things":
"(I)n April 2003 a company in Japan, Meishin, attempted to export parts for nuclear centrifuges to North Korea. The intermediary was a Thai telecom company, Loxley Pacific, and the consignment was declared as telecom equipment in an attempt to avoid scrutiny."
"The sad thing was that because of the proper and elite image of Loxley in Thailand, the news blackout was almost absolute within the country. Editors did not wish to make an enemy of Loxley as their owners, the Lamsum family, have a banking, food, commercial and advertising empire that is no less omnipresent than that of True and CP owned by the Chearavanont family. Only the Lumsums prefer to keep themselves to themselves unlike the publicity hungry Chearavanonts."
"No publication would risk losing their advertising income by pointing out that they were part of North Korea’s nuclear program. No politician would dare to lose party funding by taking them on - the Lumsums were the fifth largest official donor to the Democrat party. The Chearavanonts, meanwhile, topped the 2011 list."
"The Bangkok Post’s Post Database section ran the story, but what should have been front page news on every newspaper in the country was instead run as a story on the back page of the technology section. Such was the scale of denial."
The above is just a snippet of Don's full article which discusses Loxley, its subsidiary Loxley Pacific, and its sale to North Korea of a GSM network and an ISP. If Don is correct in his assessment about Loxley's political influence in Thailand and its deal-making with insiders, then chances are good that Loxley's own network is extremely vulnerable to being breached (who would be brave enough to tell the CEO?). Post-breach, it could be used as a vector to access North Korea's mobile and Internet networks. Anything the attackers do after that would be blamed on Pyongyang - no questions asked.

[Original Post Begins Here]
The White House appears to be convinced through "signals intelligence" that the North Korean government planned and perpetrated this attack against Sony:
"In one new detail, investigators have uncovered an instance where the malicious software on Sony’s system tried to contact an Internet address within North Korea."
There is a common misconception that North Korea's ICT is a closed system, and therefore that anything going in or out must be evidence of a government-run campaign. In fact, the DPRK has contracts with foreign companies to supply and sustain its networks. Those companies are:
  • Lancelot Holdings
  • Loxley Pacific
  • Shin Satellite Corp
  • Orascom Telecomms Holding
Each offers a different service. Loxley Pacific is a Thai joint venture involving Loxley (Thailand), Teltech (Finland), and Jarangthai (Taiwan).

Loxley Pacific is a subsidiary of Loxley, a Thai public company that provides a variety of products and services throughout the Asia Pacific region. According to its 2013 annual report, Loxley has 809 permanent staff and 110 contract staff. 

Loxley Pacific provides fixed-telephone lines, public payphone, mobile phones, internet, paging, satellite communications, long-distance/international services, wire or wireless in the Rajin-Sonbong Free Economic and Trade Zone. Star JV is North Korea's internet service run as a joint venture between the North Korean government and Loxley Pacific.

One of the easiest ways to compromise the Internet backbone of a country is to work for or be a vendor to the company which supplies the backbone. For the DPRK, that's Loxley, based in Bangkok. The geolocation of the first leak of the Sony data on December 2 at 12:25am was traced to the St. Regis hotel in Bangkok, an approximately 13 minute drive from Loxley offices.

This morning, Trend Micro announced that the hackers probably spent months collecting passwords and mapping Sony's network. That, in addition to the fact that the attackers never mentioned the movie until after the media did, pretty much rules out "The Interview" as Pyongyang's alleged reason for retaliation. If one or more of the hackers involved in this attack gained trusted access to Loxley Pacific's network as an employee, as a vendor, or simply by compromising it as an attacker, they would have unfettered access to launch attacks from the DPRK's network against any target that they wish. Every attack would, of course, point back to the hated Pyongyang government.

Under international law, "the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State" (Rule 8, The Tallinn Manual). The White House must responsibly evaluate other options, such as this one, before taking action against another nation state. If it takes such action, and is proved wrong later, which it almost certainly will be, the reputation of the U.S. government and the intelligence agencies which serve it will be harmed.

RELATED:

"Sony Hacker Language Analyzed" - Language Log article by Victor Mair
"Sony, the DPRK, and the Thailand - Pyongyang Connection" by Jeffrey Carr
"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence, Tallinn, Estonia.

Wednesday, December 17, 2014

Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony

Yesterday evening the New York Times reported that un-named American intelligence officials have concluded that the North Korean government was "centrally involved" in the massive breach against Sony (NYSE: SNE), and that the White House hasn't yet decided how it will respond.

Such a claim, if true, requires that two things be done immediately:
  1. The identities of the intelligence officials need to be revealed, or at least the agency that they work for.
  2. The proof that supports that finding needs to be pointed to.
Chances are better than 50/50 that the agency is DHS, the agency which, since its inception, has redefined the word incompetent.
"Over the past four years, employees have left DHS at a rate nearly twice as fast as in the federal government overall, and the trend is accelerating, according to a review of a federal database."
"A parade of high-level departures, on top of other factors, has meanwhile helped slow the rollout of key cybersecurity initiatives, including a program aimed at blocking malicious software before it can infiltrate civilian government computers, former officials say."
The Inspector General's DHS report that came out last month was highly critical as well.

But even if the NY Times source wasn't DHS, the IC is rarely unified when it comes to intelligence analysis, especially cyber intelligence. The NASDAQ investigation as reported by Bloomberg is a great example.
"In early January, the NSA presented its conclusions to top national security officials: Elite Russian hackers had breached the stock exchange and inserted a digital bomb. The best case was that the hackers had packed their malware with a destruction module in case they were detected and needed to create havoc in Nasdaq computer banks to throw off their pursuers. The worst case was that creating havoc was their intention. President Obama was briefed on the findings."
"Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case."
Cyber Intelligence Can Be Contradictory and Unreliable
Federal agencies' demand for cyber threat intelligence is voracious and they pay well. That demand is frequently met by companies like Mandiant, now part of FireEye - the company handling Sony's incident response. The problem is that these companies have no oversight and no standardized vetting of sources.

A recent Carnegie Mellon report on cyber intelligence tradecraft reported:
"Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
It isn't hard to find examples.

SHAMOON
Cylance's last report "Operation Cleaver" claimed that Iran is a sophisticated cyber adversary and pointed to Shamoon as proof. However, technical reporting by both Kaspersky Lab and Crysys Lab noted that Shamoon's author was incompetent; that due to "silly errors" the malware was only 50% effective. If you want to make the case that Iran is a sophisticated cyber warfare actor, you shouldn't point to poorly written malware as an example.

THE XCAR FORUM
Crowdstrike's "Putter Panda" report made the claim that posts in a Chinese XCar forum were secretly coded messages used to convey information about hacking jobs when it was really just an online forum about cars. This mistake happened because Crowdstrike's researchers used Google Translate instead of native Chinese linguists. When researchers see hidden Chinese hacker messages where none exist, it makes it difficult to accept their analysis of North Korean language peculiarities.

DARK SEOUL
According to Sophos, Dark Seoul malware is not particularly sophisticated and is easy to detect. Symantec referred to Dark Seoul not as malware but as a hacker group responsible for four years of attacks against South Korean websites, including the DDoS attack against some U.S. government websites over Independence Day weekend in July 2009.
McAfee referred to Dark Seoul as an operational name but then changed it to Operation Troy, extended the attack to a four year campaign and, unlike Symantec, added the claim of espionage as the campaign's purpose.

Names Are Collections Of Technical Indicators, Not People
Names given to hacker groups by cyber intelligence companies don't refer to actual people (with a few notable exceptions). Instead they refer to technical indicators or TTPs (tools, techniques and procedures) that attacks have in common. There's no way to tell who belongs to any group, or if you can identify one member of a group from a certain year, where that member is today. Further, different companies assign different names to the same groups which is why you end up with names like Comment Crew, APT1, Soy Sauce, GIF89a, Shanghai Group, and Comment Panda on the unclassified side, and "Bravo Charlie" on the classified side.

Feeding commercial cyber intelligence that hasn't been subjected to any critical scrutiny or source validation into intelligence agencies, where it gets a new code name and classification, is a disaster waiting to happen.

Challenge Everything
Is North Korea responsible for the Sony breach? I can't imagine a more unlikely scenario than that one, and for many of the same reasons that Kim Zetter detailed in her excellent article for Wired.

My advice to journalists, business executives, policymakers, and the general public is to challenge everything that you hear or read about the attribution of cyber attacks. Demand to see the evidence, not scrubbed "indicators of compromise" that can't be validated. Be aware that the FBI, Secret Service, NSA, CIA, and DHS rarely agree with each other, that commercial cyber security companies are in the business of competing with each other, and that "cyber intelligence" is frequently the world's biggest oxymoron.

RELATED

"Sony Hacker Language Analyzed" - Language Log article by Victor Mair
"Sony, the DPRK, and the Thailand - Pyongyang Connection" by Jeffrey Carr
"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence, Tallinn, Estonia.

Friday, December 5, 2014

"Measure Twice. Bite Once" - Suits and Spooks DC 2015 Supports The Warrior Dog Foundation

You have 5 days left before the Early Bird rate for Suits and Spooks DC/Pentagon City ends on December 10th. For the first time, we'll be holding this event at the Ritz Carlton Pentagon City and we're going to honor the work of the Warrior Dog Foundation by hosting a dinner for them on February 4th.

Normally the tickets for the dinner are sold separately from the Suits and Spooks registration but between now and December 10th, if you register for Suits and Spooks DC/Pentagon City, we'll buy you your ticket to the dinner.

Everyone who registers for Suits and Spooks, whether you register for the dinner or not, will receive an awesome t-shirt which shows a modified Suits and Spooks playing card logo that has been integrated with the Warrior Dog Foundation "paws" and ribbon and the tag line:

MEASURE TWICE BITE ONCE

Visit the brand new Suits and Spooks website to learn more, and register before December 10th to take advantage of this great offer.

Wednesday, December 3, 2014

The One Statement That Changes Everything For A Corporation That's Been Breached

Imagine that you're a publicly-owned company that has just been hacked in a BIG way. You're now in damage control mode. You've made a preliminary announcement. You've hired a high profile and very expensive Incident Response company. That's all SOP. After a reasonable amount of time goes by there is one statement that you can make which will change the game entirely. Guess which one it is:

THE INSIDER STATEMENT: A former ACME Corporation employee named Wiley E. Coyote stole the company's plans for a Jet-Propelled Unicycle by tricking a security guard into thinking it was just a big lunch box.

THE HACKTIVIST STATEMENT: The ACME Corporation's network has been breached by a fast-running ground cuckoo called RoadRunner.

THE NATION STATE STATEMENT: The ACME Corporation is the victim of a highly sophisticated cyber attack by an elite State-sponsored group of hackers.

If you guessed The Nation State Statement, you're right. Here's why.

Companies that get pwned by hacktivists like Anonymous or LulzSec look like they're incompetent because hacktivists launch low-level attacks against low-hanging fruit that shouldn't be there in the first place. Plus, hacktivists frequently get caught and then flip on their compadres. Bottom line, your multi-billion dollar multinational corporation has just been breached by some low-rent kid with no balls and your CEO looks like a jerk.

If, on the other hand, your company was breached by an insider, it opens a huge can of worms for your General Counsel because you hired the guy and malicious insiders always, ALWAYS, give early warning signs before they rip you off, which you clearly missed. With the hacktivist, you may look like a jerk but at least you can blame someone else. If you're the victim of an insider, heads are going to roll.

But imagine if you could point the finger at a foreign government, especially one that everyone hated like Iran or North Korea. For many years, China was the go-to culprit but now it's more impressive to be hacked by Russia or the DPRK. If you can blame a nation state by calling the actors "state-sponsored", then you cannot be held responsible. You'd be the victim of a military organization or an intelligence service with vast funding and sophisticated capabilities that could overcome any corporate network. Plus, everybody wins! By blaming North Korea, for example, you have instantly created a news story which focuses attention on that idiot in Pyongyang instead of your CEO. You've helped the White House and Congress further their DPRK policies. Your Incident Response company's CEO is now in love with you because you've guaranteed him international headlines which might result in a lucrative acquisition down the road.

Blaming a nation state for your company's attack is WIN - WIN - WIN.

There is one caveat, however.

Because it is so wonderful to be able to claim to be the victim of hackers employed by a foreign government, you have to be careful that the evidence supports your claim. If it looks like an inside job and you claim nation-state, it might have the opposite effect. Then your "win" will vanish faster than a RoadRunner's "beep beep".

Monday, December 1, 2014

The Latest Sony Breach And Its Potential SEC Problems

Sony's (NYSE: SNE) latest network breach is also potentially one of its worst when it comes to financial impact on the company. The attackers (Guardians of Peace) stole five movies including Brad Pitt's "Fury" and released them online. "Fury" alone has had over 1.2 million downloads in the last three days according to Variety, which makes it the second most downloaded movie currently being pirated. The other movies stolen by hackers include "Annie", "Mr. Turner", "Still Alice", and "To Write Love on Her Arms". The hackers also stole multiple terabytes of internal company financial and personal data which they released today on Pastebin. Depending upon what was stolen, this could make Sony liable for millions of dollars in penalties if it includes controlled PII data.

The company's PlayStation unit had been repeatedly and successfully breached by attackers in 2011, which cost it an estimated $171 million and would "affect revenues for its fiscal 2011 year" according to its IR group (investor relations). Page 8 of its 2011 Annual Report dedicated one paragraph to that event, 90% of which spoke about how "sophisticated" the hackers were (they actually weren't sophisticated at all) and how they have reinforced their security, blah blah.

The current attack against Sony Pictures Entertainment has potentially done more damage and may involve one or more insiders. Sony has engaged an IR firm to investigate the attack and is cooperating with the FBI, which is pretty standard procedure.

I looked at Sony's annual reports since 2011 and the language used in describing its cyber risk factors remains pretty much the same as this quote from its 2014 20-F filing:
"Moreover, as network and information systems have become increasingly important to Sony’s operating activities, the impact that network and information system shutdowns may have on Sony’s operating activities has increased. Shutdowns may be caused by events similar to those described above or other unforeseen events, such as software or hardware defects or cyber-attacks by groups or individuals." 
"Similar events in the future may result in the disruption of Sony’s major business operations, delays in production, shipments and recognition of sales, and large expenditures necessary to enhance, repair or replace such facilities and network and information systems. Furthermore, Sony may not be able to obtain sufficient insurance in the future to cover the resulting expenditures and losses, and insurance premiums may increase. These situations may have an adverse impact on Sony’s operating results and financial condition."
"Sony makes extensive use of information technology, online services and centralized data processing, including through third-party service providers. The secure maintenance and transmission of customer information is a critical element of Sony’s operations. Sony’s information technology and other systems that maintain and transmit such information, or those of service providers or business partners, and the security of such information possessed by Sony or its business partners may be compromised by a malicious third-party or a man-made or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, customer information may be lost, disclosed, misappropriated, altered or accessed without consent. For example, Sony’s network services, online game business and websites of certain subsidiaries have been subject to cyber-attacks by groups and individuals with a wide range of motives and expertise, resulting, in some instances, in unauthorized access to and the potential or actual theft of customer information."
"In addition, Sony, third-party service providers and other business partners process and maintain proprietary Sony business information and data related to Sony’s business, commercial customers, suppliers and other business partners. Sony’s information technology and other systems that maintain and transmit this information, or those of service providers or business partners, and the security of such information possessed by Sony, third party service providers or other business partners may also be compromised by a malicious third-party or a manmade or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, Sony’s business information and customer, supplier, and other business partner data may be lost, disclosed, misappropriated, altered, or accessed without consent."

This is pretty generic stuff, evidenced by the fact that the language doesn't contain anything specific to Sony that wouldn't apply to every other public company. SEC regulations on risk disclosure require that the language be non-generic, so Sony, like all registrants, will need to find a way to accurately estimate their risk of a cyber attack without providing actionable intelligence to potential attackers (which I believe is entirely possible).

Sony never filed an 8-K on the 2011 breach and to date they haven't filed one on this breach (8-Ks are to be filed on material corporate events that shareholders should know about). I've left a message for their IR desk to call me back so that I can ask them why that is but so far, no joy.

A Taia Global white paper on the SEC and Cyber Risk Factors was just published last Monday and is available for download at the company website.

Thursday, November 27, 2014

Selective Listening Can Kill Your Business (Thank You Gordon Ramsay)

The problem of selective listening (hearing only what you want to hear while ignoring all else) has killed a lot of businesses, especially restaurants. In fact, I suspect that the problem is pervasive across all industries and government agencies.

On Kitchen Nightmares, I watched restaurateurs who were at the brink of closing argue with Chef Ramsay that the problem wasn't the tasteless, frozen, microwaved crap that they served in their almost empty restaurant. It couldn't be because "everyone loves my food". "Who's everyone? Your restaurant's empty", Ramsay would say. Then there were owners like Sebastian (Sebastian's Pizza) and David (The Black Pearl) whose egos wouldn't allow them to take advice.

I credit Ramsay's series about failing restaurants for helping me avoid those traps and others while I launched and built the Suits and Spooks security event series. After all, a conference is a lot like a pop-up restaurant except with worse food.

I wanted more than anything to build something that was different and that would deliver value to my customers. Inspired by what I learned from Gordon, I picked interesting and unique venues. I imagined that I was creating a menu when I curated my speakers - selecting ones that would add a unique "flavor profile" to Suits and Spooks attendees.  I made sure that I greeted every attendee personally, and listened to their feedback - both positive and negative.

The result was that Suits and Spooks, launched in September, 2011, was sold to Wired Business Media in April, 2014, just two months before Gordon Ramsay announced that after 12 seasons and 123 episodes, Kitchen Nightmares would wrap for good.

So today, on Thanksgiving, I'd like to say thank you to Gordon Ramsay for producing a show that inspired me to build something that I was passionate about and make it a success.



Monday, November 24, 2014

SEC Risk Factors: How To Determine The Business Value Of Your Data To A Foreign Government

“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.”
- CF DISCLOSURE GUIDANCE: TOPIC NO. 2 “CYBERSECURITY”
 

EXECUTIVE SUMMARY

The SEC’s Cybersecurity Disclosure Guidance of 2011, President Obama’s Executive Order 13636 on Critical Infrastructure Cybersecurity (2013) and the launch of NIST’s Cybersecurity Framework (2014) have had a major impact on publicly traded companies and financial institutions, which are struggling to quantify their risk analysis in the new domain of cyberspace.

While the SEC has not yet codified its cybersecurity guidance (Corp Fin Disclosure Guidance: Topic No. 2), it has already issued 50 comment letters to public companies that have not adequately complied with the new guidelines. In fact, that appears to be a long-standing complaint of the SEC staff who would “like [registrants] to ... get away from mind-numbing risk factors disclosures to a more targeted discussion.”

Although the SEC’s cybersecurity guidelines aren’t yet regulations, the disclosure of risk factors such as credit and liquidity has been a requirement for many years, and a mandatory non-generic risk factor analysis of a company’s digital assets cannot be far off. The dilemma that boards and general counsels are facing today is that too much disclosure might hurt the company’s business, while too little disclosure may, at a minimum, result in the company receiving an SEC comment letter.

This white paper will explore where the SEC is headed on this issue and propose a novel solution that’s both specific to the company and avoids the potential danger of revealing too much information about company vulnerabilities - the ability to verifiably assess the value of your intellectual property (IP) to a rival Nation State by establishing its Target Asset Value™.

You can obtain a copy by visiting the Taia Global website.

Thursday, November 13, 2014

Who Developed China's Laser Weapon and Other Things That Go Boom?

China has spent the last few days showcasing its latest military technology including this new laser weapon that can shoot down drones a mile away in 5 seconds after locating the target. However, if you're like me you'll want to know who built it and what else are they working on!

Well, now you can find out. Here's a 5 minute demo of our new REDACT Search product which tackles that very question. Enjoy!



Tuesday, November 11, 2014

Musashi's "The Way of Self Reliance" (Wilson translation)

Japanese swordsmanship has been a hobby of mine for almost 35 years, and the most famous of all Japanese swordsmen is Miyamoto Musashi, author of The Book of Five Rings.

One week before his death, he wrote "The Way of Walking Alone" (Dokkodo). I read the translation written by William Scott Wilson, which like all of Wilson's work, was carefully constructed from primary documents. Then I looked online to see if there was a version of it that I could link to. Instead, I found an awful alternative translation that has been repeated ad infinitum.

So on Veterans Day and to honor the memory of one of the world's greatest swordsmen, I've reproduced what I believe is the superior translation of "The Way of Self Reliance", found in William Scott Wilson's translation of Miyamoto Musashi's The Book of Five Rings.

Enjoy.

Shrike on a Withered Branch
by Miyamoto Musashi
THE WAY OF WALKING ALONE (or The Way of Self-Reliance)

  • Do not turn your back on the various Ways of this world.
  • Do not scheme for physical pleasure.
  • Do not intend to rely on anything.
  • Consider yourself lightly; consider the world deeply.
  • Do not ever think in acquisitive terms.
  • Do not regret things about your own personal life.
  • Do not envy another's good or evil.
  • Do not lament parting on any road whatsoever.
  • Do not complain or feel bitterly about yourself or others.
  • Have no heart for approaching the path of love.
  • Do not have preferences.
  • Do not harbor hopes for your own personal home.
  • Do not have a liking for delicious food for yourself.
  • Do not carry antiques handed down from generation to generation.
  • Do not fast so that it affects you physically.
  • While it's different with military equipment, do not be fond of material things.
  • While on the Way, do not begrudge death.
  • Do not be intent on possessing valuables or a fief in old age.
  • Respect the gods and Buddhas, but do not depend on them.
  • Though you give up your life, do not give up your honor.
  • Never depart from the Way of the Martial Arts.


Second Day of the Fifth Month, Second Year of Shoho [1645]
Shinmen Musashi

Saturday, November 8, 2014

"Frank Martin" of the U.S. Government Grants Department Wants To Give Me $14,566

I just ended a ridiculous but entertaining call with "Frank Martin" of the "U.S. Government Grant Department" who wanted to give me $14,566 for being a good taxpayer. I stayed on the line with him for about 20 minutes because I wanted to learn as much about the scam as I could.

Here's more or less how it went:

0823 PST my home phone rings. The caller ID reads PENNSYLVANIA 267-973-6174.

A heavily accented voice asks if this is Jeffrey Carr, and then proceeds to tell me that she's calling from the government grant department.

Oh, yes. I said. The government grant department. That's part of the U.S. Treasury, right?

"That's right Mr. Jeffrey. We just need to verify your information."

[The caller reads me my street address, city, state and zip code. All are accurate.]

"Now sir, would you like to receive your grant money on a credit card, debit card, pre-paid debit card, or in your bank account?"

Pre-paid debit card, I say, as I pull out my handy (and empty) pre-paid Visa gift card that I keep for calls just like these.

"Please read me the number, sir."

I read it off the card.

"And the last four digits of your social security number"

I invent 4 digits and give them to her.

I'm now told that I've been chosen to receive a grant of between $5,000 and $15,000. My government approval number is WA23134, and I'm to call the grant manager in Washington DC at (202) 738-4264.

We hang up. I now call the DC number.

RING RING RING RING RING RING RING RING

I must have let it ring 20 times. No answer.

A few minutes later, my home phone rings again.

The person I just spoke with is back and says that she'll try to connect me.

She tries twice and finally I get to speak with a grant manager named "Frank Martin", who's clearly of Indian descent. Mr. Martin wants to assure me that this program is very real, and asks me to write down the following information:
The Government Grants Office is located at 200 Independence Avenue, SW, Health and Human Services Building, Washington DC 20201. His government badge number is FM2586 and his phone number is (202) 738-4264.
So, not the U.S. Treasury.
"Jeffrey", Frank says, "are you at your computer?"
Yes.
"I want you to go to this website: grants.nih.gov"
[I open a sandboxed browser.]  OK, Frank. I'm there.
"Now see the search window on the right side? Type in my name - Frank Martin."
Got it.
"Now see the 2nd entry where it says Frank Martin, and where it shows how much money I've given out in grants? That's me."

[This idiot didn't notice the "," between "frank" and "martin". The "frank, martin" he pointed me to is Martin Frank, Executive Director of the American Physiological Society.]

Oh, yes. You've given out a lot of money, Frank. 
"Yes, Jeffrey, and because you've been a good taxpayer, we want to give you $14,566. Now, what is your date of birth?"
I give him a DOB a few years and a few months off from my own.
"Oh, you don't sound that old, Jeffrey. You sound like you're only 20 or 22 years old! OK, let me verify all of your information because this is a lot of money and we want to make sure that you are really who you say you are."
The line is quiet for 10 seconds while he verifies my fake DOB, fake last 4 digits of my SS, etc. 
"Very good, Jeffrey. Now may I ask what you'll be using the grant money for?"
A cruise. Is that allowed?
"A cruise? Sure. You can take a cruise, buy a car, anything you like. It's your money. Just don't use it for any illegal activities!"
Oh, no. Not me. 
"So now we are at the verification step. You must go to a store near you and send me a verification voucher. Because, you know, there are a lot of Jeffrey Carr's in the United States. We can't risk giving money to the wrong Jeffrey Carr! Do you have a Rite-Aid or something like that near you?"
How about Walmart?
"No, not Walmart. Wait, I'll check for you. OK, I see that you're close to a QFC store. How long will it take you to drive there?"
Oh, about 20 minutes.
"Do you have a cell phone?"
I can borrow one from my neighbor.

"OK, go to the store and then call me from the parking lot. I'll tell you exactly how to do the verification voucher and then I'll stay on the line until you see the money has been transferred to your pre-paid Visa card." 
"Now Jeffrey, you need to bring three things with you: a picture ID, a cell phone with a charged battery, and $275 in cash which is a fully-refundable verification fee. You understand what "fully-refundable" means, Jeffrey?" 
Um, yes. 
"So after you send us the voucher verification, your fee is then refunded back on your Visa card along with your grant money. See, we have to do it this way because it would be fraud if we asked you to send us money from your checking account or from your credit card and we aren't trying to defraud you. Only bad people ask you to send money from your bank account. That's why we ask for cash."
Yes, cash is much better, Frank. Thank you.

[So now that Frank is done with his pitch, it's my turn to have some fun.]

By the way, Frank, are you at your computer?
"Yes, why?"
Well, you've been so nice sharing information about yourself, I thought you might want to see who I am. Do you know Google.com? Just type in "Jeffrey Carr". I'll be the first name that comes up.
[SILENCE]
"I'm sorry, Jeffrey. My computer doesn't seem to be working right now. "
Oh, that's OK, Frank. When your computer is working again, just go to Jeffreycarr.com, and you can read all about this little fraud of yours online.
[CLICK]
Frank? Are you there?

-------------------------------------

The FTC has a page for Free Grant Fiction here. This seems to be the latest iteration.

Wednesday, October 29, 2014

Cyber Threat Marketing and Political Expediency: STOP THE MADNESS

FireEye's APT28 report is the latest in a series of glossy marketing white papers which claim to reveal the workings of "state-sponsored actors", in this case from Russia. The paper fails to prove its claim of state-sponsorship (a confusing term that the FireEye report never defines) and evidences a few other bad habits described below.

However none of that really matters because Russia is currently on the White House's shit list, it's being hammered by sanctions, and the Kremlin has shown itself over the years to be more than willing to let its very talented hacker population engage in cyber attacks against its political enemies without repercussion. 

Last year when Mandiant came out with its APT1 report about China, guess who was on the White House's shit list then? 

From a marketing perspective, you can say-hint-imply-presume whatever you want. Proof is irrelevant. What counts is that the political interests of the U.S. and other western nations correspond with the marketing interests of cyber security companies. Timing - as Hesiod said - is everything.

However, even if the raw commercialism of this strategy doesn't bother you or is at least forgivable because after all FireEye and all of its competitors are for-profit enterprises, the report's authors have made some awful decisions in their analytic method.

Cherry-Picking The Evidence
"APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests. They do indicate parallel areas of interest to many governments and do not run counter to Russian state interests."
In other words, we've just included the evidence that supports our theory and excluded the evidence that doesn't. That's precisely the kind of bad analysis that's behind every intelligence failure that has ever happened. 

Calling Low Level Attacks "Sophisticated"
"Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government’s alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008, as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008. These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace."
Speaking as someone who's been researching Russian information warfare practices and, more importantly, its ongoing research and development in information security, I can tell you that the SQL attacks against Georgian government websites during the 2008 war were not even close to "sophisticated". Same with the 2008 DOD breach. Remember that when you have to explain to your boss that some unemployed Russian kid (sorry, Russian "state-sponsored" actors) stole everything you own, it had better be because the attack was "highly sophisticated".

Unfortunately for myself and others who take a skeptical or even cynical view to every public report of a "sophisticated state-sponsored" attack, the reporting agency or corporation never shares their raw data. And whatever is shared is scrubbed. 

APT28 isn't a Person or Persons. It's a Thing
Cyber security companies that monitor networks and threat actors rely almost exclusively upon technical attributes when they establish a "group". It's not like a street gang unit at your local PD that can tell you the gangs that operate in an area, who the members are and where they go when they leave. They don't know who the members are, or how many there are, or what nationality they are, or who they're working for, or how long they stay before moving on. Visit ZoneH.org and pick any hacker group that does high-profile defacements. Do a search by group name and find one with a history spanning just one year. Start with the earliest defacement and add the aliases of the group's members to a spreadsheet. Jump ahead a few months and check to see if the names have changed. Jump ahead a year. Members come and go, and when they go they take with them the tools and resources that they are comfortable with using. Or perhaps they'll discover new tools with a different group and in a few months, jump again - this time with different TTPs than they had a year ago. Are they still "APT28"?
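The spreadsheet exercise above can be scripted. The following is an added example written for this post, not code from the original or from any vendor, and it runs on a constructed set of defacement records in the shape of a Zone-H style index (group name, credited alias, mirror date); the group "TeamX" and its aliases are invented. It groups the records by calendar quarter and reports how much of the roster survives from one observed quarter to the next, which is the "are they still the same group?" question in numbers.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records, not real Zone-H data:
# (group name claimed in the defacement, member alias credited, mirror date).
RECORDS = [
    ("TeamX", "alpha",   date(2013, 1, 12)),
    ("TeamX", "bravo",   date(2013, 1, 20)),
    ("TeamX", "charlie", date(2013, 2, 3)),
    ("TeamX", "alpha",   date(2013, 5, 9)),
    ("TeamX", "delta",   date(2013, 6, 1)),
    ("TeamX", "charlie", date(2013, 6, 14)),
    ("TeamX", "delta",   date(2013, 10, 2)),
    ("TeamX", "echo",    date(2013, 11, 7)),
    ("TeamX", "foxtrot", date(2013, 12, 19)),
    ("TeamX", "echo",    date(2014, 2, 3)),
    ("TeamX", "golf",    date(2014, 3, 11)),
    ("TeamX", "hotel",   date(2014, 3, 28)),
]


def quarter_key(d):
    """Map a date to (year, quarter), e.g. 2013-05-09 -> (2013, 2)."""
    return (d.year, (d.month - 1) // 3 + 1)


def roster_by_quarter(records, group):
    """Set of aliases credited under `group` in each quarter that has records."""
    rosters = defaultdict(set)
    for g, alias, d in records:
        if g == group:
            rosters[quarter_key(d)].add(alias)
    return dict(sorted(rosters.items()))


def churn(rosters):
    """For each pair of consecutive observed quarters: Jaccard overlap of the
    two rosters, who appeared, who disappeared."""
    keys = list(rosters)
    out = []
    for prev, cur in zip(keys, keys[1:]):
        a, b = rosters[prev], rosters[cur]
        out.append({
            "from": prev, "to": cur,
            "overlap": round(len(a & b) / len(a | b), 2),
            "joined": sorted(b - a),
            "left": sorted(a - b),
        })
    return out


def surviving_members(rosters):
    """Aliases present in both the first and the last observed quarter."""
    keys = list(rosters)
    return sorted(rosters[keys[0]] & rosters[keys[-1]])


if __name__ == "__main__":
    rosters = roster_by_quarter(RECORDS, "TeamX")
    for q, members in rosters.items():
        print(q, sorted(members))
    for step in churn(rosters):
        print(step)
    print("survivors first->last:", surviving_members(rosters))
```

On the constructed data the roster overlap drops to 0.2 within two steps and nobody from the first quarter is left a year later, yet every record still carries the same group name. Run against real mirror data the same script tells you whether the label you are tracking still refers to the people you think it does.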

"Stop The Madness"
To quote Mr. Wonderful, "STOP THE MADNESS!" Reports like these cannot be trusted to give a factual assessment of the real-world capabilities of any government's activities with their resident hacker populations. And they positively do not reflect the capabilities of any government's security services.

They are (1) a way to gain market share through garnering headlines and (2) a way to gain favor or secure contracts with government agencies who are catering to their customer - the Executive Office of the President.

Wednesday, October 22, 2014

"Hunting For Seeds That Remain Uncultivated, For Ideas That Lie Dormant"

From time to time I like to share gems of insight that I've discovered in the works of others in hopes that someone else will benefit besides myself. I'm always the first one awake in our house (usually before dawn) so I make a double espresso and sit down at my desk, which faces East overlooking the Hood Canal. Ellis' book is a collection of ancient Egyptian texts so it's fun to open it up randomly and see where you land. This is what I opened to this morning, around the time that dawn was breaking.

Thoth Speaks:
The ibis and the ink pot - these are blessed. For as the ibis pecks along the bank for a bit of food, so the scribe searches among his thoughts for some truth to tell. All the work is his to speak, its secrets writ down in his heart from the beginning of time, the gods' words rising upward through his dark belly, seeking light at the edge of his throat. We are made of god stuff, the explosion of stars, particles of light, molded in the presence of gods. The gods are with us. Their secrets writ only in the scrolls of men's hearts, the law of creation, death and change inscribed in the blood and seed of man's love. In the beginning and at the end, the book is opened and we see what in life we are asked to remember. 
Hear, then, my words, the ringing of my speech, as the heart and the scroll of this life fall open. Truth is the harvest scythe. What is sown - love or anger or bitterness - that shall be your bread. The corn is no better than its seed, then let what you plant be good. Let your touch on earth be light so that when earth covers you, the clods of dirt fall lightly. The soul of a man forgets nothing. It stands amazed at its own being. The heart beats the rhythm of its life. The lungs breathe the ions of its own vibration. The mind recalls its thoughts. The glands respond to its emotions.  
The body is a soul's record. And when a man's life ends, his body is given back to gods and the gods shall see what use their laws have been. They shall see the deeds its hands have made, the sparks of light its heart set in the world. They shall see whether or not their love, their powers have been wasted, whether the plants it has grown were nourishing or poison. And like the ibis, the gods shall circle about him, hunting for seeds that remain uncultivated, for ideas that lie dormant, thoughts left unexpressed.  
They shall find new seeds from the plants he has tended. And these shall be planted again in the clay of a new man and he shall be sent back to the world until all the gods have seen fit to create in man is cultivated, and then, in final death, he shall be welcomed home as one of them.
- From "Awakening Osiris: The Egyptian Book of the Dead" by Normandi Ellis, Phanes Press, Boston 1988, p.55-56 

Saturday, October 11, 2014

First Look at Suits and Spooks DC 2015: 3 Hot Workshops and over 20 talks and panels

Early bird registration is now open for Suits and Spooks DC. We've expanded it to three days so as to include one optional day of training (Wednesday Feb 4). Since this is Suits and Spooks and not your typical Security conference, you've never had training like this before:

A Cyber Intelligence Analyst's Workshop: Connecting More Dots With Carmen Medina
A Cyber Security Entrepreneur's Workshop: Transitioning from a Spook to a Suit (taught by Barbara Hunt, Rick Holland, and to-be-announced panelists)
The PRC People's Liberation Army Information Warfare Infrastructure Workshop by Mark Stokes (Project 2049 Institute)

The training will be given in a tiered classroom setting with microphones at every seat and two large projection screens behind the instructor.

On Thursday (Feb 5) and Friday (Feb 6) our DC collision event will be held with a very unique collection of speakers that include John Robb (military strategist, futurist, and author of Open Source Warfare), Zachary Tumin (Deputy Commissioner for Strategic Initiatives at the NYPD), Thomas Rid (Professor at Kings College London and author "Cyber War Does Not Exist"), John Holland (CISO of Risk Division of Credit Suisse), and Ben Milne (founder of Dwolla).

You'll also get a very rare, inside look at how one of the world's largest defense contractors defends its global network, learn about Bitcoins and how at least one international bank is dealing with them, engage in a Q&A with a US Assistant District Attorney (invited), and much, much more.

Our Early Bird discount is $675 for all three days or $575 without the workshops. GOV/MIL rates are $395/$325. This event always sells out so register early.

Friday, August 8, 2014

Israel's Power Grid Is Susceptible To A Cyber Attack. Why Hasn't It Happened?


The fighting between Israel and Hamas during Operation Protective Edge has been severe by any measure, especially as regards the cost in human lives: over 1,800 Palestinians have been killed in the past 30 days while the IDF has lost 67 soldiers and 3 Israeli civilians [1]. Israel has been using air and ground assaults while Hamas has launched over 3,300 rockets [2].

In comparison, the cyber attacks launched against Israel haven't risen to nearly the same level. They've been nuisance attacks against Israeli government websites [3], rather than technically sophisticated attacks against Israel's critical infrastructure. Hamas has more than enough money to hire hackers with the necessary technical chops. Iran should already have the capability and manpower and they certainly have the money to invest in gaining that capability if they chose to do so. So why hasn't this happened yet? There are a few possibilities:

ONE:  ISRAEL HAS SUPERIOR CYBER DEFENSES IN PLACE
I've taken a quick survey of my contacts in the industrial control system community and we all agree that Israel's capabilities to defend its critical infrastructure against cyber attacks are second to none in the world. However, Israel Electric, the state-owned company that generates and distributes electricity throughout the country, uses vendors like Siemens whose equipment can be (and has been) exploited by technically sophisticated attackers, so the IEC isn't immune to attack; especially against an adversary who has it on their list of potential targets.

TWO: HAMAS HAS NOT INVESTED IN OFFENSIVE CYBER WEAPON DEVELOPMENT
Cyber weapons, unlike kinetic weapons, cannot just be used at a moment's notice against any other nation's power grid. It takes advance intelligence, planning, testing and production so that if an attack is imminent, you have the capability to turn out the lights and keep them off. It's unlikely that Hamas has done that. Iran and Syria should be doing that if they aren't already. The U.S. and the PRC have been doing it for years.

THREE: HAMAS HAS TACTICAL REASONS FOR NOT DEPLOYING CYBER WEAPONS
Even if Hamas or its ally Iran has the capability to attack Israel's grid, that may not be their geopolitical goal right now. The number of civilian casualties suffered by the Palestinians in Gaza is garnering a lot of sympathy from other nations which could be leveraged towards Hamas obtaining its goal of a Palestinian state. A technically sophisticated cyber attack against Israel that would leave much of the country without power could instantly change that advantage from a positive into a negative since it would have severe humanitarian consequences. Furthermore, the IEC supplies power to the Gaza Strip so even if Hamas wanted to disrupt Israel's ability to wage war by sabotaging the IEC's ability to distribute electricity, it would be cutting off its own supply of power as well.

Alternatively, the IEC has been officially forbidden by Israel's National Security Council to interrupt its supply of power and water to Gaza due to probable blow-back from the international community. Tony Blair has reportedly advised Netanyahu not to disconnect any West Bank or Gaza consumers from their electricity supply [4].

In fact, as of Tuesday August 5, IEC workers guarded by IDF forces were repairing portions of Gaza's electric grid that were damaged by rocket fire [5].


So while there may be several answers as to why Hamas has not utilized the asymmetric advantage offered by cyber weapons deployed against critical infrastructure, the best answer is probably that no one wants to be the first to push that particular button against such a large civilian population. 

Also for those pundits who have dismissed Iran's cyber warfare capabilities, the only capability that Iran or any nation state needs to acquire this type of weapon is the ability to write a check with a lot of zeros on it. 


[1] http://www.haaretz.com/news/diplomacy-defense/israel-gaza-conflict-2014/1.609116
[2] http://www.jpost.com/Operation-Protective-Edge/Operation-Protective-Edge-by-numbers-370161
[3] http://www.ibtimes.co.uk/inside-anonghost-pro-gaza-hacktivists-waging-cyber-war-israel-1458297
[4] http://www.al-monitor.com/pulse/security/2014/07/electricity-gaza-protective-edge-idf-humanitarian-crisis.html
[5] http://www.algemeiner.com/2014/08/06/israel-repairs-power-grids-for-gaza/

Monday, July 14, 2014

Su Bin, Lode-Tech, And Privatizing Cyber Espionage In The PRC

The criminal complaint against Chinese businessman Su Bin (aka Stephen Su, Stephen Subin) is a must-read. Be sure to read the Wall Street Journal article as well. It marks the first time that the FBI has issued an arrest warrant for a foreigner charged with cyber espionage by network intrusion, an activity that until now had been attributed solely to state actors like the PLA.

The complaint provides an in-depth look at an EaaS (Espionage-as-a-Service) operation involving one named suspect and two unnamed co-conspirators. I've tried to reduce the 49 page complaint into its essential components and added a few missing pieces.

SU Bin (Stephen Su) 

Su's alleged role was to help his partners identify valuable military aviation technology to steal and then find buyers for the stolen data. His company's tagline, as displayed on the Lode-Tech.com website, is almost laughably ironic: "We will track the world's aviation advanced technology." Su and his partners did exactly that, but would then attempt to steal the technology and sell it to their customers.


Su has been the owner and manager of Beijing Lode Technology Company, Ltd. since 2003. Lode-Tech is a cable harness equipment company that serves the aviation and space market. The company has offices in Beijing, Shanghai, Guangzhou, Shenzhen, Chengdu, Xi'an, Shenyang and Changchun.

Lode-Tech is also a representative and distributor of related aerospace products for a number of companies including DIT-MCO in Kansas City, MO; a company which proudly announces that its equipment "was used on the early "Hawk Missile," the first intercontinental Atlas missile, the Polaris missiles for the Navy, the Titan missiles for the Air Force, and the Patriot Missile used so successfully in the Desert Storm War, as well as almost all the aircraft used by the Air Force, Army and the Navy.”

DIT-MCO plus Lode-Tech's other business relationships in the aerospace industry (such as sharing space with Boeing at the Beijing Aviation Expo) put Su in an excellent position to identify valuable data for theft by a team of mercenary hackers who are identified in the complaint as UC1 and UC2.
NOTE: This case underscores the importance for companies in high value technologies like aerospace to (a) conduct in-depth due diligence investigations on all of their vendors and (b) restrict network access by implementing least-privilege rules.

Uncharged Co-Conspirator 1 and 2 (UC1, UC2)

According to the complaint, UC1 and UC2 are located in China, are hackers for hire, and are affiliated with multiple organizations and entities in the PRC. They have a diverse history of accomplishments but have chosen to focus on "military technology intelligence". They have an unidentified funding source that provided seven figures of working capital in RMB, a hierarchical structure, and a business development function. They've been working with Su since at least August, 2009.

In addition to their collaboration with Su on the Boeing C-17 project, UC1 sent several reports to UC2 which described other actions:
  • Targeted F-22 data from Lockheed Martin (LMT wasn't named in the complaint but they're building the F-22 and their sensitive documents use the classification terminology "Proprietary Information Source Selection Sensitive" which was mentioned in the complaint on p. 42).
  • Stole 20GB of data from a U.S. military contractor via the company's FTP server
  • Acquired a list of contractors and suppliers for a U.S. Unmanned Aerial Vehicle project and performed network reconnaissance.
  • Have access to a Russian-Indian joint missile development program by "controlling" the company's website and "awaiting the opportunity to conduct internal penetration".
NOTE: The name of the company is redacted in the report but it may be referring to the Brahmos 2 missile developed by Brahmos Aerospace; a joint venture between India's DRDO and Russia's NPO Mashinostroyenia.

Activities and Methodologies

  • Their target selection is informed by S&T (Science and Technologies) priorities of their potential customers. 
  • They establish "technology bases" and hop servers outside of China (e.g., the U.S., Korea, Singapore) and "machine rooms" with legal status in Macao and Hong Kong
  • Intelligence collection is done outside of the PRC (presumably at the above locations) and brought into China in person rather than electronically.
  • They focus on those U.S. and Taiwanese defense contractors which are among the global top 50 arms companies.

Conclusion

While this is the first criminal complaint that describes "hackers-for-hire" or Espionage-as-a-Service it isn't new and it isn't exclusive to China. U.S. cyber security companies who research APT threat actors should study this criminal complaint closely; especially those who have spent the last 9 years defining APT solely as the Chinese government.

Threat intelligence companies worldwide need to find ways to differentiate the activities of a nation-state from those of a for-profit hacker group, criminal organization, or other alternative entities engaging in acts of cyber espionage. That may be difficult under current APT assumptions and with the limitations of purely technical indicators.

Finally, the SU-UC1-UC2 enterprise as described in this criminal complaint underscores and validates a data-centric approach to cyber security wherein a company identifies its own high-value files by knowing the S&T research priorities of a given nation state and its state-owned or publicly-owned enterprises.

Friday, July 11, 2014

Airbus Defense and Space's First APT Threat Intelligence Report: Nice Work!

I've been a frequent and vocal critic of many threat intelligence reports issued by the usual players in information security. So it was very refreshing to read this report by Cassidian CyberSecurity (now a part of Airbus Defense and Space) on an APT threat actor that they named "Pitty Tiger".

I haven't studied the report yet but I did give it a quick read and want to congratulate the team of researchers including David Bizeul who did such an outstanding job in 2007 with his report on the Russian Business Network.

Here's what I really appreciated about the Pitty Tiger report:

APT Threat Actors - Not State Sponsored
Pitty Tiger is described as a group of Chinese hackers who demonstrated poor operational security (similar to the carelessness shown by members of Mandiant's APT1), but as inexperienced hackers out to make a quick buck rather than as bored or careless soldiers working for the PLA:
Pitty Tiger is probably not a state-sponsored group of attackers. The attackers lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.
This is the first time that I recall reading a security intelligence report which didn't portray the hackers as state-sponsored, state-affiliated or employed by the PLA. That in and of itself is news-worthy as far as I'm concerned.

Espionage-As-A-Service
The researchers refer to an "opportunistic business model", something that I and other security researchers like J. Oquendo and Peter Mattis have written about as well.

Use of the term "White Paper"
The authors properly categorized their threat intelligence report as a white paper, which it is because it has marketing value for the company. Many well-known cyber security companies who issue security intelligence reports fail to acknowledge that.

Responsible Attribution
The researchers exercised restraint and used cautious language in their attribution section. They didn't make baseless assumptions about "real names" or jump to any conclusions about the identities or affiliations of the hackers.

Kudos to the Airbus team for this report. Please keep them coming.