Computer Attack Stratagems
DESCRIPTION
1. China leverages computer network attack and exploitation techniques, harvesting information critical to building a modern nation-state and "informationalized", technical military forces.
2. China adapted ancient stratagems for CNA & CNE operations.
3. China can claim plausible denial for nation-sponsored hacking activities, hiding within the sea of everyday hackers.
4. On the other hand, North Korea must take CNA & CNE operations outside its country's boundaries.
TRANSCRIPT
Page 1
Computer Network Attack / Exploitation: Regional Threats – China & North Korea
Karl Wolfgang, CISSP
Page 2
CNO in NE Asia
• People's Republic of China: medium threat, growing
• North Korea: low threat, restrained
• Methodology
  – National vision, objectives: military doctrine
  – Stratagems
  – Reality check:
    • Capabilities
    • Supporting infrastructure
    • Software / programming
  – Open source analysis, "in the wild" hacker processes
• Assumptions:
  – Individual hackers and nations share similar processes / techniques
  – China and North Korea share similar processes / techniques
  – China: 1. more active; 2. better able to operate under cloak of plausible denial
Page 3
Jiang Zemin: 90s – Early 21st Century
Warfare at the Speed of Electrons
• Economic, political, historical objectives
  – Taiwan
  – Infrastructure > military techno-revolution
• Regional power projection
• Lessons learned – Kosovo, Iraq
  – C4I fusion
  – Preemption
• "Informationized arms . . . together with information systems, sound, light, electronics, magnetism, heat and so on, turn into a carrier of strategies." – MG Dai Qingmin
Page 4
NETOPS vs. The Science of Campaigns
(diagram labels: cognitive errors; multi-dimensional threat; phased operations)
Page 5
Civilian Assets & IW Reserves
• Dissolving boundaries
  – Civil-military cooperation
  – Civil vs. military targets
• Militia – fist of network warfare & hacker units
• Potential missions
  – Network offense
  – Network defense
  – Network propaganda
  – Electronic countermeasures
  – Technical recon
  – Maintenance
Page 6
Civilian Assets & IW Reserves
Skill Sets
• Computer science graduates
• Professions:
  – Satellite
  – Telecommunications / networking
  – Data communications / SW & HW
  – Microwave
  – Programming
• Develop doctrine / training
Cyber Forces
• People's Armed Forces Department of Echeng, Ezhou, Hebi
• Chongqing Garrison
• Shanxi Reserve "Network" Fendui, Datong MSD
• Shanghai
• Guangzhou, Dongshan District
Page 7
China: Plausible Denial
• Ancient stratagems
• Maoist tactics
• Aggressive program of national development
Page 8
Stratagems of Information Warfare
• All warfare is based on deception. There is no place where espionage is not used. Offer the enemy bait to lure him.
• Let your rapidity be that of the wind, your compactness that of the forest.
• The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim.
• Attack him where he is unprepared, appear where you are not expected.
Source: 47 China's Electronic Strategies, http://www.au.af.mil/au/awc/awcgate/milreview/thomas.htm
Page 9
Sun Tzu – Wang Mind Meld
• IW: Complex, limited goals, short duration, less damage, larger battle space and less troop density, intense struggle for information superiority, C4I integration, new aspects of massing forces and the fact that effective strength may not be the main target.
• Principles of IW: Decapitation, blinding, transparency, quick response and survival. – Wang Baocun, "A Preliminary Analysis of IW," Beijing Zhongguo Junshi Kexue, 20 November 1997
• The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim.
• Attack him where he is unprepared, appear where you are not expected. – Sun Tzu
Page 10
Thirty-Six Stratagems: The Secret Art of War
http://www.chinastrategies.com/List.htm
http://leav-www.army.mil/fmso/documents/china_electric/china_electric.htm
Page 11
Thirty-Six Stratagems: The Secret Art of War
• Fool the emperor to cross the sea
Page 12
Technical / Social Engineering
• E-mail to a Booz Allen Hamilton executive, apparently from the "Pentagon": sender Stephen J. Moree, who reports to the office of Air Force Secretary Michael W. Wynne
• Moree evaluates the security of selling U.S. military aircraft to other countries
• The Indian government had just released a request on Aug. 28 listing the weaponry India wanted to buy
• http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
Page 13
The innocent e-mail
• Poison Ivy
  – http://kr.youtube.com/watch?v=4fHUELZPywk
  – http://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml
  – Designed to extract data from government contractor
  – Remote access Trojan
  – Keystrokes to cybersyndrome.3322.org
  – Small backdoor
  – Encrypted, compressed communications
  – Registry
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2B81DA45-7941-1AAB-0607-050404050708} "StubPath"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
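A defender's check for the two persistence locations named above, written for this page as an illustration (it is not the deck's or Poison Ivy's code): it parses a `reg export` text dump and flags StubPath and Run/RunOnce/RunServices/RunServicesOnce commands that start outside the Windows or Program Files directories. The GUID, paths and value names in the sample are constructed, and the "trusted directory" rule is this example's own heuristic, so legitimate software outside those directories will also be listed for review.

```python
"""Audit a Windows .reg export for autostart entries (added example, not from the deck).
Reports every Active Setup StubPath and CurrentVersion Run-key command found in the
text that `reg export` produces; commands that do not start inside the Windows or
Program Files directories are marked suspicious.  SAMPLE_REG is constructed."""
import re

AUTOSTART_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$",
    re.IGNORECASE)
ACTIVE_SETUP_KEY = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}$", re.IGNORECASE)
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)', re.IGNORECASE)  # quoted path, or up to .exe
TRUSTED_DIRS = ("%systemroot%", "c:\\windows\\", "c:\\program files")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="C:\\Users\\Public\\svchost.exe"
"Version"="1,0,0,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="%SystemRoot%\\system32\\vendortray.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\updater.exe\" /silent"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Program Files\\Vendor\\cleanup.exe"
'''


def parse_reg(text):
    """Yield (key_path, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"'):  # REG_SZ: unquote and undo the \\ and \" escaping
                yield key, name.strip('"'), re.sub(r"\\(.)", r"\1", data[1:-1])


def executable(cmd):
    """Program path from a command line, quoted or not (unquoted paths may contain spaces)."""
    m = EXE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]


def audit(text):
    """Return (severity, kind, key, value_name, exe) for every autostart entry found."""
    findings = []
    for key, name, data in parse_reg(text):
        if ACTIVE_SETUP_KEY.search(key) and name.lower() == "stubpath":
            kind = "ActiveSetup"   # StubPath runs once per user at next logon
        elif AUTOSTART_KEY.search(key):
            kind = "Run"
        else:
            continue
        exe = executable(data)
        severity = "info" if exe.lower().startswith(TRUSTED_DIRS) else "suspicious"
        findings.append((severity, kind, key, name, exe))
    return findings
```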
Page 14
Harvest then Exploit
http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf
Page 15
Expired Accounts, Spear Phishing: Compromise
• Cat & mouse game continues
  – 1,500 expired accounts in Korea
  – Security patch woes
  – Improvements with CAC & limiting OWA
  – Email phishing
Page 16
Thirty-Six Stratagems: The Secret Art of War
• Besiege Wei to rescue Zhao
"Supreme excellence consists in breaking the enemy's resistance without fighting." – Sun Tzu
Page 17
Supply Chain Fakes Threaten Military Readiness
• Fake CISCO routers, http://washingtondc.fbi.gov/dojpressrel/pressrel08/cisco022808.htm – "Counterfeit products have been linked to the crash of mission-critical networks, and may also contain hidden 'back doors' enabling network security to be bypassed and sensitive data accessed [by hackers, thieves, and spies]." – Melissa E. Hathaway, DNI
• Counterfeit Xicor chips in F-15s
• BAE, Boeing Satellite Systems, Raytheon Missile Systems, Northrop Grumman Navigation Systems, and Lockheed Martin Missiles & Fire Control.
Page 18
• Kill with a borrowed sword
Thirty-Six Stratagems: The Secret Art of War
Page 19
• Kill with a borrowed sword
Thirty-Six Stratagems: The Secret Art of War
Slammer's most novel feature: propagation speed.
Within 3 minutes its scanning rate exceeded 55 million scans per second, after which the growth rate slowed because significant portions of the network had insufficient bandwidth to accommodate more growth.
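A worked model of the propagation claim above, added here as an illustration rather than taken from the deck or from the Slammer analysis it summarises: a random-scanning worm grows exponentially until the aggregate scan rate hits what the infected networks can carry, and from then on the bandwidth ceiling, not the worm, sets the pace. The vulnerable population, per-host scan rate and the 55 M scans/s ceiling are assumed values, so the times printed are the model's, not measurements.

```python
"""Bandwidth-capped random-scanning worm model (added example, not from the deck).

Each scan picks a random 32-bit address, so it lands on a still-vulnerable host with
probability S / 2**32.  Early on infections double at a fixed interval; once the
aggregate scan rate reaches the ceiling the network can carry, growth is limited by
that ceiling instead.  All parameters are assumed, illustrative values.
"""
ADDRESS_SPACE = 2 ** 32


def simulate(vulnerable=75_000, scans_per_host=4_000, cap=55_000_000,
             seed_hosts=1, step=0.1, horizon=600.0):
    """Return (time_s, infected_hosts, aggregate_scans_per_s) sampled every `step` s."""
    infected, t, samples = float(seed_hosts), 0.0, []
    while t < horizon and infected < vulnerable:
        susceptible = vulnerable - infected
        # Demand is infected * per-host rate; the network carries at most `cap`.
        rate = min(infected * scans_per_host, cap)
        # Expected new victims this step: scans sent * P(scan hits a vulnerable host).
        infected = min(vulnerable, infected + rate * step * susceptible / ADDRESS_SPACE)
        t += step
        samples.append((round(t, 3), infected, rate))
    return samples


def time_to_fraction(samples, vulnerable, fraction):
    """First sampled time at which infected >= fraction * vulnerable, or None."""
    for t, infected, _ in samples:
        if infected >= fraction * vulnerable:
            return t
    return None


def doubling_time(samples):
    """Seconds for the infected count to double from the first sample (early phase)."""
    t0, n0, _ = samples[0]
    for t, n, _ in samples:
        if n >= 2 * n0:
            return t - t0
    return None


if __name__ == "__main__":
    capped, uncapped = simulate(), simulate(cap=float("inf"))
    print("early doubling time: %.1f s" % doubling_time(capped))
    print("time to 90%% infected: %.0f s with the bandwidth ceiling, %.0f s without"
          % (time_to_fraction(capped, 75_000, 0.9),
             time_to_fraction(uncapped, 75_000, 0.9)))
```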
Page 20
AutoRun Worms: Leverage Strengths, Dynamics
• The Internet
  – Browser & plug-in vulnerabilities. ActiveX – 85%
  – Cross-site scripting
• Workstation: operating system "entry points"
  – Startup folder
  – Registry
    • Active Setup
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      – Run, RunOnce, RunServices, and RunServicesOnce
• CDs / USB Flash Drives
  – AutoRun / AutoPlay
  – Leverage user
http://kr.youtube.com/watch?v=xgVecDefOMg
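A triage routine for an autorun.inf pulled from a USB stick, added here as an example (it is not the deck's code): it shows how the CD/USB entry point above is abused by "leveraging the user", with a launcher directive dressed up as the ordinary "Open folder to view files" choice. The sample file, the scoring rules and the thresholds are this example's own constructions.

```python
r"""Triage an autorun.inf from removable media (added example, not from the deck).
AutoRun worms plant an [autorun] section whose open=, shellexecute= or
shell\<verb>\command= directive launches a dropper when the drive is opened, hidden
behind a folder icon and an "Open folder to view files" action.  Parsing is tolerant
on purpose: such files carry junk lines and mixed case.  SAMPLE_INF is constructed."""
import re

LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")

SAMPLE_INF = r"""[AutoRun]
;jUnKpAdDiNg 93&^%
OPEN=RECYCLER\S-1-5-21-0000\ctfmon.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\S-1-5-21-0000\ctfmon.exe
shell\explore\command=RECYCLER\S-1-5-21-0000\ctfmon.exe -e
label=My Pictures
"""


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}, skipping junk/comments."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def triage(text):
    """Return (score, findings); 0-2 looks like an installer, 3+ treat as worm-planted."""
    values = parse_autorun(text)
    score, findings = 0, []
    launchers = {k: v for k, v in values.items() if LAUNCH_KEY.match(k)}
    for key, cmd in launchers.items():
        target = cmd.split()[0].lower() if cmd.split() else ""
        score += 1                      # any launcher at all is worth a look
        findings.append(f"{key} launches {cmd}")
        if target.endswith(RISKY_EXT):
            score += 1
        if any(d in target for d in HIDDEN_DIRS):
            score += 2
            findings.append(f"{key} target is hidden in a recycler/system directory")
    action = values.get("action", "").lower()
    if launchers and ("open folder" in action or "view files" in action):
        score += 2
        findings.append("action text mimics Explorer's own 'Open folder' choice")
    if launchers and "shell32.dll" in values.get("icon", "").lower():
        score += 1
        findings.append("folder icon borrowed from shell32.dll disguises the launcher")
    return score, findings
```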
![Page 21: Computer Attack Stratagems](https://reader031.vdocuments.us/reader031/viewer/2022012922/54bef6c44a795913398b469d/html5/thumbnails/21.jpg)
AutoRun:
Fishin the sea
The statistics:
• Autorun #1 for first 6 months of 2008
• 8% malicious code market
• Japan: 143 in August, 347 in September, 471 in Oct.
The varieties:
Page 22
Thirty-Six Stratagems: The Secret Art of War
• Await the exhausted enemy at your ease
  – Code Red and the White House
Page 23
Thirty-Six Stratagems: The Secret Art of War
• Loot a burning house
  – The insider
  – Hacker exploitation of OS vulnerability
Page 24
Growing Web-based Threat
• Infected web pages: 1 every 14 seconds in '07 / 1 every 5 seconds in '08
• 60% of vulnerabilities in 2007 – web applications
  – 85% of these ActiveX
• Cross-site scripting
  – 7,000 first half 2007
  – 11,300 second half 2007
Page 25
(flow diagram: drive-by download against an unpatched IE)
• User clicks on HTML link in e-mail
• User expects & receives download of article on tax benefits for Americans living overseas…
• Malicious page exploits browser vulnerability, downloads code without user approval, installs back door beacon
Page 26
Legitimate Sites Can Point to "Drive-by Download"
Source: Korea Information Security Agency
Page 27
Computer Network Exploitation
• Titan Rain: espionage
  – SANS: attacks were most likely the result of Chinese military hackers attempting to gather information on U.S. systems.
  – Targets: Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA
• Cyber rules of engagement differ
  – US: Sandia National Laboratories IA professional tracks bad guys, loses job
  – China: Industry IA professionals double dip as hackers
Page 28
North Korean CNA Capabilities: Low
• Differing views of capabilities
  – Korean officials – NK aggressively cultivating
  – US – Modest skill sets centered within elite
  – Emphasis more on Computer Network Exploitation (gathering information) during peacetime
• Computer Network Attack capabilities are restricted
• Assessment methodology:
  – Objective
  – Doctrine
  – Supporting infrastructure: electricity, education, industry
Page 29
nK CNA Threat is Low
• Cyber attacks fit into DPRK's scheme of asymmetric means to counter ROK/US advantages
"I believe that the North Koreans, whatever their limitations, have a capacity to think deeply and innovatively about military affairs… And what I have observed over the years convinces me that they are devoting considerable attention to cyber war." – John Arquilla, RAND, 2 June 2003
"In the next war we will crush the American boors/Philistines first"
Page 30
Great Leader's IW Vision
• Kim Jong-il's "three pillars for building a powerful state"
  – Ideology
  – Arms
  – Information technology
• "The future warfare will depend not on who is showered with a lot of bullets, but who grasps diverse information faster."
Page 31
Plato's Cave: NK IW / CNA Constraints
Page 32
Minimal Internet: No Sea for Fish to Swim
• Internet
  – Two class C blocks with virtually no activity
  – Official sites in Japan, China, Australia
  – 2002 – Pyongyang cyber café; one hour – average worker's weekly wage
• Cannot hide state activities / Intranet
  – Kwang Myoung network
• Minimal gateways with outside world
  – Korea Computer Center / satellite links
  – Preparation for gateway?
    • China Telecom / fiber
    • 2001 Pyongyang Information Center tests FW
    • Increasing encryption
Page 33
Infrastructure Does Not Support Formidable Threat
• Electricity supply problems: antiquated, unreliable; poor frequency control, outages
• Nascent, struggling tech industries
• Basic software, biometric technology, voice recognition, automated translation programs, game programs
• Seek information on basic applications, programming
Page 34
Possess Skills for Cyber Hacks
• Armed Forces – moderate capabilities
  – Mirim College, 100 graduates per year
  – Up to 1,000 elite hackers
  – Unit 121
• Growing software / programming expertise
  – Applying process-oriented quality control models
    • ISO 9001, Capability Maturity Model Integration and Six Sigma
    • http://www.gpic.nl/IT_in_NKorea.pdf
  – Expertise with development platforms, coding
    • Assembler, Cobol, C, Visual Studio .Net, Visual C/C++, Visual Basic, Java, JBuilder, Powerbuilder, Delphi, Flash, XML, Ajax, PHP, Perl, Oracle, SQL Server and MySQL, etc.
Page 35
CNA / CNE within nK Government
(organization chart; labels as shown: Kim Jong-il – Chairman of the National Defence Commission, General Secretary of the Korean Workers' Party; National Defense Commission; MPAF; General Staff Department; Reconnaissance Bureau; Unit 121; Korean Workers' Party; Office 35; 38; 39; "?")
Source: GlobalSecurity.org + Federation of American Scientists
Page 36
CNA & CNE Services
• Components of modern warfare:
  – IW – Recon, electronic, cyber & psychological warfare
  – Three-dimensional warfare
  – Asymmetric warfare
  – Non-contact
  – Precision strikes
  – Short-term
• Unit 121, Reconnaissance Bureau
  – Gifted students recruited, trained, Kim Il Sung Military Academy
  – Computing specialties, e.g. networking, OS
• Room / Office 35
  – Nefarious cohorts in crime within the Workers' Party
  – Likely works outside nK – CNE & CNA
Page 37
References
• 47 China's Electronic Strategies, http://www.au.af.mil/au/awc/awcgate/milreview/thomas.htm
• TIME, Titan Rain, http://www.time.com/time/magazine/article/0,9171,1098961,00.html
• New E-spionage Threat, http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
• U.S. Is Losing Global Cyberwar, http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm
• Dangerous Fakes, http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm