Chinese cyber-attacks

Hello, Unit 61398

AN AMERICAN information-security firm has identified a secretive Chinese military unit as the likely source of hacking attacks against more than a hundred companies around the world. In a report made public on Tuesday, the firm, Mandiant, based in Alexandria, Virginia, said it could now back up suspicions it first reported in more qualified form in 2010.

The firm had said then the Chinese government may have authorised the hacking activity it had traced to China, but that there was “no way to determine the extent” of official involvement. In its new report, Mandiant upgrades its assessment. “The details we have analysed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them,” the report said.

China’s government has denied the allegations. Hong Lei, a spokesman for China’s foreign ministry, said on February 19th that China has itself been a victim of cyber-attacks, and that it enforces laws that ban such activity. “Groundless criticism is irresponsible and unprofessional, and it will not help to solve the problem,” he said of the Mandiant report.

According to the report, a Shanghai-based unit of the People’s Liberation Army General Staff Department, known as Unit 61398, is staffed by hundreds and possibly thousands of people specially trained in network security, digital signal processing, covert communications and English linguistics. The unit’s 12-storey building has been equipped with special fibre-optic communications infrastructure “in the name of national defence”.

Mandiant said that since 2006, it has observed attacks from this unit against at least 141 companies spanning 20 major industries, including four of the seven strategic emerging industries that China has identified in its current five-year plan.

The New York Times, which hired Mandiant to investigate China-based cyber-attacks against its news operations, was the first to report on the firm’s findings. Mandiant concluded that the attacks against the newspaper had come from a different Chinese source.

In the case of the attacks described in the new report, Mandiant said it could not prove that the attacks came from within the military building it identified. But it concluded that this was the most plausible explanation for its findings. “Either they are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighbourhood,” Kevin Mandia, the founder and chief executive of the company told the paper.

 

Chinese cyber-attacks

How to steal a trillion

ON FEBRUARY 19th Mandiant, a security firm, released a report alleging that hackers from a Chinese military outfit known as Unit 61398 were probably behind attacks against more than a hundred companies and government agencies around the world. Without delving into the geopolitics of the incident, involvement in which the Chinese authorities vehemently deny (and which the article above covers), Babbage decided to examine what is known about the hackers' methods.

In fact, Mandiant's detailed account of a group it dubs APT1 (after the term Advanced Persistent Threat) will not strike internet-security wonks as particularly Earth-shattering. It reveals the use of well-known techniques coupled with publicly available software—though some proprietary software, apparently perfected over many years, was also used. What has turned heads is the duration of the attacks and the range of the group's "ecosystem" of remote-control software. This combination allowed the hackers to siphon terabytes, or trillions of bytes, of data from their victims.

In many ways the attacks resembled those that criminal groups and spammers deploy against individuals and businesses. A "spearphishing" e-mail is sent that tries to get members of an organisation to open an attachment which appears to come from a colleague or business partner and to contain routine business data. The attachment, though, is not the document it purports to be but a piece of malware. When opened, it exploits flaws in the system to install a backdoor on the computer. This lets remote command-and-control servers anywhere on the internet install further software, capture keystrokes and screen images, and ferret around the local network.
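The chain just described, a document reader opening an attachment that then launches something else, is the part a defender can see in endpoint telemetry. The following is an added example, not code from the article or from Mandiant: it scans constructed process-creation log lines in a made-up `key=value` format and flags a document reader spawning a command interpreter, or an executable launched from a user's temp directory. The log format and the lists of parent and child process names are assumptions for the demo.

```python
"""Flag attachment-borne execution in process-creation logs (added example)."""
import re

# Applications that open e-mail attachments. A child process started by one of these is
# the classic footprint of an exploited document (assumption: the log names parents this way).
ATTACHMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}

# Interpreters and loaders that a document reader has little legitimate reason to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Constructed sample log in a made-up key=value format; not the output of any real sensor.
SAMPLE_LOG = """\
ts=2013-02-19T09:14:02Z host=ws-17 event=proc_create parent=outlook.exe child=winword.exe cmdline="winword.exe /n Q4_budget.doc"
ts=2013-02-19T09:14:09Z host=ws-17 event=proc_create parent=winword.exe child=cmd.exe cmdline="cmd.exe /c %TEMP%\\svchost.exe"
ts=2013-02-19T09:14:10Z host=ws-17 event=proc_create parent=cmd.exe child=svchost.exe cmdline="C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe"
ts=2013-02-19T09:20:41Z host=ws-22 event=proc_create parent=explorer.exe child=excel.exe cmdline="excel.exe sales.xlsx"
ts=2013-02-19T09:21:03Z host=ws-22 event=proc_create parent=excel.exe child=splwow64.exe cmdline="splwow64.exe 8192"
"""

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in LINE_RE.findall(line)}


def classify(event):
    """Return a reason string if the event looks like attachment-borne execution, else None."""
    if event.get("event") != "proc_create":
        return None
    parent = event.get("parent", "").lower()
    child = event.get("child", "").lower()
    cmdline = event.get("cmdline", "").lower()
    # Rule 1: a document reader starting an interpreter or loader.
    if parent in ATTACHMENT_READERS and child in SUSPICIOUS_CHILDREN:
        return f"{parent} spawned {child}"
    # Rule 2: a dropped payload run from the user's temp directory.
    if "\\appdata\\local\\temp\\" in cmdline and cmdline.endswith(".exe"):
        return f"executable launched from user temp directory: {child}"
    return None


def find_alerts(log_text):
    """Return (timestamp, host, reason) for every suspicious event in the log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reason = classify(event)
        if reason:
            alerts.append((event["ts"], event["host"], reason))
    return alerts


if __name__ == "__main__":
    for ts, host, reason in find_alerts(SAMPLE_LOG):
        print(ts, host, reason)
```

The last sample line, Excel starting the print helper `splwow64.exe`, is left alone on purpose: the rule keys on what is spawned, not merely on the fact that a document reader spawned something, which is what keeps the false-positive rate tolerable on a real fleet.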



Mandiant says the hackers sometimes used malicious remote-access toolkits readily available on the "dark side" of the internet (if not through your average Google search). Mostly, though, they relied on at least 42 "families" of proprietary remote-access tools that they had either developed or acquired. Some carry dates indicating they were first programmed as early as 2004, with updates added over the following six years. The attacks, in other words, were carefully planned and premeditated.

To fool firewalls and other defensive software, some of the remote-control malware mimicked the traffic patterns of legitimate internet services, such as the Jabber/XMPP chat protocol used by Google and Facebook, among others. This let the attackers move information to and from infected machines without raising suspicion. Much of the malicious traffic was encrypted, but that too is commonplace for ordinary websites and services, Twitter and standard e-mail included. Encryption hides what is being said, not that a machine is saying it: the regular check-ins a backdoor makes to its controller still show up in connection logs.

APT1 tried hard to retrieve password-related information, often using common cracking tools. Before being stored a password is usually fed into an algorithm called a hash function. This converts it into an obscure string of symbols, or a "hash", that offers no clue as to the original input. The function is designed to be one-way, so you cannot work back from a hash to the password. You can, however, run guesses through the hash function and compare each result with the stored hash. A pure "brute-force" attack tries every possible string; in practice attackers run large dictionaries of common (and less common) passwords, because that is where most real passwords live. As a number of companies discovered last year, poor passwords make for easy pickings, and hashes stored without a per-user salt, or with a fast function, make the job cheaper still. Some tools go further and let an attacker log in to a system using the hashed form of the password itself (a "pass-the-hash" attack), dispensing with the need to crack it at all.
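As an added example (not from the article or from Mandiant's report), the following code walks through the three ideas above: an offline dictionary attack on an unsalted hash store, the "use the hash without cracking it" trick against a challenge-response login, and the per-user salt plus slow key derivation that makes the dictionary attack expensive. The credential dump and wordlist are constructed, and the challenge-response scheme is a stand-in built on HMAC-SHA256 rather than any real protocol's exact arithmetic.

```python
"""Dictionary attack on unsalted hashes, pass-the-hash, and the salted fix (added example)."""
import hashlib
import hmac
import os
import secrets


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed credential dump: unsalted SHA-256, the storage style that makes cracking cheap.
DUMPED_HASHES = {
    "jsmith": sha256_hex("Password1"),
    "admin":  sha256_hex("Summer2012"),
    "r.li":   sha256_hex("x9!Qv#7Lp@2zR"),   # strong password, absent from the wordlist
}

# Constructed wordlist; real ones run to millions of entries.
WORDLIST = ["123456", "password", "Password1", "letmein", "Summer2012", "qwerty"]


def dictionary_attack_unsalted(hashes, wordlist):
    """Hash each candidate once and look it up against every stored hash.
    Without salts, one hash computation tests the candidate against all users."""
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for user in by_hash.get(sha256_hex(word), []):
            cracked[user] = word
    return cracked, len(wordlist)          # work done: one hash per candidate


# --- pass-the-hash -------------------------------------------------------------
# Toy challenge-response login whose shared secret is the stored hash, the property that
# makes a stolen hash as good as the password (assumption: HMAC-SHA256 stands in for the
# real protocol's computation).
def client_response(password_hash_hex, challenge):
    return hmac.new(bytes.fromhex(password_hash_hex), challenge, hashlib.sha256).hexdigest()


def server_verify(stored_hash_hex, challenge, response):
    expected = hmac.new(bytes.fromhex(stored_hash_hex), challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def pass_the_hash(stored_hashes, user):
    """Authenticate as `user` with the stolen hash alone; the password is never needed."""
    challenge = secrets.token_bytes(16)            # what the server would send
    response = client_response(stored_hashes[user], challenge)
    return server_verify(stored_hashes[user], challenge, response)


# --- the fix for cracking: per-user salt and a deliberately slow KDF -------------
def make_salted_store(passwords, iterations=10_000):
    """Iteration count is kept low for the demo; production values are far higher."""
    store = {}
    for user, password in passwords.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store


def dictionary_attack_salted(store, wordlist):
    """Salts force a fresh KDF run per (user, candidate) pair, so the work multiplies."""
    cracked, work = {}, 0
    for user, (salt, iterations, digest) in store.items():
        for word in wordlist:
            work += 1
            guess = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations)
            if hmac.compare_digest(guess, digest):
                cracked[user] = word
                break
    return cracked, work


PLAINTEXTS = {"jsmith": "Password1", "admin": "Summer2012", "r.li": "x9!Qv#7Lp@2zR"}

if __name__ == "__main__":
    print("unsalted:", dictionary_attack_unsalted(DUMPED_HASHES, WORDLIST))
    print("pass-the-hash as r.li (uncracked):", pass_the_hash(DUMPED_HASHES, "r.li"))
    print("salted:", dictionary_attack_salted(make_salted_store(PLAINTEXTS), WORDLIST))
```

Two things to notice when it runs: `r.li`'s password survives both dictionary attacks, yet `pass_the_hash` still logs in as `r.li`, because the login scheme never asks for the password; and the salted store costs 14 KDF runs where the unsalted one cost six hashes, a gap that grows with the number of users and the iteration count. Salting fixes cracking, not pass-the-hash; the latter needs the authentication protocol changed or the hash kept out of reach.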

There is also evidence of the hackers gathering network information in order to move between machines and infect more of them. Some of the backdoors captured credentials for virtual private networks (VPNs), which give direct remote access to a network without relying on a single compromised computer. Once in, the intruders used e-mail-extraction tools, which Mandiant says are unique to the group, to pull messages or attachments of interest from a user's inbox, current and archived alike. Many of these backdoors remain in place, sometimes in several forms in case one is found and removed. Files deemed of interest were stuffed into compressed, password-protected archives before being whisked away.

For all their sophistication, however, the hackers could display incredible insouciance. APT1 registered domain names for some of its systems using either a Shanghai mailing address or an e-mail address that a simple Google search ties to a Shanghai-based organisation. Remote-access sessions made with a Microsoft tool nearly always came from attacker machines set to the simplified Chinese keyboard layout. Backdoor software carried "path" information revealing how folders were organised on the programmers' computers, as well as the date the software was written.
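Two of the slips just mentioned, the build date and the "path" information, live in the headers and debug strings of a Windows executable. The following added example (not Mandiant's tooling) reads the compile timestamp from the PE file's COFF header and scans the file for a `.pdb` debug path. So that it runs offline it builds a constructed, minimal PE-shaped blob; the path and timestamp in that blob are invented, and the blob is not a runnable program.

```python
"""Pull build-time clues (compile timestamp, PDB path) out of a PE file (added example)."""
import re
import struct
from datetime import datetime, timezone

# A drive-letter path ending in .pdb, as the linker embeds it in the CodeView debug record.
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,260}?\.pdb", re.IGNORECASE)


def pe_timestamp(blob):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if this is not a PE image."""
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)      # offset of the PE signature
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(blob) < e_lfanew + 12:
        return None
    # COFF header follows the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", blob, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def find_pdb_paths(blob):
    """Debug paths left behind by the linker; they expose the developer's directory layout."""
    return [m.group(0).decode("latin-1") for m in PDB_RE.finditer(blob)]


def path_components(pdb_path):
    """Split a Windows path so the project and build-directory names can be compared across samples."""
    return pdb_path.split("\\")


def build_sample_pe(stamp, pdb_path):
    """Constructed minimal PE-shaped blob for the demo; it is not an executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew -> PE signature at 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, stamp, 0, 0, 0xE0, 0x102)
    strings = b"\0" * 32 + pdb_path.encode() + b"\0" + b"\0" * 16
    return bytes(dos) + bytes(0x80 - 0x40) + coff + strings


if __name__ == "__main__":
    # Invented values: 1,100,000,000 is 2004-11-09T11:33:20Z; the path is made up.
    sample = build_sample_pe(1_100_000_000, "D:\\build\\rat\\Release\\svc.pdb")
    print("compiled:", pe_timestamp(sample))
    for path in find_pdb_paths(sample):
        print("pdb path:", path, "->", path_components(path))
```

Both clues are hints, not proof: the timestamp is whatever the linker wrote (or whatever was patched in afterwards), and a PDB path can be edited or left out entirely. Their value, as the article's account shows, comes from consistency across many samples and years rather than from any single file.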

Most absurdly, perhaps, some hackers used the remote sessions on compromised machines to access their personal Facebook, Twitter or Gmail accounts. Among others, Mandiant has fingered a certain Wang Dong, who uses the handle Ugly Gorilla and who registered one of the command-and-control domains. It also included a screen shot of a Gmail inbox of another hacker. Mandiant is bracing for reprisals.

Date added: 2015-11-04