Module 3 - PRC

Question 1

PLA Roles:

Answer 1

• Defend countries against foreign invasions
• Maintain internal security and stability
• Engage in economic development of the country

Question 2

Name of formal information warfare strategy?

Answer 2

Integrated Network Electronic Warfare

Question 3

What is the Five Year Plan?

Answer 3

2011-2015

Question 4

What is the Blue Army?

Answer 4

May 2011, small group with highly developed skills.

Question 5

China Goals

Answer 5

Political: economic and technological superiority
Political: Ensure there is one political voice
Military: Disable enemy communication; eliminate enemies’ ability to obtain, control, and use information.

Question 6

China Doctrine

Answer 6

President Hu Jintao official proclamation that PLA is to conduct cyber warfare in name of Chinese self-preservation.

Question 7

Role of State

Answer 7

Largely considered to be state-sponsored hacking

Question 8

Role of Universities

Answer 8

state-controlled universities “recruit” individuals and give training. Universities such as Science and Engineering University is tied to military.

Question 9

People’s Liberation Army (PLA)

Answer 9

Military Centers associated with cyber attacks:

• General Staff Department
• 4th Department
• General Staff Department 3rd Department
• Technical Reconnaissance Bureaus
• Information Warfare Militia Units (2002)

Question 10

State Sponsored (actors in):

Answer 10

• Universities
• PLA
• State-owned Enterprises
• Hacktivists

Question 11

Role of State-owned Enterprises

Answer 11

• Direct & indirect ties to PLA

- Cyber espionage used to gain economic advantage

Question 12

Role of Hacktivists & 4 types of operations

Answer 12

• not directly controlled by govn’t
• motives orig. aligned with government’s
• Orig targets: Taiwan & Japan
• 4 types of operations
  
  • virtual sit-ins and blockades
  • automated e-mail bombs
  • web hacks and computer break-ins
  • viruses and worms

Question 13

China History: Earliest

Answer 13

date back as far as 2001; doctrine goes back into 1990s.

Question 14

China History: 2002

Answer 14

global energy industry attacked

Question 15

China History: 2006

Answer 15

Air Force was tracking several individuals / groups.

Question 16

China History: 2010

Answer 16

Establishment of Chinese Cyber Command

Question 17

Titan Rain

Answer 17

Nov 1 2004 - Dec 14 2005
Source: Guangdong province of China
Targets: US government systems
- US DISA, Naval Ocean Systems Center, US Army Space and Strategic Defense, US Army Information Systems Engineering Command.

Question 18

State-owned Enterprises: the numbers

Answer 18

• 150 corporations that report directly to central government
• ~154,000 business where government has controlling interest through subsidiary relationships.
• SOEs with links: Huawei Technologies Co Ltd & Zhongxing Telecom Ltd (ZTE)

Lenovo purchased by IBM in May 2005.

Question 19

PLA & Hactivists

Answer 19

PLA using hacker community for clandestine attacks

Question 20

Hactivist Toolsets

Answer 20

• spam, phishing, spoofing
• pharming
• DoS, DDoS
• Viruses, Trojans, Worms, Malware (other), Spyware
• BotNets

Question 21

Advanced Persistent Threat

Answer 21

• originally term used by US Air Force in 2006 to discuss specific actors in Asia-Pacific region
• More publicly in 2008-2009 conferences
• mainstream in 2010 with Operation Aurora.
• Attacks from foreign < 2006.
• Shift in meaning from specific atacker/actor to attack with specific characteristics with no attribution

Question 22

Cloppert’s Kill Chain

Answer 22

2009
Desire to break chain as far to the left as possible.
Defensive / protective measures vs clean-up costs
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- C2
- Exfiltration

-> not effective for all characteristics of life cycle. (btw C2 & exfil lots of activity)

Question 23

Modified Kill Chain

Answer 23

• expands Cloppert’s Kill Chain to draw attention to lateral movement across network (iterative process).
  Same External (minus exfil + initial installation)
  Repeat internal
  Persistence
  Mission Fulfillment

Question 24

APT Group One

Answer 24

Tin Snake

• since 2004
• 2007 started malware (trojans, viruses)
• 2008 selling electronics but not shipping
• 2010 campaigns to penetrate US industries and defense contractors
• Windows and Unix
• keyloggers, domain parking, port relay tools
• scam / hacking cycles

Question 25

APT Group 15

Answer 25

Gold Crow

• since 2005
• attacks since 2007
• sell knock-offs / low quality goods
• hits energy sector and DoD companies, non-US based defense entities
• domains registered to Canadian addresses

Question 26

APT Group 12

Answer 26

NightDragon

• since 2010
• unencrypted HTTP for C2
• break in 2011, resumed 2012
• highly targeted, no scams or other crimes
• uses Sykipot malware (PDF exploits during phising attacks with relevant titles)
• attacks against petroleum industry in 2010 and US DoD.

Question 27

APT Group 20

Answer 27

Red Fly

• since 2005
• high yield investment schemes and e-gold scams
• targeted DoD contractors
• hardcodes C2 servers and HTTP requests in malware, with no obfuscation attempt.
• Windows\Fonts, PsExec, phishing, PDF exploits, Poison Ivy
• uses HTTP for C2

Question 28

Operation Shady RAT

Answer 28

infiltration of 72 networks
Goal: exfiltration of data
Objective: competetive advantage
Targets: US government, U.N.

Question 29

Chinese Exercises

Answer 29

2010, October 2011

- joint effort testing of offensive and defensive capabilities

Question 30

Name 4 APT Groups

Answer 30

1 (Tin Snake)
15 (Gold Crow)
12 (NightDragon)
20 (Red Fly)

Question 31

Operation Aurora

Answer 31

Operation Aurora was a cyber attack which began in mid-2009 and continued through December 2009.[1] The attack was first publicly disclosed by Google on January 12, 2010, in a blog post.[2] In the blog post, Google said the attack originated in China. The attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack.

Question 32

Relative strength of connections:

Answer 32

Strong to weak

PRC and PLA
PRC and SOE
PRC and Hacktivists (weak)

Medium
Hacktivists and SOE

Weak
PLA and Hacktivists ( hard to control)
PLA and SOE

Question 33

Apt groups - name

Answer 33

1-Tin Snake
15 - Gold Crow
12 - NightDragon
20 - Red Fly