Module 3 - PRC Flashcards
PLA Roles:
- Defend countries against foreign invasions
- Maintain internal security and stability
- Engage in economic development of the country
Name of formal information warfare strategy?
Integrated Network Electronic Warfare
What is the Five Year Plan?
2011-2015
What is the Blue Army?
May 2011, small group with highly developed skills.
China Goals
Political: economic and technological superiority
Political: Ensure there is one political voice
Military: Disable enemy communication; eliminate enemies’ ability to obtain, control, and use information.
China Doctrine
President Hu Jintao's official proclamation that the PLA is to conduct cyber warfare in the name of Chinese self-preservation.
Role of State
Largely considered to be state-sponsored hacking
Role of Universities
State-controlled universities “recruit” individuals and provide training. Universities such as the Science and Engineering University are tied to the military.
People’s Liberation Army (PLA)
Military Centers associated with cyber attacks:
- General Staff Department
- 4th Department
- General Staff Department 3rd Department
- Technical Reconnaissance Bureaus
- Information Warfare Militia Units (2002)
State Sponsored (actors in):
- Universities
- PLA
- State-owned Enterprises
- Hacktivists
Role of State-owned Enterprises
- Direct & indirect ties to PLA
- Cyber espionage used to gain economic advantage
Role of Hacktivists & 4 types of operations
- not directly controlled by the government
- motives originally aligned with the government's
- original targets: Taiwan & Japan
- 4 types of operations:
  - virtual sit-ins and blockades
  - automated e-mail bombs
  - web hacks and computer break-ins
  - viruses and worms
China History: Earliest
Attacks date back as far as 2001; doctrine goes back into the 1990s.
China History: 2002
global energy industry attacked
China History: 2006
Air Force was tracking several individuals / groups.
China History: 2010
Establishment of Chinese Cyber Command
Titan Rain
Nov 1 2004 - Dec 14 2005
Source: Guangdong province of China
Targets: US government systems
- US DISA, Naval Ocean Systems Center, US Army Space and Strategic Defense, US Army Information Systems Engineering Command.
State-owned Enterprises: the numbers
- 150 corporations that report directly to central government
- ~154,000 businesses where the government has a controlling interest through subsidiary relationships.
- SOEs with links: Huawei Technologies Co Ltd & Zhongxing Telecom Ltd (ZTE)
Lenovo purchased by IBM in May 2005.
PLA & Hacktivists
PLA using hacker community for clandestine attacks
Hacktivist Toolsets
- spam, phishing, spoofing
- pharming
- DoS, DDoS
- Viruses, Trojans, Worms, Malware (other), Spyware
- BotNets
Advanced Persistent Threat
- term originally used by the US Air Force in 2006 to discuss specific actors in the Asia-Pacific region
- discussed more publicly at conferences in 2008-2009
- went mainstream in 2010 with Operation Aurora
- attacks from foreign actors before 2006
- shift in meaning from a specific attacker/actor to an attack with specific characteristics and no attribution
Cloppert’s Kill Chain
2009. Desire to break the chain as far to the left as possible: defensive/protective measures vs. clean-up costs.
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- C2
- Exfiltration
-> not effective for all characteristics of the life cycle (between C2 and exfiltration there is a lot of activity).
Modified Kill Chain
- expands Cloppert's Kill Chain to draw attention to lateral movement across the network (iterative process).
Same External (minus exfil + initial installation)
Repeat internal
Persistence
Mission Fulfillment
APT Group One
Tin Snake
- since 2004
- 2007 started malware (trojans, viruses)
- 2008 selling electronics but not shipping
- 2010 campaigns to penetrate US industries and defense contractors
- Windows and Unix
- keyloggers, domain parking, port relay tools
- scam / hacking cycles
APT Group 15
Gold Crow
- since 2005
- attacks since 2007
- sell knock-offs / low quality goods
- hits energy sector and DoD companies, non-US based defense entities
- domains registered to Canadian addresses
APT Group 12
NightDragon
- since 2010
- unencrypted HTTP for C2
- break in 2011, resumed 2012
- highly targeted, no scams or other crimes
- uses Sykipot malware (PDF exploits during phishing attacks with relevant titles)
- attacks against petroleum industry in 2010 and US DoD.
APT Group 20
Red Fly
- since 2005
- high yield investment schemes and e-gold scams
- targeted DoD contractors
- hardcodes C2 servers and HTTP requests in malware, with no obfuscation attempt.
- Windows\Fonts, PsExec, phishing, PDF exploits, Poison Ivy
- uses HTTP for C2
Operation Shady RAT
infiltration of 72 networks
Goal: exfiltration of data
Objective: competitive advantage
Targets: US government, U.N.
Chinese Exercises
2010, October 2011
- joint effort testing of offensive and defensive capabilities
Name 4 APT Groups
1 (Tin Snake)
15 (Gold Crow)
12 (NightDragon)
20 (Red Fly)
Operation Aurora
Operation Aurora was a cyber attack which began in mid-2009 and continued through December 2009.[1] The attack was first publicly disclosed by Google on January 12, 2010, in a blog post.[2] In the blog post, Google said the attack originated in China. The attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack.
Relative strength of connections:
Strong to weak
PRC and PLA
PRC and SOE
PRC and Hacktivists (weak)
Medium
Hacktivists and SOE
Weak
PLA and Hacktivists (hard to control)
PLA and SOE
APT groups - name
1-Tin Snake
15 - Gold Crow
12 - NightDragon
20 - Red Fly