Reverse Deception: Organized Cyber Threat Counter-Exploitation

Author: Sean Bodmer

offline for a period of time, which is also known as a distributed denial-of-service (DDOS) attack.
    The following are some of the observables of this event.
    Stormworm observables
      Objectives: Espionage
      Timeliness: Automated and manual operations
      Resources: Several years' worth of code and infrastructure development and operations
      Risk tolerance: Very low; numerous updates made to ensure persistence
      Skills and methods: First massive true peer-to-peer botnet
      Actions: Operators regularly monitored and responded to threats
      Attack origination points: Global IP addresses
      Numbers involved in attack: Millions
      Knowledge source: Numerous online resources regarding the threat

    GhostNet
    The GhostNet event was identified after an almost year-long investigation by the Information Warfare Monitor (IWM), a group of security industry researchers, experts, and analysts from around the world. This APT was discovered to be focusing its activity on international governments and their diplomatic systems.
    GhostNet had purportedly compromised the embassy systems of well over 20 countries across the world. Delivery again relied on the age-old technique of social engineering: e-mail messages crafted for specific recipients (also known as spear phishing).
    Most security experts have pointed fingers at Chinese-based hackers, as almost all of the command-and-control servers that GhostNet used had IP addresses based in China, some even owned by the Chinese military. The Trojan itself was a simple customized remote administration tool (RAT) that provided the operators with the ability to remotely control the victims’ systems in real time without the victims’ knowledge. This type of access provided the attackers with the ability to enable several forms of logging, including video and audio recordings of the victims and those around them, if the appropriate hardware was available on the victim’s system.
    When considering the following observables of this threat, you will see how advanced and persistent it truly was from an operational perspective.
    GhostNet observables
      Objectives: Espionage
      Timeliness: Precise and punctual
      Resources: Several years' worth of code and infrastructure development and operations
      Risk tolerance: Low, in order to remain persistent as long as possible
      Skills and methods: Sophisticated injection skills and communications methods
      Actions: Remote espionage on a foreign intelligence service
      Attack origination points: Globally distributed IP addresses (some belonging to the Chinese military)
      Numbers involved in attack: Hundreds of systems
      Knowledge source: Numerous online resources regarding the threat

    Byzantine Hades/Foothold/Candor/Raptor
    As you can see from the title of this section, there is more than one name for the Byzantine Hades series of events. It represents multiple cyber attacks on international and US systems for the primary purpose of espionage (among other things). It has been said that this threat is related to ongoing efforts by Chinese hackers (purportedly state-sponsored) to steal sensitive information and advanced technologies in order to artificially advance their many technology sectors and other industries in which stolen information increases success. Although there are numerous publicly disclosed reports of this threat, and many fingers point to Chinese-based hackers, no public documents can be found that definitively attribute the APT to the People's Liberation Army (for now).
    It has been said that the US government sees this APT as the largest cyber-espionage effort in recorded history. A simple online search will show how many levels of US government agencies have publicly admitted to having knowledge of this threat, yet there has been little to no direct attribution of the masterminds behind this series of events. To date, no arrests have been made, and the reported victims have not filed any charges against any specific intruder. (Who would want to admit their entire network has been
