Reverse Deception: Organized Cyber Threat Counter-Exploitation
Authors: Sean Bodmer
owned and there’s nothing they can do about it? Buhler…? Buhler…?)
    It is estimated that unclassified systems of the US government, the US military, and several Cleared Defense Contractors (CDCs) have also been compromised by this same threat. Not much has been made public beyond this threat being attributed to Chinese cyber activity, with efforts to infiltrate and maintain a persistent backdoor into sensitive US government, financial, corporate, and academic enterprise networks. This event was also mentioned in several of the cables released by WikiLeaks, implying that the threat was targeted, run, and sponsored by components of the Chinese government, but nothing definitive has stuck to date.
    The following are some of the observables of this threat.

Byzantine Hades/Foothold/Candor: Observables
Objectives: Espionage
Timeliness: Precisioned and punctual
Resources: Several years’ worth of code and infrastructure development and operations
Risk tolerance: Low and high based on mission
Skills and methods: Simple and sophisticated
Actions: Remote espionage on foreign investments
Attack origination points: Globally distributed IP addresses (purportedly sponsored by the PRC)
Numbers involved in attack: Hundreds of systems
Knowledge source: Numerous online resources involving Chinese APTs
    Operation Aurora
    The Operation Aurora threat was discovered in late 2009 and was identified as having operated undetected since mid-2009. The series of events surrounding Operation Aurora generated an ensuing “fog of war,” in which multiple firms bickered over whether this event was indeed advanced. In our professional (slightly unbiased) opinion, the overall tools and techniques of this event were not overly advanced. Only a small portion of the events was actually advanced, specifically the Trojan Hydraq, which was shown to have been initially developed at a university in China (see a common theme?). This event has great historical significance, as giant international firms such as Google, Adobe, Juniper Networks, Northrop Grumman, Yahoo!, Symantec, Dow Chemical, and several others came forward and disclosed that they were victims of intrusions associated with Operation Aurora.
    The most significant item to take away from this APT is that it was targeted specifically at private commercial corporations and CDCs, not a government agency. This APT tipped the scales for the security industry as a whole, as everyone thought that APTs were specific to the government and financial sectors. This proved everyone very wrong.
    This was a persistent threat, in that it lasted for well over six months using a standard command-and-control infrastructure, but only some of the tools and techniques were advanced. As noted, there was the advanced Trojan known as Hydraq, which was the backdoor that ran on the host machine and performed most of the host-level activity on the victim systems to steal the accessed information. The actual infection vectors were again those age-old techniques of socially engineered e-mail messages and drive-by downloads (which occur when victims surf to a website and are exploited or socially engineered into downloading an initial Trojan).
    What rattled the world throughout the media hype of this series of events were the victims involved. Without knowing the victimology (the analysis of the victim’s part in the criminal offense) of these incidents and the true nature of what occurred behind the monolithic walls of each of these firms, speculation is left to many and the actual knowledge to only a few. Although none of us can point fingers, it was leaked in one of the WikiLeaks cables that this was a PRC-sponsored espionage event. However, there are discernible observables even to an outsider without any knowledge of the events that occurred internally within each firm, as summarized in the following table.

Operation Aurora: Observables
Objectives: Espionage
Timeliness: Precisioned and punctual
Resources: Several
