twitter facebook rss

CrowdStrike does a Mandiant and accuses the Chinese military

Posted by on June 14, 2014.

Just three weeks after the FBI indicted five members of the Chinese military, and some 14 months after Mandiant’s initial ‘J’accuse China’ report, CrowdStrike has joined the party. While Mandiant tracked the APT1 hacking group to the Chinese military unit 61398 (“Unit 61398 is partially situated on Datong Road in Gaoqiaozhen, which is located in the Pudong New Area of Shanghai”), CrowdStrike has tracked the Putter Panda hacking group to the Chinese military unit 61486 (“headquartered in Shanghai’s Zhabei District”).

The New York Times has summarised CrowdStrike’s digital evidence:

The hackers’ tools were developed during working hours in Chinese time zones, researchers say, and Internet records show that in one case hackers used the same I.P. address as members of Unit 61398 to launch their attacks…

…The 35-year-old’s Picasa albums show photos of him in military training and celebrating his birthday with friends in military garb, and pictures of his dormitory, where P.L.A. officer hats are conspicuously in the background. And in his album labeled “office,” photos show a tall white building in Shanghai, surrounded by satellite dishes and dormitory-style residences. Researchers at CrowdStrike believe it is the headquarters for Unit 61486.
2nd China Army Unit Implicated in Online Spying

These military hats seem to be conclusive. In fact, CrowdStrike’s blog on the subject is titled Hat-tribution to PLA Unit 61486.

Slightly grainy photo showing what appear to be PLA-style military hats

Slightly grainy photo showing what appear to be PLA-style military hats

The reality, however, is that all of the evidence pinning Putter Panda to the Chinese military could easily be faked. And since it would be entirely within the NSA’s interest to take the focus off themselves and demonstrate that everyone is doing it everywhere, I cannot shake off certain doubts about the absolute veracity of CrowdStrike’s claims. It would be possible, and I say no more than ‘possible’, for an organization with the NSA’s resources to lay a false trail.

Jaime Blasco, director, AlienVault Labs

Jaime Blasco, director, AlienVault Labs

So I asked Jaime Blasco, Director AlienVault Labs, for his take on the situation. Jaime has form in this – it was he who traced the attacks on South Korean broadcasters to an origin in China. “AlienVault has come to a similar conclusion,” he told me. “Our own research implicates China in both the APT1 group and the Putter Panda groups. The only difference is that I would never publicly tie the hackers concerned directly to the Chinese military.”

I had specifically asked, “How do we know with that much certainty that it was those people in that building using those computers?” He responded with the same explanation offered by CrowdStrike, but added, “I will never in my life say that the information is 100% accurate. Every single piece of information on the internet can be changed and faked, and it is really easy to look like you are from a specific country. Basically if you have the names and addresses and so on of a specific individual then you can just create all that data to look like him. So it is really difficult sometimes to really check if this information is accurate. But in these cases (CrowdStrike and Mandiant) the email addresses on the domain names were used.”

When an attacker drops malware on a target, it calls back to a server under his control. That server is usually registered to a domain name; and when a domain is registered, it has an email address associated with the ‘owner’. Email addresses associated with both APT1 and Putter Panda were traced back, using social networking evidence, to the military units.

It also appears that in the Putter Panda case, there were signs that one of the group had attempted to hide the fact that he was the original registrant. I asked Jaime why, if such an elite hacker feared exposure, he didn’t simply abandon the suspect domain and start again.

“That’s what he should have done,” said Jaime. “But people make mistakes.” That may be so, but it doesn’t seem as if any of the NSA or GCHQ hackers have made any mistakes — if it were not for Snowden we would still be unaware of their practices. So we are asked to accept that the Chinese military, in relation to NSA and GCHQ, are simply incompetent. But Jaime made a valid point here. “If the domain has been working for years and already has a lot of victims calling home to it, if it was just abandoned then the attacker would lose contact with all of his existing successes – and would have to start over again from scratch.” That would require extreme self-discipline.

I think it fair to say that Jaime has some sympathy for CrowdStrike’s claims. There is substantial circumstantial evidence pointing to Chinese hacking groups, and that the targets involved suggest at least some government involvement. But there remains less actual publicly disclosed proof of Chinese government involvement in international cyber espionage than there is actual documentary proof of US and UK government involvement in international cyber espionage.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: News, News_hacks | Tags: , , , , , , , ,