[Dailydave] Late Friday thoughts on the Kevin Mandia RSAC keynote.

J. Oquendo joquendo at e-fensive.net
Tue Mar 25 08:38:00 EDT 2014


On Mon, 24 Mar 2014, Richard Bejtlich wrote:

> ...and this is why I don't usually respond here.
> 
> It's time for me to leave the list.
> 
> Good luck,
> 
> Richard
> 

Again, with great respect, I think it's only fair to keep
it on topic. You initially stated: "whatever it was I
analyzed" which happened to be whatever it was Mandiant
made public in the APT1 report. There was, and is, no
sleight of hand in the video; all data came from your
company's report. Let me take it back a step for others
who don't - or may not - know about the report (APT1).

The initial data came by way of an INFRAGARD report that
was to be released the same day, which coincided with the
RSA conference. The report is labeled JIB-260425. How do
I know this? The field of malware reversing and analysis
happens to be a small one, and it's easy to get samples
and see data. This is how researchers secretly crowdsource
to find answers; this is not a big secret, most in compsec
circles have been doing this for years.

Prior to your APT1 report, I already had some of the
addresses you mentioned under the microscope, their tactics,
techniques, "indicators of compromise", and what exactly
they were doing. MANY of those addresses in your report
were "straddling" the line with financial based malware:
bank account/credit card theft, XSS attacks, etc. From a
"cyber psychological" perspective, it made no sense for a
"gov" sponsored team to target say the Pentagon, but on a
slight note, let me go hit up 10,000 bank accounts.

Logical "cyber psychological" deflection theory made even
less sense: "they're targeting mil/gov space, but ALSO
attacking finance to make it seem like it's an organized
crime group." From an operational security standpoint,
here you have "the holy grail of hacks" (Fortune N's)
being attacked, unseen for 1, 2, 3-7 years at that [1]. Such
sophistication, yet they'd risk this to deflect attention
elsewhere? Forget that, they'd also host their C&C's and
data dump servers with known RBN hosts? It's akin to
a bank robber robbing a bank, then stashing the money in
a known drug den frequented by other bank robbers. This
makes ZERO sense from any logical/common sense perspective.

Many C&C clusters, malware groups, even nation sponsored
groups are under the microscope by many researchers:
Shadowserver, Team Cymru, individual researchers. Many can,
and do, collaborate to determine what is really going on.
In the instance of APT1, I found only two conclusions as
to the labeling of the data as "gov sponsored cyber
anything."

1) Mandiant's researchers relied on tell-tale identifiers
(IP address, language used in an operating system, strings)
which can easily be changed, can never identify anyone.

2) Mandiant, in a rush to make RSA conference news, took
the JIB report and omitted a lot of relevant information.

On 1, I keep seeing researchers make statements such as:
we don't only rely on IP addresses, or language, to determine
who to attribute the attack to. For this I beg of ANY other
researcher: "fill me in please" because I have been doing
this for a "little while" now, and I cannot find any other
mechanism of attribution outside of: "they came from X,
targeted Y, using Z tactics" which tells me little.

On 2, I "get it": security is always "business as usual";
however, this (cyber) is a bit different. When governments
have the potential for any kind of warfare, physical,
economic, etc., it's dangerous ground to point fingers
knowing there is no solid basis for it; it can push
relationships down a negative path.

The "data I analyzed" (whatever I analyzed, which happens
to be whatever Mandiant put forth, which is also, what I
already had via the JIB report) shows ACCURATELY that the
same group(s) named as "Unit 61398" aka the Chinese
government, pointed mainly back to ONE individual.

EACH and EVERY one of those I was able to identify has a
business, and it is in ONLY one industry: travel and tourism.
There is no variance there. They aren't from the trucking
industry AND the defense industry AND the Chinese gov. They
were from the travel industry. They ALL also have a
commonality with one name that popped up: "Hu Weisheng", who
is a "suspected mob boss" in China:

"300 armed police arrest suspected mob boss in Guangdong"
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20120624000053&cid=1103

Late last year, your boss Kevin Mandia was targeted [2],
and I immediately went back and thought: "Wow, what better
way to target any foreigner coming into your country, when
you have dibs on their every move. Their itineraries, their
every move can be tracked. You'd know where they're going,
where they're staying, and so forth." Do you think solely
government would want this data? Data is king, period. Where
there is money to be made, is it that far fetched to think
that an organized crime group would be in the "Espionage
as a Service" game? You know, steal everything, sell and
re-sell to the highest bidder, then re-sell it again, and
again?
[1] http://www.wired.com/threatlevel/2014/02/mask/
[2] http://www.infosecurity-magazine.com/view/35048/hackers-target-mandiant-ceo-via-limo-service/

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF