quanto 2 days ago

> Chinese cyber organizations openly acknowledge and publicize their partnerships. This openness was particularly interesting to observe and may be influenced by cultural factors, such as the Confucian emphasis on shared knowledge and a political framework that encourages collective efforts.

I or anyone outside obviously cannot verify the technical details. However, the above statement struck me as particularly uninformed. As any engineer in East Asia can tell you, there is nothing especially collaborative about tech in Confucian culture; if anything, the engineers in that region admire the free speech and discussion traditionally prized in Western culture. Calling the Chinese political framework, especially in the context of national security, conducive to open public discussion was quite ironic to see.

Edit: the punchline is this. If a friend who is always secretive and deceptive about his personal life is suddenly openly discussing his life, what does that say about the details he just disclosed and/or the situation he is currently in?

source: I regularly work with engineers from that culture and studied relevant geopolitics.

  • sangnoir 2 days ago

    > As any engineer in East Asia can tell you, there is nothing especially collaborative about tech in Confucian culture

    IIRC, Bunnie (Huang) mentioned how freely data flows in Shenzhen for hardware hacking, versus pulling teeth trying to get data sheets for components from western component makers.

    > source: I regularly work with engineers from that culture and studied relevant geopolitics.

    (Winces)

    • TeMPOraL 2 days ago

      > how freely data flows in Shenzhen for hardware hacking, versus pulling teeth trying to get data sheets for components from western component makers.

      That's different though. Shenzhen is where electronics factories are; they get the datasheets from western companies, but because said western companies can't really enforce their IP over there, the locals get to ignore it and use the datasheets however it's convenient for them.

      • tschwimmer 2 days ago

        One other question is: how accurate are the data sheets in Shenzhen as opposed to in the US? I can't speak to China, but in the US if you publish a spec for a component and then don't deliver within that spec, you will get sued, and you will lose.

        • throwup238 a day ago

          It really depends on the component. Something complex like a processor or radio will probably have errata in newer datasheets that fix errors in previous versions and those might take longer to make it out (especially if it’s someone like Qualcomm which doesn’t share all errata to all customers grumble grumble). Depending on how bad the error is and what you’re doing, that could be show stopping after you’ve sunk tons of NRE into it (DMA bugs on STM32 in the 2010s come to mind).

          The provenance of the component is also really important. If it’s a ghost shift at a contract manufacturer producing the parts, they might have skimped on some part of the process (like packaging so that another subcontractor responsible for that step isn’t alerted) and the datasheet might be significantly inaccurate. I don’t know if these manufacturers ever bother to characterize their ghost shift parts enough to release their own datasheet but I assume it happens with especially popular parts. If the contract manufacturer loses the contract but keeps the ghost shift, they might be significantly out of date in revisions so you’d have to be careful to use only the datasheet they provide and not the one your engineers download from the first Google result (good luck!). In short, it’s complicated.

          The most infamous example is probably the FTDI serial-to-USB chips that have been counterfeited for many years with varying quality, both by ghost shifts and by manufacturers who reverse engineered the design to some degree.

        • TeMPOraL a day ago

          They are making these chips, so I'd say quite accurate, or else someone in the US will get sued by someone else in the US.

        • chabska a day ago

          In Shenzhen if your product doesn't perform up to spec, you just lose customers and go bankrupt. Not sure why the court has to be involved here. Isn't a free market capitalism economy supposed to work like that?

          • wakawaka28 a day ago

            Chinese companies violate many of the norms that we take for granted, such as labelling things accurately. If a Chinese company makes things out of spec, it will not put its name on the product. If one of these companies does knowingly make an inferior product, a new brand/company might be formed just for that purpose. Also, free market capitalism works better with a means to enforce contracts such as the contents of spec sheets, because it speeds up accounting for deliberate bad behavior. Court proceedings establish facts that can communicate to the public what the company has been up to, versus possibly misleading rumors. Although the free market can eventually sort out bad information and unreliable actors, it works much better when information standards are enforced. False advertising wastes a lot of resources.

    • tw04 a day ago

      > IIRC, Bunnie (Huang) mentioned how freely data flows in Shenzhen for hardware hacking, versus pulling teeth trying to get data sheets for components from western component makers.

      That’s like pointing to torrent sites as proof that US media companies are open to sharing their content.

      Most of the hardware details being shared in Shenzhen are stolen from western firms that have no way to enforce their IP.

      It’s why you can get your iPhone storage upgraded for pennies on the dollar.

      • rfoo a day ago

        > It’s why you can get your iPhone storage upgraded for pennies on the dollar.

        ??? How is this related to anything IP? To get your iPhone storage upgraded, you just need to blow off the old NAND Flash and "solder" new ones. Their pinouts are in public standards and every storage vendor in this world uses the same one.

        And they did this for pennies because, of course, contrary to what Apple wants people to believe, flash storage does not cost much and even with the cost of all the dirty work it's still not much.

        Or do you mean that they are violating Apple's IP rights by modifying their own devices? That's just... bullshit.

    • hnthrowaway0315 2 days ago

      I don't think it has anything to do with Confucianism though. In the Confucian world, or, rather, the Confucian world crafted by and for the ancient Chinese scholar-officials, people who had a technical mind were bluntly looked down upon.

  • suraci a day ago

    > source: I regularly work with engineers from that culture and studied relevant geopolitics.

    that's the problem

    in 1990-2010, >80% of Chinese influencers were liberals

    after 2010, it went down to <30%

    after 2020, <10%

    and most important, a much higher proportion of software engineers are liberals, which is easy to understand since we are followers of western

    but things are changing now; when you talk with a young Chinese developer now, there's a good chance that he/she is a commie

    there's a simple way to validate this: if a Chinese developer is willing to discuss politics with you and 'admire the free speech and discussion traditionally prized in the Western culture', he/she is a liberal;

    if he/she avoids talking about politics with you, it's not because he/she fears to talk about this, it's because he/she is too polite to share opinions different from yours

    • eunos a day ago

      Considering iPhone sales still sky high kinda doubt for now. Maybe in a few years.

rdtsc 2 days ago

> No attacks occurred during Memorial Day and Independence Day holidays which were unique American holidays.

Simple but effective. A good non-NSA agency should also learn from this to be able to effectively false-flag as NSA, as long as they are flexible enough to allow off-hours and overtime pay and remember to respect the US federal holidays.

> Two zero-days were used to breach any company with SunOS-exposed systems in neighbouring countries to China

SunOS? Wonder if it's because it's genuinely used still quite a bit or they simply had zero-days for it since many of those are old and unpatched?

  • zdragnar 2 days ago

    The same strategy is used to attribute attacks against US based targets by Russian, N.Korean and Iranian and other state or state sponsored actors. Time of day, holidays, etc. are (in tandem with other evidence) considered to be surprisingly reliable.

    If I were in charge of things I'd like to think that this sort of thing would be the first step I'd take to cover my tracks, but I still hear cyber security firms using it in their attributions.

    • kokx 2 days ago

      The type of work the people working at an APT do is mainly office work, while it still is very much "hands-on-keyboard" work (so you cannot set an action to automatically occur when nobody is checking the results in the middle of the night). You might want to try shuffling this up when you are in charge, but your (usually highly skilled and expensive) employees probably don't want to be working weird shifts all the time. Especially when they have families.

      It also may not be worth it. Generally APTs want to stay under the radar while they are executing. But after the goals have been reached, most of the time it doesn't matter much if they get attributed. We have yet to see real consequences against any APTs. So paying your employees more to work night shifts likely doesn't stack up against the consequences of attribution.

      • vlovich123 2 days ago

        I have a hard time imagining these APT attacks are manual at the keyboard typing. That seems like an invention for entertainment whereas I'd expect reality to be "run script & establish an ongoing backdoor" or "run script & perform attack". You might need on-call to flag if anything has gone wrong, but I'd have a hard time imagining the entire team is involved for that so the cost of paying extra for an on-call is quite trivial vs the overall cost of the team. In industry that's not even compensated since salaried employees don't get overtime although I imagine that for government work the unions have negotiated this better.

        EDIT: Huh, I guess sometimes it is like the movies: > One of the frameworks used by TAO that was forensically uncovered during the incident named “NOPEN” requires human operation. As such, a lot of the attack required hands-on-keyboard and data analysis of the incident timeline showed 98% of all the attacks occurred during 9am – 16pm EST (US working hours).

        • EvanAnderson 2 days ago

          > I have a hard time imagining these APT attacks are manual at the keyboard typing.

          (My perspective on this comes from doing security assessments and pentests 10+ years ago. Take that for what it's worth.)

          I think of it a little bit like robotic vs. human space missions.

          A robot can gather a ton of data without human intervention. It can perform repeated mindless activities. A certain amount of contingency against unforeseen issues can be engineered-in. Beyond the point of expected anomalies, though, the robot is going to fail (and perhaps expose your operation).

          When it comes to reacting to rapidly changing mission conditions nothing beats a human in the loop. It's really hard to plan for all the peculiarities of any given environment. Intuition and experience play an immense role. Most of all, though, you may only get one shot before you're detected and stopped.

        • luckylion 2 days ago

          On-call for a mission of this size sounds fairly unlikely, doesn't it?

          You wouldn't spend hundreds of thousands of dollars on large scale attacks with lots of (temporary) infrastructure and planning to then yolo it at the last minute and hope that everything goes well and you have the results back when you come back on Monday.

      • hnthrowaway0315 2 days ago

        I wonder how APT operates. I guess it is not too different from a well funded Corporate red team, but the stake is higher and the opponents have almost unlimited amount of resources.

        Do we have any probe into the state-sponsored APT world? I wouldn't be surprised if there isn't any, but would like to know.

  • viccis 2 days ago

    >A good non-NSA agency should also learn from this to be able to effectively false-flag as NSA

    It seems like such a lapse in tradecraft that, absent other indicators, I would just assume it's a crude false flag attempt.

    • rdtsc 2 days ago

      It's a Schrödinger's false-flag! Just incompetent enough to look like a false flag. But at the same time, it's coming from the heart of US bureaucracy, which finds cash to build multi-billion dollar hidden data centers, but is also inflexible enough to not properly pay for overtime and off-schedule work.

      • plagiarist 2 days ago

        I don't find the money inexplicable at all. Building multi-billion dollar data centers increases wealth for billionaires but paying overtime would benefit a middle-class pleb.

        • actionfromafar 2 days ago

          Well how convenient those plebs are down-sized right now.

          • sitkack 2 days ago

            I heard Goldman Sachs is scooping up federal talent and putting them on the bench to then rent them back out to 47 for 10x the price.

    • nonrandomstring 2 days ago

      Wasn't one of the curiosities in Snowden vault7 an "attribution engineering toolkit"? That sounds quite flexible.

    • greatgib a day ago

      Honestly they might also totally not care about it. They might want to avoid detection while the hack is working but what is the point of covering their tracks after the thing is discovered?

      It's not like China will sue them, and not like both sides can easily say that it is just reciprocal.

  • runjake 2 days ago

    > A good non-NSA agency should also learn from this to be able to effectively false-flag as NSA

    For what it's worth, this is already a TTP used domestically, as well as by our adversaries (and allies, e.g. GCHQ and 8200).

  • formerly_proven 2 days ago

    Assuming they mean Solaris, it's still technically maintained, at least in the Oracle sense (of both "technically" and "maintained").

    • rdtsc 2 days ago

      I assumed that much, SunOS is pretty ancient, last version was what, in early 1990s? Though, Solaris still would report a SunOS 5.$solarisver version or something like that. So I guess we can say it is a "SunOS" box if we wanted to.

      • jjtheblunt 2 days ago

        SunOS 4.x is the BSD lineage and SunOS 5.x the Solaris lineage, or at least was when I worked at Sun.

breppp 2 days ago

It seems like the most efficient way of detecting NSA tools is a regular expression of two all caps dictionary words

  • contingencies 2 days ago

    BadJoke LoveIt.

    Similarly, 0day ABNF to identify probable NSA front companies:

    [optional-firstname] <surname> [optional-adjective] <"systems">

  • lazide 2 days ago

    BRILLANT SPECTRE finds your joke in bad taste (/s)

dmix 2 days ago

> In total, 54 jump servers and 5 proxy servers were used to perform the attack coming from 17 different countries including Japan, South Korea, Sweden, Poland and Ukraine with 70% of the attacks coming from China’s neighbouring countries.

I'm guessing this is so when they do data exfiltration (and hosted MITM) it's not sending a ton of data to a single server, but spreads them out.

> SECONDDATE: This tool was allegedly used by TAO (NSA) to hack into the office intranet of the University. Attribution of SECONDDATE was discovered through collaboration with other industry partners. They found thousands of network devices running this spyware – where the communications went back to NSA servers located in Germany, Japan, South Korea and Taiwan. This tool was used to redirect user traffic to the FOXACID platform.

> SECONDDATE – Backdoor installed on network edge devices such as gateways and border routers to filter, and hijack mass amounts of data in a MiTM. This was placed on the border routers of the University to hijack traffic to redirect to NSA’s FOXACID platform.

mmooss a day ago

> 1. Attack Times

> * One of the frameworks used by TAO that was forensically uncovered during the incident named “NOPEN” requires human operation. As such, a lot of the attack required hands-on-keyboard and data analysis of the incident timeline showed 98% of all the attacks occurred during 9am – 4pm EST (US working hours).

> * There were zero cyber-attacks on Saturdays and Sundays with all attacks centralised between Mon-Fri.

> * No attacks occurred during Memorial Day and Independence Day holidays which were unique American holidays.

> * No attacks occurred during Christmas.

It's surprising the NSA would be this sloppy and obvious, or maybe they don't care about attribution in this situation, or maybe someone else did it. But I've read attribution of Chinese attackers using work hours and thought the attackers were sloppy and obvious.

> A key observation from the Chinese case notes was the extensive use of big data analysis, particularly in tracking “hands-on keyboard” activity. This approach enabled Qihoo 360 to identify patterns, such as the alleged absence of activity on Memorial Day, and precisely documenting the operational hours of the attackers, allowing 360 to isolate activity to Monday-Friday, EST working hours.

If the blogger's claim of experience is true, they must know about the things I've read. I wonder what they are thinking of.
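The working-hours and holiday pattern quoted above (and the same attribution method zdragnar describes further up the thread) is easy to make concrete. The following is an added example written for this thread, not code from the article, from Qihoo 360, or from any commenter: it takes a constructed set of UTC timestamps for hands-on-keyboard events and profiles them against several candidate time zones, reporting what fraction of activity falls inside a 9am-4pm working window and on weekdays, and which weekday holidays inside the observed period saw no activity at all. The time zones are fixed UTC offsets (no DST handling) and the event list and holiday table are constructed for illustration; both are assumptions of the example, and a real analysis would use the incident's own timeline.

```python
"""Profile attacker activity timestamps against candidate working-hour time zones.

Added example for the thread above; the events below are constructed, not incident data.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample: UTC timestamps of hands-on-keyboard events. Eighteen of them
# fall on weekdays between 14:00 and 20:59 UTC (09:00-15:59 at UTC-5); two are
# deliberate outliers so the fractions are not a clean 100%.
EVENTS_UTC = [
    datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    for s in [
        "2023-05-30T14:05:00", "2023-05-31T15:30:00", "2023-06-01T16:10:00",
        "2023-06-02T18:45:00", "2023-06-05T14:50:00", "2023-06-06T19:20:00",
        "2023-06-07T20:15:00", "2023-06-08T17:00:00", "2023-06-09T15:05:00",
        "2023-06-12T16:40:00", "2023-06-13T18:30:00", "2023-06-14T14:20:00",
        "2023-06-15T19:55:00", "2023-06-16T17:35:00", "2023-06-20T15:15:00",
        "2023-06-21T16:25:00", "2023-06-22T18:10:00", "2023-06-23T20:40:00",
        "2023-06-25T03:00:00",  # outlier: Saturday night at UTC-5
        "2023-06-26T23:30:00",  # outlier: Monday evening at UTC-5
    ]
]

# Assumption: fixed offsets stand in for the real zones (no daylight-saving rules).
CANDIDATE_ZONES = {
    "EST (UTC-5)": timezone(timedelta(hours=-5)),
    "CST China (UTC+8)": timezone(timedelta(hours=8)),
    "MSK (UTC+3)": timezone(timedelta(hours=3)),
}

# US federal holidays that fall in or near the constructed window (2023 dates).
US_FEDERAL_HOLIDAYS_2023 = {
    date(2023, 5, 29): "Memorial Day",
    date(2023, 6, 19): "Juneteenth",
    date(2023, 7, 4): "Independence Day",
    date(2023, 12, 25): "Christmas",
}


def profile(events, tz, work_start=9, work_end=16):
    """Fraction of events inside [work_start, work_end) local hours and on Mon-Fri,
    plus a per-hour histogram, all computed in the candidate zone tz."""
    local = [e.astimezone(tz) for e in events]
    n = len(local)
    return {
        "in_hours": sum(work_start <= t.hour < work_end for t in local) / n,
        "weekday": sum(t.weekday() < 5 for t in local) / n,
        "by_hour": Counter(t.hour for t in local),
    }


def rank_zones(events, zones):
    """Candidate zones ordered by how well the activity fits an office-hours pattern."""
    scored = {name: profile(events, tz) for name, tz in zones.items()}
    return sorted(
        scored,
        key=lambda name: (scored[name]["in_hours"], scored[name]["weekday"]),
        reverse=True,
    )


def silent_holidays(events, tz, holidays):
    """Weekday holidays that lie inside the observed activity window (in tz) but saw
    no events. A holiday on a weekend carries no signal, so those are skipped."""
    local_dates = {e.astimezone(tz).date() for e in events}
    first, last = min(local_dates), max(local_dates)
    return sorted(
        name
        for d, name in holidays.items()
        if first <= d <= last and d.weekday() < 5 and d not in local_dates
    )


if __name__ == "__main__":
    for name in rank_zones(EVENTS_UTC, CANDIDATE_ZONES):
        p = profile(EVENTS_UTC, CANDIDATE_ZONES[name])
        print(f"{name:18s} in-hours={p['in_hours']:.0%} weekday={p['weekday']:.0%}")
    est = CANDIDATE_ZONES["EST (UTC-5)"]
    print("weekday holidays with no activity (EST):",
          silent_holidays(EVENTS_UTC, est, US_FEDERAL_HOLIDAYS_2023))
```

On the constructed data the UTC-5 zone ranks first (90% of events in hours, 95% on weekdays), the two other zones put almost nothing inside a working day, and Juneteenth is the one weekday holiday inside the window with no activity. The same three functions run unchanged over any list of timezone-aware timestamps; the point is that this is a statistical fit, so the histogram and holiday list belong next to the other indicators an analyst weighs, not in place of them.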

ThinkBeat 2 days ago

Given how the US is attacking its enemies and at times its allies, 24/7, it is amazing how little we ever hear about it.

  • WarOnPrivacy 2 days ago

    Regarding unwarranted surveillance of Americans not suspected of a crime (and by extension, our allies):

    Throughout my longish life, these things have not changed.

    ~All federal politicians support/expand it and then obfuscate their part.

    News orgs don't/won't cover it (most of the time). The reason is every possible reason. Stated differently: Reluctance is a foregone conclusion; every editor/journalist has their own why.

    There is an excess of voters who compulsively give Gov the benefit of the doubt. At least where Gov favors its interests over ours. (modern version: Where Gov acts in good faith and places our interest first, wound-up voters endlessly crap all over that [because agendas].)

  • mmonaghan 2 days ago

    Everyone is always attacking everyone else at all times, it's not just the US.

    • Nectar0516 2 days ago

      Well, yes, but we hear quite a bit about China or Russia or North Korea or wherever attacking us.

      I've quite literally seen people ask "why don't we attack them back?"

      • wakawaka28 a day ago

        Maybe we don't hear about it because they write about it in private and/or in foreign languages lol.

    • pessimizer 2 days ago

      Never trust the law of averages. I don't want to say that the US is exceptional, but assuming it's like every other country give-or-take is a horrifically bad assumption.

  • markus_zhang 2 days ago

    China did publish some information once in a while. But the information is usually in Chinese and lacks details.

  • Mountain_Skies 2 days ago

    If we were in Russia or China, we'd likely hear about US actions in this area quite a bit more. With allies, well, there's a lot of mutual back scrubbing going on.

alphalite 2 days ago

I originally came here to comment how crazy it seems that DoD employees at NSA cannot be bothered to cover their tracks by working nonstandard hours/holidays (obviously Mil & Intel folks do this, they even get deployed!). But the thought occurred to me that attribution to NSA was likely a desired outcome here (“We can hack you too”) and there are probably many people at NSA working nonstandard hours/days to prevent attribution.

I think the English language aspect is much more interesting and difficult/impossible to prevent.

  • kelipso 2 days ago

    It sounds exciting and all but it’s basically a boring government office job, the employees mostly have families, expect regular work hours, etc.

  • maxglute 2 days ago

    Technical talent with transferable skills for higher paying work aren't incentivized to work on deployment schedule. But really, why assume NSA capable of obfuscating against PRC also stacked with talent. The parsimonious answer is then why bother, everyone knows they're deep in each others networks for decades and will continue to be. So let the hackers have their weekends.

  • quanto 2 days ago

    I agree, but I would go further and say (written) English language is as easy to emulate. There are technical people with great written English skills who will give away their non-Anglophone identities at the first sentence they speak.

markus_zhang 2 days ago

This is really interesting. I wonder how red-teams in State sponsored teams operate in real life. I guess every one has an NDA, but would love to get a general idea.

I assume it's a jungle out there, so teams need to protect themselves 24/7/365 and I'm surprised to find no activities in holidays.

iudqnolq a day ago

> Second date has capabilities of network eavesdropping, MiTM, and code injection

This is probably a dumb question but doesn't that require an SSL cert? Obviously the NSA can get someone to issue a cert for a domain they don't own but wouldn't that be visible?

Couldn't you have every user device log the SSL certs it sees to detect this attack? What about CT?

mmooss a day ago

> The Northwestern Polytechnical University had allegedly suffered multiple breaches throughout the years where several pieces of malware uncovered in prior investigations (prior to Shadow Broker’s leak) were allegedly the same tools described in the Shadow Broker’s leak.

What is Shadow Broker, does anyone know?

motohagiography 2 days ago

glad to see the same basic tradecraft from 90s hacking, only very refined and industrialized. it's a durable skill. the focus on switches and routers is very pro, as they are the most opaque infra with the fewest forensic capabilities. iot is less reliable as RE'ing cheap devices and firmware for IoCs is accessible, where almost nobody outside the IC did core gear (word to phenolit from back in the day tho).

the traffic redirection is interesting in that i would be curious if they rate limited it or used on-device selectors in their implant to redirect traffic. the trade off between memory caching packets to sort on selectors vs. stealthy throughput would have been a fun design meeting.

hunting these kinds of actors would be supremely fun. the main thing that protects them is few outside massive bureaucracies really care enough or find it economical, as the rewards are more in finding new zero days and not hunting state level threat actors. the exceptions who do (p0, citizenlab etc) are attached to massive orgs and don't really lend themselves to privateering. amazing write up anyway.

  • hnthrowaway0315 a day ago

    Thanks for sharing. You seem to have some knowledge of the APT scene. Can you please elaborate on the following points?

    - the focus on switches and routers is very pro (did you mean the defenders or the attackers?)

    - What kind of knowledge is a starting point to hunt these players? I assume very good Linux system admin skills that can protect the whole system well enough to maybe only allow some obscure entries, and then have enough RE/Red team knowledge to know how to focus on these entries. Does it make sense?

    - How do those APTs operate? I'd imagine there are at least 3 groups of people, group 1 = people who make tools, do analysis, RE and such -- they are the support guys; group 2 = people who directly execute the operations -- they don't need very in-depth knowledge but need to a whole range of knowledge to know where to look at and how to best use the tools; group 3 = blue team who protects the whole facility. And of course there are managers, admins, etc.

klooney a day ago

> 98% of all the attacks occurred during 9am – 4pm EST (US working hours).

> There were zero cyber-attacks on Saturdays and Sundays with all attacks centralised between Mon-Fri.

> No attacks occurred during Memorial Day and Independence Day holidays which were unique American holidays.

> No attacks occurred during Christmas.

Come on guys, if Satoshi can cover his timezone tracks, so can you.

themark 2 days ago

It seems like the lack of operations during US holidays would be a big oversight.

kridsdale1 2 days ago

I love the Windows 98 clip art.

vednig 2 days ago

[flagged]

  • rdtsc 2 days ago

    > can I comment freely here

    Sure, we all have the freedom of speech here. Will you have freedom after speech though, I don't know? It depends on your particular situation ;-)

    • vednig 2 days ago

      Nothing, it's just the two biggest intelligence agencies fighting; I think keeping quiet is the safest bet.

      • inetknght 2 days ago

        Sometimes keeping quiet isn't the best form of defense though.

        So it really does depend on your situation.

thaumasiotes 2 days ago

> These insights stem from extensive research I did on Weixin

Someone doing extensive research on Weixin might ordinarily realize that it's called "Wechat" in English.

  • boston_clone 2 days ago

    Wechat is the internationalized version; Weixin is for mainland China.

    https://duckduckgo.com/?q=weixin+vs+wechat

    • thaumasiotes 2 days ago

      I guess if ChatGPT told you to glue the cheese onto your pizza, you'd eat it that way.

      Wechat is also the mainland version. It's always been Wechat, and in particular it was Wechat years before they kicked me off of the mainland Chinese version† for registering an American phone number. The reality is exactly what I already told you: the app's name is 微信 in Chinese and Wechat in English. This is why coverage of Wechat's extensive market penetration in China always calls it "Wechat".

      Don't believe everything you read in the results of the stupidest web search you know how to run. If you try facts, you might like them!

      † By the way, "version" is really stretching things. There is no difference in the app. They don't keep your data within China, you go into a different advertising segment, and by default you connect to a different in-app sticker shop.

      • boston_clone 2 days ago

        That would have been great to include with your initial comment instead of seemingly picking at nits and then making inflammatory comments.

        Always love the use of a dagger though, I don't see them too often online!

      • est 2 days ago

        > There is no difference in the app

        There are tons of differences. Weixin has more adware/spyware, no CallKit on iOS, local payments.

        There's even a chat firewall between Weixin and Wechat.

        • thaumasiotes a day ago

          > There's even a chat firewall between Weixin and Wechat.

          ...is there a reason you believe this? It is not true in any sense.

          I'll also note that, if you believe the claims in your comment, you'll have a tough time explaining how my installation from the Google Play Store includes local payments.