Su Bin, Lode-Tech, And Privatizing Cyber Espionage In The PRC

The criminal complaint against Chinese businessman Su Bin (aka Stephen Su, Stephen Subin) is a must-read. Be sure to read the Wall Street Journal article as well. It marks the first time that the FBI has issued an arrest warrant for a foreigner charged with an act of cyber espionage via a network attack that has until now been attributed solely to state actors like the PLA.

The complaint provides an indepth look at an EaaS (Espionage-as-a-Service) operation involving one named suspect and two unnamed co-conspirators. I've tried to reduce the 49 page complaint into its essential components and added a few missing pieces.

SU Bin (Stephen Su) 

Su's alleged role was to help his partners identify valuable military aviation technology to steal and then find buyers for the stolen data. His company's logo as portrayed on the Lode-Tech.com website is almost laughably ironic: "We will track the world's aviation advanced technology." Su and his partners did exactly that, but would then attempt to steal the technology and sell it to their customers.

Su has been the owner and manager of Beijing Lode Technology Company, Ltd. since 2003. Lode-Tech is a cable harness equipment company that serves the aviation and space market. The company has offices in Beijing, Shanghai, Guangzhou, Shenzhen, Chengdu, Xi'an, Shenyang and Changchun.

Lode-Tech is also a representative and distributor of related aerospace products for a number of companies including DIT-MCO in Kansas City, MO; a company which proudly announces that its equipment "was used on the early "Hawk Missile," the first intercontinental Atlas missile, the Polaris missiles for the Navy, the Titan missiles for the Air Force, and the Patriot Missile used so successfully in the Desert Storm War, as well as almost all the aircraft used by the Air Force, Army and the Navy.”

DIT-MCO plus Lode-Tech's other business relationships in the aerospace industry (such as sharing space with Boeing at the Beijing Aviation Expo) put Su in an excellent position to identify valuable data for theft by a team of mercenary hackers who are identified in the complaint as UC1 and UC2.

NOTE: This case underscores the importance for companies in high value technologies like aerospace to (a) conduct indepth due diligence investigations on all of their vendors and (b) restrict network access by implementing least privilege rules.

Uncharged Co-Conspirator 1 and 2 (UC1, UC2)

According to the complaint, UC1 and UC2 are located in China, are hackers for hire, and are affiliated with multiple organizations and entities in the PRC. They have a diverse history of accomplishments but have chosen to focus on "military technology intelligence". They have an unidentified funding source that provided working capital in seven figures RMB, a hierarchial structure, and engage in business development. They've been working with Su since at least August, 2009.

In addition to their collaboration with Su on the Boeing C-17 project, UC1 sent several reports to UC2 which described other actions:

• Targeted F-22 data from Lockheed Martin (LMT wasn't named in the complaint but they're building the F-22 and their sensitive documents use the classification terminology "Proprietary Information Source Selection Sensitive" which was mentioned in the complaint on p. 42).
• Stole 20GB of data from a U.S. military contractor via the company's FTP server
• Acquired a list of contractors and suppliers for a U.S. Unmanned Aerial Vehicle project and performed network reconnaissance.
• Have access to a Russian-Indian joint missile development program by "controlling" the company's website and "awaiting the opportunity to conduct internal penetration".

NOTE: The name of the company is redacted in the report but it may be referring to the Brahmos 2 missile developed by Brahmos Aerospace; a joint venture between India's DRDO and Russia's NPO Mashinostroyenia.

Activities and Methodologies

• Their target selection is informed by S&T (Science and Technologies) priorities of their potential customers. 
• They establish "technology bases" and hop servers outside of China (i.e.; U.S., Korea, Singapore) and "machine rooms" with legal status in Macao and Hong Kong
• Intelligence collection is done outside of the PRC (presumably at the above locations) and brought into China in person rather than electronically.
• They focus on those U.S. and Taiwanese defense contractors which are among the Global top 50 arms companies.

Conclusion

While this is the first criminal complaint that describes "hackers-for-hire" or Espionage-as-a-Service it isn't new and it isn't exclusive to China. U.S. cyber security companies who research APT threat actors should study this criminal complaint closely; especially those who have spent the last 9 years defining APT solely as the Chinese government.

Threat intelligence companies worldwide need to find ways to differentiate the activities of a nation-state with those of a for-profit hacker group, criminal organization, or other alternative entities engaging in acts of cyber espionage. That may be difficult under current APT assumptions and with the limitations of purely technical indicators.

Finally, the SU-UC1-UC2 enterprise as described in this criminal complaint underscores and validates a data-centric approach to cyber security wherein a company identifies their own high value files by knowing the S&T research priorities of a given nation state and its state-owned or publicly-owned enterprises.

Airbus Defense and Space's First APT Threat Intelligence Report: Nice Work!

I've been a frequent and vocal critic of many threat intelligence reports issued by the usual players in information security. So it was very refreshing to read this report by Cassidian CyberSecurity (now a part of Airbus Defense and Space) on an APT threat actor that they named "Pitty Tiger".

I haven't studied the report yet but I did give it a quick read and want to congratulate the team of researchers including David Bizeul who did such an outstanding job in 2007 with his report on the Russian Business Network.

Here's what I really appreciated about the Pitty Tiger report:

APT Threat Actors - Not State Sponsored
Pitty Tiger is described as a Chinese group of hackers who demonstrated poor operational security (similar to the carelessness shown by members of Mandiant's APT1) as inexperienced hackers who were out to make a quick buck rather than bored or careless soldiers working for the PLA:

Pitty Tiger is probably not a state-sponsored group of attackers. The attackers lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.

This is the first time that I recall reading a security intelligence report which didn't portray the hackers as state-sponsored, state-affiliated or employed by the PLA. That in and of itself is news-worthy as far as I'm concerned.

Espionage-As-A-Service
The researchers refer to an "opportunistic business model", something that I and other security researchers like J. Oquendo and Peter Mattis have written about as well.

Use of the term "White Paper"
The authors properly categorized their threat intelligence report as a white paper, which it is because it has marketing value for the company. Many well-known cyber security companies who issue security intelligence reports fail to acknowledge that.

Responsible Attribution
The researchers exercised restraint and used cautious language in their attribution section. They didn't make baseless assumptions about "real names" or jump to any conclusions about the identities or affiliations of the hackers.

Kudos to the Airbus team for this report. Please keep them coming.

Suits and Spooks from the US, EU, Russia, The Hague to talk 0-day Regulation and other topics

Suits and Spooks London is happening on Friday Sep 12th with speakers from BAE Systems, EUROPOL, CERT-EU, Kaspersky Lab, CrySyS Lab, Goldman Sachs, PwC and other organizations. If you're looking for a security conference where you're expected to be a passive participant, don't bother coming.

If, on the other hand, you have an opinion about the relative value of attribution, the wisdom of active defense, the regulation of 0-day development and dual-use penetration testing products, and want to have an informed discussion and debate about them with people who can make a difference, then by all means join us at the top of the Blue Fin building in central London for a day of stimulating topics and discussions.

Here's a short video introduction to Suits and Spooks, if you've never attended the event.

Take advantage of our Early Bird rate of GBP135.00 ($231) before July 31st. Seating is limited to 50 attendees. You can also register by phone (855) 777-8242.

Have Lunch on K Street with Execs from Microsoft, BAE, Cognizant, Huawei USA, and the IC - Updated 7/14/14

UPDATE (July 14, 2014): We have room for six more cyber security startups to join our lunch however registrations will close by end-of-day July 15, 2015.

If you're a cyber security startup, chances are good that you may have a product or service of interest to the U.S. government but do you know the complexities that come with that? If you attend our Security Startup Lunch in DC on July 22, you can ask Hendrik van der Mueler, Barbara Hunt, and Lewis Shepherd for their advice.

If you'd like to be a vendor for one or more prime defense contractors, you can chat with JC Dodson, BAE Systems Global CISO about your product or service and receive his recommendations on how to go about it.

On July 22, at PJ Clarke's in Washington, DC, our Suits and Spooks Security Startup Speed Lunch will help startups find customers, VCs find startups, and give executives a chance to hear about cutting edge technologies person-to-person - over lunch.

You won't be pitching a room full of people. You'll be meeting 1:1 in six minute rounds with decision-makers from multinational companies and other organizations, and you'll enjoy a delicious lunch in the Sidecar at PJ Clarke's.

Here's who you'll be meeting with:

• Lewis Shepherd, Director and GM, Microsoft Institute for Advanced Technology in Governments (MSI). Lewis joined Microsoft in December 2007 from the Defense Intelligence Agency, where he accepted a position as Chief of Requirements & Research (or R2).
• Barbara Hunt, President and CTO, CuttingEdge CA. Ms. Hunt is a retired Central Intelligence Agency (CIA) Executive Technical Expert and program manager with over 20 years of experience in the fields of cyber, information, and telecommunications technology and operations. She also served as Director of Capabilities, Tailored Access Operations Group at NSA.
• Henry Shiembob is VP and Chief Security Officer at Cognizant Technology Solutions, and was formerly the Deputy Chief Security Officer and Executive Director of Cyber Security and Fraud Operations at Verizon.
• Jeffrey C Dodson, VP Cybersecurity, Global CISO, BAE Systems
• Andy Purdy, CSO, Huawei USA. Andy formerly served as the 'Cyber Czar' of the United States from 2004 to 2006, in his role heading the Department of Homeland Security’s National Cyber Security Division and US-CERT.
• Hendrik van der Meuler - Retired senior CIA officer in three foreign countries and CIA Operations Officer during six tours of duty in the Middle East, Africa, and Europe, 1981-2000. Since retiring from the CIA in October 2010, he has worked for the Monitor Group and MonitorQuest, with an emphasis on Social Media issues.
• Edward V. Marshall, Vice President - Private Banking North America, Credit Suisse; formerly with the U.S. Department of State.
• LaToya Staten: Cyber Collaboration Manager, MD Dept.of Econ Dev., Cyber Development at Maryland Department of Business and Economic Development

You can attend if you meet one of these three categories:

1. You are employed at the Director level or higher with a medium-sized or larger corporation.
2. You're employed with a cyber security start-up that is no more than 5 years old and has not yet raised more than a Series A funding round.
3. You're employed by a Venture Capital firm or an investment bank.

It wasn't easy getting these outstanding executives together for three hours to meet with a group of startups and I doubt that I'll be able to get them all together a second time so don't miss this opportunity. The registration fee is $199 if paid before July 1st and seats are limited!

Visit the Suits and Spooks website for more information or call (855) 777-8242 ext. 3 with any questions.

Hank Crumpton on Wolfowitz: "What was he smoking?"

I read Hank Crumpton's book "The Art of Intelligence: Lessons from a Life in the CIA's Clandestine Service" in about six hours spread over two flights between NY and Seattle. It's a great book which I highly recommend everyone read.The recent attempt by Paul Wolfowitz to rewrite his colossal fuck-up on the Iraq war or to even have the audacity to provide advice prompted me to go back and find this relevant section:

Chapter: "Afghanistan, Strategy"
pp. 187-188

A few days later, Tenet and I were in the White House Situation Room. National Security Advisor Rice chaired the meeting. Rumsfeld, Card, Secretary of State Colin Powell, Deputy Secretary of Defense Paul Wolfowitz, Chairman of the Joint Chiefs of Staff General Myers, and others attended. 

<cut for brevity> 

Rice asked Tenet to provide an update, followed by General Tommy Franks, who piped in via secure video from CENTCOM HQS in Tampa. Others added their views. There were some questions about Afghanistan, and I provided some short ansers. I was cautious in my responses. I did not know this environment. 

It was making sense. All of the people here were sticking to their roles as I had imagined them. They were all calm and polite. They were rational. 

Then it got weird. 

With no prelude, prompt, or reference point that I could fathom, Wolfowitz launched into a monologue. 

"Iraq. We must focus on Iraq - 9/11 had to be state-sponsored. Iraq is central to our counterterrorism strategy." He spoke with great emphasis. There was a short pause, with no response. So he lectured in this vein for another couple of minutes. Then he stopped as abruptly as he had started. 

There was a heavy silence around the table. 

I looked around the room. Still nobody said anything. 

What was he smoking? I wondered. 

There was nothing in our intelligence collection or analysis that implicated Iraq in 9/11. On the contrary, Saddam Hussein was a secular despot with no affinity for AQ ideology or for AQ as an ally of convenience. White Saddam was a terrorist and supported terrorist groups, especially those in the radical Palestinian networks, he saw AQ as more of a threat than an ally. Moreover, AQ had organized, trained, and plotted the 9/11 attack from Afghanistan, not Iraq. 

I sat mum. It seemed too strange to warrant a response, particularly from me, the new guy, policy rookie, field spook. But neither did anybody else challenge Wolfowitz. I dismissed the commentary as temporary contorted logic, an aberration of an otherwise intelligent and responsible policy leader. I had no idea what would unfold in the next couple of years.

 Amazing.

Crowdstrike's PLA 61486 Report - Using Photoshopped Pictures? No. (Updated 6/16/14 6:45pm)

This post has been updated from the original thanks to some criticism that I received on Twitter for suggesting that Chen's photos were either photoshopped by Chen or taken from somewhere other than the PLA base. That criticism helped me resolve problems that I and others had with Chen's pictures. Here's my update. The original post is below.

UPDATE (6/16/14): Here are Google Earth images which show just how close the Pearl Tower and the Jin Mao tower are (the two illuminated buildings in the background. The World Financial Center is slightly left and behind the Jin Mao tower).

The red line in the above picture originated from the PLA base as seen below.

And here's the full site path from Google Earth.

Based upon this site line, the Jin Bao tower and the World Financial Center should appear slightly to the right of the Pearl tower which is in line with Chen's photo. Therefore my suspicion and those who also felt that Chen had taken the photos from a different location or had doctored them, were wrong.

However that doesn't change any of the problems that Crowdstrike has in proving its allegation that the person they identified as Chen Ping is responsible for any hacking attacks. As I wrote in my post of June 10th, they failed to prove that Chen Ping or whatever his real name is has breached the network of a foreign company while under orders of the PLA. Those failings and Crowdstrike's failure to even acknowledge them, doesn't inspire confidence. And while no one likes to have their findings criticized, there aren't nearly enough critical reviewers when it comes to cyber intelligence reports generated by for-profit companies.

------

(Original post with some edits) There's something wrong with those dramatic pictures of military satellite dishes contained in the Crowdstrike report on Chen Ping and PLA 61486. This is especially troubling since they play such a big role in Crowdstrike's attribution theory.

First, here's the picture from the Crowdstrike report on page 19:

Click to enlarge

Now here's the original photo from CPYY's online photo album with some labeling provided by one of Taia Global's Hong Kong-based consultants:

Click to enlarge

Notice that in the original photo you can see the Pearl Tower and the World Financial Center (labeling added). That part of the photo was cropped out of the Crowdstrike version. The distance from the PLA base to the Oriental Pearl Tower is 6.4 km but in the photo they seem to be half that distance.

Furthermore, to have taken this picture from the base, CPYY-Chen would have to be looking West. From that angle, the World Financial Center should be to the right of the Pearl Tower rather than to its left as it is in this photo.

On page 20 of the report, Crowdstrike features another satellite dish photo which shows the Pearl Tower in the background.

Click to enlarge

As before, the World Financial Center is on the wrong side of the Pearl Tower; which clearly cannot be the case unless this photo was doctored. And if you look at this image at its full size, it really doesn't take a trained eye to see that something isn't quite right. It's almost as if the satellite dish was layered on top of a different picture.

RELATED:

"Crowdstrike, PLA 61486, and the Secret Hacker Language that wasn't"

Crowdstrike, PLA 61486, and the Secret Hacker Language that wasn't.

According to George Kurtz's introduction to Crowdstrike's Putter Panda report, his company has revealed the activities of PLA unit 61486, the identity of one of its employees' Chen Ping aka cpyy, and the primary location of Unit 61486 in Shanghai. By any definition of proof that you care to name, that assertion is only partially true. They located the headquarters of the PLA's General Staff Dept. 12th Bureau in Shanghai thanks to a public announcement by the PLA itself. That's the part that's true.

UPDATE 10 June 2014: The Project 2049 Institute, which Crowdstrike sourced extensively from, was the first organization to out the address of the Third Department 12th Bureau offices in its 2011 report "The Chinese Peoples Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure", not Crowdstrike.

Crowdstrike did not prove that the person they've identified as Chen Ping aka cpyy is actually named Chen Ping or is an employee of PLA unit 61486 or is even a hacker. All of that is speculation on the part of the researchers. Even the name "Chen Ping" is believed to be real because it corresponds to the "cp" of cpyy. Really? It's not possible that it would also correspond if Chen Ping was a fictitious name; just like the fictitious phone number, postal code, and email address on his WHOIS registration for cpyy.net?

Crowdstrike attempts to connect "Chen Ping" with another Chinese hacker named Linxder by pointing to a forum thread which Crowdstrike claims is "superficially about cars" but could be "a reference to hacking jobs wrapped up in car metaphors."

Nope, and let this be a PRO TIP to everyone who thinks that Google Translate is sufficient to do your "intelligence" work in. Ask a native Chinese speaker (like I did) to translate, then do a little further research and you'll learn that Linxder was talking about her yellow car which looks like a bun.

Crowdstrike refers to this report as intelligence. If it is, it's the worst kind because the authors start with a bias and then search only for evidence that confirms their bias. Even worse, they failed to prove any of their key findings:

• Where is the proof that Chen Ping is a PLA soldier assigned to Unit 61486? 
• Or that Chen Ping is even his real name?
• Or that Unit 61486 has conducted even one cyber attack against a U.S. company?

Just because China is interested in satellite technology and engages in acts of cyber and industrial espionage to get it doesn't mean that Crowdstrike, Mandiant, or anyone else can play fast and loose with attribution. Yes, China does it but so do many nations along with countless independent hacker groups. If you want to prove that Col. Mustard hacked Acme Satellite Company with a Candlestick, then either prove it using accepted international standards of evidence or leave attribution out of your report altogether.