Monday, July 14, 2014

Su Bin, Lode-Tech, And Privatizing Cyber Espionage In The PRC

The criminal complaint against Chinese businessman Su Bin (aka Stephen Su, Stephen Subin) is a must-read. Be sure to read the Wall Street Journal article as well. It marks the first time that the FBI has issued an arrest warrant for a foreigner charged with an act of cyber espionage via a network attack that has until now been attributed solely to state actors like the PLA.

The complaint provides an indepth look at an EaaS (Espionage-as-a-Service) operation involving one named suspect and two unnamed co-conspirators. I've tried to reduce the 49 page complaint into its essential components and added a few missing pieces.

SU Bin (Stephen Su) 

Su's alleged role was to help his partners identify valuable military aviation technology to steal and then find buyers for the stolen data. His company's logo as portrayed on the website is almost laughably ironic: "We will track the world's aviation advanced technology." Su and his partners did exactly that, but would then attempt to steal the technology and sell it to their customers.

Su has been the owner and manager of Beijing Lode Technology Company, Ltd. since 2003. Lode-Tech is a cable harness equipment company that serves the aviation and space market. The company has offices in Beijing, Shanghai, Guangzhou, Shenzhen, Chengdu, Xi'an, Shenyang and Changchun.

Lode-Tech is also a representative and distributor of related aerospace products for a number of companies including DIT-MCO in Kansas City, MO; a company which proudly announces that its equipment "was used on the early "Hawk Missile," the first intercontinental Atlas missile, the Polaris missiles for the Navy, the Titan missiles for the Air Force, and the Patriot Missile used so successfully in the Desert Storm War, as well as almost all the aircraft used by the Air Force, Army and the Navy.”

DIT-MCO plus Lode-Tech's other business relationships in the aerospace industry (such as sharing space with Boeing at the Beijing Aviation Expo) put Su in an excellent position to identify valuable data for theft by a team of mercenary hackers who are identified in the complaint as UC1 and UC2.
NOTE: This case underscores the importance for companies in high value technologies like aerospace to (a) conduct indepth due diligence investigations on all of their vendors and (b) restrict network access by implementing least privilege rules.

Uncharged Co-Conspirator 1 and 2 (UC1, UC2)

According to the complaint, UC1 and UC2 are located in China, are hackers for hire, and are affiliated with multiple organizations and entities in the PRC. They have a diverse history of accomplishments but have chosen to focus on "military technology intelligence". They have an unidentified funding source that provided working capital in seven figures RMB, a hierarchial structure, and engage in business development. They've been working with Su since at least August, 2009.

In addition to their collaboration with Su on the Boeing C-17 project, UC1 sent several reports to UC2 which described other actions:
  • Targeted F-22 data from Lockheed Martin (LMT wasn't named in the complaint but they're building the F-22 and their sensitive documents use the classification terminology "Proprietary Information Source Selection Sensitive" which was mentioned in the complaint on p. 42).
  • Stole 20GB of data from a U.S. military contractor via the company's FTP server
  • Acquired a list of contractors and suppliers for a U.S. Unmanned Aerial Vehicle project and performed network reconnaissance.
  • Have access to a Russian-Indian joint missile development program by "controlling" the company's website and "awaiting the opportunity to conduct internal penetration".
NOTE: The name of the company is redacted in the report but it may be referring to the Brahmos 2 missile developed by Brahmos Aerospace; a joint venture between India's DRDO and Russia's NPO Mashinostroyenia.

Activities and Methodologies

  • Their target selection is informed by S&T (Science and Technologies) priorities of their potential customers. 
  • They establish "technology bases" and hop servers outside of China (i.e.; U.S., Korea, Singapore) and "machine rooms" with legal status in Macao and Hong Kong
  • Intelligence collection is done outside of the PRC (presumably at the above locations) and brought into China in person rather than electronically.
  • They focus on those U.S. and Taiwanese defense contractors which are among the Global top 50 arms companies.


While this is the first criminal complaint that describes "hackers-for-hire" or Espionage-as-a-Service it isn't new and it isn't exclusive to China. U.S. cyber security companies who research APT threat actors should study this criminal complaint closely; especially those who have spent the last 9 years defining APT solely as the Chinese government.

Threat intelligence companies worldwide need to find ways to differentiate the activities of a nation-state with those of a for-profit hacker group, criminal organization, or other alternative entities engaging in acts of cyber espionage. That may be difficult under current APT assumptions and with the limitations of purely technical indicators.

Finally, the SU-UC1-UC2 enterprise as described in this criminal complaint underscores and validates a data-centric approach to cyber security wherein a company identifies their own high value files by knowing the S&T research priorities of a given nation state and its state-owned or publicly-owned enterprises.

Friday, July 11, 2014

Airbus Defense and Space's First APT Threat Intelligence Report: Nice Work!

I've been a frequent and vocal critic of many threat intelligence reports issued by the usual players in information security. So it was very refreshing to read this report by Cassidian CyberSecurity (now a part of Airbus Defense and Space) on an APT threat actor that they named "Pitty Tiger".

I haven't studied the report yet but I did give it a quick read and want to congratulate the team of researchers including David Bizeul who did such an outstanding job in 2007 with his report on the Russian Business Network.

Here's what I really appreciated about the Pitty Tiger report:

APT Threat Actors - Not State Sponsored
Pitty Tiger is described as a Chinese group of hackers who demonstrated poor operational security (similar to the carelessness shown by members of Mandiant's APT1) as inexperienced hackers who were out to make a quick buck rather than bored or careless soldiers working for the PLA:
Pitty Tiger is probably not a state-sponsored group of attackers. The attackers lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.
This is the first time that I recall reading a security intelligence report which didn't portray the hackers as state-sponsored, state-affiliated or employed by the PLA. That in and of itself is news-worthy as far as I'm concerned.

The researchers refer to an "opportunistic business model", something that I and other security researchers like J. Oquendo and Peter Mattis have written about as well.

Use of the term "White Paper"
The authors properly categorized their threat intelligence report as a white paper, which it is because it has marketing value for the company. Many well-known cyber security companies who issue security intelligence reports fail to acknowledge that.

Responsible Attribution
The researchers exercised restraint and used cautious language in their attribution section. They didn't make baseless assumptions about "real names" or jump to any conclusions about the identities or affiliations of the hackers.

Kudos to the Airbus team for this report. Please keep them coming.

Monday, July 7, 2014

Suits and Spooks from the US, EU, Russia, The Hague to talk 0-day Regulation and other topics

Suits and Spooks London is happening on Friday Sep 12th with speakers from BAE Systems, EUROPOL, CERT-EU, Kaspersky Lab, CrySyS Lab, Goldman Sachs, PwC and other organizations. If you're looking for a security conference where you're expected to be a passive participant, don't bother coming.

If, on the other hand, you have an opinion about the relative value of attribution, the wisdom of active defense, the regulation of 0-day development and dual-use penetration testing products, and want to have an informed discussion and debate about them with people who can make a difference, then by all means join us at the top of the Blue Fin building in central London for a day of stimulating topics and discussions.

Here's a short video introduction to Suits and Spooks, if you've never attended the event.

Take advantage of our Early Bird rate of GBP135.00 ($231) before July 31st. Seating is limited to 50 attendees. You can also register by phone (855) 777-8242.