Sunday, November 15, 2009

Anatomy of a Cyber-Espionage Attack, likely by the Chinese Military


Our Pals, the Chinese


Several years ago, information security analysts at a large U.S. firm noticed a huge amount of corporate network traffic headed to external servers. The data was destined for computers located in the U.S. and in foreign countries.

Reacting quickly, the analysts stanched the traffic flows but not before large amounts of corporate data had been stolen by unknown attackers.

Other large companies were also targeted during the same period. The attackers were able to process huge volumes of data, but they did so very selectively. They did not "take what they could get". They selected only specific files, a characteristic of highly professional attacks.

In addition, the attackers did not bother to view the files to verify their contents before "exfiltrating" them. This suggests that prior reconnaissance missions had been conducted in which directory listings had been scrutinized beforehand and used to build a list of targets.

During the nearly week-long incident, the intruders carried out a highly "complex data exfiltration operation" that indicated preparations had been ongoing for months; the attackers "patiently assembled a detailed picture of [the] network."

The characteristics of discipline, scale, preparation, patience and a multi-stage attack were consistent with a "state or military"-sponsored operation. And the attack was consistent with other incidents attributed to Chinese network intrusions, including:

• The tools used and a link from the company directly to a command center in China.

• The attackers had previously identified specific directories, file shares, servers, files, user accounts, employee names, password policies, group memberships and other relevant information, likely gathered during a comprehensive reconnaissance phase.

• The intruders did not view any files prior to exfiltration, suggesting they already knew the contents or meta-data.

The attackers used two distinct groups to carry out the attacks: a breach team ("Team One") and a collection team ("Team Two"). Some of the key aspects of the attack:

• The attackers had collected "dozens" of valid employee user accounts to gain network access.

• They used RDP (Remote Desktop Protocol) to communicate with targeted hosts.

• They had accessed the network nearly 150 different times leading up to the exfiltration.

• The intruders harvested password (NTLM) hashes directly from Windows domain controllers and sometimes submitted them to authentication proxies directly. These actions appear intended to defeat two-factor authentication requirements that may have been in place.

• The attackers also repeatedly listed group memberships to determine which users were allowed to access sensitive folders.
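The reconnaissance indicators listed above (dozens of valid accounts, RDP as the access channel, roughly 150 separate accesses) translate into a simple detection: one source host cycling through many distinct accounts over RDP in a short window. The detector below is an added example, not code from the original post or from the Northrop Grumman report; the record format (modelled loosely on the fields of a Windows logon event, with logon type 10 meaning an RDP session), the host names, the accounts and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Flag source hosts that use many distinct accounts over RDP in a short window.

Added example for the reconnaissance indicators in the post; record format,
host names, accounts and thresholds are assumptions, and the sample log is
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, logon type (10 = RDP/RemoteInteractive,
# 2 = local console), account, source host. The format is an assumption.
SAMPLE_LOGONS = """\
2009-11-01T02:10:05 10 alice ws-0443
2009-11-01T02:11:40 10 bob ws-0443
2009-11-01T02:13:02 10 carol ws-0443
2009-11-01T02:14:15 10 dave ws-0443
2009-11-01T02:16:31 10 erin ws-0443
2009-11-01T02:18:50 10 frank ws-0443
2009-11-01T09:00:00 10 alice ws-0101
2009-11-01T09:05:00 2 alice ws-0101
2009-11-02T03:00:00 10 grace ws-0443
"""


def parse_logons(text):
    """Parse the constructed format into (timestamp, logon_type, account, source)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, logon_type, account, source = line.split()
        records.append((datetime.fromisoformat(ts), int(logon_type), account, source))
    return records


def rdp_account_spread(records, window=timedelta(hours=1), min_accounts=5):
    """Return {source: accounts} for every source host that used at least
    `min_accounts` distinct accounts over RDP within any sliding `window`.

    A normal workstation authenticates as one or two people; a host that logs
    in as six different employees inside an hour is the pattern described in
    the post (many harvested accounts, one operator behind them).
    """
    by_source = defaultdict(list)
    for ts, logon_type, account, source in records:
        if logon_type == 10:  # RDP only; console logons are ignored
            by_source[source].append((ts, account))

    flagged = {}
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[source] = accounts
    return flagged


if __name__ == "__main__":
    for source, accounts in rdp_account_spread(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{source}: {len(accounts)} distinct RDP accounts -> {sorted(accounts)}")
```

The sliding window matters more than the raw count: 150 accesses spread over months look like normal remote work, while six accounts from one host in eight minutes do not. Tune `min_accounts` against the jump hosts and help-desk machines that legitimately authenticate as many people.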

After the reconnaissance phase, the attack unfolded in phases.

• "Staging servers" were chosen to house data for exfiltration. These appear to have been chosen for their performance and network connectivity characteristics. In this attack, all were Microsoft Exchange (mail) servers.

• All seven staging servers had communications channels opened to an external command-and-control (C2) server.

• Data selected for exfiltration was then moved to the staging servers.

• Once the data had been moved to staging, the files were compressed and encrypted into numbered RAR archives. All were exactly the same size of 650 MB, suggesting they would be stored on CDs.
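The staging step leaves a concrete artifact on disk: a run of sequentially numbered RAR archives that are all exactly the same size. A periodic scan of file servers and mail servers for that shape is a cheap check. The scanner below is an added example, not code from the original post or the report; the archive naming pattern is an assumption, and the sample tree it builds uses tiny files in a temporary directory rather than 650 MB archives, so the size is a parameter rather than a constant.

```python
"""Find sets of numbered RAR archives of identical size under a directory tree.

Added example for the staging-server indicator in the post. The naming
pattern (stem + number + .rar) is an assumption, and build_sample_tree()
constructs a small synthetic layout so the scan runs offline.
"""
import os
import re
import tempfile
from collections import defaultdict

# Matches names such as backup01.rar or data7.RAR; stem and number are captured
# so that one archive set can be grouped by its common stem. Assumed pattern.
NUMBERED_RAR = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)\.rar$", re.IGNORECASE)


def find_uniform_archive_sets(root, min_count=3, exact_size=None):
    """Walk `root` and return (directory, stem, size, count) for every group of
    at least `min_count` numbered .rar files in one directory that share the
    same stem and exactly the same size. If `exact_size` is given (for example
    650 * 1024 * 1024), only groups of that size are reported."""
    groups = defaultdict(list)  # (dir, stem, size) -> [filenames]
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = NUMBERED_RAR.match(name)
            if not m:
                continue
            size = os.path.getsize(os.path.join(dirpath, name))
            if exact_size is not None and size != exact_size:
                continue
            groups[(dirpath, m.group("stem"), size)].append(name)
    return [
        (d, stem, size, len(files))
        for (d, stem, size), files in groups.items()
        if len(files) >= min_count
    ]


def build_sample_tree(root, chunk_size=4096):
    """Construct a sample layout: five same-size numbered archives in one
    directory, plus a text file and a lone archive that must not be reported."""
    staged = os.path.join(root, "exchange_tmp")
    os.makedirs(staged)
    for i in range(1, 6):
        with open(os.path.join(staged, f"backup{i:02d}.rar"), "wb") as f:
            f.write(b"\0" * chunk_size)
    with open(os.path.join(staged, "notes.txt"), "wb") as f:
        f.write(b"unrelated")
    with open(os.path.join(root, "single99.rar"), "wb") as f:
        f.write(b"\0" * 100)
    return staged


def demo():
    """Build the sample tree, scan it, and return hits relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = find_uniform_archive_sets(root)
        return [(os.path.relpath(d, root), stem, size, n) for d, stem, size, n in hits]


if __name__ == "__main__":
    for directory, stem, size, count in demo():
        print(f"{directory}: {count} archives '{stem}NN.rar', each {size} bytes")
```

On a real mail server the interesting call is `find_uniform_archive_sets("/path/to/volume", exact_size=650 * 1024 * 1024)`; the uniform size is the stronger signal, because legitimate backups are rarely split into identical, CD-sized pieces.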

The exfiltration phase of the attack was the most sensitive. Actions taken by the attackers suggest that speed of data transit outside of the network was of the highest priority. All seven staging servers were used simultaneously for this purpose. The intruders even tested the available bandwidth ahead of time by beginning a download of a video file to verify expected performance.

• A proxy for C2 communications was a compromised DSL-connected PC in the U.S.

• Large volumes of data were moved from staging servers to multiple external "drop points". Two of the drop points failed, so the remaining servers were used to house the data copied from the staging servers.
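The exfiltration phase described above has a network signature that is hard to hide: several internal servers, all mail servers in this case, pushing large volumes to a handful of external addresses at the same time. The detector below is an added example, not code from the original post or the report; it aggregates constructed flow records (timestamp, internal host, destination IP, bytes out) into fixed windows and raises an alert when two or more hosts each exceed a byte threshold toward external addresses in the same window. The record format, host names, addresses and thresholds are assumptions.

```python
"""Detect several internal hosts sending large volumes externally in parallel.

Added example for the exfiltration indicators in the post. Flow format,
host names, addresses and thresholds are assumptions; the records below are
constructed (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp, source host, destination IP, bytes out.
SAMPLE_FLOWS = """\
2009-11-03T01:00:00 exch01 198.51.100.7 900000000
2009-11-03T01:02:00 exch02 198.51.100.7 850000000
2009-11-03T01:03:00 exch03 203.0.113.9 820000000
2009-11-03T01:05:00 exch01 203.0.113.9 700000000
2009-11-03T01:20:00 fs01 10.0.0.5 5000000000
2009-11-03T08:00:00 exch01 198.51.100.7 10000000
"""

# RFC 1918 space is treated as internal; everything else counts as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed format into (timestamp, host, dst_ip, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return flows


def detect_parallel_exfil(flows, window_minutes=15,
                          host_threshold=500_000_000, min_hosts=2):
    """Return [(window_start_iso, [hosts])] for each fixed window in which at
    least `min_hosts` internal hosts each sent >= `host_threshold` bytes to
    external addresses. Internal-to-internal traffic (a large backup to a
    file server, say) is ignored, which is why fs01 below never alerts."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, host, dst, nbytes in flows:
        if not is_external(dst):
            continue
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        buckets[start][host] += nbytes

    alerts = []
    for start in sorted(buckets):
        heavy = sorted(h for h, total in buckets[start].items() if total >= host_threshold)
        if len(heavy) >= min_hosts:
            alerts.append((start.isoformat(), heavy))
    return alerts


if __name__ == "__main__":
    for window_start, hosts in detect_parallel_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{window_start}: parallel outbound transfer from {', '.join(hosts)}")
```

The per-host threshold alone would fire on every large legitimate upload; the "several hosts in the same window" condition is what matches the simultaneous use of all seven staging servers, and a mail server role check on the flagged hosts would narrow it further.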

The company's security team recognized the attack and responded using intrusion prevention tools, but not before a significant amount of data had left the corporate network.


Based upon: 'Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation', Northrop Grumman Corporation [PDF]. Linked by: Jawa Report. Thanks!
