
CHINA'S PEOPLE LIBERATION ARMY: THE HACKINGS, THE ESPIONAGE, AND ANALYSIS

THE LOCKDOWN ON CHINA'S ATTACK ON US' REGIME

Photo taken from http://reflectionsofchina.files.wordpress.com/2012/07/stone-walls-2.jpg

Written by Nathan Chan, British Columbia Institute of Technology
Student Number: A00799452
Instructor: Rui Pereira
Due: November 27, 2014


“If you know the enemy and know yourself you need not fear the results of a hundred battles.” - Sun Tzu, great warlord and philosopher


TABLE OF CONTENTS

Executive Summary ... 3
Introduction ... 4
China’s Guilty Act ... 5
Data Theft of APT1 ... 7
APT1 In The News ... 8
The Hack Attack Lifecycle ... 8
The Crooks And The Crime Behind The Action ... 11
Detection And Forensics ... 15
Recommendations From The Author ... 16
A Comparison Of Other Similar Cyber-crimes And Techniques ... 17
Conclusion ... 17
References ... 18

FIGURES AND TABLES

Unit 61398’s Position Within The PLA ... 6
Unit 61398 Center Building Visible At 208 Datong ... 7
APT1’s Attack Lifecycle Model ... 8
Diagram Explaining A Typical Spear Phishing Attack ... 9
An APT1 Batch Script That Automates Internal Recon ... 10
Counts, Charges, Statutes, And Max Penalty ... 12
Summary Of Defendant’s Conduct Alleged In The Indictment ... 13


Executive Summary

In this piece, you will read about one of the Internet's most wanted groups for stealing US government secrets, from intellectual property to government intelligence: the PLA (People's Liberation Army). I will expose only one of China's cyber espionage units, since there are too many to cover, and I will discuss the crimes the actors have committed. The scope of the hacking teams is very large, and I cannot cover everything in one report, so I will narrow this paper down to APT1 (Advanced Persistent Threat 1), also known as "Byzantine Candor". APT1 has been known to conduct 141 targeted attacks and is consistently described as the major threat to the U.S. APT1 is part of the PLA hacking team and has conducted many breaches in many countries other than the US. It has been attributed as an advanced threat actor since 2002. My context is drawn from a broad range of research, including Mandiant, one of the top providers of government intelligence and the leader in investigating computer security breaches at hundreds of organizations around the world. In Mandiant's observation, "it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen" (2013). Mandiant performed forensic analysis, retraced security breaches within the systems compromised by cyber espionage, and wrote a report, "The Mandiant Report", covering many aspects of the highly profiled APT1 case. Hackers trying to compromise the e-mail accounts of journalists to steal sensitive information is just one of the examples found in the report (Paganini, 2013). The activity recorded in that report represents only a small fraction of the cyber espionage that APT1 has conducted.
APT1 has been traced back to four large networks in Shanghai, two of which serve the Pudong New Area (Mandiant, 2013). It has been concluded that APT1 is still alive and running to this day because it receives direct government support. My research has found that the PLA's APT1 originated in, and conducts its activities from, the building of Unit 61398. I will also discuss the attack lifecycle and the tools of the trade of the PLA's APT1. Their main weapon is a hacking technique called spear-phishing, which delivers malicious software (a backdoor) to the victim's computer. When the victim clicks and opens the backdoor disguised as a legitimate ZIP archive, his or her computer is compromised from the inside. This technique is king in their arsenal because, as security experts describe social engineering, it compromises the weakest link. After spear-phishing, once a foothold is established, backdoors "initiate outbound connections to the intruder's 'command and control' (C2) server" (Mandiant, 2013). The PLA (People’s Liberation Army) is the infamous organization controlling the APT1 unit beneath it; it has been known for stealing data, and charges have been indicted for that dating back to 2006. Through legal analysis, I will cover a special case in which APT1 members conspired to hack into computers of commercial entities located in the Western District of Pennsylvania and elsewhere in the United States. Centrally, they sought to steal trade secrets that would be useful as a competitive advantage, as well as e-mails and related attachments providing information about a company's financial position.


According to the U.S.C. (United States Code), APT1 has breached a substantial number of laws relating to the CFAA (Computer Fraud and Abuse Act), including 18 U.S.C. § 1030(a)(2)(C), 1030(a)(5)(A), 1030(b), 18 U.S.C. § 1028A, 18 U.S.C. § 1831(a)(2), (a)(4), and 18 U.S.C. § 1832(a)(2), (a)(4), to name a few. They have been indicted but not yet tried, as the process is still ongoing. “It is not clear when or how the five Chinese officers charged by the U.S. Department of Justice will ever actually be brought to justice”, states Kerner (2014). Because systems, human and non-human alike, can easily be compromised by social engineering, malicious exploits and backdoors, we should recognize that both machines and people need to be "patched" to prevent future crackers from gaining access to them. As the famous bandit and now security expert Kevin Mitnick once said, "The weakest link in the security chain is the human element", so we too must learn to prevent the people in this new security chain from being compromised. According to Social Engineering: The Art of Human Hacking, a social engineer's secret tactic is to use weaknesses in the wetware to trick a target into trusting the engineer and divulging sensitive information through manipulation (InfoSec Institute, 2013). There are many different ways in which a system can be compromised from within, and I will conclude with my last topic: a comparison of other cyber-crimes and techniques with spear-phishing. Social engineering can come in many forms, such as pretexting, dumpster diving, phishing, IVR, shoulder surfing, or phone phishing, to name a few of the techniques that professional, underground hackers use.

Introduction

APT1 (Advanced Persistent Threat 1) is a group known to be the 2nd Bureau of the People’s Liberation Army, known under its military designation as Unit 61398. This undercover operation remains top secret and is described as the main hub for computer network hacking operations. Mandiant has traced APT1’s activity to four large networks in Shanghai, two of which serve the Pudong New Area, where Unit 61398 is based. The group is infamous for having compromised 141 companies spanning 20 major industries and for systematically stealing hundreds of terabytes of data. The loot known to have been captured by APT1 includes broad categories of intellectual property: “technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and email and contact lists from victim organizations’ leadership” (Mandiant, 2013). Some of the hacking tools they use include GETMAIL and MAPIGET, which steal e-mails. Their network is backed by a heavy arsenal that includes 1,000 servers. In this report, I will discuss how the data breaches occurred and how the data was procured, including the reasoning behind the theft. I will also cover the tedious process of the attack cycle. Just as every sophisticated hacking group has an attack lifecycle, so does the People’s Liberation Army's APT1. Their methodologies have been honed over years and are designed to steal massive quantities (hundreds of terabytes) of intellectual property. For every castle that has been captured, the intruder must first gain a strong foothold in the castle’s territory, and I will explain how they have entered that castle through the backdoor.


APT1 uses the tactics of a “command and control” server directing zombified computers. Its arsenal includes beachhead backdoors, standard backdoors, covert communications, privilege escalation, and internal reconnaissance. I will also cover the infrastructure behind the attack. Evidence from Mandiant suggests that APT1 manually controls thousands of computers in support of its attacks. I will describe how APT1 conducts its spear phishing attacks and implements its command and control software. Diverging from the research on the PLA's APT1, I will explain how social engineering is the weakest link in the “Internet food-chain”. Any machine can be compromised by an attacker such as an APT1 hacker. I will also lay out some social engineering techniques commonly used in the hacker underground, which may inspire some of you to be more aware and to secure yourselves in the wild, wild Internet ecosystem.

China’s Guilty Act

According to everything on record in Mandiant’s report, research has shown that China’s PLA did commit systematic cyber espionage and data breaches, including theft, against organizations around the world, including in the US. To confirm that it was actually China, and specifically Beijing, behind the act, I will present evidence including photos and details of the Unit 61398 facilities. China’s expertise in hacking and cyber espionage is also demonstrated by the unit’s training and coursework requirements. These details are particularly relevant when we discuss APT1’s expertise, personnel, location and infrastructure, which are one and the same as those of Unit 61398. As with all crimes, the verdict cannot be guilty until proven with full confidence.

The Communist Party of China

The PLA’s cyber command is fully funded by the Communist Party of China and is able to draw on state enterprises to support its operations (Mandiant, 2013). It has been speculated that the PLA’s strategic cyber command is situated in the PLA’s General Staff Department (GSD), specifically its 3rd Department. The 3rd Department’s main focus and specializations are signals intelligence, foreign language proficiency, and defense information systems. In addition, the researchers behind “The Mandiant Report” think that the GSD 3rd Department, 2nd Bureau, is the group known and tracked as APT1. The figure below shows how close the 2nd Bureau sits to the highest levels of the CPC. At this level, the 2nd Bureau sits above a large-scale organization of subordinate offices.


Figure 1: Unit 61398’s position within the PLA

Verifying GSD 3rd Department, 2nd Bureau as Unit 61398

It is estimated that Unit 61398’s physical infrastructure is housed by hundreds, perhaps thousands, of army units. Based on public disclosures from within China describing the location and physical installations associated with Unit 61398, it is only by hearsay that the PLA is known to be situated there. For example, public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai, which is referred to as the main “Unit 61398 Building”. This building can hold approximately 2,000 people at its fullest.


Figure 2: Unit 61398 Center Building Visible At 208 Datong

Data Theft Of APT1

APT1 has stolen a huge range of data from its victims. The information usually relates to product development and use, including major blueprints filed as confidential: test results, system designs, product manuals, parts lists, and simulation technologies. They have also stolen manufacturing procedures, such as descriptions of proprietary processes, standards, and waste management processes. They have unjustly stolen business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures, and acquisitions. In addition, they have taken policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel. Emails of high-ranking employees, user credentials and network architecture information were also looted (Mandiant, 2013). Mandiant has reported that it is extremely difficult to estimate how much data APT1 has stolen in total during its intrusions, for several reasons. APT1 secretly deletes the compressed archives after stealing them, leaving only trace evidence that is usually overwritten during normal business activities. Another reason is that pre-existing network security monitoring rarely records or identifies data theft. During the time between the data theft and Mandiant’s investigation, evidence of the theft is overwritten in the normal course of business. Sometimes the impact of the breach is so high that the victims focus their resources on restoring the security of their network instead of investigating and understanding the impact of the breach. Mandiant has observed APT1 stealing a vast amount of information from a single organization over a ten-month period. Given the scope of APT1’s operations, which rely mainly on social engineering, they have clearly shown that they are able to steal from any single organization. They are extremely adept at what they do, stealing hundreds of terabytes from their victims.

APT1 In The News

The news still regularly reports on APT1’s cyber espionage activity. Journalists and information security analysts refer to APT1 by various names. Three nicknames commonly used in the hacking community are Comment Crew, Comment Group, and Shady Rat. All of these nicknames also have Chinese translations, since they were used in committing the crime in Beijing.

The Hack Attack Lifecycle

APT1 has honed its attack methodologies since its presumed inception in 2002, and its main purpose has been to steal a huge amount of intellectual property. The process begins with spear phishing, proceeds to the deployment of custom digital weapons (hacker tools and tactics), and ends with exporting compressed intelligence to China, before the cycle begins again. Their stash of attack weapons includes socially engineered e-mails; they have evolved their digital weapons for more than seven years, usually upgrading their code as part of a software release cycle. APT1 also adapts like a chameleon to its environment and spreads across systems, which makes it effective at exploiting enterprise trust relationships. Like every hacker group, including the infamous “Anonymous”, APT1 has a hack attack lifecycle.

Figure 3: APT1’s Attack Lifecycle Model

The Initial Compromise

The initial tactic is to penetrate the target organization’s network. Spear phishing is the most common and most deadly technique for penetrating the organization. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually targeted and crafted for the recipient. APT1 also creates webmail accounts using real people’s names, names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel. Sometimes the attachments used in spear phishing are malicious ZIP files. Some of the malicious ZIP file names include 2012ChinaUSAviationSymposium.zip, Employee-Benefit-and-Overhead-Adjustment-Keys.zip, and Negative_Reports_Of_Turkey.zip. As you can see, each mimics what a real file attachment looks like, but inside is a backdoor. Below is a diagram from the Mandiant Report explaining how a successful spear phishing attack occurs.

Figure 4: Diagram Explaining A Typical Spear Phishing Attack
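As an added example (not code from the paper or the Mandiant report), the following Python check is what a mail gateway could run on a ZIP attachment of the kind named above, looking for an executable hidden behind a document-like name, an encrypted entry that cannot be scanned, or a file whose first bytes contradict its extension; the sample archives are constructed in memory.

```python
"""Gateway-side inspection of a ZIP attachment for the spear phishing trick
described above: a backdoor executable inside an archive named like a
business document. Added example, not code from the paper or the Mandiant
report; the sample archives below are constructed in memory."""
import io
import zipfile

# File types Windows will execute when the victim double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk"}
# Document types an attacker borrows for the lure name (e.g. Agenda.pdf.exe).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def extensions(path):
    """All lowercase extensions of a path's file name: 'a/Agenda.pdf.exe' -> ['.pdf', '.exe']."""
    name = path.rsplit("/", 1)[-1].lower()
    return ["." + part for part in name.split(".")[1:]]


def inspect_zip(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    for info in archive.infolist():
        if info.is_dir():
            continue
        exts = extensions(info.filename)
        last = exts[-1] if exts else ""
        encrypted = bool(info.flag_bits & 0x1)  # bit 0 of the general purpose flag
        if last in EXECUTABLE_EXTS:
            findings.append(f"{info.filename}: executable file type {last}")
            if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
                findings.append(f"{info.filename}: double extension disguises executable as document")
        if last in ARCHIVE_EXTS:
            findings.append(f"{info.filename}: nested archive")
        if encrypted:
            # Password-protected entries defeat content scanning; treat as suspicious.
            findings.append(f"{info.filename}: encrypted entry, content cannot be scanned")
            continue
        head = archive.open(info).read(4)
        # The extension can lie; the first bytes of the file usually do not.
        if head.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
            findings.append(f"{info.filename}: PE executable header behind extension {last or '(none)'}")
        if last == ".pdf" and not head.startswith(b"%PDF"):
            findings.append(f"{info.filename}: .pdf entry without a PDF header")
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure named after one of the attachments quoted above,
# carrying an executable with a document-looking double extension, and a clean PDF.
LURE_ZIP = build_zip({"2012ChinaUSAviationSymposium/Agenda.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60})
CLEAN_ZIP = build_zip({"2012ChinaUSAviationSymposium/Agenda.pdf": b"%PDF-1.4\n%constructed\n"})

if __name__ == "__main__":
    for label, sample in (("lure", LURE_ZIP), ("clean", CLEAN_ZIP)):
        print(label, inspect_zip(sample) or ["no findings"])
```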

Establishing A Foothold

Establishing a foothold can be defined as the actions that ensure control of the target network’s systems from outside the network (once the backdoor is in place). Backdoor software is software that allows an intruder to send commands to the system remotely (it usually leaves open terminal access from one machine to the victim’s machine). In almost every case, APT backdoors initiate outbound connections to the intruder’s “command and control” (C2) server. The backdoors most commonly used are usually public backdoors available on the DarkNet; they include Poison Ivy and Gh0st RAT. Sometimes APT1 uses its own custom, undetectable backdoors.
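Because the backdoor, not the attacker, opens the connection, the outbound "call home" is what a defender can look for. As an added example (not from the paper or the Mandiant report), this Python script reads a constructed outbound-connection log and flags series whose connections recur at a near-constant interval, the signature of an implant's timer rather than a person browsing.

```python
"""Find a backdoor's outbound "call home" traffic in a connection log: a
(source, destination, port) series whose connections recur at an almost
constant interval is a beacon to a C2 server. Added example, not from the
paper or the Mandiant report; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/proxy export: "timestamp source_host destination_ip port".
# 203.0.113.45 is contacted every ~5 minutes; 198.51.100.8 is ordinary browsing.
SAMPLE_LOG = """\
2014-11-20T09:00:00 WS-017 203.0.113.45 443
2014-11-20T09:00:31 WS-017 198.51.100.8 80
2014-11-20T09:05:00 WS-017 203.0.113.45 443
2014-11-20T09:07:12 WS-017 198.51.100.8 80
2014-11-20T09:10:01 WS-017 203.0.113.45 443
2014-11-20T09:14:55 WS-017 198.51.100.8 80
2014-11-20T09:15:00 WS-017 203.0.113.45 443
2014-11-20T09:20:00 WS-017 203.0.113.45 443
2014-11-20T09:24:10 WS-017 198.51.100.8 80
2014-11-20T09:25:01 WS-017 203.0.113.45 443
"""


def parse_log(text):
    """Yield (timestamp, source, destination, port) from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(text, min_connections=4, max_jitter=0.1):
    """Return {(source, destination, port): interval_seconds} for every series with
    at least min_connections whose gap coefficient of variation is <= max_jitter."""
    series = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        series[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # A human browsing produces irregular gaps; an implant's timer does not.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} every {interval}s")
```

Real implants often randomize the interval, so in practice this check is combined with other signals (rare destination, long-lived sessions) and max_jitter is tuned against the network's own baseline traffic.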


Privilege Escalation

The most commonly used privilege escalation tools mainly come from the Metasploit package and include cachedump, fgdump, gsecdump, lslsass, mimikatz, the pass-the-hash toolkit, pwdump7, and pwdumpX.

Internal Reconnaissance

Once privileges have been escalated, the stage of internal reconnaissance begins. At this stage, the attacker collects information about the victim environment. This usually involves executing a Windows batch script to gather the necessary information and write it to a text file such as 1.txt. Figure 5 shows the script APT1 used on at least four victim machines.

Figure 5: An APT1 Batch Script That Automates Internal Recon

The script above performs the following tasks and saves the results in a file called 1.txt. Forensic investigators found it on the infected and exploited machines.

Display the victim’s network configuration information

List services running on the victim’s machine

List current running processes

List accounts on the system

List accounts with administrator privileges

List current network connections

List currently connected network shares

List other systems on the network

List network computers and accounts according to their user groups (“domain controllers,” “domain users,” “domain admins”)


Moving Stealthily Inside The Network

Once the intruder has a foothold inside the network and a set of legitimate credentials, it is not hard for the intruder to stealthily move around the network undetected.

They can connect to shared resources on other systems

They can execute commands on other systems using the publicly available “psexec” tool from Microsoft Sysinternals or the built-in Windows Task Scheduler (at.exe)

Maintaining Presence Of The Owned Machines

The Mandiant Report emphasizes that the intruder takes full advantage of the systems by maintaining long-term control over the network. They have three main ways of doing that. First, to maintain longer-term access to the network, the enemy installs new backdoors on multiple systems. This is because their stay on the network can last years: if one backdoor is discovered and deleted, they still have other backdoors they can use (conceptually, redundancy). When APT1 has been present for more than a few weeks, there are usually multiple families of APT1 backdoors installed and scattered throughout the victim’s network. Hijacking VPNs is another way for the victim’s computer network to be compromised. APT actors are always looking for valid credentials with which to impersonate a legitimate user. Mandiant has observed APT1 using stolen usernames and passwords to log in to victim networks’ VPNs when the VPNs are protected only by single-factor authentication. From there, they can access whatever the impersonated users are allowed to access within the network. Once armed with stolen credentials, APT1 intruders also attempt to log in to the web portals that some of the owned machines offer. This includes not only restricted websites but also web-based email systems such as Outlook Web Access, which makes it convenient for them to forge more spear phishing emails.

Mission Accomplished

To accomplish their mission, APT1 has to find files of interest and pack them into archive files before stealing them. APT1 intruders most commonly use a RAR archiving utility such as WinRAR, or 7Zip, for this task and ensure that the archives are password-protected. Instead of archiving files one by one, intruders sometimes automate the process by creating bash scripts. APT1 uses two email-stealing utilities that are unique in nature. The first, GETMAIL, is designed specifically to extract messages, attachments, and folders from Microsoft Outlook archive (“PST”) files. The GETMAIL tool gives APT1 intruders the flexibility to take only the emails between dates of their choice. The second tool, MAPIGET, is designed to steal email that has not yet been archived and still resides on a Microsoft Exchange server. MAPIGET requires username/password combinations that the Exchange server will accept. Once authenticated, MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any.
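The recon commands of Figure 5, the psexec / at.exe lateral movement, and the password-protected archive staging described above all leave process-creation records on the endpoint. As an added example (not code from the paper or the Mandiant report), this Python detector classifies a constructed feed of such events, in the shape a Sysmon Event ID 1 or Security 4688 export would give, into those three stages and raises one alert when many distinct recon commands run within a short window, which is what a batch script looks like; the event field names and sample values are assumptions.

```python
"""Classify Windows process-creation events (Sysmon Event ID 1 / Security 4688
style) into the lifecycle stages described above: the internal recon commands
of Figure 5, lateral movement with psexec / at.exe, and staging of
password-protected RAR / 7-Zip archives. Added example, not from the paper or
the Mandiant report; the events and their field names are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per task in the Figure 5 list, matched on the lower-cased command line.
RECON_PATTERNS = [
    r"\bipconfig\b",                              # network configuration
    r"\bnet\s+start\b",                           # running services
    r"\btasklist\b",                              # running processes
    r"\bnet\s+user\b",                            # accounts on the system
    r"\bnet\s+localgroup\s+administrators\b",     # administrator accounts
    r"\bnetstat\b",                               # network connections
    r"\bnet\s+use\b",                             # connected shares
    r"\bnet\s+view\b",                            # other systems on the network
    r"\bnet\s+group\b.*/domain\b",                # domain groups
]
LATERAL_PATTERNS = [r"\bpsexec(\.exe)?\b", r"\bpsexesvc\b", r"\bat(\.exe)?\s+\\\\"]
STAGING_PATTERNS = [r"\b(rar|winrar)(\.exe)?\b.*\s-h?p\S+", r"\b7za?(\.exe)?\b.*\s-p\S+"]
STAGES = (("staging", STAGING_PATTERNS), ("lateral", LATERAL_PATTERNS), ("recon", RECON_PATTERNS))


def classify(cmdline):
    """Return (stage, pattern) for the first matching pattern, or (None, None)."""
    low = cmdline.lower()
    for stage, patterns in STAGES:
        for pat in patterns:
            if re.search(pat, low):
                return stage, pat
    return None, None


def detect(events, window_seconds=120, recon_threshold=5):
    """events: iterable of dicts with ts (datetime), host, user, cmdline.
    Returns lateral and staging hits plus (host, user, start, n) recon bursts, where
    n distinct recon commands ran within window_seconds, as the batch script does."""
    findings = {"recon_bursts": [], "lateral": [], "staging": []}
    recon_hits = defaultdict(list)
    for ev in events:
        stage, pat = classify(ev["cmdline"])
        if stage == "recon":
            recon_hits[(ev["host"], ev["user"])].append((ev["ts"], pat))
        elif stage is not None:
            findings[stage].append((ev["host"], ev["user"], ev["cmdline"]))
    window = timedelta(seconds=window_seconds)
    for (host, user), hits in recon_hits.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {pat for ts, pat in hits[i:] if ts - start <= window}
            if len(distinct) >= recon_threshold:
                findings["recon_bursts"].append((host, user, start, len(distinct)))
                break  # one alert per host/user is enough
    return findings


def event(ts, host, user, cmdline):
    """Build one constructed event record (field names are an assumption)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmdline": cmdline}


# Constructed feed: a recon burst written to 1.txt on FIN-SRV2, a psexec hop, a
# password-protected archive, and routine admin activity that must not alert.
SAMPLE_EVENTS = [
    event("2014-11-20T10:00:00", "FIN-SRV2", "svc_backup", "cmd.exe /c ipconfig /all >> 1.txt"),
    event("2014-11-20T10:00:05", "FIN-SRV2", "svc_backup", "cmd.exe /c net start >> 1.txt"),
    event("2014-11-20T10:00:10", "FIN-SRV2", "svc_backup", "cmd.exe /c tasklist /v >> 1.txt"),
    event("2014-11-20T10:00:15", "FIN-SRV2", "svc_backup", "cmd.exe /c net user >> 1.txt"),
    event("2014-11-20T10:00:20", "FIN-SRV2", "svc_backup", "cmd.exe /c net localgroup administrators >> 1.txt"),
    event("2014-11-20T10:00:25", "FIN-SRV2", "svc_backup", "cmd.exe /c netstat -ano >> 1.txt"),
    event("2014-11-20T10:00:30", "FIN-SRV2", "svc_backup", "cmd.exe /c net use >> 1.txt"),
    event("2014-11-20T10:00:35", "FIN-SRV2", "svc_backup", "cmd.exe /c net view >> 1.txt"),
    event("2014-11-20T10:00:40", "FIN-SRV2", "svc_backup", 'cmd.exe /c net group "domain admins" /domain >> 1.txt'),
    event("2014-11-20T10:12:03", "FIN-SRV2", "svc_backup", "psexec.exe \\\\HR-WS12 cmd.exe"),
    event("2014-11-20T10:41:19", "FIN-SRV2", "svc_backup", "rar.exe a -hp[redacted] C:\\Recycler\\q.rar C:\\Shares\\Finance"),
    event("2014-11-20T11:02:00", "IT-WS03", "jsmith", "ipconfig /all"),
    event("2014-11-20T11:02:40", "IT-WS03", "jsmith", "netstat -ano"),
    event("2014-11-20T11:30:00", "HR-WS12", "aclark", "notepad.exe C:\\Users\\aclark\\notes.txt"),
]

if __name__ == "__main__":
    for stage, hits in detect(SAMPLE_EVENTS).items():
        print(stage, hits)
```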

The Crooks And The Crime Behind The Action

According to the US Department of Justice, in May 2014 the U.S. laid charges against five Chinese military hackers for cyber espionage against U.S. corporations and a labor organization for commercial advantage. A grand jury of the Western District of Pennsylvania (WDPA) indicted five military hackers behind APT, namely Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui. The indictment alleges that Wang, Sun, and Wen, among others known and unknown to the grand jury, hacked or attempted to hack into U.S. entities named in the indictment, while Huang and Gu supported their conspiracy by, among other things, managing U.S. infrastructure (e.g. domain accounts) used for hacking. The victims of the collaborative hackings include Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc. Below is a table listing the counts, charges, statutes and maximum penalties for the case, taken from the U.S. DoJ (Department of Justice).

Table 1: Counts, Charges, Statutes, and Max Penalty

| Count(s) | Charge | Statute | Maximum Penalty |
|---|---|---|---|
| 1 | Conspiring to commit computer fraud and abuse | 18 U.S.C. § 1030(b) | 10 years |
| 2-9 | Accessing (or attempting to access) a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain | 18 U.S.C. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2 | 5 years (each count) |
| 10-23 | Transmitting a program, information, code, or command with the intent to cause damage to protected computers | 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2 | 10 years (each count) |
| 24-29 | Aggravated identity theft | 18 U.S.C. §§ 1028(a)(1), (b), (c)(4), and 2 | 2 years (mandatory consecutive) |
| 30 | Economic espionage | 18 U.S.C. §§ 1831(a)(2), (a)(4), and 2 | 15 years |
| 31 | Trade secret theft | 18 U.S.C. §§ 1832(a)(2), (a)(4), and 2 | 10 years |

In addition to the list of counts and their offenses shown above, here is the Summary of Defendants’ Conduct Alleged in the Indictment, quoted directly from the DoJ website.

Table 2: Summary of Defendant’s Conduct Alleged in the Indictment

| Defendant | Victim | Criminal Conduct |
|---|---|---|
| Sun | Westinghouse | In 2010, while Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese SOE (SOE-1), including technology transfers, Sun stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings. Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with SOE-1, Sun stole sensitive, non-public, and deliberative e-mails belonging to senior decision-makers responsible for Westinghouse’s business relationship with SOE-1. |
| Wen | SolarWorld | In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had “dumped” products into U.S. markets at prices below fair value, Wen and at least one other, unidentified co-conspirator stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things. Such information would have enabled a Chinese competitor to target SolarWorld’s business operations aggressively from a variety of angles. |
| Wang and Sun | U.S. Steel | In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2). Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spear phishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these e-mails resulted in the installation of malware on U.S. Steel computers. Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks). Wang thereafter took steps to identify and exploit vulnerable servers on that list. |
| Wen | ATI | In 2012, ATI was engaged in a joint venture with SOE-2, competed with SOE-2, and was involved in a trade dispute with SOE-2. In April of that year, Wen gained access to ATI’s network and stole network credentials for virtually every ATI employee. |
| Wen | USW | In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013. |
| Sun | Alcoa | About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise (SOE-3) in February 2008, Sun sent a spear phishing e-mail to Alcoa. Thereafter, in or about June 2008, unidentified individuals stole thousands of e-mail messages and attachments from Alcoa’s computers, including internal discussions concerning that transaction. |
| Huang | | Huang facilitated hacking activities by registering and managing domain accounts that his co-conspirators used to hack into U.S. entities. Additionally, between 2006 and at least 2009, Unit 61398 assigned Huang to perform programming work for SOE-2, including the creation of a “secret” database designed to hold corporate “intelligence” about the iron and steel industries, including information about American companies. |
| Gu | | Gu managed domain accounts used to facilitate hacking activities against American entities and also tested spear phishing e-mails in furtherance of the conspiracy. |

Detection And Forensics

The Mandiant Report was written as a result of the detection and forensics of APT1 (as directly observed). Mandiant made comparisons, and therefore knows what happened. I will now compare the direct observations of APT1 with what was factually reported about Unit 61398. In terms of mission area, APT1 stole intellectual property from English-speaking organizations and targeted strategic emerging industries identified in China’s 12th Five Year Plan. By comparison, what was factually reported is that the unit conducts computer network operations against English-speaking targets.

Next, I will compare tools, tactics, and procedures. APT1 has organized, funded, disciplined operators with specific targeting objectives and a code of ethics. For example, Mandiant has not witnessed APT1 destroy property or steal money, which contrasts with most “hackers” and even the most sophisticated organized crime syndicates. In that respect, they are not as heinous as they look. Similarly, the unit has been reported to conduct military-grade computer network operations.

We can compare the scale of operations as well. From direct observation of APT1 as a threat, Mandiant has continuously witnessed the theft of hundreds of terabytes from 141 organizations since at least 2006, with the targeted data spread across at least 20 major industries. The size of the “hop” infrastructure and the continuous malware updates suggest at least dozens (but probably hundreds) of operators, with hundreds of support personnel trained in IT infrastructure and literate in English. The unit, as part of the PLA, has the resources (people, money, influence) necessary to orchestrate operations at APT1’s scale. Investigations and reports have also found that the site has hundreds, perhaps thousands, of people, as suggested by the size of their facilities and their position within the PLA.

Their expertise can also be compared. APT1, as observed, has the necessary English language proficiency, malware authoring and computer hacking techniques, and the ability to identify data worth stealing across 20 industries. As reported of Unit 61398, recruits must meet English language requirements and know operating system internals, digital signal processing, and steganography techniques in order to join. Most of the unit’s personnel were recruited from Chinese technology universities. As for location, there are traceable hints.

The location of the attacks can be evaluated and then contrasted. As evidenced, an APT1 actor used a Shanghai phone number to register email accounts. Two of the four “home” Shanghai net blocks are assigned to the Pudong New Area. Systems used by APT1 intruders have Simplified Chinese language settings, as identified from the systems themselves, and an APT1 persona’s self-identified location is the Pudong New Area. On the unit’s side, its headquarters and other facilities are spread throughout the Pudong New Area of Shanghai, China.

Lastly, infrastructure can be compared. APT1’s telecommunications link back to four main net blocks in Shanghai hosted by China Unicom (one of the two Tier 1 ISPs in China), and some use China Telecom IP addresses (the other Tier 1 ISP). As reported of Unit 61398, it co-builds network infrastructure with China Telecom in the name of national defense.
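The comparison above lines up independent indicator classes (location, expertise, infrastructure) from observed intrusions against the unit's public profile. The following added example, written for this essay and not taken from the Mandiant report or any Mandiant tool, shows how an analyst might encode that comparison; the net blocks are RFC 5737 documentation ranges standing in for the real Shanghai blocks, and the locale code and Shanghai dial prefix (+86 21) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed profile on the paper's comparison axes. Net blocks are
# documentation ranges (placeholders, not APT1's real blocks); the locale
# code and Shanghai dial prefix are assumptions for illustration.
UNIT_PROFILE = {
    "location.net_blocks": [ipaddress.ip_network("192.0.2.0/24"),
                            ipaddress.ip_network("198.51.100.0/24")],
    "location.phone_prefix": "+8621",      # assumed Shanghai prefix
    "expertise.locale": "zh-CN",           # Simplified Chinese setting
    "infrastructure.providers": {"China Unicom", "China Telecom"},
}

@dataclass
class Observation:
    kind: str    # one of: source_ip, phone, locale, provider
    value: str

def match_axes(observations):
    """Map each observation to the comparison axis it supports and
    return {axis: [evidence strings]} for the axes that matched."""
    hits = {}
    for obs in observations:
        if obs.kind == "source_ip":
            addr = ipaddress.ip_address(obs.value)
            if any(addr in net for net in UNIT_PROFILE["location.net_blocks"]):
                hits.setdefault("location", []).append(f"ip {obs.value} in profiled net block")
        elif obs.kind == "phone":
            digits = obs.value.replace(" ", "").replace("-", "")
            if digits.startswith(UNIT_PROFILE["location.phone_prefix"]):
                hits.setdefault("location", []).append(f"registration phone {obs.value} is Shanghai")
        elif obs.kind == "locale" and obs.value == UNIT_PROFILE["expertise.locale"]:
            hits.setdefault("expertise", []).append("Simplified Chinese system locale")
        elif obs.kind == "provider" and obs.value in UNIT_PROFILE["infrastructure.providers"]:
            hits.setdefault("infrastructure", []).append(f"hosted on {obs.value}")
    return hits

def overlap_score(observations, axes=("location", "expertise", "infrastructure")):
    """Fraction of independent axes corroborated. A single matching
    indicator is weak on its own; confidence comes from several axes
    agreeing, which is the logic of the comparison in the text."""
    hits = match_axes(observations)
    return sum(1 for a in axes if a in hits) / len(axes), hits

if __name__ == "__main__":
    # Constructed sample observations from a hypothetical intrusion.
    sample = [Observation("source_ip", "192.0.2.45"),
              Observation("phone", "+86 21 5555 0100"),
              Observation("locale", "zh-CN"),
              Observation("provider", "China Unicom")]
    print(overlap_score(sample))
```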

Recommendations From The Author

To reflect, I believe that the main counter-attack against spear phishing and social engineering is to train people to think like a hacker and to hold yearly, if not monthly, drills that make them aware that a hack can occur at any time, just as an earthquake or fire can strike without warning. Implementing the correct security policies makes a real difference for a company compared with having none. Another hard fact we need to face is limiting data leakage; we need to remember that a good social engineer such as Kevin Mitnick will use leaked information against a company. For example, websites, public databases, Internet registries, and other publicly accessible data sources should list only generic information instead of employee names (InfoSec Institute, 2014). We as citizens and people who work in the corporate world have to know what social engineering really means. In effect, it means handing our rights over to the attacker and ultimately being seriously compromised, when in fact it is our own misunderstandings and shortcomings that have shaped us into the targets we are. We need to remember that, “[we] could spend a fortune purchasing technology and services… and [our] network infrastructure could still remain vulnerable to old-fashioned manipulation” (InfoSec Institute, 2014).

We also need to understand what social engineers really want from us. A skilled social engineer is looking for information we divulge that could lead one step further, to financial or identity theft, or that prepares them for a more targeted attack. They are also looking for ways to install backdoors into your system, as in the APT1 case, giving them better access to personal data, computer systems, or accounts. Some social engineers do it for keeps: the competitive advantages.


A Comparison Of Other Similar Cyber-crimes and Techniques

Phishing is common in the hacker’s world, but there are other techniques that are just as dangerous. IVR or phone phishing, also known as ‘vishing’, uses an interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank’s or other institution’s IVR system. The victim is then tricked into calling the “bank” via a provided phone number in order to “verify” information.

Baiting is another black-hat technique and is typically done by leaving a malware-infected CD or USB key in a company building, in a place that makes it seem as though the item was dropped by accident. It works like a Trojan horse: the victim picks up what looks like an unexpected gift, and the attacker’s payload rides in with it.

Finally, there is also reverse social engineering, where an attacker gets the victim to call them back about something the attacker has previously said or done. “Since the victim is calling the attacker, the victim is already at the attacker’s mercy, and it is almost impossible for the victim to tell that they are being attacked if they have already legitimately made the call back to the attacker” (InfoSec Institute, 2014).

Conclusion

Will the U.S. threats be mitigated when China’s flames are smothered and quenched? Not exactly! But when crimes are investigated, people will know who the main perpetrators are, and who the real heroes are. A great warlord and philosopher, Sun Tzu, once said, “If you know the enemy and know yourself you need not fear the results of a hundred battles.” Likewise, if we know how the great PLA will attack us before they even do, we will know how to set up our great firewalls of America to keep the flaming arrows out. We can play our chess pieces with servers and computers as we equip ourselves with security knowledge, defending them with towers of encryption and strong passwords. We would also know how to set up anti-viruses, IDSes (Intrusion Detection Systems) and IPSes (Intrusion Prevention Systems), strengthening the core of our strongholds. If we can detect attack signatures and virus definitions, including custom backdoors, we will have better intelligence and a more fortified network. So, let’s set up those bulletproof servers and build more defenses for the future cyberwars between the Great Wall of China and the Great Wall of the US.


REFERENCES

Clayton, M. (2014, May 19). US indicts five in China's secret 'Unit 61398' for cyber-spying on US firms ( video). Retrieved November 11, 2014, from http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0519/US-indicts-five-in-China-s-secret-Unit-61398-for-cyber-spying-on-US-firms-video

Kerner, S. (2014, January 1). Justice Department Charges Chinese Military Officers With Hacking. eWeek, 5.

Mandiant APT1 Report. (2013). Retrieved November 11, 2014, from http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Paganini, P. (2013, June 9). China vs US, cyber superpowers compared. Retrieved November 11, 2014, from http://resources.infosecinstitute.com/china-vs-us-cyber-superpowers-compared/

Sanger, D., Barboza, D., & Perlroth, N. (2013, February 18). Chinese Army Unit Is Seen as Tied to Hacking Against U.S. Retrieved November 11, 2014, from http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html

Smith, N. D., LeBrun, N., Center for the Book, Cronkite Ward Company, & Discovery Communications, Inc. (1994). Sun-Tzu: Art of War. Bethesda, MD: Discovery Communications, Inc.

Social Engineering: The Art of Human Hacking. (2013, December 18). Retrieved November 11, 2014, from http://www.tuicool.com/articles/VfIRjm

U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage. (2014, May 19). Retrieved November 11, 2014, from http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor