Luxembourg: The Steve McQueen of Cybersecurity

Here’s the scant good news on cybersecurity: it’s getting harder for attackers to hide.  The same security weaknesses that bedevil our networks can be found on the systems used by our attackers. A shorter version is something I call Baker’s Law: “Our security sucks.  But so does theirs.”

That’s good news because, with a little gumption, we can exploit hacker networks, gather evidence that identifies our attackers, and eventually take action that will make them regret their career choices.

Unfortunately, the United States has been sitting out this attribution revolution.  Our vaunted Cyber Command may be energetically exploiting hacker networks, but it isn’t helping private victims of cyberespionage. Foreign governments are hacking US companies, law firms, activists, and individuals with abandon, but our government seems unable or unwilling to stop the attacks or identify the attackers.  In fact, hacking victims who want to gather evidence against the bad guys are being warned off, told that conducting a private investigation could put them at risk of prosecution.  As an anonymous Justice Department spokesman recently told the press,

“Arguments for or against hack-back efforts fall into two categories: law and policy,” the DOJ spokesman told BNA. “Both recommend against hack-back. Under current law, accessing a computer that you do not own or operate without permission is likely a violation of law. And while there might be something satisfying about the notion of hack-back on a primal level, it is not good policy either.”

Actually, the spokesman could have stated the Department’s policy even more concisely: “We don’t know how to protect you, but we do know how to keep you from protecting yourselves.”

Justice wants to cut off the debate over hacking back. But it’s too late for that.  Even if Justice adopts something tougher than its carefully qualified (and longstanding) statement that hackbacks are “likely a violation” of federal law, all it can really do is drive hackbacks offshore, leaving US companies more exposed to intrusions than companies in more tough-minded jurisdictions.

Exhibit A for this theory is a recent cybersecurity report from two Luxembourg entities, a private computer incident response team (Malware.lu) and iTrust Consulting.  It turns out that, as far as hackbacks go, little Luxembourg has more cojones than the entire United States cybersecurity establishment.

The report, by Paul Rascagnères, focuses on “APT1” — the cyberespionage gang recently identified by Mandiant as Unit 61398 of the Chinese People’s Liberation Army.  For those of us who think hackback is a useful cybersecurity policy tool, the report is both informative and fun — because Rascagnères served APT1 a double helping of what the unit has been dishing out to the rest of us for years.

Inspired by Mandiant, Rascagnères decided to go hunting for the hacking unit’s command and control infrastructure.  Unlike Mandiant, though, he didn’t start with victims and track back to the controllers.  Instead, he started at the other end, scanning whole networks of machines to find ones that were running Poison Ivy, the hackers’ favorite Remote Access Tool, or RAT.  Poison Ivy operates in a client-server model, where the “client” is the implant installed on a victim’s computer and the “server” is the attacker’s controller that the implant connects to. The server software presents a graphical user interface for surreptitiously controlling another person’s computer. (Several screenshots of this “exploit GUI” are included in the report.)
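What that “other end” scan looks like in practice, as an added example (not code from the Malware.lu/iTrust report): a Poison Ivy server can be told apart from any other listener by its connection handshake, a behaviour that public scanners such as the Metasploit poisonivy_bof module also rely on. On a fresh TCP connection the server accepts 256 bytes from whatever connects, replies with a 256-byte challenge response, and then sends the four bytes d0 15 00 00. The exact byte values, the default port 3460 and the extra ports listed are assumptions to confirm against a sample of your own before trusting a sweep.

```python
"""Fingerprint Poison Ivy command-and-control servers by their connection handshake.

Added example; not code from the report.  The handshake fingerprint below is the
one used by public scanners (e.g. Metasploit's poisonivy_bof module): send any
256 bytes, expect 256 bytes back followed by the marker d0 15 00 00.  Treat the
marker and the port list as assumptions to verify against your own sample.
"""
import socket
import sys

PI_PROBE = b"\x00" * 256            # any 256 bytes will do; zeros are easy to spot in a pcap
PI_MAGIC = b"\xd0\x15\x00\x00"      # 4-byte marker the server sends after its 256-byte reply (assumption)
PI_DEFAULT_PORTS = (3460, 8080, 443)  # 3460 is PI's default; the others are common operator choices (assumption)


def looks_like_poison_ivy(response: bytes) -> bool:
    """Classify a raw handshake response.  Pure function so it is testable offline."""
    if len(response) < 260:         # need the 256-byte reply plus the 4-byte marker
        return False
    return response[256:260] == PI_MAGIC


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read n bytes, or whatever arrived before the peer closed the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Connect, send the probe, classify the reply.  Any network error counts as 'not PI'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(PI_PROBE)
            return looks_like_poison_ivy(recv_exact(s, 260))
    except OSError:
        return False


def scan(hosts, ports=PI_DEFAULT_PORTS, timeout: float = 5.0):
    """Yield (host, port) pairs that answered like a Poison Ivy server."""
    for host in hosts:
        for port in ports:
            if probe(host, port, timeout):
                yield host, port


if __name__ == "__main__":
    # Usage: python pi_scan.py 198.51.100.7 198.51.100.8   (documentation-range placeholder addresses)
    for host, port in scan(sys.argv[1:]):
        print(f"possible Poison Ivy server: {host}:{port}")
```

Only scan address space you are authorized to probe; the point of the fingerprint is that a plain TCP connect plus 256 bytes is enough to separate Poison Ivy controllers from the web and mail servers sharing the same ports, without ever authenticating to them.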

The first thing Rascagnères discovered was that APT1 only ran its Poison Ivy servers during office hours – 8 to 5 Shanghai time. That by itself was a pretty good clue for attribution, but Rascagnères was just getting started.
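The office-hours clue generalizes into a small attribution technique, shown here as an added example that is not part of the report: probe the controller on a fixed schedule, record when it answers, and then ask which UTC offset lines the “up” observations up best with a weekday 08:00 to 17:00 workday. The probe results below are constructed (a server that is up exactly during UTC+8 office hours, with a deterministic sprinkling of noise), and fixed offsets are used instead of named time zones so the script runs without a tz database; that is exact for China, which has no daylight saving.

```python
"""Infer an operator's working time zone from when their C2 server is reachable.

Added example, not from the report.  Input: hourly probe results (UTC timestamp,
server answered?).  If a controller is only up during someone's office hours, the
UTC offset that best aligns the "up" probes with weekday 08:00-17:00 is a clue to
where the operator sits.  Data below is constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

OFFICE_START, OFFICE_END = 8, 17   # "8 to 5": hours 08..16 inclusive count as in-office


def to_local(ts_utc: datetime, offset_hours: int) -> datetime:
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def in_office_hours(local: datetime) -> bool:
    return local.weekday() < 5 and OFFICE_START <= local.hour < OFFICE_END


def consistency(observations, offset_hours: int) -> float:
    """Fraction of probes explained by 'up iff office hours' at this UTC offset."""
    hits = sum(1 for ts, up in observations if in_office_hours(to_local(ts, offset_hours)) == up)
    return hits / len(observations)


def rank_offsets(observations):
    """Score every offset from UTC-12 to UTC+14; best fit first, ties broken by offset."""
    scored = [(off, consistency(observations, off)) for off in range(-12, 15)]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def hourly_uptime(observations, offset_hours: int):
    """Map local hour -> fraction of weekday probes that found the server up."""
    up, total = defaultdict(int), defaultdict(int)
    for ts, is_up in observations:
        local = to_local(ts, offset_hours)
        if local.weekday() >= 5:
            continue
        total[local.hour] += 1
        up[local.hour] += int(is_up)
    return {h: up[h] / total[h] for h in sorted(total)}


def constructed_observations(start=datetime(2013, 3, 4, 0, tzinfo=timezone.utc),
                             days=14, operator_offset=8, noise_every=0):
    """Constructed probe log: hourly, up exactly during the operator's office hours.
    noise_every=n flips every n-th probe to mimic missed probes or odd downtime."""
    obs = []
    for i in range(days * 24):
        ts = start + timedelta(hours=i)
        up = in_office_hours(to_local(ts, operator_offset))
        if noise_every and i % noise_every == 0:
            up = not up
        obs.append((ts, up))
    return obs


if __name__ == "__main__":
    obs = constructed_observations(noise_every=13)
    for off, score in rank_offsets(obs)[:3]:
        print(f"UTC{off:+d}: {score:.1%} of probes consistent with weekday 08:00-17:00")
    for hour, frac in hourly_uptime(obs, 8).items():
        print(f"{hour:02d}:00 UTC+8  {'#' * int(frac * 20)}")
```

Two weeks of hourly probes is enough to separate neighbouring offsets by a full hour’s worth of mismatches per day, which is why a scheduled probe beats a one-off connection for this purpose. On real data the best-fit offset is a lead, not a conclusion: shift workers, a controller that is simply rebooted nightly, or a server hosted in a different zone from its operator all produce the same pattern.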

Building on another researcher’s identification of weaknesses in Poison Ivy, Rascagnères did what any red-blooded Luxembourger would do (someone please cover the Justice Department’s eyes):  he broke into and mapped the hackers’ exploitation network.

And he collected valuable intelligence about how the Chinese unit is responding to the publicity generated by Mandiant’s report.  The Mandiant report described a unit that controlled many victims through a single command and control server, often a compromised machine in the United States.  This meant that when Mandiant got access to that command and control machine, Mandiant could identify dozens of other victim networks.

What Rascagnères found was more sophisticated – and partially protected from Mandiant’s technique.  Now, it appears, the Chinese hacking unit is covering its tracks by assigning every victim his own dedicated proxy server connected to his own Poison Ivy server. Both machines are remotely controlled by mechanisms (Remote Desktop Protocol and VMware remote desktop) that obscure the actual location of APT1.  All of this makes it much harder to develop indicators of compromise, since exposing one exfiltration route reveals only a single “bad” IP address and no additional victims.

But Rascagnères caught the Chinese unit recycling IP addresses. When a victim realized he’d been infiltrated and started blocking his dedicated Poison Ivy IP address, the unit simply assigned that address to a different victim. So it’s still possible to assemble a list of victims and bad IP addresses, but only if each victim shares every “bad” IP address used against him, and that information is widely disseminated to other potential victims.  These changes tell us a couple of things about the Chinese unit.  First, they’re too cheap, too poor, or too invested to get a new IP address for every new compromise; that’s a weakness we can work.  And second, given how easily their new scheme can be defeated by widespread information sharing, they must be betting against adoption of CISPA. (The ACLU must be really popular these days in Beijing.)

Even these discoveries didn’t end the drama.  At one point, the Chinese hackers realized that their network had been penetrated.  They started searching for the intruder, but so ham-handedly that he spotted the effort.  He installed a keylogger on the Poison Ivy servers that he had hacked and waited for the Chinese to log in to their proxy servers.  Then he dropped his compromised connection to the Poison Ivy servers and instead hacked the proxy servers using the Chinese hackers’ own credentials. Once in the proxy server, his connection to the network looked like every other victim network communicating with its controller.

That’s impressive, but Luxembourg’s finest wasn’t even close to done.  While he was in the hackers’ network, Rascagnères copied their remote access logs to map the attackers’ workstation machines.  Then he rifled the Poison Ivy servers to find the tools the hackers were using — as well as all the data they were stealing from victim networks. The data had been password-protected by the hackers, so he brute-forced their passwords. And, while the Chinese unit was probably still desperately trying to figure out whether they’d successfully locked the intruder out, he exfiltrated all their stuff out from under their noses.

For those who’ve been the victims of Unit 61398, that sure sounds familiar.  And deeply satisfying.  Unless you’re the United States Justice Department, in which case it sounds like a felony, and “not good policy either.”

Justice couldn’t be more wrong.  This kind of tactic is absolutely essential if we want to create an effective defense against cyberespionage. Thanks to Luxembourg’s machismo, we won’t have to learn Unit 61398’s new tactics by trial and error; and we already have ways to thwart the new tactics, plus a store of tools and stolen data.

Oh and one more thing:  while he was playing with their command and control system, Rascagnères discovered that it didn’t correctly parse data sent by a victim machine.  Using that flaw, he wrote what looks to me like the first public zero-day exploit of the hackers’ own tool and released the code for other researchers to use.

Perhaps the Justice Department thinks that the government could have found all of this out on its own.  Maybe the government already knows all this from its own supersecret penetrations of Chinese hacker networks, achieved without any help from vigilantes like Rascagnères.  I kind of doubt it, but the more important fact is that it doesn’t really matter to all the private victims in this country what the government knows.  We need to know it too.  And because it wants to protect its sources and methods, the government isn’t likely ever to tell us.  After all, it didn’t tell us about Unit 61398, or about Luckycat, or about GhostNet.  Everything we know about China’s hackers we owe to brave private citizens like Trend Micro and Mandiant and Citizen Lab, who went right up to the line that Justice is busily waving everyone away from.

Now we owe a lot to Paul Rascagnères, though he seems to have treated the Justice Department’s line the way Steve McQueen treated the fence in The Great Escape.

Well, God bless him, he’s showing us a new path to cybersecurity.  It’s better than the old path, for sure.  And no matter what the Justice Department says to American companies, the rest of the world is going to follow.

ART CREDIT: iTrust Consulting and Malware.lu

CAVEAT:  As always, I welcome corrections to my understanding of technical matters.