All Your Nets Are Belong to the PLA
February 19, 2013 7:20 AM

The Mandiant security firm has released a report attributing a number of hacking events to Advanced Persistent Threat (APT) activity perpetrated by China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department. They have also released an appendix containing multiple artifacts that can be used to detect intrusions on networks.
posted by bfranklin (64 comments total) 10 users marked this as a favorite
 
The report in question is particularly fascinating due to the forensically sound methodology used to gather the data, and the intelligence work done to link digital artifacts on the Internet to their existing investigation in order to draw an extremely plausible conclusion.
posted by bfranklin at 7:23 AM on February 19, 2013 [1 favorite]


NPR's morning Marketwatch did a report on this report, and pretty much blew it off as unsubstantiated and sided with the Chinese on calling it "bullshit", based primarily on a cell phone # shown in the video that was tied to an old farmer who didn't know what "hacking" was.
posted by Old'n'Busted at 7:40 AM on February 19, 2013


NPR's morning Marketwatch did a report on this report, and pretty much blew it off as unsubstantiated and sided with the Chinese on calling it "bullshit", based primarily on a cell phone # shown in the video that was tied to an old farmer who didn't know what "hacking" was.

Yeah, I heard that on the way into work this morning. It really lowered my estimation of the Marketwatch team's ability to understand the subject under discussion.
posted by Inspector.Gadget at 7:42 AM on February 19, 2013 [8 favorites]


Thanks for posting this as links to the original reports. FWIW the New York Times summary is quite good; they seem to have been pre-briefed and pick up the highlights.

We've known for a few years that Chinese Army units have been hacking US companies; Google's disclosure, among others, made that pretty clear. But this report has a lot more detail and specifics than have been published before, it's important.

What I don't understand (or what scares me) is why the Chinese Army is infiltrating power grids and other infrastructure. I get the value of hacking news companies, human rights groups, corporate espionage; those all produce tangible benefits to Chinese interests today. But the only reason to hack an oil supply company or an electric grid company is because you would like to be able to demolish it some day. That's an explicitly military goal, and that scares me. Maybe in their mind it's no different than having an ICBM pointed at a city.
posted by Nelson at 7:46 AM on February 19, 2013 [1 favorite]


He who can destroy a thing, controls a thing.
posted by seanmpuckett at 7:52 AM on February 19, 2013 [2 favorites]


The Chinese Army is a rather explicitly military organization, so I'm not sure why that surprises you.

The question that all this raises, though, is what equivalence will be drawn between what they're doing and more traditional military actions when they finally fuck up or overplay their hand in some way and things become too obvious to ignore. I.e., is infiltrating the control systems of a power plant, with the obvious aim of being able to turn it off or blow it up, equivalent to sending a special forces guy in with a bomb and planting it there? I could see how that parallel could be drawn.

I'm reminded of certain incidents from early hacker culture where people did things that were pretty obviously illegal, but since they did them with a computer, it seemed rather harmless, and they were rather surprised when the actual cops showed up. There seems to be a similar disconnect going on, only at the nation-state level, right now: countries (particularly China, it seems) are engaging in acts that anyone can see would be insanely provocative if done conventionally, but are apparently excusing them because they're being done through computer networks. But as computer networks become more fundamental to modern life, I think that will cease to be a meaningful difference.
posted by Kadin2048 at 7:56 AM on February 19, 2013 [9 favorites]


That's an explicitly military goal, and that scares me. Maybe in their mind it's no different than having an ICBM pointed at a city.

Indeed. It's an act of war. Which is more or less the official position of the White House and the Pentagon:

International Strategy for Cyberspace, Prosperity, Security, and Openness in a Networked World, May 2011, Barack Obama (pdf, whitehouse.gov)

"When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible." (emphasis added.)

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.

If this is true and China's military is hacking into US systems as an official matter of Chinese military policy, then that's kinda sorta really really close to an act of war and Obama can't let that go unanswered. Those commies would have to pay some face-losing price for that.

One assumes that the all-powerful NSA has been aware of this for some time and Obama has had a chance to prepare his response. Now that public allegations have been made by Mandiant, I guess we'll see swift action from the White House.

It's becoming clear why Hillary Clinton wanted out.....
posted by three blind mice at 7:58 AM on February 19, 2013 [1 favorite]


Side note... Can we please not use the word commies? It's so '80s xenophobic jingoism. Thanks.
posted by aspo at 8:05 AM on February 19, 2013


What I want to know is why all this stuff is so easily accessible? I mean, it's like the guy who owns a liquor store and never locks the door at night complaining about the looting of his hooch.
posted by njohnson23 at 8:08 AM on February 19, 2013


No doubt the USA does the same, just more discreetly, and through their intelligence branch instead of their military (pretty much the same thing these days).
posted by furtive at 8:13 AM on February 19, 2013 [6 favorites]


Furtive has it for sure. Hell the US (and/or Israel) is AFAIK the only party to have launched an attack on a country using this vector. Stuxnet and Iran.

Maybe we're just a little more sophisticated and discreet about it - or maybe the PLA gets how the game is played and sees no benefit to airing any breaches they've had. Most of the allegations from the US have been from the private sector.

And I'm sure we aren't just hacking the Chinese, but also any of our allies who leave a door open.
posted by JPD at 8:20 AM on February 19, 2013 [1 favorite]


Can we please not use the word commies? It's so '80s xenophobic jingoism.

And the '70s, and the '60s and the '50s. But if you want to really sound like an old hand, the preferred term is "Chi-coms."
posted by Longtime Listener at 8:22 AM on February 19, 2013 [3 favorites]


The US does have an active cyberwar department, but it seems to be much more precisely targeted at military targets (see: Stuxnet, Duqu). Part of what's astonishing about the Chinese Army hacks is they seem to be hacking everything at once: corporations, news agencies, civil infrastructure, and presumably military systems. Also while we presume (and hope) the US is building cyberwar capability, so far they've not really been caught at it. Hell, even the US ownership of Stuxnet is still more of a matter of supposition than certainty.

I still don't know how to interpret a Chinese Army infiltrating, say, an electric distribution network. It's not itself an act of war; they've done no harm. It's more of an act of espionage. It's more like creating the ability to attack rather than attacking. In that way I think it really is analogous to our pointing ICBMs at China, or engaging in wargame maneuvers near Chinese waters. A demonstration that we could attack, not an attack in itself.
posted by Nelson at 8:22 AM on February 19, 2013 [3 favorites]


Hell the US (and/or Israel) is AFAIK the only party to have launched an attack on a country using this vector. Stuxnet and Iran.

It's as if the US government actually treats Chomsky as a manual of operations. The cognitive dissonance of the amount of doublethink involved in producing these stories must create an audible sound...
posted by ennui.bz at 8:26 AM on February 19, 2013 [2 favorites]


What I want to know is why all this stuff is so easily accessible? I mean, it's like the guy who owns a liquor store and never locks the door at night complaining about the looting of his hooch.

Security is like insurance. It's a cost you pay that you may never see an ROI on. As such, most organizations are unwilling to pay for quality security personnel and unwilling to invest much more than the bare minimum to meet regulatory compliance for security. The undersized and underskilled security staff are unable to accurately present the risks to management (or management just doesn't care about digital risk).

Management is far more interested in getting new revenue generating programs up as quickly as possible, as opposed to investing the time and effort to secure them. Security managers don't have executive backing, and as soon as the director of sales or VP of marketing wants all his people to have unfettered access to the internet, gmail, and installing random software so the creativity isn't stifled, the security team is forced to just send an email saying "we don't recommend this at all. Don't fire us when this goes poorly because we told you so."

Systems are also amazingly complex, and to do a good security analysis of how to implement something, you need to know how to secure networks, OSs, and applications, and how all those layers can interact to work against you. Your average app admin knows jack about Diffie-Hellman key exchange and selecting cipher suites.

Even if all of this can be addressed for the most part, enterprise networks are constantly changing. With a security team of 3 in a business of 3000, you just plain don't have time to inspect everything. Even if you did, all software has bugs, and a lot of those bugs have already been weaponized by criminals and foreign national actors. Or someone could just send your secretary a malicious file masquerading as a cute cat video.

The basic nature of the beast is that you _are_ going to be compromised. Chances are that you already are. Rapid detection and response is the new face of the game. Many businesses haven't got the memo, though, as this is the stuff that practitioners talk about, but it hasn't made it into the pages of Forbes or HBR.

All of this shouldn't be taken as saying security is a hopeless cause, though. Much like running from a lion, the goal is largely not to be the slowest of the pack. Good practitioners can use the old patch-harden-and-fortify method to make a network very cost-ineffective to get into, and can lock things down so it's hard to compromise additional hosts once you get a foothold. They also can quickly detect anomalous network activity and investigate to quickly respond to compromise.

It's a hard problem, and it's why I tell people getting into security because of job prospects rather than a love of the problems to look for jobs with big 4 firms where you'll be auditing based on a checklist. Those folks aren't cut out for operational enterprise security or security architecture. You've got to love the details of it to do it well.
posted by bfranklin at 8:28 AM on February 19, 2013 [9 favorites]


the US ownership of Stuxnet is still more of a matter of supposition than certainty.

the only institution with the infrastructure and credibility to make that certain is the U.S. government. I bet the NSA is really working to track down what entity is responsible for a highly sophisticated attack on Iran's nuclear infrastructure that leveraged inside corporate connections and knowledge.
posted by ennui.bz at 8:30 AM on February 19, 2013 [1 favorite]


He who can destroy a thing, controls a thing.

He who owns a thing, wants a copy of the keys.
posted by Blazecock Pileon at 8:43 AM on February 19, 2013


Passwords need to be banned, throughout government and business.
posted by gsteff at 8:56 AM on February 19, 2013


What a funny coincidence, this report being publicized the same week that CISPA was reintroduced in the House of Representatives!
posted by orme at 9:02 AM on February 19, 2013 [7 favorites]


I'm not sure if this kind of thing is banned by the WTO, but regardless, WTO rules need to be updated to make espionage of this sort a major regulatory focus. And then the U.S. and the other western nations that get hit by China in this way need to flood China with WTO cases until it's obvious that they either need to cut this out or be kicked out of the WTO.
posted by gsteff at 9:08 AM on February 19, 2013


Maybe in their mind it's no different than having an ICBM pointed at a city.

This is pretty much it. He who wants peace prepares for war, MAD, etc.

the US ownership of Stuxnet is still more of a matter of supposition than certainty.

What we know of US cyber capability is that it's geared toward support of real-world military action, about as subtle as a sledgehammer to the forehead, and operates on spooky levels not well understood by most infosec researchers - the Israeli jets flying through Syrian airspace, invisible to the newest generation Russian AA radar, was something of a wakeup call. On the other hand the US has proven they're not much good at internet level security, offense or defense... currently, their instinct is to airgap everything and hide it behind a foot of lead. This strategy has shown mixed results, at best.

Stuxnet and Fire don't fit the profile - it's either Israeli or a NATO thing. Money's on the Dutch and the Germans.
posted by Slap*Happy at 9:15 AM on February 19, 2013


A demonstration that we could attack, not an attack in itself.

I would disagree. I think hacking into a system that you don't own/control is an attack in itself.
posted by gen at 9:24 AM on February 19, 2013



A number of years ago, Marketwatch broadcast a week or two direct from China, with emphasis on the new business climate in China, with a Chinese company/organization picking up the tab. Their reportage of China is suspect at best, and bought and paid for at worst.
posted by SPUTNIK at 9:25 AM on February 19, 2013 [3 favorites]


Their reportage of China is suspect at best, and bought and paid for at worst.

This is a sweeping statement that should be supported with evidence.
posted by gen at 9:29 AM on February 19, 2013 [1 favorite]


It really lowered my estimation of the Marketwatch team's ability to understand the subject under discussion.

Did you mean Marketplace's morning report? Because if it's Marketplace, every time they say something it lowers my opinion of them (and NPR for carrying one of their segments in their otherwise informative morning news) - they're like the Economist of public radio: there's one solution and it's the free market, regardless of the topic at hand. And the smugness with which their reporting and opinion pieces are delivered is both astounding and infuriating - it's the only show which will actually get me to switch the radio station off of public radio.

Marketplace rant now over, the Chinese denial was entertaining: Hacking attacks are transnational and anonymous. Well, yes on the first (obviously), but perhaps not so much the latter...
posted by combinatorial explosion at 9:57 AM on February 19, 2013 [4 favorites]


What we know of US cyber capability is that it's geared toward support of real-world military action, about as subtle as a sledgehammer to the forehead, and operates on spooky levels not well understood by most infosec researchers... Stuxnet and Fire don't fit the profile - it's either Israeli or a NATO thing. Money's on the Dutch and the Germans.

So, the US builds a $2 billion data center in Utah, the NSA is stuffed with really smart people and has a budget like an iceberg (largely invisible) yet can't find someone to do subtle hacking? Not plausible.

One of the biggest things those cyberpunk novels got wrong is the idea that the world of hacking computers would be dominated by lone programmers, hacking the gibson in cheap coffin-hotels. Like everything else, once computers became a known thing, the government has the best resources and infrastructure. The best hackers are sitting in cubicles in government/military office buildings, in the US, in China or wherever and will get a pension.
posted by ennui.bz at 10:38 AM on February 19, 2013 [2 favorites]




One of my guesses is that the Chinese didn't think they were going to get exposed like this; they figured that they could just keep saying "you have no evidence," believing that the hackers had covered their tracks well enough. And then Mandiant goes and drops this out in the open, going so far as to point out the building the hacking is originating from. I'm sure they'll continue to deny everything, but you have to figure that the diplomatic conversations have just taken a different tone.

I'm also not surprised that the way they get in tends to be by sending emails, and the link gets clicked on and *boom*. Getting people to practice safer online practices is always an uphill battle. I have always been incredibly skeptical on my email and I don't click on any links or attachments unless it's something I specifically asked to be sent. But when you have so many people, including those at higher levels of corporations, who are joining the "Fw: FW: Fw: FW: Funny Picture" email chains, you gotta pretty well figure you're not going to ever be able to have much security in email systems. Add in that the hackers have been putting together highly sophisticated emails that look exactly like they've come from the boss, and there ya go.
posted by azpenguin at 10:59 AM on February 19, 2013




Related posts.
posted by homunculus at 11:18 AM on February 19, 2013


The Mac malware targets the known holes in Java. Anyone who doesn't need it should have Java disabled by default. Doesn't matter what platform you're using.
posted by azpenguin at 11:26 AM on February 19, 2013 [2 favorites]


lol java
posted by entropicamericana at 11:37 AM on February 19, 2013 [1 favorite]


I am much more worried how the response is going to infringe on my privacy and rights than I am worried that China is going to hurt us.
posted by psycho-alchemy at 11:47 AM on February 19, 2013




their instinct is to airgap everything and hide it behind a foot of lead. This strategy has shown mixed results, at best.

As a strategy it's better than anything else that anyone has come up with, it's just really expensive to implement, which is why the private sector generally balks at it.

It's not like the SIPRnet concept is perfect, but the only compromises I've been aware of are via a USB-conveyed worm, which is a limited attack vector (certainly better than having an attacker gain online access) and could be hardened against pretty trivially (disable USB storage devices on endpoints), and then the high-profile compromise carried out by Bradley Manning. The latter is not really something you blame on the network; even if the files had been kept on paper, someone with the right level of access could have copied them with a Minox or something. People are always going to be a weak link, but at least they are something that we have experience dealing with.

Where the air-gapped network concept has failed it's almost always because corners were cut somewhere, either by using unsecured commodity machines and operating systems at the endpoints, or allowing tunneling from public networks such that there has to be a gateway somewhere, etc.

For something like industrial-control / SCADA systems, there's no reason why those networks shouldn't be completely isolated and accessible from endpoints located only within secure facilities themselves. That they're not suggests to me that someone is putting cost-savings ahead of security, and perhaps they should be steered in the right direction via regulation. Security is always going to be a cost center and will always be given short shrift by private organizations, if they're not the ones who have to clean up the mess in the event of a compromise (i.e. the government will bail them out rather than let them fail). Thus, unless we're really prepared to let them fail (in the case of the power grid, clearly not), we should force them to prioritize security, rather than leaving it up to market forces.
posted by Kadin2048 at 12:10 PM on February 19, 2013 [3 favorites]


What I don't understand (or what scares me) is why the Chinese Army is infiltrating power grids and other infrastructure. I get the value of hacking news companies, human rights groups, corporate espionage; those all produce tangible benefits to Chinese interests today. But the only reason to hack an oil supply company or an electric grid company is because you would like to be able to demolish it some day. That's an explicitly military goal, and that scares me. Maybe in their mind it's no different than having an ICBM pointed at a city.

No different? Except for the part where you are minorly inconvenienced for a short period of time instead of blown up or irradiated?

Also, China does not have nuclear weapons pointed at the US. From the Union of Concerned Scientists:

China currently possesses a small nuclear arsenal, with an estimated 155 nuclear warheads ready to be deployed on six types of land-based missiles. Approximately 50 of its 155 missiles can reach the continental United States. The United States, by comparison, currently has more than 1,700 deployed nuclear warheads that can reach China.

Note that while China could deploy its missiles, they are currently not even armed, while the US has a standing array of 1,700 missiles ready to be fired at a moment's notice, and tens of thousands of nuclear bombs in storage.

Anyway, the whole "Cyberwar" thing is a total joke. It's just some bullshit hyped by beltway defense contractors so they can collect massive paychecks to sit on their ass and screw around with computers.

In fact, focusing on computer security in the framework of a "war" is actually pretty dumb, since wars are rare. It should be looked at as intelligence gathering, which obviously China wants to do.

And by the way, does anyone not think the U.S. government isn't doing the exact same thing? Maybe the Chinese government and corporations just aren't whining about it to the media? There's no incentive for them to publicise it, and the government keeps a tight lid on the media; you probably don't see any national security stories that aren't government approved there.

I mean think about it, we all hear about the problems with the F-22 in the U.S. because of the free press. Do you think that if the Chinese were having the same kinds of problems with their flagship fighter jets you'd be hearing about it in the Chinese media?

Also, in the U.S there is an incentive to stoke fear about "cyberwar" in order to boost funding for "cyberwar" pork.

And as I was saying, looking at hacking through the "cyberwar" lens isn't a good way to do things: rather than bitch about Chinese hackers, we should be spending the money to make sure our stuff is secure and can't be hacked. Why even build power systems that are capable of being hacked in the first place?

insanely provocative if done conventionally, but are apparently excusing them because they're being done through computer networks. But as computer networks become more fundamental to modern life, I think that will cease to be a meaningful difference.

As I said, I don't see them as being particularly provocative, I couldn't really care less and assume we're doing the same things to them anyway - but why would you build systems that we depend on with such obvious security flaws in the first place?

If anything, it's better if critical systems are targeted, because then you can actually see where the weaknesses are, rather than having it all be hypothetical.

"When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible."

My GOD They might actually write a sternly worded letter!!!

What we know of US cyber capability is that it's geared toward support of real-world military action

Why would you know anything?

Stuxnet and Fire don't fit the profile - it's either Israeli or a NATO thing. Money's on the Dutch and the Germans.

That's completely ridiculous. First of all, the US is a part of NATO; anything NATO does the US is going to be involved in. Secondly, why the Dutch or Germans? The U.S. and Israel are by far doing the most in the open to stop the weapons program (sanctions, etc). Do you have any basis for accusing the Netherlands or Germany whatsoever, or are they just the first two countries other than the US that popped into your head?

Also, the NYT reported that the US ordered the attacks. Their headline is literally: "Obama Order Sped Up Wave of Cyberattacks Against Iran". In order for the NYT to publish this they would have almost certainly talked to people in the US government with direct knowledge.

At a tense meeting in the White House Situation Room within days of the worm's "escape," Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America's most ambitious attempt to slow the progress of Iran's nuclear efforts had been fatally compromised.

"Should we shut this thing down?" Mr. Obama asked, according to members of the president's national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed.

So you think the NYT reporters just made all of that up? That it's total fiction? You should really give us your evidence for the "Dutch or German" hypothesis.
posted by delmoi at 12:28 PM on February 19, 2013


Anyway, I'm obviously not saying it didn't happen, and it seems reasonable to perhaps levy a fine (enforced with tariffs or something) or something for any damage they've caused. But really the whole "cyberwar" nonsense, it's just ridiculous. Cyberwar is not going to kill anyone. This is just 21st century espionage, and the Chinese just sucked at covering their tracks apparently.

I'm kind of surprised to see people so credulously swallowing obvious propaganda intended to get more funding for Cyber-B.S. in D.C. Was it an "Act of War" when the U.S stuck a covert listening device in the headboards of the bed on China's presidential jet?

People need to take responsibility for securing their own stuff.
posted by delmoi at 12:36 PM on February 19, 2013


delmoi, while I agree with you that often the "cyberwar" term ends up being superfluous with "pork barrel" I think you're underestimating the value of leveraged control over SCADA systems (at least in the United States). When you say that "people need to take responsibility for securing their own stuff" I don't think the penalties for non-compliance are distributed only to those responsible. It's just the opposite - remember when Comodo got hacked multiple times and issued fake certificates and so every browser vendor removed them from their list of trusted CAs and so now they're out of business?

If SCADA systems are breached, then lives are absolutely at stake, and that's why contractors can beat the war drums (and for the record, I think Mandiant has at least been forthcoming with the infosec boots-on-the-ground types with their willingness to share this data, even if it simultaneously leads to nice contracts for them). If the creators of Stuxnet had more malicious intentions, or had attacked the uranium enrichment plant in a less-sophisticated way, there absolutely could have been lives at risk. The lines between "attack" and "espionage" are just becoming a bit more blurry as information becomes increasingly valuable.
posted by antonymous at 2:19 PM on February 19, 2013 [3 favorites]


Anyway, the whole "Cyberwar" thing is a total joke. It's just some bullshit hyped by beltway defense contractors

I used to think that. Then companies like Google started talking about being hacked. These advanced persistent threats aren't some bullshit being made up to feed at the defense spending trough or to justify some civil liberties-curtailing legislation. They do serve that purpose too, but the attacks are real.
posted by Nelson at 2:25 PM on February 19, 2013 [1 favorite]


oops, I got my "synonymous" and "superfluous" mixed up - at least we now know I'm not versed well enough in English to be a spy!
posted by antonymous at 2:37 PM on February 19, 2013


I don't believe the accounts that had Israelis and USAns working together to create Stuxnet. Cooperation for something like this would have to be initiated at the highest levels of the respective governments. This cooperation would presumably come after an initial attempt had hit a brick wall, and after the original developers decided they needed outside help, and after assistance had been sought from every local source. I can't see the leaders of either nation admitting that they don't have sufficient resources in their entire country to complete the project.

Furthermore, cooperation on something like this would require intimate sharing of not only information but also development resources. I just can't see the USA (which is vastly larger than Israel, has vastly greater resources, and vastly better connections with the countries that supplied Iran's hardware) compromising its security like that in exchange for ... what? Some programming assistance? Maybe, possibly, I could see the USA sourcing Iranian intelligence via Israel, or using Israeli connections within Iran to deploy USB drives and so forth once the trojan was created.
posted by Joe in Australia at 3:57 PM on February 19, 2013


I used to think that. Then companies like Google started talking about being hacked. These advanced persistent threats aren't some bullshit being made up to feed at the defense spending trough or to justify some civil liberties-curtailing legislation. They do serve that purpose too, but the attacks are real.

But does that amount to _war_?
posted by bfranklin at 4:45 PM on February 19, 2013 [1 favorite]


I used to think that. Then companies like Google started talking about being hacked. These advanced persistent threats aren't some bullshit being made up to feed at the defense spending trough or to justify some civil liberties-curtailing legislation. They do serve that purpose too, but the attacks are real.
Yes, Google got hacked, and what happened as a result? Did anyone get killed?

The way some people talk about this makes it seem as though this stuff could somehow be as bad as traditional warfare. Someone up-thread said that hacking electrical systems was "the same" as having nukes pointed at you. Except, you know, it's actually totally not the same at all.

That's the problem here, all this talk about how this is an "Act of war" and other nonsense. It's espionage. Obviously, we would rather they not succeed but do you seriously expect the U.S. to not spy on China? The fact we were able to find them and figure out where they were located just means that we're better at it then they are.

For people who think this is an "act of war", was it also an act of war when we stuck bugs on the Chinese presidential plane? What's the difference, other than the scale that the Chinese are operating at?

And again, there are always going to be hackers out there - the fact that the Chinese are doing this is just going to make people more wary about the possibility of APT in general and more likely maybe we'll see some progress on people building systems with more intrinsic security in the first place.
posted by delmoi at 7:42 PM on February 19, 2013


Mandiant have been profiled on several NPR shows over the past few months and I have been really impressed with what these guys have been doing. They are on top of their game.
posted by daHIFI at 7:59 PM on February 19, 2013


The way some people talk about this makes it seem as though this stuff could somehow be as bad as traditional warfare. Someone up-thread said that hacking electrical systems was "the same" as having nukes pointed at you. Except, you know, it's actually totally not the same at all.

It's not the same, it's worse. It's like the nukes don't even need to be delivered via bomber or missile; they could go off anywhere at any time with no warning. And there's no risk of mutually assured destruction.

Consider the implications of total access to these control systems. Stuxnet sabotaged systems while presenting false data to the operators' consoles making it seem like everything was ok. That could be happening to our power grid, utilities, all sorts of stuff.
posted by frijole at 5:30 AM on February 20, 2013


That's the problem here, all this talk about how this is an "Act of war" and other nonsense. It's espionage.

We just don't have an accurate singular term to describe what this is. In this case, the XOR of "act of war" is not "espionage." There's no precedent for this type of action taken in the context of our modern global climate.

I suppose you could make the case that it's "just" espionage - stealing information has been going on in modern civilization for thousands of years. Hell, you could make a case that America was built on stolen information - would the United States have led the industrial revolution without it? So is it just a matter of scale - some building in Shanghai is able to just steal every single blueprint in the world and China is simply well-positioned to leverage it?

The problem is that in the 200 years since the industrial revolution, the full value of information has been realized. And to extend my Americentric rant, the laws which govern information have deep roots in America's property system - IP is property, after all, and stealing information is akin to depriving a landowner of his right to work the land. This makes no sense to the Chinese, but perfect sense to American lawmakers, who, along with the courts, base their ideas and judgements in almost 200 years of heritage and precedent. This fundamental cultural disconnect will continue to lead to conflicts for the foreseeable future, IMO.

For people who think this is an "act of war", was it also an act of war when we stuck bugs on the Chinese presidential plane? What's the difference, other than the scale that the Chinese are operating at?

A bug is not the proper analogy to the situation here. A better one might be if Americans were to put a remote kill switch on the engine. Does the mere existence of the switch constitute an act of war? Does activating the switch? What if that plane is the only one in existence and there is no other way for the Chinese president to return home?

A bug is about espionage and gleaning information, but the reason this situation is so alarming is that it directly alters global relationships between power, leverage, and control. It's not difficult to imagine the POTUS imposing some kind of sanction on China for this bad behavior, but thanks to the proliferation of vulnerable SCADA systems, it's easy to retaliate - a power plant shuts down for an hour, all traffic lights in a city turn green for 30 seconds, etc. I am not worried about that happening in the near future (because, in the words of a modern American poet, "Consequences will never be the same"), but the fact that this could be accomplished with some amount of plausible deniability certainly gives me pause.

To me, the question becomes "what is a proportional response to this loss of autonomy?" That's certainly not a new question, and is one that has been studied by folks far smarter than myself, and one that I encourage everyone to ask.
posted by antonymous at 9:31 AM on February 20, 2013 [1 favorite]


stealing information is akin to depriving a landowner of his right to work the land

Except this is also a muddled analogy because it ignores the fact that sovereignty is a very real thing with land, whereas sovereignty is much more nebulous on the Internet.

To me, the question becomes "what is a proportional response to this loss of autonomy?" That's certainly not a new question, and is one that has been studied by folks far smarter than myself, and one that I encourage everyone to ask.

You find a Microsoft Office 0-day (trivial), you find a network compromised by APT1 (trivial for the NSA), you package the .cn version of Stux in a word document containing juicy business plans, and you check if the Chinese are just as careful as they hope American corporate interests aren't.

Actually, the NSA has probably already done this and has some clever side-channels leaking them information from the inside of this group. These guys are using windows, not SELinux. I wouldn't be surprised if it's amateur hour once you get past the firewall.
posted by bfranklin at 1:10 PM on February 20, 2013


Mandiant’s China Hacking Claims Draw Criticism.

That's some serious sour grapes. Intelligence has a fetish for ACH, and while it's a great technique when you're dealing with questionable data, Mandiant has tremendous forensics capabilities and is dealing with a lot of hard evidence. This reads to me like bitching that the police aren't using ACH in their investigations.

Further, Carr can't even really say they're wrong, because he hasn't run ACH to come up with a more plausible hypothesis.
posted by bfranklin at 5:15 PM on February 20, 2013
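Since the comment above leans on ACH without spelling out what the technique actually does, here is a small worked illustration of Analysis of Competing Hypotheses scoring. This is an added example, not code from the thread, from Mandiant, or from the criticism being discussed; the hypotheses, evidence items and consistency ratings are all constructed for illustration and are not taken from the report. The point it shows is the one that matters for the argument: ACH ranks hypotheses by how much evidence is *inconsistent* with them, not by how much appears to support them, and evidence that rates the same against every hypothesis carries no weight at all.

```python
"""Analysis of Competing Hypotheses (ACH) scoring, as an added illustration.

Hypotheses, evidence items and ratings below are constructed for this
example only; they are not from the Mandiant report or any real case.
"""
from typing import Dict, List, Tuple

# Consistency ratings in the usual ACH style (Heuer): each evidence item is
# rated against each hypothesis. Negative values mean "inconsistent".
CC, C, N, I, II = 2, 1, 0, -1, -2  # strongly consistent ... strongly inconsistent

# Constructed, hypothetical hypotheses.
HYPOTHESES: Dict[str, str] = {
    "H1": "a single state-directed unit operating from one location",
    "H2": "an independent criminal group with no state direction",
    "H3": "a third party staging the activity to look state-run",
}

# Constructed, hypothetical evidence items.
EVIDENCE: Dict[str, str] = {
    "E1": "operator activity clusters in one time zone's working hours",
    "E2": "C2 domains re-registered with the same contact details for years",
    "E3": "targets are mostly industrial IP that is hard to monetise directly",
    "E4": "tooling and tradecraft stay consistent over a multi-year period",
    "E5": "one registration artifact resolves to an unrelated individual",
}

# Constructed ratings: MATRIX[evidence][hypothesis] -> consistency.
MATRIX: Dict[str, Dict[str, int]] = {
    "E1": {"H1": CC, "H2": C,  "H3": N},
    "E2": {"H1": C,  "H2": N,  "H3": I},
    "E3": {"H1": C,  "H2": II, "H3": C},
    "E4": {"H1": C,  "H2": I,  "H3": C},
    "E5": {"H1": N,  "H2": N,  "H3": N},  # fits every story equally: non-diagnostic
}


def inconsistency_score(matrix: Dict[str, Dict[str, int]], hypothesis: str) -> int:
    """Sum of the inconsistent ratings for one hypothesis (0 = nothing contradicts it).

    ACH deliberately ignores the supporting ratings here: a hypothesis is
    judged by what it fails to explain, not by how much it can be made to fit.
    """
    return sum(-row[hypothesis] for row in matrix.values() if row[hypothesis] < 0)


def rank_hypotheses(matrix: Dict[str, Dict[str, int]],
                    hypotheses: Dict[str, str]) -> List[Tuple[str, int]]:
    """Hypotheses ordered from least to most contradicted by the evidence."""
    scored = [(h, inconsistency_score(matrix, h)) for h in hypotheses]
    return sorted(scored, key=lambda pair: pair[1])


def diagnosticity(matrix: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Spread of each evidence item's ratings across hypotheses.

    An item rated identically against every hypothesis (spread 0) cannot
    discriminate between them and should not move the assessment either way.
    """
    return {e: max(row.values()) - min(row.values()) for e, row in matrix.items()}


if __name__ == "__main__":
    for hyp, score in rank_hypotheses(MATRIX, HYPOTHESES):
        print(f"{hyp} inconsistency={score}: {HYPOTHESES[hyp]}")
    for ev, spread in diagnosticity(MATRIX).items():
        print(f"{ev} diagnosticity={spread}: {EVIDENCE[ev]}")
```

With the constructed ratings above, H1 ends up with no contradicting evidence, H3 with one item against it, and H2 with the most, so H1 ranks first; E5 has a diagnosticity of zero and drops out of the comparison entirely. Note what this does and does not buy you: the method only makes the reasoning auditable, so someone disputing a conclusion on ACH grounds still has to put a competing hypothesis into the matrix and show that the same evidence contradicts it less.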


NMAnews: Chinese military hacker unit behind US attacks.
posted by scalefree at 8:07 PM on February 20, 2013 [1 favorite]


Actually, the NSA has probably already done this and has some clever side-channels leaking them information from the inside of this group. These guys are using windows, not SELinux. I wouldn't be surprised if it's amateur hour once you get past the firewall.

It occurs to me that one reason why perhaps there hasn't been much in the way of an obvious US government response to the Chinese hacking is because: (1) it's so sloppy as to not constitute a serious threat in the eyes of the NSA et al, and (2) it gives the NSA and other US agencies a window into Chinese "cyberwar" capabilities and prioritization that they wouldn't otherwise have.

In other words, perhaps it's felt that slapping the Chinese for their overt and ham-handed "cyberwar" activities would only cause them to develop more subtle ones that could be monitored less easily, so it's better to let them carry on — and if it scares the private sector into a better security posture in the meantime (or, more cynically, can be used as a bogeyman for securing more "cyberwar" funding), bonus.
posted by Kadin2048 at 9:35 AM on February 21, 2013


It's not the same, it's worse. It's like the nukes don't even need to be delivered via bomber or missile; they could go off anywhere at any time with no warning. And there's no risk of mutually assured destruction.
It's worse to lose electrical power for a few days than it is to have millions of people and cities destroyed by nuclear weapons?

This is how you can tell the "cyberwar" people don't seem to be thinking clearly whatsoever.

Wars are bad because they kill people, and cause death and destruction on a wide scale. Yes, in theory having your electrical grid go out might cause some people to die; massive blackouts happen from time to time accidentally. Look at the power outages caused by Hurricane Sandy. Are you actually saying you think that the power outages from Hurricane Sandy were somehow worse than the nuking of Hiroshima and Nagasaki?

I mean, it's utterly insane.
A bug is not the proper analogy to the situation here. A better one might be if Americans were to put a remote kill switch on the engine.
There's no claim they installed "remote kill switches" anywhere. It seems like something that would have been noted. The concern is the fact that because they looked around, they could have installed a kill switch - but the same is true of the bugs on the Chinese airplane. They could have installed a kill switch or bombs or whatever, there is no way to know without completely disassembling and re-assembling the plane.

And again, having the power go out for an hour is something that happens from time to time by accident. It's not the end of the world. Compare that to having an entire city annihilated; it's completely insane to say that the possibility of a cyber-attack is somehow as bad as having a nuclear weapon pointed at you - there's zero sense of proportionality or scale. I mean, does anyone personally think it's worse or just as bad to be without power for an hour or two than it is to be incinerated? It's just totally bonkers.
posted by delmoi at 10:12 AM on February 21, 2013


Schneier on Security: More On Chinese Cyberattacks
posted by the man of twists and turns at 11:46 AM on February 21, 2013


There's no claim they installed "remote kill switches" anywhere. It seems like something that would have been noted.

I wasn't trying to claim this was true, I was using an analogy to illustrate a point about power and control. As it stands, swiping IP is harmless enough (unless you're a jittery investor), but by railing against "cyberwar" just because China can't/won't conduct a military campaign? I don't want to put words in your mouth, but your statements imply that the United States should be willing to relinquish control/autonomy over infrastructure controlled by SCADA systems just because they're not capable of causing "enough" harm. I just don't see why the United States should cede that to an adversary, even at the expense of "cyberwar people" (assuming you mean military-tech contractors) getting rich, which is pretty much inevitable IMO.
posted by antonymous at 7:31 PM on February 21, 2013


Also delmoi, after re-reading your comments I think we maybe have more of a gap in language than anything else. I've personally internalized the "cyberwar" label in discussions with others on this and generally use it as a mental shortcut to refer to a wide range of actions, many not included in Mandiant's report. I do agree with you that this term is unnecessarily alarmist (and too quickly deployed) when used in the context of the actions uncovered by the report. I also agree that perhaps in this specific instance "espionage" is a more useful term. This is not "war" but if these types of actions continue to escalate (and escalate tensions), then it will eventually be called a war (rightly or wrongly) for lack of better term. I was focused on discussing additional, as-of-yet-unexposed actions which could more easily be construed as some kind of "war."

(I do appreciate your perspective, as it's helped me realize the above)
posted by antonymous at 8:54 PM on February 21, 2013


If you're a Chinese hacker, you probably hate your job
Your boss cheats on his expenses, but won’t approve yours. Wang’s boss expensed a $100 bottle of liquor—a popular form of gift given to advance business relationships—while he was denied reimbursement for a $1 bus ticket to attend a conference.

You get punished just for trying to do a good job. Hackers commonly use phishing emails to invade their targets' computers. And in order to get a native English-speaker to open your email, it has to be Chinglish-free. So Wang tried to spiff up his language by reading The Economist and Harvard Business Review—only to have his boss chide him for spending too much time reading foreign papers.
posted by the man of twists and turns at 10:22 AM on March 13, 2013


Bruce Schneier: Danger Lurks in Growing New Internet Nationalism
posted by homunculus at 4:34 PM on March 13, 2013