
The imperfect cyber storm is coming and it’s not China – Mandiant cyber spying

Richard Bejtlich

In a revealing discussion on cyber security at the National Policy Centre in Washington DC, Good Harbor Chief of Staff Emilian Papadopoulos and Mandiant Chief Security Officer Richard Bejtlich discussed the technical and organisational challenges of defining and meeting threats to national and corporate security.

Even developing consistent definitions across the broad spectrum of networks has yet to be achieved. It’s a work in progress, more or less.

Three levels of cyber security threats that are out there, with a brief description of each:

  1. Basic Denial of Service attacks that almost anyone with a grudge or an agenda can hit a target with, smothering it under a deluge of traffic that can slow operations to a crawl. This is a fairly common event, and the tools to accomplish it are available to almost anyone.
  2. Level two is a step up and includes defacing web sites and sending disinformation out in another party’s name. Usually this amounts to vandalism. The threat here (often not exercised) is that the intruder did in fact gain access to a server or network and might have dug deeper if so inclined, even erasing or downloading files and passwords, etc.
  3. Level three is what poses the deepest threat to government and corporate networks: embedding a persistent Trojan that can curate and process activity on an infected system and send the information to a remote host. The information can include files, login activity and usage logs (enabling deeper, focused penetration), and the implants are virtually undetectable by users. They can persist for years and can manifest as a permanent leak of national security information, intellectual property, and system control of municipal utilities, air traffic, and other infrastructure.

Of course, much of the talk today focused on a level three infection attributed to the Chinese People’s Liberation Army’s (PLA) Unit 61398 and a building located in Shanghai. In February 2012 Mandiant revealed that it had been tracking this source since about 2006, uncovering a persistent pattern of massive thefts of internal emails and technical information, notable for the outrageous network infections of both the New York Times and the Washington Post (disclaimer: that’s my local paper!). After the recent uproar, activity quieted down some. In recent days, however, the number of attacks sourced to 61398 has been ramping up.

The attacks were (and are) focused mainly on English language sites and servers. The Chinese are in high denial of this information and are ignoring multiple protests from around the globe about their failure to pull back from the activity. Even Russia is responsive when other nations object to activity originating in the Russian Federation. It’s impossible to deny it’s happening, though. In fact the construction billing for the PLA building and the posts of disgruntled soldier-hackers have all been uncovered, in addition to masses of IP address logs and “breadcrumbs” leading to a faceless 12-story building, its roof covered with satellite dishes and its sidewalks patrolled by strolling guards who strongly discourage photography.

Meeting these threats onshore here in the US requires more than simply installing anti-virus software. For an individual user this may be adequate, but for corporate organisations it is much more fraught, something firms such as Good Harbor are prepared to deal with. A sure metric of an organisation’s preparedness is the answer to the question…

“Was the threat detected in 1 day and steps initiated to deal with it?”

For all too many organizations the reply is “no, it wasn’t.”

CEOs often are reluctant to initiate an instant response and do not want to reveal attacks: stock market values can be affected almost instantly on news (or rumours/disinformation) of proprietary information thefts or confidentiality breaches. Best practices for acquisition and business-partnership calculations must include network security verification, or the cost of security upgrades, before deals are closed and operations begin.

This collateral effect, the “value” malaise that follows reports of a security leak, means that companies are reluctant to be open about the details. And the murky and inconsistent regulatory turmoil emanating from Washington’s agencies and Congress, let alone from National Security and Military agendas, shows few signs of fostering a confident and sort-of-transparent system for accurate, consistent threat reporting and analysis. This must be resolved.

For soon a new threat is sure to arise in the Mideast and South Asia as thousands of unemployed and skilled network-savvy youth take on tasks, legitimate or unsavoury, within the next ten years. More sophisticated players in the regions such as Iran, Israel, Saudi Arabia and a few other parties in dispersed pockets are already playing a sophisticated cat-and-mouse game that has wrecked 30,000 Saudi computers in the oil-production networks. The Stuxnet attack on Iran’s nuclear refinement centrifuges is another example of a very lethal network attack. And recently Iran has been suspected of a monster hit on Western banking systems.

As the major players in “the great game” of the Internet today deal with security, cyber spying, and governance, the new threat may be arising from workers schooled in the rough-and-tumble school of hard knocks and experiential knowledge of political unrest and oppressive regimes. Who knows where a new open-source Arabic Language compiler will lead? It behooves the large entities managing and exploiting the Internet right now to look beyond utter self-interest and to develop robust metrics and consistent governance. Cooperation among present rivals and the future’s players will lift all users; unbridled rivalry may not.

About suptweet

...is an independent content & media consultant, semiotic contortionist and American Indian blogger with 20+ years on the web: hand code, graphics, video, early user. I'll help


3 thoughts on “The imperfect cyber storm is coming and it’s not China – Mandiant cyber spying”

  1. Reblogged this on Welcome To My World (My Life My Way ツ. My Destiny).

     Posted by LissaCaldina | May 18, 2013, 8:54 am

  2. Pingback: Super-sized tweets and news energy, politics, security | Suptweet's Blog - May 17, 2013

  3. Pingback: Edward Snowden says US hacking Hong Kong and China for years | China Daily Mail - June 13, 2013
