Chinese Attacks on Defense Contractors, 2 clues are evidence

Pierluigi Paganini January 29, 2012

It’s not the first time, and the news itself is no surprise: once again Chinese hacker groups are involved in cyber intelligence operations against Western companies with the intent to steal critical information. Symantec researchers have proved the involvement of Chinese groups in the attacks, alerting the international community regarding the targets attacked, which include major U.S. defense contractors.

Cyber China
The trend is established: to obtain information regarding government activities, hackers most often prefer to attack the private companies that collaborate with it, commonly referred to as contractors. These targets are often more exposed, despite the government requiring contractors to comply with specific standards for information management, meant to guarantee the confidentiality and integrity of the data stored. The Government of China is accused of systematically attacking the computer networks of Western governments and corporations. Beijing is successfully stealing research and development, software source code, manufacturing know-how and government plans. The shadow of China is behind the well-known unauthorized network access events at several U.S. defense contractors, and Chinese groups may also be responsible for the RSA SecurID breach as well as the massive attacks against Japanese institutions. We are facing a new ‘cold war’, but this time the challenge is to obtain dominance in cyberspace.

Contractors and their relationships with governments are considered weak links in the security chain, a potentially vulnerable interface between very different worlds. The economic crisis and constant cuts to many aspects of manufacturing processes, security first and foremost, have led to an exposure that is difficult to manage. Given the increasing number of attacks recorded against these organizations, it is essential that relationships with contractors are constantly reviewed and revised by the authorities in order to avoid potentially dangerous data breaches. There is no point in locking down facilities when you leave the keys in the lock, and here the keys are the contractors themselves, careless of and ignorant about the security aspects of the technological change we are seeing.

It is questionable whether the outsourcing of many government activities is really useful: even if it often reduces direct costs, we must take into account the indirect costs of managing the risk of information exposure, a risk that has frequently become real.

After this personal reflection, let's come back to the discovered attacks. The attacks used malicious PDF documents exploiting an Adobe Reader bug patched last month to infect Windows PCs with the trojan “Sykipot”. As described in my previous article, Sykipot is a trojan with backdoor features, already used in other attacks against U.S. PKI infrastructures based on smart cards.

The vulnerability involved the application’s support for the Universal 3D (U3D) file format and could allow attackers to remotely take over an infected system, cause system crashes, and conduct denial of service attacks.

The Symantec researchers have discovered that one of the main servers used during the attack, the machine that physically hosts more than 100 malformed PDFs, is located in Beijing and hosted by one of the country’s largest Internet service providers, not yet identified. In more detail, Symantec researchers have uncovered a real architecture used for the attacks that also includes other machines responsible for modifying the malicious PDF documents, an activity necessary to evade antivirus detection on the target.
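Because the lure documents were repacked continuously to evade antivirus signatures, a defender triaging inbound PDFs does better to look for the structural feature the campaign depended on, a U3D 3D stream, than for the bytes of any one sample. The following Python scanner is an added example, not code from the article, Symantec or AlienVault; it assumes the standard PDF 3D stream dictionary (`/Type /3D /Subtype /U3D`, optionally Flate-encoded) and the U3D header block type whose bytes read `U3D\0`, and the two PDFs it checks are constructed in the script rather than real attack samples.

```python
import re
import zlib

# Header block type of a U3D file (0x00443355 little-endian), i.e. the bytes "U3D\0".
U3D_MAGIC = b"U3D\x00"

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def find_u3d_streams(pdf: bytes) -> list:
    """One record per PDF object whose dictionary declares a U3D 3D stream."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        if not re.search(rb"/Subtype\s*/U3D\b", body):
            continue
        flate = b"/FlateDecode" in body
        sm = STREAM_RE.search(body)
        data = sm.group(1) if sm else b""
        if flate:
            try:
                data = zlib.decompress(data)
            except zlib.error:  # damaged or deliberately malformed stream: still worth a look
                data = b""
        hits.append({"obj": int(m.group(1)), "flate": flate,
                     "magic_ok": data.startswith(U3D_MAGIC), "size": len(data)})
    return hits


def triage(pdf: bytes) -> str:
    """Structural verdict that survives byte-level repacking of the same lure."""
    hits = find_u3d_streams(pdf)
    return "no-u3d" if not hits else "review:%d-u3d-stream(s)" % len(hits)


def sample_with_u3d() -> bytes:
    # Constructed minimal PDF, not a real attack sample: a 3D annotation whose data stream is U3D.
    payload = zlib.compress(U3D_MAGIC + b"\x00" * 60)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Annot /Subtype /3D /3DD 2 0 R >> endobj\n"
            b"2 0 obj << /Type /3D /Subtype /U3D /Filter /FlateDecode /Length "
            + str(len(payload)).encode() + b" >>\nstream\n" + payload
            + b"\nendstream\nendobj\n%%EOF\n")


def sample_plain() -> bytes:
    # Constructed document with no 3D content, used as the negative case.
    return b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
```

A document with 3D content arriving from a sender who has no reason to ship CAD models is the case the "review" verdict is meant to surface; the record also says whether the stream decoded to a genuine U3D header, since a stream that claims to be U3D but does not decode cleanly is exactly what a crafted exploit file may look like.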

At least six Chinese IP addresses are used to proxy or host the C&C servers. The Netbox web server used on the C&C servers is mainly used by Chinese speakers; in fact, all the documentation to set up and learn the framework is only available in Mandarin. Researchers of the security firm AlienVault were also involved in the analysis and have declared that the servers used in the operations are Windows based and, with high probability, located in China. It’s difficult to be certain of this: proxies, routing tricks and spoofed IP addresses can easily be coordinated to give evidence of a fake attack origin. Researchers have also collected evidence that the hackers who connected to the staging server did so from Zhejiang province on the eastern coast.

A specific feature of the Sykipot attacks is a hard-coded identifier in the malware, used by its creators in each operation to evaluate the effectiveness of the attacks.
Symantec has maintained a cautious position and doesn’t link the hackers directly to the Chinese Government, but the clues demonstrate the origin of the attacks.

“Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China,” Symantec stated.

What is interesting is the ability to exploit a zero-day vulnerability, and also the process used to evade antivirus through continuous modification of the malware, which proves that behind these operations there is a skilled group that manages each attack like an ongoing project.

Ironically, Lockheed Martin, the very company that had discovered the vulnerability used, was among the victims of the attacks.

In Italy we say: «Two clues are evidence»

Pierluigi Paganini
