Saturday, July 15, 2017

China’s Intelligence Networks in United States Include 25,000 Spies

Beijing's spy networks in the United States include up to 25,000 Chinese intelligence officers and more than 15,000 recruited agents who have stepped up offensive spying activities since 2012, according to a Chinese dissident with close ties to Beijing's military and intelligence establishment. This comes from a piece in which Bill Gertz, a longtime Washington Times reporter now writing for the Washington Free Beacon, interviews a Chinese dissident who reveals up to 18,000 Americans recruited as Chinese agents.

Without questioning Guo's motivations, the priority list that's played out in the last few years —in action, appears to be directly in line with what Guo talks about in his statements, and with the aggressive positioning undertaken in their recent reorganization. We can't speak to the human rights abuses claimed in the piece, for example "Chinese intelligence officers sent to the United States are controlled by the MSS by keeping all their family members and relatives hostage", but according to Guo:

  • China's intelligence targets included several strategic areas of the United States.
  • "The first is to obtain military weapons-related technology. This is priority No. 1," Guo said.
  • Second, Chinese intelligence is engaged in "buying" senior U.S. officials personally, and a third objective is buying family members of American political or business elites "with a view to getting intelligence and to make big business deals in China's favor," he said.
  • A fourth priority is penetrating the American internet system and critical infrastructure by implanting malicious software.
  • "And they have successfully penetrated all the major defense weapons suppliers of the U.S. government," Guo said, adding that "the scale of their operations is mind boggling."

Guo said Ma, the MSS vice minister, told him that a major shift by the Chinese was expanding the scope of agent recruitment from Asians to mainstream ethnic groups.

"This is where the biggest danger lies," he said. "It's clear the situation is getting more and more dangerous now. The United States has the best weapons in its arsenal, such as laser weapons, etc. Yet, the Chinese spy system has penetrated into the bloodstream of American defense establishment with their viruses and everything else."

"The United States is bleeding and is unaware that sooner or later the United States will run out of blood," Guo said.

Also, the United States is overly reliant on technical spying while China has an asymmetrical advantage in using its tens of thousands of human spies.

On June 26th, Wapack Labs published a top-down report on the Chinese reorganization of their new cyber structure. The report summarizes Wapack Labs research conducted on the PLA Third Department, suspected of being the primary military cyber force for China. The research was conducted entirely on open sources available on the Chinese Internet, plus unclassified satellite imagery. The report is unclassified but sensitive in that it reveals more about Chinese cyber-related military facilities than has been published in the past. This is a compilation of recent Wapack Labs reporting published separately on each of these Third Department entities. If you'd like a copy of the report, register, and we'll send you one.

Monday, June 26, 2017

VIDEO: Integrated with ThreatQ with raw collection data (CORRECTED COPY)

Sorry folks. I realized I mixed up the link to the video. Let's try this again.


A few months ago, a good friend told me that he really loves the quality of our reporting, but that we really needed to figure out how to get it into systems. I've been wanting to see this happen for the last couple of years, and now we've finally, completely integrated into ThreatQ.

Why'd it take so long? We needed our own APIs to allow ThreatQ to be able to pull, and now with CTAC online, the ability to integrate becomes much easier.

So rather than write an entire blog, and hope you read it, I've put up a video of Micheal Clark at our last Threat Day, where he walks users through pulling Wapack Labs intelligence into ThreatQ.



Saturday, June 17, 2017

Risk Management, Compliance, Resilience. What's old is new again!

Three times this week a user or potential customer told me, "I'm not looking for more intelligence. I'm looking for compliance, risk management, resiliency."

Imagine that! Those are the three things that we talk about most… well, maybe not resiliency. Your failover is something completely out of my control, but for over 20 years I've had a copy of ISACA's Enterprise Risk Management framework documents either on, or very close to, my desk. I'm a long time user of SEI's OCTAVE Risk Modeling system —even though it's morphed, it's easy to explain, use, and train a team to implement. And compliance? That's pretty easy. If I see massive amounts of lost PII, intellectual property or outbound activities touching our sinkholes, it's pretty easy to know who's in compliance and who's not. I don't see the systems, but I definitely see the outputs.

I have to laugh. I consider myself an expert in risk management. I have an MBA with a focus in risk, and have built and implemented risk models at some of the best companies, on three different occasions.

I've been interested in, and preaching, risk management since 1998, first using OCTAVE as a Navy Officer, implementing risk management into Navy networks through a visiting scientist partnership with SEI. This work led into processes for building SiLK models (Suresh L Konda's network flow engine —a CMU PhD and good friend) —now Centaur and Einstein.

Later, after leaving the Navy and working for Cisco (2001-2005) I built a team and implemented hybrid OCTAVE, COSO, and ISO models to build risk processes. This hybrid model was used to evaluate M&A prospects, third party partners and suppliers, and remote offices. We used these models in dozens of locations and organizations in as many countries around the world. Risk is a common language transcending country borders.

At Northrop Grumman (2005-2008), I built on these processes using ISACA's early Enterprise Risk Management framework —a larger view designed to integrate IT Risk into larger organizational risk models —financial, operational, etc. We used it to evaluate (again) M&A candidates, third party partners and suppliers and remote offices. And when it came time to chase out bad guys, we already knew the issues with the infrastructure in which we were operating. This product evolved into full-out, large scale risk management and identification run by my second team hire.

Yep. This stuff works.

But guess what all three of these have in common?

Every one requires a deep understanding of external threats —to operations, to finance, and to IT. That information is called intelligence, and it's a linchpin component of every risk management process. No matter which one you choose, they all require external inputs to understand and prioritize the threat, the strategy, and the spend that will go into mitigating, minimizing, transferring (through insurance), or accepting the risks identified.

Without intelligence, you can't have risk management, and therefore cannot have either compliance or resilience. Intelligence is foundational. And if you're relying on intelligence that comes in that sexy little silver UTM (we use one too!), you're missing the boat. Are you going to show your boss the UTM logs when you need budget for next year's threats? Probably not.

You need to think strategically, and that requires good intelligence —the story behind the threat, the motivation of the bad guys chasing you, maybe a picture of one or two of those guys, and an understanding of how they'll affect your business, not just a feed of IOCs.

And as is always the theme of my blog… we're here to help.

Wapack Labs' Cyber Threat Analysis Center (CTAC) is a great way for companies of any size to be constantly aware of the threats they face. Whether it's monitoring threats to key personnel, stolen credentials, sinkhole analysis, or sentiment analysis, CTAC makes it easy to monitor your daily and ongoing threat picture. Look at five years' worth of data and extrapolate that out into longer term planning. Request a deep dive on your company and use that in planning futures. We've published on everything from stolen credit cards to North Korean nuclear and EMP options. We've covered Ukrainian/Russian geopolitical risk monitoring for our companies who do work in the area, and published lists and mitigations for cyber tools being hoarded by Iranian hackers during last year's nuclear talks. We publish indicators with confidence ratings, keylogger dumps (not TOR captures with high false positives), and probably have one of the largest sinkhole collections going.

Risk Management, Compliance, Resilience. As you think through these processes and need to figure out who to call for intelligence inputs, call us first.

Want a demo? Drop us a note. We're here to help.

Saturday, June 03, 2017

Wannacry —I know, it's getting old already right? Read this...

On 02 Jun 2017 Wapack Labs obtained several sinkholes associated with the Virut botnet and was able to confirm that the botnet is being used to deliver the Wannacry ransomware. Because the botnet owners are paid by the number of installs, Wannacry is now being deployed globally, and fast. Wapack Labs has reason to believe that Wannacry is now affecting banks and ATMs, and is specifically infecting companies in the Middle East and Northern Africa region.

Why should you care? Virut has been around since at least 2006, and although it suffered a 2013 takedown by CERT Polska, it has resurfaced and remains one of the most prevalent distribution networks for spam, phishing, malware, etc… and now, ransomware. Wannacry is now being spread far and wide, and if you've not installed the patch, there's a high probability that you're about to learn a hard lesson in network hygiene.

And so for now, this ends our public service announcement.

As an aside, and a bit of a science experiment, we're experimenting with some rudimentary artificial intelligence and publishing capabilities. One of them is one of the earliest and simplest forms. We've loaded a public (and gratis) version of MediaWiki in an effort to encourage massive crowdsourcing. We call it Wapackapedia(R). Yes, there are LOADS of issues with sharing information like this; it's definitely a Bambi, but in cases like this, where hundreds of thousands more computers are now carrying dormant versions of Wannacry, my science experiment goes like this… Get the damn word out!

Here's the link:

I also published two other pages, mostly with computer generated work, but one page has some new and interesting stuff on Lazarus (North Korean APT).

Here's that link:

I'm looking for maximum crowdsourcing. You guys know me well enough: I believe in machine-to-machine interfacing, but my belief is that real value comes from human communication first, then distilled into machine readable stuff. Of course, any victim information is not posted here. As always, we prefer to not out victims publicly —they've been victimized once already. For that, we've built out private locations behind our Red Sky curtain where we notify our members.

As always, if you'd like to know more, reach out. Jim's the new President and will be happy to set you up with a demo. He can be reached at

Saturday, May 27, 2017

Stutzman assumes new role...

What's that all about?

I've been running Red Sky and Wapack Labs since Feb '12 after leaving the government to join my old friend Jim McKee. I enjoy building new things, but long term? I needed a break. I keep finding myself with one foot in the analytic camp and one foot in the management camp, but as the company grows it becomes harder and harder to do both things well.

This week I told my partners that I felt like I was getting dumber with every day that passed, and every minute that I dealt with prospecting, taxes, managing the team, and all of the other things that go along with being CEO, I miss out on time spent staying sharp on the things that I really love doing.

So on Monday, I turned things over to Jim McKee, anointed him President, and started writing analysis.

My first task? I convened a fusion cell and authored a weekly report —one that we push out to customers who use us for tailored intelligence. I'd forgotten how much fun it is, but also it's like going back to working out after being off for a while —your muscles hurt afterward! Yes, my brain hurts tonight but it's a good hurt.

So, CEO? Not me. Chief, Intelligence Operations? Oh yeah…

Tanqueray Martini. Shaken, not stirred.

CloudHopper? Systemic... AND Stutzman assumes new role!

This is an excerpt from a piece we authored for our membership. CloudHopper, first discussed about a month ago by PwC UK and BAE, is targeting Managed Service Providers for VPN and RDP credentials. Brilliant. When I first read the piece I assumed this to mean Managed Security Service Providers had been targeted, which would be bad, but colocation facilities? Not a new TTP, but still brilliant.

"CloudHopper, a new name for APT 10 has been identified stealing VPN/Remote Desktop credentials from Managed Service Providers in an effort to obtain administrative level direct access to network infrastructure mechanisms. In our opinion, this is significant. In almost every presentation, at least one financial presenter talks about “systemic threat”. This, we believe, is the epitome of systemic –get the administrative credentials to the network perimeter, change the authentication, and obtain unfettered, unchallenged access to any of the MSP’s customer base. (View the full report:"

This actually scares the hell out of me.

Four years ago we rented colo space for a malware analysis sandbox. The colo provider had all of the right words in their list of certifications —ISO 27001, PCI, HIPAA, etc. After a walk-around of the facility, we signed the contract for a two year stint.

Within a month we started noticing fun things happening on the box. Fortunately for us we hadn't opened it up for our Red Sky membership; we were still very much in our testing phase. It was clear to us however that the machine had been compromised —so we drove to Boston, removed the server from the rack and brought it back to Manchester, where we mounted it locally. We found that the colo had the necessary tools to monitor the systems, but not to monitor the security. In fact, they had all of the right tools and skills, but never monitored for the things that would have allowed them to see unauthorized access —something we'd paid for.

The idea that VPN/RDP credentials are stolen and pathways are used is not at all new. In fact, these were the first cases that I can remember after building my APT team when I worked at 'that really big defense contractor', over ten years ago. These accounts are most prized, and in many cases in large companies administrative credentials —domain credentials —those that most often have VPN and RDP access to many, many servers across the horizontal, become one of the single most effective vectors for systemic breach. And when it's done in a colocation facility where small and medium sized companies are most likely to host? Not new, but still brilliant.

When asked why he robbed banks, Willie Sutton replied, "I rob banks because that's where the money is." Why target colo facilities? Because that's the pathway to small company innovation and potentially, larger accesses.


This may or may not be a surprise to many of you, but I've been running Red Sky and Wapack Labs since February 2012 when I joined my old friend Jim McKee in building Red Sky.

This week I told him that I felt like I was getting dumber with every day that passed, and that every minute that I dealt with prospecting, taxes, managing the team, and all of the other things that go along with being CEO, I miss out on time spent staying sharp on the things that I really love doing.

So on Monday I anointed him President, and started doing analysis again. I'd forgotten how much fun it is, but also it's like going back to working out after being off for a while —your muscles hurt afterward! Yes, my brain hurts tonight but it's a good hurt.

My first task? We write tailored weekly products as an intelligence provider to some big companies. Yesterday I wrote my first one in nearly six months. There are several more to come.

So, CEO? Not me. Chief, Intelligence Operations? Oh yeah…

Tanqueray Martini. Shaken, not stirred.

Saturday, May 20, 2017

#WannaCry - To Pay or Not to Pay. That is the question...

I'm not always sure that the government offers the best advice… and the press simply repeats it.

Earlier in the week I was interviewed by the local ABC affiliate. The next day, my team pulled together roughly 40 Red Sky Alliance members for a  —largely on my request to better understand and make sense of all of the noise in the press.

Yesterday, I picked up flowers at a local shop, when one of the owners approached. She'd seen me on WMUR and wanted to tell me that she'd also experienced a WannaCry incident. This was the third such mention by someone who'd been infected. None of the three had full backups. All three told me they hadn't paid because 'they' (meaning the press, largely because of circular reporting) had instructed victims to not pay the ransom. I handed them a business card and told them to call me Monday.

I have a few thoughts.

1. Don't pay? Be careful. Large companies, and those smaller companies who are prepared for such an event, might be fine not paying the ransom. What's 'prepared' mean? It means that you can completely restore lost data from tested backups. In these cases, none of the three had complete backups. They will soon. Each lost far more revenue than they would have if they'd just paid the ransom.

2. Make your own decisions. The government doesn't run your business. The press only reports what others tell them. Many times those opinions are based on something reported by others —often times coming directly from the government. In this case the government urges people to not pay the ransom. The US does not negotiate with . I would urge you to make your own decisions.

3. Who did this? I'm not sure anyone has any real evidence. One report compared WannaCry with Lazarus, but in our work, we found only six lines of code in common —largely machine generated; and in our opinion, not a good indicator. We discounted it. We do however have theories… we rarely look at attribution at the country level (i.e. Russia, China, N. Korea). I prefer to look for individuals. In this case, I think the story will unfold. My team, and our Red Sky members, are watching to see if this is a test. My bet? There'll be more.

WannaCry encrypted over 200,000 computers. Last heard, the attackers earned slightly over $75,000 US. Not a bad payday if you're sitting in someone's garage punching a keyboard. Not so good if it's a country attempting to steal money (N. Korea?).

The bigger lesson? I have two. First, small business owners listen to the government, but in this case, the government (repeated by the press) didn't give adequate guidance to small businesses. In fact, here's what the US-CERT offered as guidance:

"Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed."

One (me) might argue that in this case, this guidance is only partially true. Let's break this down.

"Paying the ransom does not guarantee that the encrypted files will be released..."

This to me demonstrates a lack of basic understanding on the part of US-CERT. Ransomware is a customer service business. A few weeks back, we paid a ransom for a client, roughly $30,000. When we couldn't decrypt servers we contacted their tech support. YES! They have TECH SUPPORT! If someone pays and still can't get their stuff back, victims will stop paying. It's bad for business!

"…it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information."

I'm sorry. Did I miss something? In which case did WannaCry take someone's banking information? Here's the way you buy a BitCoin… Go to an exchange, pay the money, take a picture of yourself with a note that clearly states that you want to purchase the BitCoin (the picture/note combination will be given to PayPal or your credit card company in the event that you try and reverse the purchase). You then get credited with the BitCoin —in a personal digital wallet. Send the bitcoin to the bad guy, and you're done. So where does my bank account get stolen?

"In addition, decrypting files does not mean the malware infection itself has been removed."

This is absolutely true. Even if you pay, you'll want to burn that machine to the ground and reload it.

Two of three pieces of guidance offered by US-CERT were not completely true, and in fact (again, Stutzman's humble opinion) poorly worded guidance. If US-CERT is going to be cited as the authority (and they SHOULD BE!), they really need to pay attention to their audience. Never, EVER give guidance to one company and expect it'll hold true for another.
I'm certain there are victims out there still reeling from the encryptor. Drop us a note

Saturday, May 13, 2017

Hacking back: A viable strategy or a major risk?

I spent yesterday at a conference at the Kostas Research Center at Northeastern University.

I don't normally spend my time in the midst of so many government folks anymore, but I did yesterday. I gave my "Daily Show" talk —the talk of massive keylogger exploitation in the Maritime space, and sat on a panel later in the afternoon.

Yesterday morning however, something BIG happened —a massive ransomware campaign: #WannaCry ransomware was used in targeting healthcare and other industries in roughly a dozen countries around the world.

If you've heard me talk recently you know that one of the things I talk about is threats 3-5 years out… I call it my Futurist talk. What should we be thinking about beyond the end of next week? One of those things I talk about often is swarm attacks in cyberspace… the idea that massive numbers of computers can communicate, swarm, and attack a target computer, system or network and insert code, drop systems, etc., taking any opportunity to implant something that denies, degrades, destroys, or simply embeds.

During the panel, one question came up —a question that always comes up. A strong offense is often times better than a strong defense. Should we be offensive in our defense? Should we be hacking back?

I think about this a lot, especially as it relates to ideas that in three to five years, even the most mature security teams (in my opinion) will not be able to keep up with the overwhelming amount of data that will be needed to actively, in real time, defend from these swarm attacks, attacks that I call the nuclear option, and cyber laser guided bombs.

Anyway, we started on my right. The first panelist talked of legal issues. The second spoke of mis-targeting (the old "what if I hit the baby milk formula factory?!"), the third? Heck, I don't remember. When it was my turn, I gave the answer that I always give. I generally have two analogies:

  • "If I get into a bar fight, I'll make a decision to either talk it down, defend myself, or run… depending on who's picking the fight, whether or not I'm outnumbered, surrounded, etc." Generally, the other guy doesn't know that I've been a black belt for years, and if he pushes too hard, well… Maybe I'll buy the guy a beer to try and de-escalate the situation, but if that fails, if I think I can defend myself and win, I'll fight. If not? I'm asses and elbows outa there!
  • The second analogy? The one I used yesterday... "I live in New Hampshire. If someone breaks into my home in the middle of the night and attacks my family, I'm going to shoot them dead, and nobody is going to care. I was defending my family."

So why is it that in cyberspace, I'm not allowed to fight back?

Police aren't charged with, or equipped for, protecting you from cyber crime, and the government isn't going to come to your rescue unless you're a member of a critical infrastructure, and even then, well... So what are you to do?

Hackers often times learn their trade by sharing tactics and, many times, hacking each other —for fun or profit —live… yet defenders are expected to build expensive labs, take training, follow process, be good citizens, and stay within the law.

At some point, the tables have to turn. I'm not saying this is an answer that everyone should pursue. I am saying that if you feel you can defend yourself —and win, go for it. There may be legal consequences, and you might get a cyber broken nose, but for those who believe that they have the skillsets to actively defend themselves, my feeling is, they should be able to do so without fear of prosecution.

This is a topic of discussion that I both enjoy, and have talked about both inside Red Sky and in public. In fact, Wapack Labs publishes an intelligence product that we call the Targeteer(R) report: dossiers on bad guys that we've identified over the years that pose threats to our membership. We identify them through good old-fashioned research. These guys are the wolves closest to your sleds.

We want to know if someone is a threat, and when we find out, we want to know how they work, where they live, how they connect to the internet, where they operate from, etc. Why would we not use this information to our advantage? It's good intelligence and it can be used for many things —hacking back, legal or HR, freezing credit cards, and more. This is good intelligence work and we publish it to our Red Sky members.

Should you fight back? Probably not. Should you have the right to? Absolutely.

Interested in hearing my futurist talk? Drop me a note. We'll set something up.