Tuesday, August 22, 2017

An analysis of China's Military Cyber Force: PLA Third Department and its Technical Reconnaissance Bureaus

We recently published a detailed, but unclassified paper entitled "China's Military Cyber Force: PLA Third Department and its Technical Reconnaissance Bureaus". The paper is being provided at no charge. 


Several elements of China’s People’s Liberation Army (PLA) General Staff Third Department have been identified by Western analysts as involved in cyber intrusions into U.S. and other foreign networks.  These include the Second and Twelfth Bureaus of the Third Department, also known as the 61398 Unit and 61486 Unit, respectively, which have been profiled by Mandiant and CrowdStrike.  The Third Department’s Technical Reconnaissance Bureaus (TRB’s) are also suspected of involvement in cyber operations.  The Chengdu Second TRB (78020 Unit) was identified by ThreatConnect/DGI in 2015 as also conducting intrusions.

Based on this information, Wapack Labs conducted research on other Third Department elements to determine their possible involvement in these cyber operations mission for China.  Third Department units were profiled based on their published academic work, which revealed a subset of elements whose research was predominantly of cyber issues rather than SIGINT-related topics.  The elements identified were:

  • Third Department Computer Center (61539 Unit) in Beijing.  This center has a network security research mission and publishes extensively on computer security issues.
  • Chengdu Military Region Second TRB (78020 Unit) in Kunming.  Identified as a cyber actor, its academic work focused almost exclusively on computer security issues.
  • Lanzhou Military Region First TRB (68002 Unit) in Lanzhou.  There were 20 personnel at this unit identified as authors on cyber topics.
  • Lanzhou Military Region Second TRB (69010 Unit) in Urumqi.  Facilities for possible cyber operations have been built at a base separate from SIGINT operations.
  • Chengdu Military Region First TRB (78006 Unit) in Chengdu.  Addresses for authors of computer articles correspond to a Headquarters base separate from SIGINT operations.

     The paper may be downloaded here. "China's Military Cyber Force: PLA Third Department and its Technical Reconnaissance Bureaus"

    As a precaution, I've implemented a 24 hour delay between sign-up and paper delivery to allow verification of the request and user. 

Saturday, August 19, 2017

Ridiculously Simple - Wapack Labs CTAC fully integrated with ThreatQ

I haven't blogged as much as I normally do this summer. The kids are getting older and vacations and… well… at any rate, it doesn't mean work stops, nor does it mean that we stop pushing to make it ridiculously simple for users at any level access intelligence needed in their SOC, in their risk programs, or as we're starting to find, even the physical security guys are reading our stuff.

Last year we worked hard to get data into a foundational tool that could be used to serve our data up to any number of different applications. Unfortunately for a number of reasons, we didn't get it done, but late last year after a few organizational shifts we went live in a VERY alpha state in January, followed by an MVP launch in March, and now, I'm happy to say, we're seeing new products and applications come alive, bolting on themselves to us.

Our 2013's Threat Recon(R) was our first real push into serving up data (IOCs) through an API.  It remains a popular, Wapack Labs low cost API. Today in 2017,  I'm happy to say, our Cyber Threat Analysis Center (CTAC for short) is online and rolling nicely. Now, users can access more than just our Threat Recon(R) data. They can also search, manipulate and download nearly every collection acquired by the team. CTAC serves up not only Threat Recon(R) data, but also key logger outputs and sinkholes; 'bin' scrapes, early warning, and more.

As a result? Greater interest in accessing and integrating our data into their analytics and tools. One that we were really happy to see was ThreatQ.

Why do I say 'ridiculously simple'? ThreatQ has completely integrated our stuff to the point where an analyst only has to point at our reporting, ingest it into ThreatQ, and after a very simple process of letting the machine do its thing, the data is parsed, correlated against other ThreatQ sources, evaluated, prioritized, and even recommends action.

Mike Clark is an old friend. He and I were early guys in the Honeynet Project together years ago. Mike headed up development on the ThreatQ side. Mike, as always was a pleasure to work with. He worked closely with our team and within a couple of weeks we were integrated and running.

We've integrated with others. You can pull data from Threat Recon(R) from ThreatConnect, and limited data from Anomali, but ThreatQ really did it right. You get not only the indicators but the full range of collections, analysis, and human analyzed outputs in one pane of glass.

If you'd like to read more about the integration, or get more information on ThreatQ, one example of the integration is shown on Mike's ThreatQ blog.

If you'd like more information on Red Sky Alliance, our CTAC, shoot us a note. We're here to help.

Until next time,
Have a great week!

Saturday, July 22, 2017

The Camera Adds 20 Pounds!

Yesterday, WMUR, Manchester, NH's local ABC affiliate, released a three minute news piece on Wapack Labs.  As many of you who've done one of these television pieces know, they come on site and tape for three and a half hours and cut that down into a three minute piece. There's a ton of material that ends up being left on the cutting room floor. 

We were interviewed on the heals of Wannacry, and the WMUR folks, recognizing that NH is made up primarily of small companies, wanted to do the piece. 

During the morning of Wannacry, I'd been at three small local companies —all who'd been directly effected by the ransomware. In one, a florist, I'd spent 45 minutes waiting for an arrangement to be made up for my mothers 'celebration of life'.  While I waited and watched the floral designer piece the arrangement together, I chatted with the owner, who when she found out what I did, immediately told me that she'd lost her entire accounting, inventory, and customer list because the one computer used to run the business had been hit.  She had an IT consultant who was managing the systems, but the backups used to attempt the restore didn't work and they were forced to either pay, or reconsitute the drive through piecemeal backups and manual reentry, or, pay the ransom. 

Here's the math… 

  • Pay $300 in ransom and get the key to simply unlock the system (and then go fire the IT consultant).
  • Or spend days (more?) rebuilding the companies administrative operations. 

The company probably does $2 million per year in revenue; I'm guessing —it's a nice place and they're always hopping. At $2 mil per year, they generate approximately $5495 per day, and my bet is they make about 20% profit on that day — $1100 — after they pay their inventory (flowers come in daily), labor, etc. 

As the business owner, what would you do? 

As a security pro, what would you recommend? 

I recommended paying the ransom, then firing the IT consultant (I recommended a good one —a partner we've used in the past —Ezentria in Nashua), instructing the new IT consultant to build the system new and up to date, and getting back to business. 

DHS recommended (publicly, and spread by every news outlet out there) to NOT pay the ransom. Why? Because they take their outside council from larger companies who had full, clean backups and disaster recovery plans. Guess what? They don't need to pay the ransom. They were prepared and had a plan. 

In 2012, according to U.S. Census Bureau data, there were 5.73 million employer firms in the US. 99.7% of them had fewer than 500 employees. 89.6% had less than 20 workers. Add in the number of nonemployer businesses (solo practitioners) – there were 23.0 million in 2013 – and the number of US businesses with less than 20 workers increases to 97.9 percent

97.9% of companies are small businesses with less than 20 employees!  How many of them were consulted when DHS recommended that they not pay the ransom? Out of those, how many were prepared for a business critical ransomware attack? Not the ones we talked to that day. This florist could resort back to catalogs and the internet —and she did, but what about others who were stopped dead in their tracks? 

Look, there're a million ways to skin this cat, but common sense tells me that the DHS guidance doesn't apply to every company, and when a florist tells me that the government recommends she not pay the ransom (and take the $1100 per day hit to her bottom line), my stomach hurts and my face contorts. I can't help it. It's my natural reaction to stupidity. 

My point is, government paints with a very wide brush  from taxes to gun control to health care to cyber guidance. And for those companies who had strong Information Security teams who had kept the systems up to date, and had a good disaster recovery process, well, they weren't affected. For this who didn't, they were. And if that company didn't have backups, or a way to reconstitute data, and the system were business critical, what would be the right answer? What happens in this case, where Wannacry stopped business?

That day, the morning of Wannacry, we put up a website where we allowed users to contact us for help for free. Some told us they were fine but wanted to know what to do for next time. Others had questions on their current state. We answered what we could and sent others a referral to Ezentria.

We thought WMUR did a terrific job on this. And thank you to Ezentria for handling any calls that we pushed their way. 

Until next time,
Have a great weekend!

Saturday, July 15, 2017

China’s Intelligence Networks in United States Include 25,000 Spies

Beijing's spy networks in the United States include up to 25,000 Chinese intelligence officers and more than 15,000 recruited agents who have stepped up offensive spying activities since 2012, according to a Chinese dissident with close ties to Beijing's military and intelligence establishment. This, in a piece where Bill Gertz, a long time Washington Times reporter and now writing for the Washington Free Beacon, interviews a Chinese dissident who reveals up to 18,000 Americans recruited as Chinese agents.

Without questioning Guo's motivations, the priority list that's played out in the last few years —in action, appears to be directly inline with what Guo talks about in his statements, and the aggressive positioning undertaken in their recent reorganization. We can't speak to the human rights abused claimed in the piece, for example "Chinese intelligence officers sent to the United States are controlled by the MSS by keeping all their family members and relatives hostage"  but according to Guo:

  • China's intelligence targets included several strategic areas of the United States.
  • "The first is to obtain military weapons-related technology. This is priority No. 1," Guo said.
  • Second, Chinese intelligence is engaged in "buying" senior U.S. officials personally, 
  • and a third objective is buying family members of American political or business elites "with a view to getting intelligence and to make big business deals in China's favor," he said.
  • A fourth priority is penetrating the American internet system and critical infrastructure by implanting malicious software.
  • "And they have successfully penetrated all the major defense weapons suppliers of the U.S. government," Guo said, adding that "the scale of their operations is mind boggling."
Guo said Ma, the MSS vice minister, told him that a major shift by the Chinese was expanding the scope of agent recruitment from Asians to mainstream ethnic groups.
"This is where the biggest danger lies," he said. "It's clear the situation is getting more and more dangerous now. The United States has the best weapons in its arsenal, such as laser weapons, etc. Yet, the Chinese spy system has penetrated into the bloodstream of American defense establishment with their viruses and everything else."
"The United States is bleeding and is unaware that sooner or later the United States will run out of blood," Guo said.
Also, the United States is overly reliant on technical spying while China has an asymmetrical advantage in using its tens of thousands of human spies.

On June 26th, Wapack Labs published a top down report on the Chinese reorganization of their new cyber structure. The report summarizes Wapack Labs research conducted on the PLA Third Department, suspected of being the primary military cyber force for China.  The research was conducted entirely on open sources available on the Chinese Internet, plus unclassified satellite imagery.  The report is unclassified but sensitive in that it reveals more about Chinese cyber-related military facilities than has been published in the past.  This is a compilation of recent Wapack Labs reporting separately on each of these Third Department entities.  If you'd like a copy of the report, register, and we'll send you one.

Monday, June 26, 2017

VIDEO: Integrated with ThreatQ with raw collection data (CORRECTED COPY)

Sorry folks. I realized I mixed up the link to the video. Let's try this again.


A few months ago, a good friend told me that he really loves the quality of our reporting, but that we really needed to figure out out to get it into systems.  I've been wanting to see this happen for the last coupe of years, but we've finally, completely integrated into ThreatQ.

Why'd it take so long? We needed our own APIs to allow ThreatQ to be able to pull, and now with CTAC online, the ability to integrate becomes much easier.

So rather than write an entire blog, and hope you read it, I've put up a video of Micheal Clark at our last Threat Day, where he walks users through pulling Wapack Labs intelligence into ThreatQ.



Saturday, June 17, 2017

Risk Management, Compliance, Resilience. What's old is new again!

Three times this week a user or potential customer told me I'm not looking for more intelligence. I'm looking for compliance, risk management, resiliency.

Imagine that! Those are the three things that that we talk about most… well, may be not resiliency. Your failover is something completely out of my control, but for over 20 years I've had a copy of ISACA's Enterprise Risk Management framework documents either on, or very close to my desk. I'm a long time user of SEI'S OCTAVE Risk Modeling system —even though it's morphed, it's easy to explain, use, and train a team to implement. And compliance? That's pretty easy. If I see massive amounts of lost PII, intellectual property or outbound activities touching our sinkholes, it's pretty easy to know who's in compliance and who's not.  I don't see the systems, but I definitely see the outputs.

I have to laugh. I consider myself an expert in risk management. I have an MBA with a focus in risk, and have built and implemented risk models at some of the best companies, on three different occasions.

I've been interested in, and preaching risk management since 1998, first using OCTAVE as a Navy Officer, implementing risk management into Navy Networks through a visiting scientist partnership with SEI. This work lead into processes for building SiLK models (Suresh L Konda's network flow engine —a CMU PhD and good friend) —now Centaur and Einstein.

Later, after leaving the Navy and working for Cisco (2001-2005) I built a team and implemented hybrid OCTAVE, COSO, and ISO models to build risk processes. This hybrid model was used to evaluate M&A prospects, third party partners and suppliers, and remote offices. We used these models in dozens of locations and organizations in as many countries around the world. Risk is a common language transcending country borders.

At Northrop Grumman (2005-2008), I built on these processes using ISACA's early Enterprise Risk Management framework —a larger view designed to integrate IT Risk into larger organizational risk models —financial, operational, etc. We used it to evaluate (again) M&A candidates, third party partners and suppliers and remote offices. And when it came time to chase out bad guys, we already knew the issues with the infrastructure in which we were operating. This product evolved into full-out, large scale risk management and identification run by my second team hire.

Yep. This stuff works.

But guess what all three of these have in common?

Every one requires a deep understanding of external threats —to operations, to finance, and to IT. That information is called intelligence, and it's a linch-pin component of every risk management process. No matter which one you choose, they all require external inputs to understand and prioritize the threat, the strategy, and the spend that will go into mitigating, minimizing, transferring (through insurance), or accepting the risks identified.

Without intelligence, you can't have risk management, and therefore can not have either compliance or resilience. Intelligence is foundational.  And if you're relying on intelligence that comes in that sexy little silver UTM (we use one too!), you're missing the boat. Are you going to show your boss the UTM logs when you need budget for next year's threats? Probably not.

You need to think strategically, and that requires good intelligence —the story behind the threat, the motivation of the bad guys chasing you, maybe a picture of one or two of those guys, and an understanding of how they'll affect your business --not just a feed of IOCS.

An as is always the theme of my blog… we're here to help.

Wapack Labs Cyber Threat Analysis Center is a great way for companies of any size to be constantly aware of threats you face.  Whether it's monitoring threats to key personnel, stolen credentials, sinkhole analysis, or sentiment analysis, CTAC makes it easy to monitor your daily and ongoing threat picture. Look at five years worth of data and extrapolate that out into longer term planning. Request a deep dive on your company and use that in planning futures. We've published on everything from stolen credit cards to North Korean Nuclear and EMP options. We've covered Ukrainian | Russian geopolitical risk monitoring for our companies who do work in the area, and published lists and mitigations for cyber tools being hoarded by Iranian hackers during last year's nuclear talks. We publish indicators with confidence ratings, key logger dumps (not TOR captures with high false positives), and probably have one of the largest sinkhole collections going.

Risk Management, Compliance, Resilience. As you think through these processes and need to figure out who to call for intelligence inputs, call us first.

Want a demo? Drop us a note. We're hear to help.

Saturday, June 03, 2017

Wannacry —I know, it's getting old already right? Read this...

On 02 Jun 2017 Wapack Labs obtained several sinkholes associated with the Virut botnet and were able to confirm that the botnet is being used to deliver the Wannacry ransomware.  Because the botnet owners are paid by the number of installs, Wannacry is now being deployed globally, and fast. Wapack Labs has reason to believe that Wannacry is now affecting banks and ATM machines, are specifically infecting companies in the Middle East and Northern Africa region.

Why should you care? Virut has been around since at least 2006, and although suffering a 2013 takedown by the Polska CERT, has resurfaced and remains one of the most prevalent distribution networks for spam, phishing, malware, etc… and now, ransomeware. Wannacry is now being spread far and wide, and if you've not installed the patch, there's a high probability that you're about to learn a hard lesson in network hygiene. 

And so for now, this ends our public service announcement. 

As an aside, and a bit of a science experiment, we're experimenting with some rudimentary artificial intelligence and publishing capabilities. One, is one of the earliest and simplest forms. We've loaded a public (and gratis) version of MediaWiki in an effort to encourage massive crowdsourcing. We call it Wapackapedia(R)Yes, there are LOADS of issues with sharing information like this; it's definitely a Bambi but in cases like this, where hundreds of thousands more computers are now carrying dormant versions of Wannacry, my science experiment goes like this… Get the damn word out!

Here's the link:  https://wapackapedia.wapacklabs.com/Wannacry

I also published two other pages.. mostly with computer generated work but one page has some new and interesting stuff on Lazarus (North Korean APT).

Here's that link:  https://wapackapedia.wapacklabs.com/Lazarus

I'm looking for maximum crowdsourcing. You guys know me enough.. I believe in machine to machine interfacing but my belief is that real value comes from human communication first, then distilled into machine readable stuff.  Of course, any victim information is not posted here. As always, we prefer to not out victims publicly —they've been victimized once already. For that, we've built out private locations behind our Red Sky curtain where we notify our members.

As always, if you'd like to know more, reach out. Jim's the new President and will be happy to set you up with a demo. He can be reached at jmckee@wapacklabs.com.