Saturday, March 26, 2016

Iraq's new drone in action..

Iraq's new drone, the Chinese C-4 drew first blood against ISIS, according to an article in Popular Science. And this made me think back... for how many years did we chase Chinese espionage from networks where these things were built? And while I have no idea what the guts of these birds look like, they certainly look similar on the outside.

Iraq's new C4, Optics retracted to reduce drag during flight

The report discussed general trends, but relating to this morning's blog was the idea that UAVs were near the top of the targeting list... and they had been for five years. So based on that thinking, 2004-2009 were peak UAV harvesting years, at a time when only the US had them.   

In a previous post, I reported that a US bird (at the time) was selling for $3.2 mil, while the Chinese version was selling for ~$800,000 (USD). And now, just a few years later, we're seeing the results of that espionage activity in the air, flying against ISIS. Good for the Iraqi's! Bad for us. 

And then I think about the idea that it seems like only yesterday when UAVs (unmanned arial vehicles) were high in the target for Chinese acquisitions. In fact, in 2010, the Defense Security Service reported in an unclassified report:

"East Asia and the Pacific region were hosts to the highest number of intelligence collection attempts. “For the fifth year in a row, reporting with an East Asia and Pacific nexus far exceeded those from any other region suggesting a continuing, concerted, and growing effort to exploit contacts within United States industry for competitive, economic, and military advantage,” the report states."

We've experienced massive cyber thefts from our R&D EDUs, R&D centers, and OEMs. In the early days, the idea that new technology was obtained through cyber means was shocking. Today, not so much. The targeting of UASs (Unmanned Aerial Systems --the updated term for UAVs) today means stealing IP that allows for refined controls of the previously stolen systems --how can they be made better --navigation, targeting, optics. Regardless if for military or economic gain, the simple idea that these birds sell for a quarter of the price of our own and the skies will soon be full of them means jobs lost --and not just in the US, but also in the international supply chain. 


As always, a busy week. Two new fusion reports were posted to the Red Sky portal. We've been using a new format with all of our new published reports. Members have had problems navigating the number of reports in our socially driven site. The engine isn't machine to machine, rather focusing on the human interaction. So to assist with some of the confusion, we've begun adding snapshot views to each of our products, as well as a cross reference of our previous reporting (links inside Red Sky - redacted for this post) and a link to our indicator database (open to all) where users can download indicators (

Our latest report focuses on Locky:
Executive Summary
In February 2016, the Dridex botnet was observed distributing a new ransomware variant named Locky. Since then, a number of Locky macros and downloaders have been leveraged to distribute the ransomware. This report describes recently observed Javascript Locky downloader that appeared in early March. Similar to Dridex, the delivery infrastructure consists of compromised bots, which send the malicious emails, as well as compromised websites that host the Locky payload.

This report includes technical details and mitigations on this Locky downloader variant and related infrastructure. Mitigations are offered at the end of this report.

Publication date: 24 March 2016; information cutoff date: 18 March 2016

Handling requirements: Traffic light protocol (TLP) AMBER. Recipients may only share TLP: AMBER information with members of their own organization on a “need-to-know” basis and only as widely as necessary to act on that information.

Attribution/Threat Actors: The Locky Javascript Downloader variant is a part of the Dridex/Locky botnet.

Actor Type: Adversary capabilities have been assessed as Tier IIPractitioners with a greater depth of experience, with the ability to develop their own tools (from publically known vulnerabilities).

As well, this time of year is always busy for us. We've offered membership to one more organization, and have proposals out with three others. Interactions in the portal seemed to have slowed a bit this spring, but we continue to populate it with intelligence, reports, commentary/analysis and actionable data.  Even with the slowdown, we still see over 36% returns month over month, so I'm not complaining. 

What's coming? 
  • We're planning our first Cyber Symposium with a partner in Huntsville, AL.  Wapack Labs and H2L Solutions -a DFAR assessment company performing NIST 800-171 assessments in the area will be hosting a Cyber Symposium for local companies on June 7th. 
  • Two weeks later, we're doing our pre-summer quarterly Red Sky Alliance Threat Day at a member location in Stamford, CT.

It's busy. We like it this way.

The blog is getting long, so I'm going to take advantage of the sun up here in New England. 
Until next time,
Have a great weekend!

Post a Comment