Saturday, August 26, 2017

What's the thinking on the USS John F McCain? Directed Energy?

During the Presidential primaries, we authored an intelligence assessment regarding the North Korean potential for an Electromagnetic Pulse (EMP) weapon floated over a US city and detonated, leaving electronics for miles around on their death beds. Last week we published a piece on GPS spoofing in the Black Sea, showing three ships whose GPS-reported position, at an inland Russian airport, was nearly 25 miles from where they actually were. And tonight I'm seeing a number of YouTube videos talking about directed energy weapons (DEW) having been used (speculation, of course) against the John F. McCain. The video shown below is one of many now speculating on the idea that a DEW may have been used against the JFMc.


Regardless of your thinking on this (I happen to believe that human error could not have caused this crash), the idea that an EMP or DEW may have been employed in this incident should not be that far-fetched.

You see, (ahem) years ago, we had this thing called TEMPEST. TEMPEST was essentially the hardening of computing gear by wrapping it in grounded shielding, sealing seams with braided wire, and ensuring that all of our communications gear was protected from both eavesdropping and external interference. Just hours before the McCain collision, we reported on GPS spoofing by someone in Russia against three ships in the Black Sea, showing their position nearly 25 miles off, inland at an airport. This report of course caused my phone to explode. Reporters everywhere wanted to know if I thought this could have been the cause of the collisions of both the Fitzgerald and the McCain. I have no idea, but it's not out of the realm of possibility that someone on shore could have broadcast a GPS signal stronger than that of the birds, causing the onboard systems (either on the warships or on the commercial vessels) to lock onto it rather than the satellites, much like your laptop associating with a stronger wireless access point when you're sitting in a coffee shop. Once the shipboard receivers had locked onto the false signal, they would show the ships on very different courses than originally thought.
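As an added example (not from the original post or from Wapack Labs), here is a dead-reckoning plausibility check that a shipboard or shore-side monitoring system could run over a GPS track to catch the symptom described above: a reported position that jumps farther than the vessel could physically have travelled since the last fix. The track coordinates and the 30-knot speed ceiling are constructed assumptions, not data from the Black Sea incident.

```python
# Added example: flag GPS fixes whose implied speed from the previous fix is impossible
# for a surface vessel. A receiver that has locked onto a spoofed signal typically shows
# a position tens of miles from the last good fix within seconds, which this catches.
# All fixes below are constructed sample data, not real AIS/GPS records.
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass
class Fix:
    t: float    # seconds since start of track
    lat: float  # degrees, positive north
    lon: float  # degrees, positive east


def haversine_nm(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in nautical miles."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(h))


def suspicious_fixes(track, max_speed_kn=30.0):
    """Return indexes of fixes whose implied speed from the previous fix exceeds
    max_speed_kn (an assumed hull-speed ceiling). A non-increasing timestamp is
    flagged as well, since a clock that runs backwards is just as implausible."""
    flagged = []
    for i in range(1, len(track)):
        prev, cur = track[i - 1], track[i]
        dt_hours = (cur.t - prev.t) / 3600.0
        if dt_hours <= 0:
            flagged.append(i)
            continue
        if haversine_nm(prev, cur) / dt_hours > max_speed_kn:
            flagged.append(i)
    return flagged


# Constructed track: a ship making roughly 13 knots, then a fix that jumps
# about 22 nautical miles in ten seconds (the spoofing signature), then back.
SAMPLE_TRACK = [
    Fix(0, 44.600, 37.800),
    Fix(10, 44.6005, 37.8005),
    Fix(20, 44.900, 37.500),
    Fix(30, 44.601, 37.801),
]

if __name__ == "__main__":
    print(suspicious_fixes(SAMPLE_TRACK))  # [2, 3]
```

In practice the same check runs against the ship's own log or gyro-derived dead reckoning rather than the previous GPS fix alone, so that a slow, gradual drift is caught as well as a sudden jump.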

I'm not saying it happened, but it isn't crazy either. A DEW (directed energy weapon) attack is similar, except the attacker doesn't care about modifying GPS; their goal is to scramble or block the electronics, leaving scopes unreliable.

So, is this a cyber attack? What's the thinking? We think it is, but not from the network. In this case, assuming a DEW was employed, it could easily overwhelm non-TEMPEST bridge instruments. I'm not much into speculation, but damn.

Why do we care? 

First, we lost lives on two ships. Second, about 20 years ago I gave a talk at a SANS conference where I retold a story that had appeared in a WSJ article. It goes like this: a nondescript van drives through the financial district in NYC, and as it passes, computer monitors flicker and die and electronics mysteriously fall offline. I told the story, coupled with (slightly fictionalized) accounts of incidents I'd worked, both as one of the first Internet Storm Center (then called the GIAC) watch standers, and from my work in the Navy. I was given poor reviews, with one calling me out as a snake oil salesman. Until a few years ago, I gave that exact talk at the Navy War College for Admiral Hogg's Strategic Studies Group.

DEW and EMP are a threat to cyber, and the world knows how much we rely on it.

If your cyber threat intelligence shop isn't considering the likelihood and impact of these external threats, if you're not thinking about how you might deal with a catastrophic electronic event caused by more than just skids, hacktivists, or APT, and if you're not thinking about risk and resilience for a larger-scale attack, you might be missing something in your enterprise risk management plan.

If you'd like to read our assessments, call me or join our Read Board community.

For now, I'm off. 

Have a great weekend.
Jeff


Tuesday, August 22, 2017

An analysis of China's Military Cyber Force: PLA Third Department and its Technical Reconnaissance Bureaus

We recently published a detailed but unclassified paper entitled "China's Military Cyber Force: PLA Third Department and its Technical Reconnaissance Bureaus". The paper is being provided at no charge.

EXECUTIVE SUMMARY

Several elements of China’s People’s Liberation Army (PLA) General Staff Third Department have been identified by Western analysts as involved in cyber intrusions into U.S. and other foreign networks. These include the Second and Twelfth Bureaus of the Third Department, also known as the 61398 Unit and 61486 Unit respectively, which have been profiled by Mandiant and CrowdStrike. The Third Department’s Technical Reconnaissance Bureaus (TRBs) are also suspected of involvement in cyber operations. The Chengdu Second TRB (78020 Unit) was identified by ThreatConnect/DGI in 2015 as also conducting intrusions.

Based on this information, Wapack Labs conducted research on other Third Department elements to determine their possible involvement in this cyber operations mission for China. Third Department units were profiled based on their published academic work, which revealed a subset of elements whose research was predominantly on cyber issues rather than SIGINT-related topics. The elements identified were:

  • Third Department Computer Center (61539 Unit) in Beijing. This center has a network security research mission and publishes extensively on computer security issues.
  • Chengdu Military Region Second TRB (78020 Unit) in Kunming. Identified as a cyber actor, its academic work focused almost exclusively on computer security issues.
  • Lanzhou Military Region First TRB (68002 Unit) in Lanzhou. Twenty personnel at this unit were identified as authors on cyber topics.
  • Lanzhou Military Region Second TRB (69010 Unit) in Urumqi. Facilities for possible cyber operations have been built at a base separate from SIGINT operations.
  • Chengdu Military Region First TRB (78006 Unit) in Chengdu. Addresses for authors of computer articles correspond to a headquarters base separate from SIGINT operations.

The paper may be downloaded here: "China's Military Cyber Force: PLA Third Department and its Technical Reconnaissance Bureaus"

As a precaution, I've implemented a 24-hour delay between sign-up and paper delivery to allow verification of the request and the user.