U.S. weapons system designs compromised by Chinese cyberspies

May 28, 2013

It is being widely reported in the press that Chinese cyberspies have stolen designs of many leading edge U.S. weapons systems.

[Image: F-35 Lightning II Joint Strike Fighter]

The Washington Post lists the stolen technology:

The designs included those for the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system.

Also identified in the report are vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship, which is designed to patrol waters close to shore.

Also on the list is the most expensive weapons system ever built — the F-35 Joint Strike Fighter, which is on track to cost about $1.4 trillion.

Press reports do not tell us how the Chinese were able to obtain these secrets. We know from reports such as Mandiant's APT1 report that the Chinese are experts at infiltrating systems using spearphishing emails. John Pescatore, director of emerging security trends at the SANS Institute, has observed:

It’s not that the Chinese have some unbeatable way of breaking into a network. What is innovative is their targeting.

At Iconix, our goal is to make this threat vector less effective. Spearphishers deceive employees into making bad email decisions that compromise security. IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3, or use our online form.


India’s Cyberattack Infrastructure

May 24, 2013

In a detective story worthy of Sherlock Holmes, Norman has uncovered the cyberattack infrastructure that India appears to be using to spy on systems in Pakistan and elsewhere. Anyone interested in a real-life IT detective story should read Unveiling an Indian Cyber attack Infrastructure.

On March 17, 2013, the Norwegian press reported that Telenor, the Norwegian telecommunications company, had filed a complaint with the Norwegian police about suspected unlawful intrusion into Telenor’s computer network.  The intrusion appeared to have been accomplished using — you guessed it — spearphishing.  Another example of the triumph of social engineering over technical defenses.

As Norman conducted their investigation they discovered that the attackers had done a very good job of covering their tracks. But, as in any good detective story, not a perfect job. The break in the case came when Norman accidentally discovered that the attackers had left behind Command and Control servers which contained readable folders. These folders contained connection logs, keylogs and data uploaded from compromised systems. The folders also contained malicious code. Some of this code was digitally signed. These clues led to the discovery of a network of IT resources used in the attacks. Using this data, Norman was able to create a domain map of the attack infrastructure.

Norman’s efforts also uncovered decoy documents that were used as bait in the spearphishing emails. Norman observed:

… the attackers have gone to great lengths to make the social engineering aspect as credible and applicable as possible.

Norman’s report includes many samples of compelling bait.  While it is hard to pick just one, this is an example of the compelling materials that were used to lure victims:

[Image: decoy document]

In addition to highly relevant bait, the social engineering efforts included cleverly devised cousin domains clearly intended to deceive the recipient into believing the bait came from a trusted sender.
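One way IT can turn the trusted-sender idea into an automatic check against cousin domains like the ones Norman describes. This is an added example, not Iconix or Norman code; the trusted-domain list, the homoglyph table and the sample From headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed trusted-sender list, standing in for what an IT team would configure.
TRUSTED_DOMAINS = ("norman.com", "telenor.com")

# Digit-for-letter and letter-pair lookalikes often used in cousin domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold(domain: str) -> str:
    """Fold lookalike characters so 'te1enor.com' compares equal to 'telenor.com'."""
    d = domain.lower()
    for glyph, letter in HOMOGLYPHS.items():
        d = d.replace(glyph, letter)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch dropped or swapped characters like 'telnor.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'cousin' (a lookalike of a trusted domain) or 'unknown'."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    labels = re.split(r"[.-]", fold(domain))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # telenor.com.login-portal.net, te1enor.com: the brand appears as one label
        if brand in labels:
            return "cousin"
        # telnor.com: within two edits of the trusted domain
        if edit_distance(fold(domain), trusted) <= 2:
            return "cousin"
        # "Telenor Security" <alerts@freemail.example>: brand in the display name only
        if brand in display.lower():
            return "cousin"
    return "unknown"
```

Anything that comes back as "cousin" is exactly the mail a trusted-sender indicator should flag to the employee rather than let through as familiar.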

At Iconix, our goal is to make this threat vector less effective. Spearphishers deceive employees into making bad email decisions that compromise security. IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3, or use our online form.


Back From Vacation, China Renews Simple, But Effective, Cyberattacks

May 20, 2013

The New York Times is reporting that Unit 61398, the Chinese cyber-espionage unit that has stolen vast amounts of data from western governments and industry, has returned to its old tricks. Following the release of the Mandiant report in February 2013, the unit disappeared from the internet. However, they have now returned to the web, operating at 60% to 70% of the level at which they were working before Mandiant exposed them. Quoting Crowdstrike, the NYT reports that it is “business as usual” for the Chinese hackers.

Reporting on the same story, Computerworld observes that what Unit 61398 is doing is not technically sophisticated. And this is the real lesson to be learned from Unit 61398. The Chinese are not using advanced cybertechnology to infiltrate our systems and steal our secrets — they are using simple, but effective tools. Quoting John Pescatore, director of emerging security trends at the SANS Institute:

It’s not that the Chinese have some unbeatable way of breaking into a network. What is innovative is their targeting.

What is that targeting?  This diagram shows how it works:

[Diagram: apt-clear]

Simple, but effective.

At Iconix, our goal is to make this threat vector less effective. Spearphishers deceive employees into making bad email decisions that compromise security. IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3, or use our online form.


Magic Malware

May 17, 2013

In a recent blog posting, Seculert discussed a new malware threat which they have dubbed “Magic Malware.”

Magic Malware uses a proprietary communications protocol, which lets it evade detection software that monitors only standard communications protocols. Seculert observed:

This “magic malware” — as we’ve dubbed it — is active, persistent and had remained undetected on the targeted machines for the past 11 months. … The real intention of the attackers behind this magic malware … is yet to be known. As the malware is capable of setting up a backdoor, stealing information, and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities. But, because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack.

Magic Malware is yet another example of the evasion methods used by the developers of modern malware. Quoted in Infosecurity, Adrian Culley of Damballa observed:

The whole industry has thought for over twenty years that if your Anti-Virus/Firewall/IDS/IPS/DLP saw no problems then there were none – when in fact it turns out that while these defenses are all good, they are not good enough when it comes to APTs.

Magic Malware is corrupting systems all over the world.  Seculert provided this graph to show its distribution:

Seculert does not tell us how Magic Malware is introduced into the victims’ systems. Note the high concentration of Magic Malware in the UK.  Is Magic Malware related to the recent warnings from MI5 about state sponsored efforts to steal advanced British research in the areas of graphene, quantum photonics and advanced aerospace?  That we don’t know.  What we do know is that over 95% of state sponsored cyber espionage infiltrates systems using spearphishing.

Employees’ email decisions can compromise security. Cyber espionage exploits this fact.  IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3, or use our online form.


Malware – Why Prevention Is Crucial

May 11, 2013

In a recent Computerworld article entitled Security tools can’t keep hackers at bay, Jaikumar Vijayan writes about malware that struck the Schnucks supermarket chain. It took the experts from Mandiant two weeks to plug the security holes exploited by this malware.

Why was this malware so difficult to find and fix? Because the bad guys are using ever more sophisticated means to hide their evil work. The article quotes Avivah Litan, an analyst at Gartner:

Increasingly, attackers are resorting to techniques like hiding stolen data inside legitimate files and encrypting data to evade detection. They cloak their malware or hide it within seemingly innocuous files so that it’s very difficult to detect.  [Today’s] network and enterprise security tools are not smart enough to detect the hacking when it occurs and they might not even uncover such activity in a matter of hours or even days.

Companies need to be sure they are using the latest tools and techniques to uncover nefarious activities. However, they also need to take strong preventive measures. Prevention is crucial when one considers that, according to Verizon, 95% of state affiliated cyber-espionage is accomplished using spearphishing. In cyber-security, as elsewhere, an ounce of prevention is worth a pound of cure.

Employees’ email decisions can compromise security.  IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3, or use our online form.


Phishing – Favorite Tool of State Affiliated Espionage

May 3, 2013

Verizon recently released their 2013 Data Breach Investigations Report.

We encourage everyone who cares about network security to read the report. One statistic stands out from the rest:

[Graphic: Verizon 95%]

The bad guys need credentials to do their dirty work. The most effective way to get credentials is to steal them using spearphishing. At Iconix we are dedicated to offering a real solution to this problem. That solution is SP Guard.


Twitterverse’s Spearphishing Agony

May 3, 2013

The Twitter feeds of the BBC, the AP and the Guardian have all been compromised. This fake tweet from the real AP Twitter account:

[Image: fake tweet]

caused $140 billion in stock market losses.

In response to these events, Twitter issued a memo to the press in which Twitter gives various recommendations on how to deal with the spearphishing problem. While this memo gives sound advice, the recommendations do not address the core spearphishing problem.

What is the core spearphishing problem? Deception is the core spearphishing problem. In spearphishing, the bad guys send socially engineered emails which initiate a process which steals credentials.  The spearphisher’s job is to create an email which will deceive the intended victim.  This is the email that was used to steal the AP Twitter credentials:

[Image: fake AP email]

When the link in this seemingly benign email from a colleague was clicked, a series of events was initiated which resulted in the compromise of the Twitter credentials.

Employees’ email decisions can compromise security.  IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3, or use our online form.