Operation Starlight: The Chinese PLA Assault on RSA and the undermining of the Authentication Control Supply Chain

February 4, 2012


An exploration into the potential power of collaborative, mission-focused APT research groups

This post will be one of several that will reveal the origins of the investigation, research, and analysis group effort behind what has been revealed as Operation Starlight.

BACKGROUND

The formation, vision, and strategy behind Starlight was a direct result of the compromise and Intellectual Property data theft of vital technical information from RSA that forms the underpinnings of Authentication Frameworks used in thousands of companies and Government organizations worldwide.

2-factor authentication (something you have TOKEN, something you know PIN/PASSWORD) attempts to increase the attackers work effort when they want to exploit access controls in order to compromise protected data.  This data can be in the form of content portals, or even access to entire Internal sensitive networks.

When the RSA intrusion was first revealed in the press, it shell-shocked the industry.  There was very little information in the public about the event.  Many industry experts simply fed off the news cycle, made predictions, or speculated.  The incredible thing however is the silence from the experts who should have had the most intelligence and data to share, research and discuss.  The lack of knowledge behind what malware was used, what IP/DNS infrastructure was leveraged, who else was attacked, who was doing the attacking, what where they targeting, and what tactics, techniques, and procedures were used to facilitate the attack were all lacking.  Many companies and individuals wanted the information to better protect their own networks, however where found to be lacking useful information to detect the same threat.

It was later revealed that the attack was a success, and the key intellectual property was obtained to engineer a technical circumvention / spoofing of a users authentication session when using a 2-factor method with the RSA Token.  A wave of attacks against defense contractors in the Defense Industrial Base followed shortly after the RSA compromise confirming the mission of the Threat Groups.

Meet the other guy, across the pond, using his Shell, all up in your BASE, nomming on your data.

Antivirus and other security companies have incredible resources and sensor networks at their disposal providing a wealth of threat intelligence for those that seek to do the research, connect the dots and tell a story.   Sadly however many times that data goes undiscovered or unused, buried under a ton of other data, devoid of operational context which is so important these days when researching threats.

It is critical that you know what you are dealing with when handling a threat in your organization.  Is Nation-State espionage?  Is it CyberCrime?  Is it Hackivism, or simply a curious teenager.  If companies have not yet realized, the most potent threat to their long term survival is an estimated 15-30 voracious Chinese based Threat Groups that have been systematically and successfully pillaging America and its Allies systems and Intellectual Property since at least 2003.

Some of these groups are direct components of China’s Military and Intelligence Organizations. Others are Chinese contractors or affiliates.  For those not familiar with the Chinese Government, it is tightly and intimately interwoven within the entire society.  In many cases it is hard to discern were Government influence ends and “Private” control begins.  However there is no doubt when it comes to the operational unit of a military branch where the orders come from.  The Chinese National Policy and Strategy is to use its technical capabilities in Computer Network Exploitation, to attack, infiltrate, and steal any and all data that meets its intelligence tasking requirements for obtaining information related to is Military Modernization and Economic Growth objectives.

Over the past year, Government officials active and retired, congressmen, and security researchers have come out explicitly linking and declaring this to be the case.  They should know.  There is YEARS of evidentiary data linking this activity to exact groups and individuals behind these activities.  The old tired adages of how ATTRIBUTION is too hard of a problem, and how its impossible to track the source of an attack are a RED HERRING in this industry.  Do not believe it for a second.  If your told that you are being lied to.  The abilities of Nation States to conduct Multi-INT intelligence analysis on threats is unparalleled.  This intelligence supports the missions of Counter-Intelligence, Law Enforcement, and provides data for Strategy and National Leadership Decision Making.

Future postings here will reveal many of the lessons learned through this experience.

It is my hope that it inspires the community of security experts, investigators, forensic professionals, incident responders, and malware analysts to recognize clearly that there is a dire need to come together as one to share their threat data, become educated on the specific technical threats and the groups behind them, and operate as a single unified entity in confronting the single most damaging threat to our future, described as “the greatest transfer of wealth through theft and piracy in the history of the world and we are on the losing end of it.”

I will conclude this post with the original email that I posted to a private research list, in which I issued a community call for action, a Paul Revere’s ride if you will.

Many highly intelligent and dedicated people across many industries and sectors heeded the call, and signed up for the effort.  They all did not seek glory or recognition for their efforts.  They recognized the vital need for a deeply collaborative effort that was mission focused with the goal of centralizing the collective APT knowledge each group member could muster for the aggregate benefit of all.  The process by which members where invited into the organization was based on a Trust Model that many other groups use as a basis for membership.

The group formed a pact of anonymity with regards to their identities and affiliations.   They produced excellent work, in-depth technical research, and collaborated continuously and richly to the effort and mission.  This privacy will be honored in this and future postings.  Their contributions and dedication to the group made Operation Starlight a successful model for future collaborative efforts challenged with APT research.

Future postings will cover:

  • The dynamics of group formation
  • The challenges of cyber intelligence sharing
  • Targeting the right expertise for inclusion
  • Contribution of resources to the effort
  • Communication and content sharing mechanisms
  • The data that kicked the RSA investigation into high gear
  • The 3 Groups that attacked RSA and their malware / methods
  • Dealing with Press Inquiries
  • The challenges of dealing with Attribution Research
  • APT Malware Analysis and forensic artifacts
  • Timelining Zero Day Exploit Research in Embedded Attacks tied to China
  • Spearfish attack research and Shellcode Analysis
  • Network intelligence, DNS monitoring
  • Scaling and analysis issues with regard to information overload
  • Information organization
  • Threat Group enumeration and categorization
  • CyberWeapon attribution and naming challenges
  • Historical Threat Group campaigns
  • Victim Identification and Intelligence
  • Decoder development
  • Operational Monitoring
  • Disruption Operations
  • Novel and GroundBreaking Game Changing Strategies
  • Lessons in Crisis Management
  • Victim Notification and LE interactions
  • CyberThreat Overclassification
  • The Profit/Patriotism Conundrum and Ambulance Chasing
  • Big Data Mining
  • Smear Campaigns and Information Operations
  • and many other interesting topics

I hope you will enjoy my sharing of experiences and wish that it may inspire you to think differently about things with regard to APT research and how you can make a difference.  There is now a ton of open intelligence that any enterprising researcher can leverage to peel back the onion, connect the dots, and the come the definitive conclusion that our networks our undefendable, there is a desperate need for gamechanging strategies, and our Government is to constrained by policy and political will to do anything about the issue with regards to China until it is too late.

The communication and application of punitive severe consequences in the form of Economic, Trade, Financial pain combined with a massive tactical offensive cyber counter-attack on all CN APT CNE infrastructure, actors, and resources is partially what is needed to show that we mean business. Developing cadres of patrotic cyber warriors in the private sector operation under letters of Cyber Marque combined with the declaration of a Cyber Monroe Declaration also show promise.  This should be preferably done in close collaboration with our Allied friends that recognize that they too are under the same threats and have the will to do something about it.  If not, we might as well concede, and step back from our positions as the leaders of the free world.  I hope the Communist Party of China treats you kindly.

Burying your heads in the sand and denying it will not make the data leaving your networks slow down anytime soon.  We are talking a good talk now, however the pace and scale of ongoing attacks  speaks volumes about our efforts to roll back the threat or even demonstrate an effective deterrence.

The email that started it all. (Click image to view entire email)

We had better collectively get in gear on this.  Someday lives will be on the line and we will be looking down the barrel of our own innovation and weapons…

2 Responses to “Operation Starlight: The Chinese PLA Assault on RSA and the undermining of the Authentication Control Supply Chain”

  1. 0xdabbad00 said

    Glad to see you’re active again. Always a pleasure to read.

  2. Zhude81 said

    “meet the other guy” image too bad but not。 Any time u find a picture of the Han in uniform it is the villan in the current cyber opera。The gents in the pic happen to be SRF missile techs and ground security forces using the MWR facilities’ cyber cafe at the 2nd Artty base in Xi’an。Far cry from cyber units, but hey they all look the same。

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: