An exploration into the potential power of collaborative, mission-focused APT research groups

This post will be one of several that will reveal the origins of the investigation, research, and analysis group effort behind what has been .


The formation, vision, and strategy behind Starlight was a direct result of the and Intellectual Property data theft of vital technical information from RSA that forms the underpinnings of Authentication Frameworks used in thousands of companies and Government organizations worldwide.

(something you have, something you know: PIN/PASSWORD) attempts to increase the attacker's work effort when they want to in order to compromise protected data.  This data can be in the form of content portals, or even access to entire internal sensitive networks.

When the was in the press, it shell-shocked the industry.  There was very little information in the public about the event.  Many industry experts simply fed off the news cycle, made predictions, or speculated.  The incredible thing, however, is the silence from the experts who should have had the most intelligence and data to share, research and discuss.  Knowledge of what malware was used, what IP/DNS infrastructure was leveraged, who else was attacked, who was doing the attacking, what they were targeting, and what tactics, techniques, and procedures were used to facilitate the attack was all lacking.  Many companies and individuals wanted the information to better protect their own networks, however they were found to be lacking useful information to detect the same threat.

It was later revealed that the attack was a success, and the key intellectual property was obtained to engineer a technical circumvention / spoofing of a user's authentication session when using a 2-factor method with the RSA Token.  A wave of attacks against in the Defense Industrial Base followed shortly after the RSA compromise, confirming the mission of the Threat Groups.

Meet the other guy, across the pond, using his Shell, all up in your BASE, nomming on your data.

Antivirus and other security companies have incredible resources and sensor networks at their disposal providing a wealth of threat intelligence for those that seek to do the research, connect the dots and tell a story.   Sadly however many times that data goes undiscovered or unused, buried under a ton of other data, devoid of operational context which is so important these days when researching threats.

It is critical that you know what you are dealing with when handling a threat in your organization.  Is it Nation-State espionage?  Is it CyberCrime?  Is it Hacktivism, or simply a curious teenager?  If companies have not yet realized, the most potent threat to their long-term survival is an estimated 15-30 voracious Chinese-based Threat Groups that have been systematically and successfully pillaging America's and its Allies' systems and Intellectual Property since at least 2003.

Some of these groups are direct components of . Others are Chinese contractors or affiliates.  For those not familiar with the Chinese Government, it is tightly and intimately interwoven within the entire society.  In many cases it is hard to discern where Government influence ends and “Private” control begins.  However there is no doubt, when it comes to the operational unit of a military branch, where the orders come from.  The is to use its technical capabilities in Computer Network Exploitation to , infiltrate, and steal any and all data that meets its intelligence tasking requirements for obtaining information related to its Military Modernization and Economic Growth objectives.

Over the past year, Government officials active and retired, congressmen, and security researchers have come out explicitly stating this to be the case.  They should know.  There are YEARS of linking this activity to exact groups and individuals behind these activities.  The old tired adages of how ATTRIBUTION is too hard of a problem, and how it's impossible to track the source of an attack, are a RED HERRING in this industry.  Do not believe it for a second.  If you're told that, you are being lied to.  The abilities of Nation States to conduct Multi-INT intelligence analysis on threats are unparalleled.  This intelligence supports the missions of Counter-Intelligence and Law Enforcement, and provides data for Strategy and National Leadership Decision Making.

Future postings here will reveal many of the lessons learned through this experience.

It is my hope that it inspires the community of security experts, investigators, forensic professionals, incident responders, and malware analysts to recognize clearly that there is a dire need to come together as one to share their threat data, become educated on the specific technical threats and the groups behind them, and operate as a single unified entity in confronting the single most damaging threat to our future,  as “the greatest transfer of wealth through theft and piracy in the history of the world and we are on the losing end of it.”

I will conclude this post with the original email that I posted to a private research list, in which I issued a community call for action, a Paul Revere’s ride if you will.

Many highly intelligent and dedicated people across many industries and sectors heeded the call and signed up for the effort.  None of them sought glory or recognition for their efforts.  They recognized the vital need for a deeply collaborative, mission-focused effort with the goal of centralizing the collective APT knowledge each group member could muster for the aggregate benefit of all.  The process by which members were invited into the organization was based on a that many other groups use as a basis for membership.

The group formed a pact of anonymity with regards to their identities and affiliations.   They produced excellent work, in-depth technical research, and collaborated continuously and richly to the effort and mission.  This privacy will be honored in this and future postings.  Their contributions and dedication to the group made Operation Starlight a successful model for future collaborative efforts challenged with APT research.

Future postings will cover:

  • The dynamics of group formation
  • The challenges of cyber intelligence sharing
  • Targeting the right expertise for inclusion
  • Contribution of resources to the effort
  • Communication and content sharing mechanisms
  • The data that kicked the RSA investigation into high gear
  • The 3 Groups that attacked RSA and their malware / methods
  • Dealing with Press Inquiries
  • The challenges of dealing with Attribution Research
  • APT Malware Analysis and forensic artifacts
  • Timelining Zero Day Exploit Research in Embedded Attacks tied to China
  • Spearfish attack research and Shellcode Analysis
  • Network intelligence, DNS monitoring
  • Scaling and analysis issues with regard to information overload
  • Information organization
  • Threat Group enumeration and categorization
  • CyberWeapon attribution and naming challenges
  • Historical Threat Group campaigns
  • Victim Identification and Intelligence
  • Decoder development
  • Operational Monitoring
  • Disruption Operations
  • Novel and GroundBreaking Game Changing Strategies
  • Lessons in Crisis Management
  • Victim Notification and LE interactions
  • CyberThreat Overclassification
  • The Profit/Patriotism Conundrum and Ambulance Chasing
  • Big Data Mining
  • Smear Campaigns and Information Operations
  • and many other interesting topics

I hope you will enjoy my sharing of experiences, and wish that it may inspire you to think differently about things with regard to APT research and how you can make a difference.  There is now a ton of open intelligence that any enterprising researcher can leverage to peel back the onion, connect the dots, and then come to the definitive conclusion that our networks are undefendable, that there is a desperate need for game-changing strategies, and that our Government is too constrained by policy and political will to do anything about the issue with regard to China until it is too late.

The communication and application of punitive severe consequences in the form of Economic, Trade, Financial pain combined with a massive tactical offensive cyber counter-attack on all CN APT CNE infrastructure, actors, and resources is partially what is needed to show that we mean business. Developing cadres of patriotic operation under letters of combined with the of a also .  This should be preferably done in close collaboration with our Allied friends that recognize that they too are under the same threats and have the will to do something about it.  If not, we might as well concede, and step back from our positions as the leaders of the free world.  I hope the Communist Party of China treats you kindly.

in the sand and denying it will not make the data leaving your networks slow down anytime soon.  We are a , however the and of  speaks volumes about our efforts to roll back the threat or even demonstrate an effective deterrence.

The email that started it all.

We had better collectively get in gear on this.  Someday lives will be  and we will be looking down the barrel of our own innovation and weapons…


March 27, 2011

One of the most vexing and frustrating (for many) aspects of cyber espionage intrusion response is the ongoing debate over whether or not samples discovered should be submitted to AV companies.  Obviously what would happen is that at some point most likely an automatic process would engage and some type of generic signature would be generated marking it and its variants as malicious.  The hosts monitored would then detect and delete the sample, the smart CNE operator would detect this, and then modify his sample for new and undetected attacks.

One of the primary worries by many is “We don’t want them evolving! It will be too hard to find and detect!”  Therefore let's not up the ante by forcing them to evolve.  Well, has that helped the situation at all? NO.  Has that stemmed the massive data loss?  NO.  Sure, it's easier to analyze samples when they are not packed and the code is easy to read.

Groups like Mandiant and others working investigative forensic response have seen samples become detected and the adversaries entrench deeper, and modify their malware which foils an effective response and they have to start their intelligence collection cycle again before they can do a proper remediation.  Of course this would help their billings, but it really doesn’t help the poor victims and it does not stem the data loss and it certainly does not get them out.

In light of this issue I propose a concept I have been espousing for a while.

GAMECHANGER:  Out of Band CyberEspionage Malware notification/alert system for AV security endpoint agents.

Currently victims don’t want to reveal their malware and all its nefarious tricks to AV companies for fear of it pooching a remediation effort.  AV systems typically detect the threat and delete it, simple as that.  Usually admins don’t even look at the AV logs, and even then the information is usually not much use.  Ironically the consumer AV product offerings are more descriptive than the commercial ones.

What is needed is for AV companies to have an option so that anytime a specific espionage-malware related event occurs, the customer has a registered hotline number and POC, for example the CISO or one of their lead investigators, who will be notified in an out-of-band fashion.   Detection of this malware would do simply that: detect and report via out of band.  It will never block it, alert it, report it, share it, or raise any results whatsoever on a scan event.  The ONLY communication will be from the AV vendor directly, via encrypted out-of-band communication, to the registered POC, who would be very cognizant of the importance of this particular threat.  Well, one would ask, what exactly gets detected signature-wise for this type of event?  It could consist of in-the-cloud “highly sensitive signatures” that are developed as a result of espionage-related incident investigations, with a focus on custom malware and on malware that is openly available but used predominantly by cyber espionage actors.  The malware sample set could include hashes, IP and domain lists, detection of very specific techniques, signatures, et cetera, which would constitute a compilation of intelligence several orders of magnitude smaller than all the copious cybercrime information that is prevalent today.  This small data set of intelligence, if generated by authoritative sources in a collaborative fashion and delivered in a secure and intelligent way, would allow for rapid notification to an organization: UHhhh, you got some Serious Problems going on, PLA is all up in yoZ SHIT.  This could dramatically change the balance of power.

Investigators would be free to segregate and label samples as espionage-ware if properly vetted; highly advanced analytical resources could then collaboratively rip apart samples to a much more in-depth technical level, and resources would have a higher qualitative return on investment due to the fact that they are not wasting time with crap and are focusing on a much smaller set of highly damaging threats.  (Have you noticed that AV Threat Scores are worthless???)  Ironically, the smaller the prevalence of the malware threat (APT —-> ) the more AV vendors say it is a low, very low threat.  Well, not when it's shunting Joint Strike Fighter data to Beijing it's not.  Get with the program.  Granted, AV companies don't give a crap about the US Government.  They are global in nature and have millions of customers.  A targeted attack, being that it's, well, targeted, only might impact .005 percent of their customers.  However Threat ratings are still stuck in the worm days and have not evolved appreciably in years…

At the end of the day this will allow organizations to save a ton of money and resources where currently they are trying to cobble together, buy/build their own internal VirusTotal systems on the back end (a Ridiculous effort and waste) and proceed with half ass implementations of their own sandbox systems for fear that AV companies will report this out to the world and by nature of their products tip off the attackers that they have been discovered.

This would also allow for intelligent, threat-driven TRIAGE of their malcode events, allowing them the freedom of action to handle each and every event the way THEY want to: capturing memory first, collecting a forensic image, monitoring network traffic for a time to profile the attack, or conducting active defense actions by infiltrating the C2 channels / disrupting the hostile infrastructure, and allowing for capture and analysis of the compromised hop point that will reveal the origins of the TRUE attackers.

I know this blog gets lots of readers, however it gets VERY little active discussion and feedback.  This is a damn shame.  If you know of any open blogs that actually take these issues seriously, discuss them in depth, and are willing to address the bugaboo in the room, then let me know and I will link them.  I would bet AV companies are sitting on a ton of APT malware that they have no clue as to the operational context of….

It’s high time you stop getting events labeled trojan.generic and Backdoor.ckb  Come on man that’s just crap.  Customers should demand better.

At the end of the day I guess, I am really just planting seeds..

One of the things that drives my research in relation to other technical research on malware that only tends to focus on the bits and the bytes is the fact that you can tell entire stories and interrelate seemingly disparate hostile acts of cyber aggression if you know enough and look long enough at the data right in front of you.

The concept of malware intelligence and connecting the dots after viewing many, many samples seems to be under-appreciated in the industry to a large extent.  Especially with AV vendors, whose mission is to mainly focus on large prevalent threats; most of the Excellent stuff is never reported or is just rubbed out of existence with ridiculous CARO naming convention names that mean nothing to the end user and speak nothing to the level of Weaponization of the malware nor the myriad intelligence nuggets that can be found in its inner core.  Additionally, where this information may be discovered, it is not correlated, shared, or discussed in the open.  The actors and organizations are given free rein to act in the shadows due to the fact that no one is actually pointing a finger in their direction and putting heat on them.  This is additionally true in the cybercrime area of malware development, where many may know the actors responsible or behind networks but keep it private.    This only enables the sorry state of our situation, where the game has completely changed and a tipping point (actually we are way past that) has occurred.  The ground has shifted under our feet and we are still not gauging how serious things have become.

GAMECHANGER: I am proposing that industry luminaries come together to create a highly technical Malware Intelligence Fusion Center with the express goal of bringing the special weaponization techniques to light and out in the open.  Identify and correlate the myriad of slipups that hostile actors use that can enable attribution whether it be embedded payload metadata, unique encryption, shellcode specifics, payload pedigrees, TTPs of hostile actors, and then tie these back to multi-INT sources of open source intelligence thus creating threat dossiers that can be leveraged for real world actions.

These cyber actions are done precisely because there is NO risk of consequence.  They can operate in the dark because the industry allows them to.  They fail to focus on the fine technical details that might actually connect the dots and draw a bigger picture, then use that knowledge to force a change of behavior.   The numerous denials from various Foreign Ministers about how they would Never ever do these things are on their face wholly ridiculous, however when challenged after each attack, the victims simply let it go; they do not aggressively push for results, demand a change in behavior, or impose consequences collectively or individually.  Most will simply write up a small malware analysis report, note the C2 IP address (for blocking purposes), which is completely worthless and holds NO worth whatsoever in cyberdefense now as we speak.  Then they will post it somewhere and occasionally it will get referenced when the next attack occurs.

The collective talent in the security and AV space is staggering, however with all that brain power not a single group or entity (save for possibly Mandiant) has truly tackled and provided a real Cyber Espionage Malware Intelligence capability that is worth much of anything.  If countries want to do the malware espionage game, then they will have to up their game and not get caught, or else all their information is identified and captured and made available to the community for the purposes of collective defense.  (think water buffaloes rallying around and protecting themselves when a pride of lions enters the area)

One of the problems is that much of this is done sort-of effectively in the military/intelligence space, however it's pretty much akin to a group of lords and ladies all protected behind big stone walls while the barbarians ravage the countryside and pillage the peasants and merchant class.  This is Exactly what is occurring today, however the fallacy is thinking that the lords and ladies behind the walls are actually safe.  They are not.  They are under concerted siege, and only discovering the rotting diseased corpses that have been placed in the wells and catapulted over the walls at night, and the assassin insiders that manipulate and kill from within.   Cyber espionage is at risk of being over-popularized to the point where now people hear of a major breach, roll their eyes and say “Oh man, not again.  Oh well.  It happens a lot,” and then proceed to blah blah about how they should have been secure.

Why has the public discussion not turned openly hostile, demanded action, demanded answers and started to act in a more active defense posture towards this?  Currently there is very little open academic or public debate on the benefits of aggressive self defense.  I will say that the latest video where this poor fat kid is just getting the crap punched out of him by a sadistic yet smaller little bastard of a kid.  The fat kid finally says @#$%@# and grabs the little pissant, heaves him up in the air and .    The bully then proceeds to do a ridiculous “I just got knocked the F&(k out!” wobble and the bullied kid walks away.

This should serve as a nice inspiration for an example in active defense, but I doubt many think it's time to work on these things.

My main purpose for this blog was to infect the blogosphere with memes and concepts to modify the way things are being done today in the realms of cyberwar/conflict and the sorry situation we are in.  I have proposed game-changing concepts that seem to be so actively sought after by organizations like DARPA and NIST as well as others.   Based on the types of organizations that have actively followed this blog, I would say that some of the content has influenced actions or ideas and maybe, just maybe, planted seeds, where we can pivot from the old and emerge stronger and more active into the new paradigm we find ourselves in.

Many have inquired about the various sources of some of my previous posts.  You can piece together much of the cyber espionage program by researching a variety of sources such as ThreatExpert / Security research on zero-day exploits, where they cover not only the embedded attacks but analysis of the payloads, and deep technical analysis on contagio’s web site samples.  Combine that with reports to congress on China, James M’s excellent reporting on behalf of NGC, topical reports from InfoWar Monitor on GHOSTNET/Aurora/Nightdragon and others, as well as the Excellent malware analysis reports that were exposed due to HBGary’s colossal fuckup, revealing new victims, as well as in-depth malware analysis reports from the targeted and thoroughly compromised Qinetiq organization that works in cyber defense.  Tying that to the revelations of Wikileaks, which exposed methods and code names and past attacks and timelines, along with the excellent reports that Mandiant puts out, you can easily combine it with the full bevy of open source social networking research to make and tell a wonderful fact-based story and connect the dots.  The fact that attackers suck so much at their job (or don’t care about operational security), or that we are just so good at putting the pieces together, makes for interesting days.

We shall see how the RSA thing pans out, however there are more “invasions” (BTW, that’s what China calls computer intrusions….) than you can shake a stick at, and we and our allies will be doing post mortems until the cows come home.  In the meantime those little bastards will continue to steal our data on the hosts You Are not looking at.

One of the things I have been absolutely annoyed with to no end is the bullshit sentences that cyber criminals get.  Aside from Alberto Gonzales, sentencing today is still bullshit compared to street crimes of way less monetary value.  If we were really serious we would be pushing RICO charges against cybergangs who are pillaging and raping the cyber countryside.  On a humorous ironic side note, my credit union was owned and my SSN and credit card info most likely stolen.  If it was via Zeus (There are so many kick ass banking programs to pick from these days) then I have a word for the author.  [REDACTED]

So the transference of data into information, and information into knowledge that operational people can use to better defend and respond to malware, is critical.  Assuming that the concept of a centralized Malware DNA database can get off the ground, and we don't have 50 different competing versions, the next logical step is crafting an operational Vision to unify the concept and actually make it useful.

Here is an overview of one such method.

The Crucial “Digital Genome Sequencing Methodology” advances the established highly technical field of malware analysis by revolutionizing the current operational methods for communicating, collaborating, and sharing critical intelligence about malicious code. This new communications model is comprised of the following key components:

  • A Digital Genome Sequence data representation standard collaboratively established through an expert network of malicious code analysts and implemented as a unique binary bitstream for the description of malware along with its hash and fuzzy hash signatures.
  • A knowledge base repository of malware DNA traits comprising characteristics and functions. Characteristics are what the malware looks like, functions represent the potentially hostile effects that can impact operations.
  • An XML Malware DNA Trait data schema to parse the malware bitstream and represent it to applications for operational use. This schema will translate the bitstream into technical intelligence by presenting detailed information about each trait.
  • A distributed Malware Intelligence Fusion Dashboard application implements the XML schema and communicates the analytical information to the operator as an intelligence dossier about the malware sample.
  • A Malware Analyst Workbench component within the dashboard will allow analysts to retrieve a malware sample during analysis and author the digital genome sequence data by selecting DNA traits as they are discovered allowing for constant sample refinement in collaboration with other analysts who can securely discuss the markup process.
  • The Malware Dossier is constructed of DNA traits fused together with previously derived cyber-intelligence related to that sample and delivered as analytical product for total situational awareness.
  • An Operational Impact Score is generated for the cyber-operator based on a weighted scoring algorithm that evaluates the likelihood of code being malicious based on its characteristics, functions, and historical cyber-intelligence compared to its delivery vector and operational targeting of critical assets, organizations, data, or operations.
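As an added illustration, not code from the original post or from any of the products named later on this page, here is a toy Python sketch of the pipeline the bullets describe: a constructed trait knowledge base, the genome bitstream with its hash and a fuzzy-hash stand-in, the XML trait representation and its parser, and a weighted Operational Impact Score. All trait names, weights, delivery-vector multipliers and sample bytes are invented for the example.

```python
"""Toy "Digital Genome Sequence" pipeline (constructed example, not a product).

Trait knowledge base -> bitstream genome -> XML trait record -> weighted
Operational Impact Score. Every trait, weight and multiplier is invented.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed trait knowledge base. Bit position in the genome = list index.
# kind: "characteristic" (what the malware looks like) or "function"
# (the potentially hostile effect); weight is an assumed severity.
TRAIT_KB = [
    ("packed_upx",        "characteristic", 1, "Sections consistent with UPX packing"),
    ("pdb_path_embedded", "characteristic", 2, "Developer PDB path left in the binary"),
    ("custom_xor_config", "characteristic", 2, "Config blob under single-byte XOR"),
    ("persist_run_key",   "function",       2, "Writes an autostart Run registry value"),
    ("keylog",            "function",       3, "Installs a keyboard hook"),
    ("http_beacon",       "function",       3, "Periodic HTTP beacon to a hard-coded host"),
    ("screen_capture",    "function",       2, "Grabs screen contents"),
    ("exfil_archive",     "function",       4, "Archives documents and uploads them"),
]
INDEX = {name: i for i, (name, _, _, _) in enumerate(TRAIT_KB)}
MAX_BASE = sum(weight for _, _, weight, _ in TRAIT_KB)

# Assumed multipliers for the delivery vector, used by the impact score.
VECTOR_MULT = {"spearphish": 1.5, "watering_hole": 1.3, "removable_media": 1.2, "unknown": 1.0}


def encode_genome(traits):
    """Set bit i for every present trait i; return the bitstream as fixed-width hex."""
    bits = 0
    for name in traits:
        if name not in INDEX:
            raise ValueError(f"trait not in knowledge base: {name}")
        bits |= 1 << INDEX[name]
    width = (len(TRAIT_KB) + 3) // 4          # one hex digit per four traits
    return f"{bits:0{width}x}"


def decode_genome(genome_hex):
    """Inverse of encode_genome: trait names in knowledge-base order."""
    bits = int(genome_hex, 16)
    return [name for i, (name, _, _, _) in enumerate(TRAIT_KB) if (bits >> i) & 1]


def chunk_hash(data, chunk=64):
    """Crude stand-in for a fuzzy hash (ssdeep/TLSH in practice): 4 hex chars per
    64-byte chunk, so files that differ only at the tail share a long prefix."""
    return ":".join(hashlib.sha256(data[i:i + chunk]).hexdigest()[:4]
                    for i in range(0, len(data), chunk))


def build_record(sample, traits):
    """Per-sample record: cryptographic hash, fuzzy-style hash, genome bitstream."""
    return {
        "sha256": hashlib.sha256(sample).hexdigest(),
        "fuzzy": chunk_hash(sample),
        "genome": encode_genome(traits),
    }


def record_to_xml(record):
    """Expand the bitstream into the XML trait representation an application consumes."""
    root = ET.Element("MalwareDNA", sha256=record["sha256"], genome=record["genome"])
    for name in decode_genome(record["genome"]):
        _, kind, weight, desc = TRAIT_KB[INDEX[name]]
        trait = ET.SubElement(root, "Trait", id=name, kind=kind, weight=str(weight))
        trait.text = desc
    return ET.tostring(root, encoding="unicode")


def traits_from_xml(xml_text):
    """Parse the XML back to trait ids (the dashboard side of the exchange)."""
    return [t.get("id") for t in ET.fromstring(xml_text).findall("Trait")]


def operational_impact_score(genome_hex, delivery_vector, target_criticality, prior_intel_hits=0):
    """0-100 score: fraction of total trait weight, scaled by delivery vector and by
    the criticality (1-5) of what was targeted, plus 5 points per prior intel link."""
    base = sum(TRAIT_KB[INDEX[n]][2] for n in decode_genome(genome_hex))
    score = (100.0 * base / MAX_BASE
             * VECTOR_MULT.get(delivery_vector, 1.0)
             * (target_criticality / 5.0)
             + 5 * prior_intel_hits)
    return min(100, round(score))


# Constructed sample bytes and the traits an analyst marked up in the workbench.
SAMPLE = b"MZ" + bytes(range(256)) * 2 + b"\x00" * 30
SAMPLE_TRAITS = ["pdb_path_embedded", "custom_xor_config", "http_beacon", "exfil_archive"]

if __name__ == "__main__":
    rec = build_record(SAMPLE, SAMPLE_TRAITS)
    print(rec["genome"], decode_genome(rec["genome"]))
    print(record_to_xml(rec))
    print(operational_impact_score(rec["genome"], "spearphish", 5, prior_intel_hits=1))
```

The same four traits score differently depending on how and against what they were delivered, which is the point the bullet about the Operational Impact Score is making.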

This “Offense informs Defense” approach allows for commanders to effectively plan for agile cyber-defense and conduct precise cyber-targeting in support of counter-force and counter-intelligence actions.

The collaborative approach to analysis and communication of malware DNA traits is the only realistic and scalable solution to a critical national security problem that threatens to blunt the ability to protect national interests and erosion of the scientific and technological advantage gained through expensive research and development.

Any knowledgebase is only as good as the collaborative work that is entered into it by the hardworking and pioneering analysts that currently research new malware tactics, techniques, and procedures.  I will be issuing this invitation to reversers and analysts that I have respected and read about while doing my research.  It is my hope that a small portion of these researchers will accept this role and help guide the open source generation of the world's largest malware DNA knowledge base.

Here is the list in no particular order: 

  • Phil Wallisch – HBGary
  • Lorenzo Kucaric – Crucial Security
  • Michael Troutman – Crucial Security
  • Nick Harbour – Mandiant
  • Jorge Mieres
  • Tom Liston
  • Giuseppe Bonfa (Evil Cry)
  • Frank Boldewin
  • Alex Lanstein – Fireeye
  • Atif Mushtaq – Fireeye
  • Julia Wolf – Fireeye
  • Didier Stevens
  • Paul Royal
  • Danny Quist – Offensive Computing
  • Marco Cova
  • Ero Carrera
  • Joe Stewart – SecureWorks
  • Anushree Reddy
  • Dancho Danchev
  • Peter Kleissner
  • Ivan Kirillov – MITRE MAEC
  • Dr. Michael VanPutte – DARPA Cyber Genome

This list is not complete, and will be enhanced based on recommendations from other analysts and researchers.  There is also a standing invite to all AntiVirus community researchers that do this for a living and have seen these techniques and tricks for years, yet have never had an effective way to communicate these traits in a standardized fashion.  Now here is your chance!

Post a reply here if you're interested in being on the board.

This is a test of a development prototype for the identification and submission of Malware DNA Traits into a centralized Knowledgebase.  This will be a collaborative industry effort.  The industry has recognized and validated the need for this.  There are several excellent groups that are adopting the concepts of malware DNA.  Here is a sampling.  The fact that pools of research money have been and are still being put into solving this problem, especially under DARPA, demonstrates how challenging a realization of this will be.

  • HBGary – feature in their Responder Pro – Live memory analysis toolset
  • Harris Corp. – Digital Genome Sequencing Methodology
  • MITRE –
  • IEEE Standards Association – (blog post and )
  • Defense Advanced Research Projects Agency (DARPA) Strategic Projects Office – –

So I originally came up with this Idea for Counterterrorism a while ago and have modified it for Cyberwar conflict.  It goes like this.  Why aren't more terrorists Killed on a daily basis by powers that can do it and have the will?  For the completely countervailing reason that usually trumps Direct Action: Intelligence gathering. Plain and Simple.  INT collection is used on a worldwide basis to target actors.  However, Pre-9/11 completely showed a lack of will and balls to actually take care of problems for completely bullshit reasons.    Lawyers, human rights blah blah. Bureaucracy.  Apathy and pragmatic thought.


My solution for terrorists was this.  You do all the INT collection you want.  But 1 [ONE] DAY EVERY YEAR you have what I will term a BLACK NOVEMBER. What is it, do you ask.  It's a kill pulse.  All the intelligence derived and gathered and fused and generated during the year gets put into a master target list.  And direct action takes place, Synchronized.   This will have the immediate effect of Dramatically draining the SWAMP immediately, eliminating a lot of the BS INTEL noise you get in collection efforts and clearing the way for a new round of intel gathering, new link analysis and Intel collection.

Direct action will be expendable and non-attributable, and revolve around “accidents or otherwise mundane unfortunate circumstances.”  Better not to attract that much attention unless that's what you want to go for.

I then evolved this concept to Terrorist electronic communication forums, which present the inherent evil of allowing for the dispersal of terrorist ideology, plans, TTPs and other Terrorist crap.  So the BLACK NOVEMBER would essentially, over time, corrupt any backups of data that were being made, then target and destroy, Crypto attack, or secure delete all worldwide terrorist extremist forums and other info material that is in direct control of mal actors.

One, this highly disruptive attack would sow CHAOS into the ranks, break communication mechanisms, force the reestablishment of new networks and comms that can be rapidly identified and tracked to be put into the next yearly Purge cycle for cyberwipe.

So after this I come to my 3rd evolution of BLACK NOVEMBER.  That is doing the same thing but targeting the numerous cybercrime forums, tool factories, egosites, and Botnet command and control sites that exist throughout the Internet. [NOTE: IF IT WASN'T ALREADY OBVIOUS. you do this Non-attributable, preferably geographically spread across the Internet IP space and Geographies, you also use massive variation in code, techniques, and character sets and styles.  Unless of course you don't care about attribution for the shock factor]

This can be a massive sweep or it could be a certain number of high threat target sets.  Either way, this pulse of cyberpurging would ENSURE ONE THING. That there are no excuses, no compromises, and real,…REAL action taken against at least the Technical mal-infrastructure that pervades the net and sucks like a vampire of our National Security and Economic Security.

I will be the first to say that I don't think our authorities have the will, vision, foresight, or balls to ever consider any of these actions.  However I will say this.  I am laying it out there as a thought meme, a destabilizing concept that needs to be expanded and discussed and further investigated….
SO WHAT…. DO YOU HAVE A BETTER SOLUTION?  If so, fire away and propose one.  And don’t rehash any of the ideas that have been bandied about for years.  Come up with something original.

Yes folks, we need a Phoenix Program for Cyber.  That’s what I’m saying.
