Countering the Cyber Espionage Threat from China
1. IMPACT 2016 - National Security Institute
Countering the Cyber Espionage Threat from China
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC
2. China’s Strategy
China’s Strategy for Information Warfare
• China has demonstrated its intention to become an internationally leading player in the fields of information and cyber warfare. Information warfare involves actions taken to achieve information superiority by affecting adversary information, information processes, information systems and computer-based networks, while denying the adversaries’ ability to do the same.
• More than 20 years ago, China began to publish its theories, doctrines, policies and strategies concerning both defensive and aggressive use of cyberspace.
• A student from the Institute of Systems Engineering of Dalian University of Technology in China published a research paper titled “Cascade-Based Attack Vulnerability on the US Power Grid.”
• Several American experts and journalists analyzed the article as a new demonstration of China’s offensive motivations against American infrastructure (and indeed against the security and sovereignty of the USA), and also as proof of China’s involvement in a new arms race in cyberspace.
• China’s approach to information warfare and cyber warfare has two main dimensions: military and civilian, both developed through theoretical and practical considerations.
http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361
3. First Gulf War Influence on China
The Military Dimension – from The Journal of Energy Security
The dazzling success of the US in the first Gulf War was interpreted by several armies in the world as the victory of new technologies.
According to this model:
• Information and information technologies’ dominance provided total control over the battlefield
• It was also the key to military success, victory and power.
This conclusion called for a radical transformation within armed forces:
• China’s Revolution in Military Affairs (RMA) concept.
• Transformation of Chinese doctrine guided new strategies of evolution in Chinese military affairs and in several industrialized countries worldwide.
In this context, the concept of information warfare acquired greater consideration among military experts in China. Since the mid 1990s the Chinese army has implemented a modernization program guided by the concept of “informationization” (which translates as dominance over information technologies and cyberspace).
http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361
4. First Gulf War Influence on China
The Military Dimension – from The Journal of Energy Security
In 1995 General Wang Pufeng, who is considered the father of the Chinese doctrine of information warfare, outlined several key concepts of this doctrine. Among them he pointed out that:
• The goal of information warfare is no longer the conquest of territories or the destruction of enemy troops, but the destruction of the enemy’s will to resist.
• Information warfare is a war in which the ability to see, to know and to strike more accurately and before the adversary is as important as firepower.
In 1997 Chinese Colonel Baocun Wang added that:
• Information warfare can be conducted in times of peace, crisis and war;
• Information warfare consists of offensive and defensive operations;
• The main components of information warfare are command and control, intelligence, electronic warfare, psychological warfare, hacker-warfare and economic warfare.
http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361
5. 3PLA
The Third Department of the People’s Liberation Army’s General Staff Department
Also known as 3PLA, China’s equivalent to the National Security Agency
– Crucial to the country’s military strategy
– Responsible for monitoring much of the world’s communications for threats and commercial opportunities.
– Using Chinese government websites, academic databases and foreign security expertise,
– The organization maintains what active and former U.S. officials say are facilities around Shanghai specialized in watching the U.S.
– One of them is located close to the main transoceanic communications cables linking China to the U.S.
– Those activities were highlighted in May 2014, when the Justice Department indicted five officers of 3PLA on charges they stole U.S. corporate secrets.
http://www.wsj.com/articles/chinas-spy-agency-has-broad-reach-1404781324
6. 3PLA
A ground view of 3PLA facilities, with an organizational structure of the NSA-like military department, which increasingly rattles governments and corporations around the world while remaining obscure to outside security circles.
http://www.wsj.com/articles/chinas-spy-agency-has-broad-reach-1404781324
7. Military Organization 3PLA Is Tasked With Monitoring World-Wide Electronic Information
Its operational units are spread out widely throughout China. From mountains near Beijing, China’s 3PLA conducts the following:
• Monitors Russia and tracks missiles.
• Its military experts analyze Internet phone calls on an island dubbed China's Hawaii.
• Eavesdrops on Europe from a secret town hidden behind an array of residential towers.
• Recruited from elite specialist universities, 3PLA’s estimated 100,000-plus hackers, linguists, analysts and officers populate a dozen military intelligence bureaus, according to the foreign experts.
http://www.wsj.com/articles/chinas-spy-agency-has-broad-reach-1404781324
8. FBI - Cyber’s Most Wanted
Five Chinese Military Hackers Charged with Cyber Espionage Against U.S.
On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA):
• HUANG ZHENYU (AKA: Huang Zhen Yu, “hzy_lhx”)
• WEN XINYU (AKA: Wen Xin Yu, “WinXYHappy”, “Win_XY”, Lao Wen)
• SUN KAILIANG (AKA: “Jack Sun”)
• WANG DONG (AKA: Jack Wang, "UglyGorilla")
• GU CHUNHUI (AKA: Gu Chun Hui, "KandyGoo")
9. Five 3PLA Officers Indicted
From 2006-2014, the defendants were allegedly involved in a hacking conspiracy that targeted:
• Westinghouse Electric Co.
• U.S. subsidiaries of SolarWorld AG
• United States Steel Corp
• Allegheny Technologies Inc.
• United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW)
• Alcoa, Inc
31 criminal counts, including:
– conspiring to commit computer fraud;
– accessing a computer without authorization for the purpose of commercial advantage and private financial gain;
– damaging computers through the transmission of code and commands;
– aggravated identity theft;
– economic espionage;
– theft of trade secrets
https://www.fbi.gov/wanted/cyber/sun-kailiang/view
10. Lisong Ma - 2013
Lisong Ma, a citizen of China, pled guilty to violating the International Emergency Economic Powers Act by attempting to export weapons-grade carbon fiber from the USA to China.
During the investigation, federal agents maintained a covert cyber-presence on web sites related to the brokering, purchase and sale of controlled commodities.
• In February 2013, the defendant, using the name “Ma Li,” e-mailed an undercover agent and indicated that he was interested in acquiring several different types of high-grade carbon fiber.
• Then, through various online communications, the defendant attempted to negotiate the purchase of five tons of carbon fiber.
• Based on a review of Internet Protocol log-in information, investigators discovered that the defendant was communicating from the People’s Republic of China.
• After traveling to the United States to meet those agents, Ma paid $400 for a spool of Toray-type, T-800 carbon fiber, and tried to ship it in a box whose invoice said it contained clothing, prosecutors said.
http://www.reuters.com/article/us-usa-crime-exports-idUSBRE94T12920130530
11. Su Bin
March 23, 2016 – FBI Press Report
• “A Chinese businessman pleaded guilty on Wednesday to charges of conspiring to steal sensitive military aircraft data from computers belonging to Boeing and other defense contractors, in the latest reminder of what the US has called a massive Chinese cyber espionage campaign.”
• “Su Bin, 50, admitted to collaborating with two unindicted Chinese co-conspirators over a near six-year period that ended shortly before his 2014 arrest.
• Among the aircraft they targeted were:
– Boeing’s C-17 military transport aircraft and
– Lockheed Martin’s F-35 and F-22 fighter jets.”
“In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion.”
“Economic espionage and theft of trade secrets are increasingly linked to the insider threat and the growing threat of cyber espionage.”
http://www.ft.com/intl/cms/s/0/f1206e54-f13e-11e5-9f20-c3a047354386.html#axzz44vRXCKIr
12. USTRANSCOM
September 2014
• “In a 12-month period beginning June 1, 2012, there were about 50 intrusions or other cyber events into the computer networks of TRANSCOM contractors, the 52-page report stated.”
• “At least 20 of those were successful intrusions attributed to an "advanced persistent threat," a term used to designate sophisticated threats commonly associated with attacks against governments. All of those intrusions were attributed to China.”
• “The investigation found that a "Chinese military intrusion" into a Transcom contractor between 2008 and 2010 "compromised emails, documents, user passwords and computer code."”
• “In 2012, another intrusion was made into multiple systems of a commercial ship contracted by Transcom, the report said.”
13. Private Health Care
“Healthcare is by far the largest sector of where data breaches are occurring.”
According to the Experian identity theft resource center, in 2014, 43% of the major data breaches were from the health care industry.
• August 2014 - Community Health Systems (CYH.N), one of the largest U.S. hospital groups, said Chinese hackers had stolen Social Security numbers and other personal data from some 4.5 million patients.
• A group of sophisticated Chinese hackers known for its high-stakes corporate espionage has a history of stealing medical-device blueprints, prescription-drug formulas and other valuable intellectual property from large health-care companies.
– For over a year, Dell's SecureWorks division responded to multiple intrusions by a hacking group targeting health-care and pharmaceutical companies.
– The group uses phishing e-mails and has even gained physical access to computers to infect target companies.
– They have been "extremely successful in exfiltrating the most valuable intellectual property of organizations," according to Dell.
• October 2015 - Hackers in China targeted health insurer Anthem to learn how medical coverage is set up in the US as Beijing grapples with providing healthcare for an ageing population, US investigators have concluded.
– “People familiar with the Anthem investigation believe that gaining intellectual property and trade secrets were the rationale for the hack. The individual data held by Anthem, which insures many US government employees, could also be helpful to Chinese intelligence agencies.”
14. Comparing Costs
How much did the September 11 terrorist attack cost America?
• Counting the value of lives lost as well as property damage and lost production of goods and services, losses already exceed $100 billion.
• Including the loss in stock market wealth -- the market's own estimate arising from expectations of lower corporate profits and higher discount rates for economic volatility -- the price tag approaches $2 trillion.
Among the big-ticket items:
- The loss of four civilian aircraft valued at $385 million.
- Destruction of major buildings in the World Trade Center with a replacement cost of $3 to $4.5 billion.
- Damage to a portion of the Pentagon: up to $1 billion.
- Cleanup costs: $1.3 billion.
- Property and infrastructure damage: $10 billion to $13 billion.
- Federal emergency funds (heightened airport security, sky marshals, government takeover of airport security, retrofitting aircraft with anti-terrorist devices, cost of operations in Afghanistan): $40 billion.
- Direct job losses amounted to 83,000, with $17 billion in lost wages.
- The amount of damaged or unrecoverable property hit $21.8 billion.
- Losses to the city of New York (lost jobs, lost taxes, damage to infrastructure, cleaning): $95 billion.
- Losses to the insurance industry: $40 billion.
- Loss of air traffic revenue: $10 billion.
- Fall of global markets: incalculable.
http://www.iags.org/costof911.html
15. Comparing Costs
Cybercrime and espionage costs $445 billion annually
The estimate was produced by the Center for Strategic and International Studies (CSIS). The report, funded by the security firm McAfee, which is part of Intel Security, represents one of the first efforts to analyze the costs, drawing on a variety of data.
– CSIS estimated that the United States lost about $100 billion.
– Germany was second with $60 billion.
– China followed with $45 billion.
https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
16. What can you do?
• Identify Critical Data and Information
– Protect it with defense in depth
– Don’t put all your eggs in one basket
• Split up and store the secrets in different locations
• Control and monitor access
• Identify Critical Personnel
– Positions key to the success and continuity
– Train replacements
– Perform and record job task analysis
• Identify Critical Resources
– Tech power
– High value technology
18. Insider Threat
Who is an Accidental Insider Threat?
• All employees – exhibit bad habits:
– Passwords left on screens, under keyboards
– Tailgating into restricted areas, loss of accountability
– Using their computers to surf the web or communicate via personal e-mail
– Bringing personal computing devices to work (laptops, PDAs, smart phones & tablets)
– Failing to follow OPSEC
– Social engineering – phone calls from imposters, phishing e-mails, etc.
• IT Personnel – create vulnerabilities by:
– Using group accounts
– Lacking separation of duties
– Creating scripts or back doors for convenience
– Not changing default passwords
• Security Personnel – exhibit bad habits
– Deviate from security practices they are required to enforce
• Executive Management
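Slide 16 says to identify critical data and then control and monitor access to it, and slide 18 names group accounts and unchanged default passwords as vulnerabilities IT staff create. The script below is an added example, not part of this presentation, showing how those points turn into a concrete check: it takes a constructed account inventory (which people know each login), a constructed list of accounts a credential audit flagged as still on vendor defaults, a critical-data register, and a few constructed access-log lines, and reports every read of critical data that was made by a login not on the access list, by a shared group account, or by a default-password account. All account names, paths and log lines are made up for the example.

```python
"""Audit reads of critical data for the accidental-insider conditions named on the slides.
Example code, not from the presentation; every name and log line below is constructed."""
from collections import namedtuple

Event = namedtuple("Event", "ts login action resource result")
Finding = namedtuple("Finding", "login resource reason")

NOT_AUTHORIZED = "login is not on the access list for this resource"
GROUP_ACCOUNT = "shared/group account: access cannot be attributed to one person"
DEFAULT_PASSWORD = "account still uses a vendor-default password"

# Constructed inventory: login -> set of people who know the credential.
# A login known to more than one person is a group account (no accountability).
ACCOUNT_OWNERS = {
    "jsmith": {"J. Smith"},
    "mlee": {"M. Lee"},
    "opsadmin": {"J. Smith", "M. Lee", "R. Diaz"},   # group account
    "svc_backup": {"R. Diaz"},
}

# Constructed result of a credential audit: accounts whose password equals the vendor default.
DEFAULT_PASSWORD_ACCOUNTS = {"svc_backup"}

# Constructed critical-data register (slide 16): resource -> logins allowed to read it.
CRITICAL_DATA = {
    "/vault/design/c17_wing.dwg": {"jsmith"},
    "/vault/formula/batch42.xlsx": {"mlee"},
}

# Constructed access log: timestamp, login, action, resource, result.
SAMPLE_LOG = """\
2016-04-01T09:12:03Z jsmith READ /vault/design/c17_wing.dwg OK
2016-04-01T09:40:11Z opsadmin READ /vault/design/c17_wing.dwg OK
2016-04-01T22:05:44Z svc_backup READ /vault/formula/batch42.xlsx OK
2016-04-01T10:01:00Z mlee READ /vault/formula/batch42.xlsx OK
2016-04-01T10:02:00Z mlee READ /share/public/newsletter.pdf OK
"""


def group_accounts(owners=ACCOUNT_OWNERS):
    """Logins known to more than one person, sorted for stable output."""
    return sorted(login for login, people in owners.items() if len(people) > 1)


def parse_log(text):
    """Parse the whitespace-separated log format used by SAMPLE_LOG."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, action, resource, result = line.split()
        events.append(Event(ts, login, action, resource, result))
    return events


def audit(log_text=SAMPLE_LOG, critical=CRITICAL_DATA,
          owners=ACCOUNT_OWNERS, defaults=DEFAULT_PASSWORD_ACCOUNTS):
    """Return one Finding per (event, reason) for accesses to critical data.

    Non-critical resources are skipped: the slides' point is to know what is
    critical first and then watch access to exactly that."""
    shared = set(group_accounts(owners))
    findings = []
    for ev in parse_log(log_text):
        if ev.resource not in critical:
            continue
        if ev.login not in critical[ev.resource]:
            findings.append(Finding(ev.login, ev.resource, NOT_AUTHORIZED))
        if ev.login in shared:
            findings.append(Finding(ev.login, ev.resource, GROUP_ACCOUNT))
        if ev.login in defaults:
            findings.append(Finding(ev.login, ev.resource, DEFAULT_PASSWORD))
    return findings


if __name__ == "__main__":
    print("Group accounts:", ", ".join(group_accounts()))
    for f in audit():
        print(f"{f.login:12} {f.resource:32} {f.reason}")
```

On the constructed log this yields four findings: the `opsadmin` read of the C-17 drawing is both unauthorized and unattributable to a single person, and the `svc_backup` read of the formula sheet is unauthorized and made by an account still on its default password. The two reads by the authorized owners produce nothing, and the public newsletter is out of scope because it is not in the register.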
19. Insider Threat
Reduce the Risk for the Accidental Insider Threat:
• Educate and train all personnel on exhibiting good habits & behavior
– Computer based – Internal/External (DSS/DISA, Others)
– Develop in house programs
– External training & Conferences
– Provide periodically (monthly, biannually, annually)
– Gear training to the audience
• All personnel
• IT Personnel
• Security Personnel
• Assess the training material for currency and effectiveness
– Update
– Provide Examples (real world events or case studies)
20. Key Take Aways
• Technology touches every aspect of our daily lives
– Does every computing environment need access to the network?
• 2.8 personal devices exist for every human on earth
• IoT creates more ways to be hacked, be wary of new technology
• Work with other stakeholders in the organization
• Look at your contracts and DD-254s
– Do clearances align with both documents?
– What are the ADP/IT requirements?
• Look at 3rd-party vendors
– Create and sign service agreements
• Supply Chain Management
– Applies to sub-contractors
– Applies to R&D & academia relationships
• Talk to HR, Legal and other stakeholders
– Establish an Incident Response Team and practice it
– Establish an Insider Threat program and review it; meet and discuss indicators
22. Resources
How to Combat the Threat
FBI - Economic Espionage: Protecting American’s Trade Secrets
https://www.fbi.gov/about-us/investigate/counterintelligence/economic-espionage-brochure
The FBI’s Business Alliance Initiative
https://www.fbi.gov/about-us/investigate/counterintelligence/us-business-1
Internet Social Networking Risks
https://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks
Journal of Energy Security
http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361
Infragard Chapters
https://www.infragard.org/
Dr. Shawn P. Murray on SlideShare
http://www.slideshare.net/
Security Organizations (DSS, ISSA, ISC2, Others)
National Security Institute – Reference CD & News Letters
23. References & Citations
Resources and references used for presentation:
• http://www.reuters.com/article/us-usa-military-cyberspying-idUSKBN0HC1TA20140918
• http://blogs.wsj.com/chinarealtime/2014/07/08/meet-3pla-chinas-version-of-the-nsa/?KEYWORDS=china%20hackers
• https://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf
• http://www.strategicstudiesinstitute.army.mil/pdffiles/pub1191.pdf
• http://www.ft.com/cms/s/0/242c2f4e-7c2e-11e5-98fb-5a6d4728f74e.html#axzz44vRXCKIr
• https://news.wgbh.org/post/why-would-chinese-hack-your-health-care-account-why-would-anybody
• http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361