
Cyber Sleuths Track Hacker to China’s Military - vinnyglennon
http://www.wsj.com/articles/cyber-sleuths-track-hacker-to-chinas-military-1443042030
======
kposehn
I think it is very important to understand that the timing of this report is
likely no coincidence. With Xi set to have discussions today with Obama, this
is effectively a slap across the face to Xi right before an important visit
that he can't back out of, and effectively puts China on a lower footing by
showing them to be lying directly to the US about their intentions.

Edit: this isn't to say publication/announcement was done at the
administration's request, simply that the timing is extremely suspect. Other
interests also want to see Xi brought down a few pegs. Politics :-/

~~~
peter303
Ironically, MSFT and FB are fawning over Xi's visit, giving him the royal tours.
China treats these two companies very poorly. Nearly all MSFT software in
China is pirated. China bans FB partly for censorship and partly to protect
internal social networking products.

~~~
happywolf
MS technically has the ability to shut off and cripple any pirated Windows over
the wire if it wants to. But in this case, it has chosen not to for a lot of
Asian countries. The reason? Market share.

It wants users to get used to how Windows works, versus other alternatives
like Linux, Mac, etc.

~~~
imglorp
Good observation. MS is willing to pay a high price for market share.

For example, nobody wanted Windows Mobile, so they paid Nokia to install it.
Failing that (<4% mkt share), they bought Nokia.

X-Box is another product they're paying customers to take, in exchange for
living room share. It's lost billions overall since its beginning.

------
dogma1138
Google redirect:
[https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web...](https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCIQqQIwAGoVChMI9pbzr-mPyAIVCG0UCh0eFwMP&url=http%3A%2F%2Fwww.wsj.com%2Farticles%2Fcyber-sleuths-track-hacker-to-chinas-military-1443042030&usg=AFQjCNGl6ZyioiIvQYcBbJMX5V7yj_Wnng&sig2=JvBSU8a9c6Gs9U6_-FwmFw)

~~~
jstanley
Still paywalled for me, even following that link.

~~~
dogma1138
Try opening it in a private tab; Google tracking cookies seem to break it for
some reason.

~~~
throwaway_97
Thanks, don't know why but opening it in incognito mode broke the signup-wall

~~~
stephengillie
Sorry to tangent the tangent, but will we ever see adblockers hunted down the
way torrenters were? The net effect is the same, but the scope (news articles)
is much smaller.

~~~
ionised
Possibly.

If we do, we will also see it to be just as futile as trying to stop
torrenters.

------
late2part
I wonder if China online newspapers have stories about tracking hackers to
USA's military?

~~~
halviti
[http://finance.qq.com/a/20130624/011309.htm](http://finance.qq.com/a/20130624/011309.htm)

------
webXL
"Grassroots" hacking isn't a good strategy for a state that wants to cover up
its tracks. So I'm suspicious of these claims.

Perhaps the government makes it worth the hackers' while to hack the USG
instead of it. Just sad that so many intelligent people would rather be
powerful/wealthy than free (not that the USG is a shining example of that
sentiment).

~~~
tellthetruth1
You are not free if you are poor and powerless!

~~~
webXL
I'm not sure I understand your point. What does material possession and power
(I assume over others) have to do with freedom?

These hackers have power (their ability to obtain government data and subvert
its power) and the Chinese government is perhaps wisely channeling it to its
foreign adversaries.

------
antsar
Without having read the full PDF report [0], the summarized version [1] makes
the allegations seem quite weak. It comes down, seemingly, to the fact that a
PLA domain name appears in the malware. Maybe I'm missing something.

[0]
[http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_Threa...](http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf)

[1] [http://www.threatconnect.com/camerashy-resources/](http://www.threatconnect.com/camerashy-resources/)

~~~
huac
Looks like PLA domain shares name with probable PLA employee social media
handle. And the social media accounts were deleted immediately after the WSJ
called the guy.

It seems pretty likely there is some PLA connection, though not necessarily to
this particular guy - no way of knowing that a buddy didn't steal his handle
for use elsewhere (seriously, not sharing the same hacking handle and the same
personal username should be Tradecraft 101)

------
at-fates-hands
If you get the paywall, I'd advise downloading the actual report from
ThreatConnect; it's far more detailed:

[http://www.threatconnect.com/camerashy/](http://www.threatconnect.com/camerashy/)

~~~
billyhoffman
Why do companies, security companies even, do something like this... "Below
are the document checksums for
Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf

MD5: b12f118840d0aa0d5ab2fb9aa052ede3
SHA1: dbd710751a6c32ba91401fb5e5623f46b4d2475f
SHA256: da6b105f1e58f860ce67b2ad2db7b15ff7b637cfb37f7d0680a20eb633bcc741"

... when you are then providing both the PDF, and the list of its supposed
hashes, over an unencrypted connection! It renders it meaningless. I can't
trust those hashes or that document. And creating megabyte long PDFs with
colliding MD5 hashes is not even a difficult challenge anymore.

The irony here is this page is saying _"hey, open this document, it's safe, trust
us"_ when the document is all about APT attack methods, which often involve
compromising people's computers by opening untrustworthy documents! I doubt
that's what's happening here, but still kind of silly when you think about it.

Please, all the companies out there. Stop adding a list of hashes to appear
more legitimate when you clearly don't know what you are doing.

~~~
ghshephard
Well, not meaningless. You can monitor the original values of the hashes, and
verify they haven't been changed. The PDFs will be copied around and around.

Also - There is no known method to (within the lifetime of this universe)
create a different document with the same MD5 and SHA1 and SHA256. Adding the
MD5 doesn't weaken things, and might improve them.

~~~
jgome
Are you saying that some random ISP(s), some third party or even their hosting
provider can't modify the PDFs and the sums on the fly to inject malware? Do
you really think most people check the sums?

~~~
ghshephard
Here is the way this works.

The person who posts PDFs on websites with MD5/SHA1/SHA256 hashes adds a
watchdog to verify that those hashes aren't changing. Once you get the
framework together, adding a new page with hashes to the watchdog takes just a
few seconds. That way, if random ISP(s) or third parties are modifying those
sums on the fly, it will trigger the watchdog.

As to whether most people check the sum - I have no idea, but at least anybody
who wants to take 90 seconds to authenticate the document can just go:

    x=Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf ; md5 $x; shasum -a 1 $x; shasum -a 256 $x;

Keep in mind - I totally agree with you that this isn't a great mechanism, but
I would argue it's better than nothing at all. (as long as someone has a
watchdog to confirm the hashes aren't being modified in flight - they could
probably help their case a little by at least serving those pages with HTTPS).

A _much_ better mechanism would be to use OpenBSD's signify
([http://www.openbsd.org/papers/bsdcan-signify.html](http://www.openbsd.org/papers/bsdcan-signify.html)), which solves
this whole problem of trying to sign documents with something simple that
doesn't involve byzantine chains of trust in a very elegant way.

They could just create a key pair:

    signify -G -p threatpub -s sec

And make their public key, which is short and easy to copy/distribute
everywhere, available. It looks like this:

    untrusted comment: signify public key
    RWQw2u3UPjm6spK9OYJxylK2jSKz2agskG2EKPsxwFN4IjHVw66dYPhT

And then, with each document they create, they just sign the PDF:

    signify -S -s sec -m Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf

Which provides a signature file, signed with their private key:

    untrusted comment: signature from signify secret key
    RWQw2u3UPjm6svkWhs4fgy1Qi0P72hp+uDuTxX8bDSvd/qr/7vc55v+PndgDdWOWj0JiLco/CCfOzw6Alau9RTi5gBiHSzuRHAs=

Now, those two documents, the PDF and the Signature file - can be distributed
_everywhere_, and are not subject to a malware attack because everyone has
ThreatConnect's public key, which they can use to verify _any_ threatconnect
file and signature, with the simple command:

    signify -V -p threatpub -m Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf

I'm presuming that's the better mechanism you have in mind for this sort of
thing? I think I'll forward our thread over to the threatconnect team, see if
they are willing to upgrade their procedures.
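
The checks discussed in the two comments above (billyhoffman's point that a hash listing served over plain HTTP can be rewritten together with the PDF and that MD5 alone no longer means much, and ghshephard's 90-second digest comparison, hash watchdog and signify signing), as an added Python example that is not part of the thread or of ThreatConnect's or OpenBSD's code. It parses a listing in the "MD5: ... SHA1: ... SHA256: ..." shape quoted above, verifies constructed sample bytes (a stand-in, not the real report), compares two polls of the listing the way a watchdog would, flags a non-HTTPS source, and decodes the signify public key and signature posted in the comment to confirm the signature's embedded key number matches the key, which is the check signify performs before Ed25519 verification. The sample document and the listing built from it are constructed; the Ed25519 math itself is left to signify.

```python
# Added example (not from the thread): verify a downloaded report against a
# published MD5/SHA1/SHA256 listing, poll that listing watchdog-style, flag a
# non-HTTPS source, and parse signify's public-key / signature encoding.
import base64
import hashlib
import re
from urllib.parse import urlparse

# The checksum listing quoted from the ThreatConnect page in the thread above.
PUBLISHED_LISTING = (
    "MD5: b12f118840d0aa0d5ab2fb9aa052ede3 "
    "SHA1: dbd710751a6c32ba91401fb5e5623f46b4d2475f "
    "SHA256: da6b105f1e58f860ce67b2ad2db7b15ff7b637cfb37f7d0680a20eb633bcc741"
)

# Constructed stand-in for the PDF bytes; not the real report.
SAMPLE_DOCUMENT = b"%PDF-1.4\n% constructed sample document for the checksum demo\n"

DIGEST_RE = re.compile(r"\b(MD5|SHA1|SHA256):\s*([0-9a-fA-F]+)")
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_checksum_listing(text):
    """Turn 'MD5: .. SHA1: .. SHA256: ..' text into {name: lowercase hex digest}."""
    return {name: digest.lower() for name, digest in DIGEST_RE.findall(text)}


def compute_digests(data):
    """Compute all three digests of the document, as the thread's one-liner does."""
    return {name: hashlib.new(alg, data).hexdigest() for name, alg in ALGORITHMS.items()}


def verify_document(data, listing_text):
    """Return (ok, mismatched_names). A listing without SHA256 is not accepted,
    since an MD5-only match proves little against a chosen-prefix collision."""
    expected = parse_checksum_listing(listing_text)
    actual = compute_digests(data)
    mismatched = sorted(n for n, d in expected.items() if actual.get(n) != d)
    return ("SHA256" in expected and not mismatched), mismatched


def transport_is_authenticated(url):
    """Hashes fetched over plain HTTP can be rewritten along with the PDF."""
    return urlparse(url).scheme == "https"


def listing_changed(previous_text, current_text):
    """Watchdog step: did the published digests change between two polls?"""
    return parse_checksum_listing(previous_text) != parse_checksum_listing(current_text)


# signify encodes key and signature as base64 of: 2-byte algorithm tag "Ed",
# 8-byte key number, then the 32-byte public key or the 64-byte signature.
# Both blobs below are the ones posted in the comment above.
SIGNIFY_PUBKEY = """untrusted comment: signify public key
RWQw2u3UPjm6spK9OYJxylK2jSKz2agskG2EKPsxwFN4IjHVw66dYPhT
"""
SIGNIFY_SIGNATURE = """untrusted comment: signature from signify secret key
RWQw2u3UPjm6svkWhs4fgy1Qi0P72hp+uDuTxX8bDSvd/qr/7vc55v+PndgDdWOWj0JiLco/CCfOzw6Alau9RTi5gBiHSzuRHAs=
"""


def parse_signify_blob(text, payload_len):
    """Return (key_number, payload) from a signify key or signature file body."""
    body = [l for l in text.strip().splitlines() if not l.startswith("untrusted comment:")]
    raw = base64.b64decode(body[0])
    if raw[:2] != b"Ed" or len(raw) != 2 + 8 + payload_len:
        raise ValueError("not a signify Ed25519 blob of the expected size")
    return raw[2:10], raw[10:]


def signature_matches_key(pubkey_text, signature_text):
    """signify's first check: the signature's key number must equal the key's.
    The Ed25519 verification of the payload itself is left to signify."""
    key_num, _ = parse_signify_blob(pubkey_text, 32)
    sig_key_num, _ = parse_signify_blob(signature_text, 64)
    return key_num == sig_key_num


if __name__ == "__main__":
    listing = "MD5: {MD5} SHA1: {SHA1} SHA256: {SHA256}".format(**compute_digests(SAMPLE_DOCUMENT))
    print(verify_document(SAMPLE_DOCUMENT, listing))
    print(verify_document(SAMPLE_DOCUMENT + b"\x00", listing))
    print(transport_is_authenticated("http://www.threatconnect.com/camerashy/"))
    print(signature_matches_key(SIGNIFY_PUBKEY, SIGNIFY_SIGNATURE))
```

Point it at a real download by replacing SAMPLE_DOCUMENT with the file's bytes and PUBLISHED_LISTING with the text fetched from the checksum page; the watchdog is then a periodic fetch of that page fed to listing_changed. Matching key numbers only tells you which key a signature claims to be from; run `signify -V` for the actual verification.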

------
sandworm101
Having read many of these reports over the years, this one seems more
manifesto than security report. It is full of carefully controlled language
meant to appease a very specific audience: politicians and members of various
agencies.

A huge amount of space is dedicated to tenuous ties between physical military
activities and espionage on the assumption that all Chinese agencies are
coordinating with each other, that the Chinese are just better at conspiracy
than any US operation. No actual intelligence officer would ever describe
China in that way. It's a patchwork of poorly-connected operations all trying
to put on a good show for the bosses, much the same as US intelligence
agencies.

Certain key phrases suggest political motive. As example, the phrase "China’s
... military grade signals intelligence Unit" caught my ear. "Military grade"
doesn't mean much in infosec. It does mean something to lifelong service
members who labour under the assumption that military structures just do
things better than civilian organizations. In some fields "military grade" is
actually a bad thing, a reference to products built to conform to rarely-
updated procurement standards. It's like still selling floppy disks because
the computers on the stealth bombers haven't been updated in 20 years. The
phrase appears right at the start of the takeaways section, right where most
senior officials will probably start reading.

The drilling down upon a few people, to the point of tracking a man's
movements and finding the bike he offered for sale, certainly plays into
current US national security desires. Targeted killings based on poor intel is
a big chip on the military shoulder these days. They aren't happy about it. So
peppering a document with a few grains of seemingly accurate and specific
intel about individuals is a good trick to win people over. The excessive
reliance on google maps is just eyecandy. This gives the false impression of
validity, a false suggestion that the rest of the report is based on equally
detailed and reliable intel. If this were such intel, it wouldn't be released
publicly.

The PDF:
[http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_Threa...](http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf)

~~~
jgome
It's as if China was the universal scapegoat for infosec people in the US...
Wait, this is a known fact in infosec circles.

~~~
sandworm101
A scapegoat would be innocent. I doubt even the Chinese would argue they
haven't done anything. That's much of the problem generally and with this
document specifically. If you latch onto things and investigate them to death
you will in time run across actual wrongdoing. The danger is then that you
cherry-pick these truths and spread them to each and every situation, giving
the appearance of overwhelming wrongdoing. I think the people behind this
document have done this knowingly.

------
astaroth360
I mean isn't it already widely accepted that China has one of the world's
largest and most active cyber warfare forces?

When is the US going to get its shit together and start worrying about
cyberdefenses?

~~~
jgome
>I mean isn't it already widely accepted that China has one of the world's
largest and most active cyber warfare forces?

Do they? I thought the largest "cyber warfare force" (gotta love these
buzzwords) was the NSA, and the US govt itself. The US practically controls
the internet...

~~~
astaroth360
Well yes, I imagine the US force dwarfs most others, however that doesn't
change my being worried about China's activities.

The whole world needs to start making protection of user data (private sphere)
and citizen data (public sphere) a priority. Until that happens, there will
continue to be massive hacks of sensitive data that end up hurting very large
numbers of people.

It's well past time that the world as a whole started taking the issue of
cyber security seriously.

------
ChrisArchitect
Cyber Sleuths cyberespionage cyberwarriors cyberspace cybersecurity
cyberintrusions cybertheft cyberspying cyber operations

~~~
pastycrinkles
You forgot about the cyber military!

------
w8rbt
One of the most difficult aspects of cyber security is attribution. There's
really no way to know for certain who did what. Also, it's easy and convenient
(right now) for other nations to blame China as cover for their own cyber
intrusions. Compromise a few systems in China, launch attacks from them then
sit back and watch while others place blame.

------
jkrejci
China is fucking shady.

~~~
ldpg
This sentiment is heard too often. It comes more from xenophobia and
propaganda than from reality. In reality China is about as duplicitous as we
are.

------
CDokolas
More like "Chinese military cyber-warrior doxed by the WSJ."

Bad guy or good guy, what I worry about is that man's fate... if he hasn't met
it already :(

------
mladenkovacevic
WSJ, CNN, Fortune all lining up this latest PR story line right on cue.

It's embarrassing to see the flailing of the US intelligence apparatus trying
to take attention away from their own abuses of power.

