Breaking Badness

21. Introducing The New Security Moat


Here are a few highlights from each article we discussed:

Deputy Dog, Not Reporting for Duty

  • Intrusion Truth has doxxed two Chinese APT groups before – APT3 and APT10 – both of which led to indictments against Chinese individuals from the US DOJ. Intrusion Truth has also tied both of those groups back to the Chinese Ministry of State Security (aka the MSS).
  • These campaigns haven’t seemed to impact cyberespionage groups. The Chinese seem to be unfazed by the doxxing and by the DOJ indictments, and the espionage continues. This report from Intrusion Truth this month is a good example – Intrusion Truth says APT17 is associated with the MSS. So it doesn’t sound like the MSS was all that scared by the accusations and indictments made against them in the past.
  • They released several short blog posts with varying levels of information about the individuals they think are involved in APT17. First, they name 3 individuals – Guo Lin, Wang Qingwei, and Zeng Xiaoyong – and tie them all to 3 businesses – Jinan Anchuang Information Technology Co. Ltd, Jinan Quanxin Technology Co. Ltd, and Jinan Fanglang Information Technology Co. Ltd.
  • Next, they tied these businesses and individuals back to the MSS by linking code written by Zeng to ZoxRPC – malware used by Chinese APTs. ZoxRPC is also known as BLACKCOFFEE, and APT17 is known to have used BLACKCOFFEE.
  • Interestingly, in addition to all that, Intrusion Truth found a sale brochure with data for sale – and the data didn’t just come from Western companies. While they don’t give a solid answer for why this is, they speculate that either APT17 had a remit to spy on Chinese citizens, or they’d gone rogue and were selling Chinese data on the side.
  • APT17 is related to the MSS, meaning of course that, like APT3 and APT10, APT17 has been acting on orders from the Chinese government.
  • Attribution can be considered a bad word in the security space, so it was a big statement to bring individual names into the report. Attribution is a bad word because it can be used so sloppily, and because it is sometimes asked for or required when it isn’t actually important. For regular daily SOC work, spending the time to get to individual-level attribution of the guy who sent you a phishing email probably isn’t important and isn’t worth your time. In those cases, motivational attribution (cyber crime, espionage, etc.) is probably enough, or for more important matters country-level attribution might be worth pursuing.
  • In this case, IT went all the way down to the individual level, which is kind of a scary thing to do from a research perspective. I certainly wouldn’t want to release an article like they did unless I was 100% certain in my results, and I’m sure they were. Because of that, and because of how clear they were in their reasoning as to why they felt those three individuals were involved in APT17, I do think there is medium to high confidence in their attribution. Additionally, their good track record helps as well.
  • The US hasn’t been shy about indicting foreign nationals in the past, including Chinese nationals that were doxxed by IT in the past. The problem is that China has no legal obligation to do anything, and so the indictment is useless unless those individuals step foot in a country where the US can arrest them.

Unleash the Cybers! NSA Forms Cybersecurity Directorate

  • This is an outcome of FBI Special Counselor Mueller’s investigation into, and warning about, the Russian election interference that occurred in the last election.
  • The NSA developed a team called the “Russia Small Group,” a specialized unit dedicated to thwarting Russian election interference, formed back in 2018.
  • In April of this year that unit was made permanent and now rolls under the leadership of the newly created NSA Directorate. The leader of the NSA Directorate is Anne Neuberger, who previously served as the deputy director of the “Russia Small Group” unit. This directorate is supposed to become operational October 1, 2019.
  • In terms of a debate around this Directorate, it really boils down to your personal bias. For me, I’m an American and the Russian election interference was horrible, so any move towards mitigating those types of attacks is totally welcomed. The rest of my circle of security friends are all generally in agreement. But I think everyone still rightly views the NSA in a suspicious light after the Snowden leaks.
  • This Directorate will likely impact cyber warfare by upping sophistication. When one side builds their defenses stronger, the attackers are forced to evolve. It’s a never ending arms race and this is a part of that evolution.

The Real Dark Web

  • City Power – a utility company in Johannesburg, South Africa – was infected with ransomware. That would be bad enough, except it managed to affect the part of their network that allows prepaid customers to refill their accounts, so some customers are getting their power shut off. This of course is happening during a particularly cold stretch of winter there. They did, however, clarify that customer information was not obtained by the attackers.
  • City Power issued a generic boilerplate response apologizing for the inconvenience, but it also included something really concerning: “Customers should not panic as none of their details were compromised.”
  • I think this part of the statement has good intentions but is completely tone deaf to the impact this caused. Losing power to medical infrastructure can literally kill people. But there are non-obvious ramifications too, like what if the traffic light system was impacted which caused cars to collide and people to die? Customers should panic and Joburg should reassure people what steps they’ll enact so this doesn’t happen again.
  • We have included a few things organizations should be doing right now to mitigate ransomware attacks:
    • Backups are important – many times, ransomware incidents take so long to recover from because the affected company doesn’t have proper backups in place.
    • End-user training – I’ve beaten this horse to death before, but training your employees to not enable macros on external emails and to be suspicious of attachments in external emails is key. A lot of people have jobs that require them to frequently receive and click on external emails, but training them about the common threats associated with ransomware (attachments with macros, unexpected links, etc.) can help them be suspicious before clicking. In addition, having a procedure in place to report suspicious emails AND GET THEM BACK IF THEY’RE NOT MALICIOUS is important as well. Train your employees to be suspicious first and to take the time to confirm an email is safe before clicking.
    • Additionally, it’s important to hire effective security folks and to invest in vulnerability management, patching, and AV.

This Week’s Hoodie/Goodie Scale

Deputy Dog, Not Reporting for Duty

[Emily]: 4/10 Goodies for Intrusion Truth
[Tarik]: 2/10 Hoodies

Unleash the Cybers! NSA Forms Cybersecurity Directorate

[Emily]: 3/10 Hoodies
[Tarik]: 10/10 Goodies and 3/10 Hoodies

The Real Dark Web

[Emily]: 6/10 Hoodies
[Tarik]: 10/10 Hoodies


That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!