Friday, March 18, 2016

"I am a Chinese operator"

This piece was originally posted to the DailyDave mailing list (which you should subscribe to!) but I am including it below since it illustrates the concept better than my post here:

So here I am as a Chinese tool developer and operator on one of the
lesser known, but higher skills teams, sitting at my desk drinking
Starbucks, uber-ironically, as I like to do.  We work for the PLA out
of an office in Shanghai, but we don't have a catchy name. Just the
world's most boring cover company that in theory does IT Support for the
local businesses, but in reality does anything but.

I'm finishing up a heap overflow in Flash, technically an integer
overflow, that leads to heap corruption, if you must know. The PLA group
I work for has given me about a few million 32-bit key numbers, which
are stored on a laptop that has never been connected to any network, and
is itself stored in a safe in the back room. I open it up, and run a
quick script to find a 32-bit number from the set that has no bad bytes
in it, and also is a NOP for the purposes of this exploit.

I use that as the fill-string for my exploit, and then for my Javascript
obfuscator pick another one of the numbers and use that as my XOR key.
The third one I use inside the shellcode itself. I mark these three
numbers as used in a file so I don't reuse them later. All my other
variables names are unrelated 32-bit numbers, because why not? But this
is a heap overflow, and not an MFC application, so I don't have room to
sign giant cryptographically secure blobs of random numbers with a
private key of any sort.

What I'm hacking today is a concrete company. They compete with the
Chinese concrete companies in many places of the world, but that's not
the point. They also supply the US Military's Asian bases. So while I
will be pulling down their entire Exchange server, once I get into their
network, which is basically a forgone conclusion, I'm not here for
industrial espionage purposes. Likewise, knowing how much they are
selling goes into our larger economic reports, which are used to make
decisions by the State in terms of interest rates and that sort of
thing. Stuff above my level.

I fire my exploit off at my target three times, to three different
people. One of them succeeds, and I've made my coffee money for the day
(and a bunch more, let's be honest, this is a good gig). I have been
told that if I give any email from this target to my friend who works in
construction, I will of course be fired.

But one of them gets silently caught, and Mandiant includes it in a
report, along with a long detailed description about my trojan, which I
stole from a Russian criminal group. Later, because that concrete
company has been losing a lot of business in Asia a DHS official is
asked if this intrusion is a potential violation of our agreement. He
looks at the very detailed internal Mandiant report on the initial
intrusion, and runs each interesting constant in the report through his
oracle, forwards and backwards, and he says, "I cannot say whether or
not it is the Chinese or the Russians, but they are CLAIMING to follow
our norms process, at least."

No comments:

Post a Comment