China And The Spear Of Destiny

August 23, 2013: Strategy Page

Despite increasingly effective Internet defenses the biggest vulnerability remains human error. Case in point is the continued success of attacks via Internet against specific civilian, military, and government individuals using psychology rather than just technology. This sort of thing is often carried out in the form of official looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting but from someone they recognize. This is known in the trade as "spear fishing" (or "phishing"), which is a Cyber War technique that sends official looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends files and information from the email recipient's PC to the spear fisher's computer. In the last year, an increasing number of military, government, and contractor personnel have received these official-looking emails with a PDF document attached, and asking for prompt attention.

The most recent example of the continued effectiveness of spear fishing can be seen in the repeated use of spear fishing by a group of Syrian hackers, calling themselves the Syrian Electronic Army (SEA) and are loyal to the beleaguered Assad dictatorship in Syria. The SEA has been using spear fishing to hack into media sites. Despite most media companies having in place software and personnel rules to block spear fishing attacks there are so many email accounts to attack and you only have to get one victim to respond for the SEA to get in (using the login data from the compromised account). The automated defenses are supposed to block the actions of the hacker software that is triggered when the victim clicks on the email attachment, but hackers keep finding exploitable vulnerabilities to the defenses and these make the defenses vulnerable, at least until the vulnerability is detected and patched. The SEA has enough cash and expertise to know where on the hacker underground the latest (and most effective) malware attachments can be found and purchased. With that, it’s just a matter of modifying the malware package, buying the email lists (of media company employees) and the services of an illegal network of hacked PCs (a botnet) to transmit your spear fishing emails.

China has been a major user of spear fishing and apparently the Chinese government and independent Chinese hackers have been a major force in coming up with new spear fishing payloads. The methods, and source of many spear fishing attacks have been traced back to China. Two years ago Internet security researchers discovered a China-based espionage group, called the Shadow Network, which had hacked into PCs used by military and civilian personnel working for the Indian armed forces and made off with huge quantities of data. Examination of the viruses and related bits of computer code indicated that most of this stuff was created by Chinese speaking programmers, and all movement of command and stolen data led back to servers in China. Since China is an ally of the Assad government, the SEA has access to the best spear fishing tools.

The SEA have been grabbing a lot of headlines in the last year for their increasing number of Internet based attacks. However, this tends to be low level stuff, like breaking into Twitter accounts. The Assads remained power for decades by favoring the most talented, best educated and wealthy families at the expense of everyone else and now many of those Syrians are supporting the Assads anyway they can. For the last two years the 80 percent who were left out have been in open rebellion and early on the SEA showed up to help their families hang on to their wealth and position in Syria.

The SEA has not made any really sophisticated hacks until the recent use of multiple spear fishing campaigns (against a large number of media companies and some of their Internet based suppliers). SEA has used these attacks to publicize their cause (via defacing of anti-Assad websites) and seeking to identify rebel leaders, especially those operating inside Syria. This intel collection effort does not get much publicity but it is probably more helpful than the low-level hacks. That’s because the Assad secret police are still very active inside Syria and have been effective in finding and capturing (or just killing) lots of rebels.