Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/31/2013
11:45 PM
Tom Parker
Tom Parker
Commentary
50%
50%

Got Attitude?

Attack attitude: Does China really not care about attribution?

Following up on my previous blog post on the Comment Crew (or APT1, to quote a Mandiantism) attack and related coverage, I wanted to dig a little deeper into the observed attitude about the documented attack activity and what we might learn about the operating environment and overall sentiment toward OPSEC and attribution.

In the United States, the general perception both in and outside of the security industry is that China-based threat actors simply don’t care about attribution. Given the outwardly brazen appearance of the many attacks thought to have originated from China, one could certainly be forgiven for making this assumption. While not entirely incorrect, I firmly believe that what is actually going on is far more deeply nuanced than we are currently giving the Chinese credit for.

Let me begin by saying clearly: China cares far less in the subtlety department than, say, the United States. If this weren’t the case, then you would surely expect to have seen more evidence of the U.S. (and other nations) using offensive cybercapabilities with the same frequency and scale that we’re seeing coming from over the Pacific. China, in the same breath as denying its own involvement in cyberattacks, has stated that it believes the U.S. is up to the very same things that the U.S. has accused it of -- and yet the evidence all points in the direction of the former accusation.

Sure, this could, in part, also be attributed to the U.S., et al., viewing cybercapabilities as more of a tactical capability and therefore far more narrowly focused. However, the point is that there is an overt sense of justification in the use of offensive cybercapabilities on the part of China, which plays a key role when forming attitudes toward attacks for adversaries both within and outside of its government. This and other driving factors are infrequently discussed as a part of the investigative dialogue when dissecting attacks.

When we consider this attitude toward the use of cybercapabilities against the U.S. and the Comment Crew attacks, a slightly different story emerges than one of complete arrogance on the part of the individuals documented to be associated with the Comment Crew. This matters because it demonstrates a presence of mind, rather than belligerence in the planning and execution of these attacks. In short, being attributed was a decision, not a foregone conclusion, owing to a lack of capability on the part of the adversary.

Since the press frenzy over the Comment Crew attacks, I’ve had numerous conversations with peers in the industry over possible repercussions for the individuals who were publicly named and shamed. The general response I seem to get goes somewhere along the lines of, “Of course nothing will happen to them; China simply doesn’t care about attribution.” While this would likely be true if we were dealing with a belligerent adversary who feels it can act without consequence, I think this is far from the truth. Further, the military unit implicated in the Comment Crew case (Unit “61398”) is a branch of a military (read: non-civilian) organization, where discipline and consequence are certainly not unfamiliar concepts. If I were to place bets on the topic, then my money would be on the population of a Chinese labor camp having increased by at least one in the past month.

In closing, while the bravado, denial, and other more overt attributes of attacks associated with the PRC may draw us to believe that China just doesn’t care, this is simply not the case. The reasons stated make it a far more formidable adversary than the cyberdrunkard that China is often mischaracterized as.

Tom Parker is CTO of FusionX LLC

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1249412400790
50%
50%
ANON1249412400790,
User Rank: Apprentice
4/10/2013 | 3:11:18 AM
re: Got Attitude?
Even though the claim made by-Tom Parker that,

"...what is actually going on is far more deeply nuanced than we are currently giving the Chinese credit for."

may very well be true, since the Chinese typically have a strategic bent, he did not prove it conclusively in his article. -The article merely skirts around this issue with-rhetoric-and does not provide specific evidence and analysis to prove his point.

To this reader the article therefore was a disappointment.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
4/4/2013 | 10:12:56 PM
re: Got Attitude?
This is an interesting question -- why doesn't China employ more obfuscation or false flags to put the blame on other nation-states?

Kelly Jackson Higgins, Senior Editor, Dark Reading
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26244
PUBLISHED: 2020-12-02
Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expecte...
CVE-2020-28206
PUBLISHED: 2020-12-02
An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also ...
CVE-2017-14451
PUBLISHED: 2020-12-02
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send m...
CVE-2017-2910
PUBLISHED: 2020-12-02
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
CVE-2020-13493
PUBLISHED: 2020-12-02
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. A specially crafted USDC file format path jumps decompression heap overflow in a way path jumps are processed. To trigger this vulnerability, the victim needs to open an atta...