The Hack That Made China a Superpower: Operation Shady Rat

00:00

December

00:01

2012 Kyle Wilhoit a seasoned cyber

00:04

security researcher creates an

00:06

experiment he builds a water plant a

00:10

network of advanced industrial control

00:11

systems with complicated equipment full

00:14

documentation and a website to boot

00:17

according to the legend the plant is

00:19

located in the town of Arnold Missouri

00:22

but in reality it's completely virtual

00:25

it runs from a couple of machines in

00:26

Kyle's basement sending fake

00:28

measurements back and forth to imitate

00:30

activity the researcher takes a deep

00:32

breath and connects the system to the

00:34

internet the experiment begins within

00:38

several days interesting things start

00:40

happening the plant gets attacked from

00:42

all sides North Korean military hackers

00:45

Russian ransomware gangs even trolls

00:47

from across the US and Europe they

00:49

attempt to do all kinds of Mischief for

00:51

Fun and Profit connecting to the servers

00:54

breaking login pages and injecting code

00:56

wherever

00:58

possible but among all of them them one

01:01

attack stands out several fishing emails

01:03

drop into the box of the supposed plant

01:06

they're well researched and written with

01:08

legitimate looking attachments one text

01:11

document hides malware when launched the

01:14

malware scrapes the virtual plant it

01:16

finds the equipment documentation and

01:18

beams that straight to a command and

01:20

control server Kyle follows surprised at

01:23

the lack of effort it takes to track the

01:25

attacker the servers in China it's big

01:29

and and it's full governmental records

01:33

documents and corporate Secrets Kyle

01:36

can't believe his eyes he got them he

01:39

found

01:40

AP1 the hacker group that conducted

01:43

operation Shady

01:52

rat at that point similar stories almost

01:55

beat by beat have been happening

01:57

worldwide for 6 years except that their

01:59

victim s weren't virtual it All Began in

02:03

2006 when an employee of a construction

02:05

company in South Korea received an email

02:07

with an

02:08

attachment it was sent from an address

02:11

bearing the name of his colleague but

02:12

there was something weird about it

02:15

confused the worker replied to double

02:17

check and within several minutes he got

02:19

a confirmation the file is

02:22

legit however the attachment didn't open

02:26

instead it started a malicious code a

02:29

remote access Trojan was launched on the

02:31

worker's computer a

02:34

rat in just several months at least

02:37

eight companies were attacked by the

02:38

same rat and dozens more by similar ones

02:42

all these intrusions had the same

02:44

pattern a spear fishing email posing as

02:47

one from a close acquaintance it

02:49

displayed some knowledge of the company

02:51

but was written in pretty poor English

02:53

as if they were in a hurry the

02:55

attachment would hide a rat masked as a

02:57

document or some other file the

02:59

attackers would would converse with the

03:00

victim and spare no effort to talk their

03:02

way through their defenses this is in

03:04

the era of you know we're not worried

03:06

about attribution and so it's it's

03:09

largely companies and organizations that

03:11

had by by today's standards laughable

03:14

cyber security I I remember seeing uh

03:16

you know some shady rat intrusions where

03:18

they were emailing screen Sabers as an

03:21

attachment right um and and you look

03:23

today and you're like I'm sorry you you

03:26

let a screen saver through the email

03:28

Gateway right um let alone that the user

03:31

is like oh a screen saver cool I'll just

03:33

download this and run it on my machine

03:36

the methods were crude yet effective but

03:38

the most important element wasn't the

03:40

breach itself it was what happened later

03:43

the attackers didn't run away they

03:45

loitered keeping tabs on the system

03:47

siphoning all the new data that appeared

03:49

there at the same time they would start

03:52

moving laterally using the gained

03:54

knowledge and access they would infect

03:56

adjacent systems other computers in the

03:58

network other branches of the company

04:01

they would repeat the same pattern again

04:04

and again building a rat cave under the

04:06

noses of their victims the shortest

04:08

documented intrusion of such kind lasted

04:11

for around 1 month the longest one for

04:14

almost 5 years their goal isn't to

04:17

disrupt as much as it's to sit and

04:20

collect and learn and send data back to

04:23

the central locations so they need to ad

04:25

it's it's a lot harder to stay inside of

04:27

a network without being detected and

04:29

still be able to observe and be active

04:31

than it is to um go in Smash grab and

04:35

and run off such aexs were slowly

04:38

becoming endemic scrambling for answers

04:41

the US government started attracting

04:43

private cyber security companies and

04:45

sharing information with them hoping to

04:47

shed some light on the situation a new

04:49

name was coined denoting a hacker group

04:52

capable of executing such a long-lasting

04:54

attack a or advanced persistent threat

04:59

however ever it wasn't until several

05:01

years later that it became clear who the

05:03

original AP

05:05

was the credit for the first counter

05:07

attack against the rat goes to a treat

05:10

research team at macafee in 2011 they

05:13

broke into the server where the stolen

05:14

documents were stored it housed the logs

05:17

documenting the rat's victims

05:19

governments institutions companies and

05:22

other organizations all the victims were

05:24

breached by the same method and all of

05:26

their documents were siphoned through

05:28

the same rat caves things clicked into

05:30

place all the AP activity which seemed

05:34

like a bunch of disjointed attacks were

05:36

planned and centrally coordinated it was

05:38

a part of one operation and McAfee gave

05:41

it a name operation Shady rat in 2013

05:46

mandiant a cyber security focused

05:48

subsidiary of Google managed to get even

05:51

further they named the group behind the

05:53

operation as AP1 highlighting its size

05:56

and importance then they traced the

05:58

breadcrumbs left by the hackers it

06:00

turned out the people behind this AP

06:03

worked for a segment of the Chinese

06:05

military called people's Liberation Army

06:07

general staff departments third

06:09

Department second Bureau otherwise known

06:12

as unit

06:14

61398 it was located in a military

06:16

building on the outskirts of Shanghai

06:19

several hundreds of people who worked

06:20

there were responsible for anything from

06:22

military reconnaissance and electronic

06:24

warfare to writing propaganda comments

06:26

on social media they were an integral

06:29

part of the the Chinese Army and acted

06:31

like that in every way from Ironclad

06:33

discipline to incredible

06:36

resourcefulness except for one thing

06:38

operational security between mandiant

06:42

mcfey Kyle Wilhoit and possibly others a

06:45

lot of people managed to trace the rat

06:47

back to its nest and it wasn't because

06:50

the Chinese hackers were incompetent or

06:52

negligent it was because they just

06:54

didn't

06:55

care in the first years of operation

06:58

Shady rat they didn't use any of the

07:00

tools to mask their usage of Chinese

07:02

internet providers and their

07:04

fingerprints were all over the malware

07:06

their attacks were Brazen and aggressive

07:09

relying more on the poor cyber security

07:11

of the victims than Advanced subterfuge

07:13

the on they were there too it was just

07:15

you know siphon the data and FTP it back

07:17

to China right and I say FTP like not

07:19

even using encryption they're just like

07:21

back to China directly right um you know

07:24

and so stuff that we we just would not

07:26

even consider today there were job

07:28

listings the former employees would

07:30

include the hacking achievements in

07:32

their CVS one hacker even published a

07:35

scientific paper on his techniques they

07:37

weren't subtle at all right if there's

07:39

anything you'd say about China it was

07:41

like they didn't care about being caued

07:43

right and despite this attitude the

07:45

attacks worked terabytes of data were

07:48

smuggled through the rat caves and ended

07:49

up in the hands of Chinese officers but

07:52

for

07:55

what it's intellectual property theft

07:58

right original

08:00

um you know their big goal certainly

08:01

through the mid-2010s um was technology

08:04

transfer and intellectual property theft

08:06

that would include you know access to a

08:08

lot of new technologies you know about

08:10

up and cominging things because if

08:11

there's one thing that's known it's it's

08:14

very difficult to create but it's very

08:16

easy to replicate and enhance which

08:19

China has done time after time so if you

08:22

go back and read China's fiveyear plans

08:25

and they're very public about these

08:27

right and the you know the what are we

08:29

you know moving um domestically to

08:32

produce over the next five years and

08:34

what what technologies are we looking to

08:36

advance you can overlay that directly

08:39

with their targets locked Martin an

08:42

American defense manufacturing giant was

08:44

one of the first victims of the Shady

08:46

rat in 2007 a rat's cave was dug into

08:49

its servers in there laid the plans for

08:52

the F-35 the latest and most advanced

08:55

stealth fighter jet the world has ever

08:57

seen just several years later a

09:00

remarkably similar aircraft took off for

09:02

a test flight in China it was called

09:04

Shenyang

09:06

fc31 and people started to get

09:08

suspicious several leaked reports

09:10

already stated that the US military was

09:12

worried about its systems being

09:14

compromised but the military denied

09:16

everything it wasn't until 2015 when

09:18

documents leaked by Edward Snowden

09:20

confirmed the F-35 was stolen and not by

09:24

a daring Maverick or an undercover

09:28

agent

09:29

it was stolen by a person who just sent

09:32

a bunch of emails to a Lockheed Martin

09:34

Employee pretending to be his coworker

09:36

and this is just one high-profile case

09:38

that we're reasonably certain about

09:40

construction companies like the South

09:42

Korean one where the attacks began

09:45

industrial plants like the one imitated

09:47

by Kyle wilhoit's experiment other

09:49

factories offices and institutions

09:52

countless intrusions that allowed China

09:54

to copy devices systems best practices

09:58

the rat was bringing home the lumber

09:59

that fueled the fire the blaze of

10:02

unprecedented economic growth the

10:04

mainland economy grew by some 400% from

10:07

200000 uh grown so fast almost on

10:10

steroid the country has not missed a

10:12

single GDP Target this entire

10:18

decade there were attempts to confront

10:20

China we've agreed that neither the us

10:23

or the Chinese government will conduct

10:25

or knowingly support cyber enabled theft

10:28

of intellectual property argue with it

10:30

China's foreign Ministry on Monday

10:32

called on the US to immediately withdraw

10:34

its charges even dragged the military

10:36

hackers into court wanted by the FBI

10:39

none of them worked the standard

10:41

response of Chinese officials has been

10:43

to vehemently deny that their country

10:45

conducts any offensive cyber operations

10:47

and then strike back with the old

10:49

logical fallacy as old as time if the US

10:52

conducts them why shouldn't we however

10:55

despite those claims the Chinese APS

10:58

started being being more careful they

11:00

began employing the help of non-state

11:02

actors and masking their traffic giving

11:04

their operations at least a semblance of

11:07

plausible deniability the brazenness of

11:10

the attacks right um you know really

11:12

really drops and so one of the things

11:15

that we saw you know happen uh quite a

11:17

bit after that uh admonishment that very

11:21

public state level admonishment um is

11:23

that you know they they began routinely

11:26

using what we call redirectors right so

11:29

basically hopping through some other

11:31

country's infrastructure instead of the

11:33

attacks coming in many cases just

11:35

straight from China the Shady rat ended

11:38

the old tools were no longer adequate

11:39

for the job the hackers had to be more

11:42

careful they couldn't go after so many

11:44

targets and the attacks had to

11:46

change the reasons for the attacks also

11:49

changed the purpose of maintaining

11:51

presence of building a reliable rat cave

11:54

was no longer to steal information it

11:56

was to maintain access in case there was

11:59

a need for it in the US critical

12:02

infrastructure is defined as the asset

12:04

systems and networks that are most

12:06

critical to our economy and our national

12:07

security and Community well-being and

12:09

the like and presumably the end goal

12:11

there of course is to stop the

12:14

functioning of things that that are that

12:15

are important get in the way of

12:16

transportation Logistics systems the

12:18

ability to communicate or the ability of

12:21

organizations you know loss of power and

12:24

things like that shady rat was an

12:25

immensely important operation for China

12:27

for many reasons

12:29

it supplied the Chinese industry with

12:31

all the Trade Secrets it needed and it

12:33

established China as a major cybernetic

12:36

superpower but it also had a much more

12:38

Insidious and much more profound

12:41

effect say you have a rat that has

12:43

access to a water plant not a virtual

12:46

one but a real plant somewhere in the

12:48

rural United States you had a cave

12:50

leading there for years and nobody

12:53

noticed you stole all the documentation

12:55

you needed copied the plant's blueprints

12:58

but the cave is is still there in fact

13:01

there are lots of those caves leading to

13:03

many plants across the country water

13:06

sewage gas electricity all kinds of

13:09

infrastructure that are critically

13:11

needed for the functioning of an economy

13:13

what could be done with it what could be

13:16

carried through all those caves you know

13:19

when I was in government at in the cyber

13:21

security infrastru security agency uh we

13:23

we used a nice analogy that I think is

13:25

still pertinent which was at the time

13:28

you know

13:29

I'm talking about the end of the last

13:30

decade Russia was sort of hurricanes and

13:33

tornadoes and natural disaster and China

13:35

was climate change thanks for watching

13:39

if you'd like more videos like this

13:41

subscribe to let us know and then check

13:43

out our Channel have a nice

13:47

day