The Hack That Made China a Superpower: Operation Shady Rat
Summary
TLDR: In 2012 an experiment by Kyle Wilhoit demonstrated the vulnerability of industrial systems. He built a virtual water plant with simulated activity, connected it to the internet, and it was quickly attacked by hackers from North Korea, Russia and Europe. The Chinese attackers stood out: they stole the plant's documentation and sent it to a command-and-control server. This confirms a global cyber-espionage problem that began in 2006 with an attack on a South Korean company. Using spear phishing and remote access to victims' computers, the hackers collected data and expanded their footprint. In 2011 McAfee named this activity 'Operation Shady RAT', and in 2013 Mandiant identified the hacker group APT1, linked to the Chinese military. The goal of the attacks was theft of technology and intellectual property to develop the Chinese economy. Despite accusations and US countermeasures, the attacks continue but have become more covert.
Takeaways
- 🧑💻 In 2012 Kyle Wilhoit, an experienced cyber-security researcher, built an experimental network of industrial control systems imitating a water treatment plant.
- 🌐 Once connected to the internet, the experimental system was attacked by hackers from various countries, including North Korean military hackers and Russian ransomware gangs.
- 🎣 One attack stood out: a phishing email whose attachment stole a document containing the plant's equipment information and documentation and sent it to a server in China.
- 🔎 Kyle Wilhoit traced the attackers to servers in China that held government records, documents and corporate secrets.
- 🔒 In 2006 began the global emergence of attacks called APTs (Advanced Persistent Threats), used for long-term, covert presence in networks and theft of data.
- 📧 These attacks usually began with a phishing email that displayed familiarity with the victim company and carried an attachment with malicious code.
- 🔑 Through such attacks the intruders gained access to companies' systems and networks, studied them and exfiltrated data to central servers.
- 🇺🇸 Through collaboration between private cyber-security firms and the US government, it became known that the original APT attacks were linked to Chinese hackers.
- 🏢 The APT group responsible for Operation Shady RAT was identified as a unit of the Chinese military, Unit 61398, working from a building on the outskirts of Shanghai.
- 🚀 One of the first victims of Operation Shady RAT was the American defense contractor Lockheed Martin, from which the design of the F-35, the world's most advanced fighter jet, was stolen.
- 🌏 After the scandals, Chinese hackers became more careful, using proxy servers and non-state actors to ensure plausible deniability.
Q & A
What was the experiment Kyle Wilhoit created in December 2012?
-Kyle Wilhoit's experiment was a virtual model of a water plant with complex equipment and documentation, running on several machines in his basement and simulating activity. He connected the system to the internet to study how it would be attacked.
Which attacks targeted the virtual plant after it was connected to the internet?
-The plant was attacked from all sides, including North Korean military hackers, Russian ransomware gangs and trolls from the US and Europe. They tried to connect to the servers, break the login pages and inject code.
Which attacker stood out among all those attacking the virtual plant?
-One attack, delivered through phishing emails, stood out. The emails were well researched and carried legitimate-looking attachments; one text document hid malware that sent information about the plant's equipment to a command-and-control server.
Which hacker group is the attack on the virtual plant attributed to?
-The attacker was identified as the Chinese hacker collective APT1, which conducted Operation Shady RAT.
Which companies were attacked in the Shady RAT attacks of 2006?
-In 2006 at least eight companies were attacked by the same RAT, including construction companies such as the South Korean one where the attacks began, and dozens more by similar RATs.
What is an 'APT' and how does it relate to the Shady RAT attacks?
-APT stands for 'Advanced Persistent Threat', a term for a hacker group capable of conducting long-term attacks on computer networks. The term was coined to describe attacks such as Shady RAT.
What was the goal of the Shady RAT attacks and how did they work?
-The goal was theft of data and intellectual property. The hackers established remote access to company computers, then copied information about new technologies and documentation and sent it to China.
Which companies helped expose Operation Shady RAT?
-McAfee and Mandiant helped expose Operation Shady RAT: McAfee named the operation, and Mandiant identified the APT1 group and linked it to the Chinese military.
What role did Operation Shady RAT play in China's economic growth?
-Operation Shady RAT played a major role in China's economic growth by giving the country access to new technologies and intellectual property, which allowed China to accelerate its progress and become a major cyber superpower.
How did China react to the cyber-espionage accusations after Operation Shady RAT was exposed?
-China denied the accusations and claimed that the US conducts similar operations. Nevertheless, the hackers became more careful, redirecting their traffic through other countries' infrastructure and involving non-state actors in their attacks.
What is a 'rat cave' and how was it used in the context of the Shady RAT attacks?
-A 'rat cave' is the video's metaphor for the hidden access points (remote access Trojans and the infrastructure around them) that the attackers establish inside a victim's network. In the context of Shady RAT, rat caves were used for long-term access to systems and theft of data.
Outlines
😲 The virtual plant experiment and the hacker attacks
In December 2012, cyber-security expert Kyle Wilhoit built an experimental virtual water-plant control system, supposedly located in the town of Arnold, Missouri. The system was filled with complex equipment, documentation and simulated activity. Within days of being connected to the internet, it was attacked by hackers from North Korea, Russia and Europe. One attack, a phishing email, stood out for its thoroughness and its malicious attachment, which sent the equipment documentation to a server in China. The researcher was surprised to find that the attacker belonged to the Chinese hacker group responsible for Operation Shady RAT, and that attacks of this kind had been going on for six years, since 2006, when an employee of a South Korean company received a suspicious file that launched a remote access Trojan on his computer.
🔎 Exposing Operation Shady RAT and the Chinese hackers
In 2011 a McAfee research team first drew attention to the Shady RAT series of attacks when it gained access to the server where the stolen documents were stored. This showed that all the victims had been attacked by the same method and that all their documents had passed through the same 'rat caves'. In 2013 Mandiant (today a Google subsidiary) identified the group responsible as APT1 and established that the hackers worked for a unit of the Chinese military, the 2nd Bureau of the 3rd Department of the General Staff of the People's Liberation Army, known as Unit 61398. The hackers made no attempt to hide or mask their attacks, which allowed researchers and other organizations to trace them to their base in Shanghai. The goal of the attacks was theft of intellectual property and technology to fuel China's economic growth.
🌐 The shift in Chinese hackers' tactics and their impact on US infrastructure
After the US accusations, China denied any cyber espionage and moved to using proxy servers and other countries' infrastructure for its attacks. This gave the attacks a semblance of plausible deniability and allowed them to continue. The importance of Operation Shady RAT for China lies not only in the theft of technology and trade secrets but also in establishing Chinese hackers as major players in cyberspace. Moreover, the presence of 'rats' in US infrastructure such as water, sewage, gas and electricity gives China a means of interfering with, and potentially controlling, aspects of life critical to the economy and national security.
Keywords
💡cyber security
💡industrial control systems
💡APT (Advanced Persistent Threat)
💡phishing
💡command and control server
💡Operation Shady Rat
💡data breach
💡unique attack identifier
💡Chinese military
💡intellectual property
💡critical infrastructure
Highlights
In December 2012, Kyle Wilhoit created a virtual water plant experiment to study cyber attacks.
The virtual plant was attacked by various hackers, including North Korean military and Russian ransomware gangs.
A standout attack involved a phishing email that delivered malware, which extracted documentation to a command server.
Kyle tracked the attacker back to servers in China, revealing a lack of effort needed to infiltrate systems.
The discovery of APT1, the hacker group behind Operation Shady Rat, was made through this experiment.
The story began in 2006 with a South Korean construction company employee receiving a spear phishing email.
The email contained a remote access Trojan, marking the beginning of numerous similar attacks.
Attackers used poor English and crude methods but were effective in breaching companies' cyber security.
Intruders would maintain presence in systems, collecting and sending data back to central locations.
US government started collaborating with private cybersecurity firms to understand these persistent threats.
The term 'Advanced Persistent Threat' (APT) was coined to describe such hacker groups.
McAfee's research team was the first to counter-attack the rat, discovering the extent of Operation Shady Rat.
Mandiant identified APT1 as a significant group linked to the Chinese military's Unit 61398.
The Chinese hackers were brazen and aggressive, not caring about being traced back to their origin.
The primary goal was intellectual property theft, aiding China's rapid economic growth and technological advancement.
Lockheed Martin was a victim, with plans for the F-35 stealth fighter jet stolen through spear phishing.
China's denial of cyber operations was countered by evidence of their involvement, including job listings and scientific papers.
After public exposure, Chinese APTs began using non-state actors and masking their operations for plausible deniability.
The Shady Rat operation not only stole trade secrets but also established China as a major cybernetic superpower.
The operation's long-term effects included the potential to disrupt US critical infrastructure.
Transcripts
December 2012. Kyle Wilhoit, a seasoned cyber security researcher, creates an experiment. He builds a water plant: a network of advanced industrial control systems with complicated equipment, full documentation and a website to boot. According to the legend, the plant is located in the town of Arnold, Missouri, but in reality it's completely virtual. It runs from a couple of machines in Kyle's basement, sending fake measurements back and forth to imitate activity. The researcher takes a deep breath and connects the system to the internet. The experiment begins.

Within several days, interesting things start happening. The plant gets attacked from all sides: North Korean military hackers, Russian ransomware gangs, even trolls from across the US and Europe. They attempt to do all kinds of mischief for fun and profit, connecting to the servers, breaking login pages and injecting code wherever possible. But among all of them, one attack stands out. Several phishing emails drop into the inbox of the supposed plant. They're well researched and written, with legitimate-looking attachments. One text document hides malware. When launched, the malware scrapes the virtual plant, finds the equipment documentation and beams it straight to a command and control server. Kyle follows, surprised at the lack of effort it takes to track the attacker. The server is in China. It's big, and it's full of governmental records, documents and corporate secrets. Kyle can't believe his eyes. He got them. He found APT1, the hacker group that conducted Operation Shady RAT.

At that point, similar stories, almost beat by beat, had been happening worldwide for 6 years, except that their victims weren't virtual. It all began in 2006, when an employee of a construction company in South Korea received an email with an attachment. It was sent from an address bearing the name of his colleague, but there was something weird about it. Confused, the worker replied to double-check, and within several minutes he got a confirmation: the file is legit. However, the attachment didn't open. Instead, it started a malicious code. A remote access Trojan was launched on the worker's computer: a RAT.

In just several months, at least eight companies were attacked by the same RAT, and dozens more by similar ones. All these intrusions had the same pattern: a spear phishing email posing as one from a close acquaintance. It displayed some knowledge of the company but was written in pretty poor English, as if they were in a hurry. The attachment would hide a RAT masked as a document or some other file. The attackers would converse with the victim and spare no effort to talk their way through their defenses.

This is in the era of, you know, we're not worried about attribution, and so it's largely companies and organizations that had, by today's standards, laughable cyber security. I remember seeing some Shady RAT intrusions where they were emailing screen savers as an attachment, right? And you look today and you're like, I'm sorry, you let a screen saver through the email gateway? Let alone that the user is like, oh, a screen saver, cool, I'll just download this and run it on my machine.

The methods were crude yet effective, but the most important element wasn't the breach itself; it was what happened later. The attackers didn't run away. They loitered, keeping tabs on the system, siphoning all the new data that appeared there. At the same time, they would start moving laterally. Using the gained knowledge and access, they would infect adjacent systems: other computers in the network, other branches of the company. They would repeat the same pattern again and again, building a rat cave under the noses of their victims. The shortest documented intrusion of such kind lasted for around 1 month, the longest one for almost 5 years.

Their goal isn't to disrupt as much as it's to sit and collect and learn and send data back to the central locations, so they need to... It's a lot harder to stay inside of a network without being detected and still be able to observe and be active than it is to go in, smash, grab and run off.

Such attacks were slowly becoming endemic. Scrambling for answers, the US government started attracting private cyber security companies and sharing information with them, hoping to shed some light on the situation. A new name was coined denoting a hacker group capable of executing such a long-lasting attack: an APT, or advanced persistent threat. However, it wasn't until several years later that it became clear who the original APT was.

The credit for the first counterattack against the RAT goes to a threat research team at McAfee. In 2011 they broke into the server where the stolen documents were stored. It housed the logs documenting the RAT's victims: governments, institutions, companies and other organizations. All the victims were breached by the same method, and all of their documents were siphoned through the same rat caves. Things clicked into place. All the APT activity, which seemed like a bunch of disjointed attacks, was planned and centrally coordinated. It was a part of one operation, and McAfee gave it a name: Operation Shady RAT.

In 2013 Mandiant, a cyber security focused subsidiary of Google, managed to get even further. They named the group behind the operation as APT1, highlighting its size and importance. Then they traced the breadcrumbs left by the hackers. It turned out the people behind this APT worked for a segment of the Chinese military called People's Liberation Army General Staff Department, Third Department, Second Bureau, otherwise known as Unit 61398. It was located in a military building on the outskirts of Shanghai. Several hundred people who worked there were responsible for anything from military reconnaissance and electronic warfare to writing propaganda comments on social media. They were an integral part of the Chinese Army and acted like that in every way, from ironclad discipline to incredible resourcefulness, except for one thing: operational security.

Between Mandiant, McAfee, Kyle Wilhoit and possibly others, a lot of people managed to trace the RAT back to its nest, and it wasn't because the Chinese hackers were incompetent or negligent. It was because they just didn't care. In the first years of Operation Shady RAT, they didn't use any of the tools to mask their usage of Chinese internet providers, and their fingerprints were all over the malware. Their attacks were brazen and aggressive, relying more on the poor cyber security of the victims than advanced subterfuge.

They were there too; it was just, you know, siphon the data and FTP it back to China, right? And I say FTP, like, not even using encryption. They're just, like, back to China directly, right? And so, stuff that we just would not even consider today.

There were job listings. The former employees would include their hacking achievements in their CVs. One hacker even published a scientific paper on his techniques.

They weren't subtle at all, right? If there's anything you'd say about China, it was like they didn't care about being caught, right?

And despite this attitude, the attacks worked. Terabytes of data were smuggled through the rat caves and ended up in the hands of Chinese officers. But for what?

It's intellectual property theft, right? Originally, you know, their big goal, certainly through the mid-2010s, was technology transfer and intellectual property theft. That would include, you know, access to a lot of new technologies, you know, about up-and-coming things, because if there's one thing that's known, it's very difficult to create, but it's very easy to replicate and enhance, which China has done time after time. So if you go back and read China's five-year plans, and they're very public about these, right, and the, you know, what are we moving domestically to produce over the next five years and what technologies are we looking to advance, you can overlay that directly with their targets.

Lockheed Martin, an American defense manufacturing giant, was one of the first victims of the Shady RAT. In 2007 a rat's cave was dug into its servers. In there lay the plans for the F-35, the latest and most advanced stealth fighter jet the world has ever seen. Just several years later, a remarkably similar aircraft took off for a test flight in China. It was called Shenyang FC-31, and people started to get suspicious. Several leaked reports already stated that the US military was worried about its systems being compromised, but the military denied everything. It wasn't until 2015, when documents leaked by Edward Snowden confirmed the F-35 was stolen, and not by a daring maverick or an undercover agent. It was stolen by a person who just sent a bunch of emails to a Lockheed Martin employee, pretending to be his coworker. And this is just one high-profile case that we're reasonably certain about. Construction companies like the South Korean one where the attacks began, industrial plants like the one imitated by Kyle Wilhoit's experiment, other factories, offices and institutions: countless intrusions that allowed China to copy devices, systems, best practices. The RAT was bringing home the lumber that fueled the fire, the blaze of unprecedented economic growth.

The mainland economy grew by some 400% from 200000. Grown so fast, almost on steroids. The country has not missed a single GDP target this entire decade.

There were attempts to confront China. We've agreed that neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property. Argue with it. China's Foreign Ministry on Monday called on the US to immediately withdraw its charges. Even dragged the military hackers into court. Wanted by the FBI. None of them worked. The standard response of Chinese officials has been to vehemently deny that their country conducts any offensive cyber operations and then strike back with the old logical fallacy as old as time: if the US conducts them, why shouldn't we? However, despite those claims, the Chinese APTs started being more careful. They began employing the help of non-state actors and masking their traffic, giving their operations at least a semblance of plausible deniability.

The brazenness of the attacks, right, really drops. And so one of the things that we saw happen quite a bit after that admonishment, that very public state-level admonishment, is that they began routinely using what we call redirectors, right? So basically hopping through some other country's infrastructure instead of the attacks coming, in many cases, just straight from China.

The Shady RAT ended. The old tools were no longer adequate for the job. The hackers had to be more careful. They couldn't go after so many targets, and the attacks had to change. The reasons for the attacks also changed. The purpose of maintaining presence, of building a reliable rat cave, was no longer to steal information. It was to maintain access in case there was a need for it.

In the US, critical infrastructure is defined as the assets, systems and networks that are most critical to our economy and our national security and community well-being and the like. And presumably the end goal there, of course, is to stop the functioning of things that are important: get in the way of transportation, logistics systems, the ability to communicate or the ability of organizations, you know, loss of power and things like that.

Shady RAT was an immensely important operation for China for many reasons. It supplied the Chinese industry with all the trade secrets it needed, and it established China as a major cybernetic superpower. But it also had a much more insidious and much more profound effect. Say you have a RAT that has access to a water plant, not a virtual one but a real plant somewhere in the rural United States. You had a cave leading there for years and nobody noticed. You stole all the documentation you needed, copied the plant's blueprints, but the cave is still there. In fact, there are lots of those caves leading to many plants across the country: water, sewage, gas, electricity, all kinds of infrastructure that are critically needed for the functioning of an economy. What could be done with it? What could be carried through all those caves?

You know, when I was in government at the Cybersecurity and Infrastructure Security Agency, we used a nice analogy that I think is still pertinent, which was, at the time, you know, I'm talking about the end of the last decade, Russia was sort of hurricanes and tornadoes and natural disaster, and China was climate change.

Thanks for watching. If you'd like more videos like this, subscribe to let us know, and then check out our channel. Have a nice day.