The Hunt for GreenSky27
CameraShy shed light on the Chinese military’s involvement in the Naikon APT and brought into focus the role played by Unit 78020, based in Kunming, China, and a certain individual by the name of Ge Xing (aka Greensky27). We have already highlighted key findings from the report in an earlier blog entry and discussed how the Diamond Model played a key role in assembling the pieces of this puzzle. This blog post is a deep dive into the technical analysis of ‘greensky27.vicp[.]net’, which was the basis of Chapters 2 and 4 in the report.
Before we proceed, and in case you haven’t read the report yet (you should, you know), let us examine what it is that made us want to put ‘greensky27.vicp[.]net’ under the microscope. The Naikon infrastructure contains a bunch of C2 host/domain names adhering to a regionalized theme. These domain names tend to follow a pattern that is indicative of the countries being targeted. But a few host/domain names did not follow this pattern, ‘greensky27.vicp[.]net’ being one of them. And that’s what piqued our interest. Right off the bat greensky27 seems like an alias someone would use in, say, a chat forum, a website or a social media site. This personalized theme of domain naming not only interested us but gave us a foothold into the Chinese military unit behind the Naikon APT infrastructure. And that is why we chose to narrow our focus down to this one host name. By the way, we’ve shared all the IOCs (Indicators of Compromise) associated with Naikon in our Common Community on the ThreatConnect Platform. Have you opened your free account yet?
Address Records Of Last 5 Years
Remember filling out a form that asked for all the addresses you have lived at in the last X years? That is exactly how we started when we decided to take on greensky27. The first order of business was to find out the DNS history of greensky27.vicp[.]net: a history of all the IP addresses this host name resolved to, going as far back as possible. We combined the passive DNS [1] records (courtesy of PassiveTotal) with active DNS monitoring records stored in the ThreatConnect Platform for greensky27.vicp[.]net. Combining passive DNS records with our active DNS records gave us a much more complete picture of the host’s history. And the data didn’t disappoint: we found data going back to 2010. In all we found some 2,382 instances of a DNS record change. In these 2,382 instances were 1,243 unique IPs. This is fascinating considering we are just talking about a single host out of hundreds of hostnames in the Naikon APT infrastructure. We should mention that vicp[.]net is a dynamic DNS service provider. We combined this DNS history data with Geo-IP data for each of the unique IP addresses to map the IPs to their respective Autonomous System Numbers (ASNs). So after some data munging our data looks somewhat like Tables 1 & 2.
How about some Waffles for Breakfast?
One of the first things to look at when exploring a highly dynamic DNS record history like we have here is how long the hostname resolved to an IP before switching to another IP. Secondly, how many times did the hostname reuse IPs? Both these metrics give us greater detail into the dynamic nature of the host in question. We started with the workhorse of plotting distributions, histograms. Below for your viewing pleasure are the histograms of the two metrics. And as you can clearly see there is not much to them apart from suggesting that the data is heavily right-skewed. Not the most ideal way to visualize this data.
Figure 1: Histograms
Here lay our first challenge. How do we present this data to a wider and perhaps non-statistics-savvy audience and yet get the point across? Our search for such a visualization technique led us to Waffle Charts, also known as square pie charts. These charts are better alternatives to pie charts and perfect for visualizing highly skewed histograms. Each square represents 1% of the data, and the color gradation decreases from the dense area (where most of the data lie) to the light area (where just a few of our data lie). Compare and contrast these with the histograms above if you are still not convinced.
Figure 2: Distribution of resolution durations (in hours).
Figure 3: Distribution for number of resolutions per IP address.
To repeat what we’ve already said in the report, 80% of the time the hostname stayed at an IP for less than one day, and 50% of the IPs it used were used only once. That is one wild hostname.
Location is everything.
Next we wanted to explore our metrics in detail in the context of the locations of our IPs. We already saw some locations stand out in Figure 5, and we wanted to take that line of analysis further. When we compared, for each location, the ratio of number of resolutions to number of unique IPs to number of hours resolved, we saw some very compelling patterns. As you move your eyes down each location in Figure 6, compare the ratio of the 3 metrics to each other as well as the pattern of each location to other locations.
Figure 6: Ratio of resolution metrics relative to each city.
See how Denver, U.S.A. is so completely opposite to Taipei, Taiwan, and how Taipei, Taiwan is so similar to Santa Ana, U.S.A. These patterns are explored at length in our report, which we once again urge you to read in case you haven’t.
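The two metrics behind the waffle charts (time held per IP, reuse per IP) and the per-city ratios of Figure 6 all fall out of the same record-change log. The following is an added example, not code from the report or the ThreatConnect Platform; it runs on a small constructed resolution history (RFC 5737 test addresses and made-up timestamps and cities), and the `hops`, `waffle_squares` and `city_metrics` helper names are ours.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample of a hostname's A-record history (first seen, IP, Geo-IP city); not report data.
RESOLUTIONS = [
    ("2014-03-01T00:00:00", "198.51.100.10", "Kunming"),
    ("2014-03-01T06:00:00", "198.51.100.11", "Kunming"),
    ("2014-03-01T18:00:00", "203.0.113.5", "Taipei"),
    ("2014-03-03T18:00:00", "198.51.100.10", "Kunming"),
    ("2014-03-04T00:00:00", "192.0.2.7", "Denver"),
    ("2014-03-09T00:00:00", "198.51.100.11", "Kunming"),
]

def hops(records, end=None):
    """(ip, city, hours_held) per record change; the last record lasts until `end` or is dropped."""
    rows = sorted((datetime.fromisoformat(ts), ip, city) for ts, ip, city in records)
    out = []
    for i, (t, ip, city) in enumerate(rows):
        if i + 1 < len(rows):
            nxt = rows[i + 1][0]          # held until the next change
        elif end is not None:
            nxt = datetime.fromisoformat(end)
        else:
            break                         # open-ended last record: unknown duration
        out.append((ip, city, (nxt - t).total_seconds() / 3600))
    return out

def share_under_one_day(h):
    """Fraction of hops where the hostname stayed on an IP for under 24 hours."""
    return sum(1 for _, _, hrs in h if hrs < 24) / len(h)

def share_used_once(h):
    """Fraction of unique IPs the hostname resolved to exactly once."""
    uses = Counter(ip for ip, _, _ in h)
    return sum(1 for n in uses.values() if n == 1) / len(uses)

def waffle_squares(values, edges):
    """Percent per bucket [edges[i], edges[i+1]) (last bucket open); one percent = one waffle square."""
    counts = [0] * len(edges)
    for v in values:
        counts[max(i for i, e in enumerate(edges) if v >= e)] += 1
    return [round(100 * c / len(values)) for c in counts]

def city_metrics(h):
    """Per city: share of all resolutions, of all unique IPs and of all hours held (the Figure 6 ratios)."""
    res, ips, hrs = Counter(), defaultdict(set), Counter()
    for ip, city, hours in h:
        res[city] += 1; ips[city].add(ip); hrs[city] += hours
    n_res, n_ips, n_hrs = sum(res.values()), sum(len(s) for s in ips.values()), sum(hrs.values())
    return {c: (res[c] / n_res, len(ips[c]) / n_ips, hrs[c] / n_hrs) for c in res}
```

On the sample, a city with a small share of resolutions but a large share of hours (Denver here) is the long-lived parking pattern, while a city with many short resolutions on few IPs (Kunming here) is the busy one.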
All Naikon roads lead to Kunming, China
The majority of the DNS data involved pointed us to Kunming, China, the home base of Unit 78020. But we also wanted to explore how the other locations involved interacted with Kunming. And nothing beats the flexibility of a graph diagram when you want to show nodes (locations in this case) and the relationships between them.
Figure 7: Network graph of IP address locations associated with the gsk27 domain
Having explored locations and their relationships, we turned to individual IPs, and this gave us a Death Star-esque graph diagram of IPs and the relationships between them.
Figure 8: Network graph of all IP addresses associated with gs27
Both these charts are explored in depth in the report, but if you can take anything from them, it should be that not all infrastructure in an APT is uniform, and analyzing it can provide great insights into the inner workings of an APT.
How time flies.
So far we’ve looked at all 5 years’ worth of data without exploring its temporal nature. Complain no more: our stream graph in Figure 9 has that covered. We show the share of each location in the greensky27.vicp[.]net hostname infrastructure over the years. This chart too is interactive, so feel free to hover over individual locations to see more details.
Figure 9: Stream graph of relative resolution duration per city over time.
Attributions are hard, not impossible.
For attributing the Greensky27 handle to Ge Xing we had to explore Ge Xing’s online social life. This is covered in great detail in Chapter 3 of the report. But to tie it all back to the greensky27.vicp[.]net hostname we had to go one step further and overlap Ge Xing’s socio-personal activities with those of the hostname. Chapter 4 of the report is devoted to doing just that. For a more interactive version of the timeline of events highlighted in Chapter 4, look no further than Figure 10. It is by far the most interactive chart we have presented so far, and we hope you will enjoy working with it as much as we enjoyed making it. Also, what’s not mentioned in the report is that the greensky27.vicp[.]net domain has been parked at Denver, U.S.A. and has been inactive ever since Ge Xing was interviewed by the Wall Street Journal on Aug 28th 2015. These overlaps sealed the deal for us as far as tying our Victim(s), Adversary, Infrastructure and Capabilities (the 4 corners of the Diamond Model for Intrusion Analysis) together and presenting CameraShy to you.
Figure 10: Timeline of infrastructure activity and adversary-relevant events.
The Ones that didn’t make the cut.
These are a few reject visualizations which we built just for fun but, when better sense prevailed, decided not to put in the report. First up is a sunburst chart showing how greensky27.vicp[.]net hopped between locations. The innermost ring is a starting point, and successive outer rings are hops from that location to another location (which could be the same as the previous location). As you can see, most of the activity happened in Kunming most of the time. Again, an interactive chart for you to play with.
Figure 11: Sunburst Chart of Location Switching of greensky27.vicp[.]net
And finally we couldn’t let you go without dishing out some 3D charts, so here is Figure 12, again showing location switching but this time on a globe. As you might have guessed by now, this too is an interactive chart, so grab that earth and rotate as you please.
Figure 12: 3D Globe, ’nuff said
We highlighted some of the analytic and charting techniques that went into making Chapters 2 and 4 of the CameraShy report. Statistical and visual analytics can be very powerful analysis tools if used correctly in addition to traditional infosec analysis. The ThreatConnect Platform provides the right set of tools to aggregate and work on datasets such as the ones that were part of CameraShy, and we continue to build out more and more useful feature sets in the platform for our community and customers.
The following tools and people are acknowledged for the software and tools that were used in making these charts.
[1] Passive DNS, an introduction: http://www.enyo.de/fw/software/dnslogger/first2005-paper.pdf