Yesterday ThreatConnect and DGI released a report titled CameraShy, which investigates Chinese cyber espionage activity against nations in the South China Sea. The report combines a very data-driven statistical analysis of malicious infrastructure on the Internet with a very human-focused view into the social media activities of the adversary to arrive at its conclusions. This combo offers a unique and compelling twist on the Chinese APT report genre. Here’s a quick summary of major findings and the original Wall Street Journal article.
There are many aspects to this report we could (and eventually will) discuss, but I’d like to focus on the underlying methodology in this post. One of the things readers will notice immediately is that the whole report is structured around the Diamond Model of Intrusion Analysis. Every chapter features a different facet or vertex of the Diamond, and this wasn’t just window dressing. It was an intentional effort to guide the reader through our own analytical process and also make a case that threat intelligence must understand relationships between adversaries, their target victims, and the capabilities and infrastructure used against those victims.
I got some pretty good feedback on my last Diamond Model post, Luke in the Sky with Diamonds, so I’ve stuck with that formula and adapted a song title for this post too (if this keeps up, I’ll to have to extend my musical horizons to find more “diamonds” in the ruff). I’m sorry to disappoint those wondering about the connection between Pink Floyd and cyber espionage – it goes no deeper than the title. Though I will say that this stanza is more than a little suspicious given our context:
“You reached for the secret too soon, you cried for the moon. [ASEAN state secrets]
Shine on you crazy diamond.
Threatened by shadows at night, and exposed in the light. [espionage revealed via OSINT]
Shine on you crazy diamond.
Well you wore out your welcome with random precision, [persistence, deceptive targeting]
Rode on the steel breeze.” [ephemeral C2 infrastructure]
Makes you wonder, doesn’t it? Ah well; another investigation for another day. Back to the topic at hand.
Quick review: The Diamond Model is an approach to conducting intelligence on network intrusion events. The model gets its name (and shape) from the four core interconnected elements that comprise any event – adversary, infrastructure, capability, and victim. Thus, analyzing security incidents (or intrusions/activity threads/campaigns/etc) essentially involves piecing together “the Diamond” using bits of information collected about these four facets to understand the threat in its full and proper context. Reading on, you’ll find a summary of each chapter’s contribution to filling out the Diamond.
The first chapter of CameraShy provides some background on tensions in the South China Sea and shows how network intrusions are used to further china’s interests in the region. In terms of the Diamond Model, this obviously hits on the upper Adversary apex (though, in my opinion, we should have used a biker helmet and sunglasses rather than the obligatory cybervillian fedora and mask). It focuses on a particular threat group known by some as “Naikon,” which we identify as unit 78020 within a Technical Reconnaissance Bureau located in Kunming. At this point in the report, we don’t yet have a specific adversary persona, but hold your horses; we’ll get there. Victims compromised by Naikon are not identified, but we reference reports that have done so and discuss sustained targeting of nations and entities in Southeast Asia since 2010.
The main thrust of chapter 1 is the socio-political axis, which concerns the aspirations, needs, and intentions of the adversary in relation to the victim. The horizontal axis of the Diamond is also in play here, since we discuss the technical means (or TTPs) leveraged by Naikon to target their victims.
Chapter 2 takes a cross-section of the larger Naikon threat and slides activity associated with a particular domain (greensky27.vicp[.]net) under a microscope. The idea was to analyze several years of DNS records to profile the infrastructure in a purely objective and data-driven manner. We learned that Kunming is the central node, the domain is highly dynamic, regional roles and patterns exist, algorithms render it as slightly Death Star-esque, and there’s a temporal element to the campaign. We geeked out a bit in this chapter and I think readers will really enjoy some of the data visualizations it includes.
In terms of the Diamond Model, Chapter 2 is heavy on the infrastructure side. But we also discuss malware associated with this infrastructure, so it hits on capability and the technical vertex between the two as well. In fact, this chapter is a good example of the concept of pivoting, which is core to both the Diamond Model and the ThreatConnect platform. By researching Naikon malware using regionally-themed delivery vectors, we identified the personified greensky27.vicp[.]net domain as a common C2 callback. Our analysis pivoted to the infrastructure undergirding it and then through another pivot to the adversary persona behind it all.
Chapter 3 gives Camerashy its title and takes the phrase “adversary attribution” to a whole new level where the adversary actually participates in the process. Hundreds of self-posted photos, social media activities, research publications, and some help from the Internet of Things then enabled us to conclusively tie greensky27.vicp[.]net to a specific person, Ge Xing, and place him within the compound of military unit 78020 in Kunming, China. That’s Diamond-speak for an infrastructure to adversary pivot. The report’s moniker is obviously a bit tongue-in-cheek, as our subject clearly isn’t scopophobic.
TC Exchange partner DGI Inc was “pivotal” to this chapter, providing key HUMINT and Chinese language translation components. I really can’t do it further justice via summary – you’ll need to check out the report to fully appreciate the self-attributing mosaic pieced together in chapter 3.
Chapter 4 carries the title “No Room for Coincidence – Evidence Ge Xing and Unit 78020’s Involvement in Naikon Activities.” Lengthy, but spot on. It spikes the attribution ball, correlating the patterns of infrastructure activity from Chapter 2 with the pattern of life activities in Chapter 3. For instance, when he announces the birth of his son or posts travel pics, the infrastructure goes silent at the exact same time. It’s true that correlation doesn’t imply causation, but the number of correlations here and weight of the overall evidence make this about as close to certain as one can get without access to God’s DVR.
Similar to Chapter 3, you’ll need to read it to really appreciate it. It spotlights the relationship between man and machine in a way that I’ve never seen before, and it was thrilling to watch the pieces fall into place.
Piecing it all together, here’s the complete Camerashy diamond. It represents a multi-sourced, multi-faceted approach to threat intelligence that isn’t just achievable by the likes of ThreatConnect and DGI. ThreatConnect’s primary job is enabling our customers to experience the value of “Full Diamond” intelligence for themselves. Toward that end, all indicators associated with this report have been shared to the Common Community in ThreatConnect. Jump in and help us continue to expand and enrich what we collectively know about this threat.
That brings up one final point I’d like to make before closing this one out. It’s worth mentioning that we began this investigation with research shared by others and also worked with others to extend that research. In addition to the knowledge Camerashy imparts about the adversary, we hope it also demonstrates the merits of intelligence sharing and collaborative research. It may sound trite, but we truly are smarter and stronger together.