
Between Two Nerds: Why Chinese APT tactics are evolving

2024/8/5

Risky Business News


The discussion explores recent changes in Chinese APT tactics, particularly APT40's shift from using compromised Australian websites to SOHO devices, and the implications of this evolution.

Transcript

Hello everyone, this is Tom Uren and I'm here, as per usual, with the Grugq for another Between Two Nerds discussion. G'day Grugq, how are you? G'day Tom, good, and yourself? I'm well. This week's episode is brought to you by Material Security, who make a holistic email protection suite. So, a little while ago, Grugq, there was this advisory

that was written by, well, in my view, mostly by the Australian Cyber Security Centre, but it was published jointly with a range of countries' agencies, including the US, Japan, Korea, Germany. And I think what was notable about that report was, firstly, the joint authorship. Like, they managed to gather together a band of fellow travellers. Now, the

actual report said a lot of stuff about APT40, which is a Chinese MSS, that's the Ministry of State Security, either MSS-sponsored or directed group. And one of the interesting things it said was that they'd evolved their tradecraft. And so tradecraft is basically Pokémon, is what you're saying? It's levelling up.

They had gone from, well, I think, yeah, it is leveling up, isn't it? I think. So they said that APT40 has previously used compromised Australian websites as command and control hosts. So websites, always on, would have a fast... In a data center with a, yeah, with a fast link. And it's going to be a nice...

Yep, so that all seems very reasonable. Then, APT40 has embraced the global trend of using compromised devices, including small office, home office devices, as operational infrastructure and last hop redirectors for its operations in Australia.

And you commented to me at the time something to the effect of, "Ah, this is so low rent." We used to think this was dumb back in 2005. So like in the underground, this was considered lame 20 years ago, like literally 20 years ago. And at the time, South Korea had one of the fastest internets available. At home, people had 100 megabit connections and stuff when everyone else was on... there were still people on dial-up, right?

They had these super fast connections and no one did any security. It was literally a playground, right? So what would happen is basically everyone who was learning to hack would learn to hack

by going after these Korean SOHO routers. Small office, home office. So basically the cable routers that everyone had, or the cable modems that everyone had in their apartment, were used as the bounce box. And then every grade school, every high school and all that. So obviously hacking universities is sort of tried, tested. It's a true hacker tradition. But

Hacking a kindergarten is a little bit embarrassing. Like that's like, it's one thing to be like, yeah, I'm using the physics department of Caltech as my bounce box. Like, you know, sure. It's the physics department. It's not particularly good at security, but at least it's interesting. So you're saying that it's a very old technique. It was lame because it was so easy. You're right. Now, at the same time, here we have this report.

co-signed by agencies all across the Five Eyes and elsewhere that's saying that this group is... They've just discovered Fisher-Price, my first hacking box. So the question to me was immediately, well, why did it take them so long?

What's the driver behind that shift? Now, a couple of hypotheses. One is that APT40, they just never needed to hide what they were doing before. And so if you came from a Chinese IP address, well, it didn't stop you from getting caught. It didn't make any difference. So being attributed didn't make any difference. So why bother using a bounce box? So that's one theory. Right.

I'm somewhat skeptical on that because if they were using websites in Australia, then they must have assumed that they couldn't just come out of Beijing and Shanghai direct. So I'm wondering, maybe there's things like IP blocks are now better understood so that if you have a website connecting to your website, that's a weird thing. Whereas a home router connecting from a block of home routers, that should be connecting to your public infrastructure.

Whereas websites should not. Like things out of data centers are going to be a bit weird. So that would show up. Yeah. I mean, the other curious thing is that Russian actors, is it the FSB, have been using home devices for a very long time. So they've been, what, three or four different, was it VPNFilter was one of them? Yeah. Going back maybe a decade or so. So they, you know, another state-sponsored actor doing similar stuff.

Not quite the same. Probably less intellectual property theft, more espionage focused, has been using home office devices for a long time. So why the difference between those two actors? And so it seems unlikely that the reason, just I'm going to say it seems very unlikely that the reason that the MSS changed the way they're hacking is because security has gotten so good they've had to. Like that's...

I don't think that the operational environment has become so difficult that they've had to adjust the way that they operate just to get past security. That's not a thing that happened. It's possible that there's been some operational change from the ASD or the people monitoring them

And they've had to take that into account. Maybe they don't like the amount of investigation that happens from the NetFlow, those NetFlow logs that get sold everywhere from... Team Cymru. Yeah. So maybe they're thinking about how those NetFlow logs from all the data centers get sold to various security companies who then pore through that.

Right.

I mean, one thing that occurred to me is that it's more likely that a website will have a static IP address, whereas it's more likely that a home office will be behind a NAT and will be dynamic. And then you'd get some sort of benefit in terms of IOCs, I guess. Yeah. And you can, I mean, you can just reboot, right? If someone's internet goes down for a couple of minutes, it's unlikely they'll notice unless they're actually using it at that time.

And if they are, then it's just this damn ISP or that wonky router or whatever, right? You're not going to think this is a strong indicator that MSS has decided to dynamically reassign my IP so that they can try again on one of their targets. That's not going to be your first thought. So yeah, I think it certainly gives them some flexibility there, a little bit of dynamism. I think that there's downsides. Like a home router is less stable than a box in a data center.

It's got less CPU. It's got less disk space. It's got less RAM. The connection isn't as fast, particularly going upstream. The link is going to be less stable, I think, just overall, because, you know, like there's no service level agreement of 99.999% uptime.

Yeah, so the way that the Russian, I think of them as analogous groups, have operated is that they've created not so much just relay boxes, but they've created botnets. And the botnets are like an underlying infrastructure that they use to carry both commands and exfil. And so that's a job, right? It's a job to create a botnet and manage it and run it. Maybe it's just grift.

Right. Like someone was looking at this and being like, you know, I took that distributed programming course. You know, I'm wasted here in, you know, infrastructure rentals. What I need to do is I need to get my own kingdom. And so they make this proposal and they're like, you know, here's what we're going to do. We're going to build a distributed system built on top of home office routers and be a mesh network of blah, blah, blah. And people are like, yeah, cool. Let's allocate budget and resources and make that happen.

Well, I guess the thing is that there have been like two or three instances of this that the US has tried to take down. So there was VPNFilter. There was Snake malware, which kind of did something similar.

then there's another one whose name I forget at least. So that's a work package is to build one of those botnet networks and have it as an underlying infrastructure. And that kind of makes sense if you've got a state organization who's going to go, okay, let's have some synergies. You can be the infrastructure group that'll

build this for all of our teams and we can each leverage it. Focus on our core competencies to achieve stakeholder satisfaction. We'll kick some bureaucratic goals here. Whereas the Chinese organizational model has been or appears to be much more

we'll have state agencies, but we'll also have contractors who just go off and do their own thing willy-nilly. And in that structure, it makes less sense to have a shared services model. There are fewer synergies that we can leverage. That's right. That's right.

to sort of actualize and eventuate our cybers. Yeah, no, I think that actually makes a lot of sense. But then you'd sort of wonder, like, why wasn't there a contractor who developed this and then sold it as a service? Because it seems to me like it would be an interesting project on one hand, right? Like writing a mesh network. Like there's a bunch of interesting problems to solve. These unstable boxes behind NAT, all this other stuff.

And then to be able to provide an interface to that, which is usable by other people, and to have it run seamlessly on top of this thing, that would be fun and interesting to do. I would completely see the value in doing that. But could you sell that to the people in charge, right? So I'm wondering if the dynamic in the PRC is so different that it's not sell me a capability, it's...

sell me the intelligence or bring me the intelligence and I'll either buy it or not. Like that's the evidence we have from that I-Soon data leak, that data leak from an espionage contractor. Yes. Yeah. Like that's because there's a legal case going on between two contractors. And so one of them leaked all the documents for the legal case. I think it shows a level of sophistication where you have espionage service providers using litigation, exonerating

against each other. Like it shows that you have a robust rule of law. Well, it's the free market. People always say that you have to have a sort of a proper rule of law of your espionage activities. And here you have it. They're suing each other. I mean, how is that for court oversight?

But now that I think about it, in that data leak, there were documents where I-Soon was trying to sell capabilities to other... It's not exactly clear. They had marketing brochures and PowerPoints and stuff like that. So presumably that kind of stuff does go on. See, the reason I think it happens is I think that, as I said, I could see being nerd sniped by building this shadow mesh thing.

And so there's going to be hackers who are like, I could build that. That would be cool. And then people would buy it because it's a good thing. So I'm going to do that. People would do it because they want to do it. And then they would hope that someone would buy it at the other end. And if it works as a business or not, that's probably not the first thing that comes to mind for a technical person who wants to sort of tackle that.

which I think that might be why it just hasn't appeared before, is that everyone who's done it earlier has failed to gain a customer. Now, it does say in the report this technique is also regularly used by other PRC state-sponsored actors worldwide. So it just seems that APT40 perhaps was particularly late to get on board. Slow adoption, yeah. Now, one of the other things that I thought was... When you're looking at the Gartner quadrant of where they stand, they're at the... Like they...

What is it? Late Adopter? Is that the one? Yeah, yeah. Late Adopter, yeah. Now, one of the other things that I found curious in the report, it says APT40 has shifted to using SOHO devices. Is it? This has enabled the authoring agencies to better characterize and track this group's movements. Now, I thought that the whole point of using those devices was to tunnel your traffic through many different hops.

in all sorts of people's routers and therefore be more... That looks completely legitimate because it's supposed to have traffic like that. Yeah. See, to me, I've got to say, like, whenever I read a public thing from an intelligence agency, whatever they say, I sort of believe the opposite. I think it's like...

Oh, no. They're using SOHO routers. You played straight into our hands. Yeah, exactly. Oh, you think you're safer using this highly anonymous, difficult to track, well-integrated system? You're so wrong. This is easier for us. And we're not even going to explain why, because it's a great special secret technique that we have. To me, it smells like they're trying to influence the behavior of MSS by saying,

this is worse for you. I'm not sure that MSS makes their operational decisions based on reports. So you're skeptical that this is actually true. So your theory hypothesis is that this sentence is in here

Just to put doubt in the minds of whoever's running APT40. And if it works and they go, well, this is a terrible idea, we'll move to something else that'll be better for ACSC and its colleagues. Why not? I mean, if they weren't doing that, I would be a little bit disappointed.

because I expect some sort of tricky stuff from an intelligence agency. I expect them to make some effort at being sneaky. Right, right, right. So even though this is an advisory, the notional audience is Australian and allied organizations protecting themselves. These advisories have multiple audiences. And so you think this sentence is aimed possibly at the APT40s.

Well, I mean, what value, if you're a small home office or whatever, what value do you get from knowing that ASD finds it easier to track them because they're using your router? Wouldn't it say that like, oh, well, if it's easier for them, then maybe we should not protect ourselves. Give the ASD the old assist. Well, I guess this would support your argument, right? What's the value in telling your adversary that we're better able to track you?

because you've done this thing. That seems also counterintuitive to publish that. Yeah. So you know that the adage for spy agencies is you always trade intelligence for something of greater or equal value. Always. So you would never just freely say, oh, wow, you guys are doing a really good job. Keep doing that thing where you only use taxis from this one company. It's really hard for us to track that, right? Like...

You would never say that. Or we really appreciate that you haven't changed the frequency for your operational radios for your surveillance teams. It's made it a lot easier for us. Like you don't say that sort of thing. So I don't know why. Why would you say that? I could see listing IOCs because that's actually useful. And like, yes, you're giving something away, but you're gaining something in that they lose capability. Whereas what do you get out of this? So yeah, I don't know.

Unless MSS is listening, in which case we're just spitballing. Definitely trust the ASD on this one. Well, I mean, I think the thing is there's an element of doubt no matter what you believe, right? Maybe it is true.

I think IOCs are interesting in that you're giving up that you know something, but it's also information that APT40 already knows. They know what they're doing, presumably. Maybe they're not keeping records, but...

But it's not a secret. If they wanted MD5 sums, they can figure it out themselves. That's right. Exactly. And so you are giving up something. But this seems like something that APT40 wouldn't necessarily know. Right. Probably wouldn't know, you would think. Yeah. This is counterintuitive as well. Like as we've said, you'd look at this and you'd think, huh.

I would think it would be harder to track using SOHO routers. That seems... That seems like the point, isn't it? Yeah, like why would you switch from websites which are, you know, as we've said, there's some downsides, but all the upside is, you know, like bandwidth, power, static IP, uptime, all things being equal.

I would probably choose a website over a router any day. But remember Mirai and things like that? So that's one of the things that makes this sort of infrastructure interesting as a distributed system is you could automate the build. You don't have to go and manually hack everything. You could have it regenerate itself, which again, that's a nerd sniping sort of thing. Isn't that cool? You've got the self-healing botnet.

I mean, I'm surprised that these things just don't exist in the wild anyway, because they're just kind of cool to build. Well, I mean, I guess they do exist in the wild, right? But they're usually, we think of them as botnets rather than as command and control bots.

Like they've got different purposes. Yeah, it's not a command and control fabric. It's then used as a backbone for someone's infrastructure. It's usually a DDoS. Then used by 17-year-olds who are on Minecraft servers. And you start selling their services for five bucks a pop to other people.

How embarrassing is it that your advanced state-level attack infrastructure is the same thing as a booter uses to knock people off Minecraft servers for $5?

It seems like a bit of a step down for a state. Well, I remember that Snake malware report that we talked about. So Snake was created by the FSB and they'd been using it for something like 20 years. So at that point, you can convince yourself it's not just a botnet that anyone could create. It's a labor of love that we're invested in. It's seen people get married, have kids and send them to college. Right?

And it's just, it's always been there, you know? And then one day... And you can see that, like, when that has happened, you have a, I guess I would call it a steady state, where you've reached some sort of organizational equilibrium where this is the way we do things, whereas this is, we're shifting from one way to another. So there's been some sort of driver that's either forced you or lured you to do that. I'm wondering...

if there's an element of different time horizons. So if you're very short-term focused, you don't invest in this kind of capability because it's a short-term diversion. Like it's an enabler,

But an enabler doesn't get you anything until you've built it. Right. And it's going to have a lead time. And it's going to have maintenance costs as well. Yeah, that's right. And what you think you're going to get out of it's got to outweigh the amount of time you put in. If you're very short-term focused, it just can't do that. Right. Whereas if you hack a website and use it as a C2, you do that today. Yeah, that's right. You don't have to build software.

Yeah, so I wonder if it indicates some sort of strategic shift where... Oh, that's much more interesting. ...a shift to being more strategic, I guess. Not a strategic shift to being more strategic. A strategic shift to strategy. Yeah, that's right.

That makes it sound doubly important. Yeah, yeah. Like to me, the report sort of raises more questions than it answers, right? Why are they doing this? Why are they doing this now? Why didn't they do it earlier? Why did ASD say it's easier to track them? Who's going to benefit? Like as an end user, what do I get out of knowing that my home router is going to get hacked? Like it comes from the ISP. I can't do anything.

Yeah, yeah. So what I was thinking is that overall there's this shift from those kind of agencies, CISA and ASD, towards more, I guess I'd call it commercial responsibility. So in one way, this is like another piece that says there's a problem with home office security. And so it's not the piece of information that's going to convince everyone to chuck away their routers and upgrade them. But it is a piece that says...

router manufacturers need to do better, ISPs need to do better. Right. So, you know, like ZTE, Huawei, you're on notice. You have to protect against MSS hacking. That's right. You can get right on that. Thanks a lot, Grugq. Thanks a lot, Tom.