Monday, September 24, 2007

Expensive Chinese Takeout No One Can Afford

Titan Rain isn't the name for the precipitation on Saturn's moon Titan. It's the name the United States government has given to a Chinese intellectual property theft effort that has likely been ongoing since August 2004 or earlier. That's also when an IP theft worm called Myfip emerged onto the Internet. Joe Stewart discovered it and wrote one of the first analyses and a lovely lecture in pdf format. While the original worm only stole pdfs, Myfip.B and later variants steal pdfs, docs, mdbs (Microsoft database files), and various CAD files. The Myfip.h variant is a kernel mode rootkit that removes its process from the Windows kernel process list without the need of a kernel mode driver, which is unusual according to F-Secure. So, one can see that the worm has gotten even more sophisticated with time. Any collected files were initially sent to a remote server at address '', which no longer exists, using TCP on port 34330. Current Myfip distribution servers are located in Tianjin, China's third largest city, while the collection servers are in Guangdong and Tianjin. It is speculated that the group responsible for this worm started getting back sensitive information that the Chinese government would be interested in, which is why the second variant of the worm broadened its collecting to documents, CAD/CAM files and databases instead of just pdf files.
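The one concrete network indicator the post gives for Myfip is outbound TCP to port 34330. As an added example (not code from the post or from any of the analyses it cites), here is a small flow-log check that flags internal hosts talking to that port and totals the bytes they sent; the log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall/flow-style log lines for the example (not real traffic).
SAMPLE_LOGS = """\
2007-09-24T10:01:02 proto=TCP src=10.0.0.15:49152 dst=203.0.113.7:34330 bytes=1048576
2007-09-24T10:01:05 proto=TCP src=10.0.0.15:49153 dst=203.0.113.7:34330 bytes=2097152
2007-09-24T10:02:10 proto=TCP src=10.0.0.22:50000 dst=198.51.100.9:443 bytes=5120
2007-09-24T10:03:00 proto=UDP src=10.0.0.31:34330 dst=198.51.100.9:53 bytes=200
2007-09-24T10:04:44 proto=TCP src=10.0.0.40:51234 dst=203.0.113.7:34330 bytes=4096
"""

MYFIP_PORT = 34330  # exfiltration port the post attributes to Myfip

LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def find_myfip_exfil(log_text, min_bytes=0):
    """Aggregate outbound TCP flows whose destination port is 34330, keyed by source host.

    Only the destination port is matched: a host using 34330 as its ephemeral
    source port (the UDP DNS line above) is not an exfiltration candidate.
    Hosts whose total bytes fall below min_bytes are dropped.
    """
    hits = defaultdict(lambda: {"bytes": 0, "flows": 0, "dst": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != MYFIP_PORT:
            continue
        entry = hits[rec["src"]]
        entry["bytes"] += rec["bytes"]
        entry["flows"] += 1
        entry["dst"].add(rec["dst"])
    return {src: e for src, e in hits.items() if e["bytes"] >= min_bytes}


if __name__ == "__main__":
    for src, e in find_myfip_exfil(SAMPLE_LOGS).items():
        print(f"{src}: {e['flows']} flow(s), {e['bytes']} bytes -> {sorted(e['dst'])}")
```

A single port is a weak signal on its own (the original collection server is gone and later variants may differ), so treat a hit as a lead for host forensics rather than a verdict.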

Besides the theft of IP, Guangdong is the other connection between the worm and Titan Rain. Shawn Carpenter, an IT Security Investigator, then at Sandia National Laboratory, discovered an intrusion and tracked the attackers back to Guangdong. These were very skillful and professional attackers who made only one mistake - they got noticed by Shawn Carpenter. His Lockheed Martin bosses didn't want him to pursue the issue further, so he offered to help Army Counterintelligence and the FBI in his spare time. He monitored the thieves' attacks via their gateway router in Guangdong and he guesses that there are 10-15 workstations manned 24x7 actively stealing information from all over the world. For all his hard work and diligence, Lockheed Martin terminated him and harassed his wife, who also worked there, because he shared his information with other government entities even though he was expressly told not to do so. He recently won a lawsuit that Sandia National Labs and Lockheed Martin are appealing.* The Chinese government denies that they have anything to do with Titan Rain and they are not cooperating with the American government. The Germans recently accused the Chinese government of cyberespionage.

So, what is going on? Is it a Chinese criminal gang who is stealing trade and government secrets and selling them to the highest bidder? Is it the Chinese government actively doing the stealing? Or is it both? The simplest explanation is the latter one. A criminal gang started the enterprise and when the Chinese government discovered how lucrative, cheap and easy it was, they offered people and resources to the gang for a piece of the action. The Chinese government maintains plausible deniability by using the Chinese criminal gang as cover for their cyberespionage activities while reaping huge benefits. It doesn't help that U.S. government contractors cover up the attacks on government and corporate systems at government facilities because they don't want the bad press. As to how extensive and successful Titan Rain is and what has been stolen, only the thieves know. Our government isn't disclosing what's been lost, possibly from embarrassment. This "hypertrophied secrecy" prevents the full extent of the damage from being known and disseminated, and is analogous to the government declaring certain projects Black Projects to hide risky or expensive military projects from the American taxpayers' scrutiny. Foreign governments and determined individuals can figure out what the Black Projects are using standard intelligence gathering and analysis techniques. Likely the agents the FBI has on the case aren't from their Computer Forensics Lab, but are field agents who may or may not be competent in both counterintelligence and computer forensics. We can only hope that since the Chinese use Microsoft Windows extensively that we are stealing more of their secrets than they are of ours, but I wouldn't bet on it.

* (Thanks to Richard Bejtlich and his TaoSecurity blog for informing me of Shawn Carpenter's case.)


Don't know if you saw this article or not, a while back. Interesting.
Thanks for the link. I knew of the Estonian attacks, but I didn't know the specifics. It makes sense what they did, though I would have expected that we'd be beyond cliques by now. An informal group such as The Vetted should have become either a public or private entity with formal recognition and power. That such a group is still informal and has so much power is a bit worrisome, but then I always thought it was unusual that Jon Postel, who was practically the Father of DNS, died during surgery back when the Internet was really getting started. He practically had all the power that The Vetted do now. So maybe we replaced a benevolent dictator with a benevolent oligarchy.
And here we got to all this trouble to avoid emailing floor plans of government buildings... when a worm could be stealing them from our computers anyway. Whoo.

Good reading, though.
Not from your computer, Jules. It's a Mac! :-) They mostly steal from Windows and Linux/Unix systems. The latter rootkits have no known commercial antivirus signatures and will likely work on the Intel Macs though. A friend told me that they stole 50 GB per hour, 500 GB total of classified documents over 10 hours.