Monday, September 24, 2007
Expensive Chinese Takeout No One Can Afford
Besides the theft of IP, Guangdong is the other connection between the worm and Titan Rain. Shawn Carpenter, an IT security investigator then at Sandia National Laboratory, discovered an intrusion and tracked the attackers back to Guangdong. These were very skillful and professional attackers who made only one mistake - they got noticed by Shawn Carpenter. His Lockheed Martin bosses didn't want him to pursue the issue further, so he offered to help Army Counterintelligence and the FBI in his spare time. He monitored the thieves' attacks via their gateway router in Guangdong, and he guesses that there are 10-15 workstations manned 24x7 actively stealing information from all over the world. For all his hard work and diligence, Lockheed Martin terminated him and harassed his wife, who also worked there, because he shared his information with other government entities even though he was expressly told not to do so. He recently won a lawsuit that Sandia National Labs and Lockheed Martin are appealing.* The Chinese government denies that it has anything to do with Titan Rain and is not cooperating with the American government. The Germans recently accused the Chinese government of cyberespionage.
So, what is going on? Is it a Chinese criminal gang who is stealing trade and government secrets and selling them to the highest bidder? Is it the Chinese government actively doing the stealing? Or is it both? The simplest explanation is the latter one. A criminal gang started the enterprise and when the Chinese government discovered how lucrative, cheap and easy it was, they offered people and resources to the gang for a piece of the action. The Chinese government maintains plausible deniability by using the Chinese criminal gang as cover for their cyberespionage activities while reaping huge benefits. It doesn't help that U.S. government contractors cover up the attacks on government and corporate systems at government facilities because they don't want the bad press. As to how extensive and successful Titan Rain is and what has been stolen, only the thieves know. Our government isn't disclosing what's been lost, possibly from embarrassment. This "hypertrophied secrecy" prevents the full extent of the damage from being known and disseminated, and is analogous to the government declaring certain projects Black Projects to hide risky or expensive military projects from the American taxpayers' scrutiny. Foreign governments and determined individuals can figure out what the Black Projects are using standard intelligence gathering and analysis techniques. Likely the agents the FBI has on the case aren't from their Computer Forensics Lab, but are field agents who may or may not be competent in both counterintelligence and computer forensics. We can only hope that since the Chinese use Microsoft Windows extensively that we are stealing more of their secrets than they are of ours, but I wouldn't bet on it.
* (Thanks to Richard Bejtlich and his TaoSecurity blog for informing me of Shawn Carpenter's case.)
Good reading, though.