Cyber adversaries are sneaky, evil, and gearing up for attack, or are they?
By one ranking of total offensive and defensive capability, the ten top players in cyberspace are the United States of America, China, the United Kingdom, Russia, the Netherlands, France, Germany, Canada, Japan, and Australia. That ranking is interesting because when I introduced the MITRE ATT&CK® (Adversarial Tactics, Techniques, & Common Knowledge) knowledge base in Part 1 of this series, I noted that other countries, Israel and Iran among them, had been players in some of the most famous attacks on critical infrastructure. There is no denying it, though: China and the United States of America are arguably the two most powerful cyber forces in the world, and for that reason alone I focus on these two key players today.
If you haven’t done so, please read Part 1 to learn about the MITRE ATT&CK®, Russia, ransomware, and the steps to safeguard against those attacks before this article.
This article is not a lesson on MITRE, nor a catalog of the blatant, obvious cyber attacks you can find online. Instead, we walk the fine line between seemingly elusive behaviors and two countries’ strategies to dominate an all-out, no-holds-barred, modern-day digital Armageddon.
Examples of critical infrastructure attacks and Internet vulnerabilities
All of our critical infrastructure is integrated with computerized technology, and most of those integrations fall short of what is needed to prevent outages due to cyber attacks. Here’s why. Computers are made of all the cool gooey filling that makes tech geeks’ hearts melt just thinking about them: processors, memory, storage, inputs, and outputs.
But most importantly, computers have the most advanced connectivity on Earth. Electromagnetic radiation travels at the speed of light, which is the only hard limit on how fast a digital message can get from one place to another. While we have yet to reach our full capabilities globally, our vast fiber optic cabling and wireless networks are nothing short of brilliant. Computer connections have evolved past the point of no return: with virtualized, cloud-based computing, cyberspace now lives in hyperspace!
Have you heard of the theory of positive control?
Positive control means managing everything in a computer system, hardware, software, and data, from creation to destruction. Unfortunately, positive control no longer exists; there is no 100% positive control over modern systems, especially in the cloud. Yet a traditional integration point with critical infrastructure still exists, and it is where modern hyperspace meets the 1970s.
The concept is easiest to see as the gap between the perceived connection, an application that monitors a critical infrastructure system, and the reality of connecting a hand-held mobile device, via an app, to pressure monitoring in a natural gas piping system. I’ve drawn out both views below to make this easier for you.
Perceived use of a mobile device to view pipeline control system.
Pipeline graphic provided by https://www.vecteezy.com/vector-art/7885610-isometric-design-concept-illustration-industrial-pipe-factory-for-oil-and-gas
Reality view of mobile device connections used to monitor the critical piping network.
References: the past, present, and future attacks graphic is from Part 1; the gas piping graphic is credited above.
We don’t always realize that we are connecting to the Internet, and what we don’t see can harm us.
So, you were keen, and you noticed the two lightning bolts on the handheld tablet. Those bolts signify the two connections that let the technician move around onsite and offsite without losing connectivity. Modern mobile devices use Wi-Fi, cellular data plans, and Bluetooth in most instances. A cellular data plan puts the device on a carrier network shared with personal cell phones, building alarms, automobiles, and more Internet of Things (IoT) devices than you can imagine, even the family iPad, chock full of online games and ads! Most organizations do not have policies for Wi-Fi and virtual private networks (VPNs) that disable split tunneling. Split tunneling is not a network bridge, but it lets a device reach resources on both networks at once: the VPN carries traffic for the corporate or control network, while everything else goes straight out over the Wi-Fi or cellular link. In this case the mobile app, hosted in that ominous cloud, rides the device’s connections to gain direct access to the critical piping control system. And in the background of the Internet, all past, present, and future cyber attacks are happening before our eyes, because all of these critical control systems are now part of the global meshed network, the ubiquitous Internet.
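One way to tell whether a device is actually split tunneling is to read its routing table rather than its VPN policy. The Python below is an added example, not code from the original article: it parses routing output in the format of Linux `ip route show` and asks the two questions raised above, whether the control network is reached through the VPN, and whether general Internet traffic is too. The interface names (tun0, wlan0), the control-network prefix 10.50.0.0/16, the probe address and both routing tables are constructed assumptions for the example.

```python
"""Classify a host's routing table as full-tunnel, split-tunnel or no VPN.

Added example, not code from the original article. The input format is that
of Linux `ip route show`; interface names, prefixes and both sample tables
below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# destination, optional gateway, and the outgoing interface of one route line
ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s+(?:via\s+(?P<gw>\S+)\s+)?dev\s+(?P<dev>\S+)")


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    gw: Optional[str]


def parse_routes(text: str) -> List[Route]:
    """Turn `ip route show` output into Route objects; lines that are not routes are skipped."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append(Route(ipaddress.ip_network(dst, strict=False), m.group("dev"), m.group("gw")))
    return routes


def route_for(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies when it forwards a packet."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen) if matches else None


def classify_tunnel(text: str, vpn_dev: str = "tun0",
                    control_net: str = "10.50.0.0/16", probe_ip: str = "8.8.8.8") -> str:
    """Split tunnel: the control network is reached via the VPN interface while
    general Internet traffic (represented by probe_ip) leaves over another interface."""
    routes = parse_routes(text)
    if not any(r.dev == vpn_dev for r in routes):
        return "no-vpn"
    control_host = str(ipaddress.ip_network(control_net)[1])  # first usable host in the prefix
    control = route_for(routes, control_host)
    internet = route_for(routes, probe_ip)
    control_via_vpn = control is not None and control.dev == vpn_dev
    internet_via_vpn = internet is not None and internet.dev == vpn_dev
    if control_via_vpn and internet_via_vpn:
        return "full-tunnel"
    if control_via_vpn:
        return "split-tunnel"
    return "vpn-up-control-net-unreachable"


# Constructed sample: default route stays on Wi-Fi, only the control prefix uses the VPN.
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.50.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Constructed sample: two /1 routes via the VPN out-rank the Wi-Fi default route.
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "->", classify_tunnel(table))
```

The full-tunnel table uses the common VPN-client trick of two /1 routes through the tunnel, which beat the Wi-Fi default route on longest-prefix match without deleting it; the split table leaves the default route on Wi-Fi and puts only the control prefix on tun0. On a live host, feed the function the output of `ip route show` and treat anything other than "full-tunnel" as a policy finding.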
In our example, the gas piping pressure monitoring app is a major time saver, letting technicians roam the plant and beyond while watching gas pressures. As basic as the value proposition seems, the capability carries immense control system risk. The piping control technologies lack modern security capabilities, yet they are easily bolted onto the cloud, and that is why I call it hyperspace meets the 1970s.
If you haven’t done so, please read Part 1 for a global view of critical infrastructure cyber groups, targeted industries, and their countries of origin.
A quick lesson on the five vulnerabilities of the Internet, from Paul Rosenzweig’s lecture “The Five Gateways of Internet Vulnerability” on The Great Courses.
“The Internet destroys time and space, allowing for almost instantaneous action at a distance.”
“The Internet is an asymmetric medium, allowing actors to project force disproportionate to their size, strength, or wealth.”
“The Internet allows for anonymous action, in ways that are completely unlike actions in the physical world.”
“The Internet is essentially a borderless domain, with no checkpoints or guards monitoring traffic as it crosses international boundaries.”
“In cyberspace, the 1s and 0s all look the same. They lack what we call distinction, and so (for example) we’re unable to distinguish between commercial information and a cyber attack.”
You can learn more about Paul Rosenzweig’s quotes and lessons by visiting Thinking about Cybersecurity: From Cyber Crime to Cyber Warfare on TheGreatCourses.com.
In summary, an adversary can:
Attack at great speed,
With marginal resources,
While remaining unidentified,
From anywhere in the world, and
While appearing completely benign on the Internet as we know it today.
Without a doubt, the two countries that have gamed these five Internet vulnerabilities, unlike any other in the world, are China and The United States of America.
In this part, I focus on major critical infrastructure attacks tied to China and the United States of America, noting the techniques used and the international legal considerations that may or may not apply. The source material is at https://hub.tisafe.com/, in the MITRE ATT&CK® Framework, and in the Tallinn Manual 2.0; the correlations are my own. If this is the first you’ve heard of the Tallinn Manual, its full title is Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, and it is the most comprehensive international cyber law reference I know of.
The Art of (Cyber) War, China
I start this section as I will all other sections about specific adversaries. This is all information sourced from the public domain, as I have discovered and cited throughout. The adversarial information does not reflect my opinion or the views of any person or nation-state I know.
Sun Tzu was a 5th-century BC military strategist famously known for authoring The Art of War. I quote Tzu here to highlight some key trends in Chinese cyber operations that follow his teachings on deception, deliberate action in war, and espionage to the letter.
“The art of war is of vital importance to the State,” Tzu begins, and goes on to explain how to plan, adapt, and maintain rule through warfare.
Tzu goes on to describe the concept of “Energy” in war as deceptive, always hiding the State’s and its generals’ true capabilities and intentions during active warfare. To build Energy, Tzu stated, “Simulated disorder postulates perfect discipline; simulated fear postulates courage; simulated weakness postulates strength.”
Tzu clarified this “Energy” for battle: “concealing courage under a show of timidity presupposes a fund of latent energy; masking strength with weakness is to be effected by tactical dispositions,” undoubtedly Tzu’s version of a wolf in sheep’s clothing.
Finally, Tzu instructed with the clearest intentions of war, “The Attack (will be) By Fire.”
However, before one can win the war, Tzu stated, “…what enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is FOREKNOWLEDGE,” in The Art of War, The Use of Spies.
“Beyond the reach of ordinary men” is quite a statement! Many would say this art of war has proven itself time and again, considering how many wars were lost through ignorance of the enemy’s capabilities, alliances, and resources.
And to think, Tzu instructed his Chinese brethren in these winning lessons more than 2,500 years ago. To use a metaphor, Tzu’s “Energy” can be likened to a nation-state’s power over the Internet, and that power is fed by command of the five Internet vulnerabilities outlined in the last section.
You can learn more about Sun Tzu’s The Art of War by visiting https://suntzusaid.com/.
Enter the People’s Republic of China and modern cyberwarfare.
Red October, Bronze Atlas, Night Dragon, and Elderwood are all well-documented, impactful espionage campaigns against critical infrastructure that have been linked to China (Red October is the weakest link in that list: its exploit code was Chinese-made, but its operators appeared to be Russian-speaking). Unlike the Russian cyber threats listed in Part 1, these focused on reconnaissance, a.k.a. “FOREKNOWLEDGE.” The focus here will be on one threat actor group affiliated with China, Night Dragon, to explain China’s threat.
Night Dragon
Night Dragon was a coordinated cyber espionage campaign against global oil, gas, energy, and petrochemical companies that McAfee compared to the Operation Aurora campaign. McAfee dated the activity to at least November 2009, with some evidence reaching back to 2007, and the full amount of information stolen is unknown. In February 2011, McAfee released a white paper, Global Energy Cyberattacks: “Night Dragon,” spelling out everything from the structure of the attacks to the attribution of one individual in Heze City, Shandong Province, China. McAfee stopped short of naming him as the operator: he ran a hosting business that advertised bargain basement prices for leased servers in the United States with no records kept, and those servers became the campaign’s command-and-control infrastructure. The password utilities and remote-access malware used on victims were of Chinese origin and common on Chinese underground forums, which McAfee took as indicators of where the campaign was run from.
Why on Earth would anyone use malware to gain insight into oil and gas field production, supervisory control and data acquisition (SCADA), and production financial systems in countries like the United States of America, Greece, Taiwan, and Kazakhstan, if not to learn how to cripple critical infrastructure and cause massive economic fallout? Night Dragon’s tactics also show how China has commanded all five Internet vulnerabilities: the instantaneous medium, the asymmetric attack surface, anonymity, the lack of borders, and the lack of distinction. And they did it over several years while going undetected for most of that time.
What if another country was caught committing espionage or stealing a nation’s secrets?
Night Dragon threat actors used multiple techniques and software tools (malware) to perform reconnaissance and espionage. Techniques included spear phishing, use of compromised valid domain accounts, password cracking, file obfuscation, exploitation of external remote services, disabling or modifying defenses to evade detection, and collection of data from local systems. These actions resemble a few of the Russian-based attacks I explained in Part 1, except that great effort went into remaining hidden, and the job was to collect information. The target was knowledge of other countries’ oil, gas, chemical, and energy control systems and operations, i.e., SCADA. This was purely espionage, not petty theft; it was highly sophisticated, coordinated, and resourced. We observed the nation-state equivalent of cloak and dagger, except that instead of a dagger we should anticipate a slow and painful firestorm.
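Several of those techniques leave a recognizable trace on an externally exposed remote service: a burst of failed logons from one source, followed by a success, which is password cracking or spraying turning into use of a valid account. The Python below is an added detection example, not code from the article or from McAfee’s Night Dragon report. The log format, the host name extranet-vpn, the user names and the source addresses are constructed for illustration.

```python
"""Flag failed-logon bursts that end in a successful logon on an exposed service.

Added detection example, not code from the article or from McAfee's Night
Dragon report. The log format, host name, user names and addresses below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse_events(lines: List[str]) -> List[Dict]:
    """Parse one logon record per line; unrelated lines are skipped, output is time-ordered."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_cracking_then_login(events: List[Dict], threshold: int = 5,
                               window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert when a source IP logs on successfully after at least `threshold`
    failures within `window`. One user behind the failures reads as password
    cracking; many users from the same source reads as password spraying."""
    recent_failures = defaultdict(list)   # src -> [(timestamp, user), ...]
    alerts = []
    for e in events:
        src = e["src"]
        # drop failures that have aged out of the window
        recent = [f for f in recent_failures[src] if e["ts"] - f[0] <= window]
        if e["result"] == "FAIL":
            recent.append((e["ts"], e["user"]))
            recent_failures[src] = recent
            continue
        if len(recent) >= threshold:
            users = {user for _, user in recent}
            alerts.append({
                "at": e["ts"].isoformat(),
                "host": e["host"],
                "src": src,
                "user": e["user"],
                "failures": len(recent),
                "pattern": "password cracking" if len(users) == 1 else "password spraying",
            })
        recent_failures[src] = []   # a success closes the episode for this source
    return alerts


# Constructed sample log: one cracking episode, one benign typo, one spraying episode.
SAMPLE_LOG = """
2011-02-14T03:10:01Z host=extranet-vpn user=jsmith src=203.0.113.7 result=FAIL
2011-02-14T03:10:03Z host=extranet-vpn user=jsmith src=203.0.113.7 result=FAIL
2011-02-14T03:10:06Z host=extranet-vpn user=jsmith src=203.0.113.7 result=FAIL
2011-02-14T03:10:08Z host=extranet-vpn user=jsmith src=203.0.113.7 result=FAIL
2011-02-14T03:10:11Z host=extranet-vpn user=jsmith src=203.0.113.7 result=FAIL
2011-02-14T03:10:14Z host=extranet-vpn user=jsmith src=203.0.113.7 result=OK
2011-02-14T03:11:00Z host=extranet-vpn user=mlee src=198.51.100.4 result=FAIL
2011-02-14T03:11:30Z host=extranet-vpn user=mlee src=198.51.100.4 result=OK
2011-02-14T03:20:00Z host=extranet-vpn user=alice src=192.0.2.9 result=FAIL
2011-02-14T03:20:01Z host=extranet-vpn user=bob src=192.0.2.9 result=FAIL
2011-02-14T03:20:02Z host=extranet-vpn user=carol src=192.0.2.9 result=FAIL
2011-02-14T03:20:03Z host=extranet-vpn user=dave src=192.0.2.9 result=FAIL
2011-02-14T03:20:04Z host=extranet-vpn user=erin src=192.0.2.9 result=FAIL
2011-02-14T03:20:05Z host=extranet-vpn user=frank src=192.0.2.9 result=OK
"""


def run_sample() -> List[Dict]:
    """Run the detector over the constructed log; returns the alert list."""
    return detect_cracking_then_login(parse_events(SAMPLE_LOG.strip().splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single failed logon from 198.51.100.4 stays below the threshold and produces nothing, which is the point of keying on the failure count rather than on any failure at all. The distinction between cracking and spraying matters for response: the first means one account’s password is weak or stolen, the second means an attacker has a list of your valid user names and is working through the service methodically.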
When we tie the knowledge gained by China to its possible uses in weakening an enemy during war, we have what Tzu would call “FOREKNOWLEDGE.” I could infer that Tzu’s use of spies constitutes a war-type activity; however, I’d probably be wrong. Domestic statutes such as the US Espionage Act of 1917 make espionage a crime, and for a country’s own nationals possibly treason, but it is hard to call it an act of war when no harm was done. If an individual is caught, they most likely bear the full brunt of the charge, not their nation-state employer.
According to page 323 of the Tallinn Manual 2.0, “Cyber espionage per se, as distinct from the underlying acts that enable the espionage …, does not qualify as intervention [in another state’s affairs] because it lacks the coercive element.” The Manual continues on the same page: “In the view of the International Group of Experts, this holds true even where intrusion into cyber infrastructure to conduct espionage requires the remote breaching of protective virtual barriers (e.g., the breaching of firewalls or the cracking of passwords).” Ultimately, the Manual’s International Group of Experts holds that cyber espionage which causes no damage does not amount to prohibited intervention, let alone an act of war.
China’s actions appear to reflect its foreknowledge and wisdom beyond that of ordinary men.
Life, Liberty and the pursuit of (Cyber) Happiness, The United States of America
I start this section as I will all other sections about specific adversaries. This is all information sourced from the public domain, as I have discovered and cited throughout. The adversarial information does not reflect my opinion or the views of any person or nation-state I know.
Citizens of the United States of America typically learn early in life about the Declaration of Independence and our country’s founding in 1776. In Jefferson’s draft of that declaration, our rights were put thusly: “…all men are created equal & independent, that from that equal creation they derive rights inherent & inalienable, among which are the preservation of life, & liberty, & the pursuit of happiness.”
As a citizen of the United States of America, I know this applies to all interpersonal dealings, locally, internationally, and online. These are core values, so to speak: life, liberty, and the pursuit of happiness. From a cyberspace perspective, the United States of America preserves these rights for its citizens:
Life – everyone can access and exist online,
Liberty – users may use the Internet as they choose,
The pursuit of happiness – the Internet is not a tool to control or encumber its citizens,
Cyberspace is similar to the physical realm: all of this applies unless you break the law.
As a citizen, it’s hard to describe the United States of America in adversarial terms. At the core of who I am, I know that my country is great and has been great to me. I am also convinced that the United States of America is the world’s most significant and most capable cyber and military power. Because of those core values, we call everything war-related a defensive activity (military spending is “defense” spending). As a local, I know these activities are all designed to preserve life, liberty, and the pursuit of happiness. Unfortunately, other countries’ citizens don’t always agree.
This is where I must take an honest look at the United States of America’s cyber activities. According to the Council on Foreign Relations’ cyber operations tracker, the threat actor “United States” has been responsible for numerous cyber incidents, including operations against China, Iran, North Korea, and Russia. The most famous is STUXNET, possibly the best-known cyber incident involving an industrial control system because of the planning, coordination, resources, and overall sophistication required to pull it off. STUXNET demonstrated that the United States of America had complete command over the five Internet vulnerabilities.
STUXNET
Siemens
Between 2008 and 2010, STUXNET was a cyber weapon built to worm its way through the internal networks of Iran’s Natanz uranium enrichment facility once introduced, find Windows machines running Siemens Step 7 and WinCC engineering software, reprogram the programmable logic controllers (PLCs) behind them, and slowly, methodically, incrementally, and totally destroy the centrifuges used for uranium enrichment. STUXNET succeeded in Iran and, like many other forms of malware, spread far beyond its apparent target. As a worm, it moved over infected USB drives and local networks, from contractors’ and engineers’ computers outward, and was found in Indonesia, India, Azerbaijan, the United States, Pakistan, and many other countries.
Once researchers realized STUXNET was little more than a massive nuisance on any computer or control system outside the Natanz enrichment plant, they concluded that the PLC changes, which fired only on the exact equipment configuration found at Natanz, must have been developed with significant insider knowledge to be that precise. In contrast to the reverse engineering done by the Russian-based BlackEnergy actors, whose purpose was immediate outages and damage, STUXNET was meant to cause slow, lasting damage while hiding its activity from engineers and operators and keeping everyone in the dark about who was behind it.
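The operational lesson practitioners took from STUXNET is that a PLC which has been reprogrammed can also lie to the HMI, so the operator’s screen is not evidence of what the equipment is doing. The Python below is an added example, not code from the article or from any published STUXNET analysis: it cross-checks the drive frequency reported through the PLC to the HMI against an independent meter the PLC cannot rewrite, and flags both sustained disagreement between the two and speeds outside a safe band. The 800 to 1200 Hz band, the 25 Hz tolerance, the three-sample minimum run and the telemetry itself are all constructed assumptions for the example.

```python
"""Cross-check HMI-reported drive frequency against an independent meter.

Added example, not code from the article or from any published STUXNET
analysis. The safe band, tolerance and telemetry below are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since start of the window
    hmi_hz: float     # drive frequency as reported through the PLC to the operator screen
    meter_hz: float   # drive frequency from a meter on the drive output, outside the PLC's reach


def detect_hidden_manipulation(samples: List[Sample],
                               band_hz: Tuple[float, float] = (800.0, 1200.0),
                               mismatch_hz: float = 25.0,
                               min_run: int = 3) -> List[tuple]:
    """Two independent findings:
    ('mismatch', t_start, t_end)  HMI and meter disagree by more than mismatch_hz
                                  for at least min_run consecutive samples (the PLC
                                  is showing the operator something other than reality);
    ('out_of_band', t, meter_hz)  the meter shows a speed outside the safe band,
                                  regardless of what the HMI claims.
    A single disagreeing sample is ignored so ordinary sensor noise does not alert."""
    findings = []
    run: List[Sample] = []
    for s in samples:
        if abs(s.hmi_hz - s.meter_hz) > mismatch_hz:
            run.append(s)
        else:
            if len(run) >= min_run:
                findings.append(("mismatch", run[0].t, run[-1].t))
            run = []
        if not band_hz[0] <= s.meter_hz <= band_hz[1]:
            findings.append(("out_of_band", s.t, s.meter_hz))
    if len(run) >= min_run:   # a run still open at the end of the window
        findings.append(("mismatch", run[0].t, run[-1].t))
    return findings


# Constructed telemetry: the HMI reports a steady 1064 Hz throughout, while the
# independent meter sees the drive pushed well above the safe band and back again.
TELEMETRY = [
    Sample(0, 1064.0, 1063.6),
    Sample(1, 1064.0, 1064.2),
    Sample(2, 1064.0, 1064.0),
    Sample(3, 1064.0, 1098.0),   # one noisy reading, shorter than min_run: ignored
    Sample(4, 1064.0, 1064.1),
    Sample(5, 1064.0, 1180.0),   # drive speeds up, HMI still shows nominal
    Sample(6, 1064.0, 1300.0),
    Sample(7, 1064.0, 1410.0),
    Sample(8, 1064.0, 1410.0),
    Sample(9, 1064.0, 1410.0),
    Sample(10, 1064.0, 1064.3),  # back to normal: exactly what the operator saw all along
]

if __name__ == "__main__":
    for finding in detect_hidden_manipulation(TELEMETRY):
        print(finding)
```

The two checks are deliberately independent. The mismatch check catches the deception even when the attacker keeps the real speed inside the safe band, and the out-of-band check catches a dangerous speed even if the attacker manages to corrupt the comparison. Either one firing is grounds to treat the PLC program as untrusted and compare it against the last known-good project file.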
A couple of years later, Edward Snowden, the man who leaked secrets about our National Security Agency, claimed that the United States of America worked with Israel to co-write STUXNET. Snowden’s claims corroborated the 2012 New York Times article about President Obama’s orders to accelerate cyber attacks against Iran.
What if another country blatantly attacked and slowed down another country’s abilities to create weapons of mass destruction?
STUXNET was the first recognized malware designed specifically to cause physical destruction of critical control systems. Few would dispute that it significantly hindered Iran’s nuclear development program, or that the United States of America wanted exactly that. The worm did spread far more widely than its target, but because its destructive payload fired only on the equipment configuration at Natanz, its authors could credibly claim that it was tailored to cause destruction only in Iran. In that respect STUXNET was precise, unlike the Russian-based NotPetya wiper, which indiscriminately destroyed systems at companies worldwide and caused billions of dollars in losses. With STUXNET we have a very specific, targeted cyber operation, with LASER-like precision, that went off with very little collateral damage.
According to page 415 of the Tallinn Manual 2.0, a “cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” By that definition, STUXNET was a cyber attack within a cyber operation against Iran. Page 467 adds, “Cyber attacks that are not directed at a lawful target, and consequently are of a nature to strike lawful targets and civilians or civilian objects without distinction, are prohibited.” Measured against that rule, STUXNET appears to have been a directed strike against a military-related target, with no injury to civilians and no damage to civilian objects. Two caveats matter here, though: the Manual’s rules on attacks apply to operations conducted during an armed conflict, and the Manual records that its experts were divided on whether STUXNET’s effects rose to the level of an armed attack. So the most that can be said is that STUXNET appears not to have violated the Manual’s rules on distinction, not that international law has cleared it.
Wrapping up part two
In this two-part mini-series, I’ve introduced the three most prominent cyber adversaries targeting critical infrastructure, Russia, China, and the United States, and their approaches. I’ve also mentioned other key players capable of offensive and defensive operations in both articles, although not in detail.
This Part 2 article focused on techniques used by China and the United States of America, but not as much on defenses against those techniques, partly because the defenses in Part 1 of this series apply to these attacks too. It was also important to call out key societal elements that help characterize these two countries. Combined with Part 1, we can now sketch some basic signatures of critical infrastructure cyber attacks from each of these adversaries.
In summary, these threats can be characterized as follows:
Russia, the “Reckless”
Effective at taking down critical infrastructure on multiple occasions.
Collateral damage to civilian organizations has been high.
The attacks met the Tallinn 2.0 definition of a cyber attack, and the motive was clear: take down critical infrastructure serving civilians. Under international codes of conduct this could be considered unlawful, possibly a war crime.
Attribution remains contested, and that is possibly the only reason Russia has not been held to account for war crimes.
China, the “Wise”
Effective at stealing vast quantities of information about nation-states and critical infrastructure.
Zero collateral damage, although the information could lead to catastrophic civilian impacts.
Cyber espionage does not meet the definition of a cyber attack; although civilian companies’ data was compromised, this would not be considered an international war crime under the Tallinn Manual 2.0’s explanations.
Attribution reached an individual in China who supplied the hosting infrastructure, but not the operators themselves; the generic tooling and the scale of the reconnaissance made it hard to tie every technique and malware sample back to China.
The United States of America, the “Great”
Effective at the proactive dismantling of a nation-state’s nuclear development activities.
Minimal collateral damage; the civilians whose computers were infected were not the intended targets and suffered no harm or injury.
The attack met the Tallinn 2.0 definition of a cyber attack, and the motive was clear; the target was distinguishable military development equipment, and because civilians were not the target it would not be considered an international war crime under the Tallinn Manual 2.0’s explanations.
Attribution came from a witness; however, that witness had a bias, and his motives were tarnished by other illegal behavior.
In conclusion, if Russia is Reckless, China is Wise, and the United States of America is Great, where does that leave the rest of the world? I will pose this question in a different form. If the Reckless is hasty, the Wise is patient, and the Great always has to win, what does it take to defend against each? In contrast, what would adversaries do to attack each, respectively?
And, still, something must be said about Dr. Rosenzweig’s Five Gateways of Internet Vulnerability. Perhaps a deeper dive is necessary to analyze them more completely and bounce each of these countries’ signatures off each of the five. Maybe then we’ll crack that code. For now, friend or foe, you be the judge of whether any one country is an adversary or a defender of freedom.