
Differences in Chinese and Russian security philosophies and how the United States should counter


Shanghai's northern suburb of Gaoqiao, alleged to be the home of a Chinese military-led hacking group

The Hacker’s Code

I enjoy hacking.  The intrigue, digging through arcane protocol specs in order to discover some new architectural design flaw or idiotic programmer bug, and the excitement surrounding a mysterious hidden world that few are capable of experiencing, in my mind is akin to losing yourself deep in a software coding problem, something that my friend, who runs IT services in London, agreed is common to any pen tester or security expert fanatic.  I consider myself a white-hat, maybe gray-hat hacker (depends on my mood).  Like Showtime’s Dexter, I have a specific, well-defined “code” that I follow.  I’m not a bad guy intent on breaking into an unsuspecting company’s network to wreak havoc or steal corporate secrets but rather, am seeking the challenge of the hack and the experience I glean from the attempt – in addition to stopping the attacks China and Russian hackers have directed at my servers.   And yeah, I think the government’s philosophy regarding cybersecurity-countermeasures should, and will, change to promote a more offensive response to targeted attacks against American servers.

Here’s the code I follow:

  1. Firstly, the target must have attacked me first.  I’m not talking about a quick drive-by scan but rather, a relentless attempt to break into one of my machines means I will take an offensive tack in order to stop the attack.
  2. I only respond to foreign attacks.  Yeah, that sounds pretty nationalist, maybe even racist, but it’s a fact.  I won’t go after American hackers primarily because the American law could decide to go after me.  But if the target is from Russia, China, Korea, or other foreign entity that seems to counter American interests then for me, they’re open game.
  3. If I successfully penetrate a machine, I do not break or tear anything up.
  4. I do not steal anything.  Period.  No exceptions.  Even “turn about is fair play” philosophy does not apply here.

It’s a pretty simple code to follow and one that I feel justifies my attempt, both morally and legally, to break into a target machine.  Still, in an era where we are not really sure if a simple honeypot violates electronic communications laws (some feel a honeypot could be perceived as an illegal wiretap), there’s always a bit of legal risk involved so occasionally I proxy through proxychains using a secure proxy or TOR connection.

Differences in Chinese and Russian cybersecurity

Chinese hackers

In my hacking endeavors, I’ve found the differences in Chinese and Russian architectures to be intriguing.  In many ways, their security architecture and cybersecurity philosophy falls right in line with how we (Americans) perceive their political systems.  Notwithstanding the fact that Chinese networks are the only ones in the world built upon the more secure IPv6 architecture and that their government supposedly authorizes its citizens to initiate cyberattacks against “enemies of the state” without retribution, their defenses in many ways follow a “closed door” philosophy.  Hack at a Chinese network and you’re going to find one of two things – zero ports open or 65,535 deceptively faked open ports.  There’s no in between.

Unlike the American philosophy, “allow everyone in and only block the bad guys”, the Chinese philosophy tends to be just the opposite.  China’s networks lean more towards blocking everyone and only allowing known users access to their networks and systems.  It makes a great defensive platform but one that could potentially be compromised with a bit of proxy manipulation (i.e. bounce off a Chinese-based proxy server and hope that (1) the proxy doesn’t publicly disclose that they are a proxy service and (2) the proxy is not a well-known proxy service).

Chinese methods of compromise are surprisingly simple, following a simple, “canned” approach in their attack.  Routine scans following the “flavor of the month” are common as they look for well-known vulnerabilities.  Their scans appear to be drawn out, a few scans every three days, but consistent and persistent.  Many Chinese attacks carry on for months (hence another reason to run an IDS system that easily identifies these persistent attack vectors).

Russian hackers

Compare that to the Russian philosophy which pretty much mirrors their “wild west” political environment.  Scan a Russian machine and you will likely find sloppy open ports and vulnerable systems ready for the taking.  But then, just as your mouth is watering and your fingers are beginning to twitch, you launch a brute force Hydra attack against port 22 and you will find, within minutes, that someone on the other end is indeed paying more attention than you’d initially thought.  In every instance that I have attempted to aggressively brute force a Russian machine (especially if they are located in Moscow), and I don’t mean sometimes or most of the time, but *every time* I have attempted it, within minutes my entire network is shut down by a DDoS counter attack.  All of my computers drop their connections, my television sets all shut down, even my telephone stops working – anything connected to the IP network is knocked down.  It’s pretty cool to see and I’ve demonstrated it for family and friends on more than one occasion.  Russia definitely follows an “offensive” minded counter-attack philosophy.

Russian scans on your network go all out with many leaving you scratching your head wondering what they are up to.  They are great at identifying new vulnerabilities, before anyone else, and using them to their advantage until the world finally catches on.  They will scan hard, more of a blitzkrieg approach, then leave if easy entry is not found.
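The two scan patterns described above, a few probes every three days that keep coming back for months versus a blitz that hits everything at once and leaves, are exactly what an IDS rule or a log-review script should separate. The following Python is an added example, not code from the original post: it classifies constructed firewall DROP lines by timing rather than volume; the log format, the addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall DROP lines (example data, not from the original post):
# 203.0.113.7 probes one port every three days for over a week,
# 198.51.100.9 hits five ports inside a minute, 192.0.2.44 is a single drive-by.
SAMPLE_LOG = """\
2013-03-01T02:14:07 DROP src=203.0.113.7 dpt=22
2013-03-04T01:58:41 DROP src=203.0.113.7 dpt=443
2013-03-07T03:02:13 DROP src=203.0.113.7 dpt=3306
2013-03-10T02:44:55 DROP src=203.0.113.7 dpt=22
2013-03-05T14:00:00 DROP src=198.51.100.9 dpt=21
2013-03-05T14:00:03 DROP src=198.51.100.9 dpt=22
2013-03-05T14:00:05 DROP src=198.51.100.9 dpt=23
2013-03-05T14:00:09 DROP src=198.51.100.9 dpt=25
2013-03-05T14:00:12 DROP src=198.51.100.9 dpt=3389
2013-03-09T09:10:00 DROP src=192.0.2.44 dpt=22
"""

LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dpt=(\d+)$")

def parse_log(text):
    """Group (timestamp, destination port) events by source address."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
    return events

def classify(events, min_span_days=7, burst_window=timedelta(minutes=5), burst_hits=5):
    """Label one source's events by their timing pattern (thresholds are assumed)."""
    times = sorted(t for t, _ in events)
    span = times[-1] - times[0]
    # Burst: burst_hits or more drops inside burst_window anywhere in the sequence.
    for i in range(len(times) - burst_hits + 1):
        if times[i + burst_hits - 1] - times[i] <= burst_window:
            return "burst"
    # Low-and-slow: few hits, but they keep returning across days or weeks.
    if span >= timedelta(days=min_span_days) and len(times) <= span.days:
        return "low-and-slow"
    return "background"

def summarize(text):
    return {src: classify(ev) for src, ev in parse_log(text).items()}

if __name__ == "__main__":
    for src, label in summarize(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
```

A per-source span of a week or more is what separates the persistent scanner from background noise; a rule that only counts hits per hour never sees it.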

Contrasted to each other – China vs. Russia vs. United States

The purpose of Russian and Chinese attacks seems to differ too.  Alarmingly, successful Chinese penetration of your network systems may go unnoticed as they rarely boast of successful attacks, instead preferring to silently own the system for as long as possible while they secretly siphon information off the wires.  Russians on the other hand, attack without boundaries and once they successfully gain control of a system, use it all out, unrestrained, for purposes ranging from operation of illicit web sites to (more commonly) using the compromised box as a platform for further attacks.

Contrast both Chinese and Russian security philosophies with the typical American technique of throwing up a firewall and forgetting about it.  Most American companies (and private citizens) do run firewalls but then commence to opening ports, whether on purpose or for testing reasons, and then forgetting about them.  Most do not run IDS (Intrusion Detection Systems) or IPS (Intrusion Protection Systems) nor do they routinely monitor their network interfaces and log files for nefarious activity.  As a result, the number of compromised networks is almost certainly higher than their Chinese and Russian counterparts.  We’ve let our guard down when it comes to network system security and now there is hell to pay.

Countering Chinese and Russian Cyberattacks

This begs the question, which method, the Chinese “lock everything down” or the Russian “hack me and I’ll kick your ass” strategy is best?  The answer in my opinion, gray as it may seem, is – a little of both.  Americans need to do more than throw down a firewall and forget about it.  They should be running IDS solutions and regularly monitoring their reports.  They should run log file reporting systems (e.g. Splunk) that aggregate log files and provide easy summary access to the log file output.  They should not be afraid to lock out entire network blocks for fear of offending someone or “repressing” their right to information.  Close the door and only answer it when someone you know knocks and identifies themselves.

At the same time, a more “offensive” reaction to hacker attacks is also warranted.  Without an offensive-minded counter attack philosophy, America is disregarding their greatest asset – the expertise of their technical community, which arguably is the top technical powerhouse on the planet.  Albeit in a day and age where the legal standing of a simple honeypot remains in question, an offensive reaction should still be taken, at least until someone tests the court system to find out whether it is legal or not or the United States government makes their cybersecurity position a bit clearer.

Afraid of getting blood on your hands?  You can go on the offensive in “baby steps” too.  For instance, move SSH off of port 22 (a good idea anyway) and in its place, install a Kippo SSH honeypot to monitor illegal hacking attempts targeted at your shell service.  When a persistent attack is detected on your network, don’t hesitate to take advantage of your ISP’s “burst” exclusion – turn your on-demand big cannons towards the attacker and launch an all-out DDoS firestorm for 15 minutes or so – just enough to let them know that you are aware of their attempts to crack your system and that the turn-about harassment card is on the table.  As with a typical Russian DDoS counterattack response, in all likelihood this will, at the very least, stop the script kiddies in their tracks.

So how does a hacker counter the differing cybersecurity philosophies and infrastructure differences between these two superpowers?  Oddly, each one has a key point that must be kept in mind if you are going to successfully penetrate their defenses.  For the China networks, you’ll have much better luck utilizing a China-based proxy service.  Understand though, that proxy services often disclose that they are proxying for you and in addition, some Chinese proxy services are well known.  Each of these facts in themselves may be enough to trigger a Chinese response.

Regarding Russia (and let’s face it, they are much better at penetrating systems than the Chinese), the key is simply – be stealthy.  Don’t try to aggressively brute force services – be patient and persistent.  If a scan is blocked, switch to proxychains and try again.  Don’t brute force with nmap at its comprehensive setting but instead, utilize nmap’s built-in stealth facilities.  Although this rule generally applies to everyone, it is especially true with Russian targets – you gotta sneak in, quietly, without arousing their suspicions (which in all honesty, is going to be a lot tougher to do than it sounds).

Oh, and for both, don’t forget that you’re dealing with a foreign entity.  Use the right dictionary for the occasion.  And yeah, you might want to cover your tracks just in case the U.S. decides to start allowing extraditions (ha, imagine the firestorm that would create).

Is this insanity?

Does this sound atrocious to you?  Think about this – a boxer who thinks he can spend three rounds in the ring holding his hands up, playing pure defense, is going to get knocked out eventually.  It’s not a matter of *if* it will happen but *when*.

Recall the Google vs. China battle that took place a while back.  Google’s delta force not only discovered the attackers’ origin but also found evidence that the hackers had attacked 33 other companies, big names like Adobe, and that the onslaught actually came from China, not Taiwan.  More to the point, “much of the evidence, including the sophistication of the attacks, strongly suggested an operation run by Chinese government agencies, or at least approved by them”.  Google didn’t sit around and do nothing – they went on the offensive and realized utility from their actions that could be used to thwart further Chinese attacks.

Remember the New York Times incident where China cracked NYT’s systems, gaining access to the newspaper’s internal systems.  The New York Times didn’t just put more firewalls in place but went one step further – they hired Mandiant, a 9-year-old Virginia-based firm, to investigate the break-ins.  Do you think all the information obtained in the Mandiant report came via word of mouth?  Hardly.  Mandiant reportedly counterattacked, running their own espionage campaign to gather evidence and out the attackers.

Times have changed and the American response to cyber attacks must change too.  Matt Pottinger, CEO of Asia-focused consulting firm China Six LLC, put it best.

“Americans don’t live in a safe neighborhood anymore. In terms of our digital security, we’ve gone from living in Logan, Utah to Logar, Afghanistan in less than a decade.”

Got a tip on hacking back?  Share it below!