PRC Cyber Capabilities Study

A report prepared by Northrop Grumman on Chinese capability to wage information warfare offers some valuable insights into the nature of professional and national security cyber-attack teams.


“Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation”
Prepared for The US-China Economic and Security Review Commission
by Northrop Grumman Corporation Information Systems Sector

The following are a few key excerpts from one section of the report:

Operational Profile of An Advanced Cyber Intrusion

The scale of this operation, which also targeted other large US companies within a several-week period, suggests a disciplined command and control structure, a means of sharing specific data collection requirements for various targeted companies and the capability to collate and process extremely large volumes of data once exfiltrated. Additionally, in this specific incident at least, the attackers selected the data for exfiltration with great care. Though they had the opportunity, they did not simply “take what they could get” and leave; rather, they chose specific files, often ignoring related information in adjacent directory locations, activity which suggests these attackers were disciplined and operating from a specific list of collection requirements, a characteristic usually only found in highly professional operations.

During the incident described below, the attackers did not open and review file contents—though they had the required file permissions—but instead navigated immediately to the files or folders they wanted and began the steps necessary to exfiltrate them, suggesting that they had reviewed the directory contents offline and that they had already gained access to this firm’s network to conduct detailed reconnaissance, including the possible exfiltration of file directory listings.

These types of operational techniques are not characteristic of amateur hackers operating in widely dispersed geographic areas. While the affiliation of the individual operators is impossible to establish, the coordination required to stage this operation suggests that even if these were freelance operators not directly affiliated with a state or military organization, they had professional quality organization and discipline and a specific set of collection objectives, evidenced as much by what they didn’t take—despite having easy access to the data—as what they did take. The type and specificity of data stolen in this case also suggests that the end users were already identified and that they likely had deep science and technology resources at their disposal to make use of the stolen information.


Over a multi-day period during this incident, intruders staged a complex data exfiltration operation and while the activity associated with this incident occurred within a relatively short span of time, the preparations and reconnaissance necessary to support it had likely been ongoing for months.

The teams or individuals who carried out this operation displayed discipline and a deep knowledge of the network architecture they targeted, suggesting that these operators had likely spent months patiently assembling a detailed picture of this network.


The adversary used at least two groups in the operation: a breach team (referred to by these information security analysts as “Team One”) and a collection team (known as “Team Two”), responsible for gathering and exfiltrating the targeted data.


Intruder Command and Control Infrastructure
Analysis of the intruders’ activity prior to, and during, the exfiltration operation indicates that their command and control architecture relied upon previously stolen valid user accounts to authenticate to the company’s internal servers. Once authenticated, they established communications with a variety of previously compromised computers inside the company’s network. The operators then tunneled Remote Desktop Protocol (RDP) within their existing communication channels to establish contact with the targeted hosts for purposes ranging from maintaining basic access to the control of the eventual data exfiltration. Additional stolen account names and passwords were used as needed to gain access to otherwise protected resources such as computers, network shares, folders and files.


Movement of Targeted Data to Intermediate “Staging Servers”
During the first several days of this incident, the adversary transferred the data selected for exfiltration from company file servers (where it normally resided) to Microsoft Exchange email servers that acted as intermediate staging points (See Figure 7, the transfer occurred between the Staging Systems and the Corporate File Servers in this diagram). Their reconnaissance of the network enabled them to select servers that offered the highest performance and network throughput. The identification and selection of these servers, again, underscores the adversary’s precise knowledge of this network’s architecture, gained from detailed reconnaissance prior to this operation.


Exfiltration of Data from the Internal Network
Reflecting their methodical preparations, these operators used seven servers almost in tandem to move data out of the company’s network, suggesting that speed was a priority during this phase of the operation. The movement of data out of the internal network is the most vulnerable phase of the entire operation because of defensive tools the company had in place on its network perimeter, and it was the only point at which they were detected during their multi-day presence in the network in preparation for this action.


The information security staff eventually detected and blocked the exfiltration in mid-stream but not before significant amounts of company data left the network. Intrusion prevention systems on the company’s network were then tuned to alert and block further activity and for the next five hours these systems continued to detect attempts by the operators to return, suggesting that they were interrupted before completing the full exfiltration as planned. Information security analysts with this firm have no means of determining the total intended size of this exfiltration operation.
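The two stages that gave the defenders their only detection opportunity in the report above were the bulk staging of data from file servers onto mail servers and the near-simultaneous outbound transfer from several servers. The script below is an added illustration of how a network monitoring team might flag both stages from flow records; it is not code from the report or from Northrop Grumman. The internal address range, the host roles, the byte thresholds and the flow records are all constructed for the example.

```python
"""Flag the two stages of a staged exfiltration from network flow records:
(1) bulk file-server -> mail-server transfers (internal staging), and
(2) coordinated outbound transfers from several internal hosts in a short window.
All addresses, roles, thresholds and flow records are constructed assumptions."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed network layout (not from the report).
INTERNAL = ip_network("10.0.0.0/8")
FILE_SERVERS = {"10.1.1.10", "10.1.1.11"}
MAIL_SERVERS = {"10.2.2.20", "10.2.2.21", "10.2.2.22"}

# Constructed flow records: (timestamp, src, dst, bytes_transferred).
FLOWS = [
    ("2024-01-01T01:00:00", "10.1.1.10", "10.2.2.20", 800_000_000),   # staging
    ("2024-01-01T01:05:00", "10.1.1.10", "10.2.2.21", 650_000_000),   # staging
    ("2024-01-01T01:10:00", "10.1.1.11", "10.2.2.22", 900_000_000),   # staging
    ("2024-01-01T09:00:00", "10.5.5.5",  "10.2.2.20", 2_000),         # normal mail traffic
    ("2024-01-03T02:00:00", "10.2.2.20", "203.0.113.7", 500_000_000),  # outbound burst
    ("2024-01-03T02:02:00", "10.2.2.21", "203.0.113.7", 450_000_000),  # outbound burst
    ("2024-01-03T02:03:00", "10.2.2.22", "198.51.100.9", 480_000_000), # outbound burst
    ("2024-01-03T02:04:00", "10.1.1.10", "198.51.100.9", 300_000_000), # outbound burst
    ("2024-01-03T14:00:00", "10.5.5.5",  "203.0.113.7", 50_000),       # normal browsing
]


def is_internal(addr):
    """True when the address falls inside the assumed internal range."""
    return ip_address(addr) in INTERNAL


def staging_alerts(flows, threshold=100_000_000):
    """Return file-server -> mail-server flows at or above `threshold` bytes.

    Mail servers normally receive small messages from clients, so a large
    transfer originating from a file server is out of role for both hosts."""
    return [
        (ts, src, dst, n)
        for ts, src, dst, n in flows
        if src in FILE_SERVERS and dst in MAIL_SERVERS and n >= threshold
    ]


def coordinated_egress(flows, window=timedelta(minutes=10), min_hosts=3, min_bytes=100_000_000):
    """Return (window_start, hosts) for each burst in which at least `min_hosts`
    distinct internal hosts each send >= `min_bytes` to external addresses
    within `window`. A single large upload is ambiguous; several servers
    doing it together within minutes is the pattern described in the report."""
    big = sorted(
        (datetime.fromisoformat(ts), src)
        for ts, src, dst, n in flows
        if is_internal(src) and not is_internal(dst) and n >= min_bytes
    )
    alerts = []
    i = 0
    while i < len(big):
        t0 = big[i][0]
        in_window = [(t, s) for t, s in big if t0 <= t < t0 + window]
        hosts = {s for _, s in in_window}
        if len(hosts) >= min_hosts:
            alerts.append((t0.isoformat(), sorted(hosts)))
            i += len(in_window)  # the rest of this burst is already reported
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in staging_alerts(FLOWS):
        print("STAGING  ", alert)
    for start, hosts in coordinated_egress(FLOWS):
        print("EGRESS   ", start, hosts)
```

The first rule depends on knowing host roles, which is exactly the kind of architectural knowledge the report says the intruders had and the defenders needed to match; the second rule needs only an internal address range and a baseline for what a large upload looks like, which makes it the easier of the two to deploy at a perimeter.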
