Posted by: David Harley | March 30, 2012

A not-so-good person of Sichuan?

Der gute Mensch von Sezuan is a play by Brecht where the essentially good female protagonist is unable to survive in a wicked world without inventing a far darker male persona to look after her own interests. I’m not in a position to judge the inner motivation or goodness/badness of the inhabitants of Sichuan, but it’s interesting to note how often the place comes up in the history of targeted attacks and hackers for hire in China: Ken Dunham and Jim Melnick discussed some of the dramatis personae of the NCPH group, connected with the Sichuan University of Science and Engineering, in the AVIEN Malware Defense Guide, which I co-wrote and edited back in 2007.

A few years on and with particular reference to the recent analyses by AlienVault Lab et al, Trend Micro has linked the targeted attacks on Tibet via the Luckycat campaign C&C servers to a hacker in China going by the handles “dang0102” or “scuhkr”, and associated with the University of Sichuan’s Information Security Institute. Trend’s report is actually about a lot more than that, including some analysis of malware used in the Luckycat campaign and details of attacks on India and Japan as well as on Tibet, malware hashes, C&C details and other attack components, and connections with other campaigns (notably Shadownet). Fascinating stuff, and Symantec’s paper on Luckycat is also well worth a read.

Meanwhile stratsec’s blog article No Café in Tibet, Babe includes some substantial analysis of the MS Office files that exploit MS09-027 in one of those attacks.

It also occurs to me that I’ve somehow neglected to mention Ivan Macalintal’s very apposite article for Trend, Game Change: Mac Users Now Also Susceptible to Targeted Attacks, in my previous blogs. I can’t believe I forgot to include it!

And finally, a tweet by F-Secure’s Mikko Hypponen reminded me of a Chinese TV documentary that actually showed footage of Chinese government systems launching attacks against US targets. The video disappeared long ago, but there’s enough substance in Mikko’s blog from last August to shake the faith of anyone who still believes that China is an innocent party in – if you’ll excuse the expression – all the cyberwarfare/cyberespionage/cyberwhatever dung that we’re all up to our monitors in nowadays.

David Harley CITP FBCS CISSP
