Der gute Mensch von Sezuan is a play by Brecht where the essentially good female protagonist is unable to survive in a wicked world without inventing a far darker male persona to look after her own interests. I’m not in a position to judge the inner motivation or goodness/badness of the inhabitants of Sichuan, but it’s interesting to note how often the place comes up in the history of targeted attacks and hackers for hire in China: Ken Dunham and Jim Melnick discussed some of the dramatis personae of the NCPH group, connected with the Sichuan University of Science and Engineering, in the AVIEN Malware Defense Guide, which I co-wrote and edited back in 2007.
A few years on and with particular reference to the recent analyses by AlienVault Lab et al, Trend Micro has linked the targeted attacks on Tibet via the Luckycat campaign C&C servers to a hacker in China going by the handles “dang0102” or “scuhkr”, and associated with the University of Sichuan’s Information Security Institute. Trend’s report is actually about a lot more than that, including some analysis of malware used in the Luckycat campaign and details of attacks on India and Japan as well as on Tibet, malware hashes, C&C details and other attack components, and connections with other campaigns (notably Shadownet). Fascinating stuff, and Symantec’s paper on Luckycat is also well worth a read.
Meanwhile stratsec’s blog article No Café in Tibet, Babe includes some substantial analysis of the MS Office files that exploit MS09-027 in one of those attacks.
It also occurs to me that I’ve somehow overlooked to mention Ivan Macalintal’s very apposite article for Trend on Game Change: Mac Users Now Also Susceptible to Targeted Attacks in my previous blogs. I can’t believe I forgot to include it!
And finally, a tweet by F-Secure’s Mikko Hypponen reminded me of a Chinese TV documentary that actually showed footage of Chinese government systems launching attacks against US targets. The video disappeared long ago, but there’s enough substance in Mikko’s blog from last August to shake the faith of anyone who still believes that China is an innocent party in – if you’ll excuse the expression – all the cyberwarfare/cyberespionage/cyberwhatever dung that we’re all up to our monitors in nowadays.
David Harley CITP FBCS CISSP