The news has been circulating since May 19. It can be read as the latest stage in the evolution of cyber warfare: the conflict being made public in the name of the law.


From left, Chinese military officers Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and Wen Xinyu have been indicted on cyber espionage charges.

The Justice Department's stated reason for bringing charges is that this espionage went beyond the military and political domains the unit had "drawn for itself" and put the collected information to economic use. The indictment enumerates the victims' stolen information at length; my guess is that all of the victims reported the thefts to the FBI.


At the very least, the victims know what information was stolen from them, and the investigators found, by some means, the people they believe to be the perpetrators. On those two points alone, the level of US information and network security forensics is evidently high.

The FBI press release reads: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, who were officers in Unit 61398 of the Third Department of the Chinese People's Liberation Army (PLA). The indictment alleges that Wang, Sun, and Wen, among others known and unknown to the grand jury, hacked or attempted to hack into U.S. entities named in the indictment, while Huang and Gu supported their conspiracy by, among other things, managing infrastructure (e.g., domain accounts) used for hacking.

Victims: Westinghouse Electric Co. (Westinghouse); U.S. subsidiaries of SolarWorld AG (SolarWorld); United States Steel Corp. (U.S. Steel); Allegheny Technologies Inc. (ATI); the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW); and Alcoa Inc.

Time span of the intrusions: 2006-2014

The 31 counts are as follows (all defendants are charged in all counts):

Count One: Conspiring to commit computer fraud and abuse. Statute: 18 U.S.C. § 1030(b). Maximum penalty: 10 years.
Counts Two through Nine: Accessing (or attempting to access) a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain. Statute: 18 U.S.C. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2. Maximum penalty: five years (each count).
Counts 10-23: Transmitting a program, information, code, or command with the intent to cause damage to protected computers. Statute: 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2. Maximum penalty: 10 years (each count).
Counts 24-29: Aggravated identity theft. Statute: 18 U.S.C. §§ 1028A(a)(1), (b), (c)(4), and 2. Maximum penalty: two years (mandatory consecutive).
Count 30: Economic espionage. Statute: 18 U.S.C. §§ 1831(a)(2), (a)(4), and 2. Maximum penalty: 15 years.
Count 31: Trade secret theft. Statute: 18 U.S.C. §§ 1832(a)(2), (a)(4), and 2. Maximum penalty: 10 years.

Summary of Defendants’ Conduct Alleged in the Indictment

Defendant: Sun. Victim: Westinghouse.
In 2010, while Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese SOE (SOE-1), including technology transfers, Sun stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings.

Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with SOE-1, Sun stole sensitive, non-public, and deliberative e-mails belonging to senior decision-makers responsible for Westinghouse's business relationship with SOE-1.

Defendant: Wen. Victim: SolarWorld.
In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had "dumped" products into U.S. markets at prices below fair value, Wen and at least one other, unidentified co-conspirator stole thousands of files including information about SolarWorld's cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things. Such information would have enabled a Chinese competitor to target SolarWorld's business operations aggressively from a variety of angles.

Defendants: Wang and Sun. Victim: U.S. Steel.
In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2). Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spearphishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these e-mails resulted in the installation of malware on U.S. Steel computers. Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks). Wang thereafter took steps to identify and exploit vulnerable servers on that list.

Defendant: Wen. Victim: ATI.
In 2012, ATI was engaged in a joint venture with SOE-2, competed with SOE-2, and was involved in a trade dispute with SOE-2. In April of that year, Wen gained access to ATI's network and stole network credentials for virtually every ATI employee.

Defendant: Wen. Victim: USW.
In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW's computers continued to beacon to the conspiracy's infrastructure until at least early 2013.

Defendant: Sun. Victim: Alcoa.
About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise (SOE-3) in February 2008, Sun sent a spearphishing e-mail to Alcoa. Thereafter, in or about June 2008, unidentified individuals stole thousands of e-mail messages and attachments from Alcoa's computers, including internal discussions concerning that transaction.

Defendant: Huang.
Huang facilitated hacking activities by registering and managing domain accounts that his co-conspirators used to hack into U.S. entities. Additionally, between 2006 and at least 2009, Unit 61398 assigned Huang to perform programming work for SOE-2, including the creation of a "secret" database designed to hold corporate "intelligence" about the iron and steel industries, including information about American companies.

Defendant: Gu.
Gu managed domain accounts used to facilitate hacking activities against American entities and also tested spear phishing e-mails in furtherance of the conspiracy.

Politics aside, what I am curious about is their forensic analysis techniques and methods.

From the indictment and related materials, a few points stand out as interesting:

1) Why, among the many attacks the US government has attributed to China, was none prosecuted, while this one was? The reason is that this time they determined that the corporate secrets obtained through the intrusions were used for economic purposes and passed to Chinese enterprises to gain a competitive advantage. How do they spell this out? They say that members of this unit systematically spied on US companies to collect confidential intelligence, and that members of the same unit also provided security services to domestic enterprises; while providing those services, they disclosed the previously obtained information to those domestic enterprises (mainly several SOEs, state-owned enterprises). Looking closely, their analysis really does go deep.

2) In attributing the activity to this unit's personnel, they used several methods that corroborate one another; I would guess they relied on the kinds of evidence listed in Mandiant's earlier APT1 report, or on similar and more advanced evidence. They also cite one further argument: the traffic to the dynamic DNS domains used to send stolen data back showed periodic fluctuation, with a pronounced peak from 8 a.m. to 5 p.m. (China time) and troughs at other times (including a one-hour dip at midday), which they say matches the working hours of Chinese state institutions. The indictment's appendix includes several traffic charts. Very interesting.

3) The indictment also enumerates the information stolen from the victims in some detail, down to specific hostnames, categories of information, and in some cases individual items.
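The working-hours argument in point 2 (and the beaconing to the conspiracy's infrastructure mentioned for USW above) can be reproduced from ordinary proxy or DNS logs. The following Python is an added example and is not part of the original post or of the indictment; the beacon timestamps it analyses are constructed to mimic the pattern described, and the function and variable names are my own. It bins check-in times by local hour for every candidate UTC offset, picks the offset whose 08:00-17:00 window captures the most traffic, and measures the midday dip.

```python
"""Working-hours fingerprint of C2 beacon traffic (added example, constructed data)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(8, 17)  # 08:00-16:59 local, the 8-to-5 window from the indictment


def make_sample_beacons():
    """Constructed sample: one working week of beacon check-ins, in UTC.

    Simulates an operator active 08:00-17:00 at UTC+8 with a lunch dip at
    12:00, plus one keep-alive per hour from the implant at all other times.
    Real data would come from proxy/DNS logs of connections to the
    dynamic-DNS C2 hostnames.
    """
    beacons = []
    start = datetime(2012, 3, 5, tzinfo=timezone.utc)  # a Monday
    for day in range(5):
        for utc_hour in range(24):
            local_hour = (utc_hour + 8) % 24
            if local_hour == 12:
                count = 3      # lunch: operator mostly away
            elif local_hour in WORK_HOURS:
                count = 12     # interactive session: frequent tasking
            else:
                count = 1      # off hours: automatic keep-alive only
            for k in range(count):
                beacons.append(start + timedelta(days=day, hours=utc_hour,
                                                 minutes=60 * k // count))
    return beacons


def hourly_histogram(beacons, utc_offset_hours):
    """Count beacons per local hour of day under a candidate UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(b.astimezone(tz).hour for b in beacons)


def work_hours_fraction(beacons, utc_offset_hours):
    """Share of all beacons that fall inside WORK_HOURS at that offset."""
    hist = hourly_histogram(beacons, utc_offset_hours)
    total = sum(hist.values())
    return sum(hist[h] for h in WORK_HOURS) / total if total else 0.0


def best_fit_offset(beacons):
    """Whole-hour UTC offset (-12..+14) whose working window captures the most
    traffic, returned with that fraction.  A 24-hour periodic signal cannot
    separate offsets 24 hours apart, so the range is deliberately narrow."""
    scores = {off: work_hours_fraction(beacons, off) for off in range(-12, 15)}
    best = max(scores, key=scores.get)
    return best, scores[best]


def lunch_dip(beacons, utc_offset_hours):
    """Ratio of 12:00 activity to the mean of the 11:00 and 13:00 bins;
    a value well below 1.0 is the midday trough the indictment describes."""
    hist = hourly_histogram(beacons, utc_offset_hours)
    neighbours = (hist[11] + hist[13]) / 2
    return hist[12] / neighbours if neighbours else float("nan")


if __name__ == "__main__":
    sample = make_sample_beacons()
    offset, fraction = best_fit_offset(sample)
    print(f"best-fit offset: UTC{offset:+d}, {fraction:.0%} of beacons in 08:00-17:00")
    print(f"lunch dip at that offset: {lunch_dip(sample, offset):.2f}")
    for hour, n in sorted(hourly_histogram(sample, offset).items()):
        print(f"{hour:02d}:00 {'#' * (n // 5)}")
```

Such a fit is circumstantial: it assumes the log clocks are trustworthy and that the captured traffic reflects interactive operator sessions rather than an implant's automatic check-in schedule, and the same curve would fit any organisation working office hours in UTC+8. It is one corroborating signal among the several the author mentions, not an identification on its own.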


Having read this, you can see why FireEye acquired Mandiant: detecting threats matters, and digital forensic analysis and attribution matter just as much. Put together, they are formidable.


[References]

Mandiant's intelligence report on the APT1 group's operations

Four Legends: Chinese cyber hacker groups