[The Library] Three Weeks in Review

in news •  8 years ago  (edited)

Three Weeks of Open-Source Intelligence

It's been 21 days since my first post on this blog and it's grown a lot. I went from 0 followers to almost 90, from a couple views per post to a few dozen. I've found some really awesome blogs, followed some really cool content creators, and found a community that supports just about every kind of content out there.

The purpose of this post is to wrap up three weeks of Open-Source Intelligence writing. I've learned a lot from writing intelligence posts and news postings. One of the biggest lessons I've learned is that I have to market the content towards readers. That doesn't mean changing facts or leaving some out, but it does mean that I can't just post a notebook with notes on things I understand and I find interesting. I have to write in a way that is entertaining and attracts readership, because the purpose of intelligence writing is to inform the reader so that they can make informed decisions based on the newest intelligence of the day.

So, here is my review of three weeks of intelligence writing.


Chinese Red Hacker Army

This is pretty much the project that started it all, and it is still very much ongoing. I still frequently check my CNHonkerArmy account for people who are reaching out, but I haven't posted in a while. I've stayed up to date on the goings-on in Chinese cyberspace, but it is a big-time undertaking to sit down and read through foreign-language technical conversation, and, quite honestly, life has been incredibly busy.

The Chinese Red Hacker Army, Honker's Union of China (HUC), or just the Honkers have been my subject of study for years now. They were the group that first drew me to intelligence reporting, and, because of my background in the Mandarin language, the group is where I believe I can help the most.

In the future, I'm going to get back to my investigation into the group. I think they really are a threat, with the growing tensions between the US and China and international tensions sparking talks of another world war. Knowing where your ally stands, how they will react to certain political decisions and international situations, and what the Chinese citizens feel about their country's political climate is incredibly important. That's all without taking into account the ad-hoc hacktivist threat. When you consider these patriotic, technically knowledgeable citizens are a direct threat to the US, that makes it a different story.

The actors I've found on the forums thus far have been largely unimpressive. They're not incredibly technically advanced, and certain portions of their culture make them vulnerable: one user was so open with me after a short message chain that he gave me administrative FTP access to his personal website. The cultural side of the battle is extremely important, and conversing with users on the site has led me to learn a lot about their online culture.


The Ongoing Drama of the CWA

I did my first post on CWA mainly because it was relevant at the time. They have a pretty interesting story, with high-profile attacks against the intelligence community of the United States and UK. While many dismiss them because of their lack of technical prowess, I see them as a legitimate threat of a non-technical variety: social engineering really is just Human Intelligence (HUMINT) in a different wrapper, and the CIA, MI6, and others have been doing it for decades. People with the ability to convince others to act against their own best interests are just as much of a threat as an adept coder or advanced actor.

The CWA took a big hit recently. Cracka, a core member and possibly leader of the group, is awaiting sentencing; Incursio has been sentenced to 2 years in jail; Derp is awaiting sentencing; and Default, a wannabe member of the group, is awaiting his punishment as well. According to Derp, there is a possibility he may be let go with a slap on the wrist, but Cracka's fate doesn't look nearly as promising. My interview with Derp opened my eyes to some of the inner workings of the group, the drama they are currently embroiled in even as they await sentencing, and their hopes for the future.


APT1: In the Shadows, and Why That Should Terrify You

APT1 is likely the most dangerous threat actor in business today. They are a nation-state-backed group with extensive financial, technical, and political support that specializes in the theft of intellectual property from Western private companies and government agencies. Since Mandiant's landmark APT1 report, we haven't heard too much about the group.

This is why that should terrify you.

APT1 spent an average of over a year in target networks, unseen and unknown. They spent as long as four years in one network, silently siphoning off data and using it to bolster their own country's economic development. I don't want to fear monger or doubt the safety of US systems, but there is a good chance that they're in our networks right now, silently watching, spying, and listening. There's a chance that a US ambassador is about to be blindsided with information that his Chinese counterpart should never have known. There's a chance that a private company that has been researching their technology for years is about to be met with a virtually identical, cheaper version of their product.

The possibility truly does keep me up at night.


Bureau 121: A Scary Cyber Duo

Bureau 121 scares me for a different reason. There are very few ways anyone of any ethnic background can excuse the actions of the Nuclear Hermit Kingdom, much less host their economic espionage program. That's just what our "ally" China is up to. Hosted in a five-star hotel on the border between Fatty Kim Kim and Xi, Bureau 121 hackers are North Korean in heritage and pledge but operate out of Shenyang, China, making them a dual threat.

North Korea lacks the technical infrastructure to carry out a sophisticated hacking campaign. Their only connection to the internet runs through China as well, meaning that even if Bureau 121 weren't physically in China, the Chinese would still be tacitly allowing the attacks to come through.

This is a cyber warfare arrangement that many aren't paying attention to. The aforementioned APT1 group, and other Chinese threat actors, are working literally alongside the North Koreans, possibly even in the same room. This is an unprecedented and worrisome arrangement: China publicly opposes inflammatory actions against the Hermit Kingdom and the THAAD missile system in the South even as it works together with the North Koreans to infiltrate Western systems.


Gator League: An Embarrassment, But Not a Threat

Here we have a group that I don't plan on wasting too much more space on. Long story short, they're a technically inept crew that got in way over their heads, and there's a good possibility that they're just a social engineering group aiming to cause drama and gain fame. Gator League was formed from several even less threatening defunct groups that banded together for exactly that: drama and fame. They ran a vulnerability scanner against a military site and, it appears, got caught: the password that they found with their automated, plug-and-chug scanner was changed the next day, and the "access" that they claimed to have gained was gone or, more likely, had never existed.


The Fancy Threat

Fancy Bear is an incredibly relevant threat, as talk in the media is almost entirely centered on Russian meddling in the US presidential election. While most of the talk is centered on soft-power propaganda and physical espionage, Fancy Bear, along with their Cozy counterparts, are the ones who sat in DNC networks and stole US secrets in order to meddle with an already broken election.

Fancy Bear is another advanced nation-state-backed group with just as much backing as APT1, or more. They operate at least tacitly in concert with the Russian government, and they clearly carried out the government's goals to the end.

There's not much I can say that the media is not already saying. I'll leave this here and urge readers to keep informed about the Fancy Bear threat actor.


Lazarus Group: Fatty Kim Kim's Pawns to Rob the World Blind

The Lazarus Group is, as I stated in my report, one of the first cyber bank robbers to be backed by a sovereign state. They robbed a nation blind, stealing $81 million from a massive and complex banking system, and took a couple of thousand more in a worldwide ransomware outbreak now famously known as WannaCry. They attacked another nation's private production firm in reaction to a movie they didn't like, stole intellectual secrets, and bolstered their rogue regime's threatening nuclear program with stolen funds.

Lazarus Group is an incredible threat. They've acted against South Korean media firms, private companies, and critical infrastructure on behalf of their extremist government. They've attacked Western firms, government entities, and power grids for the express purpose of gaining the global edge their country needs to become a nuclear threat to the world.

I've enjoyed documenting this group in particular. They're a very real threat, and they have continued their training to carry out ever more complex attacks against ever higher-profile targets.



Like the post? I run this threat intelligence blog on Steemit and offer the content free of charge. If you're a Steemit user, you know that upvoting, which you do for free, magically puts a couple cents in my pocket. Maybe I'll buy a pack of gum with last week's earnings, but it all depends on your help. Not a Steemit user? My biggest metric of success is my viewership. If I don't make a cent but my content reaches a wide audience, that means my product is valuable and my efforts are worthwhile. Therefore, give me a share on your social media of choice, follow me on Steemit for more threat intel posts, and follow me on Twitter to see stupid memes and get updates when I post.


Very glad to be following you now.
Please continue to process your OSINT work here.
Highly valuable.

~The Management


Another thank you. Your support is always welcome, and you will continue to see OSINT content here.

I voted for you, please vote for me: https://steemit.com/@quantklv1/comments

Waawwww, I love that, amazing, it's amazing

Thank ya friend!

Awesome! Thanks for the summary, super interesting stuff! Keep on with the awesome posts!

Thank you, friend! I will continue with the posts just as before!