
China Recon 101: Finding Nation State Infra w/ Almost Free Tools

BSides PDX · 2023 · 27:33 · Published 2023-10
Category: Technical
Style: Talk
About this talk
Jonathan Reiter (@jonathanmreiter, @bees@infosec.exchange)

The People's Republic of China has a poorly documented web, and this talk will walk the audience through some of the more practical aspects of both government and non-government networks in this geo. Our thesis is that understanding the layout of the PRC web is a crucial component for contextualizing adversary infrastructure: recent operations by area adversaries, such as Volt Typhoon, used recon infrastructure with links back to PRC-based data centers. With some background on the various telcos and major cloud providers, plus some history of internet exchanges and the growth of social networking and the pervasive surveillance state, we'll do a brief hunt, and together learn how to make sense of unusual characteristics encountered during reconnaissance.

Jonathan is an Engineer at Dragos, where he helped build the Neighborhood Keeper ICS telemetry system, and tends to their Synapse instance. In his past life, he managed the malware database for McAfee. In his past-past life, he was a China Studies graduate student at the University of Washington and specialized in modern political economy and Qing history.

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

Gentle folk, around the noon period I'm sure there's lots of hungry bellies in here, so I'm going to make this fast and filled with content. Welcome to China Recon 101: Finding Nation State Infrastructure with Almost Free Tools. An early disclaimer here: when I say China, I'm talking about the People's Republic of China, or PRC as I'm going to say repeatedly. I'm talking about the political body, the combination of the nation state and the party state, and not any broader heritage or culture, which is a very broad demographic. Again, this is the state I'm specifically talking about.

So here's our quick agenda. I'm going to explain myself in one second, then I'm going to explain China, its IT infrastructure, as fast as humanly possible, and then we're going to do a deeper dive on exploits at a super high level. This is a 101 class. Then we're going to do a dive into groups, again at a 101 level, and I'm going to show some very practical and simple ways to perform recon on state-linked outfits. Again, this is super fast: 30 slides. I've linked this presentation out on my Mastodon, which will show up in just one second, @bees@infosec.exchange. Do reference it; this is the exact same Google Slides, which I'm hoping to maintain as a living document for some of the scope I cover on this.

As for me, I've been an engineer at security orgs since 2016. I'm currently at Dragos; I work largely on content and analytics, and that includes internal tools, Synapse, and our threat intelligence landscape, stuff like that. I've also been a China scholar with various academic institutions since 2004. I've done postgraduate international relations at UW, mostly within political economy and defense studies, but also Qing history. I F'd out of the FSOT circa 2009, which is where you have kind of this conflict of interests.

So what even is this? This is China Recon 101: we're trying to take two rather broad subjects together, China state actors and early indicators of bad behavior. If we were to parameterize where early warning signs are, it's all these different data domains. I've isolated five of them here. You've got the infrastructure, which is to say what is doing all the reconnaissance, where does it exist, can I find it on Shodan. You have the secrets they use, which could be something as simple as an SSH public key that they use; again, a public key, maybe not so secret, but it's definitely something which allows us to do correlation work. Organizations: which organizations have an affinity towards attacking my infrastructure? That helps you understand their constraints and their interests. Capabilities: what do the actors do for a living, and what is the organizational focus? And then identities, not identities as in persona, but literally what is the primary key they use in their databases. And then I will get into some not often used identities used by both the Ministry of State Security and the Ministry of Public Security.

Our objectives for doing this kind of recon analysis are to get some idea of what the victimology is like; essentially, am I in the crosshairs here? And then, given the idea that perhaps there's some off chance I'm in the crosshairs, prepare for the offense and know what sort of tooling they use. In general, the reason why people use recon is a form of opportunism, which is to say that you will find certain threat actors, especially those bare on resources, who will transition from a recon state to an attack state pretty quickly. But for the audience here, what we're talking about is mostly a form of defense in depth, meaning we get as much metadata as we can that tells us the probability that we're going to be victimized, and we have a near-intimate relationship with the parties that could do this.

Are you a subject of PRC recon? Nowadays this is a very difficult question to answer, because you will see the first four bullet points here: you work for the DoD, you work in government, you work in R&D or academia, or you work in a critical industry. Those are pretty straightforward; you're either in it or not. The fifth bullet point, do you own a vulnerable router, is where things get kind of dicey, because that could be virtually everybody in the US. The kind of breakthrough for five worth noting, the reason why we've gone to the depths and why the scope has increased, I think you could see specifically within the Volt Typhoon report. If you were to tear it down and look at the IoCs for the malware which was related to an attack on a defense industrial base in Guam, you will find that one of those IoCs on VirusTotal has a call-home to a SOHO router, which is to say it is the router for a small physical security business based in Texas. When I say SOHO I mean small office or home office. With SOHO in the mix, it means that there's a pretty broad space here.

So we're going to do a turbo-mode area studies here. I'm going to go through what China is, in maybe two or three minutes, so you ready? Go. First off, this is essentially how the internet evolved in China. In 1999 it was basically an academic study; the charts on the right are circa 1999. You can see everything is oriented by the Ministry of Information Industry, which is to say it's an industrial practice, but then you see most of the organizations mentioned, you have the Ministry of Education and the Chinese Academy of Sciences. It's academic, similar to the beginnings in the US with ARPANET, except pushed forward a little bit. 1995, again, this sort of norm spreads throughout all of academia. 2005 is when their dotcom boom hits, a little bit, five years in the future. And then 2015, under Xi Jinping, there's been an aggressive centralization pushing towards state control, discipline on enterprises that act out. You have firms like Alibaba being punished because you have a researcher documenting Log4Shell before disclosing to the state.

Telecom infra is a very complicated subject. All the arrows show bound relationships, but the main thing you've got to know is there's three big players: China Mobile, China Telecom, China Unicom. All of them are state enterprises, so they are subject to the control of an organization called SASAC, which is basically the largest organization in the world in terms of capitalization; it's hundreds of billions of dollars. Further, the internet has exploded in a huge way. All told, at the beginning of 2023 there's over a thousand ASNs that are PRC based, or at least have one PRC-based host operating in them. That's around 200 million domains, around 800 million IPs, IPv4, and around millions of IPv4 subnets alone.

A major thing that we're going to actually deal with practically is that Chinese is hard for computers. There's multiple encodings. Unicode is kind of a new wave; it makes the rest of the encodings look easy. Some habits from the old days persist. The two habits I'll focus on are pinyin initialism, so you have a word, guoyu, which means Mandarin in one way or another, which might initialize to GY. You also have number rhymes, which use numbers based on how they're pronounced and make rhymes off it, so 1688.com is yi liu ba ba, or Alibaba. So we will use pinyin initialism later; remember that.

Okay, we're going super fast into exploits. There's a lot more to talk about in area studies, but this is not the focus of my talk. We need to drill deeper, specifically state organizations that deal with network security, and specifically how they deal with network exploitation. So we're going to talk about just a slew of players right here, at the top, and they're all within different hierarchies within the government. You have the State Council, which is more or less the head of government. You have SASAC under that, which I mentioned previously; it runs the telcos. You have the NASP, which is a cognate of NSA; it comes up with cryptography standards. Under the State Council you've got the Ministry of Industry and IT, which I'll refer to as MIIT. They own NVDB, which is essentially the state vulnerability program, which is to say they hold all of the vulns; it's essentially a nationwide version of your favorite NIST establishment. You have CNCERT and CETC under the Ministry of State Security, which both do vulnerability research with their own kind of focus. You have the Ministry of Public Security, which is mostly the FBI as a rough analogy; they mostly take care of the domestic situation. The Ministry of State Security is more foreign oriented; again, they have CETC under them, and we will be talking a lot about CETC. And then there's a whole bunch of national champions; Alibaba is a good example. They all have close relationships with the State Council or the telcos, to use the example of Alibaba and the vulnerability disclosure.

So what they really have at this point is all these players in the mix for a national strategic software exploitation program, which is relatively new, circa 2015. As you can imagine, every single different actor in this has different interests, which align with the bullet points over here, which quickly are: rank the severity of vulnerabilities, stack the reporting structure, involve foreign business, which is to say capture the vulnerabilities, broad punitive measures, capture core technology through licensing, and in general have a national strategic focus. That's kind of an orientation through which governmental discipline is inculcated, and largely this inculcation has occurred through the CAC, which again is new-ish; it's run directly through the party rather than the state. The CAC is short for the Cybersecurity Administrative Council, or excuse me, the Cyberspace Administration of China. Its hierarchy extends into the Central Committee, and it's evolved from a body tending towards censorship policy into enforcing the recent raft of aggressive security legislation, such as the Personal Information Protection Law, or PIPL.

So pushing forward, this is where the vulnerability plan gets articulated, or the vulnerability stockpiling at a national level gets articulated. This is a graph from a publication called "Sleight of Hand", which the Council produced recently; it's the work of Dakota Cary and Kristin Del Rosso. You can see essentially there's a directed graph that pushes vulnerability research from MIIT, this is NVDB right here in the middle of it, through CSI CS, which is essentially a ministry of IT security management, and ends up flowing to MPS, which again is domestic security, and that in turn informs CNCERT, which has information sharing based on the dog red line to the MSS. Which is to say that the main change as of late has been to take the trade-associated vulnerabilities, which is to say stuff that might affect commercial interests, and make them a function of national security by default. It is currently the law that disclosure has to go directly to the state, preempting any broader disclosure databases, and this is something that was influenced by the Alibaba engineers' disclosure of Log4Shell.

Having acknowledged the raised stakes with exploitation in that whole slide, which is to say the wheels are greased for publishing exploitation, I'm going to get a little bit more specific, not super specific like here's what activity groups' or threat groups' tendencies are, but I'm going to do a relatively unique clustering of them. Our focus is how to determine shared behavior and figure out what level of risk applies to you. So right now the players, in rough order, kind of dictate this dialectic between resources and sovereignty, and it plays out in four different rankings of actors. You have organizations that serve the state full-time; organizations that serve the state less than full-time, we'll call it part-time, some publications refer to it as double hatting, they're basically guest players; there are players who are not at all state actors, of which there are a few; and then there are players who are deliberately enemies of the state.

So the rough criteria I have for how the organizational life cycle works for these players: under the resource banner, the goals are to stay profitable and grow capabilities. Profitability could be something like the sort of ransomware activity or the type of credential harvesting feats that we see with Lapsus$ from the previous session. More often than not it does involve capital outflows, which are very difficult to measure. Alongside it, there's a tendency to obtain political capital based off their activities, which in turn informs securing their autonomy, meaning they get to do what they want day-to-day, and ultimately the whole point is to avoid domestic scrutiny. When you are a threat actor who has a part-time relationship with the state, you have a nebulous relationship with the state, and crackdowns can be rough.

So this is a rough clustering I've come up with at this point. Again, we've got sovereignty as the y-axis and resources as the x-axis. You may notice that I've included some non-CNO related players, non-computer network operations players, on this. You look at the far left, you have the largely inconfident, which is to say not many resources, but also no requirements, or very ad hoc requirements, for sovereignty. You have PEG TECH, who has acted as a VPN source for threats on an ad hoc basis and is otherwise known as a sketchy spam source, and then you have Cloudie, which Hon has written on recently, which operates pretty closely to PEG TECH, if not sketchier, and is like a one-person show. All the way on the top we have state-affiliated content. You have the wumao, the fifty-cent party, which is individuals who are taking payment to make their thoughts, potentially biased thoughts, known on domestic social media. There's been other CIB players that have been noticed through Facebook reports, but there's not much OSINT about these groups, at least for now; it's getting more and more clear as of the last quarter's release. And then as a contrast point I have Huaxia Jingwei, which is a cross-Straits organization which I will later show has interesting connections to the technological capacities of the Ministry of State Security. So we'll get back to Huaxia Jingwei.

As far as the actual known players, the actual people you see and know: at the very bottom are BlackTech and Shadow Tiger, who as far as I can tell do some domestic targeting in the PRC, which means that they want money but also are perhaps not at the beck and call of the state. And then you have the line going down: you have menuPass and Leviathan, which we know literally to be the PLA in some sort or another. Below them are Hafnium and APT41, where bloggers and threat research have shown that at least some population are MSS funded, so we can say they're some degree of part-time. You have Mustang Panda, who have a lot of overlap with objectives, which is to say their interest in Southeast Asia tends to correlate with more official actors, but there's basically no confirmation about the affiliation of their personnel. And then there's a Dragos-specific group called Laurionite, who, let's just say, use a lot of commodity gear; MPS and Goby I'll return to in a second. They seem rather script kiddie, and they're after BEC-related goals, which is to say financial goals, so maybe they're more opportunistic in a sense.

So finally we're going to get to recon. I've got maybe nine or ten minutes left, so I'm going to try to blitz through this. This is the actual practical recon you can use in your day-to-day jobs to profile this threat, or perhaps other threats. I'm going to make sure I have five minutes for questions at the end. So okay, what recon is: we're looking at infra, secrets, organizations, capabilities, identities. The tools we're going to be using are Censys, Shodan, Google, Baidu (I don't actually use Baidu here, but it's very useful if you need a different search indexer), Hunt.io, and GreyNoise, which I also don't use here but I can recommend its use. Censys is very good for looking at certs and certificate transparency logs, as the previous talks referred to. Shodan's great for hosts. Hunt.io is fantastic for looking for open directories; I highly suggest it. GreyNoise is good for finding scanners, which I'm unfortunately not looking at in this session, but I can tell you it's amazing for what it does. These are mostly free, meaning you can have a limited amount of result sets each month just by having either no account or a free account.

Okay, so a quick infra example. I came across a weird ASN, AS37937, which is a data center associated with, or I would say a part of the internet related to, the China ovet Information Center. I had no idea what it was, so I wanted to profile it really quickly, just to see if there's something here which could be threatening. Just by looking at domains within Censys you can see a wealth of information. Just by going to the top results, the top 10 results: gjdyzjb turns out to be related to SARFT, which is like an arts organization; it has movie ticket info. The second result, sslvpn, is a string associated with old Sangfor firewalls, which is to say there's probably some tech debt in this data center. NDRC, a regulator. A Kubernetes ingress controller fake certificate, that is dev k8s to anybody who likes that sort of stuff; it turns out to be the dev side on blockchain stuff. And then a wealth of email domains for the Ministry of Ecology. So you can see old gear, new gear, dev gear, prod gear, lots of related orgs in the State Council.

Secrets. This is a little bit more applied, so Google dorking is your friend. In this case I was interested in what sort of assets the Peng Cheng Laboratory might have, which is pcl.ac.cn, and I just dorked them a lot, just to see what they have. Specifically, from a professional standpoint, I'm interested in what they have in their cyber range, because everybody has different cyber ranges, and as somebody who works in ICS, it's interesting to see what that sort of thing is. So that brought me to pcr.pcl, which is essentially the range. Just by simply hunting around their domains I popped into Cloudbrain, which is also quite interesting, which is their ML data center, and what I found most interesting is that if you look for .docx files on a resource related to Cloudbrain, it was possible to find a public key. Again, it's a public key; you can't use it to own anything, but in some cases it gives you some awareness of "oh, somebody associated with Peng Cheng might want to, or is trying to, talk to my SSH hosts," as a really quick example.

Okay, organizations. It's kind of like guilt by association within a subnet. One day I was poking at 103.42.78.28; it's a subnet that exists within the people.cn AS, which is to say people.cn is Renmin Ribao, the main publication for the state. Just by going across, if you look at the sites served within the ASN, you can find an organizational link to the Central Committee and to perhaps state security-affiliated organizations. So within people.cn I saw huaxia.com, which, like I mentioned, is an MSS propaganda front for cross-Strait relations. The NSFC is essentially the academic head of the MSS: if you're highly educated and you're in the MSS and you want to retire, you go to NSFC. And of course the Communist Youth is there. For good sources, if you're interested in where members of the MSS go to retire, I highly suggest Alex Joske's work; it is in the acknowledgements page in this.

I am four minutes away, so I'm going to skip capabilities, but I highly suggest you check out this slide if you're interested in security certification information. Identities I'm also going to alight on briefly. Do note that there's certain patterns for reverse DNS within Chinese data centers. Here's a couple of them off the top. Most of them use initialism, for example ip.adslpool.sx.net.cn; SX is short for Shanxi, and this is a pattern that associates with Unicom specifically. There are many undocumented identities used in national security which are super fun. The one I highly suggest, if you're interested in finding really interesting things, is the ISS tech code, which is used by the national state secret body. So browse those as you wish.

Quick takeaways, and I'll take questions. Takeaways: practicing defense in depth is important. It allows you to judge the possibilities, especially with something that could be as remote as state actors. Notably for the PRC, what I see coming is that network IoCs will likely be North American based, meaning you've got a VPS in North America and then it's going to hit you when it comes to the actual attack. For recon it could be different; with Volt Typhoon we found clear links back to China Telecom with certain DoE-related IoCs. Exploit stockpiling is accelerating and targeting ICS. Something that is clear from Dakota and Kristin's report is that there is an ICS kind of organizational bend to the vuln centralization project. The groups, like I ranked, all have distinct state sovereignty and resources, and it's worth bucketing them based off what you know and what your own organizational bearing is. And I think finally, most practical for people: there are key details that look like practical analysis techniques. You can get ASN, cert, and shared-infra correlation with Censys; it's very, very simple. It does require you doing research and visiting some pages, but you can do it; trust yourself. Google dorking is very powerful, as usual. And specifically for this regional bearing, you want to look at the Wang'an and CNITSEC databases; they will tell you certified products, people, companies, and will give you procurement information, which gives you some interesting insight into what's happening, even for organizations which try to keep themselves covert.

So here's a bunch of additional reading. Take a look at the slide, click some links. Intrusion Truth is kind of the coolest out of this, but Sleight of Hand I always suggest. So, any questions at this point? I have exactly one minute. Oops, sorry, that sounds like enough. Thanks.