Bogus OPM – China Claims Debunked

Summary:

Claim 1: Stolen, signed security certificates require a level of sophistication not observed outside nation-state cyber forces. (Bogus)

Claim 2: Mimikatz is a classic [tactics, techniques and procedures] of Deep Panda. (Bogus)

The details:

Start with Hacking as Offensive Counterintelligence by John Schindler, which reads in part:

The IC is pointing the finger at China, tentatively, apparently at hacking entities that have a “close relationship” with Chinese intelligence. The case for official Chinese culpability is growing.

The “is growing” hyperlink takes us to a tweet by Bill Gertz (that got 8 retweets and 2 favorites) that reads:

Week in Cyber Threat Space: New technical details reveal PLA link to OPM hack http://flashcritic.com/technical-forensics-of-opm-hack-reveal-pla-links-to-cyber-attacks-targeting-americans/

Which takes us to: Technical forensics of OPM hack reveal PLA links to cyber attacks targeting Americans by Bill Gertz.

Evidence for Chinese groups being involved?

Sakula is a Remote Access Tool, or RAT, that employs the use of stolen, signed security certificates, a technique requiring a level of sophistication not observed outside nation-state cyber forces.

The domain names used by the hackers in the OPM attack included OPMsecurity.org and opm-learning.org.

Claim 1:

“…stolen, signed security certificates, a technique requiring a level of sophistication not observed outside nation-state cyber forces.”

Really?

A casual web search uncovers: Bogus AV program uses 12 stolen digital certificates to make the malware look legit by Jeremy Kirk.

Which reads in part:

The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued “by a number of different CAs to software developers in various locations around the world,” the company wrote.

The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.

Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish since hackers have to either breach an organization or an entity that issues the certificates.

One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating “that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.”

The claim that:

“…stolen, signed security certificates, a technique requiring a level of sophistication not observed outside nation-state cyber forces.”

is: BOGUS!

Claim 2:

Another method used by the Chinese in the OPM data breach was Mimikatz, software that allows remote users to learn network administrator log-in credentials through a relatively simple process.

“Mimikatz is a classic [tactics, techniques and procedures] of Deep Panda,” said a security analyst familiar with details of the attack. “This allows the actors to dump password hashes, perform pass the hash and ‘golden ticket’ attacks in the victim environment.”

A “classic…of Deep Panda?”

Mimikatz is the latest, and one of the best, tools to gather credential data from Windows systems. In fact I consider Mimikatz to be the “swiss army knife” of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French, most of the resources describing Mimikatz usage are in French, at least on his blog. The Mimikatz GitHub repository is in English and includes useful information on command usage.

Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features, mimidrv (driver to interact with the Windows kernel) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested).

From Mimikatz and Active Directory Kerberos Attacks by Sean Metcalf.
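Since the quoted description says Mimikatz needs administrator or SYSTEM rights and has to open the LSASS process, the defender's handle on it is monitoring for unexpected processes opening LSASS. The following is an added example, not code from this post or from the Mimikatz project: it scans constructed Sysmon-style ProcessAccess (Event ID 10) records, and the access-mask bits and allow-list are assumptions to be tuned per environment.

```python
"""Flag processes that open a handle to lsass.exe with rights typically used
for credential dumping, from Sysmon Event ID 10 style records.

Added example; the log lines are constructed, and SUSPICIOUS_BITS and
ALLOWED_SOURCES are assumptions a defender would tune for their own estate.
"""
import re

# Constructed Sysmon-style ProcessAccess (Event ID 10) records, one per line.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\\Users\\bob\\Downloads\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Program Files\\AV\\scanner.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1410
EventID=1 Image=C:\\Windows\\System32\\cmd.exe
"""

# PROCESS_VM_READ (0x0010) and PROCESS_QUERY_INFORMATION (0x0400) are the
# rights a credential dumper needs on LSASS; treating either as suspicious
# is an assumption, tune to taste.
SUSPICIOUS_BITS = 0x0010 | 0x0400
# Assumed allow-list of images expected to touch LSASS (e.g. an AV engine).
ALLOWED_SOURCES = {r"c:\program files\av\scanner.exe"}

RECORD = re.compile(
    r"EventID=(?P<id>\d+).*?SourceImage=(?P<src>.+?) TargetImage=(?P<dst>.+?) "
    r"GrantedAccess=(?P<mask>0x[0-9a-fA-F]+)"
)


def lsass_access_alerts(log_text):
    """Return (source_image, granted_access) for suspicious LSASS handle opens."""
    alerts = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m or m.group("id") != "10":
            continue  # not a ProcessAccess record
        if not m.group("dst").lower().endswith(r"\lsass.exe"):
            continue  # some other target process
        mask = int(m.group("mask"), 16)
        src = m.group("src")
        if mask & SUSPICIOUS_BITS and src.lower() not in ALLOWED_SOURCES:
            alerts.append((src, mask))
    return alerts


if __name__ == "__main__":
    for src, mask in lsass_access_alerts(SAMPLE_LOG):
        print(f"ALERT: {src} opened lsass.exe with 0x{mask:X}")
```

Only the download-folder binary is reported: svchost.exe asks for query-limited rights only, and the scanner is on the allow-list.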

OK, I guess “classic” is the right term for a program that is thirty-two (32) Web years old (3 months on the Internet = 1 Web year).

I don’t see any basis for claiming that Mimikatz is unique to “Deep Panda,” assuming “Deep Panda” is something other than marketing hype. Mimikatz is available from GitHub and is used by thousands, if not tens of thousands, of users.

The claim that:

“Mimikatz is a classic [tactics, techniques and procedures] of Deep Panda,”

is: BOGUS!

The article does have one useful bit of information related to the OPM hack:

The OPM hack involved the compromise of administrator-level access that allowed the hackers to download information, and potentially to alter or corrupt data within the system.

Do you remember item 4 on page 40 of the United States Office of Personnel Management, Agency Financial Report, 2014:

The password length setting for privileged user accounts did not meet minimum OPM password length requirements.

So the OPM hack did not occur because:

the group [was] among the most sophisticated state-sponsored cyber intrusion entities.

but rather because “privileged users” failed to “meet minimum OPM password length requirements.”

No nation states required for the OPM hack, just poorly skilled network administrators.

One Response to “Bogus OPM – China Claims Debunked”

  1. shunting says:

    “Rebug” is not a word. That’s surprising, because it should be. Usage example:

    The White House-mandated 30-day cybersecurity sprint following the OPM data breach will prove to be a massive exercise in rebugging.