
The Hack That Made China a Superpower: Operation Shady Rat

May 18, 2024
In December 2012, Kyle Wilhoit, an experienced cybersecurity researcher, set up an experiment: he built a water plant, a network of advanced industrial control systems with complicated equipment, complete documentation and a website to boot. According to the legend, the plant is located in the town of Arnold, Missouri, but in reality it is completely virtual. It runs on a couple of machines in Kyle's basement, sending fake measurements back and forth to mimic real activity. The researcher takes a deep breath and connects the system to the Internet. The experiment begins. Within several days, interesting things start to happen: the plant is attacked from all sides. North Korean military hackers, Russian ransomware gangs, even trolls from the US and Europe try all kinds of mischief for fun and profit, connecting to the servers, breaking login pages and injecting code wherever possible. But among all of them, one attack stands out. Several phishing emails land in the inbox of the supposed plant. They are well researched and well written, with attachments that look legitimate; a text document hides the malware. When it is launched, the malware scrapes the virtual plant, finds the plant's documentation and transmits it directly to a command and control server. Kyle is surprised by how little effort it takes to trace the attacker's servers in China. They are large and full of government records, documents and corporate secrets. Kyle can't believe his eyes: he got them. He found APT1, the hacking group that carried out Operation Shady RAT. By that time, similar stories had been playing out, almost step by step, around the world for 6 years, except their victims were not virtual.
It all started in 2006, when an employee at a construction company in South Korea received an email with an attachment. It was sent from an address named after his colleague, but there was something strange about it. Confused, the worker replied to double-check, and after several minutes he got a confirmation that the file was legitimate. However, the attachment did not open; instead, it launched malicious code. A remote access trojan, a RAT, was started on the worker's computer. In just a few months, at least eight companies were attacked by the same RAT and dozens more by similar ones. All of these intrusions had the same pattern: a spear-phishing email posing as one from a close acquaintance showed some knowledge of the company, but it was written in rather poor English, as if in a hurry.

The attached file would hide a RAT disguised as a document or some other file. The attackers would talk to the victim and spare no effort to talk their way through their defenses. This is in the era where we're not concerned with attribution, so it's largely companies and organizations that, by today's standards, had ridiculous cybersecurity. I remember seeing, you know, some Shady RAT intrusions where they were sending screensavers as an attachment, right, um, and you look today and say, sorry, you let a screensaver through the email gateway, right, um, let alone the user says, oh, a cool screensaver, I'll just download this and run it on my machine. The methods were crude but effective, but the most important element was not the breach itself; it was what happened afterwards. The attackers did not run away. They wandered around, monitoring the system, siphoning off all the new data that appeared there. At the same time, they would begin to move laterally, using the acquired knowledge and access to infect adjacent systems: other computers on the network, other branches of the company. They would repeat the same pattern over and over again, building a rat cave beneath the noses of their victims. The shortest documented intrusion of this type lasted around 1 month, the longest almost 5 years. Their goal was not so much to disrupt but to sit, collect, learn and send data to central locations, so they needed to stay unnoticed.
It's much harder to stay inside a network undetected and still be able to observe and be active than it is to go smash, grab and run. Such attacks were becoming endemic. Scrambling for answers, the US government began to bring in private cybersecurity companies and share information with them in the hope of shedding some light on the situation. A new name was coined for a group of hackers capable of executing attacks this long-lasting: an advanced persistent threat. However, it was not until several years later that it became clear who the original APT was. Credit for the first counterattack against the RAT goes to a research team at McAfee in 2011.
They broke into the server where the stolen documents were stored. It housed the records documenting the victims of the RAT: government institutions, companies and other organizations. All the victims were breached by the same method and all their documents were routed through the same rat dens. Things fell into place: all the APT activity that had seemed like a bunch of unconnected attacks was centrally planned and coordinated. It was part of one operation, and McAfee named it Operation Shady RAT. In 2013, a Google subsidiary focused on cybersecurity managed to go even further. They named the group behind the operation APT1, highlighting its size and importance, then tracked down the breadcrumbs left by the hackers.
It turned out that the people behind this APT worked for a segment of the Chinese military: the General Staff Department of the People's Liberation Army, Third Department, Second Bureau, also known as Unit 61398. It was located in a military building on the outskirts of Shanghai, and several hundred people worked there. They were responsible for everything from military reconnaissance and electronic warfare to writing propaganda comments on social media. They were an integral part of the Chinese military and acted like it in every way, from iron discipline to incredible ingenuity, except for one thing: operational security. Between the Google subsidiary, McAfee, Kyle Wilhoit and possibly others, many people managed to track the RAT to its nest, and it was not because the Chinese hackers were incompetent or negligent, but because they simply didn't care. In the early years of Operation Shady RAT, they didn't use any tools to mask their use of Chinese ISPs, and their fingerprints were all over the malware. Their attacks were brazen and aggressive, relying more on victims' poor cybersecurity than on advanced subterfuge. They were there too, it was just, you know, reroute the data and FTP it back to China, and I say FTP like they don't even use encryption, they're like going back to China directly, you know, and things that we wouldn't even consider today.
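The cleartext FTP egress described above is also what a defender can key on. As an added example that is not from the video or from anyone quoted in it, this Python snippet sums outbound bytes over tcp/20 and tcp/21 from internal hosts to addresses outside the organisation's own ranges, over constructed flow-log lines, and flags the pairs above a volume threshold; because it keys on protocol and volume rather than destination country, it still fires when the traffic is bounced through a redirector in a third country. The log format, the internal ranges, the threshold and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real telemetry), one per line:
# timestamp src_ip src_port dst_ip dst_port proto bytes_out
SAMPLE_FLOWS = """\
2007-03-02T02:14:05 10.20.4.17 49152 10.20.4.250 445 tcp 18304
2007-03-02T02:15:41 10.20.4.17 49160 198.51.100.23 21 tcp 1260
2007-03-02T02:15:44 10.20.4.17 49161 198.51.100.23 20 tcp 734003200
2007-03-02T02:16:10 10.20.4.31 50021 203.0.113.77 443 tcp 52000
2007-03-02T02:17:02 10.20.4.31 50022 203.0.113.77 21 tcp 980
2007-03-02T02:17:05 10.20.4.31 50023 203.0.113.77 20 tcp 1048576
2007-03-02T02:20:00 10.20.4.17 49170 10.20.9.8 21 tcp 4096
"""

# Assumed internal address space; a real deployment uses the org's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}                  # control channel and active-mode data channel
BYTES_THRESHOLD = 10 * 1024 * 1024    # flag more than 10 MiB outbound per (src, dst)

def parse_flows(text):
    """Yield one dict per well-formed record; silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, _sport, dst, dport, proto, nbytes = parts
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
               "proto": proto.lower(), "bytes": int(nbytes)}

def is_external(ip):
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_cleartext_ftp_egress(text, threshold=BYTES_THRESHOLD):
    """Sum outbound bytes over FTP ports to external hosts and return the
    (src, dst) pairs above threshold. Keys on protocol and volume, not on
    destination country, so a redirector in a third country does not hide it."""
    totals = defaultdict(int)
    for f in parse_flows(text):
        if f["proto"] == "tcp" and f["dport"] in FTP_PORTS and is_external(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: n for pair, n in totals.items() if n > threshold}

if __name__ == "__main__":
    for (src, dst), n in find_cleartext_ftp_egress(SAMPLE_FLOWS).items():
        print(f"ALERT cleartext FTP egress {src} -> {dst}: {n} bytes")
```

On the constructed sample, only the 10.20.4.17 transfer of roughly 700 MB to 198.51.100.23 is flagged; the small FTP session from 10.20.4.31 and the internal FTP to 10.20.9.8 are not.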
There were job offers. Former employees would include hacking achievements on their CVs. One hacker even published a scientific paper about his techniques. They were not subtle at all. If there's one thing you would say about China, it was like they didn't care about being caught. And despite this attitude, the attacks worked. Terabytes of data were smuggled through the rat dens and ended up in the hands of Chinese officials. But so it's intellectual property theft, right, originally, you know, its big goal, without a doubt until the mid-2010s, was technology transfer and the theft of intellectual property, which would include access to many new technologies, who knows what future things, because if there is one thing that is known, it is that it is very difficult to create but very easy to replicate and improve, which China has done for a long time. So if you go back and read China's five-year plans, and they're very public about it, you know what we're moving domestically to produce over the next five years and what technologies we're looking at moving forward, and you can overlay that directly with their targets. Lockheed Martin, an American defense manufacturing giant, was one of the first victims of the Shady RAT. In 2007, a rat cave was dug in their servers, where the plans for the F-35, the most recent and advanced stealth fighter jet the world had ever seen, were laid out.
Just several years later, a remarkably similar aircraft took off for a test flight in China. It was called the Shenyang FC-31, and people became suspicious. Several leaked reports had already indicated that the US military was concerned that its systems were compromised, but the army denied everything. It was not until 2015 that documents leaked by Edward Snowden confirmed that the F-35 was stolen, and not by a daring maverick or an undercover agent: it was stolen by a person who just sent a bunch of emails to a Lockheed Martin employee posing as his co-worker. And this is just one high-profile case that we are reasonably sure about. Construction companies like the one in South Korea where the attacks began, industrial plants like the one that Kyle Wilhoit's experiment imitated, other factories, offices and institutions: countless intrusions that allowed China to copy devices, systems and best practices. The RAT was bringing home the wood that fueled the fire, the glow of unprecedented economic growth. The mainland economy grew approximately 400% from 200,000, so fast, almost as if on steroids, that the country has not missed a single GDP target. Throughout this decade there have been attempts to confront China.
We have agreed that neither the US nor the Chinese government will knowingly carry out or support cyber theft of intellectual property. We argue with it. China's Foreign Ministry on Monday called on the US to withdraw its charges immediately. They even dragged military hackers into court, sought by the FBI. None of it worked. The standard response from Chinese officials has been to vehemently deny that their country conducts offensive cyber operations and then counterattack with a logical fallacy as old as time: the United States carries them out, so why shouldn't we? However, despite those claims, the Chinese APTs began to be more careful. They began to employ the help of non-state actors and to mask their traffic, giving their operations at least a semblance of plausible deniability. The brazenness of the attacks, right, you know, it really falls, and one of the things that we saw happen quite a bit after that reprimand, that very public reprimand at the state level, is that, you know, they started routinely using what we call redirectors, so basically jumping through some other country's infrastructure instead of attacks that in many cases came directly from China. The Shady RAT ended. The old tools were no longer fit for the job; the hackers had to be more careful, they couldn't chase so many targets, and the attacks had to change. The reasons for the attacks also changed: the purpose of maintaining a presence, of building a reliable rat den, was no longer to steal information but to maintain access in case it was needed. In the US, critical infrastructure is defined as the assets, systems and networks that are most critical to our economy, our national security and community well-being and the like, and presumably the end goal there, of course, is to stop the functioning of things that are important: hindering transport, the logistics systems, the ability to communicate or the ability of organizations, you know, the loss of power and things like that. Shady RAT was an immensely important operation for China for many reasons. It supplied Chinese industry with all the trade secrets it needed and established China as a major cyber superpower, but it also had a much more insidious and much deeper effect.
Let's say you have a rat that has access to a water plant, not virtual but real, somewhere in rural America. You had a cave leading there for years and no one noticed. You stole all the documentation you needed, you copied the plans of the plant, but the cave is still there. In fact, there are many such caves leading to many plants throughout the country: water, sewage, gas, electricity, all kinds of infrastructure that is critically needed for the functioning of an economy. What could be done with it? What could be carried through all those caves? You know, when I was in government at the Cybersecurity and Infrastructure Security Agency, we used a nice analogy that I think is still relevant, which was, at the, you know, I'm talking about the end of the last decade, Russia was kind of hurricanes, tornadoes and natural disasters, and China was the climate change.
Thanks for watching. If you want to see more videos like this, subscribe to let us know, and then watch our channel. Have a good day.
