FBI’s Cyber Task Force Identifies Stealthy FF-RATs Used In OPM Cyber Attack; Did Edward Snowden Wittingly, Or Unwittingly, Aid China’s Breach Of OPM?


www.fortunascorner.com

     Wang Wei, writing in the September 2, 2015 edition of TheHackerNews.com, notes that “after three months of investigation, the FBI’s Cyber Task Force identified several Remote Access Tools (RATs)” that were used to carry out the U.S. Office of Personnel Management (OPM) hack.  “One of the most effective tools discovered is called ‘FF-RAT.’”  Mr. Wei writes that “FF-RAT evades endpoint detection through stealth tactics, including the ability to download Dynamic Link Library (DLL) files remotely and execute them in memory only.”  Because such a DLL never touches the disk, file-based antivirus scanning and disk forensics have nothing to inspect; the module exists only inside the memory of the process that loaded it.  According to Webopedia, a DLL is a “library of executable functions or data that can be used by Windows applications.  Typically, a DLL provides one or more particular functions, and a program accesses the functions by creating either a static or dynamic link to the DLL.”

     “Hackers use RATs to gain unlimited access to infected endpoints.  Once the victim’s access privilege is acquired, it is then used for malware deployment, Command and Control (C&C) server communication, and data exfiltration.  Most Advanced Persistent Threat (APT) attacks also take advantage of RAT functionality for bypassing strong authentication, reconnaissance, spreading infection, and accessing sensitive applications to exfiltrate data.  In order to mitigate these types of attacks,” Mr. Wei notes, “it is key that you have the tools and methods in place for early detection.  It is important that you identify these attacks early, and in time for you to isolate infected assets, and remediate issues — before they spread, or move to the second stage (deploying additional malware, stealing important data, acting as its own C&C server, etc.).”

     Mr. Wei writes that “when deploying a RAT, a hacker’s primary goal is to create a backdoor to infected systems so they can gain complete control over the system.”  Once the RAT “is installed on your system, the attacker is able to view, change, or manipulate data on the infected machine.  This leaves your system, [network] and possibly your client’s system and sensitive data at risk.  Often,” Mr. Wei adds, “a single RAT is deployed as a pivot point to deploy additional malware in the local network, or use the infected system to host malware for remote retrieval.”
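The in-memory-only DLL behaviour described above is exactly what a host-based check has to catch if the “early detection” Mr. Wei calls for is to happen before the second stage.  What follows is an added example written for this page; it is not code from the FBI task force, from The Hacker News article, or from any FF-RAT sample.  It walks a snapshot of a process’s memory regions, in the shape a VirtualQueryEx walk or a memory-forensics tool would produce, and flags executable regions that are not backed by a module file on disk.  The region records are constructed sample data, and the `Region`, `reason_for` and `classify` names are this example’s own.

```python
"""Heuristic check for DLLs that exist only in memory.

Added example for this page, not code from the FBI task force, from The
Hacker News article, or from any FF-RAT sample. It scans a snapshot of a
process's memory regions, in the shape a VirtualQueryEx walk or a
memory-forensics tool would emit, and flags executable regions that are not
backed by an image file on disk. All region records below are constructed
sample data; the field names and helper names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows page protections that allow execution (names as in winnt.h).
EXECUTABLE_PROTECTIONS = {
    "PAGE_EXECUTE",
    "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE",
    "PAGE_EXECUTE_WRITECOPY",
}


@dataclass(frozen=True)
class Region:
    base: int            # start address of the region
    size: int            # size in bytes
    protect: str         # page-protection constant name
    mem_type: str        # "MEM_IMAGE", "MEM_MAPPED" or "MEM_PRIVATE"
    path: Optional[str]  # backing file for MEM_IMAGE / MEM_MAPPED, else None
    head: bytes          # first bytes of the region, enough for an "MZ" check


def reason_for(region: Region) -> Optional[str]:
    """Return why a region looks like in-memory-only code, or None if benign.

    A DLL loaded through LoadLibrary is MEM_IMAGE and names its file on disk.
    Executable memory that is MEM_PRIVATE (heap / VirtualAlloc) and begins
    with a PE header is the classic footprint of a DLL fetched over the
    network and mapped by the implant itself, never touching the filesystem.
    """
    if region.protect not in EXECUTABLE_PROTECTIONS:
        return None                        # not executable, out of scope
    if region.mem_type == "MEM_IMAGE" and region.path:
        return None                        # ordinary file-backed module
    if region.head.startswith(b"MZ"):
        return "PE header in executable non-image memory (in-memory DLL)"
    return "executable memory not backed by a file on disk"


def classify(regions: List[Region]) -> List[Tuple[str, str]]:
    """Return (base address, reason) for every suspicious region."""
    findings = []
    for region in regions:
        reason = reason_for(region)
        if reason is not None:
            findings.append((hex(region.base), reason))
    return findings


# Constructed sample snapshot: one normal DLL, one heap, one RWX blob without
# a PE header (what a JIT or a packer stub might leave), one in-memory DLL.
SAMPLE_REGIONS = [
    Region(0x7FF810000000, 0xC0000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Windows\System32\kernel32.dll", b"MZ\x90\x00\x03"),
    Region(0x02000000, 0x10000, "PAGE_READWRITE", "MEM_PRIVATE",
           None, b"\x00\x00\x00\x00"),
    Region(0x02100000, 0x20000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE",
           None, b"\x55\x8b\xec\x83"),
    Region(0x02200000, 0x30000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE",
           None, b"MZ\x90\x00\x03"),
]

if __name__ == "__main__":
    for base, reason in classify(SAMPLE_REGIONS):
        print(base, reason)
```

Two caveats a practitioner will want.  First, the weaker finding (executable private memory with no PE header) is noisy on its own: .NET, Java and browser JavaScript engines JIT code into exactly that kind of region, so it needs per-process baselining, whereas a PE header sitting in private executable memory is a much stronger signal.  Second, on a live host the snapshot comes from walking the target process with VirtualQueryEx or from a memory image; the Volatility `malfind` plugin applies the same idea to a captured image.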

Did China’s Reconnaissance Of The OPM Site That Produced The Massive Cyber Security Breach Of OPM — Begin After Edward Snowden’s Time In Hong Kong?

     Did China begin its surveillance and reconnaissance of the U.S. Government’s Office of Personnel Management (OPM) website after Edward Snowden’s stay in Hong Kong in May/June of 2013?  Investigative journalist Edward Jay Epstein wrote in the June 29, 2014 Wall Street Journal that “one day after stealing secrets from the National Security Agency (NSA), Mr. Snowden flew to Hong Kong.”  Of note, Mr. Snowden flew “to a special region of China,” Mr. Epstein added, which did have an extradition treaty with the United States; but that is not the focus of this article.
     “From May 20, 2013, until May 31, 2013,” according to a publicly released Defense Intelligence Agency (DIA) report on the Snowden affair, “U.S. investigative agencies were unable to discover any credit-card charges or hotel records verifying his whereabouts.”  “On a recent trip to Hong Kong,” Mr. Epstein wrote at the time, “a U.S. official told him [Mr. Epstein] that Mr. Snowden had been observed on CCTV cameras entering the skyscraper that housed the Russian consulate on three occasions — but the visits were in June.”
     Mr. Snowden would later tell Glenn Greenwald — who at the time was ‘working with’ young Mr. Snowden, along with Ms. Laura Poitras of London’s The Guardian — that he had been “holed up” in his room at the Mira Hotel from the time of his arrival in Hong Kong.  “But according to inquiries by The Wall Street Journal reporter Te-Ping Chen, Mr. Snowden arrived there on June 1,” Mr. Epstein writes.  “I confirmed the date with the hotel’s employees.”  A hotel security guard told Mr. Epstein that “Mr. Snowden was not in the Mira in the late May [2013] period, and when he did stay there, he used his own passport and credit card.”
     
     “So, where was Edward Snowden between May 20 and May 31?” asks Mr. Epstein.
     The belief among many intelligence and national security professionals is that Mr. Snowden was being ‘managed’ by China’s Ministry of State Security, even though the young Mr. Snowden may not have realized it at the time.  Now, to the OPM breach some two years later.
China’s Breach Of OPM Reportedly Occurred In December 2014
     According to a June 10, 2015 article on FedSmith.com by Ian Smith, “the intrusion into OPM’s network occurred in December, 2014; but, was not discovered until April, 2015,” some four months later.  But it is more than curious that eighteen months after Mr. Snowden departed Hong Kong, after being under the ‘care and feeding’ of China’s Ministry of State Security, Beijing was able to strategically pinpoint and target the OPM network that would give China access to the massive amount of data on all Federal employees, especially those with Top Secret clearances.
     Nicholas Weaver, writing in the June 4, 2015 International Business Times, suggests that the U.S. government itself may be responsible for this massive leak.  He notes that “the U.S. government carried out an audit of OPM’s Information Security Management; and, published its findings last November; which revealed an alarming list of issues, and shortcomings” in OPM’s IT enterprise.  Mr. Weaver wrote that “the [report], which could act like a playbook for any hackers looking to breach the security of OPM — lists 11 major issues with the way the agency deals with cyber security.”  This list includes “11 major OPM information systems operating without a valid authorization,” which “represents a material weakness in the internal control structure of OPM’s IT security program.”  A system operating without a valid authorization is one whose security controls have not been assessed and formally accepted, so a public list of such systems tells an attacker which parts of the enterprise are least likely to have been hardened.  The report goes on to say that “the drastic increase in the number of systems operating without a valid authorization…is alarming.”
China May Have Had The Keys To Breach The OPM System When Mr. Snowden Left Hong Kong — But, Used The OPM Study As A Cover For Conducting This Massive Breach
     The world of intelligence, counterintelligence, and cyber espionage is a digital wilderness of mirrors, with many dead ends, ‘alleyways,’ side-streets, and black holes leading to nowhere.  It would be easy to connect the dots between the report on the vulnerability of OPM’s IT enterprise in November of 2014 and the actual breach one month later in December 2014, if indeed that is the correct timetable.
     But one has to, unfortunately, consider the possibility that Beijing, along with a host of our other adversaries (certainly China and Russia), had the cyber keys to OPM’s system, as well as others, and used events like the publication of OPM’s shortcomings in securing its networks as top cover for information they had already obtained, with the help (knowingly or not) of young Mr. Snowden.  Perhaps the earlier reported breach of the White House network could be traced to what Russia has derived from the Snowden leaks.

V/R, RCP
