Tom Uren
Hello everyone, this is Tom Uren. I'm here with the Grugq for another Between Two Nerds discussion. G'day, Grugq, how are you?
The Grugq
G'day, Tom. Fine, and yourself?
Tom Uren
I'm well. This week's episode is brought to you by Prowler, the open source cloud security company. So in the last week or so, Lina Lau, who is the occasional co-host of the Risky Business podcast, wrote this blog post about taking Chinese incident response reports about a particular NSA intrusion, and she basically collated them, rewrote them in a Western style and published them. Adam and Patrick had Lina on the main Risky Business podcast and they spoke to her and interviewed her. We thought we'd dive into some of the nuances or intricacies or the things that you thought were interesting that weren't explicitly in the report.
The Grugq
It's a little bit of a peek behind the curtain, that is, if you read between the lines. I think it shows you some interesting stuff and I haven't really seen that covered elsewhere.
Tom Uren
Yeah. So Adam and Patrick interviewed Lina. Go listen to that. That was a good interview. Different material that's more, even more nerdy.
The Grugq
If you want to know about the bureaucracy behind why these things are happening, follow us.
Tom Uren
Yeah, yeah, yeah. So the story, at the very highest level, is that there was an intrusion against this particular Northwestern Polytechnical University and the Chinese incident response firms pegged it on NSA and they wrote these reports, and like I said, Lina translated them. But just for some context, my former workplace, the Australian Strategic Policy Institute, has this resource called the China Defence Universities Tracker, and Northwestern Polytechnical University is in there. Just very briefly, it says it does top secret research, has a very high number of defence labs and defence research areas, and is involved in illegal exports. I'm not sure what they are. It also says the university is one of the Seven Sons of National Defence, subordinate to the MIIT, that is the Ministry of Industry and Information Technology. So you can understand by looking at...
The Grugq
...all that, it's a legitimate target space.
Tom Uren
Yeah, it makes sense that it's targeted.
The Grugq
This is a... they're closely associated with defence contractors and such, just like MIT or, like, you know, Stanford and stuff like that in the US, where if they are targeted, you're not particularly surprised, right?
Tom Uren
Yeah, yeah. And I imagine that in most US universities there might be research programs which would be of intelligence interest, whereas this seems more like here's an entire university which would likely have many programs that would be of interest. At the same time, you can see it's a legitimate target, but it also looks like not the highest priority. It's not Xi Jinping, it's not the...
The Grugq
...actual army, MSS, or it's not the... Yeah, yeah.
Tom Uren
So what struck you about the report? Which, to be clear, this is not Lina saying these things. It's her distillation from Chinese sources.
The Grugq
It's multiple. Yeah, it's multiple reports. So yeah, yeah. So she collated a bunch of stuff together, wrote it up in more of a Western way, and there's a whole bunch of really interesting details that get pulled out, but there's also these higher level things which I found interesting. So one of the things I was curious about is how apparently there are three different APTs that are identified and named by these Chinese companies, and one they associate with CIA, one they associate with NSA, and there's this third one that is not directly attributed to a specific agency or unit. So I thought that was quite curious. I can't think of who that would be. On the one hand there is a wealth of possibilities and on the other hand none of them strike me as more plausible than others.
Tom Uren
Yeah, I was wondering about how much, and I don't know the answer to this question, how much of their attribution was based on material that had been leaked in, like, Shadow Brokers or Snowden? And so whether, like, you know, that happened to fill in the gaps and then they've just chucked another intrusion in, everything that's not...
The Grugq
Yeah, right, right. So there you go. They'd have a... everything from... everything that matches Shadow Brokers is NSA, everything that matches Vault 7 is CIA, and everything else is some unknown third...
Tom Uren
...group, which could actually be any country. So I was unclear based on the report whether that could be true. But anyway, go on.
The Grugq
Right, yeah, so like that's certainly an option. It seems like they'd been doing these incident responses for a while and they had a lot of data, and then they were able to use Shadow Brokers to sort of match things afterwards. Like, they already had these artifacts; it was only that Shadow Brokers gave them specific names and directly linked them. But there's also links to some stuff from Snowden. Like, I thought that was interesting because the diagram that they put together doesn't make sense to me.
Tom Uren
Right.
The Grugq
So like what they're showing is that, like, a Chinese user, like, this is our victim, makes a request to Gmail. There's an NSA server that redirects the response from Gmail and then hijacks it to send a 0day instead. And how does that work with SSL? I don't see how you can just hijack one side of a stream if it's SSL. That doesn't make sense. I don't get it.
Tom Uren
So they've got a slide that was leaked in, what, 2013, and incorporated that in their 2022 report, even though it probably doesn't make sense.
The Grugq
Yeah, it hasn't made sense for... since almost that entire time, you know, and it's a nice graphic, so I can certainly see why you'd want to include it. And it looks like a cool thing. But if they're still able to do this, then I would worry a lot more about the fact that they can intercept and inject into SSL than I would worry that they have 0day. That would be a scary capability. Some of the other stuff that just sort of stuck out to me was just how ordinary NSA is. Right. Like, everything they do...
Tom Uren
You were hoping for the magic and you didn't see the magic.
The Grugq
Exactly. I was like, maybe these guys actually do pull a rabbit out of a hat. Like, maybe they figured out a way to make a rabbit materialise. And then you look at it and it's like, oh, there's a hole in the table and someone is feeding up a rabbit from underneath. Like, that's what everyone does.
Tom Uren
It's really now the, like... So this was interesting to me. And you say ordinary, and what I interpret that to mean is that they behave like other APTs. Like, they do the same, they step through the same steps, right? Whatever, you know, initial access, lateral movement, escalation, etc., etc.
The Grugq
Etc. Exfiltration. Then they get busted and they go again, and it's boring.
Tom Uren
But I guess this sort of tells you that there's... everyone's playing on fundamentally the same landscape, right? Or the same terrain or whatever. And these are sort of the fundamental things you have to do. So that's not a surprise though, is it?
The Grugq
I mean, it's not. It's just... I think there's two things that go into it. One of them is that they're using the standard template that everyone uses, which is, you know, you break in, you dig in on edge devices, you have these sort of last chance implants that you use so that you can regain access after you've been kicked out, so you don't have to do it all again. You know, you do your lateral traversal, you steal credentials rather than hacking everything from scratch all the time. Standard stuff. But what it means to me is that there's no automation. Right. That they don't have, like, a worm that does this, where they sort of drop a piece of software in that does automated crawling through the network and then collects and sends stuff back, which we know they've done in other cases. So there's that, and then there's the fact that, like, they have this hands-on-keyboard access that's going on. There's, like, the NOPEN stuff, which... that just seems so primitive.
Tom Uren
So it's not exactly clear when the events in these reports took place. So we've got a very long... like, it could have been from... when did it start? 2013?
The Grugq
2012, I think.
Tom Uren
Yeah, yeah, 2012. Yeah, over a decade. So certainly a decade ago, if you said to me, I want an AI thing to automate all my intrusion activity...
The Grugq
Right, yeah. Like, that doesn't work. If someone was saying, yeah, like, we've automated it with an intelligent agent that's doing stuff, I'd be like, oh my God, the end of the Internet is coming. This is it.
Tom Uren
Yeah, that's right.
The Grugq
I would, I would not be impressed. Whereas if you didn't do that today, I would be upset.
Tom Uren
Well, I still wonder, because I was reading about the latest models that were released in the last couple of weeks and the pieces I saw were... yeah, they just make up a whole lot of stuff, like 20% of references, or like 70% for some models. And it's like, if you're a serious signals intelligence agency and someone says to you...
The Grugq
Yeah, okay, so you don't necessarily want hallucinations being introduced into your...
Tom Uren
So.
The Grugq
So to me it seems we're at...
Tom Uren
...a point where it seems plausible that this is something that could happen. But you've got to get over the... what's the... how confident do we have to be to actually automate it?
The Grugq
Right.
Tom Uren
Like... so this is a historical report as well, of at least a couple of years.
The Grugq
So to me that still, for example... yeah, specifically, like, the NOPEN thing that was in the Shadow Brokers. I would be shocked if they're still using NOPEN. Right, yeah. That was leaked in 2016. You know, if, whatever, seven years later they're still using this burnt tool, that would be... I would want my taxpayer money back. Yeah. I would want to know why the defence contractors haven't taken millions to write a new version of SSH.
Tom Uren
Yeah. So the question this raised for me is that the previous reports that I've... like, to be clear, I've not read them, but I've read the sort of English language interpretations of them, seem quite thin in terms of what the incident response was doing. This has more detail and is better presented, but at the same time it also seems like there's quite a lot of rehashing of leaked material. Now, the more I think about it, the less I think it's possible that Qihoo 360 or those other big Chinese companies are incompetent. Like, they've got some very, very good people in sort of, certainly, exploitation.
The Grugq
They're super good at winning Pwn2Own, but somehow they don't know how to use EnCase. Somehow they don't know how to do forensics. Right.
Tom Uren
That doesn't seem to...
The Grugq
That doesn't... Yeah, there's been, as you mentioned, there's been a number of previous reports, but generally speaking, those seem to have been released for politically motivated reasons.
Tom Uren
Right.
The Grugq
More of a, you know, you're accusing us of hacking into everything and yet here we have a case in, you know, 2015 where you hacked into us. Yeah. So, you know, pot calling the kettle black sort of thing. This seemed to be much more real, I guess. Like, this was an actual... it wasn't motivated by a political "well, you do it too." It seems much more of a, like, here's the thing that happened and here's how they did it.
Tom Uren
And yeah, yeah. Lina did tell Adam and Patrick that these reports were not published on websites, but were put on WeChat. And so if you're putting them on WeChat, they're clearly not for international distribution.
The Grugq
Yeah, that's not your target audience.
Tom Uren
Yeah, that's right.
The Grugq
Yeah. So I mean, just to go back on that, this hands-on-keyboard thing, that does surprise me. Right, so you've got NOPEN, which was a program that essentially, let's just say it's an SSH. Right. It allows you to bounce from one box to another and get a terminal session, essentially, and then run commands. And the commands that you run would be automated. So it was called a click script. And this came out with the Shadow Brokers, where you get this, here's a script, you modify these parameters here to be with today's date and the name of the operation that you're on, et cetera, et cetera. And then you run this thing and it sends that content as commands and pulls them off, et cetera. But that just seems so primitive.
Tom Uren
But I mean, if I had that...
The Grugq
...in 2000, I would think that that was elite. If, like, the NSA is using that in, like, 2015, which seems to be sort of roughly what they're suggesting, I would think, like, what have they spent the last 15 years doing? Like, why haven't they tooled up?
Tom Uren
Yeah, I mean, like we said, we don't think that they're using that same tool nowadays anyway. No, but there's no saying what's on the, you know, what's at the keyboard end, like. It could be, like, interacting with...
The Grugq
Well, here's the thing though, is that, like, one of the bugs that came up was when someone had failed to edit the click script. And so you got these errors showing up where there's, basically, there were lines saying, you know, "modify here" showing up as, like, regex not found, "modify here", regex not found, "modify here". So it feels to me like there's still a manual process. Like, errors showing up like that, at least at one point in time, caused this mistake. That's a human thing. So I feel safe in saying that at some point in time they were doing this very primitive thing, and it's embarrassing any time between 2012 and 2022, which...
Tom Uren
So it's not as good as you would hope they would be.
The Grugq
Yeah, I mean, I would just... I would have liked it to be more, I don't know, cool.
Tom Uren
Amazing. Yes.
The Grugq
Yeah. I wanted to be more impressed.
Tom Uren
Right. I think this goes back to what I said at the beginning, where they're definitely a target, but maybe they're not the highest priority target. So, you know, it's not necessarily the...
The Grugq
...A team or the B team or maybe even the C team. I mean, I think that's one of the other things that shows up is, like... so by tracing back through a bunch of bounces and hops, they found that the IPs that were being used against them were leased to a company called Jackson Smith Consulting, I think it is. Come on, can't you at least pick a first name and a last name? Not just, like... did someone, like, click the... did they click, you know, "make a fake person" and then just read it? Like, it's just so little effort went into this.
Tom Uren
But I would say that that's exactly what you want. Right. If you're trying to obfuscate who you are with just enough effort, like, you would, like, let's just make a random script that comes up with "totally Brown Brownson".
The Grugq
Yeah. Oh, yeah.
Tom Uren
Like, at that point, I mean, Smith...
The Grugq
It's just embarrassing. I... I don't know. Couldn't they... couldn't they have gone from, you know, like, Jackson Holdings or, like, Smith Amalgamated, like... yeah. So I think the other one was similar.
Tom Uren
It was, like, Mueller, Mueller Diversified. Yeah. Yeah. So Lina's written that, through joint investigation of forensics, China's CVERC, something like a CERT organisation, and Qihoo 360 identified four IPs that they say the NSA purchased through two cover companies, Jackson Smith Consultants and Mueller Diversified Systems.
The Grugq
That doesn't match my understanding of how... of how they get access to the Internet, to be honest. Although, I mean, I... it's not like... I'll say this, I think the Chinese probably have a better idea of what the NSA is doing than I do. So, fair enough.
Tom Uren
You would hope, for the Chinese's sake, like. Yeah. To me it makes sense that you would use multiple bounce hops. Right. The whole point is to make it difficult to get it back to the people who are supposed... like. So this is a mystery to me.
The Grugq
Yeah. Sort of along those lines, one of the things, one of the things that stuck out to me was, so they listed countries that had been used as bounces and they listed, they said, like, you know, commercial companies and universities. So universities are... they're very popular bounces because they have good bandwidth, they have terrible security, they have a lot of crazy traffic and they don't necessarily have the highest level of security interest in stuff. Like, if you say your box has been hacked, they'll just reimage it and keep going with their research, because they've got better things to do than, you know, track down nation states. So that made sense. But the countries that were listed were, like, Sweden, Ukraine, South Korea, Japan.
Tom Uren
These... yeah, yeah. I'm looking at the... they've got IPs used to launch attacks: Korea, Japan, Italy, Czech Republic, Mexico, Sweden, Germany, Finland, Korea, Spain, Japan, Australia, Poland, Qatar, UAE. So, like, quite a selection.
The Grugq
Yeah. And I'm curious how they do that. Like, I mean, do they hack and then use bounces, or do they rent VPSs and use bounces? And I feel like they would hack, because you're trying not to leave traces. You're trying to make it hard to track down who you are. And if you're using stuff that you've purchased, you're leaving that sort of forensic evidence behind. Those financial transactions will lead back to you and they'll find out that Jackson Smith has been doing dodgy stuff. This is a thing that doesn't get talked about. Whenever you talk about, like, responsible cyber or who you're allowed to attack, it's always, like... yeah, it's always about how, like, the ultimate target has to be proportional and it has to be, you know, relevant and all these other things. It's never, like, how about we don't hack kindergartens in South Korea for bounce points. Right.
Tom Uren
Okay, so if I was a... a lawyer, or if I was in charge, my argument would be, yes, we'll hack these bounce boxes in all sorts of different countries, but there's no impact to them. And, you know, if there's no impact, what's the harm? It gives us an operational benefit. And I can imagine a lawyer signing off on that. And I guess you sort of look at the flip side...
The Grugq
I think that that might actually be... following on from that, I think that that might be relevant in that when you look at the prosecutions that happen against cybercriminals, they will say, like, you know, hit 50 different companies, causing them this much damage. As far as I know, none of those are ever the bounces that get used. It's always the actual end victims.
Tom Uren
Right. Yeah.
The Grugq
So it feels like maybe, in a little bit of a way, like, bounces are free, they don't count.
Tom Uren
Well, like, you avoid collateral damage, and this is collateral, but there's no damage.
The Grugq
Right.
Tom Uren
And I mean, sort of conversely, if you look at Russian and Chinese operations, they quite often hack home office routers.
The Grugq
And they do the same thing.
Tom Uren
And now I think you can mount more or less the same argument, except sometimes those...
The Grugq
...when they get used directly, as opposed to when they get used as a bounce. I think it's fair to say no harm, no foul. Right. Like, it doesn't... it's not a crime to install a secret SSH and redirect some traffic. Like, that doesn't seem...
Tom Uren
Well, I mean, I think it is a crime.
The Grugq
I mean, it's technically a crime, but only because it breaks the law. But...
Tom Uren
To some degree, I would, like... it feels like a victimless crime.
The Grugq
Victimless crime. There we go. It's very much like, it's not a big deal. Like, these things happen. Whatever, everyone does it. It's just part of how you operate. That changes if, for example, you start using them to send spam or to do DDoS, or if you make them sort of actively involved in attacks. It's different, I think. Yeah. Like, that seems like a reasonable line to draw. So touching on some of the stuff that we covered last week, when we were talking about these principles of hacking, access, humanity and economy, I think some of the things that are showing up actually reflect those. So, like, as you were saying, this is a target, but it's not a high priority target. Now it's, it's the Polytechnical University. It's not, it's not, you know, Xi Jinping. It's not, you know, the PLA or whatever. So economy comes into effect in that you need to hit them, but you don't need to hit them with billions of dollars of invested tooling. So, yeah, like, economy is going to show up in, like... yeah, Jackson Smith as just a sort of... it's good enough for... it's sufficient for the target that we're going after.
Tom Uren
Right? Yeah.
The Grugq
Good enough. Yep.
Tom Uren
Yeah, yeah. And I think we skipped over it, but it seems like the initial access was via phishing, so...
The Grugq
Right, again.
Tom Uren
And it seems like at a university you're always going to be able to phish someone at some point. Like, they're big enough.
The Grugq
I think at a university you could literally just send out a piece of malware and say, for your chance to win a $20 Amazon gift card, please run this program on as many... you know, every time you run it, you get another ticket to win. And you would absolutely succeed. I guarantee you that that would work. Okay. So several years ago there was a report from, I think it was Mandiant, about how there's this new behaviour from the Russians when they were attacking Ukraine, and that they would compromise edge devices. They would go in, steal everything, wipe everything. The target company would then rebuild. But because they hadn't cleaned out the edge device, the Russians were able to regain access, and they'd sort of do three, four or five iterations of this. And I found out recently that actually one of the ways that they were able to keep doing this was they would mask their... so they would actually be breaking in from, like, owning the VPN device. But what they would do is they'd send a huge volume of phishing and malware emails so that during the incident response, that would appear to be the way that they gained access. And I'm wondering to a degree if that might be showing up here as well. Right. Because on the one hand you've got them, you know, using 0day to go after things, and on the other hand you've got them using phishing, which seem like very, like, different levels of one or the other. Right.
Tom Uren
Yeah. Yeah. So I guess the hypothesis there is that phishing is really just a cover story.
The Grugq
Yeah. Like, it's misdirection. Right. So, like, there's, there's two types of deception. So a type A, or an ambiguity deception, is one where it's not obvious what's going on because there's too many different plausible options, so you're making it less obvious which one is authentic. And then misdirection, or type M deception, is where rather than increasing the number of possibilities, you're narrowing it down, but you're pointing it in the wrong direction. So you're saying, like, we did gain access. Here's all the malware that we used. It's phishing. That's what you need to worry about.
Tom Uren
Yeah.
The Grugq
So you're misdirecting. So it seems like that could be one of the things they're doing. But I mean, on the other hand, this is 10 years of access. I would think that they didn't use 0day every single time.
Tom Uren
Yeah. So Lina's sort of write-up says they had several different ways. One of them was spear phishing. One of them was the system you mentioned before, man in the middle, she calls it. And... and also zero day at times. And I guess, you know, over a long period of time, I suppose you expect a variety of different methods. And again, it seems like it's the nature of the target. Like, it is an interesting target. You want it. Like, it's definitely a priority, not the highest priority. So you can... you can... and by this time, they know that they're a target as well. So it's like, well, if they know that we're targeting them, they know that we know.
The Grugq
Right, right. So that's sort of one of the other interesting things, I think, is that probably by the 10th year of doing incident response, you must have a fairly good idea of what to start looking for. You must have sort of developed a nose for where to hunt, where to look. Every time they come in, they always go for our next gen torpedo project. So that would be the place to start looking. Let's go and check there.
Tom Uren
Yeah. So, I mean, what's not in here is what exactly they targeted, which makes sense. But that also makes sense from the perspective of, here's the big picture target, which is the university. In the university, there's specific programs that we're interested in, and we want to get into those programs, like, very quietly. So there's kind of different levels within the whole operation. Like, access to the university, like, yeah, they know we want that. Whatever. Once we're on there, maybe that's where the magic is, Grugq.
The Grugq
No, it absolutely could be. And to a degree that makes sense. Right. That would be the time to do the type M misdirection deceptions, where you're saying, like, oh, we're really interested in your, you know... yeah. Like, we don't care about your quantum research lab. We're not super interested in your next generation torpedo program. We're very much interested in the, you know, making canned food last longer for MREs, I guess.
Tom Uren
Yeah, yeah. I mean, I think the other thing is that once you're a Chinese defence university and you've been hacked many, many times over a decade, like, how many different plausible attacking countries are there? Like, there's probably only a small list.
The Grugq
Yeah.
Tom Uren
Like, Lina actually does step through the other pieces of evidence, which were basically sort of patterns of life, you know. Right. Never working on US holidays, only working during, like, business hours.
The Grugq
Not even business hours. They knocked off at 4:00. These guys leave early, which, maybe they're just trying to beat the traffic, but...
Tom Uren
Traffic is horrendous around there. To me, that also went to the kind of target this is, in that this is a long term strategic target. It's here today, it'll be here tomorrow, it'll be here in five years. So if we lose access at 4:03 on a Friday, it's like, this can wait.
The Grugq
There's nothing that's going to happen before Monday. Yeah, we can take a three day weekend and come back on Tuesday and just get right back to it. It's not a... yeah, yeah, exactly.
Tom Uren
Like, no one's working weekends for this target.
The Grugq
Whereas no one's missing a kid's, you know, softball game for Northwestern China Polytechnic.
Tom Uren
Whereas you can imagine it'd be a different story, perhaps, in counterterrorism or something like that.
The Grugq
Right, right.
Tom Uren
Where there's more immediate...
The Grugq
We've lost contact with the ISIS cell in Brussels, but I guess we'll just pick it up when we come back next week.
Tom Uren
That's right, it's Memorial Day. Well, nothing bad could happen there.
The Grugq
There's no urgency, I think, is what we're getting at. But there's a sort of, you can, you can come back to this when you do and it's not going to be a big deal. If nothing else, the things that you're looking at that they're doing that are interesting are long term projects anyway.
Tom Uren
Right. Yeah.
The Grugq
So not only is that not a particularly high priority, the stuff that they're doing is not going to be, it's not going to be ready at 5:00 on Friday. You need to know about it then.
Tom Uren
That's right. Yeah. Yeah. So the evidence that she collates and puts together like that, that actually seems fair enough. If you were without all the leaked materials, you would sort of say to yourself, okay, 10 years. Who would be interested in this? There's a small list of countries. Who has the capability? Given the Memorial Day... that's right. Okay. That seems like I would give that pretty high confidence anyway.
The Grugq
Yeah, I would go for it, I think. I think you hit on the key things, which is, like, who would be interested for 10 years and keep it up in a way. If someone breaks in and, like, messes around, they get caught and they get kicked out and never come back, probably it's a teenager.
Tom Uren
Could be anyone.
The Grugq
Yeah, yeah. Not particularly interesting. If someone gets found, comes back, gets found, comes back, gets found, comes back, after some number of years, they, you know, they are persistent, right?
Tom Uren
Yeah, yeah, yeah. After some number of years, you give them a name, they have a personality, they're like an old friend or frenemy that comes back. I think there's a... like, the people in there would get a feeling and they'd speculate and they would build up these sort of chains of evidence and...
The Grugq
Absolutely.
Tom Uren
I feel like the sort of... the working hours...
The Grugq
Mm.
Tom Uren
...and the length of time goes to that economy principle, where it's like, this is clearly an enduring priority. A priority, but it's not the highest priority.
The Grugq
Right.
Tom Uren
And I very much get that feeling from the way this operation is described, that it's bog standard.
The Grugq
Right.
Tom Uren
It's a target.
The Grugq
Yeah. It's... it's your bread and butter...
Tom Uren
Yeah.
The Grugq
...sort of stuff. Very, you know, day in, day out, this is what you're doing. As opposed to, we've got a flash thing that we need to... absolutely. Yeah. I think in terms of access, one of the things, we touched on it briefly, but just the use of passwords and stealing credentials. This is one of the things that comes up, like, every time there's someone from the NSA or wherever who gives a talk about how we do things, they talk a lot about how they'll just steal passwords. Make sure you've got multi-factor authentication, you know.
Tom Uren
Right.
The Grugq
Nation states love using credentials. And it always feels like they're... you always get a sense that they're talking about, like, the other guys do. I mean, we have magic.
Tom Uren
So Lina's blog post actually got a lot of attention. And I guess it's because people are interested, because it's a peek behind the curtain of what NSA actually does. But the more we talk about it, the stronger and stronger feeling I get that it's, like, you know, just the sort of average, workaday, mundane business. Not that important, business as usual. Peek behind the curtain, which is kind of disappointing, in a way.
The Grugq
Yeah. It just... it doesn't feel NSA-like, it doesn't feel special. There's no glitter. There's no...
Tom Uren
I think there's this... I think there's this interesting dynamic where what we're really wanting from this kind of report is something sensational.
The Grugq
Right, right.
Tom Uren
But it's come from, like... I feel like it's kind of just a very mundane target. And, like, ironically, I don't think we'll ever get that sensational report, because if the sensational parts get hacked, then they're not going to release incident response reports.
The Grugq
Right? Yeah.
Tom Uren
And so Lina won't translate them. We'll never get to see them. And so that's what we're just left with: the banal hacking of a university. Yeah.
The Grugq
Yeah. We're condemned to a lifetime of nine to five hacking jobs. That's...
Tom Uren
Thanks a lot, Grugq. Nine to four.
The Grugq
Nine to four.
Tom Uren
Not even.
Risky Bulletin - Episode Summary: Between Two Nerds: NSA's 9 to 5 Hacking Campaign
Release Date: March 3, 2025
Host/Author: risky.biz
Podcast Episode: Between Two Nerds: NSA's 9 to 5 Hacking Campaign
In this episode of Risky Bulletin, hosts Tommy Ran and Grok delve into a detailed discussion about the NSA's alleged intrusion into Northwestern Polytechnical University (NPU) in China. The conversation is sparked by Lina Lau's blog post, which translates and interprets Chinese incident response reports concerning this specific NSA operation.
Tommy introduces the episode by referencing Lina Lau's blog post, where she translated Chinese reports attributing an intrusion at Northwestern Polytechnical University to the NSA. This university is noted for its top-secret research and significant involvement in defense projects, making it a legitimate target.
Tommy Ran [00:12]: "This week's episode is brought to you by Prowler, the open source cloud security company... [we] thought we'd dive into some of the nuances..."
The discussion highlights how Lina collated various Chinese reports, rewrote them in a Western style, and published her findings. Tommy encourages listeners to check out the interview with Lina on the main Risky Business podcast for more in-depth insights.
Grok [00:59]: "It's a little bit of a peek behind the curtain. That's if you read between the lines."
Tommy and Grok express their surprise at the apparent lack of sophistication in the NSA's methods as described in Lina's translation. They note that the techniques seem "old school" and lack the automation expected from a top-tier intelligence agency.
Grok [05:50]: "So like what they're showing is that like a Chinese user... how does that work with SSL? I don't see how you can just hijack one side of a stream if it's ssl."
Grok [07:17]: "Yeah. I was hoping for the magic and you didn't see the magic."
The hosts discuss the NSA's reliance on conventional hacking strategies such as phishing, credential theft, and manual intrusion processes. They criticize the lack of advanced automation, suggesting that the operations appear mundane rather than cutting-edge.
Tommy Ran [08:06]: "But it sort of tells you that everyone's playing on fundamentally the same landscape... These are sort of the fundamental things you have to do."
Grok [09:32]: "I think there's two things that go into... Standard stuff. But what it means to me is that there's no automation."
A significant portion of the conversation focuses on the NSA's use of bounce servers—temporary servers used to obscure the origin of attacks. The discussion points out the use of generic company names like "Jackson Smith Consulting" and "Mueller Diversified Systems," which Grok finds embarrassingly simplistic.
Grok [16:07]: "They had IPs... Jackson Smith Consultants and Mueller Diversified Systems."
Tommy Ran [17:03]: "Like, at that point, I mean, the people in there would get a feeling and they'd speculate and they would build up these sort of chains of evidence."
The hosts reflect on the nature of the target—NPU—as being important yet not the highest priority. They suggest that the NSA's approach indicates a long-term, persistent operation rather than a high-intensity, short-term campaign.
Grok [22:32]: "So it's misdirecting. So you're saying, like, we did gain access... You're misdirecting."
Tommy Ran [30:10]: "Like, no one's working weekends for this target."
Tommy and Grok explore the possibility that the NSA might be using phishing as a cover for more sophisticated intrusion methods. They discuss concepts of ambiguity and misdirection in cyber deception, suggesting that publicly attributing attacks to phishing could obscure the true methods employed.
Grok [25:41]: "So you're misdirecting... we did gain access... That's what you need to worry about."
The conversation emphasizes the NSA's long-term presence within NPU, spanning over a decade. This persistence suggests a stable campaign aimed at maintaining ongoing access rather than sporadic attacks.
Tommy Ran [31:01]: "It's the Polytechnic University. It's not... it's the PLA or whatever."
Grok [31:55]: "If someone gets found, comes back, gets found, comes back..."
Tommy and Grok conclude that the NSA's activities, as described in Lina's translation, appear to be routine and lack the sensationalism often associated with high-profile cyber espionage. They express a sense of disappointment, noting that the operations seem more like "nine to five" jobs rather than the highly secretive and advanced campaigns one might expect from a national intelligence agency.
Grok [34:25]: "It just doesn't feel NSA-like, it doesn't feel special."
Tommy Ran [35:19]: "Not even."
This episode provides an insightful yet sobering look into the NSA's cyber operations, highlighting the blend of standard techniques and long-term strategies employed in intelligence gathering. While lacking the flashiness often associated with espionage, the discussion underscores the persistent and methodical nature of such campaigns.