National Cyber Warfare Foundation (NCWF) Forums


op Soon to be fucked


1 user ratings
2024-11-05 23:51:26
blscott
Objective
The purpose of this operation is to poke I-Soon. Making it appear to be coming from Chengdu Chuang. The intent is to cause the two to get into a fight.

Story ARC
I-Soon and Chengfu Chang have been suing each other over Intellectual Property theft. Both are tied strongly to Emperor Xi, who is losing power. This is causing them to curry favor and try to re-align with the next power players. We will poke I-Soon from the perspective of Cheng Chang and leave indicators that make it look like Cheng Chang did it and try to prove they are the ones to go with and I-Soon is to amateur.

Two groups / orgs
  • Chengdu Chuang'an
  • I-Soon

  • Chengdu Silingsi Network Technology Co (Chengdu 404)
    • Chengdu Silingsi (404) Network Technology Company
    • Qian Chuan (a.k.a Squall) was President, Jiang Lizhi (a.k.a Black Fox) served as Vice President for the Technical Department, and Fu Qiang, (a.k.a StandNY) served as Manager for Big Data Development
  • Chengdu Chuang'an Jiadun Technology Co., Ltd. (Chengdu Sichuon, China) D&B: 408650509
    • https://www.dnb.com/business-directory/company-profiles.chengdu_chuangan_jiadun_technology_co_ltd.68820b8b744ee957e3e8618f7d1feb57.html
    • Hui Zeng - Principal
    • Address: No.1201, Floor 12, Building 1, No.1800, Middle Section, Yizhou Avenue, High-Tech Zone, China Pilot Free Trade Zone Chengdu, Sichuan, 611630 China
  • I-Soon Technology (Chengdu, Sichuan, China)
    • https://www.crunchbase.com/organization/i-soon
    • Links to POISON CARP and JACKPOT PANDA
    • Sichuan i-SOON
    • Sichuan i-SOON Information Technology Company
    • Sichuan i-SOON is a subsidiary of Shanghai i-SOON Information Technology
    • CEO: Wu Haibo a.k.a shutdown (Honker and Green army)


Thoughts
  1. Post on pastebin information paste's that talk about I-Soon targets and some attribution to Cheng Chang.

Base material

2. Reconnaissance and Intelligence Gathering

  • Identify Target Infrastructure: Map out the adversary’s physical systems and networks, including hardware components, network architecture, and communication protocols.
    • For instance, identify whether they use SCADA (Supervisory Control and Data Acquisition) systems for controlling physical processes or specific ICS (Industrial Control Systems).
  • Vulnerability Scanning: Perform comprehensive scans and reconnaissance on the cyber layer using tools like:
    • Nmap for network mapping and service detection
    • Shodan to locate exposed devices and ICS endpoints
    • Metasploit to identify software vulnerabilities
  • Physical Reconnaissance (if possible): Gather intelligence on physical access points, environmental controls, or backup power systems through UAVs (drones), onsite human intel, or satellite imagery.

3. Develop Attack Vectors

  • Network-Based Attack Vectors:
    • Spear Phishing & Social Engineering: Target key personnel to gain login credentials or introduce malware that can propagate through the network.
    • Exploiting Vulnerabilities in ICS/SCADA: Use specific exploits targeting known ICS/SCADA vulnerabilities (e.g., Modbus TCP vulnerabilities in energy systems).
  • Hardware-Based Attack Vectors:
    • Firmware Manipulation: Develop malware that can overwrite or manipulate firmware, especially for devices managing physical processes like PLCs (Programmable Logic Controllers).
    • Supply Chain Infiltration: Insert compromised components into the adversary’s supply chain, potentially preloaded with malware or remote access backdoors.

4. Weaponize Payloads

  • Malware for Cyber-Physical Manipulation:
    • Develop custom malware to cause operational failures within physical systems (e.g., modifying rotational speed in centrifuges, as seen in Stuxnet).
    • Design malware that can remain dormant until triggered, allowing for stealthy infiltration and controlled activation.
  • Data Exfiltration Tools:
    • For critical telemetry data, use tools that periodically exfiltrate small packets to avoid detection, capturing telemetry data crucial to physical processes.
  • Control Hijacking Tools:
    • Use malware designed to hijack operational controls (e.g., override safety limits in PLCs).

5. Infiltration Phase

  • Deploy Payload: Use multi-channel delivery options:
    • Remote Access: If vulnerable, deploy via VPN, RDP, or exposed SSH ports.
    • Physical Access: USB injection, compromised employee devices, or insider assistance can facilitate access directly.
  • Establish Persistent Access: Once inside, establish footholds through persistence mechanisms such as:
    • Rootkits to hide malware in the system kernel
    • Backdoors to maintain control even if the initial access method is closed

6. Execution of Cyber-Physical Disruption

  • Control Physical Systems:
    • Override Commands: Hijack the ICS/SCADA commands to the physical systems, causing changes in operation that may damage hardware, delay processes, or disrupt functionality.
    • Timing Attacks: Introduce timing-based logic errors (e.g., delayed actuation of safety mechanisms) to induce hazardous conditions.
  • Initiate Cascading Failures:
    • Target interdependent systems (e.g., energy systems affecting water treatment facilities) to amplify impact across multiple infrastructures.
    • Carefully synchronize attacks on multiple components to maximize system stress and failure rates.

7. Cover Tracks and Ensure Operational Security

  • Erase Logs: Ensure all traces of intrusion and malware deployment are deleted from system logs, network logs, and device-level memory.
  • Deploy Anti-Forensics: Use encryption on communication channels, disable logging on compromised endpoints, and wipe any command-and-control instructions once the attack completes.
  • Trigger Fail-Safe Mechanisms: If needed, deploy secondary payloads that deactivate systems remotely, making recovery or analysis by adversaries challenging.

8. Post-Attack Analysis and Mitigation

  • Damage Assessment: Conduct a full damage assessment to understand the operation’s impact and prevent possible retaliation or misuse of techniques.
  • Long-Term Monitoring: Monitor for potential counter-attacks or residual effects in the cyber-physical environment.
  • Forensic Analysis for Future Operations: Collect forensic evidence to refine future operations, analyze weaknesses in adversarial systems, and improve counterintelligence measures.

Attributing the attacks to Cheng Chang

Understand Chengdu Chuang'an’s Operational Profile

  • Study Their Known Tactics, Techniques, and Procedures (TTPs): Research and identify any unique signatures, such as IP ranges, malware patterns, or encryption algorithms associated with Chengdu Chuang'an. Use threat intelligence sources and analyze past attacks attributed to them.
  • Geographic Indicators: Determine typical server locations, IP geolocation, and time zones associated with Chengdu Chuang'an’s operations. This information is crucial for crafting a plausible attribution fingerprint.
  • Language and Regional Code Preferences: Understand if they tend to use specific coding languages, variables, comments in their native language, or patterns in character encoding (e.g., simplified Chinese).

2. Embed Artifacts that Resemble Chengdu Chuang'an’s Attack Markers

  • Code and Malware: Modify any deployed malware or script to resemble known patterns linked to Chengdu Chuang'an. Examples include:
    • Hardcoded Language Indicators: Insert comments or debugging output in simplified Chinese or phrases they commonly use.
    • Unique Protocols or Tool Marks: Use protocols or tools known to be employed by Chengdu Chuang'an (e.g., unique encryption libraries or compression algorithms linked to their past attacks).
  • Timestamp Manipulation: Adjust timestamps on deployed malware or server access logs to reflect working hours in China Standard Time (CST). This creates a pattern consistent with a group operating in their region.

3. Network and Infrastructure Spoofing

  • Use Known Chengdu Chuang'an IP Addresses: Proxy or route any C2 (Command and Control) traffic through IP ranges associated with past Chengdu Chuang'an attacks. Using a Virtual Private Server (VPS) in regions they typically operate from (e.g., China-based data centers) adds another layer of authenticity.
  • Domain Name Spoofing: If feasible within a controlled simulation, register domains that mimic Chengdu Chuang'an’s typical naming conventions. This could involve slight misspellings of their known domains or similar-looking URLs.
  • Proxy Chains and Relays: Set up a chain of relays across Chinese IP addresses, terminating in a VPS with attributes similar to those Chengdu Chuang'an has historically used. This method makes the traffic appear as if it's originating from their geographical area.

4. Exploit Development and Code Customization

  • Malware Reuse: If Chengdu Chuang'an is known for specific malware families or exploits, reuse portions of their publicly known codebase where legal. Open-source or leaked versions of malware can be retooled to create a similar footprint.
  • Exfiltration Channels: Use command-and-control channels that Chengdu Chuang'an has historically used (e.g., specific cloud providers, protocols, or exfiltration methods). For instance, if they typically use DNS tunneling or HTTP/S POST requests to specific ports, implement similar patterns.

5. Deploy Decoy Data and Indicators on the Target Network

  • Leaving Evidence Trails: Create breadcrumbs within the target’s systems that would implicate Chengdu Chuang'an if discovered. This could include:
    • Login Attempts with Chinese-Language Usernames: Simulate failed login attempts or log entries with usernames written in simplified Chinese, which investigators might associate with Chengdu Chuang'an.
    • Dropped Files or Logs with Chinese Filenames: Place files with names that use simplified Chinese characters, aligning with common malware payloads or Chengdu Chuang'an file naming conventions.

6. Communication Protocol Emulation

  • Mimic Chengdu Chuang'an’s C2 Infrastructure: Modify communication protocols to reflect those that Chengdu Chuang'an uses. For example, if they often use custom ports or packet headers, replicate those for this simulation.
  • Beaconing Patterns: Implement C2 beaconing that aligns with Chengdu Chuang'an’s known activity patterns, such as irregular intervals that match their historical activity or specific packet structures.

7. Leave an Intelligence Trail

  • Simulated Online Activity: Use public forums, paste sites, or underground marketplaces to create an information trail. For example, leaked conversations that hint at Chengdu Chuang'an’s involvement or posts suggesting their focus on U.S. infrastructure.
  • Deploy Decoy Artifacts for Forensics: Plant digital forensic indicators in the attack’s wake, such as cryptographic hashes, malware strings, or IOCs (Indicators of Compromise) that closely match Chengdu Chuang'an’s known artifacts.

8. Post-Attack Indicators and Forensic Markers

  • Geolocate Exfiltration to Chinese Servers: Ensure any exfiltrated data is transferred to IPs or servers based in China. This reinforces the impression that the data’s final destination is associated with Chinese infrastructure.
  • Wipe Logs Selectively: To create plausible deniability, selectively wipe logs in a manner Chengdu Chuang'an might, focusing on overwriting key logs while leaving innocuous or misleading traces.
  • Decoy Backdoors: Deploy secondary backdoors or persistent malware that resembles Chengdu Chuang'an’s methods, ensuring it’s embedded in ways that cybersecurity teams familiar with their tactics would recognize.



Comments
new comment

Here is some emails I got from the i-Soon leaks. 

Chen Cheng aka lengmo: [email protected]
Wu Haibo aka Shutd0wn: [email protected]
Zheng Huadong: [email protected]
Liang Guodong aka liner aka girder:
[email protected]

I also noticed that iSOON =  Anxun  Anxun Information tech is located :

 Room 1007, Block A, Hongyi Building 2158 Wanyuan Road, Minhang District Shanghai, Shanghai, China
Just helps expand the search abit, but only the two are pretty much used interchangably. 




2024-11-12 23:29:21
joshuaculbertson8
 




This link is from a restricted area of the forums.
Forum



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.