Death Match: Peter the Great Versus Sun Tzu

Friday, September 21, 2012

Infosec Island Admin


“Douchery, it seems, like life, always finds a way”

Even in the shallowest of pools, the most vile of biological sludge can dwell.. And so it seems that the friendly folks at Trend Micro have decided to put out a little pdf on how the different kinds of APT act, rating them against greater entities from history.

In other words, they put out a pile of crap and think that they have done the world a great service in laying said pile of crap where you can trod in it.

The paper, “Peter the Great Versus Sun Tzu” alleges that a comparison can be made between the varying actors in malware creation and use today. They have broken this down into a battle royal between the “Asians” (i.e. China) and the “Eastern Europeans” (i.,e. The Russians) which, is just patently stupid, but, lets choke down the bile for a bit to really look at their “research” shall we?

Let’s look first at the players in this game, well the ones other than an AV firm looking to get their horse into the APT game that is…

First off, the paper is co-mingling and APT vs Crimeware activities while trying to compare the two which is somewhat dubious in my opinion. Why? Because as there are different goals here and widely different time tables as well as assets available. Crimeware may have come a long way, but, it is not at all at the level of the espionage game being played not only by China, but also Russia as well as a host of other countries in the game today. So, just to focus on these two is rather short sighted to start, but wait, it gets worse! They go on to look at the structure of the orgs as well comparing each to a thought leader in their country, thus we have Sun Tzu and Peter The Great.. Which, uhh, well, Peter The Great? Really? I’da gone with Rasputin or something like that but ok…

Secondly, the paper then goes on to talk about infrastructures and timetables of each group’s modus operandi claiming that there was extensive research into it. Of course the only research that they link to was a paper on the Chinese syndicates on their blog. They do link to a couple other studies on past malware packages but really, where’s the love for the Russians here? What’s more, the author then goes on to talk about how the players are like mercenaries (Russia) and Foot Soldiers (China) which in a stretch can be almost made, but, there is much more complexity to this issue of operations than an eight page document allows for. Sorry, but you are glossing over so many salient facts that must be talked about here that it all just makes the point of the exercise laughable.

What’s more here, uhh how is this going to help anyone looking for help with APT with your product Trend? Do you have some magical “Sun Tzu Difference Engine” that we don’t know about yet? Look, it’s all good that you want to investigate the players and you think that you can look to be better equipped as an AV company to deal with these threats, but nothing in this document has anything to do with real world countermeasures or, for that matter, solid information or understanding of the mindset’s of the players here.

Not to mention, like I alluded to above, they are not the only players here. So… What was your point again? I mean, even your “tactical comparisons” were weak and only part of a larger and more complex picture that you just don’t seem to have a handle on. Otherwise I think you would have thought better than to release this on the internet.

“Sun Tzu is Angry…”

Ahh, well, here we have another aspect of this paper that I have a bone to pick with. I have had this discussion with Jericho on more than one occasion and to whit, anyone trying to kulge Sun Tzu into any cyberwar or cyber cyber cyber argument had better be well versed in two things.

1) Being able to think like a tactician

2) READ and have UNDERSTOOD all of Sun Tzu and The Art of War

All too often people wing out a single maxim and BANG! They are experts on this subject! No, no, you’re not there cowboy, now sit down and shut up mmmkay? In this instance, Sun Tzu’s name is used but not really related to at all within the document as a whole. No explanations on how the author conceived how Sun Tzu’s teachings about warfare at all affected or shaped the Chinese APT/Hackers/Malware Writers at all. Not. One. Word. So, exactly how does Sun Tzu fit in here other than a catchy title one wonders… I am going to hazard a guess that the author has not read and understood Sun Tzu… And I am further going to make a statement that that is just really douchey.

While the paper does have some inkling of the idea that there are different classes of hackers within China, they really have yet to emote any other understanding than that. It’s akin to saying there are many cats in the world.. “So many that there are all kinds!” Yeah, thank you, please sit down and learn with the class there Clyde… Look, there are many reasons for hackers and malware writers to be active. Many psychological reasons that are innumerable, but, there are some broader stroke ideas that can be made, and yes, some of them are political. See, we are all a product of our upbringing and in China, they are rather nationalist as a country, so sure, there would be a great swath of players out there doing it for their country or their pride. But, that’s not the whole picture nor are any others really written about in this paper.

Additionally, I nearly choked when the paper cited the “Thousand Grains of Sand” without any real preface or explanation thereof afterwards. All I’m saying here is that you need a better understanding of China, the MSS, and the players as a whole (Green Army to today’s patriotic outfits) as well as the Nation State players before you just release such drivel upon the world Trend.

Go read… Maybe talk to some hackers… Eight pages to explain the Chinese! HA! Do you know that they have 26k characters in their language right? Eight pages…

Sun Tzu is pissed and he will send the clay army after you soon.

“Peter The Great is pissed too!”

This brings me to the illusory statement about the Russian hackers being “Mercenaries” and on equal footing like the days of Peter when he removed the egalitarian nature of the army to allow for officers of any class to be made…


It’s twattle and you should be beaten around the head and neck with a rubber fish for that one. How the hell do you get from there to the criminal gangs today? Hell, how do you even try to equate that to FSB/KGB/GRU activities being perpetrated by these groups? I mean, ok, sure, highest bidder for services and small groups of thugs sure, maybe the moniker of mercenary is apro pos but they are more like thugs and gangs than anything else.

Sure, they want to keep their trade secrets to sell to the highest bidder as well. So they take more time and patients with their infrastructure and coding. It only makes sense, but once again, what has this to do with your AV product? Do you have some sort of “Semiotics Engine” you are selling here? It’s all just backfill and not really fully fleshed out with, oh, facts and such. You know, citations maybe?

Yes the Russians have quite the syndicate of malware writer gangs and yes, they make lots of money… But if I wanted to know more about that, I’d talk to Brian Krebbs because, oh, he has experience and cites facts in his articles…

Just sayin…


In the end, I read this paper with increasing amounts of bile rising out of my duodenum with each word. It’s great that you want to take up this “research” and all, but, really, what’s it got to do with Sun Tzu, tactics, Peter the Great, or for that matter, your AV product? Will all this unsolicited and unsupported conjecture really give me an edge with your product line? Will the “Semiotics Engine” stop the next wave of crimeware phishing emails coming at me that try to connect to Turkish servers? Will that in fact tell me that it is really the Russians or the Baltic players? Or maybe this is all some sort of “Attribution Engine” you are developing for us all to understand the adversary better as you shrug your shoulders, palms up, and say “Sorry, our product didn’t stop that malware”

Do us all a favor and go make an engine that really works. Come up with a means to really protect our end users from phishing emails and their own stupidity (CLICK CLICK CLICK! HEY WHY WON’T THIS SCREENSAVER WORK?) because this paper, as you call it, is useless to me and everyone else out here in the real world looking for some kind of solution.

… And don’t come out of your lab til you have a real workable solution…

Why? Cuz Sun Tzu said so THAT’s WHY!


Cross-posted from Krypt3ia

Possibly Related Articles:
Information Security
China malware Cyberwar Cyber Crime Advanced Persistent Threats hackers FUD Russia Sun Tzu
Post Rating I Like this!
Jeffrey Carr I thought you were a little rough on the paper, K. IMO, it was refreshing to see something in print that wasn't all about China. Further, there are differences in the way that EE hackers and EA hackers operate.

I don't agree with everything that Tom Kellerman wrote but I know Tom personally and he's a good guy - well informed and well-meaning.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.