Updated: Hong Kong's Apple Daily reported ^^ -更新:香港蘋果日報報導^^-**All THe Would City Lauguage**-
-Update [17/08-2015]in the end garbage continent China-pig ''(Ministry of Foreign Affairs, also known as "Hybrid intercourse,, below) '' in '' masturbation 'what?! Shameful "beast than"! -By -hk.apple.nextmedia.com -&- Ntdtv. com -&- cna.com.tw/news-&-epochtimes.com-&-thehackernews.com-&-abc.net.au-&-snip.ly/giNB-
-Update[17/08-2015]到底大陸垃圾支那豬''(外交部 又名雜交 部,,下同)''在''自瀆''甚麽呢!這些禽獸不如!由-hk.apple.nextmedia.com-&-ntdtv.com-&-cna.com.tw/news-&-epochtimes.com-&-thehackernews.com-&-abc.net.au-&-snip.ly/giNB-**All The World Country Lauguage**-
*Update [15/08-2015]By-hk.apple.nextmedia.com released - [] Pearl Harbor 70 years[] after the war,, fireworks
 |
| 圖5:HttpBrowser有效載荷編譯時間 |
Wallace released - "Why Turkey is fighting the Kurds who are fighting ISIS !!" -and -research.zscaler.com[14/08-2015] issued - "Chinese spy network leveraging APT group recently leaked by hackers team utilized positioning , a financial services company!"-
更新[15/08-2015]hk.apple.nextmedia.com發佈的-【戰後70年】珍珠港放煙花,,日美同紀念戰爭結束~和-[17/08-2015]''臥底公安潛美,,迫貪官返國,,遭美國警告!-和-由bbc.com[14/08-2015]發佈的-"美高官:中國應改善人權確保習訪美成功"-和-由voacantonese.com[17/08發-2015]發佈的-"人權將在習近平訪美時被列關鍵議
題~"-和-由NYTimes.com[12/08-2015]-作者:莎拉ALMUKHTAR和 TIM華萊士發佈的-"為什麼土耳其是戰鬥的庫爾德人誰是戰鬥ISIS !!"-和-research.zscaler.com[14/08-2015]發佈的-"中國網絡間諜APT組借力最近洩露黑客團隊利用定位一個金融服務公司!"-Aktualisieren [15/08-2015] By-hk.apple.nextmedia.com veröffentlicht - [] Pearl Harbor 70 Jahre [] nach dem Krieg ,, Feuerwerk das Ende des Krieges mit Japan und den USA -und - [17/08-2015] '' Undercover öffentliche Sicherheit latent US ,,Zwangsrückführung von korrupten Beamten von den US-Warnungen -und- durch die bbc.com [14/08-2015] veröffentlicht- "Mei Gaoguan: China sollte seine Menschen verbessern Rechte Studienbesuch zum Erfolg zu gewährleisten!''- Und- durch die voacantonese.com [17/08 Haare -2015] Tuch - "Die Menschenrechte werden aufgelistet, wenn Xi Jinping besuchte die Vereinigten Staaten in Schlüsselfragen ..." - Und - durch die NYTimes.com [12/08-2015] - Autor:Sarah ALMUKHTAR und TIM Wallace veröffentlicht - "Warum die Türkei im Kampf gegen die Kurden, die Bekämpfung von ISIS werden !!" -und -research.zscaler.com [14/08-2015] abgegeben - "Chinese Spionagenetz nutzt APT Gruppe kürzlich von Hacker-Team genutzt Positionierung, ein Finanzdienstleistungsunternehmen ausgelaufen!"-
**All The World City Lauguage**-
**Please use the Google god of high-tech
translator to translate your national / local language ah ^^ -
**請各位使用谷歌大神的高科技翻譯器來翻譯你們的國家/地方的語言啊^^-
**지역 / 국가 언어 아 ^^ 번역 하이테크 번역기의 구글 하나님을 사용하십시오 -
**Se il vous plaît utiliser le dieu Google
de traducteur de haute technologie pour traduire votre ah langue nationale /
locale ^^-
**あなたの国内/地域言語ああ^^翻訳するハイテクトランスレータのGoogleの神を使用してください -
**Будь ласка, використовуйте бога Google
високотехнологічного перекладача, щоб перевести свій національним /
регіональним мовою ах ^^-
**กรุณาใช้พระเจ้าของ Google แปลที่มีเทคโนโลยีสูงในการแปล / ชาติภาษาท้องถิ่นของคุณอา ^^-
**Si prega di utilizzare il dio Google
Traduttore di high-tech per tradurre il vostro / ah lingua locale nazionale ^^-
**Fadlan isticmaal ilaah Google ee
turjumaan farsmada heerka sare ah loo turjumi / ka ah luuqada maxaliga ah ee
qaranka ^^-
**Gunakan dewa Google penerjemah
berteknologi tinggi untuk menerjemahkan nasional / ah bahasa lokal ^^-
**Por favor, utilice el dios Google
Traductor de alta tecnología para traducir su / ah nacional idioma local ^^-
**आफ्नो राष्ट्रिय / स्थानीय
भाषा आह ^^ अनुवाद गर्न उच्च-प्रविधी अनुवादक को गुगल देवता प्रयोग गर्नुहोस् -
**Bonvolu uzi la Google dio de alta-tech
tradukisto por traduki vian nacian / lokan lingvon ah ^^-
http://hk.apple.nextmedia.com/international/art/20150818/19259788
Sent agents to the United States to catch so complete was the White House warned China
Communist secret agents sent to the United States to threaten former Director in order to complete the scheme brother, asking him to return to "cooperate with the investigation" incident eventually annoy the White House. "New York Times" revealed that the US State Department warned China not to send agents in the United States to hunt down fugitives, forcing them to return for trial. US move not only affect Chinese overseas "Foxfire", but also give Xi Jinping's visit next month, adding to the waves.
The report quoted US officials said, Chinese secret agents to carry out
operations in the United States, the famous Chinese living in the
United States put pressure on them to return to stand trial, some of
them involving allegations of corruption in China because that is
wanted.
In this regard the Obama administration has warned Beijing, called on
Beijing to stop the activity, which reflects Washington scare tactics to
Chinese agents in the United States is rising discontent.
Heralds the completion of a large number of confidential documents
US officials say they have conclusive evidence that Chinese agents with a variety of tough measures to force the US to return fugitives, including the threat to take adverse action against their families in China. The Chinese agents came to the US activities are not holders of official visas, but to use tourist, business visas to enter the United States. US officials say Chinese agents in recent months efforts in increasing.It is unclear whether the United States will deport these Chinese agents. The FBI and Homeland Security agents through conversation and to monitor China, the Chinese agent activity in the United States to collect evidence of Chinese living in the United States. Interviewees included last year fled to the United States, so complete. So if he sought political asylum to the United States, it will be the most destructive in the history of Communist defectors. Biography he was carrying a large number of the scheme provided by the brother of the Office of confidential documents, including Xi Jinping, Wang Qishan adverse files.
The United States denounced the practice of "amazing"
The United States refused to disclose the identity and the number of Chinese in the United States and agents, but these agents from the Chinese Ministry of Public Security means. Ministry of Public Security is responsible for "Foxfire," the law enforcement agencies, the United States has intelligence officers in each other's land to steal each other's confidential information, but "Foxfire" Chinese agent activity in the United States, to break the two countries in each other's secret intelligence work a few The standard practice for decades, the United States is unacceptable."Foxfire" by the Central Discipline Inspection Commission, Ministry of Supervision, Ministry of Public Security and other ministries initiated ran outside to hunt corrupt officials and economic criminals as the goal, the end of July last year began on January 1 this year. Chinese Ministry of Public Security, the Foreign Ministry did not respond to "The Times" reports, but the official Xinhua News Agency issued a document yesterday, denounced the US practice of "amazing" because the United States more than once pledged to strengthen anti-corruption cooperation with China, "the United States is sitting in the ass in the end In the corrupt justice here or over there "?
"New York Times"
=====
Reviews --Ethlon Chan-Liu Xiaobo and other rights activists, how can sin be imprisoned innocent? "The Communist Party's ass in the end is still sitting there in the interests of justice here"?-Rk Sha-Continental guy is really crazy line to someone else's country kidnapping, really thought he was Kim Il Sung.-Rk Sha-What is not happy to find you the microphone Interpol, the International Criminal Police when they really positive.- Wing-hung yellow -US support agents executed bandits!-Thomas Kam-The US government will all catch Shina both agents and criminal deportation of all blacklisted, it may not set foot in the United States half a step!-Eric Dunn-Mainland public security can not even pull off the Hong Kong man! Moreover, you go to the country people, no greeting, a four-dimensional extortion! Speak good twenty-eight split stems have classes flutter Street would like to own the bag in the sun, your grandfather left a bad thing either!Re: -CHENG WILLIAM-Hong Kong Department of Public Security has already extended the mainland public security arm of friends.-Esther Lam-That the Department of Chinese Communist Party has not been progress. (Hahahaa..ofcourse.)-Rk Sha-Sitting side while she has no possibility to other people's countries implement their own national laws! (Well ^^ the point! Melody ^)-Lam AL-Fan turned off twist Ah, America D agents to you Shina pigs (Xiaoqiang = cockroach) pull the country, I twist the Air (fuck / shit) fearA twist (= fuck / hybird) fixed section called [oral sex] the international press, the Department of Cock mother crab shabu (Cantonese foul language)? ! (Good ^^ Melody)-Sam Chan-Bandits; to blame! In fact, today's ruling Communist Party leaders are all corrupt officials, were only in foreign countries are domestic Dian! Bandits big thief against each other, help who considered justice? (Very good ^^ haha ..)-bug killer-United States Department of the CPC seem when Zo Hong Kong, you can do whatever they want, lawlessness! (Wow, so good! ^^).-Kongtak Chan-Pull teeth catch the sun does go to prison CPC classes, find rack after the expiration put rotten boat in high seas canal by canal to have to fend for themselves. (Good idea ... yeah ~ Melody agree ^^ haha ....).-Mei Zai Chou-Aberdeen bushy eyebrows that US imperialism will truly needless panic Hello, good senior agents or, over Zo Do not want to return to the United States mainland 㗎 le, every minute you can buy a two cans of powdered milk to the canal to it .....!More exciting, downtown Xinhua News Agency, "the United States is sitting corrupt ass in the end there is justice here?."(What is) what-Ge-based "justice here"? So funny!It heap big corrupt, precisely on the line from "just here" that is the output of New China over the past generous, then the nerve deficit Quzhong people know the ugly 㗎 Do not know (do not know shame!)! (Hahaha ... good! Melody ^^).
=====
http://hk.apple.nextmedia.com/international/art/20150818/19259788
派特工赴美捉令完成
中國遭白宮警告
中共秘密派特工赴美國要脅前中辦主任令計劃弟弟令完成,要他回國「配合調查」事件終惹惱白宮。《紐約時報》披露,美國國務院警告中國,不要派特工在美國境
內追捕逃犯,逼他們回國受審。美方此舉不但影響中方在海外的「獵狐行動」,還可能給習近平下月訪美平添波瀾。
報道引美方官員指,中國特工暗中在美國開展行動,向旅居美國的知名華人施壓,要他們回國受審,其中一些人在中國因涉貪污指控受通緝。對此奧巴馬政府已向北
京發出警告,要求北京停止有關活動,這反映華盛頓對中國特工在美國的恐嚇戰術不滿情緒正在高漲。
傳令完成有大量機密文件
美國官員稱,他們有確鑿證據證明中國特工用各種強硬手段,迫使在美逃犯回國,包括威脅要對他們在中國的家人採取不利行動。這些中國特工來美活動並非持公務 簽證,而是利用旅遊、商務簽證進入美國。美方官員們說,最近幾個月中國特工的工作力度在不斷加大。目前不清楚美方會否將這些中國特工驅逐出境。美 國聯邦調查局和國土安全局通過與旅居美國的華人交談及對中方特工監控,收集中方特工在美活動證據。被約談者包括去年逃往美國的令完成。令如他向美尋求政治 避難,將為中共史上最具破壞性的叛逃者。傳他攜帶有大量由其兄令計劃提供的中辦機密文件,包括對習近平、王岐山不利的文件。
斥美方做法「讓人驚異」
美方拒透露中國在美特工的身份及人數,但指這些特工來自中國公安部。公安部是負責「獵狐行動」的執法機構,中美都有情報人員在對方國土竊取對方的機密情 報,但「獵狐行動」中方特工在美的活動,打破兩國在對方的秘密情報工作幾十年來的常規做法,美方不能接受。由中紀委、監察部、公安部等部委發起的 「獵狐行動」以追捕跑到境外貪官和經濟犯罪分子為目標,去年7月開始今年1月1日結束。中國公安部、外交部沒有就《紐時》的報道作回應,但官方新華社昨發 文,斥美方做法「讓人驚異」,因美不止一次承諾加強同中方反腐合作,「美國的屁股到底是坐在貪官那邊還是在正義這邊」?
《紐約時報》
=====
評論-
-Ethlon Chan-
劉曉波等維權份子, 又何來罪過要無辜被監禁? 「共產黨的屁股到底是坐在私利那邊還是在正義這邊」?
-Rk Sha-
大陸佬真是癡線到別人的國家進行綁架活動,真是以為自己是金日成.
-Rk Sha-
有什麼不開心你咪去找國際刑警,當正自己真是國際刑警.
-永雄 黃-
支持美國處決共匪特工!
-Thomas Kam-
美國政府將所有捉到既支那特工全部遞解出境兼刑入黑名單, 終身不得再踏足美國半步!
-Eric Dunn-
大陸公安都唔可以直接落香港拉人啦!何況你去人地國家,招呼都無個,四維恐嚇勒索!講好二八分賬,梗有班扑街想自己袋曬,壞左你阿爺既好事!
Re:-CHENG WILLIAM-
香港公安都己經係大陸公安手臂的延伸啦.
-Esther Lam-
即係中共一直沒進步過。(hahahaa..ofcourse.)
-Rk Sha-
坐在邊一邊都冇可能到別人的國家執行自己國家法律! (Well^^ the point! Melody^)
-Lam AL-
掉撚番轉頭丫,美國D特工去你支那豬(小強=蟑螂)國度拉人,我睇撚(fuck/shit)怕
一撚(=fuck/hybird)定叫【口交部】出國際新聞,係度屌媽唰蟹(粤式粗口)?! (Good^^Melody)
-Sam Chan-
共匪;惡人先告狀!其實現今當權的中共領導人全都是貪官污吏,分別祇在國外丶國內的分別!土匪大賊互鬥,幫誰才算正義? (very good^^ haha..)
-bug killer-
中共似乎當咗美國係香港,可以為所欲為,無法無天! (wow, so good!^^).
-Kongtak Chan-
拉晒呢班中共抓牙去坐監,期滿後找架爛船放佢地在公海,由得佢地自生自滅。(Good idea...yeah~ Melody agree^^ haha....).
-Mei Zai Chou-
粗眉仔覺得美帝真係唔使驚囉,高官好特工也好,過咗美國就唔想返大陸㗎嘞,分分鐘一兩罐奶粉就可以收買到佢地呢.....!
仲有,新華社鬧「美國的屁股到底是坐在貪官那邊還是在正義這邊?」。
(甚麽才是)乜嘢係「正義這邊」?真好笑!
呢堆大貪官,正正就係由「正義這邊」即係新中国輸出過去嘅,虧佢仲好意思話人,知唔知醜㗎(不懂廉恥!)! (hahaha...good! Melody^^).
=====
http://hk.apple.nextmedia.com/realtime/news/20150818/54104399
Last year, involving attacks 葛珮帆 Crime
Squad arrested in Kwun Tong Fang Guoshan ??
Fangguo Shan Sai Kung District Council last July 3 while DAB Legislative Council葛珮帆to Jun Ying Estate, Tseung Kwan O mosquito during inspections, and residents attended the protest, to comply with the requirements of葛珮帆election promises, against the Tseung Kwan O landfill expansion, during which the two sides physical collision, followed by DAB Police.
After a lapse of more than one year later, Fang Guoshan expressed today during a meeting with residents in Members' offices, police arrested a sudden the door, that she allegedly attacked葛珮帆last year. Kwun Tong District Crime Squad, said today the arrest of a woman surnamed Fang, alleged last year that she jostled a 48-year-old woman surnamed Ge, has been charged with one count temporarily "common assault" crimes, will be 9 February 2, Kwun Tong Magistracy.
Fang Guoshan to "Apple," said the incident involved a year ago she sniper DAB Legislative Council葛珮帆issue, referring to the police charged her "common assault" (later confirmed as common assault) charges. 方国珊mean, think of the Attorney General and the police suddenly "settling old scores" and reiterated that day did not make attacks against葛珮帆: "I am absolutely Nuisance beaten canal system, which is probably generous when protests have hit the ditch GOD slogan" New Territories East葛珮帆Legislative Council, Fang Guoshan also in the last Legislative Council election but lost the New Territories East, rumored interested in the election next year to participate in Shinto.
Fang Guoshan questioned, police in the new East-election next year and the end of the District Council elections arrest she was "political pressure", questioning the DAB葛珮帆belongs have taken the pressure, "as long as the Department of Mi DAB system can only fully? "its supporters in the evening to the Tseung Kwan O Police Station solidarity protest police political pressure.
葛 珮帆reply to a query when the newspaper refers to July last year, went to the police station after the incident off the statement, followed by the police has not received any news that the event has entered the judicial process, to comment, but denied that police pressured " what a ridiculous argument, absolutely no Link generous thing. " 2012 Legislative Council election, the DAB葛珮帆team of election in New Territories East, where the platform is listed as 10 in Sai Kung and Tseung Kwan O for things, which includes an "ask the Government to set a timetable to close the Tseung Kwan O landfill." but last year the Finance Committee in the Tseung Kwan O Extension landfills 2.1 billion yuan grant application, was adopted in the Finance Committee of the Legislative Council to vote, it was proposed by Mr Pan hundred people have all been rejected by a number of amendments, and on the other establishment faction葛珮帆Members vote in favor. Tseung Kwan O residents accused葛珮帆violation of election promises, the DAB supports the expansion of the landfill http://bit.ly/1MvVz8x
=====
(Fuck Leung Chun-ying, shame !! Melody hate this beast! #ophk #opchina #OpISIS #OpTaiwan #OpRussian #Op_Tibet).
-Keyman Chan-Pakistani false Bo Shi cut back trouble! You step down hard cast votes!-Dreamfree Dreamfree-Seven police really are attacked.-Freddie Chu-What happened in Hong Kong?! Han called the attack?! Chest and
Department of weapons! System really hit, and I got me in jail and I
accuse!
Fuck the China-pig & China polices, same beast behavior!(Melody hate these all beast! #ophk #opchina #OpISIS #OpTaiwan #OpRussian #Op_Tibet).For My All Huge Anonymous ~ #Human Right, Fighting ~=====
http://hk.apple.nextmedia.com/realtime/news/20150818/54104399
去年涉襲擊葛珮帆 觀塘重案組拘捕方國珊??
西貢區議員方國珊去年7月3日趁民建聯立法會議員葛珮帆到將軍澳屋苑峻瀅視察蚊患其間,與居民到場抗議,要求葛珮帆遵守選舉承諾,反對將軍澳堆填區擴建, 其間雙方發生肢體碰撞,其後民建聯報警求助。事隔逾1年後,方國珊表示今日在議員辦事處接見居民期間,警方突然上門拘捕,指她涉嫌在去年襲擊葛珮帆。觀塘 警區重案組表示,今日拘捕1名姓方女子,指她涉嫌於去年推撞1名48歲姓葛女子,已被落案暫控以一項「普通襲擊」罪,將於9月2日到觀塘裁判法院應訊。
方 國珊向《蘋果》表示,事件涉及一年前她狙擊民建聯立法會議員葛珮帆一事,指警方落案起訴她「普通毆打」(後證實為普通襲擊)罪名。方國珊指,想不到律政司 及警方突然「翻舊帳」,重申當天沒有對葛珮帆作出襲擊行為:「我係絕對冇毆打過佢、可能係抗議嘅時候有啲標語撞到佢。」
葛珮帆為新界東立 法會議員,方國珊上屆立法會亦於新界東出選但落敗,盛傳有意於明年參與新東補選。方國珊質疑,警方在明年新東補選及年底區議會選舉前拘捕她是「政治打 壓」,質疑葛珮帆所屬的民建聯有份施壓,「係咪只要係民建聯就可以隻手遮天?」其支持者傍晚到將軍澳警署聲援,抗議警方政治打壓。
葛珮帆回覆本報查詢時指,去年7月事發後曾到警署落口供,其後一直未有收到警方消息,指事件已進入司法程序,不便評論,但否認曾向警方施壓,「呢個講法十分荒謬,絕對無咁嘅事」。
2012 年立法會選舉中,民建聯葛珮帆團隊出選新界東,其中政綱列出10件為西貢及將軍澳爭取的事,當中一項包括「要求政府定出時間表,關閉將軍澳堆填區。」惟去 年底財委會中的將軍澳擴建堆填區21億元撥款申請,於立法會財務委員會表決獲得通過,當時泛民議員提出百多項的修正案全部被否決,而葛珮帆就與其他建制派 議員投下贊成票。
將軍澳居民指責葛珮帆違反選舉承諾、民建聯支持擴建堆填區
http://bit.ly/1MvVz8x
=====
-Ka Ka Lee-
香港公安係民賤聯同建制派嘅打手。
-David Lam-
呢個狗閪葛珮帆係人見到都想打柒佢,
方國珊我支持妳,嗰班冚家鏟重案組根本就係奶共公安,遲早一定俾天[神處罰]收!
-Jacky Law-
姓葛 嘅 虛報博士誤導公眾就得!
民賤聯(民建聯支那奴隸)直頭(真的)無法無天就真!
-Waiman Chan-
浪费警力,仲要重案出手,小题大造!
-冠傳 劉-
葛珮帆在法庭影相又唔控告??
-ose Lowe-
大陸同隻689真係覺得香港人會怕高壓統治?
(Fuck Leung Chun-ying, shame!! Melody hate this beast! #ophk #opchina #OpISIS #OpTaiwan #OpRussian #Op_Tibet ).
-Keyman Chan-巴基假煿士 割背煩 !投硬你下台票 !
-Dreamfree Dreamfree-
七警就真的是襲擊。
-Freddie Chu-
香港發生了什麼事?!咁都叫襲擊?!胸部又係武器!真係打人,又吾拉去坐牢又吾控告!
Fuck the China-pig & China polices, same beast behavior!(Melody hate these all beast! #ophk #opchina #OpISIS #OpTaiwan #OpRussian #Op_Tibet ).
For My All Huge Anonymous~ #Human Right, Fighting~
=====
http://hk.apple.nextmedia.com/international/art/20150818/19259941
Household protesters "do not believe in the government report."
Cyanide exceeding 27 times the rain fear volatile
200 名 owners of homes were destroyed in a press conference outside the demonstrators. Reuters.
[Explosion] Big Tianjin
Tianjin big bang into the sixth day yesterday, authorities said the explosion occurred in a warehouse range measured cyanide is commonly known as toxic cyanide concentrations far exceeded up to 27 times! The SOA also known in the Tianjin Port to test the waters there are cyanide, cyanide because the water may volatilize in the air, inland observatory also forecast rain last night, authorities stepping up; homes have been destroyed about 200 Owner, yesterday held a press conference during an official demonstration outside, someone was shouting: "! man-made."
Wednesday's explosion occurred on the warehouse area of the fire and
white smoke still yesterday, due to store about 700 tons of cyanide
nearby, it has been a matter of great worry.
Authorities also admitted at a press conference yesterday, the blast
site surface water testing stations, a total of 17 inspection stations
coming out of Egypt, three of the warning area is located at the
detection station, appears excessive, the most serious one exceeded 27.4
times.
A burning sensation in the hand to touch items
And China Oceanic Administration, also known as sea experience coming from the Tianjin Port and Egypt; cyanide is known to the authorities discovered the most distant of one kilometer around the central area of the explosion; the cyanide water may produce toxic gases, or skin can cause poisoning by air Mainland observatory known as a chance of rain yesterday, so authorities yesterday into the dark days before the leak of cyanide should focus. Environmental group Greenpeace also said local winds blowing to the northeast, but also predict there will be thunderstorms, may cause water pollution and endanger marine life.Because of the explosive range close to many homes, more recently Vanke Harbour just 600 meters away from the shock wave caused by an explosion of multiple units affected, a serious injury. Also yesterday, a large number of residents to wear gas masks to go back home to retrieve the items, a resident of the "apple" reporter, said, "Two armed police and two staff members along with them, to get things finished picking up $ 6,000 relocation." There inhabitants said touching items, hand burning sensation. Tianjin Government yesterday morning press conference, saying that the residents will soon go back to live; but outside there are 200 residents affected by the explosion spread to the petition showed reluctance to go back. Miss Yang activist residents strive to "apple" reporter, said, "This is not just to escape the death of us yet again into the abyss?"
Household denounced man-made disasters never go back to live
Lee headed another business trip at the time of the explosion, but stay at home wife and daughter were injured, and now they all rest in my hometown in Henan, Tianjin was asked will be back live it? He outrightly said: "I do not believe the government would never assessment report!." He also angrily: "! Purely man-made, is entirely the government's responsibility."Yesterday also living near the blast site, a Hong Kong woman call the radio station, said his home adventure, picking up items, but then felt throat irritation, irritation substance suspected air. Also known as the Immigration Department would consider allowing passengers affected by delays Tianjin big bang back to Hong Kong, but it was not yet apply.
"Apple" Correspondent
=====
Review-Chan-Veritable Wrath grievances !!-Yt Kam-Letter government? Silly you, to believe and believe Thai Erawan, Thailand after the explosion, Erawan intact.-Kongtak Chan-Because you love the party, so she has no party wants you dead complaints, namely compensation system called anti-party party, the party will sentence you to disturb the crime.-bug killer-Love for the party, the letter ended Communist regime.-Kongtak Chan-Link slogans are even weak, so-called from the beginning of the Chinese people to stand up and I have never seen, to kneel on the Chinese Communist Party officials see much, the CCP will lose points, resigned it, do Chinese people line Link.-Ming Siu-Chengdu half blind faith ............. positive Gouguan!
see more at: http://hk.apple.nextmedia.com ; please login^ Thanks~
=====
http://hk.apple.nextmedia.com/international/art/20150818/19259941
住戶示威「不信政府報告」
山埃超標27倍遇雨恐揮發
200名家園被炸毀的業主在記者會外示威。路透社.
【天津大爆炸】
天津大爆炸昨踏入第六天,當局稱在發生爆炸的倉庫範圍測得俗 稱山埃的有毒氰化物,濃度嚴重超標達27倍!而海洋局亦稱在天津港海域驗到有山埃,由於山埃遇水有可能揮發於空氣之中,內地天文台亦預測昨晚會下雨,當局 加緊清理;家園被炸毀的約200名業主,昨在官方舉行記者會時在外示威,有人一度高呼:「人禍!」
天津大爆炸昨踏入第六天,當局稱在發生爆炸的倉庫範圍測得俗 稱山埃的有毒氰化物,濃度嚴重超標達27倍!而海洋局亦稱在天津港海域驗到有山埃,由於山埃遇水有可能揮發於空氣之中,內地天文台亦預測昨晚會下雨,當局 加緊清理;家園被炸毀的約200名業主,昨在官方舉行記者會時在外示威,有人一度高呼:「人禍!」
於上周三發生大爆炸的倉庫一帶昨仍有火光並冒出白煙,由於附近儲存約700噸山埃,一直令人十分擔心。當局昨於記者會亦承認,爆炸現場的地表水檢測站,共
有17個站驗出山埃,其中三個位於警戒區的檢測站,則出現超標,其中最嚴重一個超標27.4倍。
觸碰物品 手有灼燒感
而中國海洋局亦稱從天津港海域驗出山埃;據知當局發現山埃的最遠距離為爆炸中心區域一公里左右;由於山埃遇水可能會產生有毒氣體,或會通過空氣皮膚致中 毒,內地天文台昨亦稱有機會下雨,令當局昨日連日在入黑前要把洩漏的山埃集中處理。環保團體綠色和平亦稱,當地風勢向東北方吹,而亦預測將會有雷陣雨,可 能會造成水體污染,危害海洋生物。由於爆炸範圍鄰近多個住宅,最近的萬科海港城更只距600米,多個單位被爆炸造成的衝擊波波及,損傷嚴重。大批 居民昨亦戴上防毒面罩回去家中取回物品,一名居民對《蘋果》記者稱,「兩個武警和兩個工作人員跟着一起,拿完東西領了安置費6,000元。」有居民則稱觸 碰物品,手有灼燒感。天津政府於昨早記者會,稱會讓居民早日回去居住;但門外就有200名受爆炸波及的居民請願表明不願回去。力爭維權的居民楊小姐對《蘋 果》記者稱,「這不是把剛剛逃離死地的我們再次推向深淵嗎?」
住戶斥人禍 絕不回去住
另一戶主李先生在爆炸時出差了,但留在家的妻女均告受傷,目前他們都在河南老家休養,被問到還會回去天津居住嗎?他決絕稱:「絕對不會!我不會相信政府的 評估報告。」他更怒道:「純粹是人禍,完全是政府的責任!」昨日亦有一名居住在爆炸現場附近的香港女子致電電台,稱自己冒險回家執拾物品,但隨即感到喉嚨不適,疑空氣有刺激物質。入境處亦稱會考慮讓受天津大爆炸影響的旅客延遲回港,但暫時未有人申請。
《蘋果》記者
=====
評論
-Chan-
名副其實, 天怒民怨!!
-Yt Kam-
信政府?傻啦,要信就信泰國四面佛,泰國爆炸後,四面佛完整無缺。
-Kongtak Chan-
因為你地愛黨,所以黨要你死都冇怨言,叫黨賠償即係反黨,黨會判你地尋釁滋事罪。
-bug killer-
愛黨,信共匪政權的收場.
-Kongtak Chan-
連口號都咁軟弱,所謂中國人民從始站起來我從未見過,向中共黨官下跪就見得多,中共點會賠,認命啦,做中國人係咁。
-Ming Siu-
信半成都失明............. 正狗官!
see more at: http://hk.apple.nextmedia.com ; please login^ Thanks~
=====
http://hk.apple.nextmedia.com/realtime/news/20150818/54104064
|
[One] tuning hammer Wu Xiaodong, senior journalist before the deadline, today successful compliance, raised $ 3 million established news agency FactWire. He said more than 2,000 donors, the largest single donation was a $ 100,000 minimum is a hundred dollars.
Who would spend ten dollars to buy high-quality news? This caused Wu Xiaodong interest. He investigated, not dignitaries, but ordinary people.
Wu Xiaodong hope to two months time limit, raised three million yuan, the recruitment of seven editorial staff, made 15 months, specializing in high-quality news. Originally there one week deadline.
Wu Xiaodong accept the "One hammer tuning" chaired Li Huiling visit, described Hong Kong is the only one of China's territory, can and fundraising success with the public, the establishment of news agencies, many donors support a message saying press freedom. He said lead water, MTR Why Mainland carriages, legislators how to use the grant, he believes the media are well worth the time and effort put into the investigation report. Hui-ling said that this time there is a way Wu Xiaodong, Wu is not only a personal matter, which is also encouraged by the press, "at least free information demonstrates that even overflowing, but there are still people in Hong Kong would pay real money to buy high-quality news." What Hong Kong people who are willing to dig into their pockets to buy high-quality news? During the visit, Wu Xiaodong, detailing off nearly two months of fundraising process he met, sarcastic man..... he had visited in also thank the people who most want to thank you.
=====
http://hk.apple.nextmedia.com/realtime/news/20150818/54104064
【足本訪問】小市民捐十萬買優質新聞
【壹錘定音】資深新聞工作者吳曉東在限期前,今日成功達標,籌得300萬成立通訊社FactWire。他透露,2000多名捐款者,最多一筆單一捐款是十萬元,最少是一百多元。
誰會花十萬元買優質新聞?這引起吳曉東興趣。他調查過,並非達官貴人,只是普通老百姓。
吳曉東希望以兩個月時間為限,籌得300萬元,招聘7名編採人員,做15個月,專攻優質新聞。原本限期尚有一個星期。
吳曉東接受《壹錘定音》主持李慧玲訪問,形容香港是唯一一處中國領土,可以並成功以公眾籌款方式,成立新聞通訊社,很多捐款者留言都說支持新聞自由。他說,鉛水、港鐵為甚麼要用內地車卡、立法會議員如何運用津貼,都是他認為傳媒很值得投入時間精力偵查的報道。
慧玲說,今次吳曉東有志者事竟成,不單是吳個人的事,也令新聞界感到鼓舞,「起碼證明即使免費資訊爆棚,但仍然有香港人願意掏腰包真金白銀買優質新聞。」
究竟那些香港人願意掏腰包買優質新聞?吳曉東在訪問中,細述近兩個月的籌款過程他遇到的有心人、冷言冷語的人……他在訪過中亦多謝了最想多謝的人。
=====
http://hk.apple.nextmedia.com/news/art/20150818/19260090
University of British Columbia, Canada open Cantonese Mandarin courses showed contend hegemony
offer Cantonese courses UBC global row 43, compared with the Chinese University of Hong Kong is even higher. The Internet.
WASHINGTON implement "Putonghua to teach" on the occasion of the alleged harm Cantonese status, renowned overseas universities have introduced courses in Hong Kong Cantonese academia. Harvard University (Harvard University) Following, UBC (University of British Columbia) Canada has also announced that it will open the attached credit Cantonese course, is the local for the first time; and responsible scholars suggest that the move was to avoid being edge Cantonese of.
Reporter: Chen Kai Ying
Canada's University of British Columbia (UBC also known) Asian Studies
Department recently announced the opening of the 2015/16 school year
will be held next month, offering both Cantonese foundation courses,
mainly professors Cantonese speaking skills, for completely versed in
Cantonese students enrolled and intermediate courses offered in the
academic year 2016/17. Accounting for 3 credits per course, it is Canada's first Cantonese attached credit courses.
Ross King Asian Studies Program Director University of British Columbia to accept the "Economist (The Economist)" when accessing said that in Canada and the United States Chinatown, Cantonese is the main language, but with the economic development of the mainland in recent years, more and more Putonghua The people moved to the North American mainland, so Cantonese Mandarin facing marginalized, British universities to offer these courses, precisely in order to defend the Cantonese status.
Ross King Asian Studies Program Director University of British Columbia to accept the "Economist (The Economist)" when accessing said that in Canada and the United States Chinatown, Cantonese is the main language, but with the economic development of the mainland in recent years, more and more Putonghua The people moved to the North American mainland, so Cantonese Mandarin facing marginalized, British universities to offer these courses, precisely in order to defend the Cantonese status.
4 of refusing to expand the teaching of Putonghua
Ross King also said the University of British Columbia who has four times rejected by the Confucius Institute under the Government's investment in the mainland to further expand the teaching of Putonghua in schools to counter the hegemony of the culture of mandarin. Instead, the school in 2013 had received a pair of brothers living in Vancouver, Hong Kong philanthropist, donated $ 1.5 million to fund the Department launched Cantonese, Guangdong opera and opera culture and related courses.According to the British ranking agency QS World University Rankings, University of British Columbia in the global row 43, compared with the Chinese University of Hong Kong is even higher, the school's Department of Asian Studies, also offer Japanese and Korean courses. In fact, the internationally renowned Harvard University last autumn has also offered courses in Cantonese, Cantonese through movies, news or television shows, professor
Cantonese; courses in autumn next year will offer more advanced classes.
Oppose the implementation of our "Putonghua to teach" the organization "positive Kong pragmatics" member Huanghao Feng believes that overseas institutions Cantonese courses offered encouraging prove Cantonese language is noteworthy, Hong Kong Mandarin instead of Cantonese encourage scholars teach Chinese practice, people feel irony.
Publication of "Guangdong saying orthography test" and "Hong Kong Cantonese hard on top" and other books to defend Cantonese culture subculture 彭志铭 Church president also pointed out that in the 1970s, overseas Chinese communities, Cantonese quite popular, but now gradually being Mandarin replace, overseas institutions launched Cantonese course, show foreign community cultures including Guangdong cultural emphasis.
=====
101 comments --PH Wong-See support Cantonese foreign universities are Han, as sons and daughters of the inner part is really sad inexplicable!As the system now and down the country have Fan Link to identify the age of the Air Traditional Tang Poems content.Sun Yat-sen is set for the country the size of Putonghua different nationalities when founding a common language to communicate,Not to pseudo of other dialects!To carry forward the Chinese nation five thousand years of culture,To every ethnic group wants to retain their ethnic heritage and unique dialect,Wind race, culture .... honestly can spread a generation!(Wow .... very good ah ~ Melody ^^).-Ethlon Chan-Cantonese valued foreign universities, to a certain extent because the account of,Aliens generally thought Hong Kong is under China's one of the cities, nothing special !!But with the failure of the White Paper and the Joint Declaration on the public, representing the Hong Kong famous overseas !!(Yeah ~ ... but the theif wolf Leung Chun-ying was the slaves of China-pig, Shame! Melody hate..the beast #Fuck Leung Chun-ying).-Seki H-Good simple as wild, many countries have a Chinatown, most of them are all only speak Cantonese!Cantonese (Cantonese) already are independently a language, not a dialect!Department belongs to the ancient Chinese, really both Chinese,Chinese Zhongyou first system is the body both Chinese real, evolved from the hieroglyphics, meaning there are tables and tables sound effect.Really wanted to study Chinese language should learn Chinese and Cantonese is the body!(GooD ~)-yee d-That is more like a continent fake liar, foreigners Do not want to pour the verse with drainage Link solution!(Hahaha ... yeah!)
=====
http://hk.apple.nextmedia.com/news/art/20150818/19260090
加拿大卑詩大學 開粵語課程
表明抗衡普通話霸權
開設粵語課程的卑詩大學全球排43位,較本港的中文大學還要高。互聯網.
【本報訊】在本港學界推行「普教中」被指危害廣東話地位之際,海外著名學府相繼推出廣東話課程。繼美國哈佛大學(Harvard
University)後,加拿大卑詩大學(University of British
Columbia)近日亦公佈將開辦附設學分的廣東話課程,是當地首次;負責的學者表明,此舉是為免廣東話被邊緣化。
記者:陳凱迎
記者:陳凱迎
加拿大卑詩大學(又稱英屬哥倫比亞大學)亞洲研究學系近日公佈,
將於下月開學的2015/16新學年,開辦兩個廣東話基礎課程,
內容主要教授廣東話口語技 巧,供完全不諳廣東話的學生修讀,
並於2016/17學年開辦中級課程。
每個課程佔3個學分,是加拿大首個附設學分的廣東話課程。
卑詩大學亞洲研 究課程主管Ross King接受《經濟學人(The Economist)》訪問時表示,
在加拿大和美國的唐人街,廣東話為主流語言,惟隨着近年內地經濟發展,
越來越多操普通話的內地人移居美加,令廣東話面 臨被普通話邊緣化,
卑詩大學開辦上述課程,正是為了捍衞廣東話的地位。
4度拒擴大教授普通話
Ross King亦透露,卑詩大學曾先後4次拒絕由內地政府轄下的孔子學院出資於校內進一步擴大教授普通話,以抗衡普通話在文化上的霸權。相反,該校於2013年 曾接受一對居於溫哥華的港人兄弟慈善家,捐出150萬美元,以資助該學系開辦廣東話、廣東文化與粵劇及粵曲的相關課程。根據英國排名機構QS世界 大學排名榜,卑詩大學於全球排43位,
較本港的中文大學還要高,該校的亞洲研究學系,亦有開設日語和韓語等課程。
事實上,國際著名的美國哈佛大學去年秋季 亦已開辦廣東話課程,
透過廣東話的電影、新聞或電視節目,教授廣東話;相關課程於明年秋季更會開設進階班。
反對本港推行「普教中」的組織「正港語學」成員黃浩鋒認為,
海外學府開辦廣東話課程令人鼓舞,證明廣東話是值得重視的語言,
本港學界鼓勵以普通話代替廣東話教授中文的做法,令人覺得諷刺。
出 版《廣東俗語正字考》及《香港粵語頂硬上》等書捍衞廣東話文化的次文化堂社長彭志銘亦指出,70年代於海外的華人社會,廣東話相當盛行,惟現在卻逐漸被普 通話取代,海外學府推出廣東話課程,顯示外國社會對各種文化包括廣東文化的重視。
=====
101個評論-
-PH Wong-
見到外國學府都咁撐廣東話,作為中華兒女一份子內心真是悲傷莫名!
正如現在係國內要有番咁上下年紀先識睇繁體唐詩三百首的內容。
孫中山先生立國時設定普通話為全國大小不同民族的溝通共同語言,
並不是要偽化其它方言!
要發揚光大中華民族五千多年的文化,
是要每一個族群都要保留和承傳其族裔的獨有方言、
風族、文化....一切切才能流傳世代!
(Wow....very good ah~ Melody^^).
-Ethlon Chan-
廣東話被外國大學重視, 某程度上是因為佔中,
一般外國人原本以為香港只是中國轄下的其中一個城市, 沒甚麼特別之處!!
可是隨著白皮書和聯合聲明失效論公諸於世, 佔中令香港名揚海外!!
(yeah~...but the theif wolf Leung Chun-ying was the slaves of China-pig, Shame! Melody hate..the beast #Fuck Leung Chun-ying ).
-Seki H-
好簡單一樣野,好多國家都有唐人街,大多都係講廣東話既!
粵語(廣東話)本來就係獨立一套語言,不算是方言!
係屬於古漢語,真真正正既中文,
仲有正體中文先係真正既中文,由象形文字演變出來,有表義及表音作用。
真正想研究中國語文就應該學習正體中文及粵語!
(GooD~)
-yee d-
即好似大陸多假貨騙子,外國人唔想同佢地傾偈咁解!
(hahaha...yeah!)
=====
http://hk.apple.nextmedia.com/news/art/20150818/19260022
Attitude (Li Yi) |
People's Daily" the obviously man-made explosion in Tianjin, easily said to be a security incident, the CCP has displayed "thorough investigation" accident statement.
[Small comment]
"People's Daily" published in Commentary, refers to the central Tianjin explosion resolute attitude is clear, thorough investigation severely punished, asked Zhou, Xu, Guo, make this major program, are investigated in the end and open process, what is necessary, of a security incidents have reservations, concealment and "Guanguanxianghu"? It also refers to the specific cause of the accident investigation were extremely difficult, takes a long time, hope that after the evidence is conclusive, released to the public again, this time most need public opinion to understand.
Even assuming for corrupt officials, "a check in the end," it is true, but what is coherent Tianjin big bang? Some corrupt officials check a check in the end, it does not mean that will not be retained for the bombing. Are "Guanguanxianghu" depends on "protecting" What officer? It is now political opponents of those in power, such as Zhou Xu et al., Or the authorities to "protect" the official authorities even itself? The difficulty of the investigation is large, but the explosion released Ruihai what is the nature of the company, should not be difficult, right? Is a private, state-owned enterprises or the central rate? Requirements Ruihai company responsible person to come forward to explain, difficult it? After the explosion, Ruihai shameful, difficult people not suspected "Guanguanxianghu" or fundamental inventory of chemicals is official supplies.
In fact, the "People's Daily" the big pile of human disaster, easily said to be "a case of accidents," has shown how the CPC Central Committee's attitude was "clear" carry on.
(Column Tuesdays, Thursdays published)
(Https://www.facebook.com/mrleeyee)
Li Yi
Chase real thing burst size city that like Apple [site] FB!
======
http://hk.apple.nextmedia.com/news/art/20150818/19260022
態度 (李怡)
我們最喜愛的著名作家:李怡先生.人民日報》把明明是人禍的天津爆炸,輕鬆說成是一宗安全事故,已顯示中共「嚴查」事故的表態。
【小評】
《人民日報》發表時評,指中央對天津爆炸事故,態度是明確堅決,嚴 查嚴辦,反問周永康、徐才厚、郭伯雄、令計劃這樣的大案,都一查到底及公開處理,還有甚麽必要,對一宗安全事故有所保留、隱瞞及「官官相護」?又指這宗事 故具體原因的調查難度極大,需要較長時間,希望在證據確鑿後,再向公眾發佈,這時候最需要公眾、輿論的理解。
即使假定對貪官的「一查到底」是真 的,但與天津大爆炸有甚麼相干?查幾個貪官一查到底,並不表示對爆炸案不會有所保留。是否「官官相護」要看「護」的是甚麼官?是現今當權者的政敵如周徐等 人,還是當權者要「護」的官甚至當權者本身?調查的難度大,但公佈發生爆炸的瑞海是甚麼性質的公司,應該沒有難度吧?是民企、國企還是央企?要求瑞海公司 負責人出面交代,有難度嗎?爆炸發生後,瑞海見不得人,很難使人不懷疑是「官官相護」,或根本庫存化學品就是官方物資。
其實,《人民日報》把一樁人為大災禍,輕鬆說成是「一宗安全事故」,已顯示中共中央的態度是如何「明確」矣。
(本欄每周二、四出版)
(https://www.facebook.com/mrleeyee)
李怡
《人民日報》發表時評,指中央對天津爆炸事故,態度是明確堅決,嚴 查嚴辦,反問周永康、徐才厚、郭伯雄、令計劃這樣的大案,都一查到底及公開處理,還有甚麽必要,對一宗安全事故有所保留、隱瞞及「官官相護」?又指這宗事 故具體原因的調查難度極大,需要較長時間,希望在證據確鑿後,再向公眾發佈,這時候最需要公眾、輿論的理解。
即使假定對貪官的「一查到底」是真 的,但與天津大爆炸有甚麼相干?查幾個貪官一查到底,並不表示對爆炸案不會有所保留。是否「官官相護」要看「護」的是甚麼官?是現今當權者的政敵如周徐等 人,還是當權者要「護」的官甚至當權者本身?調查的難度大,但公佈發生爆炸的瑞海是甚麼性質的公司,應該沒有難度吧?是民企、國企還是央企?要求瑞海公司 負責人出面交代,有難度嗎?爆炸發生後,瑞海見不得人,很難使人不懷疑是「官官相護」,或根本庫存化學品就是官方物資。
其實,《人民日報》把一樁人為大災禍,輕鬆說成是「一宗安全事故」,已顯示中共中央的態度是如何「明確」矣。
(本欄每周二、四出版)
(https://www.facebook.com/mrleeyee
)李怡
Chase real thing burst size city that like Apple [site] FB!
=====
Fuck Leung Chun-ying, shame!!
Melody hate this beast!
#ophk #opchina #OpISIS #OpTaiwan #OpRussian #Op_Tibet
Cantonese is a very special place language, Cantonese and more able to express the meaning of place 'essence', the essence of a leaner but more prominent,, we all love utilization Cantonese ^^! - Come to learn Cantonese^ haha...
Melody.Blog letter on ~
廣東話是很特別的地方語言,廣東話能把表達的意思更到位的'精粹',更精簡但神髓更突出,,我們都愛活用廣東話^^ - 快點來學習廣東話!^哈哈...
Melody.Blog致上~
=====
*Updated: Hong Kong's Apple Daily reported ^^ -
更新:香港蘋果日報報導^^-**All THe Would City Lauguage**-
http://melody-free-shaing.blogspot.com/2015/08/update-1508-2015by-hkapplenextmediacom.html
=====################
http://hk.apple.nextmedia.com/news/first/20150817/19258978
Zhongnanhai busy day power struggle explosion fifth final appearance Li Keqiang
Premier Li Keqiang yesterday with senior officials to the scene of the explosion Tianjin, overlooking the ruins of the explosion in the center of the viaduct meters away.
[Explosion] Big Tianjin
WASHINGTON Tianjin big explosion yesterday entered its fifth day, the official declaration of the latest death toll rose to 112 people, and the first to recognize 95 people missing, including 85 firefighters. To ensure there is no danger of explosion site after a final rate Premier Li Keqiang yesterday officials appeared in top overlooking the ruins of the explosion. Public and media to the Prime Minister late great dissatisfaction. Beijing scholar refers Lee belatedly to the site, in addition to security considerations, more importantly, with the Beidaihe meeting on fear, gentlemen Zhongnanhai busy power struggle, the political game, not leaving his post until the end of the game yesterday, only collective appearance.
Chinese Group
Tianjin big bang from last Wednesday (12) night occurred yesterday
afternoon full past 84 hours, Premier Li Keqiang yesterday afternoon
before the official mobilize people to go on-site inspections.
CCTV reported findings, Lee hundred meters far away from the explosion
viaduct overlooking the center of the explosion; it was flanked by a
detector to monitor pollution. King Party the most senior level disaster so late to the scene is really rare!
Last August 3 Ludian 6.5 earthquake, Lee will fly to the scene the next
morning; May 12, 2008 earthquake, when Prime Minister Wen Jiabao is now
on the scene.
Four days earlier, the CPC have been held three deputy national level the central leadership to guide disaster relief in the name arrived in Tianjin, including Deputy Prime Minister and Deputy Prime Minister Ma Kai Liu Yandong, but they have no one to the scene of the explosion, but rather indicates relief elsewhere Tianjin, condolences to the injured, the Chair and the like; and even Mayor Huang Xingguo of Tianjin acting secretary and as a high ranking official in Tianjin, he has not been to the scene after the accident, until yesterday, was accompanied by Li appeared. Communist dignitaries such fear scene of the explosion, caused by the mainland public and media outcry.
Four days earlier, the CPC have been held three deputy national level the central leadership to guide disaster relief in the name arrived in Tianjin, including Deputy Prime Minister and Deputy Prime Minister Ma Kai Liu Yandong, but they have no one to the scene of the explosion, but rather indicates relief elsewhere Tianjin, condolences to the injured, the Chair and the like; and even Mayor Huang Xingguo of Tianjin acting secretary and as a high ranking official in Tianjin, he has not been to the scene after the accident, until yesterday, was accompanied by Li appeared. Communist dignitaries such fear scene of the explosion, caused by the mainland public and media outcry.
"Found releasing cyanide may be present danger."
Many Internet users in micro-Bo said yesterday: "how do you come ah?" "Prime Minister, you came late!" Li Keqiang and senior officials hint of dissatisfaction. Some netizens directed senior officials not delay, fear and explosion hundreds of tonnes of toxic materials left at the scene did not find, as well as other related unknown explosives, "Of course you want to go to confirm the safety"; "sodium cyanide found, dangerous lifting, You can go. " The fourth day, the authorities sent more than 200 anti-chemical warfare troops after the explosion, using professional equipment and instruments for explosive core area sampling and analysis, declared the day before yesterday to find hundreds of tons of sodium cyanide, and to ensure that "no harm to the people."Beijing affairs analyst Zhang Lifan yesterday to accept the "Apple" correspondent telephone interview, said Li Keqiang reason for the delay was to the disaster scene, in addition to safety considerations, is probably more important is some time ago Beidaihe activities. Zhang said: "The official media said that this year will be no Beidaihe, but I think still there, but not necessarily called bigwigs will be in there for politics and power of the game, to make some important decisions, therefore, no one dared. without permission from the position until the end of this game yesterday, we see the CPC all the bigwigs and public appearances. "
■ authorities piled dirt around the scene of explosion, covered with canvas to prevent the leakage of toxic substances. Killed in the fire hall to a temporary bow
Since August 6th Communist veterans memorial Zhang Jinfu, Xi Jinping and other seven collective debut attend the Standing Committee, the Standing Committee has seven to 10 days yesterday, has not been seen in public, CNA and other overseas media refer to early August vacation Communist giants held in Beidaihe style meeting to discuss the party-state military aircraft event. 10 days yesterday morning, seven of the Standing Committee and the collective appearance, died on Friday at the Babaoshan farewell before the Standing Committee of the CPC Central Discipline Inspection Commission secretary Wei Jianxing; Wei Li is attending the funeral after the Tianjin. In addition to the scene of the explosion spent more than 10 minutes, Lee went to the hospital and temporary mourning sacrifice to the accident firefighters bowed.Tianjin explosion shocked the world, but can not shake the Zhong Guan Beidaihe, provoke the mainland public opinion questioned criticism. Official "Beijing Youth Daily" micro-channel public number "known political circles" tweets yesterday specially for escort Li Keqiang, Xi said after the incident, Lee repeatedly special instructions, "such an approach, in the past quite rare accident disposal"; the article also refers to, "eighteen of the accident disaster since the central disposal of the majority by the local responsible ',' even if the central level to the scene, when the local primary responsibility to bear." Some netizens exclaimed: "! It seems to be unlucky secretary of the mayor of Tianjin" "? This is not to shirk its responsibility to do."
=====
http://hk.apple.nextmedia.com/news/first/20150817/19258978
中南海忙權鬥
爆炸第五日李克強終現身
總理李克強昨與高官到天津爆炸現場,在爆炸中心點百米以外的高架橋上遠眺廢墟。
【天津大爆炸】
【本報訊】天津大爆炸昨進入第五天,官方宣告最新死亡人數上 升至112人,並首認95人失蹤,包括85名消防員。在保證爆炸現場不會有危險後,總理李克強昨終率高官現身,隔空眺望爆炸廢墟。民眾和輿論對總理姍姍來 遲大表不滿。北京學者指,李遲遲才到現場,除考慮安全,更重要恐與北戴河會議有關,中南海諸君忙於權鬥、政治博弈,不敢擅離崗位,直到昨日博弈結束,才集 體現身。
中國組
【本報訊】天津大爆炸昨進入第五天,官方宣告最新死亡人數上 升至112人,並首認95人失蹤,包括85名消防員。在保證爆炸現場不會有危險後,總理李克強昨終率高官現身,隔空眺望爆炸廢墟。民眾和輿論對總理姍姍來 遲大表不滿。北京學者指,李遲遲才到現場,除考慮安全,更重要恐與北戴河會議有關,中南海諸君忙於權鬥、政治博弈,不敢擅離崗位,直到昨日博弈結束,才集 體現身。
中國組
天津大爆炸從上周三(12日)深夜發生到昨日中午整整過去84小時,總理李克強才於昨午率眾官去現場視察。央視報道所見,李在距離爆炸中心百米遠外的高架
橋眺望爆炸點;其身邊還有一部探測儀,監測污染情況。中共最高層對特大災難如此晚才到現場實在罕見!去年8月3日雲南魯甸6.5級地震,次日一早李便飛抵
現場;2008年5月12日汶川大地震,時任總理溫家寶更是即日趕到現場。
此前四天,中共已先後有三位副國級的中央領導,以指導救災之名抵天津, 包括副總理劉延東及副總理馬凱,但他們無一到爆炸現場,而是在天津其他地方指示救災、慰問傷者、主持會議等;甚至連天津市代理書記兼市長黃興國,作為天津 父母官的他,出事後一直未有到現場,直到昨日才陪同李克強現身。中共高官政要如此忌憚爆炸現場,引起內地民眾和輿論譁然。
此前四天,中共已先後有三位副國級的中央領導,以指導救災之名抵天津, 包括副總理劉延東及副總理馬凱,但他們無一到爆炸現場,而是在天津其他地方指示救災、慰問傷者、主持會議等;甚至連天津市代理書記兼市長黃興國,作為天津 父母官的他,出事後一直未有到現場,直到昨日才陪同李克強現身。中共高官政要如此忌憚爆炸現場,引起內地民眾和輿論譁然。
「找到山埃 危險解除可到場」
不少網民昨在微博稱:「你怎麼才來啊?」「總理你來晚了!」暗示對李克強和高官不滿。有網民直指,高官遲遲不到,恐與爆炸現場遺留數百噸劇毒物沒找到,以 及其他爆炸物未明有關,「當然要確認安全才能去了」;「氰化鈉找到,危險解除,可以去了」。爆炸後第四天,當局派出200多名防化軍人,採用專業設備儀器 對爆炸核心區進行採樣分析,前天宣告找到數百噸氰化鈉,並保證「不會對群眾造成危害」。北京時事分析員章立凡昨接受《蘋果》記者電話訪問表示,李 克強之所以遲遲才到災難現場,除安全考慮外,恐怕更重要是與前段時間的北戴河活動有關。章說:「官媒稱今年北戴河無會,但我看還是有的,只是不一定叫會。 大佬們要在那裏進行政治和權力的博弈,做一些重大的決定,所以,誰也不敢擅自離位。直到昨天這場博弈結束,我們看到,中共眾大佬們又公開亮相了。」
到臨時靈堂向殉職消防鞠躬
自8月6日中共元老張勁夫追悼會,習近平等七名常委集體亮相出席後,至昨日七常委已10天未有公開露面,中央社等海外媒體均指,8月上旬中共巨頭們在北戴 河舉行休假式會議,商議黨國軍機大事。10天後的昨天上午,七常委又集體亮相,在八寶山送別上周五去世的中共前常委、中紀委書記尉建行;李克強是參加完尉 的葬禮後才到天津的。除在爆炸現場呆了10多分鐘,李還到醫院和臨時靈堂向事故中犧牲的消防人員鞠躬致意。天津大爆炸震驚世界,卻震動不了北戴河 的眾官,惹內地輿論質疑批評。官方《北京青年報》微信公眾號「政知圈」昨特意推文,為李克強保駕護航,稱事發後習、李多次專門批示,「這樣的做法,在過去 事故處置中相當罕見」;文章更指,「十八大以來中央對事故災難處置,大部份應由地方負責」,「即便中央高層到現場,主要責任也當由地方來負」。有網民驚 呼:「這不是要推卸責任嗎?」「看來天津書記市長要倒楣了!」
=====
http://hk.apple.nextmedia.com/news/art/20150817/19258983
Tianjin explosion opinion Six Questions
families of missing persons holding a 18-year-old family photos, tearful requires authorities to assist tracing. Agence France-Presse.
Why incident fifth day (84 hours), and Tianjin central leadership was "long overdue" on site, overlooking the explosion area, if there are other hidden unpublished?
Why put 10 tons of warehouse has put 700 tons of highly toxic cyanide? Why the fifth genius confirm cyanide stored on site? Why has not released its origin, purpose?
Why has not responded officially questioned, the accident Ruihai company has a relationship with the current Politburo Standing Committee, former Standing Committee?
Why accident Ruihai company executives and shareholders, has yet to declare events, interpret, respond? Are they really "abysmal"?
Why the incident five days yet to figure out what kind of dangerous explosions in the end? Even the Deputy Minister of the Publicity Department of the relief commander who is not sure?
Why "rumors" once again come true, more than 80 hours after the disappearance of recognition nearly a hundred firefighters, and send the message of Internet users was arrested POLICE investigation?
Source: "Apple" correspondent finishing
Knowledge Didi Message
Kam Wai Wong:If the Department of Premier Wen arrived at the scene first time acting, you late late GOD Well ah.
Fai Wingfai:
Chung that dare enter the disaster area! Far had only looked at post number!
I love how lazy hit me ah:
Do not blame me went wrong: always feel more secure points before coming!
Source: "Apple" facebook
=====
http://hk.apple.nextmedia.com/news/art/20150817/19258983
天津爆炸 輿論六問
失蹤者家屬拿着18歲親人的相片,聲淚俱下要求當局協助尋人。法新社.
為甚麼事發第五天(84小時後),中央和天津領導才「姍姍來遲」到現場,眺望爆炸區,是否有其他隱患未公佈?
為甚麼放置10噸的倉庫卻放了700噸劇毒山埃?為甚麽到第五天才確認現場存放山埃?何以至今未公佈其來歷、用途?
為甚麼官方至今不回應外界質疑,肇事的瑞海公司與現任政治局常委、前任常委有關係?
為甚麼肇事的瑞海公司及股東高層,至今未對事件有聲明、解釋、回應?他們是否真的「深不可測」?
為甚麼事發五天仍未搞清到底是何種危險品爆炸?甚至宣傳部副部長對誰是救災總指揮也搞不清?
為甚麼「謠言」再次成真,80多小時後才承認有近百名消防員失蹤,而發此消息的網民卻被公安拘查?
資料來源:《蘋果》記者整理
為甚麼放置10噸的倉庫卻放了700噸劇毒山埃?為甚麽到第五天才確認現場存放山埃?何以至今未公佈其來歷、用途?
為甚麼官方至今不回應外界質疑,肇事的瑞海公司與現任政治局常委、前任常委有關係?
為甚麼肇事的瑞海公司及股東高層,至今未對事件有聲明、解釋、回應?他們是否真的「深不可測」?
為甚麼事發五天仍未搞清到底是何種危險品爆炸?甚至宣傳部副部長對誰是救災總指揮也搞不清?
為甚麼「謠言」再次成真,80多小時後才承認有近百名消防員失蹤,而發此消息的網民卻被公安拘查?
資料來源:《蘋果》記者整理
識睇睇留言
Kam Wai Wong:如果係溫總第一時間到場演戲,你遲唔遲啲呀。
Fai Wingfai:
仲以為夠膽入災區!原來只遠遠地望下交數!
我就愛懶怎樣打我啊:
別怪我想歪了:總覺得是等着安全點才過來!
資料來源:《蘋果》facebook
=====
http://hk.apple.nextmedia.com/news/art/20150817/19258985
7.7 kilometers outside the park once experience water Hanshan Egypt
Wear protective clothing have used aerial machine, observe the terrain changes the blast site.
Tianjin after the explosion crater left at the scene, was to fill the water into a lake. Many people worried that the cyanide will pollute the environment, environmental group Greenpeace yesterday at the blast site, the surrounding water quality with test strips, one of which was display appears cyanide (ie cyanide). Although the authorities recognize the scene yesterday for the first time there cyanide, but the PLA general has said will not cause problems, but also to the reporters went to the site, for example, protective equipment claiming that they did not stay at the scene a few hours, no problem.
Greenpeace yesterday morning from the big bang center 5-10 km of four locations, with cyanide detection test quick test, at a distance of 7.7 km of the field test Haihe Bund Park, three strips have shown that water containing cyanide, one of which is more red, it shows a high concentration of cyanide, but in 覆查 Shique not found, and three other locations in the test, the test strip is not discolored, that the water did not cyanide. For the test results, Greenpeace means this does not mean there is no surface water quality by low cyanide pollution, but also does not mean that there is no contamination of other chemicals.
Cyanide authorities refused to disclose the distribution point
Yesterday for the first time to attend the press conference the chief of staff of the PLA Beijing Military Area Command Shi Luze confirmed that authorities have identified a few hundred tons of cyanide, mainly in two locations, but declined to disclose the specific location; as the number of site logistics company called history, container mountains, there have been there out into, "find the company can not tell." He stressed that chemicals are not harmful to people, but also to the reporter approached the scene as an example: "twelve hours to go all right, this is the most telling."Really no problem? British chemical hazards and respiratory protection specialists Thomson (Ian Thomerson) believe, cyanide is a very complex toxic chemicals, with acids, water and other substances have an effect, affecting their health, people should evacuate all means, even when wearing ordinary Masks are also useless, we must be able to isolate the chemicals wear full face mask.
"Apple" Correspondent
=====
http://hk.apple.nextmedia.com/news/art/20150817/19258985
7.7公里外公園 一度驗出水含山埃
|
穿上防護衣的人員利用航拍機,觀察爆炸現場的地形變化。
天津大爆炸發生後現場留下的巨坑,被積水填滿,變成一個湖泊。不少民眾擔心山埃會污染環境,環保組織綠色和平昨在爆炸現場周邊用試紙測試水質,其中一點一
度顯示出現氰化物(即山埃)。雖然當局昨首次承認現場存有氰化物,但解放軍將領卻稱不會引起問題,更以曾到現場採訪記者為例,聲稱他們沒有防毒裝備在現場
停留數小時,都沒出問題。
綠色和平成員昨晨在距離大爆炸中心5至10公里的四個地點,用氰化物檢測試紙進行快速測試,在距離現場7.7公里的海河 外灘公園測試時,三張試紙均顯示水中含氰化物,其中一張更出現紅色,顯示氰化物濃度較高,但在覆查時卻未有發現,而在另外三個地點的測試,試紙則未有變 色,即水裏沒有氰化物。對於測試結果,綠色和平指這不代表地表水質沒有受低度氰化物污染,亦不代表沒有受其他化學物質污染。
綠色和平成員昨晨在距離大爆炸中心5至10公里的四個地點,用氰化物檢測試紙進行快速測試,在距離現場7.7公里的海河 外灘公園測試時,三張試紙均顯示水中含氰化物,其中一張更出現紅色,顯示氰化物濃度較高,但在覆查時卻未有發現,而在另外三個地點的測試,試紙則未有變 色,即水裏沒有氰化物。對於測試結果,綠色和平指這不代表地表水質沒有受低度氰化物污染,亦不代表沒有受其他化學物質污染。
當局拒透露氰化物分佈點
昨日首度出席記者會的解放軍北京軍區參謀長史魯澤證實,當局已確定有幾百噸氰化物,主要分佈在兩個地點,但拒絕透露具體位置;至於數量,史則稱現場是物流 公司、貨櫃堆積如山,不斷有進有出,「找到公司都說不清」。他強調化學品不會對民眾造成危害,更以走近現場的記者為例:「進去一兩個小時也沒事,這也最能 說明問題。」是否真的沒問題?英國化學危害和呼吸道防護專家湯姆森(Ian Thomerson)認為,氰化物是非常複雜的劇毒化學品,能與酸、水等物質產生作用,影響健康,民眾應該用盡一切方法撤離,即使戴上普通口罩亦沒用,必須戴上能夠隔離化學物質的全罩式面罩。
《蘋果》記者
=====
http://www.ntdtv.com/xtr/b5/2015/08/15/a1217250.html
Tianjin explosion exposed a terrorist truth
Updated: 2015-08-15.
圖說:紅點為化工企業,藍點為居民小區。(網絡圖片)
[NTD August 14, 2015 Reuters (NTD reporter Yu-reported) Tianjin explosion casualties continues to increase. Cause of the explosion is still under investigation, however, a problem already highlighted. Residential area will be built in the next how dangerous chemicals? According to media reports and cartographic display, households with explosion Harbour from Tianjin Vanke three less than 600 meters, less than the state's 1000 meters. Nearby residents do not know, daily living at the edge of the jaws. There are media reports, the explosion occurred not only in Tianjin, in China, there are many cities people are living next to the time bomb.
Explosion occurred on August 12, Tianjin Vanke Harbour three tenants, is tantamount to the end of the world Zouliaoyizao. However, they did not think that they've been living next to the time bomb. On the 12th night, a time bomb was detonated. They did not expect 400 meters away, and death is their distance.
In 2001, the State Administration of Work Safety Bureau of the CPC promulgated the "dangerous chemicals business business conditions and technical requirements." Which explicitly states that dangerous chemicals and medium-sized warehouses should be located in urban areas and far away from residential areas, while in regions downwind and downstream river dominant wind; medium-sized storage of dangerous chemicals should be around public buildings, transportation routes (roads , railways, waterways), the mining industry equidistant keep at least 1000 meters.
Clearly, where the explosion Ruihai International Logistics Limited Tianjin serious breach of this provision. Ruihai International Logistics Limited Tianjin warehouse located in Tianjin Port International Logistics Center Ji Yun 95 2. According to reports, the company was founded in 2011. The strange thing is, Tianjin Ruihai International Logistics Limited official website shows that in August last year, they adopted a multifaceted examination of the public security department.
" Reasonable location "?
Surging News, May 24, 2013, "Tianjin Dongjiang Bonded Port Ruihai International Logistics Co., Yuejin Road Yard Project Environmental Impact Assessment of Public Participation second publicity" at the official website of Tianjin Academy of Environmental Sciences on the release.
Disclosure EIA concludes that the project "Environmental acceptable level of risk, the project site is reasonably practicable." EIA unit of Tianjin Academy of Environmental Sciences for the project, the contact for the EIA teacher Zhang Yuan.
In addition, the spread of the Internet a "Tianjin Dongjiang Bonded Port Ruihai International Logistics Co., Yuejin Road Yard reconstruction project environmental impact report" shows that the explosion occurred before the start of the warehouse, had distributed 130 questionnaires, recover 128 parts and 100% of the public believe that the project site is reasonable. From the perspective of environmental protection, the 51.6 percent of public support, 48.4% who "do not care attitude", that is no objection.
Ruihai company of another publicity EIA report is mentioned, most storage materials as hazardous, flammable material, there are some environmental risks, but "taking effective preventive measures to develop the premise of appropriate emergency plans, accident risk within an acceptable range. "
Public information display, the Binhai New Area, the total land area of 2270 square kilometers, a coastline of 153 kilometers, the resident population of 2.48 million, including several functional areas. Especially Wanke Harbour three tenants, the explosion of fire and loud noise came almost simultaneously - they too close from the center of the explosion, according to media reports and surveying and mapping, less than 600 meters.
This is not the only affected local community, Netease "roadmap" on-site investigation found that, in the store within one kilometer around the blast range of a large number of dangerous goods, there are three large residential communities. Developers data show that total occupancy households over 5600, pursuant to which the number is expected to affect thousands already. -
http://imgs.ntdtv.com/pic/2015/8-14/p6726271a42446519.jpg
Tianjin is a city of north China's chemical industry, but it is also the largest northern port. 2010, official data showed industrial output value before the Binhai New Area in the top 20 companies, there are 16 all heavy industry. According to incomplete statistics, there are over 5000 Tianjin entire chemical industry. Binhai New Area is not only a large number of chemical companies, but also with interlocking neighborhoods.
How many neighborhoods built next to hazardous chemicals?
According to NetEase to statistics, China has one-third of chemical projects and city neighborhood. A has been involved in too much of petrochemical projects in the petrochemical former executives to accept the "Southern Weekend" interview cited many examples: "Nanjing Jinling Petrochemical approximately 200 meters from the nearest residential area; Qingdao Lidong Chemical nearest residential area about 600 meters; Ningbo Zhenhai Refinery more than 20,000 people living in the area of three hundred meters outside ...... "
In 2006, former Communist State Environmental Protection Administration has organized a national environmental risks of chemical and petrochemical projects big investigation. Statistics show that in the investigation of all 7555 projects, laid in the city or near densely populated areas of 2489, accounting for 32.4%. This is the only official public data visible, but just confined since September 1, 2003 "Environmental Impact Assessment Law" has Pifu the proposed, under construction and put into operation in the chemical and petrochemical projects.
That is, at present, the whole of China and at least 2489 time bomb, hidden in populated areas, people eat and drink and sleep together. Explosive and non-explosive, blasting what point in time, it may're just a predisposing factor. -
See more at:http://www.ntdtv.com/xtr/b5/2015/08/15/a1217250.html&usg=ALkJrhixKoRW9fQgLFpWdKIBLxmQJkRaQQ#sthash.UknvGbPl.dpuf
Tianjin explosion exposed a terrorist truth
Updated: 2015-08-15
- See more at:
http://translate.googleusercontent.com/translate_c?depth=1&hl=zh-TW&rurl=translate.google.com&sl=zh-CN&tl=en&u=http://www.ntdtv.com/xtr/b5/2015/08/15/a1217250.html&usg=ALkJrhixKoRW9fQgLFpWdKIBLxmQJkRaQQ#sthash.UknvGbPl.dpuf=====
http://www.ntdtv.com/xtr/b5/2015/08/15/a1217250.html
天津大爆炸曝出了一個恐怖真相更新時間: 2015-08-15.
圖說:紅點為化工企業,藍點為居民小區。(網絡圖片).
新唐人2015年08月14日訊】(新唐人記者李昱報導)天津大爆炸死傷人數在不斷的增加。引發爆炸的原因尚在調查之中,但是,一個問題已經凸顯出來。居民區怎麼會建在危險化學品旁邊?據媒體報導與地圖測繪顯示,天津萬科海港城三期的住戶跟爆炸點距離不到600米,小於國家規定的1000米。附近的居民都不知道,每日活在鬼門關的邊緣。有媒體披露,不僅僅是發生爆炸的天津,在中國,還有很多城市的人們都活在定時炸彈的旁邊。
8月12日發生的爆炸,對天津萬科海港城三期的住戶來說,無異於到世界末日走了一遭。不過,他們沒想到的是,他們一直生活在定時炸彈的旁邊。12日深夜,定時炸彈被引爆了。他們也沒有想到,400米的距離,就是他們與死神的距離。
2001年,中共國家安監局頒布了《危險化學品經營企業開業條件和技術要求》。其中明確規定大中型危險化學品倉庫應選址在遠離市區和居民區,當在主導風向的下風向和河流下游的地域;大中型危險化學品倉庫應與週圍公共建築物、交通幹線(公路、鐵路、水路)、工礦企業等距離至少保持1000米。
顯然,爆炸所在的天津瑞海國際物流有限公司嚴重違反了這個規定。天津瑞海國際物流有限公司的倉庫位於天津港國際物流中心吉運2道95號。據介紹,該公司成立於2011年。但奇怪的是,天津瑞海國際物流有限公司官方網站顯示,去年8月,他們通過了公安部門的多方面檢查。
「選址合理」?
澎湃新聞報導,2013年5月24日,《天津東疆保稅港區瑞海國際物流有限公司躍進路堆場改造工程環境影響評價第二次公眾參與公示》在天津市環境保護科學研究院官網上發布。
環評公示信息結論認為,項目「環境風險水平可以接受,項目選址合理可行」。天津市環境保護科學研究院為該項目的環評單位,聯繫人為環評師張媛。
另外,網上流傳的一份《天津東疆保稅港區瑞海國際物流有限公司躍進路堆場改造工程環境影響報告書》顯示,發生爆炸的倉庫動工前,曾發放了130份調查表,收回128份,100%的公眾認為該項目選址合理。而從環境保護的角度來說,51.6%的公眾支持,48.4%持「無所謂態度」,即無人反對。
瑞海公司的另一份環評公示報告則提到,倉儲物料大多為危險、易燃物料,存在一定環境危險,但「在採取有效的防範措施、制定相應的應急預案的前提下,事故風險在可接受範圍內。」
公開信息顯示,濱海新區陸域總面積2270平方公里,海岸線總長153公里,常住人口248萬,下轄多個功能區。尤其對天津萬科海港城三期的住戶來說,爆炸的火光和巨響幾乎同時而來——他們離爆炸中心太近了,據媒體報導與地圖測繪,不到600米。
這不是唯一受波及的小區,網易《路標》現場勘查發現,就在儲藏了大量危險品的爆炸點週圍1公里範圍內,有3個大型居住社區。開發商數據顯示,合計入住戶數超過5600戶,據此預計影響人數已經上萬。 -
http://imgs.ntdtv.com/pic/2015/8-14/p6726271a42446519.jpg
圖說:紅點為化工企業,藍點為居民小區。(網絡圖片)
天津是中國北方的化工重鎮,同時又是北方最大的港口。2010年的官方數據顯示,濱海新區工業總產值排名前20的企業中,有16家都是重工業企業。而據不完全統計,整個天津有超過5000家化工企業。濱海新區的化工企業不僅數量眾多,而且與居民區犬牙交錯。還有多少居民區建在危險化學品旁邊?
據網易統計,全中國有1/3的化工項目與城為鄰。一位曾經參與過多地石化項目的前中石化高管接受《南方周末》採訪時舉了不少例子:「南京金陵石化距最近居民區約200米;青島麗東化工與最近居民區約600米;寧波鎮海煉化,兩萬多人口的生活區就在二三百米外……」
2006年,原中共國家環保總局曾組織了全國化工石化項目環境風險大排查。統計顯示,在排查的全部7555個項目中,布設於城市附近或人口稠密區的2489個,佔32.4%。這是唯一可見的官方公開數據,但只是局限於自2003年9月1日《環境影響評價法》實施以來已批覆的擬建、在建和建成投產的化工石化類項目。
也就是說,目前,全中國至少還有2489個定時炸彈,隱藏在人口密集的地區,與民眾吃喝睡在一起。爆與不爆,什麼時間點爆,可能只差一個誘發因素而已。 - See more at: http://www.ntdtv.com/xtr/b5/2015/08/15/a1217250.html#sthash.z6jkKm22.dpuf
=====
http://www.cna.com.tw/news/acn/201508170402-1.aspx
Tianjin explosion victims to compensation from the Government to answer
Press time: 2015/08/17.
(CNA
Dow Jones reported on the 17th Tianjin) China mainland port city of
Tianjin last week a serious explosion, because live near the blast site
were forced to flee their homes in the affected residents, angry today
gathered claim compensation from the Government and accused the
government turned a blind eye to their plight. Agence France-Presse reported, officials and police held a press conference today at a hotel, there are nearly 150 not face with a wound that is put on respirator victims uninvited, at the hotel outside petitioned the government for compensation, to answers.
People were shouting in unison "repo dangerous", asking the Government to compensate for their damaged houses and property.
Many victims say their home is just 600 meters from the explosion site. Tianjin 12 terrible explosion occurred near the blast site in ruins, devastated.
One lives in Tianjin Harbour City fashion designer Liu Liang (phonetic) complained that the government not only failed to answer to the victims, not when treated victims.
He said to reporters when the explosion occurred, he was seeking only to escape, leaving behind all their possessions and belongings. He opened the gauze, exposing shocking wound sutures.
He said: "The water, air and groundwater were contaminated." He, like most of the victims, expressing the fear.
He said: "We can not live here anymore."
Although angry, the protest victims still managed to authorities to be patient.
At the meeting a large banner hanging from the red and white that read: "Harbour property owner: We love the party, trust the government, asked the Government to repurchase dangerous."
Some people are armed with small signs that read: "We strongly urge the Government to repurchase dangerous."
According to Reuters, Credit Suisse Group (Credit Suisse) analyst cited preliminary estimates of Chinese media, Tianjin last week, two large explosions cause the death of more than 100 people, the total amount of claims 10 to 15 billion dollars.
Credit Suisse analyst Wen Yajun (Arjan Van Veen) collect relevant mainland media released a report that claims valuation: "At present you want to determine the amount of insurance claims is still too early to say, but claims the amount of accidents can be significant, preliminary estimates suggest that the value 10-1500000000 US dollars, a lot of the insurance industry caught will be affected. "(Translation: CNA Zhao Wei Lan) 1040817.
=====
http://www.cna.com.tw/news/acn/201508170402-1.aspx
天津大爆炸 災民要政府賠償給答案
發稿時間:2015/08/17. (中央社天津17日綜合外電報導)中國大陸港都天津上週發生嚴重爆炸事故,因住在爆炸現場附近而被迫逃離家園的受災居民,今天怒氣沖沖的齊聚一堂,要求政府賠償,並指責政府對他們的困境視若無睹。
法新社報導,官員與公安今天在一家飯店舉行新聞發佈會,有近150名不是臉上帶著傷口,就是戴上防護口罩的災民不請自來,在飯店外請願,要求政府賠償、給個答案。
災民們齊聲高喊「回購危樓」,要求政府賠償他們受損的房屋與財產。
許多災民說,他們的住家距離爆炸現場僅600公尺。天津12日發生驚天大爆炸,爆炸現場附近一片狼藉,滿目瘡痍。
一名住在天津海港城的時尚設計師劉良(音譯)抱怨,政府不僅沒有給災民答案,還不當對待災民。
他向記者說,爆炸發生時,他只顧著逃命,留下了所有的財產與家當。他並拉開紗布,露出怵目驚心的傷口縫合線。
他說:「水、空氣與地下水均被污染。」他和大多數災民一樣,表達了心中的恐懼。
他說:「我們不能住在這裡了。」
儘管怒氣沖天,這些抗議災民仍設法對當局保持耐心。
會場上懸起紅底白字大橫幅寫著:「海港城財產所有人:我們愛黨、信任政府,請政府回購危樓。」
有些人則手持較小的標語寫著:「我們堅決要求政府回購危樓。」
據路透社報導,瑞士信貸集團(Credit Suisse)分析師引述中國大陸媒體的初步估計,天津市上週造成逾百人死亡的二起大爆炸,總計理賠金額在10至15億美元。
瑞士信貸集團分析師溫雅俊(Arjan Van Veen)蒐集大陸各媒體相關理賠估值發佈報告說:「目前想要確定保險理賠額度仍言之過早,但這起事故的理賠金額可能會很大,初估值為10至15億美元,很多保險業者均將受到衝擊。」(譯者:中央社趙蔚蘭)1040817.
=====
http://www.epochtimes.com/b5/15/8/15/n4504947.htm
Tianjin after the big bang, there are 50 sites have been closed by authorities. Earlier, the Central Propaganda Department has been under the ban. (Internet photo) .Update: 2015-08-15 09:00:10 AM Tianjin explosion , 50 sites have been closed , the Central Propaganda Department
WASHINGTON August 15, 2015 Reuters (Epoch Times reporter Zhang Dayton roundup) mainland reported 50 sites in Tianjin because the big bang, "a radius of one kilometer to live free," "at least a thousand deaths," and other messages were Communist country Internet Information Office to investigate, and by permanently closed or shut down a month and other sanctions.
Surging News August 15 reported that Tianjin on the 12th explosion occurred, the mainland network reported "at least a thousand deaths", "no one km radius to live", "Tianjin has been chaotic, the mall was robbed," "Tianjin adjustment of the principal leaders of the city ", etc., be punished.
It reported that the CPC National Network Information Office in conjunction with relevant departments, the car groom network, the US line network, network, and other 18 Chinese military sites taken off permanently canceled filing penalties; fresh military network, 0668 forum, Azeroth country Geographic and other 32 sites penalties closed a month.
CPC National Network Information Office official website news on the 13th show, the Zhengzhou Evening News micro-channel official accounts for the publication of Tianjin explosion related news, fined closed the week; and asked Beijing Network Information Office closed @ six pinch week @ Hong Kong Daily, criticized the brother @ etc. Weibo account.
Around at 23:30 on August 12, Tianjin Binhai New Area exploded. So far, according to China's official bulletin, there have been 80 deaths, but Boxun network executives learned from the Chinese Communist armed police, to 15 noon, more than 1,400 people died.
August 13 mainland network spread a Central Propaganda Department notice said, Tianjin explosion must standardize Manuscripts, only use Xinhua News Agency, People's Daily, Tianjin Enorth three media information. Site does not allow unauthorized acquisition plus personal understanding, do not engage in information broadcast. Other than the total withdrawal of all 央媒 reporters.
China Digital Times website the day of the disclosure of overseas Chinese Communist network Informatization Office, Tianjin Municipal Party Committee Propaganda Department and other reports about the explosion in Tianjin ban content.
Editor: Lin Rui.
CPC
Tianjin explosion blockade news 50 sites have been closed - See more
at:
http://translate.googleusercontent.com/translate_c?depth=1&hl=zh-TW&rurl=translate.google.com&sl=zh-CN&tl=en&u=http://www.epochtimes.com/b5/15/8/15/n4504947.htm&usg=ALkJrhjBGR6VMwmVQIFM1pZroo7i0hFxsw#sthash.5MjtC6QH.dpuf
=====
http://www.epochtimes.com/b5/15/8/15/n4504947.htm
中共天津爆炸封鎖消息50網站已被關閉.
中共封鎖天津爆炸消息 50家網站被關
天津大爆炸後,有50個網站已被關閉,當局。此前,中宣部已經下了禁令。 (網絡圖片)。更新日期:2015年8月15日上午9點00分10秒發生爆炸天津,50個站點已經關閉,中宣部本報訊2015年8月15日訊(大紀元記者張頓綜合報導)大陸報導50個在天津,因為大爆炸,“一公里半徑的生活自由”,“至少有一千人死亡”等信息是共產主義國家互聯網信息辦公室進行調查,並永久關閉或一個月和其他制裁關機。澎湃的新聞8月15日報導,天津12日發生爆炸,大陸網絡報“至少有一千人死亡”,“沒有人公里為半徑的生活”,“天津已經亂成一團,商場被劫”,“天津調整城市“等主要領導,進行處罰。據報導,中國共產黨全國網絡信息辦公室會同有關部門,汽車新郎網,美線網,網絡和帶下永久取消備案的處罰等18個中國軍事網站結合;新的軍事網絡,0668論壇上,國家艾澤拉斯地理等32個網站的處罰封閉了一個月。13號秀中國共產黨全國網絡新聞辦公室官方網站消息,鄭州晚報微信官方的佔天津爆炸相關的新聞發布,罰款一周關閉;並要求北京網絡新聞辦公室關閉@ 6週捏@香港商報,批評哥@等微博帳號。周圍23:30 8月12日,天津濱海新區爆炸。到目前為止,根據中國官方的公告,已經有80人死亡,但博訊網高管從中國共產黨武警了解到,到15日中午,1400餘人死亡。8月13日中國大陸網絡上流傳的一個中央宣傳部通知稱,天津爆炸必須規範手稿,只能用新華社,人民日報,天津北方網三家媒體的信息。網站不允許擅自收購加上個人的理解,不從事信息廣播。除了所有央媒記者全部撤回。中國數字時代網站overseas中國共產黨的網絡信息化辦公室,天津市委宣傳部關於在天津禁令內容爆炸的其他報告披露之日。編輯:林銳.
=====
http://thehackernews.com/2013/02/mandiant-revealed-chinese-apt1-cyber.html
Mandiant revealed Chinese APT1 Cyber Espionage campaign
Few weeks after the discovery of the sophisticated cyber espionage campaign against principal US media The Mandiant® Intelligence Center ™ released an shocking report that reveals an enterprise-scale computer espionage campaign dubbed APT1. The term APT1 is referred to one of the numerous cyber espionage campaign that stolen the major quantity of information all over the world.
The evidences collected by the security experts link APT1 to China's
2nd Bureau of the People's Liberation Army (PLA) General Staff
Department's (GSD) 3rd Department (Military Cover Designator 61398) but
what is really impressive is that the operation have been started in the
distant 2006 targeting 141 victims across multiple industries.
During the attacks the attackers have took over APT1 malware families
and has revealed by the report APT1′s modus operandi (tools, tactics,
procedures) including a compilation of videos showing actual APT1
activity.
The Mandiant has also identified more than 3,000 indicators to improve
defenses against APT1 operations and is releasing a specific document
that will address them including APT1 indicators such as domain names,
IP addresses, and MD5 hashes of malware.
APt1 has systematically stolen hundreds of terabytes of data from
victim organizations and has demonstrated the capability and intent to
steal from dozens of organizations simultaneously.
APT1 is a persistent collector, once APT1 has established access, they
periodically access to victim's network stealing sensible information
and intellectual property for a long time, typically maintaining access
to victim networks for an average of 356 days.
The longest time period APT1 maintained access to a victim's network was 1,764 days, or four years and ten months.
Mandiant managers have decided to make an exception to its traditional
non-disclosure policy due the risks related to the imposing cyber
espionage campaign and its impact on global economy, many states and
related industries are victims of the offensive.
Following a meaningful declaration of the security firm:
“ It
is time to acknowledge the threat is originating from China, and we
wanted to do our part to arm and prepare security professionals to
combat the threat effectively. The issue of attribution has always been a missing link in the public's understanding of the landscape of APT cyber espionage. Without
establishing a solid connection to China, there will always be room for
observers to dismiss APT actions as uncoordinated, solely criminal in
nature, or peripheral to larger national security and global economic
concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches. ”
The cyber war has started a long time ago!
=====
http://thehackernews.com/2013/02/mandiant-revealed-chinese-apt1-cyber.html
Mandiant透露中國APT1網絡間諜活動
在複雜的網絡間諜活動的發現對美國主要媒體後幾週Mandiant®情報中心 ™發布了一個令人震驚的報告 ,揭示了企業級的計算機間諜活動被稱為APT1。 術語APT1被稱為被盜信息的主要數量在世界各地眾多的網絡間諜活動之一。
由安全專家收集的證據鏈接APT1到人民解放軍(PLA)總參的(GSD)第3部(軍事封面代號61398)的中國的第二局,但什麼是真正令人印象深刻的是,該操作已在遙遠啟動2006年針對多個行業的141受害者。
在攻擊的攻擊者接管APT1惡意軟件家族,並透露該報告APT1的作案手法(工具,手段,程序),包括視頻顯示實際APT1活動的彙編。
該Mandiant還確定了3000多個指標,提高對APT1操作的防禦,並釋放一個特定的文件,將解決這些問題,包括APT1指標,如域名,IP地址和惡意軟件的MD5哈希值。
APT1系統地偷走數百TB從受害者組織的數據,並表現出的能力和意圖,從幾十個組織同時竊取。 APT1是一個持久的收藏家,一旦APT1已建立連接,他們定期訪問受害者的網絡偷了很長的時間敏感信息和知識產權,通常保持訪問受害者的網絡,平均356天。
最長的一段時間保持APT1訪問受害者的網絡是1764天,四年零十個月。
Mandiant經理已決定破例其傳統的非披露政策,由於涉及到氣勢宏偉的網絡間諜活動及其對全球經濟的影響的風險,許多國家和相關行業是進攻的受害者。
繼保公司的一個有意義的聲明:
“ 現在是時候承認威脅來自中國,我們希望盡自己的力量來武裝,並準備安全專業人員有效地打擊的威脅。 歸屬問題一直在APT網絡間諜的風景公眾的理解一個缺失的環節。 如果沒有建立與中國建立穩固的連接,總是會有餘地觀察員解僱APT行動是不協調的,在本質上只是犯罪,或外圍較大的國家安全和全球經濟的擔憂。 我們希望,這份報告將導致更多的理解和應對APT網絡漏洞採取協調一致的行動 。“
網絡戰爭已經開始很久以前!
=====
http://thehackernews.com/2015/08/lenovo-rootkit-malware.html
Lenovo Caught Using Rootkit to Secretly Install Unremovable Software
Two years ago Chinese firm Lenovo got banned from supplying equipment for networks of the intelligence and defense services various countries due to hacking and spying concerns.
Earlier this year, Lenovo was caught red-handed for selling laptops pre-installed with Superfish malware .
One of the most popular Chinese computer manufacturers 'Lenovo' has
been caught once again using a hidden Windows feature to preinstall
unwanted and unremovable rootkit software on certain Lenovo laptop and
desktop systems it sells.
The feature is known as " Lenovo Service Engine " (LSE) – a piece of code presents into the firmware on the computer's motherboard.
If Windows is installed, the LSE automatically downloads and installs
Lenovo's own software during boot time before the Microsoft operating
system is launched, overwriting Windows operating system files.
More worrisome part of the feature is that it injects software that
updates drivers, firmware, and other pre-installed apps onto Windows
machine – even if you wiped the system clean.
So even if you uninstall or delete the Lenovo's own software programs,
the LSE hidden in the firmware will automatically bring them back as
soon as you power-on or reboot your machine.
Users at a number of online forums are criticizing Lenovo for this move
and suspecting that the Chinese computer maker has installed a
"bootkit" that survives a full system wipe-and-reinstall.
The issue was first discovered and reported by users back in May when using new Lenovo laptops but was widely reported Tuesday.
What these Unwanted Program Does?
For Desktops:
In case of desktops, Lenovo's own description states that the software
doesn't send any personally identifying information, but sends some
basic information, including the system model, date, region, and system
ID, to a Lenovo server.
Moreover, the company claims that this process is done only one-time,
sending the information to its server only when a machine first connects
to the Internet.
For Laptops:
However, in case of Laptops, the software does rather more. LSE installs a software program called OneKey Optimizer (OKO) that bundles on many Lenovo laptops.
According to the company, the OKO software is used for enhancing computer performance by " updating the firmware, drivers, and pre-installed apps " as well as " scanning junk files and find factors that influence system performance. "
OneKey Optimizer falls under the category of " crapware ". The worst part is that both LSE as well as OKO appears to be insecure.
Back in April, security researcher Roel Schouwenberg reported some
security issues, including buffer overflows and insecure network
connections, to Lenovo and Microsoft.
This forced Lenovo to stop including LSE on its new systems that built since June.
The company has also provided firmware updates for vulnerable laptops
and issued instructions to disable the option on affected machines and
clean up the LSE files.
Among others, many Flex and Yoga machines running an operating system
including Windows 7, Windows 8, and Windows 8.1 are affected by this
issue. You can see the full list of affected notebooks and desktops on Lenovo's website.
Lenovo has since released an official statement, which notes that the
systems made from June onwards have BIOS firmware that eliminates the
issue, and it's no longer installing Lenovo Service Engine on PCs.
Expert way! How to Remove Lenovo Service Engine (Rootkit)
In order to remove LSE from your affected machines, you have to do it manually. Follow these simple steps in order to do so:
- Know your System Type (whether it's a 32-bit or 64-bit version of Windows)
- Browse to the Lenovo Security Advisory, and select the link for your specific Lenovo machine.
- Click the "Date" button for the most recent update.
- Search for "Lenovo LSE Windows Disabler Tool" and Click the download icon next to the version that matches your version of Windows.
- Open the program once it downloads. It will remove the LSE software.
=====
http://thehackernews.com/2015/08/lenovo-rootkit-malware.html
聯想不得不選擇的Rootkit偷偷安裝軟件無法移動
兩年前,中國企業聯想集團得到了提供設備禁止用於因黑客和間諜的擔憂情報和國防服務的各個國家的網絡。
今年早些時候,聯想被逮個正著 出售筆記本電腦預裝了惡意軟件快魚 。
其中最流行的中國計算機製造商聯想已使用隱藏的Windows功能預裝在某些聯想筆記本電腦,它的售價桌面系統不必要的和不可移除rootkit的軟件抓到一次。
該功能被稱為“ 聯想服務引擎 ”(LSE) -一段代碼呈現到計算機主板上的固件。
如果Windows安裝,倫敦證交所將自動下載並在啟動期間安裝聯想自己的軟件微軟操作系統啟動之前,覆蓋Windows操作系統文件。
該功能的更令人擔憂的是,它注入軟件更新驅動程序,固件和其他預安裝的應用程序到Windows機器 - 即使你抹了系統的清潔。
所以,即使你卸載或刪除聯想自己的軟件程序,倫敦證交所隱藏在固件將自動把他們回來,只要你開機或重新啟動計算機。
在一些網上論壇的用戶都批評為聯想這一舉動,並懷疑中國的電腦製造商已經安裝了“的bootkit”的生存完整的系統擦除並重新安裝。
這個問題被首次發現並利用新聯想的筆記本電腦時,在五月份報告的用戶,但被廣泛週二報導。
這是什麼有害程序呢?
對於台式機:
如果台式機,聯想自己的描述指出該軟件不會發送任何個人身份信息,但是發送的一些基本信息,包括系統模型,日期,地區和系統ID,以聯想服務器。
此外,該公司聲稱,這個過程只需進行一次,只發送當機器第一次連接到Internet的信息,它的服務器。
對於筆記本電腦:
然而,在筆記本電腦,軟件確實相當多。 LSE安裝了一個叫做一鍵優化器(OKO)的軟件程序捆綁在許多聯想的筆記本電腦。
據該公司介紹,該OKO軟件是由“ 更新固件,驅動程序和預裝的應用程序 ”,以及用於提高計算機性能“ 掃描垃圾文件,發現影響系統性能的因素。”
一鍵優化瀑布下的“crapware”的範疇。 最糟糕的是,無論是倫敦經濟學院以及OKO似乎是不安全的。
在四月份,安全研究人員羅埃爾Schouwenberg報導了一些安全問題,包括緩衝區溢出和不安全的網絡連接,以聯想和微軟。
這迫使聯想到,包括停止對倫敦證交所的新系統,因為六月份建成。 該公司還提供了脆弱的筆記本電腦並發出指令的固件更新,禁用受影響的機器的選項,並清理LSE文件。
其中,運行的操作系統包括Windows 7,Windows 8中,和Windows 8.1的許多Flex和瑜伽機器受此問題的影響。 你可以看到受影響的筆記本電腦和台式機聯想的網站上的完整列表。
聯想自發布了官方聲明,其中指出,從6月提出的系統開始有BIOS固件,消除了問題,它不再在PC上安裝聯想服務引擎。
得心應手! 如何刪除聯想服務引擎(Rootkit的)
為了從您的受影響的計算機中刪除LSE,你必須做手工。 遵循以做到這些簡單的步驟:
- 了解你的系統類型(無論是32位或64位版本的Windows)
- 瀏覽到聯想安全顧問,並選擇鏈接為您的特定機器的聯想。
- 點擊查看最新的更新的“日期”按鈕。
- 搜索“聯想LSE的Windows功能停止工具”,然後點擊旁邊的下載圖標,以符合您的Windows版本的版本。
- 打開程序一旦下載。 它會刪除該軟件LSE。
=====
http://thehackernews.com/2013/05/blueprints-of-australias-top-spy-agency.html
Blueprints of Australia's top spy agency headquarters stolen by Chinese hackers
Secret and highly sensitive and $630 million building blueprints outlining the layout of Australia's top spy agency's new headquarters have been stolen by Chinese hackers.
According to a report by the ABC 's Four Corners, the blueprints included floor plans, communications cabling, server locations and the security systems.
The cyber attack, launched on a contractor involved in work at the
site, is one of the reasons completion of the new building has been
delayed.
Companies including BlueScope Steel and Adelaide-based Codan, which
makes radios for military and intelligence agencies, are also said have
been targeted by the Chinese.
Under this major hacking operations, hackers successfully breached the
Defence Department's classified email system, the Department of Prime
Minister and Cabinet, and the Department of Foreign Affairs and Trade.
A separate attack on the Defence Department involved an employee
sending a highly classified document from his desk computer to his home
email account. Hackers had targeted the officer's home computer, allowing a copy of the document to be sent back to China once opened at home.
=====
http://thehackernews.com/2013/05/blueprints-of-australias-top-spy-agency.html
澳大利亞頂級的間諜機構總部藍圖由中國黑客竊取
秘密和高度敏感和6.3億美元建設藍圖勾勒出澳大利亞最大的間諜機構的新總部的佈局已被盜用中國黑客。
據一份報告ABC的四個角落,藍圖包括平面圖,通信電纜,服務器位置和安全系統。
網絡攻擊,對在現場參與工作的承包商展開,是新樓的建成,被推遲的原因之一。 公司包括博思格鋼鐵和阿德萊德市的柯頓,這使得無線電,軍方和情報機構,也都表示,已經有針對性的由中國。
在這一重大的黑客行動,成功的黑客突破國防部的機密電子郵件系統,總理和內閣,以及外交和貿易部部。
在國防部的獨立攻擊涉及的員工將來自他的辦公桌上的電腦一個高度機密的文件,他家的電子郵件帳戶。 黑客們瞄準了官員的家用電腦,允許發送的文件的副本回中國一旦打開家裡。
=====
http://www.abc.net.au/4corners/stories/2013/05/27/3766576.htm
By Andrew Fowler and Peter Cronau
Updated
"HACKED!" - Monday 27 May 2013
Next on Four Corner's reporter Andrew Fowler reveals that hackers,
working from locations overseas, have targeted key Federal Government
departments and major corporations in Australia.
Next on Four Corners reporter Andrew Fowler reveals that hackers, working from locations overseas, have targeted key Federal Government departments and major corporations in Australia. Their intention is to steal national security secrets and vital business information.
In one case, an Australian company that supplies secret communications equipment used by military across the globe had its computer network hacked. It appears the hackers accessed the system holding vital design information involving a military radio system. The break-in meant secure communications used by Australia's allies could be compromised.
Speaking with security specialists and insiders, Four Corners also details a number of specific high level break-ins involving Government departments. In each case it explains how the security system might have been breached.
A deafening silence surrounds this issue. Companies won't speak about the break-ins because they fear it will alarm clients and shareholders. Governments refuse to speak up because inevitably they will be asked, who is doing this? The answer is uncomfortable.
A number of people, including former government advisors in cyber security, claim the digital trail leads to China. Although it's unclear if the hackers are working for the Chinese Government, those same experts believe that any company doing significant business in China must assume it will be the target of corporate espionage.
HACKED!, reported by Andrew Fowler and presented by Kerry O'Brien, goes to air on Monday 27th May at 8.30pm on ABC1 . The program is repeated on Tuesday 28th May at 11.35pm . It can also be seen on ABC News 24 on Saturday at 8.00pm, ABC iview or at abc.net.au/4corners .
=====
http://www.abc.net.au/4corners/stories/2013/05/27/3766576.htm
由安德魯·福勒和彼得Cronau
更新日期
接下來的四角的記者安德魯·福勒發現,黑客從海外地區工作,有針對性地重點聯邦政府部門和澳大利亞大型企業。
“黑客攻擊”! -週一2013年5月27日.
而爭論不休了澳大利亞邊境安全,有越來越多的證據表明,澳大利亞的國家安全的最大威脅可能來自外國電腦黑客。 在一些政府或企業將承認非法闖入的嚴重程度,用一位專家稱這是一個“骯髒的小秘密”。
接下來的四個角落記者安德魯·福勒發現,黑客從海外地區工作,有針對性地重點聯邦政府部門和澳大利亞大型企業。 他們的目的是竊取國家安全機密和重要的商業信息。
在一個案例中,一家澳大利亞公司,它提供全球各地使用的軍事機密通信設備有其計算機網絡黑客攻擊。 看來黑客訪問的系統保持重要的設計信息,涉及軍事無線電系統。 磨合使用澳大利亞的盟友意味著安全的通信可能受到影響。
談到與安全專家和業內人士, 四角還詳細介紹了一些特定的高層次,涉及政府部門闖入的。 在每種情況下它說明了如何安全系統可能已被破壞。
震耳欲聾的沉默圍繞著這個問題。 公司不會談論破門而入,因為他們擔心這會報警的客戶和股東。 政府拒絕說話,因為他們不可避免地會問,是誰做的? 答案是不舒服的。
許多人,包括前政府顧問的網絡安全,聲稱數字足跡導致中國。 雖然目前還不清楚,如果黑客正在為中國政府,同樣是這些專家認為,任何在中國開展業務顯著公司必須承擔這將是企業間諜活動的目標。
HACKED!報導由安德魯·福勒和克里奧布萊恩介紹,進入空氣週一5月27日晚上八時三十分在ABC1, 該方案是重複週二5月28日下午11時35時 , 它也可以被看作對ABC新聞24對週六晚8:00, 美國廣播公司的iView或abc.net.au/4corners。
=====
http://snip.ly/giNB
Threat Group-3390 Targets Organizations for Cyberespionage
- Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence
- Date: 05 August 2015
- URL: www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage
Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390 [1] (TG-3390). Analysis of TG-3390's operations, targeting, and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China. The threat actors target a wide range of organizations: CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects, but also targeting other industry verticals and attacking organizations involved in international relations. The group extensively uses long-running strategic web compromises [2] (SWCs), and relies on whitelists to deliver payloads to select victims. In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.
CTU researchers divided the threat intelligence about TG-3390 into two sections: strategic and tactical. Strategic threat intelligence includes an assessment of the ongoing threat posed by the threat group. Executives can use this assessment to determine how to reduce risk to their organization's mission and critical assets. Tactical threat intelligence is based on incident response investigations and research, and is mapped to the kill chain. Computer network defenders can use this information to reduce the time and effort associated with responding to TG-3390.
Key points
Explanations of how CTU researchers identify attribution and gauge confidence levels are available in the Appendix A .
- CTU researchers assess with moderate confidence that TG-3390 is based in the People's Republic of China.
- CTU researchers have evidence that the threat group compromised US and UK organizations in the following verticals: manufacturing (specifically aerospace (including defense contractors), automotive, technology, energy, and pharmaceuticals), education, and legal, as well as organizations focused on international relations. Based on analysis of the group's SWCs, TG-3390 operations likely affect organizations in other countries and verticals.
- TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication. Through an IP address whitelisting process, the threat group selectively targets visitors to these websites.
- After the initial compromise, TG-3390 delivers the HttpBrowser backdoor to its victims. The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment.
- The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal.
- CTU researchers recommend the following practices to prevent or detect TG-3390 intrusions:
- Search web log files for evidence of web server scanning using the URIs listed in the Exploitation section and evidence of exfiltration using the User-Agent in the Actions on objective section.
- Require two-factor authentication for all remote access solutions, including OWA.
- Audit ISAPI filters and search for web shells on Microsoft Exchange servers.
CTU researchers assess the threat posed by a threat group by reviewing intent and capability (see Figure 1). Threat groups pose varying threats to different organizations, and even a very capable group may pose a low threat if it does not have the intent to target a particular organization.
Figure 1. Threat is based on a threat group's intent and capability. (Source: Dell SecureWorks)
Intent
CTU researchers infer intent by aggregating observations, analyzing a threat group's activity, and placing the information in a wider context.
Like many threat groups, TG-3390 conducts strategic web compromises (SWCs), also known as watering hole attacks, on websites associated with the target organization's vertical or demographic to increase the likelihood of finding victims with relevant information. CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control. Most websites compromised by TG-3390 actors are affiliated with five types of organizations around the world:
- large manufacturing companies, particularly those supplying defense organizations
- energy companies
- embassies in Washington, DC representing countries in the Middle East, Europe, and Asia, likely to target US-based users involved in international relations
- non-governmental organizations (NGOs), particularly those focused on international relations and defense
- government organizations
Attribution
To assess attribution, CTU researchers analyze observed activity, third-party reporting, and contextual intelligence. For the following reasons, CTU researchers assess with moderate confidence that TG-3390 has a Chinese nexus:
- The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group, a Muslim minority group primarily found in the Xinjiang region of China. Threat groups outside of China are unlikely to target the Uyghur people.
- TG-3390 uses the PlugX remote access tool. The menus for PlugX's server-side component are written exclusively in Standard Chinese (Mandarin), suggesting that PlugX operators are familiar with this language.
- CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC, which is 12:00 to 17:00 local time in China (UTC +8). The timeframe maps to the second half of the workday in China.
- The threat actors have used the Baidu search engine, which is only available in Chinese, to conduct reconnaissance activities.
- CTU researchers have observed the threat group obtaining information about specific US defense projects that would be desirable to those operating within a country with a manufacturing base, an interest in US military capability, or both.
Capability
To assess a threat group's capability, CTU researchers analyze its resources, technical proficiency, and tradecraft.
Resources
TG-3390 has access to proprietary tools, some of which are used exclusively by TG-3390 and others that are shared among a few Chinese threat groups. The complexity and continual development of these tools indicates a mature development process. TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments. This ability is further demonstrated by analysis of interactions between TG-3390 operators and a target environment. CTU researchers found no evidence of multiple operators working simultaneously against a single organization. This efficiency of operation (a 1:1 ratio of operator to observed activity) suggests that TG-3390 can scale to conduct the maximum number of simultaneous operations. These characteristics suggest that the threat group is well resourced and has access to a tools development team and a team focused on SWCs.
Technical proficiency
TG-3390's obfuscation techniques in SWCs complicate detection of malicious web traffic redirects. Malware used by the threat group can be configured to bypass network-based detection; however, the threat actors rarely modify host-based configuration settings when deploying payloads. CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers, which requires a technical grasp of Internet Information Services (IIS). TG-3390 uses older exploits to compromise targets, and CTU researchers have not observed the threat actors using zero-day exploits as of this publication. The threat actors demonstrated the ability to adapt when reentering a network after an eviction, overcoming technical barriers constructed by network defenders.
Tradecraft
In addition to using SWCs to target specific types of organizations, TG-3390 uses spearphishing emails to target specific victims. CTU researchers assess with high confidence that the threat actors follow an established playbook during an intrusion. They quickly move away from their initial access vector to hide their entry point and then target Exchange servers as a new access vector. As of this publication, CTU researchers have not discovered how TG-3390 keeps track of the details associated with its compromised assets and credentials. However, the threat actors' ability to reuse these assets and credentials, sometimes weeks or months after the initial compromise, indicates the group is disciplined and well organized. After gaining access to a target network in one intrusion analyzed by CTU researchers, TG-3390 actors identified and exfiltrated data for specific projects run by the target organization, indicating that they successfully obtained the information they sought. Data exfiltration occurred almost four weeks after the initial compromise and continued for two weeks (see Figure 2).
Figure 2. Data exfiltration timeline. (Source: Dell SecureWorks)
| Note: The adversary's end goal is to exfiltrate, not infiltrate. Organizations often miss multiple opportunities to detect and disrupt the threat actors before they can achieve their objective. Alerts for credential theft tools and privileged account lockouts should be investigated. |
Known tools
CTU researchers have observed TG-3390 actors using tools that are favored by multiple threat groups:
- PlugX — A remote access tool notable for communications that may contain HTTP headers starting with "X-" (eg, "X-Session: 0"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system.
-
HttpBrowser (also known as TokenControl) — A backdoor notable for HTTPS
communications with the HttpBrowser/1.0 User-Agent (see Figure 3). HttpBrowser's executable code may be obfuscated through structured exception handling and return-oriented programming.
Its presence on a compromised system allows a threat actor to spawn a
reverse shell, upload or download files, and capture keystrokes. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B .
Figure 3. HttpBrowser URI. (Source: Dell SecureWorks) -
ChinaChopper web shell — A web-based executable script (see Figure 4)
that allows a threat actor to execute commands on the compromised
system. The server-side component provides a simple graphical user interface for threat actors interacting with web shells.
Figure 4. ChinaChopper web shell. (Source: Dell SecureWorks)
Passwords, like "admin-na-google123!@#" shown in Figure 4, are required to interact with the web shell. TG-3390 has used additional web shells containing similarly formatted passwords. -
Hunter — A web application scanning tool written by @tojen to identify
vulnerabilities in Apache Tomcat, Red Hat JBoss Middleware, and Adobe
ColdFusion (see Figure 5). It can also identify open ports, collect web banners, and download secondary files.
Figure 5. Hunter usage. (Source: Dell SecureWorks)
- OwaAuth web shell — A web shell and credential stealer deployed to Microsoft Exchange servers. It is installed as an ISAPI filter. Captured credentials are DES-encrypted using the password "12345678" and are written to the log.txt file in the root directory. Like the ChinaChopper web shell, the OwaAuth web shell requires a password. However, the OwaAuth web shell password contains the victim organization's name. More information about the OwaAuth web shell is available in Appendix C .
- ASPXTool — A modified version of the ASPXSpy web shell (see Figure 6). It is deployed to internally accessible servers running Internet Information Services (IIS).
Figure 6. ASPXTool web shell. (Source: Dell SecureWorks)
- Windows Credential Editor (WCE) — obtains passwords from memory
- gsecdump — obtains passwords from memory
- winrar — compresses data for exfiltration
- nbtscan — scans NetBIOS name servers
Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions.
Reconnaissance
CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations. As discussed in the Actions on objectives section, the threat actors appear to wait until they have established a foothold.
Development
TG-3390 actors use command and control (C2) domains for extended periods of time but frequently change the domains' IP addresses. The new IP addresses are typically on the same subnet as the previous ones.
TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars. The most common registrar used by the adversary is HiChina Zhicheng Technology Ltd. The threat actors have a demonstrated ability to move from one network provider to another, using some infrastructure for extended periods of time and other domains for only a few days. Seemingly random activity patterns in infrastructure deployment and usage, along with the ability to use a wide variety of geographically diverse infrastructure, help the threat actors avoid detection.
TG-3390 SWCs may be largely geographically independent, but the group's most frequently used C2 registrars and IP net blocks are located in the US Using a US-based C2 infrastructure (see Figure 7) to compromise targets in the US helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense.
Figure 7. Geolocation of TG-3390 infrastructure observed by CTU researchers. The dark green signifies a high count of C2 registrars and IP net blocks, while the light green represents a smaller count. (Source: Dell SecureWorks)
The threat actors create PlugX DLL stub loaders that will run only after a specific date. The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8, 2013 date, indicating that the code might be reused from previous tools.
The OwaAuth web shell is likely created with a builder, given that the PE compile time of the binary does not change between instances and the configuration fields are padded to a specific size. The adversaries modify publicly available tools such as ASPXSpy to remove identifying characteristics that network defenders use to identify web shells.
Weaponization
As of this publication, CTU researchers are unsure if TG-3390 relies on weaponizers to package tools and exploits.
Delivery
TG-3390 conducts SWCs or sends spearphishing emails with ZIP archive attachments. The ZIP archives have names relevant to the targets and contain both legitimate files and malware. One archive sample analyzed by CTU researchers contained a legitimate PDF file, a benign image of interest to targets (see Figure 8), and an HttpBrowser installer disguised as an image file.
Figure 8. Decoy image. (Source: Dell SecureWorks)
In SWCs analyzed by CTU researchers, the threat actors added the Dean Edwards packed JavaScript code shown in Figure 9 to the end of a legitimate website's menu page.
Figure 9. SWC code. (Source: Dell SecureWorks)
As shown in Figure 10, the unpacked JavaScript code reveals an iframe pointing to an IP address that is hosting the exploit.
Figure 10. Unpacked JavaScript code. (Source: Dell SecureWorks)
Both the redirect code on the compromised site and the exploit code appear and disappear, indicating that the adversaries add the code when they want to leverage the SWC and remove the code when it is not in use to limit the visibility of their operations. The threat actors have evolved to whitelisting IP addresses and only delivering the exploit and payload to specific targets of interest. CTU researchers have observed TG-3390 compromising a target organization's externally and internally accessible assets, such as an OWA server, and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware.
Exploitation
TG-3390 actors have used Java exploits in their SWCs. In particular, the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment, to deliver the HttpBrowser backdoor; and CVE-2010-0738 , a vulnerability in JBoss, to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code.
In activity analyzed by CTU researchers, TG-3390 executed the Hunter web application scanning tool against a target server running IIS. Hunter queried the following URIs in a specific order to determine if the associated software configurations are insecure, and all queries contained the HttpClient User-Agent:
- GET /manager/html/ — Tomcat web application manager
- GET /jmx-console/ — JBoss configuration
- GET /CFIDE/administrator/login.cfm — ColdFusion configuration
TG-3390 uses DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. CTU researchers have observed the threat actors employing legitimate Kaspersky antivirus variants in analyzed samples. The DLL acts as a stub loader, which loads and executes the shell code. The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system.
| Note: DLL side loading is a prevalent persistence technique that is used to launch a multitude of backdoors. The challenge is detecting known good software loading and running malware. As security controls have improved, DLL side loading has evolved to load a payload stored in a different directory or from a registry value. |
Command and control
To traverse the firewall, C2 traffic for most TG-3390 tools occurs over ports 53, 80, and 443. The PlugX malware can be configured to use HTTP, DNS, raw TCP, or UDP to avoid network-based detection. In one sample analyzed by CTU researchers, PlugX was configured with hard-coded user credentials to bypass a proxy that required authentication. Newer HttpBrowser versions use SSL with self-signed certificates to encrypt network communications.
TG-3390 actors frequently change the C2 domain's A record to point to the loopback IP address 127.0.0.1, which is a variation of a technique known as "parking." Other variations of parking point the IP address to Google's recursive name server 8.8.8.8, an address belonging to Confluence, or to other non-routable addresses. When the adversaries' operations are live, they modify the record again to point the C2 domain to an IP address they can access. A domain name parking example is available in Appendix D .
Actions on objective
CTU researchers have discovered numerous details about TG-3390 operations, including how the adversaries explore a network, move laterally, and exfiltrate data. As shown in Figure 11, after compromising an initial victim's system (patient 0), the threat actors use the Baidu search engine to search for the victim's organization name. They then identify the Exchange server and attempt to install the OwaAuth web shell. If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells. Within six hours of entering the environment, the threat actors compromised multiple systems and stole credentials for the entire domain.
Figure 11. Timeline, in Eastern Time, of TG-3390's initial entry into a victim's network. (Source: Dell SecureWorks)
The threat actors use the Hunter and nbtscan tools, sometimes renamed, to conduct network reconnaissance for vulnerable servers and online systems (see Figure 12). TG-3390 actors favor At.exe to create scheduled tasks for executing commands on remote systems.
Figure 12. nbtscan batch script (renamed ipcan.exe) used to profile network. (Source: Dell SecureWorks)
Over a few days' span, the threat actors install remote access tools on additional systems based upon the results of the network reconnaissance. They use At.exe to schedule tasks to run self-extracting RAR archives, which install either HttpBrowser or PlugX. CTU researchers observed the threat actors collecting Cisco VPN profiles to use when accessing the victim's network via VPN (see Figure 13).
Figure 13. Copying of .pcf files. (Source: Dell SecureWorks)
To facilitate lateral movement, the adversaries deploy ASPXTool web shells to internally accessible systems running IIS.
CTU researchers have observed the threat actors encrypting data using the password "admin-windows2014" and splitting the RAR archives into parts in the recycler directory, with the same name as the uncompressed data (see Figure 14).
Figure 14. Batch script used to archive data. (Source: Dell SecureWorks)
The number at the end of the password corresponds to the year of the intrusion. For example, the password "admin-windows2014" shown in Figure 14 was changed to "admin-windows2015" for TG-3390 intrusions conducted in 2015.
| Note: CTU researchers frequently observe threat actors renaming archiving tools and storing data for exfiltration in uncommon directories. In some instances, adversaries exceed disk space limits during the exfiltration process, requiring the staging of archives on multiple systems. Unexplained disk quota alerts on typically underutilized systems warrants immediate investigation. |
Figure 15. Batch script used to rename exfiltrated data. (Source: Dell SecureWorks)
CTU researchers have observed TG-3390 actors staging RAR archives, renamed with a .zip file extension, on externally accessible web servers. The adversaries then issue HTTP GET requests, sometimes with the User-Agent MINIXL, to exfiltrate the archive parts from the victim's network (see Figure 16).
Figure 16. Example GET request from IIS log. (Source: Dell SecureWorks)
In other intrusions, data was exfiltrated using the PlugX remote access tool. Figure 17 shows network data transfer sizes for a month-long period beginning with TG-3390's re-entry into a network. Approximately 300 GB of data was exfiltrated during that span.
Figure 17. Network data transfer sizes to C2 servers after TG-3390 reentry into a network. (Source: Dell SecureWorks)
CTU observations
Figure 18 is a UTC time wheel depicting which hours the threat actors actively operated in one target environment during a three-day intrusion observed by CTU researchers. The concentric bands represent the days of the week, with Saturday as the outside band and Sunday as the innermost band, and each cell represents an hour. The darker the cell color, the higher the activity level; white indicates no observed activity. TG-3390 was most active between 04:00 and 09:00 UTC.
Figure 18. Mapping of TG-3390's interactions with web shells during an intrusion responded to by CTU researchers. The legend across the bottom of the figure lists the upper bound of interactions that are represented by each color variation on the wheel. Times are based on UTC. (Source: Dell SecureWorks)
Response to eviction
Successfully evicting TG-3390 from an environment requires a coordinated plan to remove all access points, including remote access tools and web shells. Within weeks of eviction, the threat actors attempt to access their ChinaChopper web shells from previously used IP addresses. Finding the web shells inaccessible, the adversaries search google.co.jp for remote access solutions. CTU researchers discovered the threat actors searching for "[company] login," which directed them to the landing page for remote access. TG-3390 attempts to reenter the environment by identifying accounts that do not require two-factor authentication for remote access solutions, and then brute forcing usernames and passwords. After reestablishing access, the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used. CTU researchers believe legitimate websites are used to host tools because web proxies categorize the sites as benign.
| Note: Numerous threat groups use legitimate remote access solutions (VPN, Citrix, OWA, etc.) to enter or reenter a network. After executing an eviction plan, it is paramount to reset all credentials, including those for third-party accounts, preferably after implementing two-factor authentication. |
Figure 19. Timeline, in Eastern Time, of TG-3390's reentry into a compromised network. (Source: Dell SecureWorks)
| Note: Relying primarily on network-based security controls will not deter most threat groups from achieving their objective. Adversaries can overcome blacklisted infrastructure in minutes, as TG-3390 actors did when they staged tools on compromised web servers. |
Analysis of the OwaAuth web shell revealed a PDB string with the "SyberSpace" username (see Figure 20).
Figure 20. OwaAuth web shell PDB string. (Source: Dell SecureWorks)
Further research revealed additional tools containing the same username (see Figure 21).
Figure 21. PDB strings containing the 'SyberSpace' username. (Source: Dell SecureWorks)
CTU researchers have no evidence to determine if these tools are also used by TG-3390.
Conclusion
TG-3390 is known for compromising organizations via SWCs and moving quickly to install backdoors on Exchange servers. Despite the group's proficiency, there are still many opportunities to detect and disrupt its operation by studying its modus operandi . The threat actors work to overcome existing security controls, or those put in place during an engagement, to complete their mission of exfiltrating intellectual property. Due to TG-3390's determination, organizations should formulate a solid eviction plan before engaging with the threat actors to prevent them from reentering the network.
Threat indicators
The indicators in Table 1 are associated with TG-3390 activity. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.
| Indicator | Type | Context |
|---|---|---|
| american.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| api.apigmail.com | Domain name | TG-3390 infrastructure Confidence: High |
| apigmail.com | Domain name | TG-3390 infrastructure Confidence: High |
| backup.darkhero.org | Domain name | TG-3390 infrastructure Confidence: High |
| bel.updatawindows.com | Domain name | TG-3390 infrastructure Confidence: High |
| binary.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| castle.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| ctcb.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| darkhero.org | Domain name | TG-3390 infrastructure Confidence: High |
| dav.local-test.com | Domain name | TG-3390 infrastructure Confidence: High |
| test.local-test.com | Domain name | TG-3390 infrastructure Confidence: High |
| dev.local-test.com | Domain name | TG-3390 infrastructure Confidence: High |
| ocean.local-test.com | Domain name | TG-3390 infrastructure Confidence: High |
| ga.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| helpdesk.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| helpdesk.csc-na.com | Domain name | TG-3390 infrastructure Confidence: High |
| helpdesk.hotmail-onlines.com | Domain name | TG-3390 infrastructure Confidence: High |
| helpdesk.lnip.org | Domain name | TG-3390 infrastructure Confidence: High |
| hotmail-onlines.com | Domain name | TG-3390 infrastructure Confidence: High |
| jobs.hotmail-onlines.com | Domain name | TG-3390 infrastructure Confidence: High |
| justufogame.com | Domain name | TG-3390 infrastructure Confidence: High |
| lnip.org | Domain name | TG-3390 infrastructure Confidence: High |
| local-test.com | Domain name | TG-3390 infrastructure Confidence: High |
| login.hansoftupdate.com | Domain name | TG-3390 infrastructure Confidence: High |
| long.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| longlong.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| longshadow.dyndns.org | Domain name | TG-3390 infrastructure Confidence: High |
| longshadow.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| longykcai.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| lostself.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| mac.navydocument.com | Domain name | TG-3390 infrastructure Confidence: High |
| mail.csc-na.com | Domain name | TG-3390 infrastructure Confidence: High |
| mantech.updatawindows.com | Domain name | TG-3390 infrastructure Confidence: High |
| micr0soft.org | Domain name | TG-3390 infrastructure Confidence: High |
| microsoft-outlook.org | Domain name | TG-3390 infrastructure Confidence: High |
| mtc.navydocument.com | Domain name | TG-3390 infrastructure Confidence: High |
| navydocument.com | Domain name | TG-3390 infrastructure Confidence: High |
| mtc.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| news.hotmail-onlines.com | Domain name | TG-3390 infrastructure Confidence: High |
| oac.3322.org | Domain name | TG-3390 infrastructure Confidence: High |
| ocean.apigmail.com | Domain name | TG-3390 infrastructure Confidence: High |
| pchomeserver.com | Domain name | TG-3390 infrastructure Confidence: High |
| registre.organiccrap.com | Domain name | TG-3390 infrastructure Confidence: High |
| security.pomsys.org | Domain name | TG-3390 infrastructure Confidence: High |
| services.darkhero.org | Domain name | TG-3390 infrastructure Confidence: High |
| sgl.updatawindows.com | Domain name | TG-3390 infrastructure Confidence: High |
| shadow.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| sonoco.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| test.logmastre.com | Domain name | TG-3390 infrastructure Confidence: High |
| up.gtalklite.com | Domain name | TG-3390 infrastructure Confidence: High |
| updatawindows.com | Domain name | TG-3390 infrastructure Confidence: High |
| update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| update.deepsoftupdate.com | Domain name | TG-3390 infrastructure Confidence: High |
| update.hancominc.com | Domain name | TG-3390 infrastructure Confidence: High |
| update.micr0soft.org | Domain name | TG-3390 infrastructure Confidence: High |
| update.pchomeserver.com | Domain name | TG-3390 infrastructure Confidence: High |
| urs.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| wang.darkhero.org | Domain name | TG-3390 infrastructure Confidence: High |
| webs.local-test.com | Domain name | TG-3390 infrastructure Confidence: High |
| word.apigmail.com | Domain name | TG-3390 infrastructure Confidence: High |
| wordpress.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| working.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| working.darkhero.org | Domain name | TG-3390 infrastructure Confidence: High |
| working.hotmail-onlines.com | Domain name | TG-3390 infrastructure Confidence: High |
| www.trendmicro-update.org | Domain name | TG-3390 infrastructure Confidence: High |
| www.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| x.apigmail.com | Domain name | TG-3390 infrastructure Confidence: High |
| ykcai.update-onlines.org | Domain name | TG-3390 infrastructure Confidence: High |
| ykcailostself.dyndns-free.com | Domain name | TG-3390 infrastructure Confidence: High |
| ykcainobody.dyndns.org | Domain name | TG-3390 infrastructure Confidence: High |
| zj.blackcmd.com | Domain name | TG-3390 infrastructure Confidence: High |
| laxness-lab.com | Domain name | TG-3390 infrastructure Confidence: High |
| google-ana1ytics.com | Domain name | TG-3390 infrastructure Confidence: High |
| www.google-ana1ytics.com | Domain name | TG-3390 infrastructure Confidence: High |
| ftp.google-ana1ytics.com | Domain name | TG-3390 infrastructure Confidence: High |
| hotmailcontact.net | Domain name | TG-3390 infrastructure Confidence: High |
| 208.115.242.36 | IP address | TG-3390 infrastructure Confidence: High |
| 208.115.242.37 | IP address | TG-3390 infrastructure Confidence: High |
| 208.115.242.38 | IP address | TG-3390 infrastructure Confidence: High |
| 66.63.178.142 | IP address | TG-3390 infrastructure Confidence: High |
| 72.11.148.220 | IP address | TG-3390 infrastructure Confidence: High |
| 72.11.141.133 | IP address | TG-3390 infrastructure Confidence: High |
| 74.63.195.236 | IP address | TG-3390 infrastructure Confidence: High |
| 74.63.195.236 | IP address | TG-3390 infrastructure Confidence: High |
| 74.63.195.237 | IP address | TG-3390 infrastructure Confidence: High |
| 74.63.195.238 | IP address | TG-3390 infrastructure Confidence: High |
| 103.24.0.142 | IP address | TG-3390 infrastructure Confidence: High |
| 103.24.1.54 | IP address | TG-3390 infrastructure Confidence: High |
| 106.187.45.162 | IP address | TG-3390 infrastructure Confidence: High |
| 192.151.236.138 | IP address | TG-3390 infrastructure Confidence: High |
| 192.161.61.19 | IP address | TG-3390 infrastructure Confidence: High |
| 192.161.61.20 | IP address | TG-3390 infrastructure Confidence: High |
| 192.161.61.22 | IP address | TG-3390 infrastructure Confidence: High |
| 103.24.1.54 | IP address | TG-3390 infrastructure Confidence: High |
| 67.215.232.179 | IP address | TG-3390 infrastructure Confidence: High |
| 96.44.177.195 | IP address | TG-3390 infrastructure Confidence: High |
| 49.143.192.221 | IP address | TG-3390 infrastructure Confidence: Moderate |
| 67.215.232.181 | IP address | TG-3390 infrastructure Confidence: Moderate |
| 67.215.232.182 | IP address | TG-3390 infrastructure Confidence: Moderate |
| 96.44.182.243 | IP address | TG-3390 infrastructure Confidence: Moderate |
| 96.44.182.245 | IP address | TG-3390 infrastructure Confidence: Moderate |
| 96.44.182.246 | IP address | TG-3390 infrastructure Confidence: Moderate |
| 49.143.205.30 | IP address | TG-3390 infrastructure Confidence: Moderate |
| working_success@163.com | Email address | TG-3390 email address Confidence: High |
| ykcaihyl@163.com | Email address | TG-3390 email address Confidence: High |
| working_success@163.com | Email address | TG-3390 email address Confidence: High |
| yuming@yinsibaohu.aliyun.com | Email address | TG-3390 email address Confidence: Low |
| 1cb4b74e9d030afbb18accf6ee2bfca1 | MD5 hash | HttpBrowser RAT dropper |
| b333b5d541a0488f4e710ae97c46d9c2 | MD5 hash | HttpBrowser RAT dropper |
| 86a05dcffe87caf7099dda44d9ec6b48 | MD5 hash | HttpBrowser RAT dropper |
| 93e40da0bd78bebe5e1b98c6324e9b5b | MD5 hash | HttpBrowser RAT dropper |
| f43d9c3e17e8480a36a62ef869212419 | MD5 hash | HttpBrowser RAT dropper |
| 57e85fc30502a925ffed16082718ec6c | MD5 hash | HttpBrowser RAT dropper |
| 4251aaf38a485b08d5562c6066370f09 | MD5 hash | HttpBrowser RAT dropper |
| bbfd1e703f55ce779b536b5646a0cdc1 | MD5 hash | HttpBrowser RAT dropper |
| 12a522cb96700c82dc964197adb57ddf | MD5 hash | HttpBrowser RAT dropper |
| 728e5700a401498d91fb83159beec834 | MD5 hash | HttpBrowser RAT dropper |
| 2bec1860499aae1dbcc92f48b276f998 | MD5 hash | HttpBrowser RAT dropper |
| 014122d7851fa8bf4070a8fc2acd5dc5 | MD5 hash | HttpBrowser RAT |
| 0ae996b31a2c3ed3f0bc14c7a96bea38 | MD5 hash | HttpBrowser RAT |
| 1a76681986f99b216d5c0f17ccff2a12 | MD5 hash | HttpBrowser RAT |
| 380c02b1fd93eb22028862117a2f19e3 | MD5 hash | HttpBrowser RAT |
| 40a9a22da928cbb70df48d5a3106d887 | MD5 hash | HttpBrowser RAT |
| 46cf2f9b4a4c35b62a32f28ac847c575 | MD5 hash | HttpBrowser RAT |
| 5436c3469cb1d87ea404e8989b28758d | MD5 hash | HttpBrowser RAT |
| 692cecc94ac440ec673dc69f37bc0409 | MD5 hash | HttpBrowser RAT |
| 6a39a4e9933407aef31fdc3dfa2a2a95 | MD5 hash | HttpBrowser RAT |
| 8b4ed3b392ee5da139c16b8bca38ea5e | MD5 hash | HttpBrowser RAT |
| 8ea5d8bb6b28191e4436456c35477e39 | MD5 hash | HttpBrowser RAT |
| 9271bcfbba056c8f80c7f04d72efd62d | MD5 hash | HttpBrowser RAT |
| 996843b55a7c5c7a36e8c6956e599610 | MD5 hash | HttpBrowser RAT |
| a554efc889714c70e9362bdc81fadd6a | MD5 hash | HttpBrowser RAT |
| c9c93c2d62a084031872aab96202ee3e | MD5 hash | HttpBrowser RAT |
| ddbdf0efdf26e0c267ef6155edb0e6b8 | MD5 hash | HttpBrowser RAT |
| e7df18a17d8e7c2ed541a57020444068 | MD5 hash | HttpBrowser RAT |
| ea4dcafc224f604c096032dde33a1d6d | MD5 hash | HttpBrowser RAT |
| f658bb17d69912404f34532901edad0e | MD5 hash | HttpBrowser RAT |
| f869a1b40f6438dfdd89e73480103211 | MD5 hash | HttpBrowser RAT |
| 81ed752590752016cb1c12f3e9ab3454 | MD5 hash | HttpBrowser RAT |
| 5ef719f8aeb9bf97beb24a5c2ed19173 | MD5 hash | HttpBrowser RAT |
| 7ec91768376324be2bad4fd30b1c2051 | MD5 hash | HttpBrowser RAT |
| 20c446ad2d7d1586138b493ecddfbbc7 | MD5 hash | HttpBrowser RAT |
| 44cf0793e05ba843dd53bbc7020e0f1c | MD5 hash | HttpBrowser RAT |
| 02826bb6636337963cc5162e6f87745e | MD5 hash | HttpBrowser RAT |
| 1606ab7a54735af654ee6deb7427f652 | MD5 hash | HttpBrowser RAT |
| 1539b3a5921203f0e2b6c05d692ffa27 | MD5 hash | HttpBrowser RAT |
| c66e09429ad6669321e5c69b1d78c082 | MD5 hash | HttpBrowser RAT |
| 225e10e362eeee15ec64246ac021f4d6 | MD5 hash | HttpBrowser RAT |
| a631fc7c45cbdf80992b9d730df0ff51 | MD5 hash | HttpBrowser RAT |
| af785b4df71da0786bcae233e55cf6c1 | MD5 hash | HttpBrowser RAT |
| e3e0f3ad4ff3b981b513cc66b37583e8 | MD5 hash | HttpBrowser RAT |
| 5cd0e97a1f09001af5213462aa3f7eb1 | MD5 hash | HttpBrowser RAT |
| 15fd9c04d6099273a9acf8feab81acfe | MD5 hash | HttpBrowser RAT |
| ea8b9e0bf95fc0c71694310cb685cd3b | MD5 hash | HttpBrowser RAT |
| 5c3ab475be110ec59257617ee1388e01 | MD5 hash | HttpBrowser RAT |
| 6aac7417ea1eb60a869597af9049b8fa | MD5 hash | HttpBrowser RAT |
| 372f5370085a63f5b660fab635ce6cd7 | MD5 hash | HttpBrowser RAT |
| fac4885324cb67bd421d6250fdc9533c | MD5 hash | HttpBrowser RAT |
| e7e555615a07040bb5dbe9ce59ac5d11 | MD5 hash | HttpBrowser RAT |
| ff34cb1d90d76a656546293e879afe22 | MD5 hash | HttpBrowser RAT |
| 2abf7421c34c60d48e09325a206e720e | MD5 Hash | HttpBrowser RAT |
| 396b4317db07cc8a2480786160b33044 | MD5 hash | HttpBrowser RAT |
| e404873d3fcd0268db10657b53bdab64 | MD5 hash | HttpBrowser RAT |
| 6e4189b20adb253b3c1ad7f8fdc95009 | MD5 hash | HttpBrowser RAT |
| bff424289c38d389a8cafb16b47dfe39 | MD5 hash | HttpBrowser RAT |
| 7294c7f3860315d51f74152e8ad353df | MD5 hash | HttpBrowser RAT |
| 40092f76fea082b05e9631d91975a401 | MD5 hash | HttpBrowser RAT |
| e42fce74bbd637c35320cf4e95f5e055 | MD5 hash | HttpBrowser RAT |
| d0dafc3716a0d0ce393cde30b2b14a07 | MD5 hash | HttpBrowser RAT |
| ae66bad0c7de88ab0ab1050c4bec9095 | MD5 hash | HttpBrowser RAT |
| c7c2be1cd3780b2ba4638cef9a5422c7 | MD5 hash | HttpBrowser RAT |
| 405949955b1cb65673c16bf7c8da2f4d | MD5 hash | HttpBrowser RAT |
| ff4f052dbe73a81403df5e98313000fb | MD5 hash | HttpBrowser RAT |
| b30fcd362c7b8ac75b7dddfe6cb448c7 | MD5 hash | HttpBrowser RAT |
| 1d24f4d20b80562de46a8ac95d0ff8c2 | MD5 hash | HttpBrowser RAT |
| 9538bbdb3a73201b40296e9d4dc80ade | MD5 hash | HttpBrowser RAT |
| 46bb2caeda30c09a6337fd46ec98c32c | MD5 hash | HttpBrowser RAT |
| 0c8842e48e80643d91dd290d0f786147 | MD5 hash | HttpBrowser RAT |
| 0fc975c3c4e6c546b4f2b5aaed50dd78 | MD5 hash | HttpBrowser RAT |
| 41be449f687828466ed7d87f0f30a278 | MD5 hash | HttpBrowser RAT |
| 2b95caf3307ebd36cf405b1133b30aa8 | MD5 hash | HttpBrowser RAT |
| ccc715a4d9d0157b9776deacdb26bf78 | MD5 hash | HttpBrowser RAT |
| 37933acfa8d8e78c54413d88ca705e17 | MD5 hash | HttpBrowser RAT |
| 2813c5a1c87f7e3d33174fed8b0988a1 | MD5 hash | HttpBrowser RAT |
| 8f22834efe52ccefb17e768569eb36b9 | MD5 hash | HttpBrowser RAT |
| 6f01628a0b5de757a8dbe99020499d10 | MD5 hash | HttpBrowser RAT |
| 7f8d9f12f41156512b60ab17f8d85fe9 | MD5 hash | HttpBrowser RAT |
| debe5ef2868b212f4251c58be1687660 | MD5 hash | HttpBrowser RAT |
| e136d4ebab357fd19df8afe221460571 | MD5 hash | HttpBrowser RAT |
| a86a906cfafaf1d7e3725bb0161b0cfe | MD5 hash | HttpBrowser RAT |
| 03e1eac3512a726da30fff41dbc26039 | MD5 hash | HttpBrowser RAT |
| baac5e5dd3ce7dae56cab6d3dac14e15 | MD5 hash | HttpBrowser RAT |
| 0f7dde31fbeb5ddbb6230c401ed41561 | MD5 hash | HttpBrowser RAT |
| 36d957f6058f954541450f5a85b28d4b | MD5 hash | HttpBrowser RAT |
| 42d874f91145bd2ddf818735346022d8 | MD5 hash | HttpBrowser RAT |
| 3468034fc3ac65c60a1f1231e3c45107 | MD5 hash | HttpBrowser RAT |
| 4e3b51a6a18bdb770fc38650a70b1883 | MD5 hash | HttpBrowser RAT |
| 3647068230839f9cadf0fd4bd82ade84 | MD5 hash | HttpBrowser RAT |
| 550922107d18aa4caad0267997709ee5 | MD5 hash | HttpBrowser RAT |
| d8f0a6450f9df637daade521dc90d29d | MD5 hash | HttpBrowser RAT |
| bf2e2283b19b0febc4bd1f47aa82a94c | MD5 hash | HttpBrowser RAT |
| d0eec2294a70ceff84ca8d0ed7939fb5 | MD5 hash | HttpBrowser RAT |
| e91d2464c8767552036dd0294fc7e6fb | MD5 hash | HttpBrowser RAT |
| f627bc2db3cab34d97c8949931cb432d | MD5 hash | HttpBrowser RAT |
| b313bbe17bd5ee9c00acff3bfccdb48a | MD5 hash | PlugX RAT dropper |
| f7a842eb1364d1269b40a344510068e8 | MD5 hash | PlugX RAT dropper |
| 8dacca7dd24844935fcd34e6c9609416 | MD5 hash | PlugX RAT dropper |
| 7cffd679599fb8579abae8f32ce49026 | MD5 hash | PlugX RAT dropper |
| 462fd01302bc40624a44b7960d2894cd | MD5 hash | PlugX RAT dropper |
Appendix A — Identifying attribution and gauging confidence
Identifying attribution
In most cases, CTU researchers not have intelligence to directly attribute a threat group, so attribution relies on circumstantial evidence and is an assessment rather than a fact. CTU researchers draw on three distinct intelligence bases for evidence of attribution:
- Observed activity is gathered from CTU researchers' observation and investigation of a threat group's activity on a target network and across Dell SecureWorks data, and analysis of tactics, techniques, and procedures (TTPs) the threat group employs.
- Third-party intelligence is gained from trusted relationships within the security industry and with other private and public sector organizations, as well as analysis of open source intelligence.
- Contextual analysis compares threat group targets against intelligence requirements of nation states and other threat actors and compares tradecraft employed by a threat group to tradecraft of known threat actors.
CTU researchers have adopted the grading system published by the US Office of the Director of National Intelligence to indicate confidence in their assessments:
- High confidence generally indicates that judgments are based on high-quality information, and/or that the nature of the issue makes it possible to render a solid judgment. A "high confidence" judgment is not a fact or a certainty, however, and such judgments still carry a risk of being wrong.
- Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.
- Low confidence generally means that the information's credibility and/or plausibility is questionable, or that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that [there are] significant concerns or problems with the sources.
HttpBrowser is a remote access tool whose name originates from the hard-coded "HttpBrowser/1.0" User-Agent. CTU researchers also identified a PDB string in the binaries, J:\TokenControlV3\ServerDll\Release\ServerDll.pdb, which implies that the threat actors may refer to the tool as "TokenControl." Table 2 lists the commands available to threat actors in one of the HttpBrowser variants.
| Command | Functionality |
|---|---|
| Init | Create a reverse shell |
| Write | Write a file to the compromised system from the C2 server |
| List | List the files in a directory |
| Upload | Upload a file from the compromised system to the C2 server |
Other variants of the backdoor may include additional commands such as setcmd, settime, uninstall, and down. Table 3 shows the unencrypted URL parameters, along with sample data and a description of the data.
| URL parameter | Sample data | Description |
|---|---|---|
| c= | Victim->Administrator | Hostname and username |
| l= | 192.168.1.100 | Compromised system's IP address |
| o= | 5,1,1,32 | Windows major and minor version, coupled with architecture (32 v. 64) |
| u= | {B5B70BD7-87FC-499A-B4D1- 98163306F0D8} | A GUID |
| r= | 1 | Boolean value if the malware is running as injected code |
| t= | 8035187 | Number of milliseconds the computer has been running |
Appendix C — OwaAuth web shell analysis
OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell. Like ChinaChopper, it parses HTTP requests for the Z1 and Z2 parameters (see Table 4). The legitimate owaauth.dll file resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\ while CTU researchers have observed the backdoor using the same filename in the %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\ directory. In addition to acting as a web shell, the malware captures and DES-encrypts credentials before writing the username and password to disk. The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries.
Each web shell instance is configured to contain SP, Key, and Log variables. The SP variable is a string containing the victim's username. When the malicious ISAPI filter captures a username matching this variable, it knows to handle the incoming HTTP request as a command to the web shell. The DES key to encrypt the credentials in the configuration observed by CTU researchers is 12345678, and the log file is c:\log.txt. The decrypted contents of the log file adhere to the format in Figure 22.
Figure 22. Decrypted OwaAuth log file format. (Source: Dell SecureWorks)
Table 4 lists the OwaAuth web shell commands available to the adversary.
| Command | Functionality |
|---|---|
| A | List logical drives |
| B | List directory (Z1 = directory name to list) |
| C | Read data from file (Z1 = filename to read) |
| D | Write content to file (Z1 = filename to write, Z2 = content to write) |
| E | Delete file in directory (Z1 = file) |
| F | Generate custom web response "->|value in Z1|<-" |
| G | Write hex-encoded content to file (Z1 = filename to write, Z2 = hex encoded content to write) |
| H | Call _Notice(Z1, Z2) |
| I | Move/rename file or directory (Z1 = target, Z2 = new name) |
| J | Create directory (Z1 = directory name) |
| K | Timestomp file or directory (Z1 = target, Z2 = time/date string to stomp to) |
| L | Download file from Internet (Z1 = URL, Z2 = filename to write to) |
| M | Launch process (Z1 = process name, Z2 = arguments) |
| N | Test connect to SQL database (Z1 = SqlConnect String) |
| O | SQL Get database table scheme (Z1 = \r delimited parameters to command) |
| P | SQL Get database table scheme with restrictions (Z1 = \r delimited parameters to command) |
| Q | SQL execute SQL command (Z1 = \r delimited parameters to command) |
Appendix D — Domain name parking example
CTU researchers have observed TG-3390 parking domains by pointing their A record to a non-routable IP space, including the 127.0.0.[x] loopback address. Table 5 demonstrates how the threat actors change one of their C2 domains to point to routable and non-routable IP addresses over time.
| Start date | End date | IP change | Location |
|---|---|---|---|
| 7/9/13 | 7/31/13 | 210.116.106.66 | Seoul, Korea |
| 7/31/13 | 10/12/13 | 127.0.0.1 | N/A |
| 10/12/13 | 11/5/13 | 122.10.10.196 | Hong Kong |
| 11/5/13 | 1/12/14 | 198.100.107.107 | California, US |
| 1/12/14 | 3/5/14 | 127.0.0.1 | N/A |
| 3/5/14 | 3/31/14 | 103.24.0.142 | Hong Kong |
| 3/31/14 | 10/27/14 | 103.24.1.54 | Hong Kong |
| 10/27/14 | 11/9/14 | 127.0.0.1 | N/A |
| 11/9/14 | 5/25/15 | 127.0.0.3 | N/A |
| 5/25/15 | Current as of this publication | 127.0.0.1 | N/A |
Endnotes
[1]
The Dell SecureWorks Counter Threat Unit(TM) (CTU) research team tracks
threat groups by assigning them four-digit randomized numbers (3390 in
this case), and compiles information from first-hand incident response
observations and from external sources. [2]
Threat groups use strategic web compromises (SWCs), also known as
watering hole attacks, to target a wide array of potential victims.
Threat actors compromise a website used by their target demographic
(eg, compromising a website specializing in oil and gas industry news
when targeting the energy vertical).
Visitors to the compromised website are redirected to a server under
the threat group's control, where their system is compromised with the
threat group's malware. With this tactic, a threat group increases the likelihood of compromising systems that possess desired information. =====
http://snip.ly/giNB
威脅集團3390目標為組織網絡間諜
- 作者:戴爾SecureWorks公司反威脅單位™威脅智能感知系統
- 日期:2015年8月5日
- URL: www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage
戴爾SecureWorks公司反威脅單位(TM)(CTU)的研究人員研究了威脅集團3390相關的活動[1] (TG-3390)。 TG-3390的操作,分析目標和工具帶領研究人員CTU中度信心集團位於中國的人民共和國評估。 威脅者瞄準了廣泛的組織:CTU研究人員觀察到TG-3390獲得的演員在防守上製造項目的機密數據,也針對其他垂直行業和攻擊參與國際組織的關係。 該組廣泛使用長期運行戰略捲筒紙妥協[2] (的SWC),並且依賴於白名單提供有效載荷來選擇受害者。 相較於其他威脅的群體,TG-3390是著名的為它的傾向妥協使用定制的後門和憑證記錄的Microsoft Exchange服務器。
CTU研究者劃分了威脅情報有關TG-3390分為兩個部分:戰略與戰術戰略威脅的情報 ,包括通過威脅組提出的持續威脅的評估。 管理人員可以使用這一評估來確定如何將風險降低到其組織的使命和重要資產。 戰術威脅情報是基於事件響應的調查和研究,並映射到殺傷鏈。 計算機網絡維護者可以使用該信息,以減少與響應的TG-3390相關聯的時間和精力。
關鍵點
如何CTU研究人員解釋確定歸屬和衡量的信心水平在現有的附錄A 。
- CTU研究人員評估與TG-3390是基於在中國人民共和國適度的信心。
- CTU研究人員有證據表明,威脅組損害美國和英國組織在以下垂直:製造業(特別是航空航天(包括國防承包商),汽車,科技,能源和醫藥),教育,法律,以及組織專注於國際關係。 根據本集團的的SWC的分析,TG-3390的操作有可能影響組織在其他國家和垂直。
- TG-3390工作廣泛而長期運行的SWC的活動,並已危及大約100個網站作為本出版物。 通過IP地址白名單的過程中,威脅組選擇性靶向訪問者這些網站。
- 在最初的妥協,TG-3390提供了HttpBrowser借殼受害者。 威脅者,然後迅速採取行動,損害微軟Exchange服務器,並獲得目標環境的完全控制。
- 威脅者是善於發現關鍵數據存儲和選擇所有出入穿插與他們的目標相關的高價值的信息。
- CTU研究人員建議採取以下措施來預防或發現TG-3390的入侵:
CTU研究人員評估所構成的威脅組通過審查的意圖和能力的威脅(見圖1)。 威脅人群構成威脅的變化,以不同的組織,甚至是一個非常有能力的一群可能構成威脅的低,如果它沒有意圖針對特定組織。
圖1.威脅是基於威脅組的意圖和能力。 (來源:戴爾SecureWorks公司)
意圖
CTU研究人員通過匯總意見,分析了威脅組的活動,並把在更大範圍內的信息推斷意圖。
像許多威脅組,TG-3390進行戰略網頁妥協(的SWC),也被稱為水坑攻擊,網站上相關聯的目標組織的垂直或人口來增加找到受害者提供相關信息的可能性。 CTU研究人員評估與TG-3390使用從之前的偵察活動收集的選擇性破壞誰訪問其控制下的網站用戶信息高可信度。 大多數通過TG-3390的演員妥協網站隸屬於五種類型的世界各地的組織:
- 大型製造企業,尤其是那些提供國防機構
- 能源公司
- 大使館在華盛頓特區代表在中東,歐洲和亞洲國家,有可能針對美國的用戶參與了國際關係
- 非政府組織(NGO),特別是那些專注於國際關係和國防
- 政府機構
歸因
為了評估歸屬,CTU研究人員分析觀測活動,第三方報告,以及上下文智能。 基於以下原因,研究人員CTU評估的中度信心,TG-3390具有中國關係:
- 一個維吾爾文化網站的SWC表明意圖針對維吾爾民族,穆斯林少數群體主要是在中國的新疆地區發現的。 中國以外的威脅人群不太可能針對維吾爾人。
- TG-3390採用了PlugX遠程訪問工具。 該菜單PlugX的服務器端組件都寫在專用中國標準(普通話),這表明運營商PlugX熟悉這種語言。
- CTU研究人員觀察到04:00和09:00 UTC,它是12:00在中國本地17:00時(UTC +8)之間的TG-3390的活性。 該時間表映射到在中國的工作日下半年。
- 威脅者已經使用百度搜索引擎,這是只有在中國可用,進行偵察活動。
- CTU研究人員已經發現的威脅組獲得有關特定美國國防項目,這將是最好的一個生產基地,有興趣在美國的軍事能力,或兩者一國之內的操作信息。
能力
為了評估威脅組的能力,研究人員CTU分析其資源,技術熟練程度和諜報。
資源
TG-3390已獲得專利的工具,其中有一些是專門用TG-3390和其他人都在幾個中國威脅組共享使用。 的複雜性和這些工具不斷發展表示成熟的發展過程。 在操作過程中的TG-3390能夠迅速利用網絡受損的基礎設施,可以同時進行侵入多個環境。 這種能力是通過TG-3390運營商和目標環境之間相互作用的分析進一步證實。 CTU研究人員沒有發現任何證據多個運營商同時合作對單個組織。 這種操作效率(以1:1的比例操作者觀察到的活性)表明,TG-3390可擴展以進行同步操作的最大數量。 這些特徵表明,威脅組充分的資源,並已獲得一個工具的開發團隊和團隊專注於的SWC。
技術熟練
中的SWC TG-3390的混淆技術複雜的檢測惡意網絡流量重定向。 所使用的威脅組惡意軟件可以被配置為旁路基於網絡的檢測; 然而,這種威脅演員部署的有效載荷時很少修改基於主機的配置設置。 CTU研究人員觀察到安裝憑證記錄器和後門Microsoft Exchange服務器上,這需要一個技術把握的威脅演員Internet信息服務 (IIS)。 TG-3390採用較舊的漏洞妥協目標,CTU研究人員沒有發現利用零日漏洞根據本刊物的威脅者。 威脅者展示了一個驅逐後重新進入網絡時的適應能力,克服網絡維護者構成技術壁壘。
諜報
除了使用的SWC針對特定類型的組織,TG-3390採用spearphishing電子郵件,以針對特定的受害者。 CTU的研究人員以高置信度評估的入侵過程中的威脅者遵循既定的劇本。 他們很快從最初訪問向量搬走隱藏自己的切入點,然後目標Exchange服務器作為一個新的接入載體。 至於本次發表,研究人員CTU沒有發現如何TG-3390跟踪其受損資產和證書相關的詳細信息。 然而,威脅者“後,最初的妥協重用這些資產和憑據,有時幾個星期或幾個月的能力,表示該集團是紀律和良好的組織。 獲得訪問到目標網絡中的一個通過入侵CTU研究人員分析後,TG-3390確定的演員和exfiltrated由目標組織運行特定項目的數據,這表明他們成功地獲得他們想要的信息。 發生數據洩露後,幾乎四周初步妥協並持續兩週(見圖2)。
圖2.數據洩露的時間表。 (來源:戴爾SecureWorks公司)
| 注:敵手的最終目標是exfiltrate,不滲透。 組織往往錯過多次機會發現和破壞的威脅者才可以實現自己的目標。 警報憑據盜竊工具和特權帳戶鎖定應進行調查。 |
已知工具
CTU研究人員已經發現使用的工具,由多個團體的威脅青睞TG-3390的演員:
- PlugX - 遠程訪問工具,值得注意的是,可能含有以“X-”HTTP頭通信(例如,“X-會話:0”)。 它是一種妥協的系統上存在使得威脅的演員來執行各種命令,包括上傳和下載文件,並生成一個反向殼。 惡意軟件可被配置為使用多個網絡協議,以避免基於網絡的檢測。 DLL側負荷經常被用來維持持久性感染的系統上。
- HttpBrowser(又稱TokenControl) - 用於HTTPS通信的後門值得注意的HttpBrowser / 1.0用戶代理(見圖3)。 HttpBrowser的可執行代碼可以通過結構化異常處理被混淆和返回導向編程。 它是一種妥協的系統上存在使得威脅的演員來產生一個反向的外殼,上傳或下載文件,並捕捉按鍵。 防病毒檢測HttpBrowser極低,並且典型地基於啟發式簽名。 DLL側面裝載已被用於維持持久性感染的系統上。 有關HttpBrowser更多信息,可以在附錄B 。
圖3. HttpBrowser URI。 (來源:戴爾SecureWorks公司) - ChinaChopper網殼 - 一種基於Web的可執行腳本(見圖4),它允許一個威脅演員受損系統上執行命令。 服務器端組件提供者的威脅與網絡交互的砲彈簡單的圖形用戶界面。
圖4. ChinaChopper網殼。 (來源:戴爾SecureWorks公司)
密碼,如“管理娜-google123!@#”,如圖4中所示,需要與web殼相互作用。 TG-3390使用了含有類似格式密碼的其他網絡砲彈。 - 亨特 - 寫@tojen識別的Apache Tomcat,紅帽的JBoss中間件和Adobe ColdFusion的(見圖5)漏洞的Web應用程序掃描工具。 它還可以識別開放的端口,收集網頁橫幅,並下載輔助文件。
圖5.使用亨特。 (來源:戴爾SecureWorks公司)
- OwaAuth網殼 - 一種基於Web的外殼和憑證竊取部署到Microsoft Exchange服務器。 它安裝為一個ISAPI篩選器。 捕獲的憑據DES加密使用的密碼“12345678”,並寫入到根目錄下的log.txt文件。 像ChinaChopper網絡外殼,OwaAuth網殼需要密碼。 然而,OwaAuth網殼的密碼包含了受害者組織的名稱。 關於OwaAuth網殼的更多信息,可以在附錄C中 。
- ASPXTool - 在ASPXSpy網殼的修改版本(見圖6)。 它被部署到運行的Internet信息服務(IIS)訪問內部服務器。
圖6. ASPXTool網殼。 (來源:戴爾SecureWorks公司)
- Windows憑據編輯器(WCE) - 獲得從內存密碼
- gsecdump - 從獲取密碼記憶
- WinRAR的 - 壓縮數據滲出
- NBTSCAN - 掃描NetBIOS名稱服務器
事件響應訂婚給CTU研究人員洞悉戰術入侵期間TG-3390採用。
偵察
CTU研究人員沒有發現之前,損害組織執行偵察TG-3390的演員。 正如在討論關於目標操作部分,威脅行為出現等待,直到他們已經站穩了腳跟。
發展
TG-3390使用演員的指揮與控制(C2)的域長時間,但頻繁更換域名的IP地址。 新的IP地址通常在同一子網以前的。
TG-3390能夠使用C2基礎設施跨越多個網絡和註冊的。 所使用的對手的最常見的註冊機構是萬網志成科技有限公司的威脅行為者必須從一個網絡提供者移動到另一個,使用一些基礎設施的時間和其他領域過長僅幾天表現出來的能力。 在基礎設施的部署和使用看似隨意的活動規律,以及使用各種不同地理位置的基礎設施,幫助者的威脅逃避檢測的能力。
TG-3390的SWC可能在很大程度上地理上獨立,但集團的最常用的C2註冊服務商和IP網絡模塊都位於美國使用美國的C2基礎設施(見圖7)妥協的目標,在美國幫助TG-3390演員避免地緣阻塞和網絡防禦用地理標記的措施。
圖7.通過地理位置CTU研究人員觀察到TG-3390的基礎設施。 深綠色表示C2註冊和IP網塊的高支,而淺綠色表示小計。 (來源:戴爾SecureWorks公司)
威脅者創造PlugX DLL存根裝載機,將只在特定日期後運行。 由CTU研究者分析樣品的編譯日期都晚於硬編碼2013年8月8日的日期,這表明該代碼可能會被從先前的工具重用。
所述OwaAuth幅殼有可能與一個構建器創建,因為在PE編譯的二進制時間被填充到一個特定的尺寸實例和配置字段之間不改變。 敵手修改公開可用的工具,如ASPXSpy刪除識別網絡維護者用它來識別網頁彈的特點。
武器
至於本次發表,研究人員CTU不確定是否TG-3390憑藉weaponizers打包工具和漏洞。
交貨
TG-3390進行的SWC或發送電子郵件spearphishing與ZIP文件的附件。 Zip文件有相關的指標名稱,並包含兩個合法的文件和惡意軟件。 通過CTU研究人員分析了一個存檔樣品含有一個合法的PDF文件,感興趣的目標(見圖8)一個良性的圖像,以及HttpBrowser安裝程序偽裝成一個圖像文件。
圖8.遊子形象。 (來源:戴爾SecureWorks公司)
在的SWC由CTU研究人員分析,威脅行為者添加的Dean Edwards的填充在圖9所示的是一個合法網站的菜單頁的結束JavaScript代碼。
圖9. SWC代碼。 (來源:戴爾SecureWorks公司)
如圖10,在解壓後的JavaScript代碼顯示一個iframe指向承載攻擊的IP地址。
圖10.未包裝的JavaScript代碼。 (來源:戴爾SecureWorks公司)
既對受損部位的重定向代碼和攻擊代碼出現和消失,這表明對手添加代碼時,他們希望利用深港西部通道,並刪除代碼,當它不使用限制其業務的可視性。 威脅行為已經發展到白名單的IP地址,只提供了開發和有效載荷感興趣的特定目標。 CTU研究人員觀察到TG-3390影響目標組織的內部和外部訪問的資產,如OWA服務器,並添加重定向代碼指向內部用戶承載的漏洞和惡意軟件提供外部網站。
開發
TG-3390的演員在他們的SWC使用的Java漏洞。 特別是,威脅行為者利用CVE-2011-3544 ,在Java運行時環境中的漏洞,為客戶提供HttpBrowser後門; 和CVE-2010-0738 ,在JBoss中的一個漏洞,妥協內外兼修用於重定向用戶的網頁瀏覽器漏洞利用代碼訪問的資產。
在活動由CTU研究人員分析,TG-3390執行針對目標服務器運行IIS的獵人Web應用程序掃描工具。 亨特查詢以下的URI以特定的順序來確定,如果相關的軟件配置都是不安全的,並且所有查詢包含在HttpClient的用戶代理:
- GET /經理/ HTML / - Tomcat Web應用程序管理器
- GET / JMX控制台/ - JBoss的配置
- GET /CFIDE/administrator/login.cfm - ColdFusion配置
TG-3390採用DLL側負荷,這涉及到運行一個合法的,通常是數字簽名技術,程序加載一個惡意DLL。 CTU研究人員已經發現的威脅行為分析用人樣品中合法的卡巴斯基反病毒變種。 該DLL作為存根加載器,它加載並執行shell代碼。 在對手已經用這項技術允許PlugX和HttpBrowser堅持一個系統上。
| 注:DLL側面裝載是用來發射多種後門的一個普遍的持久性技術。 目前的挑戰是檢測已知良好的軟件加載和運行惡意軟件。 作為安全控制有所改善,DLL側面裝載已經發展到加載存儲在不同的目錄或註冊表值的有效載荷。 |
指揮和控制
通過防火牆,C2流量最TG-3390的工具發生在端口53,80,和443的PlugX惡意軟件可以被配置為使用HTTP,DNS原始TCP或UDP來避免基於網絡的檢測。 在一個樣品中CTU研究人員分析,PlugX用硬編碼的用戶憑據配置為繞過代理服務器需要身份驗證。 較新的版本HttpBrowser使用SSL使用自簽名證書來網絡通信進行加密。
TG-3390的演員經常更換C2結構域的A記錄指向回送地址127.0.0.1,這是被稱為技術的一個變種“停車。” 停車的其他變點的IP地址,以谷歌的遞歸名稱服務器8.8.8.8,屬於合流,或其它非可路由地址的地址。 當對手“操作是活,他們再次修改記錄的C2結構域指向他們可以訪問的IP地址。 域名停車場例子是可用附錄D 。
客觀行為
CTU研究人員已經發現了約TG-3390的操作細節很多,包括如何對手探索網絡,橫向移動,和exfiltrate數據。 如圖11,降低初始受害者的系統(病人0)後,威脅使用演員在百度搜索引擎來搜索受害者的組織名稱。 然後,他們確定在Exchange服務器,並嘗試安裝OwaAuth網殼。 如果OwaAuth網殼是無效的,因為受害者使用雙因素認證的網絡郵件,在對手確定其他外部訪問服務器和部署ChinaChopper網殼。 在6小時進入環境中,威脅演員損害多個系統和竊取憑據整個域。
圖11.時間軸TG-3390最初進入受害者的網絡,在美國東部時間。 (來源:戴爾SecureWorks公司)
威脅者使用亨特和nbtscan的工具,有時改名,來進行網絡偵察存在漏洞的服務器和在線系統(見圖12)。 TG-3390的演員青睞At.exe為在遠程系統上執行命令來創建計劃任務。
圖12. NBTSCAN批處理腳本(改名ipcan.exe)用於分析網絡。 (來源:戴爾SecureWorks公司)
在幾天的範圍,威脅者安裝在基於網絡的偵察結果其他系統的遠程訪問工具。 他們使用At.exe計劃任務運行自解壓RAR壓縮文件,其中無論是安裝還是HttpBrowser PlugX。 CTU研究人員觀察到的威脅者收集思科VPN配置文件的訪問通過VPN受害者的網絡時使用(見圖13)。
圖13.複製的文件.PCF。 (來源:戴爾SecureWorks公司)
為了方便橫向移動,在敵人部署ASPXTool網頁彈到運行IIS訪問內部系統。
CTU研究人員已經發現的威脅者使用密碼“admin-windows2014”和分裂成零件的回收目錄中的RAR壓縮文件數據加密,具有相同名稱的未壓縮數據(見圖14)。
用於歸檔數據圖14.批處理腳本。 (來源:戴爾SecureWorks公司)
在密碼的末尾的數量對應於入侵的年份。 例如,在圖14所示的密碼“admin-windows2014”改為“管理-windows2015”為在2015年進行的TG-3390的入侵。
| 注:CTU研究人員經常觀察威脅的演員重新命名存檔工具和存儲數據的滲出中少見的目錄。 在一些情況下,對手超出在滲出過程磁盤空間限制,需要在多個系統的檔案的分期。 不明原因的磁盤配額上的警報通常未充分利用的系統保證立即進行調查。 |
圖15.批處理腳本用於重命名exfiltrated數據。 (來源:戴爾SecureWorks公司)
CTU研究人員觀察到TG-3390分期演員RAR壓縮文件,重命名一個.zip文件擴展名,對外部訪問的Web服務器。 在對手然後發出HTTP GET請求,有時會與用戶代理MINIXL,以exfiltrate從受害者的網絡歸檔部分(見圖16)。
圖16.示例得到IIS日誌的請求。 (來源:戴爾SecureWorks公司)
在其它入侵,數據被使用PlugX遠程訪問工具exfiltrated。 圖17顯示了與TG-3390的重新進入網絡開始長達一個月的時間網絡數據傳輸大小。 大約300 GB的數據是在跨越exfiltrated。
TG-3390重新進入網絡後圖17.網絡數據傳輸大小為C2的服務器。 (來源:戴爾SecureWorks公司)
CTU意見
圖18是UTC時間輪描繪哪個小時威脅行為期間由CTU研究人員觀察到三天入侵積極操作在一個目標環境。 同心帶代表的星期幾,與星期六作為外部帶和星期日作為最內層帶,並且每個單元代表一個小時。 較暗的單元格顏色,較高的活性水平; 白色表示沒有觀察到的活性。 TG-3390是最活躍的4時00分至09:00(UTC)之間。
圖18.映射與網殼TG-3390的相互作用入侵期間CTU研究者回應。 橫跨圖的底部的圖例列出的上限是由在車輪上的每個顏色變化所代表的相互作用。 時間是根據UTC。 (來源:戴爾SecureWorks公司)
回應驅逐
成功驅逐TG-3390從環境需要一個協調的計劃,以消除所有的接入點,包括遠程訪問工具和Web砲彈。 幾週之內驅逐的威脅者試圖從以前使用的IP地址訪問他們的網絡ChinaChopper砲彈。 尋找網頁無法訪問砲彈的敵人搜索google.co.jp的遠程訪問解決方案。 CTU研究人員發現威脅者搜索“[公司]登錄”,它引導他們到登陸頁面進行遠程訪問。 TG-3390嘗試通過識別帳戶不需要進行遠程訪問解決方案的雙因素身份驗證,然後暴力破解用戶名和密碼重新進入環境。 重新建立連接後,對手下載如gsecudmp和WCE正在對以前受到影響TG-3390,但從未使用網站暫時上演工具。 CTU研究人員認為,合法的網站被用來舉辦的工具,因為Web代理分類網站為良性。
| 注:許多威脅的群體使用合法的遠程接入解決方案(VPN,思傑,OWA等)進入或重新進入網絡。 執行驅逐計劃之後,這是最重要的重置所有憑證,包括對第三方帳戶,最好是實施雙因素身份驗證後。 |
圖19.時間軸中,東部時間,TG-3390的折返到一個妥協的網絡。 (來源:戴爾SecureWorks公司)
| 注:基於網絡的安全控制主要依托不會阻止大多數的威脅團體實現他們的目標。 對手可以克服列入黑名單的基礎設施在幾分鐘內,作為TG-3390做演員時,他們上演工具上妥協的Web服務器。 |
在OwaAuth網殼的分析顯示PDB字符串以“SyberSpace”的用戶名(見圖20)。
圖20. OwaAuth網殼PDB字符串。 (來源:戴爾SecureWorks公司)
進一步的研究表明,含有相同的用戶名(見圖21)的附加工具。
圖21. PDB字符串包含“SyberSpace”的用戶名。 (來源:戴爾SecureWorks公司)
CTU研究人員沒有證據,以確定是否這些工具也被TG-3390。
結論
TG-3390是已知的,通過妥協的SWC組織和快速移動到Exchange服務器上安裝後門。 儘管該集團的能力,還是有很多機會來檢測並研究其作案手法破壞其運作。 威脅的演員合作,以克服現有的安全控制,或參與在那些到位,完成出入穿插知識產權的使命。 由於TG-3390的決心,組織應與威脅的演員參與,以防止他們重新進入網絡之前,制定一個堅實的驅逐計劃。
威脅指標
表1中的指標與TG-3390的活性相關聯。 該域名和IP地址可能包含惡意內容,因此在瀏覽器中打開它們之前考慮風險。
| 指示器 | 類型 | 上下文 |
|---|---|---|
| american.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| api.apigmail.com | 域名 | TG-3390基礎設施 信心:高 |
| apigmail.com | 域名 | TG-3390基礎設施 信心:高 |
| backup.darkhero.org | 域名 | TG-3390基礎設施 信心:高 |
| bel.updatawindows.com | 域名 | TG-3390基礎設施 信心:高 |
| binary.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| castle.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| ctcb.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| darkhero.org | 域名 | TG-3390基礎設施 信心:高 |
| dav.local-test.com | 域名 | TG-3390基礎設施 信心:高 |
| test.local-test.com | 域名 | TG-3390基礎設施 信心:高 |
| dev.local-test.com | 域名 | TG-3390基礎設施 信心:高 |
| ocean.local-test.com | 域名 | TG-3390基礎設施 信心:高 |
| ga.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| helpdesk.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| helpdesk.csc-na.com | 域名 | TG-3390基礎設施 信心:高 |
| helpdesk.hotmail-onlines.com | 域名 | TG-3390基礎設施 信心:高 |
| helpdesk.lnip.org | 域名 | TG-3390基礎設施 信心:高 |
| hotmail-onlines.com | 域名 | TG-3390基礎設施 信心:高 |
| jobs.hotmail-onlines.com | 域名 | TG-3390基礎設施 信心:高 |
| justufogame.com | 域名 | TG-3390基礎設施 信心:高 |
| lnip.org | 域名 | TG-3390基礎設施 信心:高 |
| local-test.com | 域名 | TG-3390基礎設施 信心:高 |
| login.hansoftupdate.com | 域名 | TG-3390基礎設施 信心:高 |
| long.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| longlong.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| longshadow.dyndns.org | 域名 | TG-3390基礎設施 信心:高 |
| longshadow.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| longykcai.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| lostself.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| mac.navydocument.com | 域名 | TG-3390基礎設施 信心:高 |
| mail.csc-na.com | 域名 | TG-3390基礎設施 信心:高 |
| mantech.updatawindows.com | 域名 | TG-3390基礎設施 信心:高 |
| micr0soft.org | 域名 | TG-3390基礎設施 信心:高 |
| microsoft-outlook.org | 域名 | TG-3390基礎設施 信心:高 |
| mtc.navydocument.com | 域名 | TG-3390基礎設施 信心:高 |
| navydocument.com | 域名 | TG-3390基礎設施 信心:高 |
| mtc.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| news.hotmail-onlines.com | 域名 | TG-3390基礎設施 信心:高 |
| oac.3322.org | 域名 | TG-3390基礎設施 信心:高 |
| ocean.apigmail.com | 域名 | TG-3390基礎設施 信心:高 |
| pchomeserver.com | 域名 | TG-3390基礎設施 信心:高 |
| registre.organiccrap.com | 域名 | TG-3390基礎設施 信心:高 |
| security.pomsys.org | 域名 | TG-3390基礎設施 信心:高 |
| services.darkhero.org | 域名 | TG-3390基礎設施 信心:高 |
| sgl.updatawindows.com | 域名 | TG-3390基礎設施 信心:高 |
| shadow.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| sonoco.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| test.logmastre.com | 域名 | TG-3390基礎設施 信心:高 |
| up.gtalklite.com | 域名 | TG-3390基礎設施 信心:高 |
| updatawindows.com | 域名 | TG-3390基礎設施 信心:高 |
| update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| update.deepsoftupdate.com | 域名 | TG-3390基礎設施 信心:高 |
| update.hancominc.com | 域名 | TG-3390基礎設施 信心:高 |
| update.micr0soft.org | 域名 | TG-3390基礎設施 信心:高 |
| update.pchomeserver.com | 域名 | TG-3390基礎設施 信心:高 |
| urs.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| wang.darkhero.org | 域名 | TG-3390基礎設施 信心:高 |
| webs.local-test.com | 域名 | TG-3390基礎設施 信心:高 |
| word.apigmail.com | 域名 | TG-3390基礎設施 信心:高 |
| wordpress.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| working.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| working.darkhero.org | 域名 | TG-3390基礎設施 信心:高 |
| working.hotmail-onlines.com | 域名 | TG-3390基礎設施 信心:高 |
| www.trendmicro-update.org | 域名 | TG-3390基礎設施 信心:高 |
| www.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| x.apigmail.com | 域名 | TG-3390基礎設施 信心:高 |
| ykcai.update-onlines.org | 域名 | TG-3390基礎設施 信心:高 |
| ykcailostself.dyndns-free.com | 域名 | TG-3390基礎設施 信心:高 |
| ykcainobody.dyndns.org | 域名 | TG-3390基礎設施 信心:高 |
| zj.blackcmd.com | 域名 | TG-3390基礎設施 信心:高 |
| laxness-lab.com | 域名 | TG-3390基礎設施 信心:高 |
| google-ana1ytics.com | 域名 | TG-3390基礎設施 信心:高 |
| www.google-ana1ytics.com | 域名 | TG-3390基礎設施 信心:高 |
| ftp.google-ana1ytics.com | 域名 | TG-3390基礎設施 信心:高 |
| hotmailcontact.net | 域名 | TG-3390基礎設施 信心:高 |
| 208.115.242.36 | IP地址 | TG-3390基礎設施 信心:高 |
| 208.115.242.37 | IP地址 | TG-3390基礎設施 信心:高 |
| 208.115.242.38 | IP地址 | TG-3390基礎設施 信心:高 |
| 66.63.178.142 | IP地址 | TG-3390基礎設施 信心:高 |
| 72.11.148.220 | IP地址 | TG-3390基礎設施 信心:高 |
| 72.11.141.133 | IP地址 | TG-3390基礎設施 信心:高 |
| 74.63.195.236 | IP地址 | TG-3390基礎設施 信心:高 |
| 74.63.195.236 | IP地址 | TG-3390基礎設施 信心:高 |
| 74.63.195.237 | IP地址 | TG-3390基礎設施 信心:高 |
| 74.63.195.238 | IP地址 | TG-3390基礎設施 信心:高 |
| 103.24.0.142 | IP地址 | TG-3390基礎設施 信心:高 |
| 103.24.1.54 | IP地址 | TG-3390基礎設施 信心:高 |
| 106.187.45.162 | IP地址 | TG-3390基礎設施 信心:高 |
| 192.151.236.138 | IP地址 | TG-3390基礎設施 信心:高 |
| 192.161.61.19 | IP地址 | TG-3390基礎設施 信心:高 |
| 192.161.61.20 | IP地址 | TG-3390基礎設施 信心:高 |
| 192.161.61.22 | IP地址 | TG-3390基礎設施 信心:高 |
| 103.24.1.54 | IP地址 | TG-3390基礎設施 信心:高 |
| 67.215.232.179 | IP地址 | TG-3390基礎設施 信心:高 |
| 96.44.177.195 | IP地址 | TG-3390基礎設施 信心:高 |
| 49.143.192.221 | IP地址 | TG-3390基礎設施 信心:中等 |
| 67.215.232.181 | IP地址 | TG-3390基礎設施 信心:中等 |
| 67.215.232.182 | IP地址 | TG-3390基礎設施 信心:中等 |
| 96.44.182.243 | IP地址 | TG-3390基礎設施 信心:中等 |
| 96.44.182.245 | IP地址 | TG-3390基礎設施 信心:中等 |
| 96.44.182.246 | IP地址 | TG-3390基礎設施 信心:中等 |
| 49.143.205.30 | IP地址 | TG-3390基礎設施 信心:中等 |
| working_success@163.com | 電子郵件地址 | TG-3390的電子郵件地址 信心:高 |
| ykcaihyl@163.com | 電子郵件地址 | TG-3390的電子郵件地址 信心:高 |
| working_success@163.com | 電子郵件地址 | TG-3390的電子郵件地址 信心:高 |
| yuming@yinsibaohu.aliyun.com | 電子郵件地址 | TG-3390的電子郵件地址 信心:低 |
| 1cb4b74e9d030afbb18accf6ee2bfca1 | MD5哈希 | HttpBrowser RAT滴管 |
| b333b5d541a0488f4e710ae97c46d9c2 | MD5哈希 | HttpBrowser RAT滴管 |
| 86a05dcffe87caf7099dda44d9ec6b48 | MD5哈希 | HttpBrowser RAT滴管 |
| 93e40da0bd78bebe5e1b98c6324e9b5b | MD5哈希 | HttpBrowser RAT滴管 |
| f43d9c3e17e8480a36a62ef869212419 | MD5哈希 | HttpBrowser RAT滴管 |
| 57e85fc30502a925ffed16082718ec6c | MD5哈希 | HttpBrowser RAT滴管 |
| 4251aaf38a485b08d5562c6066370f09 | MD5哈希 | HttpBrowser RAT滴管 |
| bbfd1e703f55ce779b536b5646a0cdc1 | MD5哈希 | HttpBrowser RAT滴管 |
| 12a522cb96700c82dc964197adb57ddf | MD5哈希 | HttpBrowser RAT滴管 |
| 728e5700a401498d91fb83159beec834 | MD5哈希 | HttpBrowser RAT滴管 |
| 2bec1860499aae1dbcc92f48b276f998 | MD5哈希 | HttpBrowser RAT滴管 |
| 014122d7851fa8bf4070a8fc2acd5dc5 | MD5哈希 | HttpBrowser RAT |
| 0ae996b31a2c3ed3f0bc14c7a96bea38 | MD5哈希 | HttpBrowser RAT |
| 1a76681986f99b216d5c0f17ccff2a12 | MD5哈希 | HttpBrowser RAT |
| 380c02b1fd93eb22028862117a2f19e3 | MD5哈希 | HttpBrowser RAT |
| 40a9a22da928cbb70df48d5a3106d887 | MD5哈希 | HttpBrowser RAT |
| 46cf2f9b4a4c35b62a32f28ac847c575 | MD5哈希 | HttpBrowser RAT |
| 5436c3469cb1d87ea404e8989b28758d | MD5哈希 | HttpBrowser RAT |
| 692cecc94ac440ec673dc69f37bc0409 | MD5哈希 | HttpBrowser RAT |
| 6a39a4e9933407aef31fdc3dfa2a2a95 | MD5哈希 | HttpBrowser RAT |
| 8b4ed3b392ee5da139c16b8bca38ea5e | MD5哈希 | HttpBrowser RAT |
| 8ea5d8bb6b28191e4436456c35477e39 | MD5哈希 | HttpBrowser RAT |
| 9271bcfbba056c8f80c7f04d72efd62d | MD5哈希 | HttpBrowser RAT |
| 996843b55a7c5c7a36e8c6956e599610 | MD5哈希 | HttpBrowser RAT |
| a554efc889714c70e9362bdc81fadd6a | MD5哈希 | HttpBrowser RAT |
| c9c93c2d62a084031872aab96202ee3e | MD5哈希 | HttpBrowser RAT |
| ddbdf0efdf26e0c267ef6155edb0e6b8 | MD5哈希 | HttpBrowser RAT |
| e7df18a17d8e7c2ed541a57020444068 | MD5哈希 | HttpBrowser RAT |
| ea4dcafc224f604c096032dde33a1d6d | MD5哈希 | HttpBrowser RAT |
| f658bb17d69912404f34532901edad0e | MD5哈希 | HttpBrowser RAT |
| f869a1b40f6438dfdd89e73480103211 | MD5哈希 | HttpBrowser RAT |
| 81ed752590752016cb1c12f3e9ab3454 | MD5哈希 | HttpBrowser RAT |
| 5ef719f8aeb9bf97beb24a5c2ed19173 | MD5哈希 | HttpBrowser RAT |
| 7ec91768376324be2bad4fd30b1c2051 | MD5哈希 | HttpBrowser RAT |
| 20c446ad2d7d1586138b493ecddfbbc7 | MD5哈希 | HttpBrowser RAT |
| 44cf0793e05ba843dd53bbc7020e0f1c | MD5哈希 | HttpBrowser RAT |
| 02826bb6636337963cc5162e6f87745e | MD5哈希 | HttpBrowser RAT |
| 1606ab7a54735af654ee6deb7427f652 | MD5哈希 | HttpBrowser RAT |
| 1539b3a5921203f0e2b6c05d692ffa27 | MD5哈希 | HttpBrowser RAT |
| c66e09429ad6669321e5c69b1d78c082 | MD5哈希 | HttpBrowser RAT |
| 225e10e362eeee15ec64246ac021f4d6 | MD5哈希 | HttpBrowser RAT |
| a631fc7c45cbdf80992b9d730df0ff51 | MD5哈希 | HttpBrowser RAT |
| af785b4df71da0786bcae233e55cf6c1 | MD5哈希 | HttpBrowser RAT |
| e3e0f3ad4ff3b981b513cc66b37583e8 | MD5哈希 | HttpBrowser RAT |
| 5cd0e97a1f09001af5213462aa3f7eb1 | MD5哈希 | HttpBrowser RAT |
| 15fd9c04d6099273a9acf8feab81acfe | MD5哈希 | HttpBrowser RAT |
| ea8b9e0bf95fc0c71694310cb685cd3b | MD5哈希 | HttpBrowser RAT |
| 5c3ab475be110ec59257617ee1388e01 | MD5哈希 | HttpBrowser RAT |
| 6aac7417ea1eb60a869597af9049b8fa | MD5哈希 | HttpBrowser RAT |
| 372f5370085a63f5b660fab635ce6cd7 | MD5哈希 | HttpBrowser RAT |
| fac4885324cb67bd421d6250fdc9533c | MD5哈希 | HttpBrowser RAT |
| e7e555615a07040bb5dbe9ce59ac5d11 | MD5哈希 | HttpBrowser RAT |
| ff34cb1d90d76a656546293e879afe22 | MD5哈希 | HttpBrowser RAT |
| 2abf7421c34c60d48e09325a206e720e | MD5哈希 | HttpBrowser RAT |
| 396b4317db07cc8a2480786160b33044 | MD5哈希 | HttpBrowser RAT |
| e404873d3fcd0268db10657b53bdab64 | MD5哈希 | HttpBrowser RAT |
| 6e4189b20adb253b3c1ad7f8fdc95009 | MD5哈希 | HttpBrowser RAT |
| bff424289c38d389a8cafb16b47dfe39 | MD5哈希 | HttpBrowser RAT |
| 7294c7f3860315d51f74152e8ad353df | MD5哈希 | HttpBrowser RAT |
| 40092f76fea082b05e9631d91975a401 | MD5哈希 | HttpBrowser RAT |
| e42fce74bbd637c35320cf4e95f5e055 | MD5哈希 | HttpBrowser RAT |
| d0dafc3716a0d0ce393cde30b2b14a07 | MD5哈希 | HttpBrowser RAT |
| ae66bad0c7de88ab0ab1050c4bec9095 | MD5哈希 | HttpBrowser RAT |
| c7c2be1cd3780b2ba4638cef9a5422c7 | MD5哈希 | HttpBrowser RAT |
| 405949955b1cb65673c16bf7c8da2f4d | MD5哈希 | HttpBrowser RAT |
| ff4f052dbe73a81403df5e98313000fb | MD5哈希 | HttpBrowser RAT |
| b30fcd362c7b8ac75b7dddfe6cb448c7 | MD5哈希 | HttpBrowser RAT |
| 1d24f4d20b80562de46a8ac95d0ff8c2 | MD5哈希 | HttpBrowser RAT |
| 9538bbdb3a73201b40296e9d4dc80ade | MD5哈希 | HttpBrowser RAT |
| 46bb2caeda30c09a6337fd46ec98c32c | MD5哈希 | HttpBrowser RAT |
| 0c8842e48e80643d91dd290d0f786147 | MD5哈希 | HttpBrowser RAT |
| 0fc975c3c4e6c546b4f2b5aaed50dd78 | MD5哈希 | HttpBrowser RAT |
| 41be449f687828466ed7d87f0f30a278 | MD5哈希 | HttpBrowser RAT |
| 2b95caf3307ebd36cf405b1133b30aa8 | MD5哈希 | HttpBrowser RAT |
| ccc715a4d9d0157b9776deacdb26bf78 | MD5哈希 | HttpBrowser RAT |
| 37933acfa8d8e78c54413d88ca705e17 | MD5哈希 | HttpBrowser RAT |
| 2813c5a1c87f7e3d33174fed8b0988a1 | MD5哈希 | HttpBrowser RAT |
| 8f22834efe52ccefb17e768569eb36b9 | MD5哈希 | HttpBrowser RAT |
| 6f01628a0b5de757a8dbe99020499d10 | MD5哈希 | HttpBrowser RAT |
| 7f8d9f12f41156512b60ab17f8d85fe9 | MD5哈希 | HttpBrowser RAT |
| debe5ef2868b212f4251c58be1687660 | MD5哈希 | HttpBrowser RAT |
| e136d4ebab357fd19df8afe221460571 | MD5哈希 | HttpBrowser RAT |
| a86a906cfafaf1d7e3725bb0161b0cfe | MD5哈希 | HttpBrowser RAT |
| 03e1eac3512a726da30fff41dbc26039 | MD5哈希 | HttpBrowser RAT |
| baac5e5dd3ce7dae56cab6d3dac14e15 | MD5哈希 | HttpBrowser RAT |
| 0f7dde31fbeb5ddbb6230c401ed41561 | MD5哈希 | HttpBrowser RAT |
| 36d957f6058f954541450f5a85b28d4b | MD5哈希 | HttpBrowser RAT |
| 42d874f91145bd2ddf818735346022d8 | MD5哈希 | HttpBrowser RAT |
| 3468034fc3ac65c60a1f1231e3c45107 | MD5哈希 | HttpBrowser RAT |
| 4e3b51a6a18bdb770fc38650a70b1883 | MD5哈希 | HttpBrowser RAT |
| 3647068230839f9cadf0fd4bd82ade84 | MD5哈希 | HttpBrowser RAT |
| 550922107d18aa4caad0267997709ee5 | MD5哈希 | HttpBrowser RAT |
| d8f0a6450f9df637daade521dc90d29d | MD5哈希 | HttpBrowser RAT |
| bf2e2283b19b0febc4bd1f47aa82a94c | MD5哈希 | HttpBrowser RAT |
| d0eec2294a70ceff84ca8d0ed7939fb5 | MD5哈希 | HttpBrowser RAT |
| e91d2464c8767552036dd0294fc7e6fb | MD5哈希 | HttpBrowser RAT |
| f627bc2db3cab34d97c8949931cb432d | MD5哈希 | HttpBrowser RAT |
| b313bbe17bd5ee9c00acff3bfccdb48a | MD5哈希 | PlugX RAT滴管 |
| f7a842eb1364d1269b40a344510068e8 | MD5哈希 | PlugX RAT滴管 |
| 8dacca7dd24844935fcd34e6c9609416 | MD5哈希 | PlugX RAT滴管 |
| 7cffd679599fb8579abae8f32ce49026 | MD5哈希 | PlugX RAT滴管 |
| 462fd01302bc40624a44b7960d2894cd | MD5哈希 | PlugX RAT滴管 |
附錄A -確定歸屬和測量信心
確定歸屬
在大多數情況下,CTU研究者不具有智能來直接屬性的威脅基,所以歸因依賴旁證和是一個評估,而不是一個事實。 CTU研究人員利用歸屬的證據,三個不同的情報基地:
- 觀察活動是由CTU研究者的觀察與目標網絡上和整個戴爾SecureWorks公司數據的威脅集團的活動進行調查,戰術,技術分析和程序(的TTP)的威脅組員工聚集。
- 第三方的情報是從內部安全行業和其他私營和公共部門組織,以及開源智能分析信任關係獲得的。
- 語境分析比較了威脅組對目標的民族國家和其他威脅的演員智能化的要求和比較諜報被威脅組用於諜報已知威脅的演員。
CTU研究人員採用了分級系統發表的美國國家情報總監的美國辦公室,表示信心,他們的評估:
- 高置信度通常表示判斷是基於高品質的信息,和/或該問題的性質使得能夠呈現固體的判斷。 A“高可信度”的判斷是不是事實或必然的,然而,這樣的判斷仍然繼續被錯誤的風險。
- 中等置信度通常意味著該信息是可信來源的和可信的,但不具有足夠的質量或證實足以保證信任一個更高的水平。
- 低可信度通常意味著信息的可信性和/或合理性是值得懷疑的,或者說,信息過於分散或證實不佳,使固體分析推斷,或[有]與源顯著的擔憂和問題。
HttpBrowser是一個遠程訪問工具,其名稱來自硬編碼“HttpBrowser / 1.0”用戶代理發起。 CTU研究人員還發現了PDB字符串中的二進制,J:“TokenControl”\ TokenControlV3 \ ServerDll \發布\ ServerDll.pdb,這暗示著威脅者可參閱該工具 表2列出了可在HttpBrowser變種之一威脅者的命令。
| 命令 | 功能 |
|---|---|
| 在裡面 | 創建反向殼 |
| 寫 | 從C2服務器寫一個文件到系統受損 |
| 名單 | 列表中的目錄中的文件 |
| 上傳 | 上傳從受感染系統中的文件,以C2服務器 |
後門的其他變體可能包括額外的命令,如SETCMD,SETTIME,卸載和向下。 表3顯示了未加密的URL參數,連同採樣數據和數據的描述。
| URL參數 | 樣本數據 | 描述 |
|---|---|---|
| C = | 被害人>管理員 | 主機名和用戶名 |
| L = | 192.168.1.100 | 受到威脅的系統的IP地址 |
| O = | 5,1,1,32 | 窗口主要和次要版本,加上 建築(32訴64) |
| U = | {B5B70BD7-87FC-499A-B4D1- 98163306F0D8} | 一個GUID |
| R = | 1 | 如果惡意軟件正在作為注入的代碼布爾值 |
| T = | 8035187 | 計算機已運行的毫秒數 |
附錄C - OwaAuth網殼分析
OwaAuth是安裝作為Exchange服務器和共享特性與ChinaChopper網殼一個ISAPI篩選器的Web外殼。 像ChinaChopper,它解析為Z1和Z2參數(見表4)HTTP請求。 正 當owaauth.dll文件駐留到%ProgramFiles%\微軟\ Exchange服務器\ CLIENTACCESS \ OWA \驗證\而CTU研究人員已經發現使用相同的文件名中的%ProgramFiles%\微軟\ Exchange服務器\ CLIENTACCESS \ OWA \ bin中的後門\目錄下。 除了充當Web外殼,書寫的用戶名和密碼到磁盤之前的惡意軟件捕獲和DES-加密憑據。 該OwaAuth網殼使威脅演員來上傳和下載文件,啟動過程和執行SQL查詢。
每個web shell實例被配置為包含SP,重點和日誌變量。 SP的變量是一個包含受害人的用戶名的字符串。 當惡意ISAPI篩選器捕獲用戶名匹配這個變量,它知道來處理傳入的HTTP請求作為命令到網絡外殼。 DES密鑰在由CTU研究人員觀察到配置的憑據進行加密是12345678,和日誌文件為c:\ log.txt的。 該日誌文件的解密的內容堅持格式在圖22中。
圖22.解密的OwaAuth日誌文件格式。 (來源:戴爾SecureWorks公司)
表4列出了可用的仇敵OwaAuth網絡shell命令。
| 命令 | 功能 |
|---|---|
| 一個 | 列出的邏輯驅動器 |
| B | 列出目錄(Z1 =目錄名列表) |
| C | 從文件中讀取數據(Z1 =文件名讀取) |
| D | 寫入文件內容(Z1 =文件名來寫,Z2 =內容來寫) |
| Ë | 刪除目錄文件(Z1 =文件) |
| F | 生成自定義Web響應“ - > |在Z1值| < - ” |
| G | 寫十六進制編碼的內容文件(Z1 =文件名來寫,Z2 =十六進制編碼的內容來寫) |
| H | 呼叫_Notice(Z1,Z2) |
| 一世 | 移動/重命名文件或目錄(Z1 =目標,Z2 =新名稱) |
| J | 創建目錄(Z1 =目錄名) |
| ķ | Timestomp文件或目錄(Z1 =目標,Z2 =時間/日期字符串踩至) |
| L | 從網上下載文件(Z1 =網址,Z2 =文件名寫入) |
| M | 啟動過程中(Z1 =進程名,Z2 =參數) |
| ñ | 測試連接到SQL數據庫(Z1 = SQLCONNECT字符串) |
| Ø | SQL數據庫獲取表方案(Z1 = \ r分隔參數命令) |
| P | SQL獲取有限制的數據庫表方案(Z1 = \ r分隔參數命令) |
| Q | SQL執行SQL命令(Z1 = \ r分隔參數命令) |
附錄D -域名例如停車
CTU研究人員觀察到TG-3390停車域指向自己的記錄到一個不可路由的IP地址空間,包括127.0.0。[X]回環地址。 表5顯示的威脅者如何改變自己的C2結構域的一個指向路由和非路由的IP地址,隨著時間的推移。
| 開始日期 | 結束日期 | IP變化 | 地點 |
|---|---|---|---|
| 13年7月9日 | 13年7月31日 | 210.116.106.66 | 韓國首爾 |
| 13年7月31日 | 10/12/13 | 127.0.0.1 | N / A |
| 10/12/13 | 13年11月5日 | 122.10.10.196 | 香港 |
| 13年11月5日 | 14年1月12日 | 198.100.107.107 | 加利福尼亞州,美國 |
| 14年1月12日 | 14年3月5日 | 127.0.0.1 | N / A |
| 14年3月5日 | 14年3月31日 | 103.24.0.142 | 香港 |
| 14年3月31日 | 14年10月27日 | 103.24.1.54 | 香港 |
| 14年10月27日 | 14年11月9日 | 127.0.0.1 | N / A |
| 14年11月9日 | 15年5月25日 | 127.0.0.3 | N / A |
| 15年5月25日 | 目前根據本刊物的 | 127.0.0.1 | N / A |
尾注
[1]戴爾SecureWorks公司反威脅單位(TM)(CTU)的研究團隊追踪威脅組通過賦予他們(在這種情況下,3390)四位隨機號碼,並匯集了來自第一手事件響應的意見和來自外部來源的信息。 [2]威脅人群使用網絡戰略妥協(的SWC),也被稱為水坑攻擊,目標潛在受害者廣泛。 威脅者危及使用他們的目標人口統計網站(例如,犧牲一個網站時,針對能源垂直專業從事石油和天然氣行業的新聞)。 遊客到破壞的網站將被重定向到威脅集團的控制,他們的系統受到損害的威脅集團的惡意軟件的下一個服務器。 這種戰術,威脅組增加妥協是擁有所需的信息系統的可能性。 ==========
What rubbish mainland China-pig Highbrid Department 'masturbation' what! These beasts are not as!
To death or wrong does not regret! Take human rights lawyer, to take the people on the mainland dissidents to take life as cannon fodder!
Tianjin peoples because 'Is man-made' destroyed their homes,
Peoples do not get a dime of money compensation,
lucky by survivors support every day blockade zone extending to outside complaints!
Do you know the report found that this incident is 3000000-400000000$ basic accident the amount of compensation ?!
In so many victims, compensation will be multiplied by the number of victims!
But mainland garbage China-pig corrupt officials and accident Ruihai company and current Politburo Standing Committee, the Standing Committee and they have colluded with relationship?!
Since such a large number of accidents ,,They known the amount of compensation may know how a big amout! The Communist dictator garbage China-pig would not such a huge amount of compensation awarded in full bombing victims and their families their loved ones?!
Communist mainland China-pig is the most Filthy means unbearable! corrupt collusion in the world known, looting people's property and even life!
Of course, this sum of money of the Communist mainland garbage China-pig unscrupulous government ,
After a few months after turning greedy magistrate, the municipal party committee,evil urban management, public security departments theif behavior,
The rest probably is not much money to be able to compensate the victims of the bombings and their families loved ones!
That means people on the mainland are known to refuse China-pig Communist mainland government's dark filthy behavior,!
Do not forget that it is not moral, not fair and transparent mechanism, no human rights, no freedom of religion, no freedom of choice, no privacy, in the global human rights, Communist mainland China-pig from freedom ranking of the most tail.
What rubbish Communist mainland Shina pig 'hybrid Department' in 'masturbation' what!
By their Cold tongue official media - China Times reported - US warns Lu "fox hunting" Miss ,, [garbage China Highbrid portion reply]: WTF?
China-pig so uncivilized 'Highbrid Department', Really backwards corrupt!!
Shameless not recognize miss!
See these 'beasts not as' aggression evidence,, their garbage China-pig 'hybrid Department' until death do not recognize mistake !?
There is such a cold-blooded and inhuman dictatorial Communist mainland government garbage, there are so many Communist trash Fifty Cent Party!
Much more corrupt officials ,, ate peoples blood and sweats ,
Even buried in the ground and explode Tianjin, loss of life !!
Shameful "beast than"!!
Melody.Blog extremely angry ``
=====
究竟大陸垃圾支那豬雜交部在''自瀆''甚麽呢!這些畜牲也不如!
到死還是不悔錯!拿維權律師,拿內地人民,拿異見人士的生命當成砲灰!
天津人們被破壞了家園,
人們沒得到一毛金錢的補償,
還要每天靠生還者扶持到封鎖區外伸訴!
大家可知這起事件是有3000000至40000000萬的基本意外賠償金額嗎?
在這麼多的受害者下,賠償金額將乘以受害者數目!
可是大陸垃圾支那豬貪官污吏與肇事的瑞海公司和現任政治局常委、前任常委和他們有勾結關係?!
既然這麼大數目的意外賠償金額,,可知道中共獨裁垃圾支那豬怎麼會把這麼龐大的補償金額全數給予爆炸事件的受害者和他們的家屬親人?!
大陸共產黨垃圾支那豬最懂的便是貪污勾結,搶掠人民的資產以至生命!
當然這筆巨款經過大陸共產黨垃圾支那豬的無良政府後,
幾經轉折數個貪婪縣官,市委,黨委,城管,公安各部分贓後,
剩下的大概没多少金錢能夠補償於爆炸事件的受害者和他們的家屬親人!
這是內地人民共知的大陸共產黨垃圾支那豬政府的黑暗污穢不堪的手段!
別忘記它是沒道德,沒公平公正透明機制,沒人權,没宗教自由,沒選擇自由,沒個人隱私的垃圾地,在全球人權,民自,自由的排行最尾.
究竟大陸共產黨垃圾支那豬'雜交部'在''自瀆''甚麽呢!
由它們的冷毒舌官方媒體-中時電子報報導 - 美警告陸「獵狐」,,陸[垃圾支那豬雜交部回覆]:搞什麼飛機?
這麼不文明的支那豬'雜交部'真的是倒退腐化墮落!無恥的不承認錯失!!
看到這群'畜牲也不如'的侵略證據,,它們的垃圾支那豬'雜交部'還可至死不承認侮錯!?
有這樣獨裁冷血不人道的大陸共產黨垃圾政府,便有那麼多共產黨垃圾五毛黨!
再有更多的貪官污吏,,吃盡了人民的血與汗,
甚至被埋在爆炸天津的地裡,喪失生命!!
可恥的禽獸不如!!
Melody.Blog憤怒極``
=====
*-Update [17/08-2015]in the end garbage continent China-pig ''(Ministry of Foreign Affairs, also known as "Hybrid intercourse,, below) '' in '' masturbation 'what?! Shameful "beast than"! -By -hk.apple.nextmedia.com -&- Ntdtv. com -&- cna.com.tw/news-&-epochtimes.com-&-thehackernews.com-&-abc.net.au-&-snip.ly/giNB-
-Update[17/08-2015]到底大陸垃圾支那豬''(外交部 又名雜交 部,,下同)''在''自瀆''甚麽呢!這些禽獸不如!由-hk.apple.nextmedia.com-&-ntdtv.com-&-cna.com.tw/news-&-epochtimes.com-&-thehackernews.com-&-abc.net.au-&-snip.ly/giNB-**All The World Country Lauguage**-
http://melody-free-shaing.blogspot.com/2015/08/update-1508-2015by-hkapplenextmediacom.html
===Melody.Blog===FOLLOW FOLLOW===
==========################
http://hk.apple.nextmedia.com/realtime/international/20150815/54090906
[70 years after the war] Pearl Harbor fireworks display commemorating the war ended with Japan and the US
Pearl Harbor (Picture).
Today is the 70th anniversary of the end of World War II, when the Japanese attack on Pearl Harbor, the US opened the Pacific War, today also held in commemoration of the famous battle site, to mourn the dead and celebrate the peace.
Officials in Hawaii with sister cities in Japan, Niigata Nagaoka city, in conjunction with the US Navy after the war began on Friday attended the 70th anniversary commemoration at Pearl Harbor. Japan then surrendered on August 15, due to the time difference between Pearl Harbor was still August 14th.
Nagaoka City is the home of the wartime Japanese army commander Yamamoto, also rich in local fireworks, one of this commemoration is shaped like a white chrysanthemum issuing fireworks, will offer garlands, turn on the water lanterns to mourn the dead.
December 7, 1941, Japanese attack on Pearl Harbor, killing about 2,400 US troops died.
Associated Press
Chase real thing burst size city that like Apple [site] FB!
=====
http://hk.apple.nextmedia.com/realtime/international/20150815/54090906
【戰後70年】珍珠港放煙花 日美同紀念戰爭
結束
珍珠港(資料圖片).
今日是第二次世界大戰結束70周年,日本當年偷襲美軍珍珠港掀開太平洋戰爭,今天這個著名戰場地點也舉行紀念活動,悼念死難者同時慶祝和平。
美國夏威夷與姊妹城市日本新潟縣長岡市的官員、聯同美國海軍,周五開始一起在珍珠港出席戰後70周年的紀念活動。日本當年於8月15日投降,由於時差關係珍珠港當時仍是8月14日。
長岡市是戰時日軍司令山本五十六的家鄉,當地也盛產煙花,這次紀念活動之一就是發放形如白菊花的煙花,又會獻上花環、放水上燈籠悼念死難者。
1941年12月7日,日軍偷襲珍珠港,造成約2,400名美軍死亡。
美聯社
Chase real thing burst size city that like Apple [site] FB!
=====
http://hk.apple.nextmedia.com/realtime/international/20150817/54096598
Undercover public security force of corrupt US latent repatriation by the US warning
China Gong'an undercover sneak into the United States means the United States, harassment corrupt officials fleeing abroad, forcing them to return home. The US State Department warned China in recent weeks to stop those behaviors.
"New York Times" reported on Sunday that undercover likely to tourism and trade visas to enter the United States to "get tough" to force suspects to return home, will intimidate the fugitive's family in the country, but in recent months the situation becoming more frequent.
Report is unclear whether the FBI or Department of Homeland Security has the Obama administration proposed to deport those undercover, but the White House is determined by the State Council, the Chinese government issued a warning could be the first step in the deployment of expulsion.
Chinese Ministry of Public Security's "Foxfire" main pursuit of fleeing abroad corrupt CCP. "New York Times" quoted the Chinese Ministry of Public Information, "Foxfire" Since last year more than 930 suspects have been repatriated to China.
Chinese President Xi Jinping first state visit to the United States next month. Olympic events will make the study adds.
"The New York Times" / Reuters / AFP
=====
http://hk.apple.nextmedia.com/realtime/international/20150817/54096598
臥底公安潛美 迫貪官返國 遭美國警告
|
美國指中國公安派臥底潛入美國,騷擾逃亡境外的貪官,迫他們返國。美國國務院最近數周警告中國停止那些行為。
《紐約時報》周日報道,那些臥底很可能以旅遊和商貿簽證進入美國,以「強硬手段」迫疑犯回國,亦會恐嚇逃亡者在國內的家人,而近月情況越趨頻密。
報道不清楚美國聯邦調查局或國土安全部有否向奧巴馬政府建議將那些臥底驅逐出境,但白宮決定由國務院向中國政府發警告,可能是部署驅逐的第一步。
中國公安部的「獵狐行動」主要追捕逃亡到境外的中共貪官。《紐約時報》引述中國公安部資料,「獵狐行動」自去年以來已將逾930疑犯遣返中國。
中國國家主席習近平下月首次國事訪問美國。事件將令習奧會增添。
美國《紐約時報》/路透社/法新社
=====
http://www.bbc.com/zhongwen/trad/world/2015/08/150814_us_china_rights_dialogue
Mei Gaoguan: China should improve its human rights to ensure the study visit success
August 14, 2015. 
Senior US State Department official responsible for human rights, said
China should improve its human rights situation, to ensure that US
President Barack Obama and Chinese President Xi Jinping, the success of
next month's summit.
US Department of State for Democracy, Human Rights and Labor Affairs, Assistant Secretary of State Tom Malinowski is working with Chinese officials in Washington to attend the two-day US-China human rights dialogue.
Malinovsky Thursday (August 13) that the US government development of the human rights situation in China, and China's crackdown on the practice of Western "cultural infiltration" of surprise.
He pointed out that if expectations for the US-China summit set a positive tone, China should be "made special progress" on human rights issues.
Malinowski said that senior Chinese officials mentioned recent incidents of police brutality in the United States human rights dialogue, including the police occurred in Missouri Ferguson shot unarmed black man event. But most of the issues are still around China to expand the dialogue.
He said the talks referred to China recently to suppress lawyers and religious freedom, including the requirement to remove part of the church building ten sub-frame, and the proposed amendments to regulations strictly limit NGO activities in China.
Malinowski said that the dialogue "very detailed and substantive" and consultations on human rights issues and pave the way for summit. US-summit agenda is expected to include close economic ties between the two countries, as well as the South China Sea islands and reefs dispute over sovereignty issues.
Xi Jinping is expected to visit the United States in late September week, he held talks with Obama in Washington and attend the UN General Assembly in New York.
The US Senate has 10 senators on Tuesday urged the United States well-known use when President Barack Obama, Chinese President Xi Jinping's visit to Washington next month, to put pressure on China on human rights issues.
10 senators, including a senior Democratic Senate Foreign Relations Committee Senator Cardin, chairman of the Senate Armed Services Committee, including John McCain, said Obama should put human rights as the chairman Xi Jinping visited the United States in September of a "key objective."
(Compiler / Zebian: Xiao Er).
http://www.bbc.com/zhongwen/trad/world/2015/08/150814_us_china_rights_dialogue
美高官:中國應改善人權確保習訪美成功
2015年 8月 14日
美國國務院負責人權事務的高級官員表示,中國應改善人權狀況,確保美國總統奧巴馬和中國國家主席習近平下月的首腦峰會取得成功。
美國國務院負責民主、人權和勞工事務的助理國務卿湯姆·馬利諾夫斯基正與中國官員在華盛頓出席為期兩天的美中人權對話。
馬利諾夫斯基星期四(8月13日)表示,美國政府對中國的人權狀況發展狀況,以及中國打擊西方「文化滲透」的作法感到吃驚。
他指出,如果中國期望為美中首腦峰會定下積極的基調,中國就應當在人權問題上「取得特別的進步」。
馬利諾夫斯基說,中國高級官員在人權對話中提到了美國近日發生的警察暴力事件,包括密蘇里州費格森發生的警察槍殺手無寸鐵黑人男子事件。但對話的大部分議題仍圍繞中國展開。
他表示,會談提到了中國近來打壓律師和宗教自由,包括要求部分教堂建築去掉十子架,以及提議修訂嚴格限制非政府組織在華活動的法規。
馬利諾夫斯基說,有關對話「非常詳細和有實質內容」,並將為首腦峰會磋商有關人權議題鋪路。美中首腦峰會議題預料包括兩國緊密的經濟聯繫,以及中國南海島礁主權爭議問題。
習近平預料將在9月下旬訪美一周,與奧巴馬在華盛頓舉行會談,並在紐約出席聯合國大會。
美國國會參議院10位知名參議員周二敦促美國總統奧巴馬利用中國國家主席習近平下月訪問華盛頓時,就人權問題向中國施壓。
包括美國參議院外交關係委員會資深民主黨參議員卡丹、參議院軍事委員會主席麥凱恩在內的10名參議員表示,奧巴馬政府應當把人權作為與習近平主席9月訪美的一個「關鍵目標」。
(編譯/責編:蕭爾).
=====
http://www.voacantonese.com/content/nc-dc-us-china-human-rights-dialogue/2917798.html
The key issue of human rights will be listed at the Xi Jinping visit
Last Update 14.08.2015 20:53javascript:opened=winOpened();%20if%20(!opened)%20window.__playerWindow%20=%20window.open(winUrl(4,'2917814',false),winName(),winSettings);%20winSetup(4,'2917814',false,%20opened);
US-China human rights dialogue held in the State Department: The following key human rights issues when Xi Jinping will visit the United States.+Play sequence.
In Malinovsky ﹑ State Council for Democracy Human Rights and Labor, said the recent deterioration in the human rights situation in China; China is increasingly stressed the need to fight against "Western cultural infiltration and influence" within the US government also caused concern.
US State Department White House ﹑ ﹑ ﹑ Department of Commerce and the Ministry of Justice and other officials attended the dialogue across sectors. Malinowski described the dialogue "detailed", "substantial", but there are still significant differences between the two governments.
He said that although the party is expected to be a breakthrough in the day did not, but the United States to lift the concern for human rights issues to the Chinese side, the dialogue can be a success.
The Chinese side by the International Department of Foreign Affairs Li Junhua delegation to attend.
State Department spokesman Kirby said Thursday at a regular briefing: "Human Rights Dialogue reflects the importance of human rights issues in US-China bilateral relations and provides the key human rights issues between the two countries continue to discuss opportunities for the end of June in the strategic and economic. Dialogue has discussed human rights issues. And in September, Chinese President Xi Jinping's state visit to the United States when the issue of human rights will also be discussed. "
To combat the infiltration of Western culture in the name of concern
Malinovsky in the media roundtable briefing pointed out that the recent deterioration of the human rights situation in China and the Chinese government has stressed the need to adopt legislation against "Western cultural infiltration and influence", raised some serious questions: Does China still strike more open and with the world's long-term road? Or it has started to go in the opposite direction? This trend will not only hurt the Chinese people, because of China's importance and influence, but also a major concern of the international community.
Malinowski urged China to release immediately lawyers detained, including Wang Yu Zhou Shifeng ﹑ ﹑ Li Heping and Liu Xiaoyuan, et al. The United States also filed ﹑ Pu Zhiqiang Gao Zhisheng and Ilham Tohti and other cases to China. US-China human rights dialogue held on the same day, a protest against Beijing's repression of human rights lawyers held protests in front of the Chinese Embassy.
According to statistics from China Human Rights Lawyers Concern Group, currently has nearly 270 lawyers, law firms workers and activists XingJu, residential surveillance, lost contact, subpoena, interviews or short-term restriction of personal freedom.
US Secretary of State Warren attended the US-China Human Rights Dialogue and delivered a speech. Last time the US human rights dialogue in July 2013, held in Kunming, China.
=====
http://www.voacantonese.com/content/nc-dc-us-china-human-rights-dialogue/2917798.html
人權將在習近平訪美時被列關鍵議題
最後更新 14.08.2015 20:53
美中舉行人權對話 國務院:人權將在習近平訪美時被列關鍵議題
javascript:opened=winOpened();%20if%20(!opened)%20window.__playerWindow%20=%20window.open(winUrl(4,'2917814',false),winName(),winSettings);%20winSetup(4,'2917814',false,%20opened);華盛頓 - 第十九輪美中人權對話星期四(8月13日)在華盛頓開始。率領美方參加對話的美國國務院助理國務卿馬利諾夫斯基呼籲中國立刻釋放被拘禁的維權律師,他還說,人權將被美國列為中國國家主席習近平九月對美國事訪問時的關鍵議題。
在國務院主管民主﹑人權和勞工事務的馬利諾夫斯基說,近來中國的人權狀況惡化;中國越來越強調要打擊“文化滲透與西方影響力”在美國政府內部也引起了憂慮。
美國白宮﹑國務院﹑商務部﹑以及司法部等跨部門官員出席了對話。馬利諾夫斯基形容這次對話“詳盡” ﹑ “具有實質性”,但兩國政府仍然存在顯著差異。
他說,儘管沒有一方預期在一天的時間內會有突破性的進展,但美方得以向中方提起對人權問題的關注,對話可以說是成功的。
中國方面由外交部國際司司長李軍華率團參加。
國務院發言人柯比星期四在例行簡報中說:“人權對話反應了人權議題在美中雙邊關係的重要性,並且提供了兩國繼續討論關鍵人權議題的機會。六月底在美中戰略與經濟對話中曾經討論人權問題。而九月份在中國國家主席習近平對美國進行國事訪問的時候,人權問題也將被討論。”
以打擊西方文化滲透為名令人關注
馬利諾夫斯基在對傳媒的圓桌簡報中指出,中國最近惡化的人權狀況以及中國政府不斷強調要通過法律,打擊“文化滲透與西方影響力”,引起了一些嚴肅問 題:中國是否仍然走向更加開放和與世界接軌的長期道路?還是已經開始走反方向?這個趨勢不但傷害了中國人民,由於中國的重要性和影響力,也引起國際社會的 重大關注。
馬利諾夫斯基敦促中國立刻釋放被拘留的律師,包括王宇﹑周世鋒﹑李和平以及劉曉原等人。美方還向中方提起浦志強﹑高智晟以及伊力哈木土赫提等案例。美中人權對話舉行當天,一個抗議北京鎮壓維權律師的示威活動在中國駐美大使館前舉行。
根據中國維權律師關注組的統計數據,目前有將近270名律師、律所工作人員和維權人士被刑拘、監視居住、失聯、傳喚、約談或短期限制人身自由。
美國國務卿克里出席了美中人權對話並且發表講話。上回美中人權對話是2013年7月份在中國昆明舉行。
=====
按照2015年阿斯彭安全論壇
註冊為2015年阿斯彭安全論壇現已關閉 。 要按照論壇,請訪問我們的多媒體頁面,我們的現場流和視頻檔案。 加入Twitter上的對話通過以下@AspenSecurity並使用包括hashtag #AspenSecurity
NYTimes.com
Why Turkey Is Fighting
the Kurds Who Are Fighting ISIS
author: Sarah ALMUKHTAR and TIM Wallace released
On the same day that Turkey announced it would help fight the Islamic State,
Turkish forces began an airstrike campaign against one of the very
groups that has been crucial to stopping the advance of the Islamic
State.
Since the July 24 announcement, Turkey
has launched several waves of airstrikes against elements of a Kurdish
separatist group known as the P.K.K., which is widely listed as a
terrorist group. But that group and its allies in Syria, who have been closely working with American forces, are pushing Islamic State militants out of areas they once controlled.So
while the United States had long sought Turkey’s help in fighting ISIS,
the events since the agreement reveal the tangle of diverging interests
in the region.
Kurds ↔ U.S.
Coordinating Against ISIS
Kurdish fighters have been coordinating with the American military since last October. From cloaked rooms in northern Syria,
members of the militia known as the Y.P.G. have relayed intelligence
and coordinates for potential airstrike targets to an American
operations center hundreds of miles away.The
resulting strikes have in turn helped the Kurds seize a broad stretch
of territory along the Turkish border from the Islamic State. “The role
of the coalition jets has been essential to these victories,” said Idris
Nassan, a senior Kurdish official from Kobani.
Y.P.G. control, May 28, 2015
Y.P.G. gains since May
ISIS control
TURKEY
Adana
Incirlik
air base
Gaziantep
Qamishli
Kobani
Jarablus
Kilis
Government
controlled
Tal Abyad
Ras al-Ain
Manbij
Al Bab
Aleppo
IRAQ
Hasaka
Ain Issa
SYRIA
Area
of detail
Raqqa
SYRIA
25 MI
The New York Times|Sources: Institute for the Study of War; Kurdish officials
The Y.P.G. is perhaps America’s most
effective ally in Syria against the Islamic State. But American
officials, though they will broadly acknowledge that they are working
with the Y.P.G., take pains not to detail just how closely the forces
are working together, given the group’s ties to the outlawed P.K.K.
Kurdish Y.P.G. fighters check maps as they coordinate an airstrike on an Islamic State position in Hasaka.
Mauricio Lima for The New York Times
Turkey ↔ U.S.
Allies, but With Conditions
The United States has sought Turkey’s
help in the fight against ISIS since last year. Turkey, which has been a
NATO member since 1952 and is considered by American officials to be
critical to weakening the Islamic State in Syria, was reluctant to
participate. Turkey finally agreed to assist, but with some conditions,
including the creation of an ISIS- and Kurdish-free zone in Syria on the
Turkish border.In return, the United
States will be allowed to launch military operations against the Islamic
State from Incirlik Air Base and other bases in Turkey “within a
certain framework,” according to President Recep Tayyip Erdogan.
American officials have been careful not to offend Turkey and have
publicly supported its campaign against the P.K.K..In
a statement on Twitter, Brett H. McGurk, President Obama’s envoy to the
coalition fighting the Islamic State, said, “We fully respect our ally
Turkey’s right to self-defense.”
Y.P.G. control
ISIS control
TURKEY
Adana
Incirlik
air base
Gaziantep
Qamishli
Kobani
Jarablus
Kilis
Government
controlled
Tal Abyad
Ras al-Ain
Manbij
Al Bab
Aleppo
Hasaka
Ain Issa
IRAQ
SYRIA
Approximate zone where U.S. and Turkish forces seek to clear ISIS militants.
Area
of detail
Raqqa
SYRIA
25 MI
The New York Times|Sources: Institute for the Study of War; Kurdish officials.
Kurds ↔ Turkey
Suspicion and Violence
Analysts say that Turkey’s decision to
join the fight against the Islamic State was driven in part by the
threat posed by the Y.P.G.’s rapid territorial gains within Syria. Kurds
across the region have historically sought an independent state, which
the Turkish government strongly opposes. Mr.
Erdogan has said that Turkey “will never allow the establishment of a
new state on our southern frontier in the north of Syria.”
Some areas of violence between Turkey and the P.K.K. since March 2013
Areas of Turkish airstrikes on P.K.K. positions, July 24 to August 3
Kurdish-inhabited areas
Area of
detail
Armenia
Kayseri
Bingol
Turkey
Mus
Diyarbakir
Siirt
Iran
Orumiyeh
Adana
Gaziantep
Kobani
Iraqi
Kurdistan
Iraq
Hasaka
Aleppo
Syria
Mosul
50 MILES
Raqqa
The New York Times|Sources:
International Crisis Group (airstrikes and areas of violence); Michael
Izady, Columbia University’s Gulf 2000 project (Kurdish areas).
For now, Turkey is more actively
targeting Kurdish insurgents with the P.K.K. than it is fighters with
the Islamic State. In Turkey’s recent roundup of 1,300 people it
identified as terrorism suspects, 137 of those arrested were linked to
the Islamic State and 847 were linked to the P.K.K. At the same time,
Turkey bombed P.K.K. positions in southeastern Turkey and northern Iraq,
claiming that the militants could attack Turkish areas from across the
border.The Turkish airstrikes effectively
ended a two-year cease-fire with the P.K.K. and has set off rounds of
protests and clashes between Turkish security forces and Kurdish
militants throughout Turkey. In the meantime, Turkish operations against
the Islamic State have been slow to develop.Mr.
Erdogan’s strategy, according to analysts, is also politically
motivated. In June, his party lost its parliamentary majority partly
because of the electoral success of a pro-Kurdish party. By bombing the
P.K.K., Mr. Erdogan stands to win back votes of nationalists who oppose
Kurdish autonomy.
Turkish airstrikes hitting P.K.K. targets in northern Iraq in late July.
Reuters
Sources: Chatham House, the Royal Institute of International Affairs (Kurdish factions); Caerus Associates
Additional work and reporting by Tim Arango, Jeremy Ashkenas, Rukmini Callimachi and K.K. Rebecca Lai
Correction: August 14, 2015
An earlier version of this article misstated the day that Turkey announced that it would help fight the Islamic State. It was July 24, not June 24.
An earlier version of this article misstated the day that Turkey announced that it would help fight the Islamic State. It was July 24, not June 24.
=====
按照2015年阿斯彭安全論壇
註冊為2015年阿斯彭安全論壇現已關閉 。 要按照論壇,請訪問我們的多媒體頁面,我們的現場流和視頻檔案。 加入Twitter上的對話通過以下@AspenSecurity並使用包括hashtag #AspenSecurity
NYTimes.com
為什麼土耳其是戰鬥的庫爾德人誰是戰鬥ISIS
同日,土耳其宣布將有助於對抗伊斯蘭國家 ,土耳其部隊開始空襲反對運動已經至關重要停止伊斯蘭國家的進步非常的群體之一。
自7月24日宣布,土耳其已對被稱為庫爾德工人黨,它被廣泛列為恐怖組織庫爾德分裂主義集團的元素空襲發起幾波。 但是,這組及其在敘利亞的盟友,誰一直在密切合作的美國的力量,是推動伊斯蘭國家武裝走出他們曾經控制的地區。因此,儘管美國長期以來一直尋求土耳其的幫助,在打擊ISIS,該事件由於該協議顯示發散在該地區利益的糾結。
庫爾德人↔美國
協調打擊ISIS
庫爾德戰士已與協調去年10月以來美國軍方。 從敘利亞北部隱形室 ,
被稱為耀皮玻璃民兵成員傳遞情報,並協調潛在的空襲目標,
以美國運營中心數百英里遠,
得到的罷工已經反過來幫助庫爾德人抓住了廣闊的舒展領土沿著從伊斯蘭國土耳其邊境。
“聯軍飛機的作用是必不可少的這些勝利,
”伊德里斯納蘇,從艾因阿拉伯高級庫爾德官員說。
被稱為耀皮玻璃民兵成員傳遞情報,並協調潛在的空襲目標,
以美國運營中心數百英里遠,
得到的罷工已經反過來幫助庫爾德人抓住了廣闊的舒展領土沿著從伊斯蘭國土耳其邊境。
“聯軍飛機的作用是必不可少的這些勝利,
”伊德里斯納蘇,從艾因阿拉伯高級庫爾德官員說。
耀皮玻璃的控制,2015年5月28日.
五月以來漲幅耀皮玻璃
ISIS控制
火雞
阿達納
因斯里克
空軍基地
加濟安泰普
卡米甚利
艾因阿拉伯
Jarablus
基利斯
政府
受控
塔爾艾卜耶德
在Ras al-Ain的
Manbij
巴布鋁
阿勒頗
伊拉克
Hasaka
艾因·伊薩
敘利亞
區域
詳細
Raqqa
敘利亞
25 MI
紐約時報|來源:學院戰爭研究; 庫爾德官員.
庫爾德戰士鹽田港集團的地圖檢查,他們協調了空襲在Hasaka一個伊斯蘭國家的位置。 毛里西奧·利馬對紐約時報.
土耳其↔美國
盟友,但隨著條件
美國一直尋求土耳其在去年以來對ISIS的鬥爭幫助。
土耳其,自1952年以來這一直是北約成員,
被認為是美國的官員是削弱伊斯蘭國家在敘利亞的關鍵,是不願意參加。
土耳其終於同意協助,但也有一些條件,
包括建立對土耳其邊境的ISIS-和庫爾德自由區在敘利亞。
作為回報,美國將允許發動軍事行動,打擊來自空中因吉爾利克伊斯蘭國基地和其他基地在土耳其“在一定範圍內,”根據總統雷傑普·塔伊普·埃爾多安。 美國官員一直小心,不要冒犯土耳其,並公開支持其競選反對庫爾德工人黨。
在Twitter上發表聲明,布雷特H. McGurk,奧巴馬總統的特使聯軍作戰的伊斯蘭國家,說,“我們完全尊重我們的盟友土耳其有權自衛。“
土耳其,自1952年以來這一直是北約成員,
被認為是美國的官員是削弱伊斯蘭國家在敘利亞的關鍵,是不願意參加。
土耳其終於同意協助,但也有一些條件,
包括建立對土耳其邊境的ISIS-和庫爾德自由區在敘利亞。
作為回報,美國將允許發動軍事行動,打擊來自空中因吉爾利克伊斯蘭國基地和其他基地在土耳其“在一定範圍內,”根據總統雷傑普·塔伊普·埃爾多安。 美國官員一直小心,不要冒犯土耳其,並公開支持其競選反對庫爾德工人黨。
在Twitter上發表聲明,布雷特H. McGurk,奧巴馬總統的特使聯軍作戰的伊斯蘭國家,說,“我們完全尊重我們的盟友土耳其有權自衛。“
耀皮玻璃控制
ISIS控制
火雞
阿達納
因斯里克
空軍基地
加濟安泰普
卡米甚利
艾因阿拉伯
Jarablus
基利斯
政府
受控
塔爾艾卜耶德
在Ras al-Ain的
Manbij
巴布鋁
阿勒頗
Hasaka
艾因·伊薩
伊拉克
敘利亞
近似區,在美國和土耳其軍隊試圖清除ISIS武裝分子。
區域
詳細
Raqqa
敘利亞
25 MI
紐約時報|來源:學院戰爭研究; 庫爾德官員.
猜疑和暴力
分析人士說,土耳其決定加入反對伊斯蘭國的戰鬥是由耀皮玻璃的內迅速敘利亞領土的收益造成的威脅驅動部分。 整個地區的庫爾德人在歷史上尋求一個獨立的國家,這對土耳其政府的強烈反對。先生 埃爾多安說,土耳其“絕不允許建立一個新的國家我們在敘利亞北部邊境南部。”
土耳其和庫爾德工人黨之間的暴力,因為2013年3月一些地區
對庫爾德工人黨的位置,7月24日土耳其空襲地區8月3日
庫爾德人聚居區
面積
細節
亞美尼亞
開塞利
賓格爾
火雞
畝
迪亞巴克爾
錫爾特
伊朗
Orumiyeh
阿達納
加濟安泰普
艾因阿拉伯
伊拉克人
庫爾德斯坦
伊拉克
Hasaka
阿勒頗
敘利亞
摩蘇爾
50英里
Raqqa
紐約時報|來源:國際危機集團(空襲和暴力的地區); 邁克爾Izady,哥倫比亞大學的海灣2000年項目(庫爾德地區).
目前,土耳其是更加積極地針對庫爾德叛亂分子與庫爾德工人黨比它的戰士與伊斯蘭國家。
在 土耳其最近對1300人就認定為恐怖嫌疑人圍捕,被捕者有聯繫的伊斯蘭國家和847分別連接到庫爾德工人黨與此同時137,土耳其轟炸了在土耳其東南部與 伊拉克北部的庫爾德工人黨的立場,聲稱武裝分子可以從越過邊界襲擊土耳其的地區。
土耳其空襲有效地結束了為期兩年的停火與庫爾德工人黨,並掀起了幾輪抗 議,土耳其安全部隊與庫爾德武裝分子在土耳其之間的衝突。 在此期間,對伊斯蘭國家土耳其的業務一直發展緩慢。
先生 埃爾多安的戰略,據分析,也出於政治動機。 今年六月,他的黨失去了親庫爾德政黨的選舉成功的部分原因是其議會的多數席位。 通過轟炸庫爾德工人黨,埃爾多安先生代表贏回誰反對庫爾德人自治的民族主義者的選票。
土耳其空襲打擊在伊拉克北部的庫爾德工人黨武裝目標,7月下旬。 路透.
=====
http://research.zscaler.com/2015/08/chinese-cyber-espionage-apt-group.html
Friday, August 14, 2015.
Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm
Introduction
As predicted following the leak of Hacking Team exploit codes covered here
, the Zscaler security research team has recently started seeing a
Chinese cyber espionage group weaponizing malware payloads using the
0-day exploits found in the leaked Hacking Team archives.
As such, this new attack represents a dangerous new hybrid combining
the work of a notorious cyber criminal gang with Chinese cyber espionage
group to attack a financial services firm.
Zscaler's cloud sandboxes recently detected a Remote Access Trojan
(RAT) being delivered by a well-known Chinese cyber espionage group
using the Hacking Team's 0-day exploits. This attack was specifically targeting a well-known financial services firm.
The exploit files involved were identical to the Hacking Team's leaked
exploit HTML, JavaScript, and ShockWave Flash 0-day files.
The end payload that was installed is the HttpBrowser RAT, known to be
used by the Chinese group in previous targeted attacks against
governments.
 |
| Figure 1: Chinese APT attack cycle to plant HttpBrowser RAT |
Hacking Team Exploits
The attack involved targeted users visiting a malicious URL delivered via a spear phishing attack.
The malicious URL points to a remote server located in Hong Kong (IP
Address - 210.209.89.162) that downloads and executes a malicious
ShockWave Flash payload through a specially crafted HTML &
JavaScript.
The exploit files involved are identical to the ones that we found
during our analysis of the Hacking Team leaked code as seen below:
 |
| Figure 2: Resemblance with Hacking Team's exploit HTML |
 |
| Figure 3: Resemblance with Hacking Team's SWF exploit |
The Adobe ShockWave exploit ( CVE-2015-5119
) if successful will download and install a variant of the HttpBrowser
RAT from the same Hong Kong based server which eventually also serves as
the Command & Control (C&C) server.
 |
| Figure 4: Hong Kong based server used in the attack [credit: domaintools.com] |
Malware Payload - HttpBrowser RAT
HttpBrowser is a RAT that has become extremely popular in past two
years among the APT adversaries, leveraged in various targeted attacks.
The RAT has been leveraged as the primary payload by the APT group that
is also known to install the nasty Backdoor PlugX RAT during lateral
movement in the victim environment after compromise.
The HttpBrowser payload used for the attack was compiled just few days before the attack as seen below:
| |
| Figure 5: HttpBrowser payload compilation time |
The HttpBrowser installer archive structure is very similar to that observed in previous PlugX attacks. The installer archive in our case was svchost.exe (saved as xox.exe) that consisted of the following three files:
- VPDN_LU.exe - A legitimate digitally signed Symantec Antivirus executable to evade detection
 |
| Figure 6: Legitimate Symantec Antivirus executable used in the attack |
- navlu.dll - A fake Symantec DLL to decrypt and run the HttpBrowser RAT
- navlu.dll.url - Encrypted HttpBrowser RAT payload
The HttpBrowser RAT installer is responsible for dropping the above
three files and running the legitimate Symantec Antivirus binary
VPDN_LU.exe. The legitimate binary contains the navlu.dll in the import table ensuring that the DLL will be loaded before it runs.
The navlu.dll that gets loaded in this case will be the fake Symantec
DLL file present in the same directory and it will patch the entry point
of the main executable file with a jump instruction to run the DLL's
code instead.
 |
| Figure 7: Legitimate executable entry point patched |
 |
| Figure 8: Incremental XOR routine to decrypt RAT payload |
The HttpBrowser installer structure ensures that the malware evades
detection by running in the context of the legitimate signed binary. This also ensures that the malicious DLL will not run by itself in automated analysis environments.
The malware then deletes the original installer file and moves the dropped files to the following location:
- %ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe
- %ALLUSERPROFILE%\%APPDATA%\vpdn\navlu.dll
- %ALLUSERPROFILE%\%APPDATA%\vpdn\navlu.dll.dll
The malware also creates the following registry entry to ensure persistence:
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn “%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe”
Command & Control communication
The HttpBrowser RAT variant was configured to connect to the following Command & Control server upon successful infection:
- update.hancominc[.]com:8080
It relays the following information of the victim machine in an encrypted format over SSL:
/loop?c=<computerName & userName>&l=<IP Address>&o=<Operating System details>&u=<GUID>&r=<Injection Status (Boolean)>&t=<Running Time>
The commands supported by this RAT variant are:
Command
|
Description
|
init
|
start reverse shell and send list of drives on infected system.
|
setcmd
|
change the default (cmd.exe) shell
|
settime
|
Set sleep time
|
uninstall
|
uninstall itself
|
write
|
write command to shell
|
list
|
Send list of files and folders to C&C
|
upload
|
Download file from C&C
|
down
|
Upload file to C&C
|
Here are some sample decrypted C&C transactions from the HttpBrowser RAT:
 |
| Figure 9: List of drives sent as part of the init command |
 |
| Figure 10: List of files sent as part of the list command |
Conclusion
HttpBrowser RAT, due to the range of features including SSL based
C&C channel, anti-detection & anti-analysis techniques, remains
the popular malware of choice for APT attacks.
There have been multiple instances where this RAT co-existed with PlugX
RAT on the compromised network indicating an APT adversary group with a
set attack tool arsenal. The network infrastructure leveraged in this attack against the financial services firm shows involvement of a previously known Cyber espionage APT group of Chinese origin. The main motive of this group is to monitor and exfiltrate intellectual property data from the target organization.
Zscaler's ThreatLabZ has confirmed coverage for these exploits and for
the HttpBrowser variant, ensuring protection for organizations using
Zscaler's Internet security platform.
Research by: Abhay Yadav, Avinash Kumar, Nirmal Singh, Deepen Desai
=====
http://research.zscaler.com/2015/08/chinese-cyber-espionage-apt-group.html
週五,2015年8月14日.
介紹
正如預測的那樣跟隨黑客團隊的洩漏漏洞的代碼覆蓋這裡 ,在Zscaler的安全研究團隊最近開始使用看,在洩露的黑客團隊檔案中發現的0-day漏洞是中國網絡間諜組武器化的惡意軟件的有效載荷。 因此,這種新的攻擊是一個危險的新的混合動力一個臭名昭著的網絡犯罪團伙的工作結合中國的網絡間諜群攻一家金融服務公司。
Zscaler的雲沙箱最近檢測到一個遠程訪問木馬(RAT)交付使用黑客團隊的0-day漏洞的著名中國網絡間諜小組。 這種攻擊是專門針對某知名金融服務公司。 參與該漏洞的文件是相同的黑客團隊的洩露漏洞的HTML,JavaScript和的Shockwave Flash 0天的文件。 已安裝的有效載荷到底是HttpBrowser RAT,已知以前有針對性的對政府的攻擊中使用了中國隊。
| |
| 圖1:中國APT攻擊週期來廠HttpBrowser RAT |
黑客利用漏洞隊
參與這次襲擊的目標用戶訪問通過魚叉式釣魚攻擊提供惡意網址。 惡意URL指向位於香港的遠程服務器(IP地址 - 210.209.89.162)的下載,並通過特製的HTML和JavaScript的執行一個惡意的Shockwave Flash的有效載荷。 涉及的漏洞文件是相同的,我們在我們的團隊黑客的分析過程中發現的洩露代碼如下所示的那些:
| |
| 圖2:相似性與黑客小組的利用HTML |
| |
| 圖3:形似與黑客團隊的SWF利用 |
Adobe的衝擊波漏洞( CVE-2015-5119 ),如果成功將下載並安裝在同一個香港的服務器,它最終也作為指揮和控制(C&C)服務器HttpBrowser RAT的一個變種。
| |
| 圖4:在攻擊中使用香港的服務器[來源:domaintools.com] |
惡意軟件有效載荷 - HttpBrowser RAT
HttpBrowser是RAT已成為過去兩年非常流行的APT對手中,利用各種有針對性的攻擊。 大鼠被利用作為由也被稱為妥協後,受害人的環境橫向移動過程中安裝後門討厭RAT PlugX的APT組的主要有效載荷。
用於攻擊HttpBrowser有效載荷被編譯在襲擊前剛剛幾天,如下所示:
| |
| 圖5:HttpBrowser有效載荷編譯時間 |
所述HttpBrowser安裝程序存檔結構非常相似,在前面的觀察PlugX攻擊。 在我們的例子中安裝程序存檔是svchost.exe的(保存為xox.exe)是由以下三個文件:
- VPDN_LU.exe - 一個合法的數字簽名的賽門鐵克殺毒軟件的可執行文件,以逃避檢測
| |
| 圖6:在攻擊中使用合法Symantec防病毒可執行文件 |
- navlu.dll - 一個假賽門鐵克DLL來解密和運行HttpBrowser RAT
- navlu.dll.url - 加密HttpBrowser RAT有效載荷
該HttpBrowser RAT安裝人員負責下探上述三個文件和運行合法賽門鐵克殺毒軟件的二進制VPDN_LU.exe。 合法的二進制文件包含導入表確保運行之前它DLL將被加載的navlu.dll。 即得到在這種情況下,裝載的navlu.dll將是假的賽門鐵克DLL存在於同一目錄中的文件,它將修補主可執行文件的入口點與一個跳轉指令以運行該DLL的代碼代替。
| |
| 圖7:合法的可執行文件入口點補丁 |
| |
| 圖8:增量XOR常規解密RAT有效載荷 |
該HttpBrowser安裝結構,確保惡意軟件檢測逃避通過在合法的符號二進制的上下文中運行。 這也確保了惡意DLL本身不會在自動分析環境中運行。
該惡意軟件,然後刪除原始安裝程序文件,移動文件回落到以下位置:
- %ALLUSERPROFILE%\%APPDATA%\ VPDN \ VPDN_LU.exe
- %ALLUSERPROFILE%\%APPDATA%\ VPDN \ navlu.dll
- %ALLUSERPROFILE%\%APPDATA%\ VPDN \ navlu.dll.dll
該惡意軟件還會創建如下註冊表項,以確保持久性:
- HKEY_USERS \軟件\微軟\的Windows \ CurrentVersion \ Run中VPDN“%ALLUSERPROFILE%\%APPDATA%\ VPDN \ VPDN_LU.exe”
指揮與控制通信
該HttpBrowser RAT變種被配置為連接到在成功感染下面的命令和控制服務器:
- [] update.hancominc COM:8080
它繼電器在受害者機器在通過SSL加密格式的下列信息:
/循環?C = <計算機和用戶名>&L = <IP地址>&O = <操作系統詳細資料>&U = <GUID>&R = <注射狀態(布爾)>&T = <運行時間>
該變種RAT支持的命令是:
命令
|
描述
|
在裡面
|
反向啟動外殼和發送驅動器列表中受感染的系統。
|
SETCMD
|
更改默認的(CMD.EXE)外殼
|
設置時間
|
設置睡眠時間
|
卸載
|
自行卸載
|
寫
|
寫命令殼
|
名單
|
發送文件和文件夾列表C&C
|
上載
|
從C&C下載文件
|
向下
|
上傳文件到C&C
|
下面是一些示例解密的C&C的HttpBrowser RAT交易:
| |
| 圖9:驅動器列表將作為init命令的一部分 |
| |
| 圖10:文件列表發送的列表命令的一部分 |
結論
HttpBrowser RAT,由於特徵的範圍包括基於SSL的C&C信道,反檢測與抗分析技術,仍首選APT攻擊流行惡意軟件。 在有些情況下這種RAT共存與PlugX RAT的網絡受損指示APT攻擊者組,一組攻擊工具庫上的多個實例。 在槓桿對金融服務公司這種攻擊的網絡基礎架構顯示先前參與已知的原產於中國的網絡間諜APT組。 該小組的主要動機是為了監視和目標組織exfiltrate知識產權數據。
Zscaler的ThreatLabZ已經確認覆蓋這些漏洞,並為HttpBrowser變種,確保保護利用Zscaler的互聯網安全平台的組織。
通過研究:阿沛·亞達夫,阿維納什·庫馬爾·辛格尼爾默爾,深化德賽
=====
We think, we often newspaper quoted swastika broadcast media only: Hong Kong's Apple Daily, the New Tang Dynasty TV and some of the US, and Europe media now!
We have the not to see Seoul Koren- 'Park Hui' accused Japanese Prime Minister, Mr. Shinzo Abe ,,
We feel scared!
'Park would like to sell out the benefits of moral,, we Seoul Korean peoples!
Same China-pig Communism collusion with Seoul Korea- 'Park Hui , insult our people Probity Features!
[70] described the post-war thing happened the last century,Mr. Abe did not look like 70 years old now!
The Japan Mikado should be the responsible person ,,
His oblique accusations; make us disgusted..
Obviously you this year involved the Emperor of Japan,
Dare to accuse an interval of 70 years; not stained knife shot of Mr. Abe ,,
Sadly, the old emperor really shame and sad!!
Every day by China rogue livestock military attack Our Great American Empire network!Russia rat Snowden sell out any American citizen, the US government, the US industry, the American resources .. and so on!
Russia this mouse Baichibaihe get American civil rights;
We then took a large American empire of resources betrayed!?
Pretend Heroes; mounted IS Crimea rebels; but the poor man to get any evil Bitcoin charity!
So performing arts classes Russia rat Snowden,, so in love Pretend hero!?How not to kill and get the head of the Communist Party,,get the continent China pigs corrupt officials ah? !!
Those kill people as the Communist Party of China pig ;
This is you- why the Russia-rat can not did it??! Hu@Fuck!...
Your is the epitome of hero and the coward . -hate you-
you alone to live - A life in the dark, rat caught in Russia; this is your hell! "
Please stop pollution tweets,, but do not pretend to be Anonymous!We have absolutely no corruption's chivalrous Anonymous, no greed, no trouble, only for moral swastika fight !!
Melody.Blog sigh ``
=====
"看到近日各式媒體在對日本【戰後70年】首相安倍晉三先生的挑剔冷毒言詞來發佈新聞!真的讓我們驚訝:眼界大開!
我們在想,我們時常引用的卍報播媒介只剩下:香港蘋果日報,新唐人電視和一些美日歐媒體吧!
再看到樸謹惠指責日本首相安倍晉三先生,,我們感到心寒!樸謹惠出賣我們韓國人民的道德,,
跟共產主義支那豬勾結,污辱我們南韓人們的清廉結特色!
【戰後70年】說明上一世紀發生的事情,看安倍晉三先生沒有70歲吧!
日本天皇才是應該負責任的人,,
他的指桑罵槐;令我們反感..
明明是你這日本天皇當年參與其中,
還敢指責隔了70年;不沾上一刀一槍的安倍晉三先生,,
真的可笑可悲的老皇帝!!
我們大美帝國每天都被支那牲畜流氓網軍攻擊!俄國老鼠斯諾登出賣任何一位美國公民,美國政府機關,美國產業,美國資源..等等!
這俄羅斯老鼠白吃白喝白拿了美國公民權利;
然後拿著我們大美帝國的資源出賣!
裝英雄;裝IS克里米亞的叛亂份子;裝可憐博取任何人施捨邪惡的比特幣!
這麼個演藝班俄羅斯老鼠斯諾登,,那麽愛裝英雄!?
怎麽不去拿下大陸共產黨支那豬的貪污官員的人頭啊?!!
那些殺人民如公務的大陸共產黨支那豬劊子手;
你這俄羅斯老鼠不敢幹嗎??!嘿嘿
英雄和狗熊便是你的縮影了.
一生活在黑暗中,在俄羅斯老鼠夾縫中;這是你的地獄!"
請你別再污染推特,,更別自命為匿名!我們的俠義匿名們絶對不貪污,不貪婪,不鬧事,只為卍道德而戰!!
Melody.Blog 感嘆``
=====
Updated: Hong Kong's Apple Daily reported ^^ -
更新:香港蘋果日報報導^^-**All THe Would City Lauguage**-
http://melody-free-shaing.blogspot.com/2015/08/update-1508-2015by-hkapplenextmediacom.html
-Update [17/08-2015]in the end garbage continent China-pig ''(Ministry of Foreign Affairs, also known as "Hybrid intercourse,, below) '' in '' masturbation 'what?! Shameful "beast than"! -By -hk.apple.nextmedia.com -&- Ntdtv. com -&- cna.com.tw/news-&-epochtimes.com-&-thehackernews.com-&-abc.net.au-&-snip.ly/giNB-
-Update[17/08-2015]到底大陸垃圾支那豬''(外交部 又名雜交 部,,下同)''在''自瀆''甚麽呢!這些禽獸不如!由-hk.apple.nextmedia.com-&-ntdtv.com-&-cna.com.tw/news-&-epochtimes.com-&-thehackernews.com-&-abc.net.au-&-snip.ly/giNB-**All The World Country Lauguage**-
http://melody-free-shaing.blogspot.com/2015/08/update-1508-2015by-hkapplenextmediacom.html
*Update [15/08-2015]By-hk.apple.nextmedia.com released - [] Pearl Harbor 70 years[] after the war,, fireworks mark the end of the war with Japan and the US !- and - [17/08-2015] '' undercover public security latent US,,forced repatriation of corrupt officials by the US warnings!- and - by the bbc.com[14/08-2015] released - "Mei Gaoguan: China should improve its human rights study visit to ensure success"! - and - by the voacantonese.com [17/08 hair -2015] cloth - "Human rights will be listed when Xi Jinping visited the United States on key issues ...!" - and - by the NYTimes.com [12/08-2015] - author: Sarah ALMUKHTAR and TIM Wallace released - "Why Turkey is fighting the Kurds who are fighting ISIS !!" -and -research.zscaler.com[14/08-2015] issued - "Chinese spy network leveraging APT group recently leaked by hackers team utilized positioning , a financial services company!"-
更新[15/08-2015]hk.apple.nextmedia.com發佈的-【戰後70年】珍珠港放煙花,,日美同紀念戰爭結束~和-[17/08-2015]''臥底公安潛美,,迫貪官返國,,遭美國警告!-和-由bbc.com[14/08-2015]發佈的-"美高官:中國應改善人權確保習訪美成功"-和-由voacantonese.com[17/08發-2015]發佈的-"人權將在習近平訪美時被列關鍵議題~"-和-由NYTimes.com[12/08-2015]-作者:莎拉ALMUKHTAR和 TIM華萊士發佈的-"為什麼土耳其是戰鬥的庫爾德人誰是戰鬥ISIS !!"-和-research.zscaler.com[14/08-2015]發佈的-"中國網絡間諜APT組借力最近洩露黑客團隊利用定位一個金融服務公司!"-
Aktualisieren [15/08-2015] By-hk.apple.nextmedia.com veröffentlicht - [] Pearl Harbor 70 Jahre [] nach dem Krieg ,, Feuerwerk das Ende des Krieges mit Japan und den USA -und - [17/08-2015] '' Undercover öffentliche Sicherheit latent US ,,Zwangsrückführung von korrupten Beamten von den US-Warnungen -und- durch die bbc.com [14/08-2015] veröffentlicht- "Mei Gaoguan: China sollte seine Menschen verbessern Rechte Studienbesuch zum Erfolg zu gewährleisten!''- Und- durch die voacantonese.com [17/08 Haare -2015] Tuch - "Die Menschenrechte werden aufgelistet, wenn Xi Jinping besuchte die Vereinigten Staaten in Schlüsselfragen ..." - Und - durch die NYTimes.com [12/08-2015] - Autor:Sarah ALMUKHTAR und TIM Wallace veröffentlicht - "Warum die Türkei im Kampf gegen die Kurden, die Bekämpfung von ISIS werden !!" -und -research.zscaler.com [14/08-2015] abgegeben - "Chinese Spionagenetz nutzt APT Gruppe kürzlich von Hacker-Team genutzt Positionierung, ein Finanzdienstleistungsunternehmen ausgelaufen!"-
**All The World City Lauguage**-
http://melody-free-shaing.blogspot.com/2015/08/update-1508-2015by-hkapplenextmediacom.html
===elody.Blog===FOLLOW FOLLOW===>/
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
沒有留言:
張貼留言
window.___gcfg = {
lang: 'zh-CN',
parsetags: 'onload'
};