Attacks/Breaches
5/20/2014 06:40 PM

Chinese Hacking Charges a Wakeup Call for Both China & US Businesses

Indictments open the door for more aggressive US litigation of intellectual property theft by China -- but with possible costs to US businesses.

Call it a calculated risk: The US Department of Justice conducted an unprecedented naming and shaming yesterday of five members of an infamous Chinese military unit known for spying on US companies for intellectual property and other valuable commercial intelligence.

A day after pictures of the men (two in military uniform) were plastered on FBI Most Wanted posters, the fallout already has begun. No one expects China to extradite the defendants to the US, to admit to stealing corporate secrets from US firms to assist its state-owned businesses, or to promise to curtail that activity. The hope is that the aggressive US strategy of taking very public legal action against China's cyberespionage activity will at least send a chill through China's advanced persistent threat operatives.

As expected, China has strongly denied the charges, which cite specific incidents of cybertheft from major US corporations by the five defendants: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui of Unit 61398 of the Third Department of China's People's Liberation Army in Shanghai. Chinese officials confronted the US ambassador to China, Max Baucus, about the indictment and warned that it would have consequences. Today Chinese officials released data from the country's national CERT that they say shows US-based botnet command-and-control servers controlling 1.18 million host machines in China.

"This [the DOJ indictment] is the first salvo in a tit-for-tat that is going to go on. China is going to retaliate," says Timothy Ryan, a managing director with Kroll Advisory Solutions' cyber investigations practice and a former FBI official who headed its cybersquad.

That may mean an escalation of targeted hacking, experts say. But retaliatory hacking could backfire on China, which is now under criminal scrutiny by the US and could face further exposure and indictments of its hackers. Robert Anderson, executive assistant director of the FBI, said yesterday that criminal charges for such activity by China or other nations would be "the new normal," and that the indictment opens the floodgates for other charges.

"The United States has chosen the old stick and carrot approach -- rewards and punishments -- when it comes to conducting cyber diplomacy with China. What we are seeing now with the announcement yesterday is the stick, a shot across the bow, and it should be taken seriously by the Chinese. In the past few weeks, the US was primarily using the carrot as an incentive," says Franz-Stefan Gady, senior fellow with the EastWest Institute. "It is now China's turn to remove some of the veils covering its activities in cyberspace in order to de-escalate tensions."

Though China quit the new China-US working group on cyber security yesterday in protest over the indictment, Gady says China isn't likely to make any moves to derail the recent military dialogue between US Secretary of Defense Chuck Hagel and General Chang Wanquan.

Also, Gady doesn't expect the indictment controversy to hurt the US-China anti-spam collaboration effort, which the EastWest Institute helped establish in February 2011. "I do think that cooperation on the technical level will continue unhindered. The great thing, but also the downside, of tech-tech cooperation is that it is inherently apolitical and not subject to temporary political ill winds."

It is highly unlikely that the five indicted members of Unit 61398 will ever be tried for these crimes, but they now have some significant travel restrictions. "If they have kids in school in other countries," the members won't necessarily be free to travel there, says Michael Quinn, associate managing director with Kroll's Cyber Investigations Practice and a former FBI supervisory special agent in the Cyber Division. "If they want to see their kid graduate" from a US college, "they may not travel there now, because they're going to get arrested." They also could be taken into custody "if they are IDed outside the country somewhere friendly to the US."

Quinn says the indictment handed down yesterday had been in the works for a long time. "What we saw yesterday was the outcome of a very long process."

And experts say there are plenty more in the pipeline.

The indictment also may have some unintended consequences for the victim organizations named in the case, which include Alcoa, Allegheny Technologies Incorporated, SolarWorld, US Steel, and Westinghouse Electric. "It could go from the criminal realm to the civil realm," Ryan says. "Now that these very persistent breaches were made public, you're going to have shareholders asking you: What did you do? When did you know it? How many times were you breached? Was this in the prospectus?"

Kristen Verderame, CEO of Pondera International, says the DOJ move should be a wakeup call for US companies doing business in China and with Chinese companies. "It will open the eyes of US companies to the dangers. If you are doing joint ventures, you need to have your cyber security [strategy] up front and be very careful" sharing information electronically, for example. "If you deal with China, you have to do so with your eyes open."

That level of scrutiny could make it more difficult for China to steal intellectual property from its US corporate partners without the threat of exposure by US law enforcement, experts say. China is culturally averse to such public embarrassment, they say.

"The US is looking to get some sort of agreement from China... that moderates their behavior," Ryan says. "I don't think anyone would fault China for spying to protect its political and economic security... but you can't have it both ways. You can't be a capitalist nation but use a state-sponsored apparatus to create this uneven playing field. That's no different than China subsidizing all exports so no one [from other countries] can compete in China."

This new pressure on China to dial back its cyberspying for commercial profit is unlikely to yield major results anytime soon. "I wouldn't think these allegations will stop the Chinese in stealing trade secrets, as I'm sure they will change their TTPs [tactics, techniques, and procedures] and will likely start looking for a mole or any internal leaks," says John Pirc, CTO of NSS Labs and a former CIA agent.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
ThreatTrack Security, User Rank: Author
5/22/2014 | 2:01:19 PM
Wakeup Call
Don't forget about Huawei.
Randy Naramore, User Rank: Ninja
5/22/2014 | 10:05:14 AM
Re: Stick in the Eye
I agree, this sounds like job security for the IT Security folks. Attempting to monitor activity of employees will result in needing more staff, thoughts?
Kelly Jackson Higgins, User Rank: Strategist
5/22/2014 | 9:48:33 AM
Re: Stick in the Eye
As we saw with Snowden, the human element is difficult to manage. Organizations just need to be more vigilant and do a better job monitoring user behavior and minimizing access to data they don't need.
Randy Naramore, User Rank: Ninja
5/22/2014 | 9:22:17 AM
Re: Stick in the Eye
Good point, you want to hire the best person for the job regardless of where they are from but in today's climate you must consider the risks of employees leaking information even casually to friends and family.
ThomasL787, User Rank: Apprentice
5/21/2014 | 8:48:26 PM
Re: Stick in the Eye
It's all well and good to point fingers at various and sundry groups outside of the United States, but are they the only ones we have to worry about? Every time a US company hires a foreign (H1B) worker, they are potentially exposing their intellectual property to the world.

Even if the worker is trying to be trustworthy, they can inadvertently expose crucial information to their friends "back home" in casual conversations.

If they are malicious, they can do a fair amount of damage as we have seen with Mr. Snowden. After all, if the company is harmed by the loss of some secret formula or algorithm, it's no problem for the worker because they will probably only be in the position for a year or two before they go back home.
Kelly Jackson Higgins, User Rank: Strategist
5/21/2014 | 9:57:51 AM
Re: Stick in the Eye
I think one of the key outcomes here is awareness... putting faces and names to the deeds humanizes the seemingly abstract and invisible activity. Oh, and the named defendants won't be doing much world travel now.
Drew Conry-Murray, User Rank: Ninja
5/21/2014 | 9:54:35 AM
Stick in the Eye
It can be satisfying to poke a stick in the eye of your opponent, and to get the reprehensible behavior of the NSA off the front page for a day or two, but those are the only effects these charges will have.