Attacks/Breaches
6/11/2014
10:35 AM
Connect Directly
RSS
E-Mail
50%
50%

Experts: CrowdStrike China Hacker Report Raises Red Flags For Business

The second report on China's hacking teams supports Department of Justice's accusations, offers insight on Chinese attackers.

The release of another report on state-sponsored hacking activities in China earlier this week should remove all doubt: The intellectual property of Western enterprises is being targeted for data theft.

That's the consensus of most security experts in the wake of Monday night's release of a new CrowdStrike report detailing the activities of an organized group of Chinese cyber attackers affiliated with the People's Liberation Army (PLA). The report, which describes the attackers' activities down to the military unit, buildings, and even individuals involved, offers a sobering insight into the way China's state-sponsored groups target Western enterprises -- in this case, satellite and aerospace communications.

CrowdStrike published the report partly as a red flag to US businesses, and partly as a response to the Chinese government's continued denials of Department of Justice allegations of state-sponsored corporate espionage by China three weeks ago.

"We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials," says CrowdStrike CEO and co-founder George Kurtz in a blog written for Dark Reading. "Most executives and boards of directors have no idea just what damage is being done to their corporations."

"This is a smoking keyboard," says Adam Meyers, vice president of intelligence at CrowdStrike. "We've got a guy in China registering [malicious] domains on behalf of the third General Staff Department of the 12th Bureau of the PLA. It doesn't get tied up with a neat little bow any better than that."

The report also outlines some of the tactics used by the attackers, including exploits of Adobe Acrobat and Microsoft Office that are two years old or more. "Some of what we see is not particularly sophisticated, but it's working," Meyers says. "And this group is very active."

Industry experts said the CrowdStrike report is a cautionary tale that should get enterprises thinking about defenses not only against financially motivated cyber criminals, but against state-sponsored hacking of intellectual property.

"Cyber attacks are on the rise -- from nation-sponsored espionage to cyber criminals stealing data from major retailers and universities," says Eric Chiu, president and co-founder of security firm HyTrust. "Based on this, no company is immune, and security needs to be a top priority, rather than an afterthought or insurance plan. Also, attackers are getting more sophisticated -- in many cases using APTs and social engineering to steal credentials and gain access to corporate networks." 

"The recent discovery by CrowdStrike constitutes another link in the chain of evidence of the growing determination, sophistication, and craftsmanship of mission-driven hackers," says Eyal Firstenberg, vice president of cyber research at security company Light Cyber. "While traditional security measures have been optimized to stop run-of-the-mill viruses and bots, the nation-state mission-driven actors follow a different dynamic. It should therefore come as no surprise that a crafted PDF attachment tailor-made for a specific victim can bypass that victim's mail attachment scanner and other specific security measures.

"These sophisticated attacks highlight the need for organizations to deepen their security posture beyond the traditional intrusion prevention and focus on detecting and reacting to breaches in ways that don't assume a specific, predictable point of intrusion."

"These attacks show how effective the combination of social engineering and exploits can be," says Jerome Segura, senior security researcher at Malwarebytes. "A considerable amount of effort is put into identifying the target by combing through any data found on social networking sites, press releases, etc. Then, carefully crafted exploit documents with a theme that would appeal to the victim are sent as spear phishing emails.

"Those files, which are not malware executables, are able to defeat spam and antivirus protection and find their way to the target's inbox," Segura tells us. "While most people have been trained to be careful with zip attachments that may contain malware, very few would think twice before opening a PDF document. All it takes is a vulnerable version of Adobe Reader or Office, and the booby-trapped file will start downloading and installing malware on the system -- at which point it's already too late."

Meyers hopes the report will be a wakeup call for businesses. "We have a group that takes its instructions from the military collecting data from Western enterprises in a $180 billion market in order to give a competitive advantage to Chinese industry," he says. "Make no mistake -- they are stealing intellectual property from Western businesses."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/11/2014 | 11:51:10 AM
Documented Orders
Having been on the wrong end of accusations as a young man where evidence appeared to point to me for something I wasn't involved in, I'm a fan of seeing a proper document trail when reaching conclusions as weighty as these - playing Devil's advocate, I'd love to see Anonymous or WikiLeaks produce some emails or other official Chinese Gov't documentation that documents direct orders for the activities documented in these reports.

That said, what is our response?  I've mentioned before that the US white hatters need to start thinking like black hatters, skipping gray and jumping straight to the dark side.  The ability of our cyber crime specialists to do this is there, just as the military has "black ops" and uses them to great efficiency - so we imagine – we need to do the same in our fight against cyber crime; the field is still fresh, and there is room for creativity.  The better, more aggressive, more offensive and thorough our cyber crime teams become, the harder a time teams like those in China will have getting a foothold in our cyber territory.

 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.