Risk
10/22/2009
03:35 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Evidence Points To China In Cyber Attacks

A Northrup Grumman report suggests that the Chinese government is behind a coordinated series of attacks on U.S. government and private sector computer systems.

Evidence "strongly suggests" that the Chinese government is conducting a sophisticated hacking campaign to steal U.S. government and industry secrets, according to a new report prepared for a Congressional panel.

"The problem is characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks, and an ability to sustain activities inside targeted networks, sometimes over a period of months," according to the report, written by Northrop Grumman for The US-China Economic and Security Review Commission.

The attacks have resulted in deeper access to resources and system schematics than cyber criminals typically accomplish, and most of the data that has been stolen has been defense- and policy-related, suggesting a state actor, the report says. The network intrusions are thought to be part of a broader "information warfare" strategy that China has been developing for the past 10 years.

A time line in the report, supported mostly by news reports, shows a series of attacks from within China on U.S. government computers, including those belonging to the Department of State, White House, NASA, and Department of Defense agencies.

One reason China has been so successful is that the U.S. government and private sector continue to focus more on reacting to vulnerabilities and malware than on stopping zero-day attacks, the report maintains.

The U.S. government is developing its own cybersecurity and cyberwar capabilities, most recently bringing cyberwar responsibilities under the leadership of a new Cyber Command, headed by NSA director Keith Alexander.

"Nation states have realized the force multiplier effect [of cyber attacks]. That's an issue that is upon us today," said Paul Kurtz, a partner with Good Harbor Consulting and former White House cybersecurity advisor, in an interview. "We've seen Russia use attacks. We see China documenting that they're developing and will use those capabilities. It's only prudent that the U.S. develop the resources it needs to respond."

The report details an attack that was "likely associated with a state sponsored operation," believed to be China based on IP addresses, on a large U.S. business and several other companies over several weeks within the last few years. The hackers stole specific files, for which they had gained file permissions. However, they didn't open the files before downloading them, which suggests that they knew what they were looking for.

"Analysis of the operation suggests that the adversaries previously identified specific directories, file shares, servers, user accounts, employee full names, password policies, and group memberships on the network, likely during their detailed reconnaissance phase," the report says.

The investigation concluded that the attack used one team to breach the company's systems and another to steal data. Before taking the data, the hackers moved it from file servers to the company's Exchange servers, which had higher throughput, for faster downloading.

China's non-government hacking community is also a concern, the report said. In 2008, Chinese hackers defaced French diplomatic Web sites and mounted an unsuccessful distributed denial of service attack on CNN. China expanding its anti-hacking laws in February.



Read InformationWeek's first-ever analysis of top CIOs in federal, state, and local government, and how they're embracing new expectations. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?