6/20/2016 08:00 PM

China Still Successfully Hacking US, But Less

New FireEye report shows significant decline in the number of Chinese cyber espionage attacks on the US since 2014, but China has definitely not stopped the intellectual property theft.

Successful cyberattacks by China-based hacker groups targeting corporate networks in the US and other regions have dramatically decreased since mid-2014, a new report finds. Even so, China continues to wage attacks to steal intellectual property despite political pressure from the US government, and its cyber espionage campaigns appear to be more streamlined.

So in case you were wondering whether the historic “no-hack” pact in September 2015 between President Barack Obama and Chinese president Xi Jinping -- where the two leaders promised not to wage cyberattacks for economic gain -- has made a difference, the answer is both yes and no. While no one expected major change in the wake of the pact, there have been some noticeable shifts in the volume of attacks by China in the past couple of years, according to new findings from FireEye. The pact is one of several factors, including earlier political and economic forces that were already under way beforehand, according to FireEye.

FireEye concluded that since 2013, when it first exposed China’s infamous APT1 cyber espionage operation led by the PLA, China’s hacking has become “less voluminous but more focused, calculated, and still successful in compromising” companies’ networks. Of a total of 262 compromises, FireEye found that China had executed more than 70 successful attacks in April 2014; 40 in July 2015; and fewer than five in May 2016.

Jordan Berry, principal threat analyst with FireEye, says the findings show some changes in the way China’s hacking machine operates, but the groups are still very much active and targeting companies’ intellectual property and personally identifiable information. “We observed an overall cyber activity decline in mid-2014 [by China], although they did not cease operations and they continue … albeit in lower volume,” Berry says. “A confluence of events” drove the decline in attacks, he says.

FireEye studied the number of network compromises by suspected China-based hackers starting in early 2013 through June 2016, drawing from its Mandiant incident response cases, and FireEye’s cloud-based network monitoring as well as its threat intelligence data. They found 262 successful network attacks by 72 different suspected China-based groups: of those attacks, 182 hit US companies.

From September 2015 until this month, FireEye says just 13 suspected China-based hacking teams broke into corporate networks in the US, Europe, and Japan, as well as commercial, government, and military organizations in nations near China, including Russia. “However, since mid-2014, we have observed an overall decrease in successful network compromises by China-based groups against organizations in the U.S. and 25 other countries. These shifts have coincided with ongoing political and military reforms in China, widespread exposure of Chinese cyber activity, and unprecedented action by the U.S. government,” FireEye’s report says.

Among the factors likely behind the decline in the number of cyberattacks on the US, according to FireEye: Xi’s military reforms as well as centralization of China’s cyber operations since he first took office in 2012; research exposing Chinese cyber espionage activity; and intensified US pressure on China, including the US indictment of five members of the Chinese military for allegedly hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel.


“Although many in the U.S. initially doubted that these actions would have any effect, they may have prompted Beijing to reconsider the execution of its network operations,” according to FireEye's report.

Other security research firms have seen some shifts in China’s intellectual property theft hacking over the past year as well. Costin Raiu, director of the global research and analysis team at Kaspersky Lab, in an interview in February said his firm’s researchers witnessed a dramatic drop in Chinese-speaking APTs going after US and UK organizations’ intellectual property in the wake of the Obama-Xi pact. But Kaspersky Lab also witnessed a 300% increase in attacks on Russian targets by Chinese groups over a period of two months.

“Immediately after the signing of the agreement, there was silence” in attacks against the US, Raiu said. “Then there were some small bits and pieces of random noise … but after that, they [Chinese-speaking APTs] completely went silent in the US and UK,” Raiu said, referring to Xi’s similar no-hack deal in October with Prime Minister Cameron in the UK.

CrowdStrike also saw an uptick in Chinese attacks on Russia, specifically by the group it tracks as Hammer Panda against targets in the Russian Federation. But it also saw continued attacks on US companies by China-based groups.

Meanwhile, there’s no sign of various China-based hacking groups becoming more coordinated in their tactics. “Some groups have changed quite a bit over the past year, and some have [remained] the same over the past two years,” says Mike Oppenheim, senior manager of threat intelligence at FireEye.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...