informa
4 MIN READ
News

Chinese Cyberespionage: Brazen, Prolific, And Persistent

New research from multiple sources illustrates dominant role of China in cyberespionage
China, China, China: New data and intelligence is shedding more light on just how bold and pervasive Chinese cyberespionage activity is today.

Tracing malware and breaches to their attackers is not straightforward -- anyone can hide behind layers of IP addresses -- but China has been confirmed as a major player in cyberespionage in multiple reports this month, as both Verizon and FireEye independently have released data that points the finger at the country for the bulk of cyberspying activity. And even after Mandiant's exhaustive report on a long-suspected Chinese military link to cyberespionage against U.S. firms that was published in February, the APT1/Comment Crew gang behind that operation appears to be back in action despite the publicity the report drew.

The APT1/Comment Crew appears to have done little to change its tactics and methods of attack even after it was unmasked with key intelligence from Mandiant.

"I was personally part of the camp that thought these guys would change significantly" after the Mandiant report was published, says Rich Barger, chief intelligence officer with Cyber Squared, which last week unveiled new evidence of the group targeting the defense and aerospace community using many of the same techniques and command-and-control (C&C) capabilities as before.

"It's not to say that there [may be] other activity they are conducting which is different as night and day. But in this instance, I was surprised that the change was so minimal ... Unless the left hand is showing us some of the old ways whereas the right hand is doing new stuff, we're not seeing," Barger says.

Chinese cyberespionage actors accounted for 96 percent of those types of targeted attacks in Verizon's new Data Breach Investigations Report on attacks investigated in 2012. And one-fifth of all of the breaches in the Verizon report were Chinese cyberespionage-based.

FireEye found that infected machines phoning "home" to the bad guys mostly use advanced persistent threat tools used or developed by Chinese cyberspies. Most of the nearly 90 percent of those attacks use Chinese-born Gh0stRAT.

While other attackers in other countries have access to many of those same tools and likely are using them as well, it demonstrates what a mark Chinese cyberespionage attackers have made in hacking. "Their footprint is definitely there, and it's very large," says Rob Rachwald, director of market research at FireEye.

Rachwald says he's surprised other nations didn't make a bigger dent in cyberespionage in the Verizon report, but it may just be a matter of volume: "It makes sense to some extent. Volume is the game for [China]. They do some sophisticated things, but it's all about attack volume," he says. "They go after a company very intensively for a several-week period, with a very heavy spearphishing attack ... It makes sense that they would appear in so many attacks because they spend a lot of time with it."

[Mandiant calls out People's Liberation Army Unit 61398 as the APT1 group responsible for cyberspying against multiple industries; Dell SecureWorks discovers new victims of APT1/aka the "Comment Crew," "Comment Group." See Chinese Military Tied To Major Cyberespionage Operation.]

The infamous APT1/Comment Crew cyberespionage group went quiet for a few weeks, Rachwald says, after the Mandiant report came out, which included indicators of compromise for organizations and forensics investigators to use.

But Cyber Squared spotted new activity from the group this month, as it launched a convincing spearphishing campaign using this week's NDIA MODSIM Aerospace and Defense conference in Hampton, Va., as a lure.

While much of the group's operations appears intact with no significant retooling of their technologies or C&C architecture, Barger says his team detected some subtle, simple changes. "The command strings were different" in the C&C communication, he says, and the crypto used within the string had been altered.

"They also used free dynamic DNS services versus self-registered domains" for this attack campaign, he says.

Otherwise, the malware was the same, as was its use of HTML command tags, he says. "There was not a drastic change, but they modified some of the things that were easier to change. That got them back in the game quicker," he says. "To recompile some of this code and test it may have taken a couple of hours of their time," tops, he says.

Chinese cyberespionage actors don't need to change their methods, and they don't even really need to hide, he says. "They can maintain their current level of survivability and operate behind the noise of us as a community scratching our chin and observing, saying, 'Why do we have this problem,' while meanwhile, everything is moving out the back door."

Meanwhile, the U.S. is the favorite home-away-from-home for C&C servers receiving calls from Chinese RAT tools, according to FireEye's data. "Given that the majority of victims of those attacks are based in the U.S., it is clear that attackers are housing CnC servers in the same country as their targets in order to help avoid raising suspicions," the FireEye report said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.