
Chinese Cyberespionage: Brazen, Prolific, And Persistent

New research from multiple sources illustrates dominant role of China in cyberespionage

China, China, China: New data and intelligence is shedding more light on just how bold and pervasive Chinese cyberespionage activity is today.

Tracing malware and breaches to their attackers is not straightforward -- anyone can hide behind layers of IP addresses -- but China has been confirmed as a major player in cyberespionage in multiple reports this month, as both Verizon and FireEye independently have released data that points the finger at the country for the bulk of cyberspying activity. And even after Mandiant's exhaustive report on a long-suspected Chinese military link to cyberespionage against U.S. firms that was published in February, the APT1/Comment Crew gang behind that operation appears to be back in action despite the publicity the report drew.

The APT1/Comment Crew appears to have done little to change its tactics and methods of attack even after it was unmasked with key intelligence from Mandiant.

"I was personally part of the camp that thought these guys would change significantly" after the Mandiant report was published, says Rich Barger, chief intelligence officer with Cyber Squared, which last week unveiled new evidence of the group targeting the defense and aerospace community using many of the same techniques and command-and-control (C&C) capabilities as before.

"It's not to say that there [may be] other activity they are conducting which is different as night and day. But in this instance, I was surprised that the change was so minimal ... Unless the left hand is showing us some of the old ways whereas the right hand is doing new stuff, we're not seeing," Barger says.

Chinese cyberespionage actors accounted for 96 percent of the espionage-motivated targeted attacks in Verizon's new Data Breach Investigations Report, which covers attacks investigated in 2012. One-fifth of all the breaches in the Verizon report were Chinese cyberespionage cases.

FireEye found that infected machines phoning "home" to the attackers mostly use advanced persistent threat tools developed or used by Chinese cyberspies: nearly 90 percent of those callbacks involve such tools, and most of those use the Chinese-born Gh0stRAT.

Attackers in other countries have access to many of those same tools and likely are using them as well, but the numbers still show the mark Chinese cyberespionage actors have made on hacking. "Their footprint is definitely there, and it's very large," says Rob Rachwald, director of market research at FireEye.

Rachwald says he's surprised other nations didn't make a bigger dent in cyberespionage in the Verizon report, but it may just be a matter of volume: "It makes sense to some extent. Volume is the game for [China]. They do some sophisticated things, but it's all about attack volume," he says. "They go after a company very intensively for a several-week period, with a very heavy spearphishing attack ... It makes sense that they would appear in so many attacks because they spend a lot of time with it."

[Mandiant calls out People's Liberation Army Unit 61398 as the APT1 group responsible for cyberspying against multiple industries; Dell SecureWorks discovers new victims of APT1/aka the "Comment Crew," "Comment Group." See Chinese Military Tied To Major Cyberespionage Operation.]

The infamous APT1/Comment Crew cyberespionage group went quiet for a few weeks after the Mandiant report came out, Rachwald says; that report included indicators of compromise for organizations and forensics investigators to use.

But Cyber Squared spotted new activity from the group this month, as it launched a convincing spearphishing campaign using this week's NDIA MODSIM Aerospace and Defense conference in Hampton, Va., as a lure.

While much of the group's operations appear intact, with no significant retooling of its technologies or C&C architecture, Barger says his team detected some subtle, simple changes. "The command strings were different" in the C&C communication, he says, and the crypto used within the string had been altered.

"They also used free dynamic DNS services versus self-registered domains" for this attack campaign, he says.

Otherwise, the malware was the same, as was its use of HTML command tags, he says. "There was not a drastic change, but they modified some of the things that were easier to change. That got them back in the game quicker," he says. "To recompile some of this code and test it may have taken a couple of hours of their time," tops, he says.

Chinese cyberespionage actors don't need to change their methods, and they don't even really need to hide, he says. "They can maintain their current level of survivability and operate behind the noise of us as a community scratching our chin and observing, saying, 'Why do we have this problem,' while meanwhile, everything is moving out the back door."

Meanwhile, the U.S. is the favorite home-away-from-home for C&C servers receiving calls from Chinese RAT tools, according to FireEye's data. "Given that the majority of victims of those attacks are based in the U.S., it is clear that attackers are housing CnC servers in the same country as their targets in order to help avoid raising suspicions," the FireEye report said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

5/1/2013 | 2:45:28 AM
re: Chinese Cyberespionage: Brazen, Prolific, And Persistent
Yeah, yeah, so when are we going to hear about some specific actions taken to stop this activity besides lecturing the Chinese government?