Dark Reading is part of the Informa Tech Division of Informa PLC




Chinese Cyberespionage: Brazen, Prolific, And Persistent

New research from multiple sources illustrates dominant role of China in cyberespionage

China, China, China: New data and intelligence are shedding more light on just how bold and pervasive Chinese cyberespionage activity is today.

Tracing malware and breaches to their attackers is not straightforward -- anyone can hide behind layers of IP addresses -- but China has been confirmed as a major player in cyberespionage in multiple reports this month, as both Verizon and FireEye independently have released data that points the finger at the country for the bulk of cyberspying activity. And even after Mandiant's exhaustive report on a long-suspected Chinese military link to cyberespionage against U.S. firms that was published in February, the APT1/Comment Crew gang behind that operation appears to be back in action despite the publicity the report drew.

The APT1/Comment Crew appears to have done little to change its tactics and methods of attack even after it was unmasked with key intelligence from Mandiant.

"I was personally part of the camp that thought these guys would change significantly" after the Mandiant report was published, says Rich Barger, chief intelligence officer with Cyber Squared, which last week unveiled new evidence of the group targeting the defense and aerospace community using many of the same techniques and command-and-control (C&C) capabilities as before.

"It's not to say that there [may be] other activity they are conducting which is different as night and day. But in this instance, I was surprised that the change was so minimal ... Unless the left hand is showing us some of the old ways whereas the right hand is doing new stuff, we're not seeing," Barger says.

Chinese cyberespionage actors accounted for 96 percent of the espionage-motivated breaches in Verizon's new Data Breach Investigations Report, which covers incidents investigated in 2012. And one-fifth of all of the breaches in the Verizon report were Chinese cyberespionage-based.

FireEye found that nearly 90 percent of the callbacks from infected machines to attacker-controlled servers used advanced persistent threat tools developed or used by Chinese cyberspies, and most of those callbacks came from Gh0st RAT, a remote-access Trojan of Chinese origin.

While attackers in other countries have access to many of the same tools and likely use them as well, the data demonstrates what a mark Chinese cyberespionage attackers have made in hacking. "Their footprint is definitely there, and it's very large," says Rob Rachwald, director of market research at FireEye.

Rachwald says he's surprised other nations didn't make a bigger dent in cyberespionage in the Verizon report, but it may just be a matter of volume: "It makes sense to some extent. Volume is the game for [China]. They do some sophisticated things, but it's all about attack volume," he says. "They go after a company very intensively for a several-week period, with a very heavy spearphishing attack ... It makes sense that they would appear in so many attacks because they spend a lot of time with it."

[Mandiant calls out People's Liberation Army Unit 61398 as the APT1 group responsible for cyberspying against multiple industries; Dell SecureWorks discovers new victims of APT1/aka the "Comment Crew," "Comment Group." See Chinese Military Tied To Major Cyberespionage Operation.]

The infamous APT1/Comment Crew cyberespionage group went quiet for a few weeks, Rachwald says, after the Mandiant report came out, which included indicators of compromise for organizations and forensics investigators to use.

But Cyber Squared spotted new activity from the group this month, as it launched a convincing spearphishing campaign using this week's NDIA MODSIM Aerospace and Defense conference in Hampton, Va., as a lure.

While much of the group's operations appears intact with no significant retooling of their technologies or C&C architecture, Barger says his team detected some subtle, simple changes. "The command strings were different" in the C&C communication, he says, and the crypto used within the string had been altered.

"They also used free dynamic DNS services versus self-registered domains" for this attack campaign, he says.

Otherwise, the malware was the same, as was its technique of hiding commands inside HTML comment tags on attacker-controlled web pages, the habit that earned the group its "Comment Crew" name, he says. "There was not a drastic change, but they modified some of the things that were easier to change. That got them back in the game quicker," he says. "To recompile some of this code and test it may have taken a couple of hours of their time," tops, he says.
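The practical lesson of the preceding paragraphs is that the cheap-to-change indicators (C&C domains, the exact command strings and their encoding) rotated within hours, while the underlying behaviours (commands carried in HTML comment tags, callbacks to throwaway dynamic-DNS hosts) did not. The following Python is an added example written for this page, not code from Cyber Squared, Mandiant or the group's own tooling. It scans captured HTTP responses for those two behaviours rather than for specific domains. The sample responses and hostnames are constructed, the base64 encoding of the hidden command is an assumption standing in for whatever obfuscation a real operator uses, and the dynamic-DNS watchlist and entropy threshold are illustrative values a defender would maintain and tune locally.

```python
"""Behaviour-based scan of HTTP responses for C&C traits that survive cheap
retooling: commands hidden in HTML comments, and callbacks to dynamic-DNS
hosts.  Added example for this page; all sample data is constructed."""
from __future__ import annotations

import base64
import math
import re
from dataclasses import dataclass

# Assumed watchlist of free dynamic-DNS zones; replace with the providers
# you actually see in your own telemetry.
DYNAMIC_DNS_SUFFIXES = ("3322.org", "no-ip.org", "dyndns.org")

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# A lone base64-alphabet token of 16+ characters; real page comments are
# words or markup fragments, not a single blob.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune on your traffic


@dataclass
class Finding:
    host: str
    kind: str      # "encoded_comment" or "dynamic_dns"
    detail: str


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; 0.0 for one repeated character."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_comments(html: str) -> list[str]:
    """Every HTML comment body in the page, whitespace-trimmed."""
    return [m.strip() for m in COMMENT_RE.findall(html)]


def encoded_comments(html: str) -> list[str]:
    """Comments that are a single high-entropy, validly padded base64 token.
    The entropy gate drops filler such as a run of identical letters."""
    hits = []
    for comment in extract_comments(html):
        if not B64_TOKEN_RE.match(comment) or shannon_entropy(comment) < MIN_ENTROPY:
            continue
        try:
            base64.b64decode(comment, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        hits.append(comment)
    return hits


def is_dynamic_dns(host: str) -> bool:
    """True when the host sits under one of the watchlisted zones (exact
    label match, so '3322.org.example.com' is not a hit)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def scan(responses: list[tuple[str, str]]) -> list[Finding]:
    """responses: (host the client contacted, HTML body it received)."""
    findings: list[Finding] = []
    for host, body in responses:
        if is_dynamic_dns(host):
            findings.append(Finding(host, "dynamic_dns", host))
        for blob in encoded_comments(body):
            decoded = base64.b64decode(blob).decode("latin-1")
            findings.append(Finding(host, "encoded_comment", decoded))
    return findings


# Constructed sample traffic (not real captures); the "command" is made up.
_HIDDEN = base64.b64encode(b"cmd:whoami && netstat -an && tasklist").decode()
SAMPLE_RESPONSES = [
    # benign page: ordinary comments, one of them a low-entropy filler run
    ("www.example.com",
     "<!-- header start --><html><!-- AAAAAAAAAAAAAAAAAAAA --></html>"),
    # dynamic-DNS host whose page carries an encoded command in a comment
    ("img-cache.3322.org",
     "<html><body><!-- " + _HIDDEN + " --><p>Welcome</p></body></html>"),
    # dynamic-DNS host with nothing hidden: still worth a second look
    ("update.no-ip.org", "<html>under construction</html>"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSES):
        print(f"{f.kind:16} {f.host:22} {f.detail}")
```

Run as a script it prints one line per finding: two for the 3322.org host (the zone and the decoded comment) and one for the no-ip.org host. The point of keying on the comment-channel shape and the hosting pattern rather than on a domain list is exactly the one Barger makes: a domain list went stale the moment the group switched to dynamic DNS, while the comment-tag technique did not change at all.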

Chinese cyberespionage actors don't need to change their methods, and they don't even really need to hide, he says. "They can maintain their current level of survivability and operate behind the noise of us as a community scratching our chin and observing, saying, 'Why do we have this problem,' while meanwhile, everything is moving out the back door."

Meanwhile, the U.S. is the favorite home-away-from-home for C&C servers receiving calls from Chinese RAT tools, according to FireEye's data. "Given that the majority of victims of those attacks are based in the U.S., it is clear that attackers are housing CnC servers in the same country as their targets in order to help avoid raising suspicions," the FireEye report said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Reader comment:
5/1/2013 | 2:45:28 AM
Yea, yea, so when are we going to hear about some specific actions taken to stop this activity besides lecturing the Chinese government?