The release of another report on state-sponsored hacking activities in China earlier this week should remove all doubt: The intellectual property of Western enterprises is being targeted for data theft.
That's the consensus of most security experts in the wake of Monday night's release of a new CrowdStrike report detailing the activities of an organized group of Chinese cyber attackers affiliated with the People's Liberation Army (PLA). The report, which describes the attackers' activities down to the military unit, buildings, and even individuals involved, offers a sobering insight into the way China's state-sponsored groups target Western enterprises -- in this case, satellite and aerospace communications.
CrowdStrike published the report partly as a red flag to US businesses, and partly as a response to the Chinese government's continued denials of Department of Justice allegations of state-sponsored corporate espionage by China three weeks ago.
"We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials," says CrowdStrike CEO and co-founder George Kurtz in a blog written for Dark Reading. "Most executives and boards of directors have no idea just what damage is being done to their corporations."
"This is a smoking keyboard," says Adam Meyers, vice president of intelligence at CrowdStrike. "We've got a guy in China registering [malicious] domains on behalf of the third General Staff Department of the 12th Bureau of the PLA. It doesn't get tied up with a neat little bow any better than that."
The report also outlines some of the tactics used by the attackers, including exploits of Adobe Acrobat and Microsoft Office that are two years old or more. "Some of what we see is not particularly sophisticated, but it's working," Meyers says. "And this group is very active."
Industry experts said the CrowdStrike report is a cautionary tale that should get enterprises thinking about defenses not only against financially motivated cyber criminals, but against state-sponsored hacking of intellectual property.
"Cyber attacks are on the rise -- from nation-sponsored espionage to cyber criminals stealing data from major retailers and universities," says Eric Chiu, president and co-founder of security firm HyTrust. "Based on this, no company is immune, and security needs to be a top priority, rather than an afterthought or insurance plan. Also, attackers are getting more sophisticated -- in many cases using APTs and social engineering to steal credentials and gain access to corporate networks."
"The recent discovery by CrowdStrike constitutes another link in the chain of evidence of the growing determination, sophistication, and craftsmanship of mission-driven hackers," says Eyal Firstenberg, vice president of cyber research at security company Light Cyber. "While traditional security measures have been optimized to stop run-of-the-mill viruses and bots, the nation-state mission-driven actors follow a different dynamic. It should therefore come as no surprise that a crafted PDF attachment tailor-made for a specific victim can bypass that victim's mail attachment scanner and other specific security measures.
"These sophisticated attacks highlight the need for organizations to deepen their security posture beyond the traditional intrusion prevention and focus on detecting and reacting to breaches in ways that don't assume a specific, predictable point of intrusion."
"These attacks show how effective the combination of social engineering and exploits can be," says Jerome Segura, senior security researcher at Malwarebytes. "A considerable amount of effort is put into identifying the target by combing through any data found on social networking sites, press releases, etc. Then, carefully crafted exploit documents with a theme that would appeal to the victim are sent as spear phishing emails.
"Those files, which are not malware executables, are able to defeat spam and antivirus protection and find their way to the target's inbox," Segura tells us. "While most people have been trained to be careful with zip attachments that may contain malware, very few would think twice before opening a PDF document. All it takes is a vulnerable version of Adobe Reader or Office, and the booby-trapped file will start downloading and installing malware on the system -- at which point it's already too late."
Meyers hopes the report will be a wakeup call for businesses. "We have a group that takes its instructions from the military collecting data from Western enterprises in a $180 billion market in order to give a competitive advantage to Chinese industry," he says. "Make no mistake -- they are stealing intellectual property from Western businesses."