Nation-State Cyber Espionage, Targeted Attacks Becoming Global Norm

New report shows 2014 as the year of China's renewed resiliency in cyber espionage, with Hurricane Panda storming its targets, while Russia, Iran, and North Korea emerged as major players in hacking for political, nationalistic, and competitive gain.

China unsurprisingly remains the most active and prolific nation waging cyber espionage attacks, according to a new report, but threat groups with ties to Russia, Iran, and North Korea expanded their targeted attack campaigns in the past year, as cyber espionage and politically motivated cyber attacks from various corners of the globe have become the new normal.

Security intelligence firm CrowdStrike's 2014 Global Threat Report, published today, showed how hacking last year became a popular and effective weapon in geopolitical conflicts for groups associated with emerging nation-states, while intelligence gathering for economic competition as well as for politics continued to fuel China's vast cyber espionage machine.

Adam Meyers, vice president of intelligence at CrowdStrike, says his firm watched this activity overall increase dramatically in 2014, and with more nations involved than ever. "Just the increase in activity and seeing so many different states continuing to be active" was the most striking takeaway from last year, he says. "The more publicized and exposed this was, it seems to be almost becoming an advertisement [for this activity]:  'see, it's becoming effective.'"

In a year when the US Department of Justice issued a historic indictment of five Chinese military officers for their association with cyber espionage against US companies--charges that named names and ultimately sent their pictures to the FBI's Most Wanted list--hacking by various nations against one another actually increased. While the DOJ's legal action signaled a shift in US policy over China's well-known persistent and widespread hacking into US companies for trade secrets and other intelligence, in reality it wasn't expected to do much damage to China's hacking activities, nor to result in any extraditions.

"It shows other countries that nothing's going to happen … We indicted five PLA officers, which is major from our standpoint. But it's not going to result in extradition," Meyers says. It was an example of how individuals involved in targeted cyber attacks by nation-states go unpunished in the end, and the hacking operations continue to be effective, according to Meyers.

CrowdStrike, which closely tracks some 39 different nation-state, criminal, nationalist, and hacktivist hacking groups (and Meyers notes there are others out there as well), noticed a couple of interesting trends among Chinese cyber espionage gangs last year. For one, they are increasingly adapting to hide their tracks when intel firms like CrowdStrike get too close to them.

One of the most advanced hacking groups in this realm, dubbed Hurricane Panda by CrowdStrike, was able to adjust to CrowdStrike researchers' constant tracking and detection of its activity, especially of the domains used for its command-and-control operations. Meyers says the Hurricane Panda team responded to the heat by hardcoding the name servers of Hurricane Electric's free DNS hosting service into its PlugX malware. "The service allowed you to create any record regardless if it was a valid domain or one that you owned. The attacker set up legitimate domains like Pinterest.com, which would resolve to a location of their choosing if you queried Hurricane Electric name servers."

Because the name servers were hard-coded in the malware, PlugX's lookup of www.pinterest.com went straight to Hurricane Electric rather than to the victim's normal resolver. Anyone watching the query saw the implant asking for a popular, legitimate domain, but the answer it received was the address of the attackers' C2 server.

"That's kind of a cool tactic," Meyers says. "They know we track them, so this is one of the techniques they use" to hide, he says.

CrowdStrike warns that Hurricane Panda, which targets mainly Internet services, engineering, and aerospace firms, is one of the "more capable" attack groups out of China, "and run-ins with this actor should be treated with the utmost concern," the company said in its report. CrowdStrike says this group harbors "an arsenal of exploits" targeting privilege escalation bugs, and has employed at least two zero-day exploits since February of 2014.

Like many other Chinese nation-state hacking teams, Hurricane Panda is especially fond of using the PlugX remote access Trojan, a Chinese cyber spying tool. It was PlugX that allowed the group to abuse free DNS services, such as Hurricane Electric in California, in their quest to hide from CrowdStrike's investigators. "By abusing Hurricane Electric's free DNS service, the actors were able to resolve popular domains like www.pinterest.com, adobe.com, and github.com," the report says. "Hurricane Panda leveraged PlugX’s custom DNS feature to use the free DNS hosting services provided by Hurricane Electric to resolve these domains to PlugX C2 nodes instead of their legitimate IP addresses." 
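The tradecraft described in the preceding paragraphs leaves two footprints a defender can look for: a host sending DNS queries to a resolver that is not the corporate one, and an answer for a well-known name that disagrees with what the corporate resolver returns. The following script is an added example written for this page (it is not CrowdStrike's code and not part of PlugX); the log format, the approved resolver address 10.0.0.53, and every address and timestamp in the sample log are constructed for illustration, with the answers drawn from RFC 5737 documentation ranges.

```python
"""Detect PlugX-style resolver abuse in DNS logs (illustrative example).

The technique: malware sends lookups for popular names (www.pinterest.com,
adobe.com, github.com) directly to a third party's name servers on which the
attacker has created records for those names, so the answer is a C2 address.
Two signals fall out of that: (1) hosts talking DNS to something other than
the approved corporate resolvers, and (2) answers for well-known names that
disagree with what the corporate resolver returns. A third, weaker signal is
several unrelated names converging on one address.
"""
from collections import defaultdict

# Corporate resolver(s) every host is supposed to use (assumed value).
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed sample log: "ts client resolver query qtype answer", one lookup per line.
# Answers are from RFC 5737 documentation ranges; 216.218.130.2 stands in for a
# third-party name server that an internal host should never contact directly.
SAMPLE_DNS_LOG = """\
1423555200.100 10.1.2.15 10.0.0.53      www.pinterest.com A 192.0.2.10
1423555201.200 10.1.2.15 10.0.0.53      github.com        A 192.0.2.30
1423555202.300 10.1.2.15 10.0.0.53      adobe.com         A 192.0.2.20
1423555260.400 10.1.2.77 216.218.130.2  www.pinterest.com A 203.0.113.25
1423555261.500 10.1.2.77 216.218.130.2  adobe.com         A 203.0.113.25
1423555300.600 10.1.2.90 8.8.8.8        github.com        A 192.0.2.30
"""

FIELDS = ("ts", "client", "resolver", "query", "qtype", "answer")


def parse_dns_log(text):
    """Parse the whitespace-separated sample format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["query"] = rec["query"].lower().rstrip(".")
        records.append(rec)
    return records


def find_resolver_bypass(records, approved=APPROVED_RESOLVERS):
    """Signal 1: lookups sent to a resolver that is not on the approved list."""
    return [r for r in records if r["resolver"] not in approved]


def baseline_answers(records, approved=APPROVED_RESOLVERS):
    """Answers the approved resolvers gave for each name: the 'known good' view."""
    base = defaultdict(set)
    for r in records:
        if r["resolver"] in approved and r["qtype"] == "A":
            base[r["query"]].add(r["answer"])
    return base


def find_answer_mismatch(records, approved=APPROVED_RESOLVERS):
    """Signal 2: an off-resolver answer that disagrees with the corporate answer for the same name."""
    base = baseline_answers(records, approved)
    return [
        r for r in records
        if r["resolver"] not in approved
        and r["qtype"] == "A"
        and r["query"] in base
        and r["answer"] not in base[r["query"]]
    ]


def find_shared_answers(records, approved=APPROVED_RESOLVERS, min_names=2):
    """Signal 3: several unrelated names resolving (off-resolver) to one address,
    the convergence you see when a single C2 node sits behind many borrowed names."""
    names_by_ip = defaultdict(set)
    for r in records:
        if r["resolver"] not in approved and r["qtype"] == "A":
            names_by_ip[r["answer"]].add(r["query"])
    return {ip: names for ip, names in names_by_ip.items() if len(names) >= min_names}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for r in find_resolver_bypass(recs):
        print(f"bypass   {r['client']} -> {r['resolver']} for {r['query']}")
    for r in find_answer_mismatch(recs):
        print(f"mismatch {r['query']} = {r['answer']} via {r['resolver']}")
    for ip, names in find_shared_answers(recs).items():
        print(f"shared   {ip} <- {sorted(names)}")
```

In the sample, the host 10.1.2.77 trips all three signals: it talks to a non-approved name server, the answers it gets for www.pinterest.com and adobe.com differ from the corporate resolver's, and both names land on the same address. The host 10.1.2.90 trips only the first: it bypassed the corporate resolver but got the same answer for github.com, which is a policy problem rather than evidence of PlugX. Two caveats a practitioner would add: the mismatch check needs the corporate resolver to have seen the name, and CDN-fronted names legitimately answer with different addresses by region, so a mismatch is a lead to pivot on, not proof by itself. Blocking outbound UDP/TCP 53 from workstations to anything but the corporate resolvers removes the first signal's noise and breaks this particular C2 trick outright.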

Hurricane Panda also used a Google Code project to surreptitiously host its PlugX C&C node.

But the so-called Goblin Panda hacking group was the most active last year, according to CrowdStrike, hitting mainly targets in Vietnam amid geopolitical tensions over control of the South China Sea, in rapid-fire attacks from late spring until early summer. That made Vietnam the most targeted nation, just ahead of the US.

[The US Department of Justice and the FBI indict five members of the Chinese military for allegedly hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel. Read 'The New Normal': US Charges Chinese Military Officers With Cyber Espionage.]

Meanwhile, reports late last week pointed to attackers out of China as the possible culprits behind the massive breach at health insurer Anthem, which may have exposed personal information of some 80 million people. CrowdStrike's Meyers says while his firm is not involved in the investigation into the Anthem breach, they have seen the so-called Deep Panda cyber espionage group out of China targeting healthcare organizations in the past. "If it was China, it could possibly be Deep Panda … that's a natural first guess," Meyers says. "Customer name and address information could be used in support of activities leveraged toward collecting information to support human intel operations.

"They suck up everything they can get their hands on," he says of nation-state hacking groups out of China. "They [feel] it's better to over collect" information, he says.

North Korea's apparent role behind the destruction of Sony's data in that massive attack demonstrated the messier side of targeted attacks, when data is wiped from computers. "The North Korean attack on Sony was absolutely a watershed moment for everybody. Because within hours, they saw Sony pull a movie, and the President was on TV" talking about it, Meyers says. "It was a major international incident. They didn't have to launch a bomb … all they had to do was [plant] malware. Emerging countries are probably going to see" how this type of attack is effective, he says.

The malware used is more than ten years old, he says, and wiping doesn't require much technical expertise. "But the intrusion and recon shows some tradecraft," he says of the Sony attacks.

Meanwhile, CrowdStrike's report recapped cyber attack campaigns it tracked in Iran and Russia, including Flying Kitten and Charming Kitten out of Iran, and Fancy Bear and Berserk Bear out of Russia.

"There are a lot of different groups operating out of Iran," Meyers says. Flying Kitten is one of the most notable ones, he says. "They are targeting Western defense contractors and aerospace firms," he says.

CrowdStrike's report also recaps the activities of several cyber espionage groups tied to Russia, including Energetic Bear, Fancy Bear, and Venomous Bear. "Although the Chinese calendar predicted that 2014 would be the Year of the Horse, in many respects 2014 has been the Year of the Bear in the cyber realm, with several high-profile Russia-based actors receiving public attention," the report says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

User Rank: Apprentice
2/10/2015 | 11:04:18 AM
Article content
Nice article Kelly!
User Rank: Ninja
2/10/2015 | 9:38:41 AM
Global Enforcement
Is there an enforcement agency that is not country exclusive that can govern instances of nation-state espionage? The DoJ trying to impose sanctions on another country seems like it wouldn't gain too much traction. A body that has no interests in any particular country may be a better avenue for enforcing laws between separate nation-states.