Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Experts: CrowdStrike China Hacker Report Raises Red Flags For Business

The second report on China's hacking teams supports Department of Justice's accusations, offers insight on Chinese attackers.

The release of another report on state-sponsored hacking activities in China earlier this week should remove all doubt: The intellectual property of Western enterprises is being targeted for data theft.

That's the consensus of most security experts in the wake of Monday night's release of a new CrowdStrike report detailing the activities of an organized group of Chinese cyber attackers affiliated with the People's Liberation Army (PLA). The report, which describes the attackers' activities down to the military unit, buildings, and even individuals involved, offers a sobering insight into the way China's state-sponsored groups target Western enterprises -- in this case, satellite and aerospace communications.

CrowdStrike published the report partly as a red flag to US businesses, and partly as a response to the Chinese government's continued denials of Department of Justice allegations of state-sponsored corporate espionage by China three weeks ago.

"We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials," says CrowdStrike CEO and co-founder George Kurtz in a blog written for Dark Reading. "Most executives and boards of directors have no idea just what damage is being done to their corporations."

"This is a smoking keyboard," says Adam Meyers, vice president of intelligence at CrowdStrike. "We've got a guy in China registering [malicious] domains on behalf of the third General Staff Department of the 12th Bureau of the PLA. It doesn't get tied up with a neat little bow any better than that."

The report also outlines some of the tactics used by the attackers, including exploits of Adobe Acrobat and Microsoft Office that are two years old or more. "Some of what we see is not particularly sophisticated, but it's working," Meyers says. "And this group is very active."

Industry experts said the CrowdStrike report is a cautionary tale that should get enterprises thinking about defenses not only against financially motivated cyber criminals, but against state-sponsored hacking of intellectual property.

"Cyber attacks are on the rise -- from nation-sponsored espionage to cyber criminals stealing data from major retailers and universities," says Eric Chiu, president and co-founder of security firm HyTrust. "Based on this, no company is immune, and security needs to be a top priority, rather than an afterthought or insurance plan. Also, attackers are getting more sophisticated -- in many cases using APTs and social engineering to steal credentials and gain access to corporate networks." 

"The recent discovery by CrowdStrike constitutes another link in the chain of evidence of the growing determination, sophistication, and craftsmanship of mission-driven hackers," says Eyal Firstenberg, vice president of cyber research at security company Light Cyber. "While traditional security measures have been optimized to stop run-of-the-mill viruses and bots, the nation-state mission-driven actors follow a different dynamic. It should therefore come as no surprise that a crafted PDF attachment tailor-made for a specific victim can bypass that victim's mail attachment scanner and other specific security measures.

"These sophisticated attacks highlight the need for organizations to deepen their security posture beyond the traditional intrusion prevention and focus on detecting and reacting to breaches in ways that don't assume a specific, predictable point of intrusion."

"These attacks show how effective the combination of social engineering and exploits can be," says Jerome Segura, senior security researcher at Malwarebytes. "A considerable amount of effort is put into identifying the target by combing through any data found on social networking sites, press releases, etc. Then, carefully crafted exploit documents with a theme that would appeal to the victim are sent as spear phishing emails.

"Those files, which are not malware executables, are able to defeat spam and antivirus protection and find their way to the target's inbox," Segura tells us. "While most people have been trained to be careful with zip attachments that may contain malware, very few would think twice before opening a PDF document. All it takes is a vulnerable version of Adobe Reader or Office, and the booby-trapped file will start downloading and installing malware on the system -- at which point it's already too late."

Meyers hopes the report will be a wakeup call for businesses. "We have a group that takes its instructions from the military collecting data from Western enterprises in a $180 billion market in order to give a competitive advantage to Chinese industry," he says. "Make no mistake -- they are stealing intellectual property from Western businesses."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/11/2014 | 11:51:10 AM
Documented Orders
Having been on the wrong end of accusations as a young man where evidence appeared to point to me for something I wasn't involved in, I'm a fan of seeing a proper document trail when reaching conclusions as weighty as these - playing Devil's advocate, I'd love to see Anonymous or WikiLeaks produce some emails or other official Chinese Gov't documentation that documents direct orders for the activities documented in these reports.

That said, what is our response?  I've mentioned before that the US white hatters need to start thinking like black hatters, skipping gray and jumping straight to the dark side.  The ability of our cyber crime specialists to do this is there, just as the military has "black ops" and uses them to great efficiency - so we imagine – we need to do the same in our fight against cyber crime; the field is still fresh, and there is room for creativity.  The better, more aggressive, more offensive and thorough our cyber crime teams become, the harder a time teams like those in China will have getting a foothold in our cyber territory.

 
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15073
PUBLISHED: 2019-11-20
An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15072
PUBLISHED: 2019-11-20
The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15071
PUBLISHED: 2019-11-20
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
CVE-2019-6176
PUBLISHED: 2019-11-20
A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
CVE-2019-6184
PUBLISHED: 2019-11-20
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.