Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Experts: CrowdStrike China Hacker Report Raises Red Flags For Business

The second report on China's hacking teams supports Department of Justice's accusations, offers insight on Chinese attackers.

The release of another report on state-sponsored hacking activities in China earlier this week should remove all doubt: The intellectual property of Western enterprises is being targeted for data theft.

That's the consensus of most security experts in the wake of Monday night's release of a new CrowdStrike report detailing the activities of an organized group of Chinese cyber attackers affiliated with the People's Liberation Army (PLA). The report, which describes the attackers' activities down to the military unit, buildings, and even individuals involved, offers a sobering insight into the way China's state-sponsored groups target Western enterprises -- in this case, satellite and aerospace communications.

CrowdStrike published the report partly as a red flag to US businesses, and partly as a response to the Chinese government's continued denials of Department of Justice allegations of state-sponsored corporate espionage by China three weeks ago.

"We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials," says CrowdStrike CEO and co-founder George Kurtz in a blog written for Dark Reading. "Most executives and boards of directors have no idea just what damage is being done to their corporations."

"This is a smoking keyboard," says Adam Meyers, vice president of intelligence at CrowdStrike. "We've got a guy in China registering [malicious] domains on behalf of the third General Staff Department of the 12th Bureau of the PLA. It doesn't get tied up with a neat little bow any better than that."

The report also outlines some of the tactics used by the attackers, including exploits of Adobe Acrobat and Microsoft Office that are two years old or more. "Some of what we see is not particularly sophisticated, but it's working," Meyers says. "And this group is very active."

Industry experts said the CrowdStrike report is a cautionary tale that should get enterprises thinking about defenses not only against financially motivated cyber criminals, but against state-sponsored hacking of intellectual property.

"Cyber attacks are on the rise -- from nation-sponsored espionage to cyber criminals stealing data from major retailers and universities," says Eric Chiu, president and co-founder of security firm HyTrust. "Based on this, no company is immune, and security needs to be a top priority, rather than an afterthought or insurance plan. Also, attackers are getting more sophisticated -- in many cases using APTs and social engineering to steal credentials and gain access to corporate networks." 

"The recent discovery by CrowdStrike constitutes another link in the chain of evidence of the growing determination, sophistication, and craftsmanship of mission-driven hackers," says Eyal Firstenberg, vice president of cyber research at security company Light Cyber. "While traditional security measures have been optimized to stop run-of-the-mill viruses and bots, the nation-state mission-driven actors follow a different dynamic. It should therefore come as no surprise that a crafted PDF attachment tailor-made for a specific victim can bypass that victim's mail attachment scanner and other specific security measures.

"These sophisticated attacks highlight the need for organizations to deepen their security posture beyond the traditional intrusion prevention and focus on detecting and reacting to breaches in ways that don't assume a specific, predictable point of intrusion."

"These attacks show how effective the combination of social engineering and exploits can be," says Jerome Segura, senior security researcher at Malwarebytes. "A considerable amount of effort is put into identifying the target by combing through any data found on social networking sites, press releases, etc. Then, carefully crafted exploit documents with a theme that would appeal to the victim are sent as spear phishing emails.

"Those files, which are not malware executables, are able to defeat spam and antivirus protection and find their way to the target's inbox," Segura tells us. "While most people have been trained to be careful with zip attachments that may contain malware, very few would think twice before opening a PDF document. All it takes is a vulnerable version of Adobe Reader or Office, and the booby-trapped file will start downloading and installing malware on the system -- at which point it's already too late."

Meyers hopes the report will be a wakeup call for businesses. "We have a group that takes its instructions from the military collecting data from Western enterprises in a $180 billion market in order to give a competitive advantage to Chinese industry," he says. "Make no mistake -- they are stealing intellectual property from Western businesses."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/11/2014 | 11:51:10 AM
Documented Orders
Having been on the wrong end of accusations as a young man where evidence appeared to point to me for something I wasn't involved in, I'm a fan of seeing a proper document trail when reaching conclusions as weighty as these - playing Devil's advocate, I'd love to see Anonymous or WikiLeaks produce some emails or other official Chinese Gov't documentation that documents direct orders for the activities documented in these reports.

That said, what is our response?  I've mentioned before that the US white hatters need to start thinking like black hatters, skipping gray and jumping straight to the dark side.  The ability of our cyber crime specialists to do this is there, just as the military has "black ops" and uses them to great efficiency - so we imagine – we need to do the same in our fight against cyber crime; the field is still fresh, and there is room for creativity.  The better, more aggressive, more offensive and thorough our cyber crime teams become, the harder a time teams like those in China will have getting a foothold in our cyber territory.

 
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-20466
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
CVE-2020-20467
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
CVE-2020-20468
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
CVE-2021-24368
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.