Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Experts: CrowdStrike China Hacker Report Raises Red Flags For Business

The second report on China's hacking teams supports Department of Justice's accusations, offers insight on Chinese attackers.

The release of another report on state-sponsored hacking activities in China earlier this week should remove all doubt: The intellectual property of Western enterprises is being targeted for data theft.

That's the consensus of most security experts in the wake of Monday night's release of a new CrowdStrike report detailing the activities of an organized group of Chinese cyber attackers affiliated with the People's Liberation Army (PLA). The report, which describes the attackers' activities down to the military unit, buildings, and even individuals involved, offers a sobering insight into the way China's state-sponsored groups target Western enterprises -- in this case, satellite and aerospace communications.

CrowdStrike published the report partly as a red flag to US businesses, and partly as a response to the Chinese government's continued denials of Department of Justice allegations of state-sponsored corporate espionage by China three weeks ago.

"We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials," says CrowdStrike CEO and co-founder George Kurtz in a blog written for Dark Reading. "Most executives and boards of directors have no idea just what damage is being done to their corporations."

"This is a smoking keyboard," says Adam Meyers, vice president of intelligence at CrowdStrike. "We've got a guy in China registering [malicious] domains on behalf of the third General Staff Department of the 12th Bureau of the PLA. It doesn't get tied up with a neat little bow any better than that."

The report also outlines some of the tactics used by the attackers, including exploits of Adobe Acrobat and Microsoft Office that are two years old or more. "Some of what we see is not particularly sophisticated, but it's working," Meyers says. "And this group is very active."

Industry experts said the CrowdStrike report is a cautionary tale that should get enterprises thinking about defenses not only against financially motivated cyber criminals, but against state-sponsored hacking of intellectual property.

"Cyber attacks are on the rise -- from nation-sponsored espionage to cyber criminals stealing data from major retailers and universities," says Eric Chiu, president and co-founder of security firm HyTrust. "Based on this, no company is immune, and security needs to be a top priority, rather than an afterthought or insurance plan. Also, attackers are getting more sophisticated -- in many cases using APTs and social engineering to steal credentials and gain access to corporate networks." 

"The recent discovery by CrowdStrike constitutes another link in the chain of evidence of the growing determination, sophistication, and craftsmanship of mission-driven hackers," says Eyal Firstenberg, vice president of cyber research at security company Light Cyber. "While traditional security measures have been optimized to stop run-of-the-mill viruses and bots, the nation-state mission-driven actors follow a different dynamic. It should therefore come as no surprise that a crafted PDF attachment tailor-made for a specific victim can bypass that victim's mail attachment scanner and other specific security measures.

"These sophisticated attacks highlight the need for organizations to deepen their security posture beyond the traditional intrusion prevention and focus on detecting and reacting to breaches in ways that don't assume a specific, predictable point of intrusion."

"These attacks show how effective the combination of social engineering and exploits can be," says Jerome Segura, senior security researcher at Malwarebytes. "A considerable amount of effort is put into identifying the target by combing through any data found on social networking sites, press releases, etc. Then, carefully crafted exploit documents with a theme that would appeal to the victim are sent as spear phishing emails.

"Those files, which are not malware executables, are able to defeat spam and antivirus protection and find their way to the target's inbox," Segura tells us. "While most people have been trained to be careful with zip attachments that may contain malware, very few would think twice before opening a PDF document. All it takes is a vulnerable version of Adobe Reader or Office, and the booby-trapped file will start downloading and installing malware on the system -- at which point it's already too late."

Meyers hopes the report will be a wakeup call for businesses. "We have a group that takes its instructions from the military collecting data from Western enterprises in a $180 billion market in order to give a competitive advantage to Chinese industry," he says. "Make no mistake -- they are stealing intellectual property from Western businesses."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/11/2014 | 11:51:10 AM
Documented Orders
Having been on the wrong end of accusations as a young man where evidence appeared to point to me for something I wasn't involved in, I'm a fan of seeing a proper document trail when reaching conclusions as weighty as these - playing Devil's advocate, I'd love to see Anonymous or WikiLeaks produce some emails or other official Chinese Gov't documentation that documents direct orders for the activities documented in these reports.

That said, what is our response?  I've mentioned before that the US white hatters need to start thinking like black hatters, skipping gray and jumping straight to the dark side.  The ability of our cyber crime specialists to do this is there, just as the military has "black ops" and uses them to great efficiency - so we imagine – we need to do the same in our fight against cyber crime; the field is still fresh, and there is room for creativity.  The better, more aggressive, more offensive and thorough our cyber crime teams become, the harder a time teams like those in China will have getting a foothold in our cyber territory.

 
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Post a Comment
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21439
PUBLISHED: 2021-06-14
DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTR...
CVE-2021-23394
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
CVE-2021-34682
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.