Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

12/13/2018
08:15 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

China Suspected of Massive Marriott Data Breach Report

A New York Times report finds that investigators believe China-backed attackers pulled off the massive data breach at Marriott, exposing the records of 500 million guests. It's a continuation of the tensions between China and the US.

Cyber spies working for China are suspected of pulling off the massive data breach at Marriott, which involved personal data of 500 million Starwood customers, in an effort to gather intelligence on specific US citizens, according to a published report in the New York Times.

Citing unnamed intelligence and law enforcement sources, the Times reported that attackers working for China's Ministry of State Security were behind the original breach, which occurred in 2014, but was only discovered during the last several weeks. (See Marriott: 500 Million Guest Records Compromised in Data Breach.)

In addition to Marriott, the cyber spies targeted health insurance firms and security clearance files to gather information.

One key piece of evidence that points to China is that passport numbers and information on 327 million Starwood customers were part of the breach. This would allow China to create a database on US citizens that it wanted to track, according to the Times.

"Given that these attacks are most probably interrelated and from the same APT [Advanced Persistent Threat], the suspicion that the Chinese are attempting to build more complete personality, or psychographic, profiles of individuals is further credible and downright scary," Mukul Kumar, chief information security officer and vice president of Cyber Practice at security vendor Cavirin, wrote in an email to Security Now.

"The potential damage is an order of magnitude more than simple hacks based on demographic data, giving a whole new meaning to the term 'life hacking,' " he added.

The Chinese government denies that it orchestrated the Marriott breach.

The Times report comes during a period of growing tension between China and the US on a range of issues, including cyberattacks, industrial espionage and trade issues.

To bolster its argument that China is breaking the rules, the Times reported that the Trump administration plans to declassify intelligence reports, as well as criminal indictments, which show wide-spread spying and cyber espionage campaigns conducted by China.

Over the last month, the US Justice Department charged ten Chinese nationals in an elaborate espionage campaign aimed at stealing designs and intellectual property tied to a new generation of turbofan engines. (See DoJ Charges 10 Chinese Nationals in Elaborate Cyberespionage Case.)

Over the last week, those tensions increased when Canadian authorities detained Huawei CFO Meng Wanzhou at the request of the Justice Department as she attempted to switch planes in Vancouver. The full details of the case against her remain shrouded in secrecy, but Wanzhou is suspected on helping the company violate US sanctions against Iran. (See Unknown Document 748229.)

China is demanding that Wanzhou, who is also the daughter of the company's founder, be allowed to return home. She's now free on bail.

There are no direct ties between the Marriott attack and these other incidents, but there's growing concern of what could happen next, especially with two nations that have an arsenal of cyber weapons at their disposal.

Chris Morales, the head of security analytics at Vectra, which makes automated threat management tools, noted in an email that with more and more data being digitized, these types of attacks, whether from cyber criminals or nation-states, are only going to get bigger.

"Part of the reason hacks are now getting so large is because the volume of data generated on the Internet every single day is so large," Morales explained. "Everything is digital. Just like a user would use a search engine to learn information, a cyber spy would want to search a massive online database for information. The difference is the databases used to gain information in this new form of cyber warfare happen to belong to private companies. Intelligence agencies love big data."

In this specific case, however, Morales noted that identity theft is not the end goal.

"A nation state actor would be far more interested in the intelligence gained on military and government officials who are patrons of the hotels," he added. "The Starwood and Marriott hotel chains have large federal contracts with many high-ranking officials staying at their hotels both domestically and internationally."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20902
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
CVE-2019-20903
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.