Crouching tiger, hidden dragon, stolen data
US claims 12 Chinese groups are behind cyber attacks
Cyber attacks that originate in China have grown in both size and scope.
According to a whitepaper from penetration tester and security consultancy Context, Chinese attacks are targeted and designed to steal data that will furnish the perpetrator with political, commercial and security/intelligence information. It claimed that these requirements are carefully and clearly identified, shared with a number of government departments and constantly updated, and while there is evidence of worldwide targeting, only a minority of attacks are identified and fewer still are made public.
It said that the main protagonists in China are believed to be the Third Department of the People's Liberation Army, while the likely recipients of stolen commercial data are the 117 state-owned enterprises that dominate the economy. It said that these companies are closely linked to the Communist Party, which has power over strategy, senior management and even wages.
Spear-phishing tactics are often used, according to the paper, with attackers targeting a single person with an email containing a malicious payload. Attackers also exploit website vulnerabilities to download malicious code onto a machine when a user clicks on a link in an email. Once the attacker has this foothold on the network, they typically download and use further hacking tools to escalate privileges and gain administrative access to key internal servers such as domain controllers or file servers. Once this is achieved, the attackers typically use another desktop or laptop on the network to collate the stolen data and exfiltrate it to their remote servers.
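The chain the paper describes (a phishing foothold, privilege escalation, lateral movement to a domain controller, staging on a second host, exfiltration) is detectable because each step leaves a different kind of log entry. The following is an added example, not code from the article or from Context, of a small correlator that maps endpoint, authentication and network events onto those stages and alerts when one workstation shows several of them within a day. The log schema, field names, thresholds, asset list and internal address ranges are all assumptions, and the sample events are constructed.

```python
"""Added example: correlate the stages of the intrusion pattern described in the
article (phishing foothold -> privilege escalation -> lateral movement to a domain
controller -> staging -> exfiltration) across constructed logs.  The log schema
and every field name below are hypothetical, not any vendor's format."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events in the form "timestamp|host|user|event|key=value ...".
SAMPLE_LOG = r"""
2011-12-12T09:02:11|WS-017|jdoe|process_start|parent=OUTLOOK.EXE child=WINWORD.EXE
2011-12-12T09:02:14|WS-017|jdoe|process_start|parent=WINWORD.EXE child=cmd.exe
2011-12-12T09:40:02|WS-017|jdoe|group_change|group=Administrators member=jdoe
2011-12-12T10:15:33|DC-01|jdoe|logon|type=10 src=WS-017
2011-12-12T11:05:48|WS-017|jdoe|file_create|path=C:\Users\jdoe\AppData\Local\Temp\r.rar size=734003200
2011-12-12T11:09:12|WS-017|jdoe|net_conn|dst=203.0.113.45:443 bytes_out=731234567
2011-12-12T09:10:00|WS-042|asmith|process_start|parent=WINWORD.EXE child=cmd.exe
2011-12-12T09:12:00|WS-042|asmith|net_conn|dst=10.0.5.20:445 bytes_out=120000
"""

STAGE_ORDER = ["delivery", "escalation", "lateral", "staging", "exfil"]
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
DOMAIN_CONTROLLERS = {"DC-01"}  # assumed asset inventory
# Assumed internal ranges; anything else (including the documentation address above) counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".cab")
LARGE_BYTES = 100 * 1024 * 1024  # staging/exfiltration size threshold, tune per environment
WINDOW = timedelta(hours=24)     # all stages must fall inside this span to be one incident


def parse_line(line):
    """Split one sample line into a dict of its fixed columns plus key=value fields."""
    ts, host, user, event, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "event": event, **fields}


def classify(ev):
    """Map one event to (workstation, stage), or None when it matches no stage."""
    e = ev["event"]
    # Office application spawning a shell or script host: the payload from the phishing email ran.
    if e == "process_start" and ev.get("parent") in OFFICE_PARENTS and ev.get("child", "").lower() in SHELL_CHILDREN:
        return ev["host"], "delivery"
    # Account added to a privileged group on the host.
    if e == "group_change" and ev.get("group") in ADMIN_GROUPS:
        return ev["host"], "escalation"
    # Remote interactive logon (type 10) to a domain controller; attribute it to the source workstation.
    if e == "logon" and ev["host"] in DOMAIN_CONTROLLERS and ev.get("type") == "10":
        return ev.get("src", ev["host"]), "lateral"
    # Large archive written to disk: data being collated for removal.
    if e == "file_create" and ev.get("path", "").lower().endswith(ARCHIVE_EXT) and int(ev.get("size", 0)) >= LARGE_BYTES:
        return ev["host"], "staging"
    # Large outbound transfer to an address outside the assumed internal ranges.
    if e == "net_conn":
        dst = ip_address(ev["dst"].rsplit(":", 1)[0])
        if not any(dst in net for net in INTERNAL_NETS) and int(ev.get("bytes_out", 0)) >= LARGE_BYTES:
            return ev["host"], "exfil"
    return None


def correlate(lines, min_stages=3):
    """Return one alert per workstation showing at least min_stages distinct stages inside WINDOW."""
    seen = defaultdict(dict)  # workstation -> {stage: first timestamp}
    for line in lines:
        if not line.strip():
            continue
        hit = classify(parse_line(line))
        if hit is None:
            continue
        host, stage = hit
        seen[host].setdefault(stage, parse_line(line)["ts"])
    alerts = []
    for host, stages in seen.items():
        first, last = min(stages.values()), max(stages.values())
        if len(stages) >= min_stages and last - first <= WINDOW:
            alerts.append({"host": host, "stages": sorted(stages, key=STAGE_ORDER.index),
                           "first": first, "last": last})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(f"{alert['host']}: {' -> '.join(alert['stages'])} ({alert['first']} .. {alert['last']})")
```

On the constructed input, WS-017 trips all five stages and is reported, while WS-042 shows only the Office-spawns-shell event (a single stage) and stays below the threshold; the threshold is the point of the design, since any one of these signals on its own is noisy, but three or more on the same workstation inside a day is the pattern the paper describes. The lateral stage is deliberately credited to the source workstation rather than the domain controller so that the chain is assembled on the host where the intrusion began.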
The main government targets that the Chinese state is most interested in fall into three groups: its nearest neighbours (Japan, Taiwan, Tibet, Mongolia and the Muslim ‘Stans’ to the west); other powerful states with international influence, such as the US, Russia, the UK, Germany, France and India; and finally states with strong economic links to China, including Brazil, Iran, Australia, and parts of Africa and South-East Asia.
The paper also claimed that while the attacks have been going on since 2003, there is no incentive for China to stop: the more the stolen data is exploited for the benefit of companies and the government, the greater the motive to continue these operations.
It added that governments and large companies do not appear to be making much headway in solving this problem. It said that a combination of a reluctance to act, chronic under-investment in IT and a lack of user education about how to spot the warning signs of a potential attack means companies and organisations are extremely vulnerable.
It said: “In order to start rectifying the problem there is a need in the first instance to understand the problem. There needs to be an acceptance that this problem is not going to go away, that this is a business risk not an IT issue. Doing business with China carries extra risk in terms of data security, and traditional security products are unable to defend your data against this type of attack.
“Investigation of compromises needs to be thorough and conducted by people familiar with this problem and not simply the technical aspects of it. Above all, sensitive data must be segregated – it is not possible to defend everything.”