China allegedly behind attack on Canadian research group

News by Doug Drinkwater

One day on from claims that Chinese hacker group 'Comment Crew' was behind the theft of confidential documents on an Israeli missile defense system, the country is also being cited for more recent attacks against a Canadian government research organisation.

On Tuesday, US firm Cyber Engineering Services (CES) confirmed that "Comment Crew" – also known as "PLA Unit 61398" – had compromised the computer systems of three contractors working on the Israeli Arrow II missile interceptor between 2011 and 2012.

The missile system, part of the £600 million Israel Iron Dome missile defence system, intercepts and destroys missiles from up to 43 miles away and has been used during the current conflict in Gaza.

But today news emerged that Chinese attackers – some of whom may be state-sponsored – have been compromising other targets, most notably a Canadian government research organisation that works with private industry on research and development in a bid to bring cutting-edge technologies to market.

The Canadian Treasury Board confirmed on Tuesday that the computer infrastructure of the National Research Council (NRC) had been breached by a “Chinese state-sponsored actor”.

Details on the attack itself are scarce, with Canadian officials saying only that it was a "highly sophisticated" compromise and that restoring the NRC's full computer infrastructure could take up to a year.

“We understand that this incident will affect on-going business operations and every step is being taken to minimise its impact on our clients and stakeholders,” the NRC said in a statement on its website.

The NRC says there is "no evidence" that the attackers compromised data in other, connected government systems, but its computers have been isolated from the rest of the government network as a precaution.

The Chinese, though, have publicly rejected the claims, with the Chinese embassy in Ottawa saying that the report is based on a "groundless allegation".

"China-Canada relations have maintained a good momentum," said embassy spokesperson Yang Yundong. "We are ready to work together with the Canadian side to create a peaceful, secure, open and cooperative cyber space."

Clive Longbottom, founder and analyst at IT research outfit Quocirca, told SC that state-sponsored hacking is "by no means just a Chinese thing", but believes that much of the work may be being outsourced to the wider hacker community.

“State-sponsored hacking is by no means just a Chinese thing – I would place my life on it that our dear friends at the NSA and GCHQ are pretty active as well,” said Longbottom, who added that governments may break such systems for commercial gain, to slow down or stop an activity or just to see what other countries are up to.

“In many cases, there will be dedicated groups within security services that are carrying out the work (a lot of which will be attempting to get in and out of a target system without leaving any trace). However, increasingly, it is being outsourced," he said, adding that this was down to a combination of factors, most notably that top-level hackers don't want to be seen working for the establishment, that governments don't pay well, and that outsourcing offers the government "ultimate deniability".

Alan Woodward, a visiting professor in the department of computing at the University of Surrey and an academic adviser to the European Cybercrime Centre, agreed that ‘crime-as-a-service' is an emerging area and said that it was ‘in some cases inevitable' that the Chinese would target the Canadian agency, given its undoubted collection of intellectual property.

“One thing that hackers are definitely after – especially in China – is IP," Woodward told SC, adding that social engineering was the most likely way into an organisation and that IP is often a ‘soft target' wrongly ignored by companies.

Woodward expressed surprise at the lengthy remediation and said it pointed to a wide-ranging compromise, possibly with spyware sitting on thousands of worker laptops, for example.

Longbottom added: “The Chinese appear to have been caught out this time: we know that the NSA have been caught out as being perpetual snoopers, and it is pretty much a given that GCHQ has both helped the NSA and acted on its own.  Russia will be doing as much, if not more, than China.”

“The worrying thing here is that the NRC is stating that it could take the best part of a year to get things back to a good position.  This either means that the Chinese managed to infiltrate a massive amount of payload onto the system in such a way that it can't be cleansed, or that it has been there for so long that the NRC cannot trust any of its backups to restore cleanly.”

Longbottom said that pattern recognition, better rights management and data-centric security (securing the data itself rather than just the database) would have given the NRC better protection.

Meanwhile, in related news, the Dell SecureWorks Counter Threat Unit (CTU) research team has discovered a Chinese hacking group which has reportedly been targeting US-based video game companies since 2009.

The company says it has “medium confidence” that this hacking group – which it tracks as Threat Group-3279 – is focusing on the collection of video game source code, either to crack the games for free use or to reuse the source code in competing products.
