Did 'China' do it? SC speaks to Laura Galante, FireEye's director of threat intelligence

News by Max Metzger

SC sat down with FireEye's director of threat intelligence to talk about the recent cyber-talks between China and the US and what exactly we mean when say 'China did it'

‘It was China' is not a rare expression in this industry. The super-powered monolith is apparently at fault for the large majority of cyber-crime and APT if this expression is to be heeded too closely. 

Strange that an industry so concerned with specificity should satisfy themselves with identifying the ‘big bad' of the world as country of one billion people.

Luckily, SC spoke to Laura Galante, a person well equipped to cure that mental fog.  She's a trained attorney and regularly appears in print and television helping to explain international cyber-threats to the public. These days she heads up the global intelligence programmes and threat intelligence production at FireEye, the cyber-security giant of the west. And she's been busy.

We sat down (in a figurative sense at least) to talk about the recently completed China-US talks and what exactly we mean when we say, China did it.

“I think the trap that a lot of analysts have fallen into on this is that anything out of China must be either with the knowledge of or directed by the government,” Galante told SC. "I think we're looking at a much more of a wild west.” 

The kind of threat actors that Galante sees coming out of China often fit more into the description of entrepreneur than they do bureaucrat.

Generally, Galante told SC, FireEye parses these groups apart at the technical level: “At the most granular, atomic level of this, you're taking it all from different data sources. Some of it will be about the infrastructure that a group uses,” that is to say the domains or the websites used to the stage the attacks.

At the next level, one might look at the kinds of tools and malware that a particular group is using. Reverse engineering these tools can show telling fingerprints. "You start to see different timestamps on it from when someone actually wrote the code,” she said. 

A long running, well backed campaign might go back a decade. “One indication that you're looking at a long running campaign is a tool that's been used for a long time.” 

There are other indicators, too: “How does the malware work? Will it only drop a certain piece of the code when a certain thing is implicated on a network? Are there functions that search for a particular keyword?”

The next level is how they're using these tools. Specifically, who is this group targeting? What are they taking? And who are the victims? “It's that entire core of analysis, bringing infrastructure to tools to targeting to the actual tools on the network that can sometimes give you a complete picture.”

But authoritarian governments are often not the monoliths they appear; they work on the stacked power of internal factions and rent-seeking bureaucrats. Those bureaucrats might also have their own agendas. The gradient of state sponsorship is wide, said Galante, and in her job, “I think in shades of grey. Precision in how we're talking about this kind of activity is massively important for this.”

When someone sees a cyber-criminal group coming out of Russia and simply say Russia did it: “Russia is an absolute fallacy here.”

News of supposed ‘Russian' attacks on the financial sector, in FireEye's estimation, did not equate to Russia: “There really hasn't been a wide demonstrated link between that criminal activity having sponsorship or overlap with what the Kremlin is interested in.”

The Kremlin, a shadowy conspiratorial organisation perhaps, does sponsor certain un-Christian activity. Just the other day it admitted finally, and for the first time to employing hackers to well, hack for them, but, as Galante told us, there are “two distinct patterns of operation between criminal groups in Russia and state sponsored groups”.

She's seeing that kind of bifurcation more and more in China too, between groups that were military sponsored “and were regimented in what they went after, indicating a really large bureaucratic apparatus behind that and other groups that feel more like contractors,” without the same voluminous approach.

In fact, Galante thinks that the Chinese state probably never had the kind of control over rogue elements within its country that some thought: “I think it was a much more fluid environment for how groups could operate and I think that pendulum will only more swing in the direction of groups that operate independently rather than some sort of attempt by the government to cement this in a really structured way.”

Fingers are still pointing at China for the Office of Personnel Management (OPM) breach last year, which resulted in the theft of the personal details of 20 million US government employees. The Chinese government deny they were behind the theft and early on in the recent US-China cyber-talks, the Xinhua news agency announced the arrest of the hackers who perpetrated the breach. The state news outlet said at the time that this had all “turned out to be a criminal case rather than a state-sponsored cyber-attack as the US side has previously suspected”.

We may never know the truth of the situation, said Galante, but one thing she could say is that the command and control infrastructure associated with the alleged hackers "has not been very active for quite some time”.

Galante worries that OPM is almost a distraction, from the intentions that the US came to the table with, which was to get China to cease state-sponsored industrial espionage and intellectual property theft. “China seems to think that non-state sponsored groups that do that need to be stopped,” said Galante. “The bigger piece that these talks represent was how do we make the schism between political espionage and economic espionage? How do we make that a clear distinction?"

Cynicism might be the default position for many, and perhaps it's realistic to take that line, but Galante is encouraged by the fact that these talks are happening at all: “I have to say that to have the President of China coming out and talking about it publicly is a wild shift."

Acknowledgement is not outright, but even if it's partial, it's still there. The very fact that “there is discussion from the Chinese side of this rather than ‘take your baseless accusations and go away' is a marked change. If we don't see that as progress, I don't know what we can see as progress.”

To be sure, we're not going to see Chinese state-sponsored cyber-espionage turn on a dime in 2016 but surely we will see some change, however incremental.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews