Chinese state hackers revealed - victims fail to report breaches

News by Steve Gold

China's unit 61398 identified as a 24-person operation; three US companies fail to report breaches.

The US Justice Department has charged five Chinese state hackers with attacking US company servers as part of an ongoing investigation into state-sponsored attacks on the country's national infrastructure. 

The hackers are thought to form part of a 24-person Unit 61398, which Mandiant's report of last year identified as a Chinese military division working out of a 12-story white tower on the outskirts of Shanghai. The unit, aka the Comment Crew, the Shanghai Group and APT1, is now infamous in Western IT security circles.

In parallel with the indictments, three US public companies have been named as Chinese attack victims, but officials say they did not report the theft of trade secrets and other data to investors, despite rules designed to disclose significant events.

According to the New York Times, which broke the story about the five Chinese uber-hackers, "one man accused of being a hacker for the Chinese military, Wang Dong, better known as UglyGorilla, wrote in a social media profile that he did not have much ambition, but wanted to wander the world with a sword, an idiot."

All five have been indicted by the US Justice Department this week, charged with being part of a Chinese military unit that has hacked the computers of key US companies to steal commercial secrets.

The paper says that Chinese Web sites, as well as interviews with cybersecurity experts, "reveal some common traits among those and other hackers, and show that China's hacking culture is a complex mosaic of shifting motivations, employers and allegiances."

These traits include a typical age group of 20- to 30-somethings who were trained at People's Liberation Army universities and are then employed through various state agencies while working for the Chinese military. Interestingly, the paper says, some of the state-sponsored hackers are 'moonlighting' for the state and for private companies in addition to their regular day jobs.

Unit 61398 is not the only hacker group in China: the New York Times says that a smaller unit, the Kunming Group, operates from Kunming, the capital of Yunnan Province, and concentrates on attacks on Vietnam's IT infrastructure.

The Bloomberg newswire, meanwhile, quotes two of the three firms identified as failing to report data breaches to their investors, Alcoa and Allegheny Technologies Inc, as saying that the thefts were not material to their businesses and did not have to be reported under Securities and Exchange Commission rules of disclosure.

Commenting on the emerging revelations about the apparent failure of the three firms to abide by SEC rules, Tom Cross, security research director with Lancope, said it is important to distinguish between security incidents and data breaches.

"Sophisticated attackers can often get past the perimeter defences of a company's computer network, but with the right awareness and visibility, that company's incident responders may be able to identify and contain an incident before valuable information is stolen. If nothing valuable is stolen, the security incident doesn't become a material data breach that needs to be disclosed to investors and the public," he said, adding that it is important to note that, where there is doubt, the presumption should be that valuable data may have been exposed.

Rob Bamforth, a principal analyst with Quocirca, said there are parallels between the three firms' apparent failure to disclose and the actions of eBay and Target, who both seemed to take a lengthy period of time to report their breaches to stakeholders.

"It's clear that the process of notifications really does need to improve. Aside from adhering to the rules, I believe there are very real reputational damage issues involved. We really do need a set of full disclosure guidelines for all companies," he explained.

Bamforth's view was shared by fellow analyst Sarb Sembhi, a director of consulting with Incoming Thought, who also compared the three companies' situation with the eBay and Target breaches, noting that the existing SEC rules were drawn up before computers, and the Internet, became commonplace.

There is, however, room for self-regulation on the disclosure front, he said, as 'good guy' companies can then differentiate themselves from the competition.

"My own view is that, if a company is found not to have disclosed a successful attack, then they must demonstrate they performed a full risk analysis on their security systems. Corporates must get this right," he said.

The bottom line, adds Sembhi, who is also a leading light in ISACA, the not-for-profit IT security association, is that cyber attacks are a fast-moving field, and both the attacks and the security techniques to counter them have improved over time.
