General Lt Morten Haga Lunde, head of the Norwegian intelligence agency E-tjenesten, has gone on the record to accuse China of involvement in cyber-espionage activities in the country, stating that threat actors in China have stolen confidential information from Norwegian companies which is now being used in Chinese military technology. The companies hit and the technology stolen were not revealed. This is believed to be the first time this Nato government has unequivocally accused China – though with attribution in hacking being so difficult, "threat actors in China" could be taken to mean non-government Chinese hackers working with government sanction.
Lunde was reported by Norwegian Broadcasting (NRK), in connection with the Norwegian defence department's annual threat assessment, Fokus 2016, as saying that both Russian and Chinese intelligence posed digital threats to Norway. He also noted that the threat coming from these nations applies not only to Norwegian companies, but is a global challenge.
Robert Aranjelovic, director of security strategy for EMEA at Blue Coat Systems, told SCMagazineUK.com that while some may consider Norway an unlikely target due to its distance from China and its relatively small size, its strategic location and role as a leading oil producer make it a valuable intelligence target for future claims in the anticipated resource boom expected to follow the melting of the Arctic ice shelf. Norway also plays a disproportionately large role in the global defence industry, with extremely valuable weapons-related intellectual property, but primarily it is a target because it is a NATO country. Also, the general secretary of NATO, Jens Stoltenberg, is Norwegian.
He added, “What's important here is that it's not just the boogie man out there, this is an official government statement saying that this is a real threat.”
Snorre Fagerland, senior principal security researcher at Blue Coat's Oslo-based research team, backed up the government's assertions and explained that his team has observed activities of threat actors with a profile consistent with those cited by Lunde. This includes what was described as overwhelming circumstantial evidence, ranging from time zone, geolocation of IP addresses, source code, language used (including the language configured on the machines employed) and type of malware, including new malware reusing elements of past attacks – all of which point to China.
He told SC: “Threat actors presumed to be coming out of China have been really active for quite a long time, but we are still seeing significant threat activity from these actors. We have seen high threat activity globally against various countries. Just today I have been looking at activity against Japan. Their methodology seems to match what you can expect from presumed Chinese threat actors. It's really, really hard to pinpoint any activity in this space as coming from government, and particularly in China because there is an underground which sympathises with government policy and so you get a grey area which might be government driven or sponsored, but you don't know to what extent.
“Certainly the targets here would be of most interest to government associated interests, but it could also be a case of privateers trying to get hold of information that they hope to sell."
Aranjelovic added that what could also be noted with state-sanctioned actors was, “some of the sophistication of some of the attacks, for instance developing a really sophisticated piece of malware, the amount of time and resource that's gone into it. They indicate it's probably not some kid in a basement doing this.”
Fagerland continued, “We are developing profiles of specific groups that we see originating in different areas. So we are tracking groups – and in China there is a multitude. Some are probably related to semi-commercial threat actors, security companies, some related to private underground hackers and some are unknown, certainly capable, but we don't have enough information to pin them to any specific organisation."
Aranjelovic adds: “Part of the game being played is the obfuscation of attribution. To make it very shady where the attack came from geographically, but more importantly, any involvement from the state itself – there is even more effort and a lot of intermediaries to mask all of that."
According to Fagerland: “It's usually easier to follow the attack down to an individual than it is to an organisation. Chinese hackers have traditionally been negligent or indifferent to operational security. They can hack and then blog about it – more prevalent five years back. Now they are getting better, but they still make mistakes, like when they were more careless, and some of the attribution comes from this. You can go back and look at their history, the technology, what they have done before, and even though they are quite good now, they will often do things they did back then. Language, not only in the source code, the machines that host the malware, the code itself, where did it come from. Some of the code has been adapted from earlier known stuff, and Chinese tend to favour their own stuff and typically don't go out and fetch US open source, they get Chinese open source – probably because of language. No single factor is being considered, it's the big picture and then create a confidence score – but rarely is it 100 percent confidence.”
Regarding defence against such attacks, Aranjelovic advises organisations to improve their incident response capabilities with the help of advanced threat protection and forensics technologies. This also includes cooperation and information sharing with others on threat intelligence. Fagerland noted that, as a nation-state, you can sit on the nodes where the traffic flows through, and monitor or sometimes inject things into that traffic with a great deal of access. Against other nations you don't have that kind of access, so in those cases spear-phishing attacks tend to be quite efficient.
Aranjelovic reiterated that the older perimeter-barrier approach had been superseded and that actors at the top end of the capability range were unlikely to be kept out. A dedicated state player with a vested interest in infiltrating your organisation is likely to get in. Therefore any company holding information whose loss would hurt it needs to protect against that loss. So it's important to quickly identify when there has been a breach, and to identify what data has been compromised, who did it and how they got in, so you can close off those avenues.
Fagerland adds, "It's not just what you own, but who you know. If you have powerful companies who are customers or clients then you also become a target to be used as a stepping stone to breach them. Lawyers' offices are prime targets because they serve many of these powerful companies, and when you get a pdf from your lawyer you tend to click on it." (Spoofed targeted phishing emails carrying malware are widely used by the presumed Chinese actors.)
An upcoming Blue Coat Research report provides detailed observations of a group – believed to be situated in the region – which has been engaging in an extensive campaign of cyberattacks against a wide range of Japanese companies and organisations since mid-2012. The report will provide detailed examples of some of the techniques used. It also shows consistency with what has been happening in Europe.