Kevin Fogarty
June 19, 2014
Is China the World’s Leading Cyberspy?
This is first of a three-part series examining the industry fallout from China’s alleged cyberspying, and specifically if the spying has hurt the tech industry. Today we review history, piecing together evidence of spying with China’s pattern of denial. Science writer Kevin Fogarty takes an in-depth look for EE Times.
Despite years of accusations and mounting evidence that its military intelligence divisions are among the most aggressive cyberspies in the world, China categorically denies digital spying of any kind. Period.
The US indictment of five Chinese military officers for attacks on US companies is an “absurd” effort based on “fabricated facts” made for “ulterior motives” against a country that is the “victim” of online espionage, not the perpetrator, according to a spokesman from the Chinese Foreign Ministry.
"China is a staunch defender of cyber security" that has never "engaged or participated in the theft of trade secrets through cyber means," according to a published statement from Chinese Foreign Ministry spokesman Qin Gang.
No matter how serious the charges or how damning the evidence, the response from China is always an absolute denial, usually followed by counter accusations that China’s accusers are the real victimizers.
In April, for example, China deplored the “groundless accusation” in a US government report recommending tighter controls on space technology due to China’s efforts to steal it.
In 2013, China categorically denied spying on European diplomats, and went on to say the detailed report from security company Mandiant that laid out details of China’s digital spy operation lacked “technical proof” and was inherently flawed because it didn’t differentiate between cyberespionage and “everyday gathering” of online information.
Still, the evidence piles up.
The indictment announced by the Dept. of Justice May 19 charged five members of the People’s Liberation Army (PLA) of stealing data from the networks of five US companies and one trade union.
The five are officers, senior staffers, or contractors working for the Shanghai-based Unit 61398 of the PLA, which is infamous for the high-volume, heavily automated attacks blamed for the theft of “hundreds of terabytes” of technology blueprints, negotiation strategies, pricing, and financial data and other information from 141 companies and organizations between 2006 and 2013, the vast bulk of them in the US, according to the February 2013 report from security firm Mandiant, which is the most detailed publicly available analysis of the attacks.
Mandiant used more than 3,000 bits of data residue from Advanced Persistent Threat (APT) attacks back to a building in Shanghai that houses the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, Unit 61398.
The same unit, and its role as a leading cyberspy for both the Chinese military and commercial enterprises, was also described in a 2011 report from similar reports from China-watching think tank the Project 2049 Institute.
Many of the same indicators pointing to Unit 61398’s involvement in a five-year series of attacks on more than 70 companies that investigators dubbed Operation Shady RAT were found by McAfee in a 2011 report, later confirmed by Symantec Inc.
"This is the biggest transfer of wealth in terms of intellectual property in history," McAfee VP of threat research Dmitri Alperovitch told Reuters after release of the Shady Rat report. "The scale at which this is occurring is really, really frightening."
A 2011 report from the US Office of the National Counterintelligence Executive titled “Foreign Spies Stealing US Economic Secrets in Cyberspace" used the findings of 14 US intelligence agencies to conclude that "Chinese actors are the world’s most active and persistent perpetrators of economic espionage" against US government agencies and private companies.
The Dept. of Defense, which had previously identified attacks as coming from within China but didn’t say from whom, narrowed down the suspects enough to conclude in a 2013 report to Congress that “China is using its computer network exploitation capability to support intelligence collection against U.S. diplomatic, economic and defense industrial base sectors.”
The theft of intellectual property costs US businesses more than $300 billion per year, close to the total value of all US exports to Asia, according to a 2013 reportfrom the White House-appointed Commission on the Theft of American Intellectual Property.
Russia, India, and other countries contribute to the problem, but China is responsible for between 50% and 80% of all IP theft from US companies, according to the commission, which based its conclusions on reports from the US Trade Representative and research from private companies.
In 2013, Verizon’s annual Data Breach Investigations Report, which examined data on more than 47,000 attacks and 621 confirmed breaches that compromised 44 million records, estimated that 20% of successful data breaches were attempts by state-sponsored intelligence agencies to steal trade secrets.
Of the approximately 124 cyberespionage incidents it examined, Verizon concluded, China was behind 95%.
China is so persistent and aggressive about “technology transfer” by fair means or foul play that there’s no doubt it is heavily involved in online industrial espionage against US companies, according to Jeffrey Carr, author of Inside Cyber Warfare: Mapping the Cyber Underworld and founder of Taia Global, a security firm specializing in cyberwar research.
It is not clear, however, how much of that spying is being done on the orders of the Chinese government, how much is being done by PLA hackers working on private side projects, or by the legions of civilian “hobbyist” hackers, or even by hackers whose only presence in China is a malware-infected machine enlisted as a proxy to hide the attacker’s actual whereabouts, Carr said. He continued:
Both the PLA and hackers are causing problems, and not just for the U.S. China has a huge problem with hacking against its own networks, so there could be any number of rogue actors involved in the attacks listed in the indictment. But, in China, more than half the computers are running pirated software or are infected with malware – so it’s pretty easy to own a computer inside China’s IP space, which means you don’t know what the actual origin[of the attack] is.
It’s possible that some of the attacks are spoofed, according to Laura Galante, manager of threat intelligence at Mandiant, who worked on both the February 2013 APT1 and an update published in April of this year.
Galante said in an interview with EE Times:
It took years to put together the APT1 report because we wanted it to be definitive. It’s a matter of following breadcrumbs to find the larger story. The persona called Ugly Gorilla, say, would sign his malware tools and we’d see that a lot in 2010 and 2009. Then those signatures would fade out in 2011 and 2012, but we continued to see the same tools, so we’d look to see where he had posted under that name in an email or a message bloc or a domain registry or anyplace he might have used that name.
Mandiant was able to identify between 20 and 25 separate groups launching attacks on its customers outside China. The group nicknamed Comment Crew for the notations made in their malware tools, however “blew everyone else out of the water,” Galante said.
"They specifically were so pervasive in networks of clients in the Fortune 50 or Fortune 500 that we felt it was clear there was something different about them," Galante said.
It’s impossible to know for certain that the Comment Crew was working on the orders of Chinese government officials, but evidence tying it to specific attacks, the companies chosen as targets and the type of information stolen match up so closely with priorities or goals announced by the central government that it’s hard to imagine anyone not working for the government would go to the trouble.
"Making a specific attribution takes a lot of work because you want to be right," Galante said. "But we did the research and were able to make a solid judgment of who might be supporting that activity."
The Mandiant report made enough of a splash, however, that China’s dismissal of it as “groundless accusations” came not from a Foreign Ministry spokesman, but from Chinese Premier Li Keqiang, just two days after taking office.
Hacking is a “worldwide problem and in fact China itself is a main victim of such attacks,” Li said at a press briefing March 15 shortly after being sworn in as Premier. “China does not support — in fact it is opposed to — hacking attacks.”
No comments:
Post a Comment