Report: Chinese Far Outstrip U.S. Cyber-Spy Fight for Military, Business Secrets

While most of the IT world was fretting over the break-in at Epsilon that probably netted some organized crime group a few million pre-confirmed email addresses, U.S. IT espionage specialists were finishing up a report showing the Epsilon hack is small potatoes compared to China.

U.S. investigators told Reuters that attackers working for the Chinese government have stolen terabytes of sensitive data ranging from usernames and passwords for State Department computers to the designs of major weapons systems.

Secret State Dept. cables, held by WikiLeaks and given to Reuters by a third party, traced a series of attacks back to the Chinese government - one cable even identified the specific unit of the Chinese military that launched an attack.

Code-named "Byzantine Hades," the breaches represent attacks that have been going on since at least 2006 and are accelerating.

The months-long attack on Google in late 2009 and early 2010, which compromised the emails of Chinese dissidents and accessed Google source code, also came from China, according to Joel Brenner, former counterintelligence chief for the Office of the Director of National Intelligence.

Thousands of U.S. companies were part of the same series of attacks - code-named "Aurora" - though only 34 were publicly identified, Brenner told Reuters.

Organizations ranging from IT developers to defense contractors to Formula One teams also complain of attacks that go after proprietary information.

Brenner called the Aurora attacks "heavy-handed use of state espionage" to steal information of military, political or industrial value.

A March 28 study from McAfee and government consulting company SAIC called corporate intellectual property "the latest cybercrime currency."

"Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents," said Simon Hunt, vice president and chief technology officer, endpoint security at McAfee in the report.

The change in target means corporate security has to change too, according to Scott Aken, vice president for cyber operations at SAIC.

Rather than assuming a good perimeter means tight security, end-user companies have to assume attackers will get through the first layer of defense, he said. Real protection means having security that can slow down or wall out attackers who already look like legitimate users.

"Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely - just as an insider would," Aken said in the report. "Having defensive strategies against these blended insider threats is essential, and organizations need insider threat tools that can predict attacks based on human behavior."

The most common method of attack is spear-phishing - sending targeted, plausible-looking email to people with legitimate access in order to obtain login credentials for a specific network.

Once inside a network, attackers install keyloggers and command-and-control software that harvest further usernames and passwords and give the attackers control over systems attached to the network, where they can work unimpeded.
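Because the attacker in this chain is using a real account with a real password, the login system sees nothing wrong; what changes is the account's behaviour, which is the point Aken makes above. The following is an added example, not code from the article, Reuters, McAfee or SAIC: a small baseline-and-deviation detector in Python that learns which hosts each account normally reaches, then flags an account that suddenly succeeds on several never-before-seen hosts within a few minutes. The `host=... user=... result=...` log format, the host names, the account names and the timestamps are all constructed for the example.

```python
"""Detect stolen-credential lateral movement from authentication logs.

Learn each account's normal set of destination hosts during a baseline
period, then flag accounts that, afterwards, succeed on several hosts
they never used before within a short window. The signal is behaviour,
not identity: the password is valid, so the login itself looks fine.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (hypothetical format, hosts and accounts).
# Early April is normal use; on 14 April 'jdoe' fans out to hosts the
# account has never touched, at 02:00, with one failed attempt on the way.
SAMPLE_LOG = """\
2011-04-01T09:02:11Z host=fin-ws-12 user=jdoe src=10.1.4.22 result=success
2011-04-01T09:05:40Z host=fileshare-1 user=jdoe src=10.1.4.22 result=success
2011-04-02T08:58:03Z host=fin-ws-12 user=jdoe src=10.1.4.22 result=success
2011-04-02T14:10:27Z host=fileshare-1 user=jdoe src=10.1.4.22 result=success
2011-04-03T09:01:55Z host=fin-ws-12 user=jdoe src=10.1.4.22 result=success
2011-04-01T10:15:00Z host=eng-build-3 user=asmith src=10.2.7.9 result=success
2011-04-02T10:20:13Z host=eng-build-3 user=asmith src=10.2.7.9 result=success
2011-04-03T10:22:41Z host=eng-git-1 user=asmith src=10.2.7.9 result=success
2011-04-14T02:13:07Z host=fin-ws-12 user=jdoe src=10.1.4.22 result=success
2011-04-14T02:14:31Z host=dc-01 user=jdoe src=10.1.4.22 result=success
2011-04-14T02:15:02Z host=eng-build-3 user=jdoe src=10.1.4.22 result=success
2011-04-14T02:15:48Z host=hr-db-2 user=jdoe src=10.1.4.22 result=failure
2011-04-14T02:16:20Z host=hr-db-2 user=jdoe src=10.1.4.22 result=success
2011-04-14T02:17:05Z host=design-srv-7 user=jdoe src=10.1.4.22 result=success
2011-04-14T10:30:00Z host=eng-git-1 user=asmith src=10.2.7.9 result=success
"""

# Everything before this instant is treated as the learning period (assumed).
BASELINE_END = datetime(2011, 4, 10, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed key=value format into records ordered by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def build_baseline(records: list[dict], baseline_end: datetime) -> dict[str, set[str]]:
    """Hosts each account successfully reached before baseline_end."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r["ts"] < baseline_end and r["result"] == "success":
            baseline[r["user"]].add(r["host"])
    return baseline


def detect_lateral_movement(records, baseline, window=timedelta(minutes=10), threshold=3):
    """Flag accounts that succeed on >= threshold never-seen hosts inside `window`.

    Returns a list of (user, first_timestamp, sorted_new_hosts) tuples.
    """
    new_host_events: dict[str, list] = defaultdict(list)  # user -> [(ts, host)]
    for r in records:
        if r["result"] != "success" or r["host"] in baseline.get(r["user"], set()):
            continue
        new_host_events[r["user"]].append((r["ts"], r["host"]))

    alerts = []
    for user, events in new_host_events.items():
        # Slide a window over the time-ordered new-host logins for this account.
        for i, (start, _) in enumerate(events):
            in_window = {h for ts, h in events[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts.append((user, start, sorted(in_window)))
                break  # one alert per account is enough for triage
    return alerts


def run_detection(text: str, baseline_end: datetime):
    """Convenience wrapper: parse, learn the baseline, detect."""
    records = parse_log(text)
    return detect_lateral_movement(records, build_baseline(records, baseline_end))


if __name__ == "__main__":
    for user, first_ts, hosts in run_detection(SAMPLE_LOG, BASELINE_END):
        print(f"ALERT {user}: {len(hosts)} new hosts from {first_ts.isoformat()}: {hosts}")
```

The detector deliberately ignores the failed attempt on hr-db-2 and looks only at successes, because a real user with a valid password fails occasionally too; the distinguishing feature is the fan-out to hosts the account has no history with. In production the baseline window, the threshold and the time window would be tuned per environment, and the alert would be enriched with the source address, which here is the user's own workstation and is exactly what a "blended insider" looks like.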

The technique is so successful that military and civilian security specialists have almost given up on keeping attackers out completely.

"We have given up on the idea we can keep our networks pristine," according to Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency.

The Center for Strategic and International Studies (CSIS) in Washington - a think tank specializing in security - has been negotiating with the Chinese over digital conflicts between the two countries' militaries, law enforcement and trade groups, so far with no progress on the cyberwar front.

CSIS itself was the target of a spear-phishing attack containing malicious code that could be tentatively traced to China.

Though it contains little about American capabilities or practice, the report concludes that in aggressiveness, volume and success rate, the Chinese cyberattackers are scoring far higher than their U.S. counterparts.

Which doesn't mean the Epsilon email snatch was small potatoes. It was big potatoes.

Epsilon is just lucky they didn't take the whole kitchen.
