Looking to gain the upper hand in any future cyber conflicts, China is probably spying on U.S. companies and government, according to a report commissioned by a Congressional advisory panel monitoring the security implications of trade with China.
The report outlines the state of China’s hacking and cyber warfare capabilities, concluding that “China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long term, sophisticated computer network exploitation campaign.” Published Thursday, the report was written by Northrop Grumman analysts commissioned by the US-China Economic and Security Review Commission.
Government agencies and military contractors have been hit with targeted, well-crafted attacks for years now, many of which appear to have originated in China. But this report describes in detail how many of these attacks play out, including an attack that exploited an unpatched flaw in Adobe Acrobat that was patched earlier this year.
Citing U.S. Air Force data from 2007, the report says at least 10 to 20 terabytes of sensitive data has been siphoned from U.S. government networks as part of a “long term, persistent campaign to collect sensitive but unclassified information.” Some of this information is used to create very targeted and credible phishing messages that then lead to the compromise of even more computers.
Northrop Grumman based its assessment largely on publicly available documents, but also on information collected by the company’s information security consulting business.
The report describes sophisticated, methodical techniques, and speculates on possible connections between Chinese government agencies and the country’s hacker community, increasingly a source of previously unknown “zero-day” computer attacks.
“Little evidence exists in open sources to establish firm ties between the [People’s Liberation Army] and China’s hacker community, however, research did uncover limited cases of apparent collaboration between more elite individual hackers and the [People’s Republic of China’s] civilian security services,” the report says.
If true, that wouldn’t be much of a surprise. The U.S. government has had a presence at the Defcon hacker convention for years now, and the U.S. Department of Defense has even started using it as a recruitment vehicle in recent years.
The Adobe Acrobat attack was supplied by black hat programmers to attackers who targeted an unnamed U.S. firm in early 2009. Working nonstop in shifts, the attackers snooped around the network until an operator error caused their rootkit software to crash, locking them out of the system.
In a typical targeted attack, the victim receives an email message containing a maliciously crafted office document as an attachment. It might be disguised to look like the schedule or registration form for an upcoming conference, for example. When it’s opened, the zero-day attack executes and cyberthieves start collecting information that might be used in future campaigns. They sniff network and security settings, look for passwords, and even alter virtual private network software so they can get back into the network. In some cases they’ve installed encrypted rootkits to cover their tracks, or set up staging points to obscure the fact that data is being moved off the network.
In another case cited by Northrop Grumman, the attackers clearly had a predefined list of what they would and would not take, suggesting that they had already performed reconnaissance on the network. “The attackers selected the data for exfiltration with great care,” the report states. “These types of operational techniques are not characteristic of amateur hackers.”
Earlier this year, Canadian researchers described a similarly sophisticated cyberespionage network, called GhostNet, launched against international government agencies and pro-Tibetan groups such as the Office of His Holiness the Dalai Lama.
Although the GhostNet report authors did not link the spying to the Chinese government, some researchers did.