Chinese hackers master art of lying low

State-sponsored cybercriminals use simple weapons to infiltrate U.S. networks, and then quietly steal data while remaining undetected.

China's remarkable success at infiltrating U.S. government, military and corporate networks in recent years shouldn't be seen as a sign that the country is gaining on the U.S. lead in cybertechnology expertise.

State-sponsored hacking groups in China are no more -- or less -- sophisticated than criminal and politically motivated cybercrime gangs elsewhere. The difference, experts say, is how the Chinese hackers target victims, their persistence and their ability to lie low and secretly maintain access to breached networks for long periods of time.

The U.S. Department of Defense earlier this month, in a departure from its usually thinly veiled innuendos, openly accused state-sponsored hacking groups in China of launching cyberattacks aimed at extracting information from the U.S. government, military and businesses.

Outside of the Pentagon, such allegations aren't new. Security experts and major corporations like Google and Microsoft have long maintained that hackers in China use cyberattacks to steal military, government and corporate secrets.

The Chinese government has denied that it coordinates hacking campaigns.

However, said Anup Ghosh, CEO and founder of security firm Invincea, "the acknowledgement by the Pentagon is a first step in publicly declaring the threat."

Though the tone of the government's report on Chinese cybercrime is ominous, the reality of cyber expertise in the country is more mundane, say security experts.

"It's not that the Chinese have some unbeatable way of breaking into a network," said John Pescatore, director of emerging security trends at the SANS Institute. "What is innovative is their targeting."

Pescatore said U.S. contractors and defense and high-tech companies that could be targets of Chinese espionage efforts should be less concerned about the origin of the attacks than about the need to shut down basic vulnerabilities and fix configuration errors in their corporate networks.

While China likely does have an arsenal of attack techniques and zero-day assault tools, it usually "uses the lowest level of tools and the easiest means to get in" to networks, said Dan McWhorter, managing director of threat intelligence at security firm Mandiant. If the Chinese hackers do come up against a sophisticated company, "they will up their game," he added.

Many of the hackers operating out of China have become adept at stealing legitimate corporate network credentials and then using them to log in as an employee, McWhorter said.

After they strike, the attackers are quick to erase all signs of a break-in, making it difficult for a company to even know that it was compromised. Therefore, the hackers are able to extract a lot of data without attracting suspicion, McWhorter said.

If a company does discover such a breach, IT managers must exercise great care not to tip off the hackers, he said.
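The pattern described above (legitimate credentials used to log in as an employee, followed by cleanup of the evidence) is hard to catch with signature-based tools because nothing about the login itself is malicious. What a defender can look for is deviation from that user's own baseline and any sign of log tampering. The following script is an added illustration of that detection logic, not code from the article or from any of the firms quoted; the log format, source addresses and user names are constructed for the example, and the "audit_log_cleared" event name is a hypothetical stand-in for whatever your platform emits when an audit log is purged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the article). Simplified format:
#   <ISO timestamp> <event> user=<name> src=<source address>
# The jsmith account normally logs in from 10.1.4.22 during office hours; the
# last two jsmith events show an off-hours login from an unfamiliar address,
# followed by the audit log being cleared.
SAMPLE_LOG = """\
2013-05-06T09:02:11 login user=jsmith src=10.1.4.22
2013-05-06T09:15:40 login user=jsmith src=10.1.4.22
2013-05-07T08:58:03 login user=jsmith src=10.1.4.22
2013-05-07T13:20:12 login user=akim src=10.1.7.9
2013-05-08T02:47:55 login user=jsmith src=203.0.113.45
2013-05-08T02:52:10 audit_log_cleared user=jsmith src=203.0.113.45
2013-05-09T09:05:30 login user=akim src=10.1.7.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse the constructed log format into a list of event dicts.
    Lines that do not match the expected shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts),
                       "event": event, "user": user, "src": src})
    return events


def detect(events, business_hours=(7, 19)):
    """Return a list of (timestamp, user, reason) findings.

    The per-user baseline of known source addresses is learned from the
    stream itself: a login is flagged when it comes from an address that
    user has not been seen on before (once a baseline exists) or falls
    outside business hours. Any audit-log-cleared event is always flagged,
    since erasing local evidence is the post-intrusion step the article
    describes."""
    seen_src = defaultdict(set)
    findings = []
    for ev in events:
        if ev["event"] == "login":
            reasons = []
            known = seen_src[ev["user"]]
            if known and ev["src"] not in known:
                reasons.append("new source host")
            hour = ev["ts"].hour
            if not (business_hours[0] <= hour < business_hours[1]):
                reasons.append("off-hours")
            if reasons:
                findings.append((ev["ts"].isoformat(), ev["user"],
                                 "; ".join(reasons)))
            known.add(ev["src"])
        elif ev["event"] == "audit_log_cleared":
            findings.append((ev["ts"].isoformat(), ev["user"],
                             "audit log cleared"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in detect(parse(SAMPLE_LOG)):
        print(f"{ts} {user}: {reason}")
```

Run against the constructed sample, the script flags the 02:47 jsmith login (new source host, off-hours) and the subsequent audit-log clearing, and nothing else. Two design points matter in practice: the baseline should be built from logs forwarded to a collector the endpoint cannot modify, otherwise the "erase all signs" step removes the very records this check depends on; and, in line with the advice above about not tipping off the intruder, findings like these belong in an out-of-band alert queue rather than an on-host notification.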

Unlike the exploits of many European cybergangs, most of the malicious hacking activity originating in China focuses on industrial espionage and theft of trade secrets. McWhorter said Chinese hackers generally don't bother taking financial data and other personal information from individuals.

Jeremy Kirk of the IDG News Service contributed to this story.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on
