Hackers inside Chinese military steal U.S. corporate trade secrets

In May, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military on charges of hacking and economic espionage, according to a May 19 U.S. Department of Justice media release. Per the same release, the targets were six U.S. enterprises operating in the solar products, nuclear power, and metals industries, and the attacks began as early as 2006 and continued over many years and into this year.


The five indictees were Wang Dong, a.k.a. Ugly Gorilla (a hacker handle); Sun Kailiang, a.k.a. Jack Sun; Wen Xinyu; Huang Zhenyu; and Gu Chunhui, a.k.a. KandyGoo. The indictees were officers in Unit 61398 of the Third Department of the Chinese People's Liberation Army. According to the charges, the five men compromised computers belonging to the six U.S. enterprises and stole trade secrets and strategic information useful to those enterprises' Chinese competitors. The U.S. companies that fell victim were Westinghouse, SolarWorld, U.S. Steel, ATI, the USW, and Alcoa, Inc., according to the May 19 U.S. Department of Justice media release.

After much preparation, the attackers launched highly tailored spear phishing email attacks. CSOs, CISOs, and IT and security executives and staff should reconsider the technical and social nature of these kinds of attacks. Security leadership should revisit the measures they apply to their organizations to determine whether they are sufficient to mitigate costly nation-state hacker threats.

Attacks by members of the Chinese military

"The Chinese were probably probing their systems for years prior to launching the social engineering email attacks," says Damon Petraglia, Director of Forensic and Information Security Services, Chartstone Consulting, speaking of the groundwork the five members of the Chinese military would have had to lay before sending the spear phishing emails to the six enterprises. These probes told them whom to target with the emails and what the corporate network topologies were, so that they could stage successful attacks against network vulnerabilities.

"They already knew what firewalls the targeted companies were using," says Petraglia, who developed and taught information security training at a large U.S. government agency. According to Petraglia, these Chinese hackers would have built entire networks to the same specifications as the ones they planned to attack. "These were military and intelligence level officers who had the resources and the funding to do this. They were highly trained," says Petraglia. Once their attacks succeeded against the duplicate network without detection, they could confidently launch them against the six U.S. entities.

Petraglia's assertions are not speculation. "Military organizations duplicate towns, areas, and buildings to run practice drills prior to attack or rescue missions. From a technical perspective, duplicating a network based on electronic and physical reconnaissance is cheaper and easier than building a town, area, or building. Reconnaissance is a major part of red team / blue team exercise scenarios. From a military and intelligence perspective, this behavior is expected of the adversary," says Petraglia.


Then came the slow, steady exfiltration. "Most of these high profile cases are the result of spear phishing, unless the attackers have an insider in the target company," says Rahul Kashyap, Head of Security Research, Bromium. In attacks by nation states, one almost always sees very well designed spear phishing emails that appear to come from the CEO or a similar high official within the organization. "A spear phishing email sent to employees of Alcoa appeared to come from a corporate board member," says Kashyap of one email sent during these attacks. The idea was to create a sense of urgency so that employees responded without thinking and began clicking links or opening attachments containing malware. "Attackers spray bunches of emails at employees. All they need is for one person to open one email and respond for an attack to progress," says Kashyap.

The compromised employee machines ultimately requested the data via port 80 or another port used for web traffic, ports on which enterprises expect to see a lot of traffic. Because the malware was designed to push or pull just a little malicious traffic at a time, mixed in with expected web traffic, enterprise security did not detect the attacks. Meanwhile, the malware kit acquired increasing degrees of access on the network until it reached the databases and servers that held the intellectual property and confidential documents the attackers sought and highly prized. "Anyone who had access to the kinds of material these hackers stole would have a huge advantage over the targeted U.S. competitors," says Kashyap.

Previous state-sponsored attacks have used kernel exploits, as seen in Stuxnet, Duqu, Gapz, TDL4, Gameover, and the recent Adobe Reader sandbox bypass; these hackers may have used kernel exploits in these attacks as well. "The Windows kernel is the core of the operating system. If you compromise the kernel, you own the machine, including the security software on it," says Kashyap.

Mitigating similar attacks

"I trained people at government agencies who had no clue that they were under attack as much as they were," says Petraglia. Given that, everyday businesses outside the government are certainly not up to speed on securing against state-sponsored attacks, concludes Petraglia. Enterprises need to educate and train their people to understand that they are, without doubt, targets of military- and intelligence-level hackers.


Several layered technical measures are necessary to mitigate state-sponsored attacks that hackers levy for economic gain. Enterprises need solid definitions as to what is sensitive data. They need absolute rules about data access. "Use Data Loss Prevention tools so people can't copy sensitive data to their laptop, which then ends up unattended in the back of their car," says Petraglia.

"Encryption is key," Petraglia continues. Encrypt all data in transit and at rest. Don't make it easy for the hackers to get the data. Follow egress traffic to where it terminates insofar as possible. Watch the packet sizes leaving the enterprise as well as their destinations, and look for unexpected sizes and destinations.
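The "a little at a time over port 80" exfiltration described earlier and the advice above to watch egress sizes and destinations suggest one concrete detection: per source/destination pair, look for many web-port connections of near-constant size at regular intervals to a destination that almost no other internal host contacts. The example below is added here and is not code from the article or from either expert quoted; the flow records, host names and RFC 5737 addresses are constructed for illustration, and the thresholds are assumptions to be tuned against real traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress flow records: (epoch_seconds, src_host, dst_ip, dst_port, bytes_out).
# ws-12 and ws-07 browse a popular site with irregular timing and sizes; ws-19 pushes a
# near-constant chunk to one rarely seen destination every ~5 minutes over port 80.
NORMAL_TIMES = [5, 17, 140, 160, 410, 433, 905, 1200, 1500, 1502]
NORMAL_SIZES = [320, 1800, 950, 77000, 210, 4400, 15000, 600, 2300, 910]
SAMPLE_FLOWS = (
    [(t, "ws-12", "198.51.100.10", 443, b) for t, b in zip(NORMAL_TIMES, NORMAL_SIZES)]
    + [(t + 40, "ws-07", "198.51.100.10", 443, b // 2) for t, b in zip(NORMAL_TIMES, NORMAL_SIZES)]
    + [(300 * i + (i % 3), "ws-19", "203.0.113.77", 80, 4096 + 8 * (i % 2)) for i in range(12)]
)

WEB_PORTS = {80, 443}  # ports where a lot of traffic is expected, so low-and-slow blends in

def find_low_and_slow(flows, min_conns=8, max_cv=0.2, rare_threshold=1):
    """Flag (src, dst) pairs whose web-port egress looks like staged exfiltration:
    enough connections to matter, near-constant size, regular timing, and a destination
    that at most `rare_threshold` internal hosts ever talk to. Returns one dict per alert."""
    groups = defaultdict(list)          # (src, dst) -> [(ts, bytes), ...]
    hosts_per_dst = defaultdict(set)    # dst -> set of internal hosts contacting it
    for ts, src, dst, port, nbytes in flows:
        if port in WEB_PORTS:
            groups[(src, dst)].append((ts, nbytes))
            hosts_per_dst[dst].add(src)
    alerts = []
    for (src, dst), recs in groups.items():
        if len(recs) < min_conns:
            continue
        recs.sort()
        times = [ts for ts, _ in recs]
        sizes = [nb for _, nb in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        reasons = []
        # Coefficient of variation (stdev / mean) near zero means beacon-like regularity.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_cv:
            reasons.append("regular timing")
        if mean(sizes) > 0 and pstdev(sizes) / mean(sizes) < max_cv:
            reasons.append("uniform size")
        if len(hosts_per_dst[dst]) <= rare_threshold:
            reasons.append("rare destination")
        if len(reasons) == 3:  # require all three; relax to 2 for earlier but noisier alerts
            alerts.append({"src": src, "dst": dst, "connections": len(recs),
                           "total_bytes": sum(sizes), "reasons": reasons})
    return alerts
```

Run on the constructed flows, only the ws-19 to 203.0.113.77 pair is flagged, with 12 connections totalling 49200 bytes; the two browsing hosts are not, because their timing and sizes vary and they share a destination.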

Use a tiered security architecture with different security protocols and entirely different security devices at every level. "The firewalls at different layers should not all come from the same vendor," says Petraglia; "they should be three different versions of firewalls from three different companies." This helps to prevent an attacker from breaking through multiple layers of security using the same kind of attack on the same kind of vulnerability at all layers.

According to Kashyap, the threat landscape has changed over the last few years. "Hackers know the perimeter is well protected so they compromise the employees. Companies that care about their intellectual property should invest in security technology that assumes their employees are gullible and will make mistakes like the end users made during these state-sponsored attacks," says Kashyap.


Enterprises should reevaluate any legacy security tools, because the hackers' approaches are more advanced than the capabilities of those tools. "Use multiple tools to recognize anomalous behavior," says Kashyap. Isolate that behavior and don't permit it to proceed any further on the network.
