Cyber Pirates Sail the Digital Seas
In the late 16th century, the British Empire granted official documents called “letters of marque” to seafarers, authorizing them to attack and pillage Spanish vessels in the New World. These privateers became known as Queen Elizabeth’s Sea Dogs; among them were the famous Sir Francis Drake and Sir Walter Raleigh. These privateers were essentially granted a license to commit piracy and help England gain a foothold in new territories, even when Spain and England were not at war. But some Sea Dogs decided to turn away from their queen and seek personal gain instead. One such man, Captain Kidd, was eventually arrested and executed for his mutiny.
Sea Dogs like Captain Kidd strayed far from their original purpose of helping build up the British Empire, and instead brought embarrassment to the crown. Eirik Iverson, director of product management at Tangible Security, compares such privateers to the Chinese nationals who have been accused of stealing trade secrets from U.S. firms.
Research by U.S.-based cybersecurity firms and, most recently, charges by the U.S. Justice Department, indicate that China is funding its own cyber privateers to spy on and steal secrets from U.S. businesses. But Iverson predicts that, like the British Sea Dogs, eventually the Chinese are going to feel some pain from their own privateers. He says the hackers “go where the opportunities are, and eventually that opportunity is going to be in China.”
As the evidence shows, China is not punishing its own cybercriminals who are attacking other nations. But the U.S. government took a broad step in prosecuting Chinese cybercrime in May when, for the first time, the Justice Department brought cyber espionage charges against five nation-state actors, all members of the Chinese People’s Liberation Army (PLA).
A grand jury in the Western District of Pennsylvania brought the charges, which accuse the hackers of infiltrating the networks of six U.S. companies and stealing information “from those entities that would be useful to their competitors in China,” according to the official indictment.
Advanced Persistent Threats
In February 2013, cybersecurity firm Mandiant released a well-publicized 60-page report on a group it refers to as APT1 (Advanced Persistent Threat 1), which it had suspected for some time was a state-funded group of Chinese cyberthreat actors. The Justice Department indictment alleges that the five hackers were a part of the same unit Mandiant names in its report.
From 2004 on, Mandiant collected IP addresses, command and control information, and other important data about the hacking group. In January 2010, Mandiant released limited information in a small public report to see how the group’s cyber activity was affected.
“We put out a ton of indicators about the infrastructure, the sort of nuts and bolts of where these actors were coming from,” says Laura Gallante, manager of threat intelligence at FireEye, a firm acquired by Mandiant earlier this year. “Then what we were able to do was watch what happened from that released infrastructure for the next year.”
Gallante explains that criminal activity generated by the machines belonging to those addresses subsided, and eventually stopped. The infrastructure Mandiant made public was no longer in use. “So there was an entire shift in the IP addresses, in the infrastructure that this group was using,” she says.
After further observation of how the group operated, Mandiant concluded that there was evidence the group was linked to the Chinese PLA. For example, much of the malicious cyber activity was coming out of the army unit’s headquarters in Shanghai. In its report, Mandiant revealed that at least 141 breaches were directly attributable to the group. Further, Mandiant determined that the Chinese government was almost certainly directly sponsoring the hackers.
“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support,” the APT1 report stated.
Understanding that the group behind the recent cyber espionage charges is state-funded makes the allegations substantial, says Paul Tiao, a partner at Hunton & Williams and former senior cybersecurity counselor to the FBI. “What’s different here is that these are actually Chinese government employees. It’s the implications of the charges that are really damaging, as opposed to the nature of the charges themselves,” he notes.
The 56-page indictment outlines in detail the alleged cyber theft carried out by Chinese hackers against six U.S. companies: Alcoa, U.S. Steel, Westinghouse, SolarWorld AG, Allegheny Technologies Inc., and the United Steel Workers. The indictment brings 31 counts in total, including conspiring to commit computer fraud, accessing a computer without authorization for the purpose of commercial advantage and private financial gain, damaging computers through the transmission of code and commands, aggravated identity theft, economic espionage, and theft of trade secrets.
The charges brought by the Justice Department are historic, but in some ways not surprising, as the White House has been ramping up efforts to combat cyber espionage over the past two years. The 2013 National Intelligence Estimate revealed that China and Russia were the most aggressive nation-states going after U.S. intellectual property and other sensitive information via cyber espionage. “Russia and China remain the most capable and persistent intelligence threats and are aggressive practitioners of economic espionage against the United States,” the report stated. “Countering such foreign intelligence threats is a top priority for the Intelligence Community for the year ahead.”
Tiao explains that there have been many criminal cases involving Chinese nationals and trade theft. The Computer Crimes and Intellectual Property Section (CCIPS) of the Justice Department investigates and prosecutes cybercrime cases, but these usually do not involve nation-state hackers. “They’re private actors; they’re individuals either acting for themselves or for criminal organizations or for hacker organizations, and they read like these indictments do,” he says.
The companies that were targeted are large, but Tiao, who formerly served as a federal prosecutor in the cyberspace unit, says he handled cases on much smaller scales, and believes the U.S. government wants to protect organizations of all sizes. “I’m hoping that the public doesn’t think that the U.S. government only goes after the biggest hackers,” he notes.
The Justice Department made its intentions clear in its official announcement of the charges, stating that it intends to prosecute any cybercrime against U.S. critical infrastructure. “With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources,” FBI Director James Comey said in a joint statement with Attorney General Eric Holder and other U.S. officials.
Critical infrastructure. Experts say the companies targeted by the Chinese hackers are noteworthy because each business is considered to be critical infrastructure. “This is about as opposite as you can get from the Target and Neiman Marcus and retail store hackings,” says Craig Newman, managing partner at Richards Kibbe & Orbe LLP. “This is more aimed, clearly, at sabotaging U.S. companies and undermining competition in a free-market system. These [attacks] were meant to go to the heart of competition and create an unlevel playing field when it comes to commercial transactions.”
That undermining of the competition is apparent, for example, in the SolarWorld AG case outlined in the indictment. The Oregon-based company was “rapidly losing its market share to Chinese competitors that were systematically pricing exports well below production costs; at or around the same time, members of the conspiracy stole cost and pricing information from the Oregon producer,” the indictment states.
In the Westinghouse case, the Pennsylvania nuclear power company was negotiating the construction of four power plants in China when hackers stole data. The information included “proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing for those nuclear power plants that would enable any competitor looking to build a similar plant to save on research and development costs in the development of such designs.”
In both instances, the Justice Department says national security, not just competitive advantage, is a concern because hackers stole “sensitive, internal communications that would provide a competitor, or adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.”
Newman points out that there are critical Chinese-U.S. business relationships that drive the economies of both nations, making the diplomatic consequences of the case a significant factor. “The United States and China will probably do their best to minimize the commercial consequences, but at the same time the U.S. government is making clear that it’s not going to stand for this sort of widespread hacking, especially against companies that are so important to America’s critical infrastructure,” he notes.
Sponsorship. According to Lance James, head of cyber intelligence at Deloitte, nation-state threat actors don’t necessarily have a modus operandi, so businesses across all verticals should be vigilant about protecting against potential attacks. “In some cases, such as APT1, the motive is to seize intellectual property for financial gain, though unlike other forms of financial crime, the financial interest is presumably tied to overall global economic standing and trade deficits,” he notes.
In other cases, the nation-state actors could be operating under an ideological agenda, or trying to launch “kinetic warfare” with denial of service attacks or other tactics designed to shut down infrastructure.
Gallante echoes this sentiment, noting that the nation-state actors often want to find out how to build the program that made the plane, not just obtain the blueprints for the plane. “It’s the broader understanding, the business know-how that makes U.S. and global businesses so much more competitive” that the hackers are after, she explains.
As the APT1 report demonstrates, the 141 companies hacked by the Chinese group represent 20 different industry verticals, but Gallante adds that “there are certain sectors…aerospace, manufacturing, pharmaceuticals, clean energy, energy in general, high-tech, that have a broad targeting profile” that attract the Chinese hacking groups.
In the case of the six U.S. companies that were breached, experts agree it is unlikely the suspects will ever see the inside of a U.S. courtroom. But the indictment should serve as a wake-up call for companies wanting to protect their intellectual property and other assets. “A lot of folks don’t think they’re the target,” says Iverson of Tangible Security. “This indictment…helps to manage the denial that’s out there, and instills a sense of vigilance that is absolutely needed,” he explains, adding that U.S. companies should not look at this case as an indication that the U.S. government is going to solve all their cybersecurity issues for them.
Still, the message sent by the U.S. government that it intends to help businesses with cases involving cyber theft is an effective one, says Tiao. “I think it does send a strong message and it does create some level of deterrence, even if those people are never actually brought into court.”
Iverson says that employing reliable security architecture is the basis of a sound security program, from the basics, like firewalls and signature-based detection, up to more advanced offerings, like sandboxing, vulnerability scanning, and penetration testing. With penetration testing, skilled network professionals are hired to essentially breach an enterprise’s defenses to find out where the holes exist. “Face them in the practice yard, rather than in the battlefield, where the Chinese make real theft and deliver real harm,” says Iverson.
James says starting with the basics is key. “Know your environment, your network, and what assets you need to protect,” he says. “What secrets need to be protected, and where are they? How are they used, and are they stored securely?”
He says that once an organization has established those answers, risk management controls can be applied. For example, companies can physically segment network servers and apply stricter controls on e-mails and virtual private networks.
Education. Gallante notes that user education cannot be overstressed for potentially protecting an organization against a full-scale attack. An attacker can gain a foothold in the network by infiltrating the account of a single employee.
The recent charges by the Justice Department reveal just how successful this technique can be: several attacks outlined in the indictment began with spear phishing e-mails. Such messages are disguised to appear as if they come from a legitimate source, and trick the recipient into clicking on a URL or downloading a document that contains malicious content.
In one case outlined in the indictment, 20 employees of U.S. Steel received spear phishing e-mails from one of the attackers, who disguised himself as the company’s chief executive. In another case, the hacker purportedly “attached a file disguised as an agenda for Alcoa’s annual shareholders meeting, which, once opened, would install malware on the recipients’ computers.”
Once the malware is downloaded to the user’s machine, the hackers have an entryway into the network. They can then move through the rest of the company’s infrastructure and do damage, often remaining undetected for long periods of time.
Gallante says a particularly successful phishing e-mail for attackers is one in which the hackers purport to be the organization’s IT department and prompt the recipient to change his or her password in fields contained within the message. She says this type of e-mail has tricked employees at all levels of organizations, from the CEO down.
“Over 90 percent of the compromises that we see start with a phishing e-mail,” Gallante adds.
Companies should be vigilant about training their employees to be on their guard against such e-mails and always think twice before clicking on any links or downloading attachments coming from a source that’s possibly unknown.
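The three spear phishing patterns described above (a sender posing as the chief executive, a malicious file dressed up as a meeting agenda, and an "IT department" message that asks for a password inside the e-mail itself) can all be caught by simple mail-gateway checks. The following Python script is an added example written for this article and is not code from any of the firms quoted; the company domain, the list of impersonated display names, and the three sample messages are all constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.application import MIMEApplication

# Constructed organisational facts (hypothetical; adjust for a real deployment).
INTERNAL_DOMAINS = {"example-steel.com"}
# Display names that attackers imitate: executives and the help desk.
IMPERSONATED_NAMES = {"jane doe", "it help desk"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".hta")
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)
DOUBLE_EXTENSION = re.compile(r"\.(pdf|doc|docx|xls|xlsx)\.\w{2,4}$")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def _body_text(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Return a list of findings for one raw RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # 1. A trusted display name on an external address: "the CEO" writing from a look-alike domain.
    if display.strip().lower() in IMPERSONATED_NAMES and from_dom not in INTERNAL_DOMAINS:
        findings.append("display-name impersonation")
    # 2. Replies routed to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append("reply-to mismatch")
    # 3. Executable or macro-bearing attachments, including disguised double extensions.
    for name in _attachment_names(msg):
        low = name.lower()
        if low.endswith(RISKY_EXTENSIONS) or DOUBLE_EXTENSION.search(low):
            findings.append(f"risky attachment: {name}")
    # 4. A password form embedded in the message body (credential harvesting in place).
    if PASSWORD_FIELD.search(_body_text(msg)):
        findings.append("password field inside message body")
    return findings

def _build(from_hdr, subject, body, subtype="plain", attachment=None, reply_to=None):
    """Assemble a constructed sample message as a raw string."""
    msg = MIMEMultipart()
    msg["From"] = from_hdr
    msg["To"] = "employee@example-steel.com"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.attach(MIMEText(body, subtype))
    if attachment:
        part = MIMEApplication(b"\x00constructed placeholder bytes", Name=attachment)
        part["Content-Disposition"] = f'attachment; filename="{attachment}"'
        msg.attach(part)
    return msg.as_string()

# Constructed samples: an impersonated executive with a fake agenda, a fake IT reset, and a clean mail.
SAMPLES = {
    "ceo_agenda": _build('"Jane Doe" <jane.doe@example-steel-mail.com>',
                         "Annual shareholders meeting agenda",
                         "Please review the attached agenda before the meeting.",
                         attachment="agenda.pdf.exe"),
    "it_reset": _build('"IT Help Desk" <helpdesk@example-steel.com>', "Password expiry",
                       '<p>Your password expires today. Re-enter it below.</p>'
                       '<form><input type="password" name="pw"></form>',
                       subtype="html", reply_to="collector@mail-example.net"),
    "benign": _build('"Jane Doe" <jane.doe@example-steel.com>', "Lunch", "Lunch at noon?"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw) or "clean")
```

The checks are deliberately header- and content-based so they run before any link is clicked; they do not replace sender authentication (SPF/DKIM/DMARC), which is what stops a forged internal address like the help-desk sample from being delivered at all. A gateway would quarantine messages with any finding and feed the sample to the sandboxing layer Iverson mentions.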
Information sharing. Any amount of intelligence provided by an organization that’s suffered a breach can be useful in preventing future attacks by the same entity with the same toolkit, says James. “It is critical that information-sharing exists. We run up against the challenge of over-classification when it comes to ‘national security’ issues, and this can hinder the sharing flow,” he notes.
James says focusing on remediation and minimizing impact when actors have infiltrated one’s network is important, but taking that extra step to share threat intelligence is helpful to other organizations.
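Shared intelligence of the kind Mandiant released (IP addresses, command-and-control hosts, file hashes) is only useful if other organizations actually run it against their own telemetry. The Python script below is an added example, not code from the article's sources: it matches a constructed indicator set (TEST-NET addresses and a placeholder hash, not the real APT1 indicators) against constructed proxy, DNS and endpoint log lines, and then lists the internal hosts that touched anything on the list.

```python
import ipaddress
import re

# Constructed indicator set standing in for a shared threat-intelligence feed.
# Addresses are from the RFC 5737 documentation ranges; the hash is a placeholder.
INDICATORS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "cidr": ["192.0.2.0/24"],
    "domain": {"update-check.example.net"},
    "sha256": {"0" * 63 + "1"},
}
NETS = [ipaddress.ip_network(c) for c in INDICATORS["cidr"]]

# Constructed sample log lines: web proxy, DNS resolver and endpoint file events.
LOGS = [
    "2014-05-20T09:12:01Z proxy src=10.0.0.15 dst=203.0.113.45 host=- bytes=5120",
    "2014-05-20T09:12:03Z dns client=10.0.0.15 query=update-check.example.net type=A",
    "2014-05-20T09:13:10Z proxy src=10.0.0.22 dst=192.0.2.77 host=cdn.example.org bytes=220",
    "2014-05-20T09:14:55Z edr endpoint=WS-015 file=agenda.exe sha256=" + "0" * 63 + "1",
    "2014-05-20T09:15:00Z proxy src=10.0.0.30 dst=93.184.216.34 host=example.com bytes=9000",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split '<timestamp> <source> key=value ...' into a dict."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields.update(ts=ts, source=source)
    return fields

def _ip_hit(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return value in INDICATORS["ip"] or any(ip in net for net in NETS)

def _domain_hit(name):
    # Match the indicator domain itself and any subdomain of it.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in INDICATORS["domain"])

def match(fields):
    """Return (indicator_type, value) pairs that this event matches."""
    hits = []
    if _ip_hit(fields.get("dst", "")):
        hits.append(("ip", fields["dst"]))
    for key in ("query", "host"):
        if key in fields and _domain_hit(fields[key]):
            hits.append(("domain", fields[key]))
    if fields.get("sha256", "").lower() in INDICATORS["sha256"]:
        hits.append(("sha256", fields["sha256"]))
    return hits

def scan(lines):
    """All (timestamp, source, hit) tuples across the log lines."""
    return [(f["ts"], f["source"], h) for f in map(parse, lines) for h in match(f)]

def affected_hosts(lines):
    """Internal hosts that produced at least one matching event: the starting point for triage."""
    hosts = set()
    for f in map(parse, lines):
        if match(f):
            hosts.add(f.get("src") or f.get("client") or f.get("endpoint"))
    return hosts

if __name__ == "__main__":
    for ts, source, (kind, value) in scan(LOGS):
        print(f"{ts} {source}: matched {kind} indicator {value}")
    print("hosts to investigate:", sorted(affected_hosts(LOGS)))
```

Gallante's account of what happened after the 2010 release, with the group moving off every published address within a year, is the caveat that goes with this: indicator matching catches the same toolkit and infrastructure, and its value decays as the actor rotates, so a feed needs dating and regular refresh rather than being loaded once.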
But when it comes to combating cyber incidents, industry operators involved in threat intelligence “have a responsibility to respect the limits of our reach when it comes to nation-state activities,” James says.
James further notes that getting law enforcement involved immediately is crucial when it comes to state-sponsored activity, and may even help prevent future escalation internationally between nations. “It is not always wise to expose such actors publicly without this coordination,” he says.