7 November 2018

China Has ‘Taken the Gloves Off’ in New Hacking Attacks on US - Report


A new report using ‘incident response’ data reveals sources inside China are leading the rapidly increasing sophistication of destructive cyber attacks against US-based targets.

On Wednesday, the US government warned that a hacking group dubbed "Cloud Hopper" has been attacking technology service providers as a means to steal client data. The hacking campaign, allegedly involved in cyber espionage and intellectual property theft, has been linked to the Chinese Ministry of State Security's Tianjin Bureau, according to Reuters. The US Department of Homeland Security (DHS) issued a statement this week reporting that experts from two US cybersecurity firms are warning that Chinese hacking activity has increased amid the ongoing trade war between Washington and Beijing. The trade war escalated in June when US President Donald Trump slapped a 25 percent tariff on $50 billion worth of Chinese goods, with Beijing quickly responding in kind.

Trump accused China of "unfair trade," including alleged state-led efforts to steal US technology and intellectual property, as well as "discriminatory technology licensing practices." Chinese authorities have repeatedly denied allegations by US cyber security firms that it is involved in illegal hacking. In September, Trump issued new tariffs on $200 billion in Chinese goods, prompting a tariff hike on $60 billion of American products from Beijing.

"These cyber threat actors are still active and we strongly encourage our partners in government and industry to work together to defend against this threat," DHS official Christopher Krebs said in a recent statement, Reuters reported.

"I can tell you now unfortunately the Chinese are back," Dmitri Alperovitch, chief technology officer of US cybersecurity firm CrowdStrike, said at a security conference in Washington DC on Tuesday, Reuters reported.

"We've seen a huge pickup in activity over the past year and a half. Nowadays they are the most predominant threat actors we see threatening institutions all over this country and western Europe," he added.

A report published this month by Carbon Black, a cybersecurity company based in Waltham, Massachusetts, claimed that out of 113 investigations conducted by the firm's incident response partners during the third quarter of 2018, 47 of those — nearly half — are claimed as being from China and Russia. Recent attacks also stemmed from Iran, North Korea and Brazil. Half of today's attacks use ‘island hopping,' which, according to Carbon Black, is the process of "attackers targeting organizations with the intention of accessing an affiliate's network," indicating that an organization's data, as well as its customers' and partners', is also at risk.

"What was notable was that we saw a resurgence of Chinese attacks," Carbon Black's chief cybersecurity officer, Tom Kellermann, recently asserted to ArsTechnica.

"And I think that's in direct line with the increasing tension with the South China Sea coupled with the trade war. Essentially, the Chinese have taken the gloves off." 

US-Chinese relations deteriorated further last month when Washington claimed that a Chinese destroyer came close to colliding with the USS Decatur, as it was conducting a ‘freedom of navigation operation' within 12 nautical miles of the remote Spratly Islands claimed by China, Sputnik previously reported.

The South China Sea is one of the world's most contested maritime regions. Beijing's extensive territorial claims in the waters, which include islands, banks, reefs and maritime ways, are challenged by Vietnam, Malaysia, the Philippines, Brunei and Taiwan.

"The Verizon data-breach report, which we all appreciate as being probably the best report out on data breaches, always failed to explain why [dwell time] was over 130 days," Kellermann told ArsTechnica, referring to Verizon's 2018 Data Breach Investigations Report evaluating the impact of malware and US Department of Homeland Security (DHS) attacks by studying thousands of data breaches.

According to Kellermann, the Verizon report "talked about the vector and some of the weaknesses in security but never described why that dwell time was so expansive. This [Carbon Black] report is specifically trying to drive out how are they [hackers] are getting in, how are they are staying in, how are they are moving laterally, how are they are changing, and are they becoming more punitive," Kellermann added, also noting that Chinese attackers have improved their hacking game.

"They're doing a much better job of operational security for their campaigns and doing a tremendous amount of 'island hopping'-targeting the major service providers and corporations' brands in order to island hop into their constituencies," Kellermann explained.

The cyberstealth demonstrated in current Chinese state-sponsored hacking operations is a departure from the more prosaic hacking techniques they have used in the past, Kellermann noted.

"The joke used to be that when the Chinese would come after you, they would throw the kitchen sink at you, and inevitably they would get into your house, and it would sound like a bunch of drunks in your kitchen at night. The Russians, if they targeted you- you would just wake up feeling funny in the morning," he quipped.

However, Chinese groups are now using techniques typically used by what are claimed to be Russian underground and ‘cyber militias.' Some of these techniques include using multiple command and control (C&C) systems to communicate with other malware, with one of the systems being on ‘sleep cycle,' which means that it is inactive until other C&C systems have been cleared by the security team of the organization being attacked.

Another technique is ‘living off the land,' which involves using a target organization's own system credentials, legitimate software packages and system tools to move through their network, infecting and collecting data along the way. ‘Process Hollowing' involves concealing malicious code on systems by using existing system processes.

In addition, the Carbon Black report revealed that the financial sector was the most commonly targeted, followed by healthcare groups.

"With North Korea and Iran […] they're understanding how they can offset economic sanctions by targeting the financial sector," Kellerman noted.

However, during the third quarter of 2018, there was a spike in the number of attacks against manufacturing companies.

"Hacking a manufacturing entity, it's very hard to create a liquid asset to capitalize financially on that," Kellermann told ArsTechnica, "unless it's for the purpose of economic espionage or economic sabotage."

There has also been a marked shift toward "a more punitive adversary," Kellermann noted, citing the fact that in 32 percent of the investigations evaluated by Carbon Black over the past quarter, the attackers took part in some sort of data destruction.

"We're seeing destruction of logs-not just the logs specific to the footprint of the adversary on various hosts, but just massive amounts of logs," Kellermann said, "and that should be concerning to all of us. In the first three months we looked at, back in the spring of this year, we were at 10 percent for destructive attacks. Now we're at 32 percent."

"Is it the geopolitical context," Kellermann suggested, "or is it just that the actors have become far more punitive?"

This shift is evidence that the ‘straight burglary' of data is no longer used as attackers are instead using ‘home invasion' tactics instead. Most companies' approach to dealing with hackers is comparable to "standing at the top of the steps and shouting 'I've got a gun and the police know you're here' and assuming that would scare them away," said Kellermann. 

The issue with that form of reaction, according to Kellermann, is that it assumes that there is only a single intruder, that the threat is enough to scare the intruder away and the intruder(s) "would not get punitive enough to come upstairs and set the house on fire."

On Tuesday, a Chinese Ministry of State Security officer, Yanjun Xu, was extradited to the US, where he was charged with attempting to steal trade secrets from American aerospace and aviation firms, the US Justice Department announced Wednesday, Sputnik reported.

Xu is the second alleged Chinese intelligence operative charged by federal US authorities since September 26, after Ji Chaoqun, 27, was taken into custody for allegedly working at the direction of a Ministry of State Security officer. Ji had been a student at Illinois Institute of Technology in Chicago and was serving as a reservist in the US Army at the time of his arrest. He is accused of being part of a Chinese plot to identify American engineers for potential recruitment.

No comments: