Mandiant: China-backed Cyber Threats Show No Signs of Abatement

Mandiant fires another salvo at the PRC

“One conclusion is inescapable: the list of potential targets has increased, and the playing field has grown,” the company said in the report. “Cyber-threat actors are expanding the uses of computer network exploitation to fulfill an array of objectives, from the economic to the political. Threat actors are not only interested in seizing the corporate crown jewels but are also looking for ways to publicize their views, cause physical destruction and influence global decision makers. Private organizations have increasingly become collateral damage in political conflicts. With no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important.”

In January 2013, the New York Times disclosed that an advanced persistent threat (APT) group known as APT12, with suspected ties to the People’s Republic of China (PRC), had compromised its networks over the course of the previous four months. Mandiant then published evidence linking another China-based cyber threat group, APT1, specifically to Unit 61398 of the People’s Liberation Army.

The PRC vehemently denied involvement, saying that “Chinese laws prohibit any action including hacking that damages Internet security,” and, “to accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless.” But Mandiant (recently acquired by FireEye) said that its observation of APT1 and APT12 activity on active command-and-control sessions tells a different story.

In the wake of the allegations, both groups delayed their return to normal operations following the end of the Chinese New Year holidays in February 2013, in some cases until about July 22, 2013. Once they did resume, both groups quickly shifted their operational infrastructure to continue their activities.

“Despite the recent accusations and subsequent international attention, APT1 and APT12’s reactions indicate a PRC interest in both obscuring and continuing its data theft,” the report noted. “This suggests the PRC believes the benefits of its cyber-espionage campaigns outweigh the potential costs of an international backlash.”

President Obama made China’s cyber espionage the primary focus of the June 2013 U.S.-China presidential summit, bringing high-level attention to an issue national security adviser Tom Donilon described as the “key to the future” of the U.S.-China relationship.

“Mandiant’s recent observations of China-based APT activity indicate that the PRC has no intention of abandoning its cyber campaigns, despite the Obama administration’s specific warnings that China’s continued cyber espionage ‘was going to be [a] very difficult problem in the economic relationship’ between the two countries,” the firm said.

Politically motivated attacks aren’t limited to China-backed spying. Over the past year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber-attacks that impacted the private sector. Specifically, Mandiant responded to incidents where the Syrian Electronic Army (SEA) compromised external-facing websites and social media accounts of private organizations with the primary motive of raising awareness for their political cause.

Meanwhile, suspected Iran-based threat actors have been conducting reconnaissance on the energy sector and state governments, the firm found. Multiple investigations of suspected Iran-based network reconnaissance at energy sector companies and state government agencies indicate that these actors are actively engaged in surveillance of their targets.

“While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities,” Mandiant said.

Entities of all stripes are warned to be vigilant, the company noted. But unfortunately, organizations still have difficulty detecting when they’ve been breached. In 2013, only 33% of the organizations to which Mandiant responded had discovered the intrusion themselves, down from 37% of the organizations it helped in 2012; the rest were notified by an outside party. Phishing was the preferred method of intrusion, and 44% of the observed phishing emails impersonated the IT departments of the targeted organizations. Interestingly, the vast majority of these emails were sent on Tuesday, Wednesday and Thursday.

On the positive side, organizations are discovering compromises more quickly. In 2013, the median number of days attackers were present on a victim network before being discovered was 229 days, down from 243 days in 2012.

The takeaway message is to assume that someone’s trying to get in – and to take every step possible to be prepared.

“This evolving threat landscape, while complicated, need not be discouraging,” Mandiant concluded. “To attack the security gap, organizations need smart people, visibility into their networks, endpoints and logs. Organizations also need actionable threat intelligence that identifies malicious activity faster. When the inevitable happens, the speed and manner in which you respond is critical.”
