"What we have definitely seen from China over the years is that they use the least amount of force necessary to accomplish their goals," said Dan McWhorter, managing director of threat intelligence at security firm Mandiant. "If you are not very savvy at keeping people out, they will use the lowest level of tools and their easiest means to get in. If you are a sophisticated company, they will up their game."
Mandiant in February released a detailed report identifying a unit of the People's Liberation Army (PLA) of China as the source of a systematic cyberespionage campaign against the U.S. and several other countries since at least 2006. According to the report, over the past few years the attackers breached more than 140 large companies across 20 major industries that China considers strategic.
The report has been widely lauded for its depth of information and is believed to have provided the impetus for the U.S. government's decision to come out this week and officially accuse China of cyberespionage.
In addition to the PLA group, Mandiant tracked about 25 other apparently state-sponsored hacking groups within China and found them to have varying degrees of technical skill and sophistication.
"There's a broad array of capabilities inside China," ranging from the very sophisticated to the average, McWhorter said. He has little doubt that China has the skills to develop a Stuxnet-like piece of malware, if needed. Stuxnet is the notorious malware that was used to sabotage computers running centrifuges at Iran's uranium enrichment facility in Natanz. The malware is widely believed to have been jointly developed and deployed by U.S. and Israeli intelligence.
For the most part, the approach Chinese hackers have used is to quietly penetrate U.S. networks using spearphishing or some other low-tech method and to then remain hidden and extract data over extended periods of time.
Many hackers operating out of China have become adept at stealing legitimate corporate network credentials and using those to log in and move around a target network just like an employee with legitimate access would, McWhorter said.
Once the attackers have access to such credentials, they are quick to erase all signs of a break-in so it becomes difficult for a company to even know it has been compromised.
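The two behaviours described in the last three paragraphs, an account with valid credentials quietly fanning out across many hosts and the subsequent clean-up of evidence, are both visible to a defender who looks at authentication logs rather than for malware. The following script is an added illustration, not code from the article or from Mandiant; it runs simple detection logic over a constructed set of Windows-style logon records. The only real identifiers it relies on are the Windows Security event IDs 4624 (successful logon) and 1102 (audit log cleared); the hosts, account names and timestamps are made up for the example.

```python
"""
Flag (a) accounts whose successful logons reach many distinct hosts in a
short window, which is what credential-based lateral movement looks like
from the log side, and (b) audit-log clearing, which is what "erasing signs
of a break-in" usually looks like. Sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_SUCCESS = 4624       # Windows Security: an account was successfully logged on
AUDIT_LOG_CLEARED = 1102   # Windows Security: the audit log was cleared

# Constructed sample records: (timestamp, event_id, account, source_host, target_host).
# None of these hosts or accounts are real; "jdoe" is a normal user, "svc_backup"
# is a stolen service credential being used to hop between servers at night.
SAMPLE_EVENTS = [
    ("2013-05-06 09:00:00", 4624, "jdoe",       "WS-101", "WS-101"),
    ("2013-05-06 09:05:00", 4624, "jdoe",       "WS-101", "FILESRV-1"),
    ("2013-05-06 02:10:00", 4624, "svc_backup", "WS-233", "FILESRV-1"),
    ("2013-05-06 02:11:00", 4624, "svc_backup", "WS-233", "FILESRV-2"),
    ("2013-05-06 02:12:00", 4624, "svc_backup", "WS-233", "DC-1"),
    ("2013-05-06 02:14:00", 4624, "svc_backup", "WS-233", "HR-DB"),
    ("2013-05-06 02:15:00", 4624, "svc_backup", "WS-233", "ENG-SRV-4"),
    ("2013-05-06 02:30:00", 1102, "svc_backup", "WS-233", "HR-DB"),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with real datetime objects."""
    return [
        {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": eid,
         "account": acct, "src": src, "dst": dst}
        for ts, eid, acct, src, dst in rows
    ]


def find_fanout(events, window=timedelta(minutes=30), threshold=4):
    """Return {account: set(target_hosts)} for every account whose successful
    logons reach at least `threshold` distinct hosts inside some `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] == LOGON_SUCCESS:
            by_account[ev["account"]].append(ev)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each logon and count distinct targets in it.
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                flagged[account] = flagged.get(account, set()) | hosts
    return flagged


def find_log_clears(events):
    """Every audit-log clearing event, as (account, host, timestamp)."""
    return [(e["account"], e["dst"], e["ts"])
            for e in events if e["event_id"] == AUDIT_LOG_CLEARED]


def triage(rows):
    """Combine both signals; an account that fans out and then clears logs
    is the highest-priority lead for incident response."""
    events = parse_events(rows)
    fanout = find_fanout(events)
    clears = find_log_clears(events)
    cleared_by = {acct for acct, _, _ in clears}
    return {
        "fanout": {a: sorted(h) for a, h in fanout.items()},
        "log_clears": clears,
        "high_priority": sorted(set(fanout) & cleared_by),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for acct, hosts in result["fanout"].items():
        print(f"fan-out: {acct} reached {len(hosts)} hosts: {', '.join(hosts)}")
    for acct, host, ts in result["log_clears"]:
        print(f"audit log cleared on {host} by {acct} at {ts}")
    print("high priority:", result["high_priority"])
```

The thresholds are deliberately simple; in a real environment the fan-out rule needs a per-account baseline (backup and management accounts legitimately touch many hosts) and the 1102 rule is strongest when the clearing account is not the one that normally administers that host. Neither check depends on recognising a tool, which is the point when the intruder is logging in with a valid password.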