Chinese hackers master the art of lying in wait
What they are really good at is remaining hidden, security experts say in wake of Pentagon report
The remarkable success that Chinese state-sponsored groups have had in infiltrating U.S. government, military and corporate networks in recent years should not be mistaken as a sign of growing technical superiority over the U.S. in cyberspace, security experts said.
Chinese state-sponsored hacking groups are no more -- or less -- sophisticated than criminal and politically motivated cyber groups anywhere. What's made them different is their targeting of victims, their persistence and their ability to stay hidden in a breached network for extended periods.
The Pentagon on Monday released a report accusing China of performing cyberespionage intended to modernize its defense and high technology industries.
The unusually candid report warned of Chinese policymakers and military planners using stolen information to build a picture of U.S. defense networks, logistics and related military capabilities that could be exploited during a crisis. The espionage activities are helping China build a sophisticated electronic warfare capability designed to neutralize U.S. technological superiority in traditional warfare and other areas, the report cautioned.
The report marked the first time the U.S. government has officially said what many others in industry, and even within government, have said for years about the Chinese government's support for cyberespionage.
As ominous sounding as the report is, the reality is more mundane, according to several security experts.
"The Chinese don't have super duper techniques," said John Pescatore, director of emerging security trends at the SANS Institute in Bethesda, Md. "They are not smarter in software than us. If they are, we would see them starting up new companies," instead of engaging in espionage, Pescatore said.
While state-sponsored hackers in China likely have an arsenal of zero-day vulnerabilities and new attack techniques, in most cases, they have only had to exploit commonly available vulnerabilities and techniques to gain a foothold on a target network.
"It's not that the Chinese have some unbeatable way of breaking into a network. What is innovative is their targeting," Pescatore said. U.S. contractors and defense companies that are often the target of Chinese espionage efforts should not be too concerned about where the attacks are coming from, he said. Instead, they should simply focus on shutting down the basic vulnerabilities and configuration errors that enable attackers to breach their networks.
"What we have definitely seen from China over the years is that they use the least amount of force necessary to accomplish their goals," said Dan McWhorter, managing director of threat intelligence at security firm Mandiant. "If you are not very savvy at keeping people out, they will use the lowest level of tools and their easiest means to get in. If you are a sophisticated company, they will up their game."
Mandiant in February released a detailed report identifying a unit of the People's Liberation Army (PLA) of China as the source of a systematic cyberespionage campaign against the U.S. and several other countries since at least 2006. According to the report, over the past few years, the attackers breached more than 140 large companies from 20 major industries considered as strategic by China.
The report has been widely lauded for its depth of information and is believed to have provided the impetus for the U.S. government's decision to come out this week and officially accuse China of cyberespionage.
In addition to the PLA group, Mandiant tracked about 25 other apparently state-sponsored hacking groups within China and found them to have varying degrees of technical skill and sophistication.
"There's a broad array of capabilities inside China," ranging from the very sophisticated to the average, McWhorter said. He has little doubt that China has the skills to develop a Stuxnet-like piece of malware, if needed. Stuxnet is the notorious malware that was used to sabotage computers running centrifuges at Iran's uranium enrichment facility in Natanz. The malware is widely believed to have been jointly developed and deployed by U.S. and Israeli intelligence.
For the most part, the approach Chinese hackers have used is to quietly penetrate U.S. networks using spearphishing or some other low-tech method and to then remain hidden and extract data over extended periods of time.
Many hackers operating out of China have become adept at stealing legitimate corporate network credentials and using those to log in and move around a target network just like an employee with legitimate access would, McWhorter said.
Once the attackers have access to such credentials, they are quick to erase all signs of a break-in so it becomes difficult for a company to even know it has been compromised.
"If you can obtain legitimate VPN credentials and start logging in as a real person, the situation becomes very difficult," for the targets, McWhorter said. Hackers are often able to extract huge quantities of data through the VPN tunnel without attracting any suspicion, he said.
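As an added illustration of the pattern McWhorter describes (this is not code from the article or from Mandiant), here is a small detector that baselines each user's own VPN sessions and flags a session whose egress volume or login origin breaks that baseline; the record format, the field names and the thresholds are assumptions.

```python
# Added example: flag VPN sessions that look like stolen-credential use, i.e. a
# "legitimate" login that suddenly pulls far more data than that user ever has,
# or arrives from a place the user has never logged in from. Thresholds are assumptions.
from collections import defaultdict
from statistics import median

# Constructed sample VPN session records: (user, source_country, bytes_out)
SESSIONS = [
    ("alice", "US", 120_000),
    ("alice", "US", 95_000),
    ("alice", "US", 140_000),
    ("alice", "US", 110_000),
    ("alice", "XX", 9_800_000_000),  # unfamiliar origin and a huge outbound transfer
    ("bob", "US", 50_000),
    ("bob", "US", 60_000),
    ("bob", "US", 55_000),
    ("bob", "US", 58_000),
]

MIN_HISTORY = 3     # sessions needed before a user's baseline is trusted (assumption)
EGRESS_FACTOR = 10  # flag when bytes_out exceeds 10x the user's median (assumption)


def flag_sessions(sessions):
    """Return (index, user, reasons) for sessions that deviate from the user's
    own history. The baseline is built only from earlier sessions, so a single
    oversized session cannot inflate the median it is compared against."""
    history = defaultdict(list)   # user -> bytes_out of earlier sessions
    seen_from = defaultdict(set)  # user -> countries seen in earlier sessions
    findings = []
    for i, (user, country, out) in enumerate(sessions):
        reasons = []
        if len(history[user]) >= MIN_HISTORY:
            base = median(history[user])
            if out > EGRESS_FACTOR * base:
                reasons.append(f"egress {out} exceeds {EGRESS_FACTOR}x median {base:.0f}")
            if country not in seen_from[user]:
                reasons.append(f"first login seen from {country}")
        if reasons:
            findings.append((i, user, reasons))
        history[user].append(out)
        seen_from[user].add(country)
    return findings


if __name__ == "__main__":
    for idx, user, reasons in flag_sessions(SESSIONS):
        print(f"session {idx} user={user}: " + "; ".join(reasons))
```

In a real deployment the baseline would come from weeks of session records rather than a handful, and a new-origin login alone is weak evidence until combined with the volume signal.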
Even when companies discover a breach, they have to exercise great care not to tip off the hackers and drive them even deeper into the network, he said.
Unlike cybergangs operating out of Europe, most of the malicious hacking activity from China appears to be focused on industrial espionage and trade secret theft. Even when there is an opportunity for the hackers to grab financial and personally identifiable information, Chinese hackers have preferred not to go after such data, he said.
"Almost everything we track out of China is state-sponsored," McWhorter said. "It's a whole different genre of crime compared to what tends to come out of places like East Europe. Persistence isn't a big deal to East European gangs. Their approach has been to smash the glass, grab the jewelry and run. They are not there to be stealthy. They are not there to remain hidden for months and years."
The best measurement of the capability of the adversary isn't always the sophistication of the malware used, said Rocky DeStefano, founder and CEO of security analytics firm Visible Risk. Often, the tactics employed by the adversary to maintain or advance control within the network in response to defender activities are just as important.
So, too, are the actual information, people or systems being targeted by the hackers. "Was it only the latest updates to your most advanced research" that the hackers were after? "Or was it a general dump of information?" he asked.
Based on such measures, Chinese hacking groups would appear to rank behind the U.S., Israel and the U.K. in terms of raw capability, DeStefano said.
"At the end of the day, it's not about latent vulnerabilities or advanced attacks," said Anup Ghosh, founder and CEO of security firm Invincea. "It's about what works for the least amount of effort or expertise required."
Over the past several years there has been a systematic compromise of all major sectors of the U.S. economy. "To scale to this size and scope there is necessarily heavy re-use of known vulnerabilities and their exploits. These often work because of the difficulty in patching software particularly in the enterprise space," Ghosh said.
Though the actors behind these exploits may be different, the methods used to compromise computer systems are shared among cybercriminals and nation states, he said. "Bottom line is, if you can be successful with conventional toolkit exploits, you use them instead of burning zero-days."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.