China Resumes Cyber-Attacks on U.S. Corporate, Government Networks

By Wayne Rash  |  Posted 2013-05-20

The Chinese Army suddenly stopped their cyber-attacks on the U.S. almost immediately after their actions became public in February.

Then, a Pentagon report revealed that a People's Liberation Army unit on the outskirts of Shanghai and known as Unit 61398—which works out of a fortified, heavily guarded 12-story white building—was behind the broad series of attacks. Those attacks targeted intellectual property, trade secrets and classified information stored on private and government computers.

Suddenly, after the attacks were made public, Unit 61398 quietly broke back into the computers it had already penetrated and removed the traces of its hacking tools. Unfortunately for the Chinese, they didn't get out soon enough: cyber-security experts at Mandiant Corp. had already spotted the Chinese hackers at work and traced them back to their lair.

Once again, they're back. According to a report released by Mandiant, the Chinese hacking squad took their time off to improve their tools and sharpen their skills. Now, they're hacking again. And once again they're trying to steal everything, from blueprints to trade negotiation strategies to test results. The media company that reported the return to operations by the Chinese was The New York Times, which was one of several media organizations attacked by the Chinese hackers earlier in 2013.

While the attacks aren't up to their previous levels yet, the fact is that they're just as dangerous as they were in the past. Companies that were attacked previously probably haven't had time to institute adequate defenses, and the Chinese have refined their methods to be more effective.

But things have changed, as well. For one thing, the Pentagon has confirmed details on the Chinese attacks on the U.S. For another, security researchers now know what to look for and can identify such an attack and take action much more quickly than in the past.

But that doesn't necessarily help you very much. Because the methods that the Chinese use to gain access in the first place change frequently, you can't point to a specific action as the one action that predicts that an attack is about to take place. But there are some things you can do that will help.

First, it helps to be aware that the Chinese frequently make their first entry into a company's secure network through a technique called "spear-phishing." This technique uses an email sent to a specific individual that appears genuine on the surface and frequently seems to originate from inside the organization, but whose sender has actually been spoofed. That email will usually contain a link that appears innocent but actually loads the Chinese malware that enables the break-in.
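One way a mail gateway or SOC script can surface the spoofed-internal-sender pattern described above, as an added example that is not from the article or from Mandiant: the message below is constructed, `example-corp.com` is an assumed internal domain, and the check compares the claimed From domain against the envelope sender and the SPF/DKIM results the receiving server recorded.

```python
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"   # assumed internal domain (placeholder)

# Constructed sample, not a real capture: the From header claims an internal
# sender, but the envelope sender and the authentication results say otherwise.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Jane Smith" <j.smith@example-corp.com>
To: engineer@example-corp.com
Subject: Updated blueprint for review
Content-Type: text/plain

Please review the blueprint revision at http://files.example.net/rev3
"""


def spoof_indicators(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return reasons why a message claiming an internal sender looks spoofed.

    An empty list means either the sender is external (not this check's job)
    or the internal claim is backed by a matching envelope and passing auth.
    """
    msg = email.message_from_string(raw)
    findings: list[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != internal_domain:
        return findings  # external sender: nothing for this check to flag

    # Envelope sender (Return-Path) should match the claimed internal domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rpartition("@")[2].lower()
    if rp_domain and rp_domain != internal_domain:
        findings.append(f"envelope sender domain {rp_domain} differs from From domain")

    # Authentication-Results is written by our own receiving MTA, so it is trusted here.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed for a message claiming an internal sender")
    if "dkim=pass" not in auth:
        findings.append("no valid DKIM signature on a message claiming an internal sender")
    return findings
```

Messages that trip any of these findings are candidates for quarantine and for a closer look at the link they carry.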

Once the malware is inside a company's network, the Chinese hackers can access computers, databases and data files by deploying malware that retrieves intellectual property over time. Normally, this malware is very difficult to detect, but sometimes the malware's actions can be detected with proper monitoring.

While the necessary tools to combat Chinese hacking still aren't available to the general public, there are steps a company can take. While these steps may not work forever, they can reduce the chance of losing control of your critical intellectual property or even losing control of your network.

First, it's essential that you perform an inventory of critical information that resides on your computer systems, including anything that could help a competitor. This could include trade secrets, supply-chain data, manufacturing data, customer information, materials lists or anything else that could hurt you even if it's incomplete.

Second, once you've found what's out there on your network, you need to protect it. This may include encrypting data and designs that must be available on a routine basis, limiting access to those who must use the data and then tracking their use. It may even include removing data from the network if loss of the information could be damaging to your company and that information does not need to be accessed frequently.

Removing data from the network means moving it to a computer that isn't connected to the Internet in any way. It could also mean writing your trade-secrets file to a CD-ROM and stashing it in a safe that only a few people can open, and then tracking who opens the safe.

This is not to say that even those steps are perfect. After all, a Stuxnet-style attack can still reach even well-protected information, but they do reduce the risk. Meanwhile, it may be time to consider an up-to-date next-generation firewall that's smart enough to see when specific types of data are moving out of the company network and to block the transfer. Of course, even next-generation firewalls can be subverted, but it's hard to do, and if hackers are looking for targets of opportunity, such protection may encourage them to move on to easier targets.
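The kind of content-aware egress check the last step describes, as an added example that is not part of the article: it runs over constructed proxy log lines (the field order, the `.example-corp.com` internal suffix, the design-file content types and the volume threshold are all assumptions) and raises an alert when engineering data, or an unusually large volume of anything, is posted to an external host.

```python
import re
from collections import defaultdict

# Constructed proxy log lines, not a real capture. Assumed field order:
# timestamp user destination_host method bytes_out content_type
SAMPLE_LOG = """\
2013-05-20T09:01:12 jdoe share.example-corp.com POST 820000 application/acad
2013-05-20T09:05:44 jdoe files.example.net POST 5200000 application/acad
2013-05-20T09:06:01 jdoe files.example.net POST 4100000 application/zip
2013-05-20T09:30:10 asmith www.example.org GET 1200 text/html
2013-05-20T10:12:33 asmith drop.example.net POST 300000 application/step
"""

INTERNAL_SUFFIX = ".example-corp.com"                        # assumed corporate domain
SENSITIVE_TYPES = {"application/acad", "application/step"}   # assumed design-file types
VOLUME_THRESHOLD = 4_000_000                                 # bytes per (user, host), assumed

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


def flag_egress(log: str) -> list[tuple[str, str, str]]:
    """Return (user, host, reason) alerts for outbound uploads a content-aware
    firewall would block or at least raise. Internal hosts and downloads are ignored."""
    alerts: list[tuple[str, str, str]] = []
    volume: dict[tuple[str, str], int] = defaultdict(int)   # bytes posted per (user, host)
    reported: set[tuple[str, str]] = set()                   # volume alert fires once per pair
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # malformed line: skip rather than crash the monitor
        _ts, user, host, method, nbytes, ctype = m.groups()
        if method != "POST" or host.endswith(INTERNAL_SUFFIX):
            continue                    # only uploads leaving the company network matter
        key = (user, host)
        if ctype in SENSITIVE_TYPES:
            alerts.append((user, host, f"design file ({ctype}) posted to external host"))
        volume[key] += int(nbytes)
        if volume[key] > VOLUME_THRESHOLD and key not in reported:
            alerts.append((user, host, "cumulative external upload volume exceeded"))
            reported.add(key)
    return alerts
```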

But if your company's information is vital, then maybe it's time to engage professional help. Yes, it will be expensive. But how much would it cost your company if the Chinese passed the information along to a Chinese company that wanted to take your business away?