Chinese Cyber-Spying Shows Why U.S. Must Bolster Network Defenses

By Wayne Rash  |  Posted 2013-02-20

Cyber-attacks said to be from state-sponsored Chinese hackers underscore the reasons why U.S. companies and government agencies should rapidly adopt the measures outlined in President Barack Obama's executive order on cyber-security signed on Feb. 12.

Obama recounted the theft of a vast range of intellectual property, trade secrets and operational details during his State of the Union address and called for federal agencies and companies in the private sector to join together in protecting the U.S. critical infrastructure.

Following the executive order, which does not have the force of law but can be enforced within the government's executive branch, the president called for greatly improved information sharing between the public and private sectors.

A report released on Feb. 19 by Mandiant Corp., a week after Obama signed his executive order, lent further urgency to calls for the country to bolster IT security. But it also does more. The report shows many of the reasons why U.S. companies have to start taking security seriously.

Serious gaffes such as power-generation facilities that are taken offline for months because nobody thought to install antivirus software are simply unacceptable. Unfortunately, they're all too common as executives worry about minor expenses for security.

Meanwhile, their networks are under constant attack, if not by Chinese hackers seeking trade secrets, then by criminals seeking any information they can sell or credit card numbers to steal. But clearly the greatest threat to even small companies is the state-sponsored cyber-attack that seeks to drain them of their intellectual property.

While the Mandiant report states that the company has traced the Chinese hacking activity to an area near Shanghai, this isn't the first time researchers have found their tracks. In 2011 researchers from Google found other state-sponsored hackers working out of Jinan, China. That same group of Chinese hackers was also reported to be responsible for a series of attacks against the United Nations and the U.S. government in an operation labeled "Shady Rat."

Since those revelations, Mandiant has traced just how the Chinese break into companies, and it makes clear that without a coordinated response, those attackers may get the upper hand. Mandiant has confirmed earlier findings that once Chinese hackers penetrate a corporate network, they will stay for long periods of time and take anything they find of value.

Mandiant reports that the Chinese hackers maintain access to companies for a year or longer. In one case they kept a stealthy watch at a target's network for nearly five years. The targeted industries are those that China has identified as strategic for future growth, according to the report.

"This group has a very wide appetite for intellectual property," said Dan McWhorter, managing director for threat intelligence at Mandiant. He said that the group will steal nearly anything that might be useful, including things such as time sheets and logistics information.

McWhorter added that companies have to move beyond just defending themselves against possible attacks and move to the point where they can detect when an attack is taking place and then determine the best response to it. "The focus has been about defense," he said. "But it's easier to play offense than defense. Detection and response are very important."

However, McWhorter points out that it's important to understand the threat. This means understanding what the Chinese government and its business partners are after and why. "These are economic competitors," said Pace University Professor of Information Systems James Gabberty, who spoke to eWEEK from Hong Kong. "They're going to do whatever is in their best interests."

Gabberty said he suspects that the U.S. probably would do the same to China. But in the case of China, the "Chinese government and Chinese business are one and the same." He noted that China is in a hurry to catch up with the West, and that the Chinese will do anything they can to accomplish that. "They need to feed their 1.4 billion people," Gabberty said.

"They don't want to be seen as a place where cheap labor is dominant. They want to be seen as a source of knowledge." But he also noted that in their quest for information, "if you refuse to give them technology that they want, they will do their best to steal it."

Gabberty said that one common way for the Chinese government to extract technology secrets from the U.S. is to put pressure on the families of Chinese immigrants to provide information or help with its cyber-spying efforts. He also said that China is not likely to stop its attacks until it gets everything it wants.

So what do you do to protect your company against the Chinese hackers and similar threats? "Defense is good for non-targeted threats," McWhorter said. He said that it works very well for attacks by viruses and botnets, but not for targeted attacks such as those from the Chinese. "In a targeted attack, defense is only going to get you so far," he said.

"You have to understand the threat and have visibility into your network," McWhorter said. "You need to know what to look for, and you need to know how to look for it. Do you have adequate logging? Have you locked down your cell phones?"

McWhorter explained that it's critically important to really know your network so that you can tell when something isn't right. He said that logging is one way to tell when something happened that shouldn't have happened. In addition, it's important to tell what any intruders did, what information they took, how long they've had access to your network and where they went.
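The point McWhorter is making, that logging only helps if you know what "normal" looks like and can then measure how long an intruder was present and where they went, can be shown with a small log-review script. The following Python is an added example written for this article, not code from Mandiant or eWEEK. It assumes a hypothetical key=value authentication and file-access log, a baseline of (user, source address) pairs collected during a known-good period, and constructed sample log lines; it flags activity from sources outside the baseline and reports dwell time, hosts touched, paths read and off-hours activity per account.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the article). The key=value format
# and the 10.0.x.x addresses are assumptions made for this example.
SAMPLE_LOG = """\
2013-01-10T09:02:11Z host=fileserver01 user=jdoe src=10.0.5.17 action=login result=success
2013-01-12T08:55:40Z host=fileserver01 user=asmith src=10.0.5.22 action=login result=success
2013-01-15T02:13:44Z host=fileserver01 user=jdoe src=10.0.9.201 action=login result=success
2013-01-15T02:14:02Z host=fileserver01 user=jdoe src=10.0.9.201 action=read path=/eng/designs
2013-01-30T03:40:19Z host=fileserver01 user=jdoe src=10.0.9.201 action=login result=success
2013-02-11T01:58:07Z host=fileserver01 user=jdoe src=10.0.9.201 action=read path=/hr/roster
2013-02-12T10:00:00Z host=fileserver01 user=asmith src=10.0.5.22 action=login result=success
"""

# Baseline: (user, src) pairs seen during a period the team believes was clean.
# Constructed for the example; in practice this comes from your own history.
BASELINE = {("jdoe", "10.0.5.17"), ("asmith", "10.0.5.22")}

LINE_RE = re.compile(r"^(\S+) (.*)$")


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    except ValueError:
        return None
    fields["ts"] = ts
    return fields


def parse_log(text):
    """Parse every well-formed line; silently skip lines that do not parse."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def business_hours(ts):
    """Assumed working window for this example: 07:00 to 19:00 UTC."""
    return 7 <= ts.hour < 19


def find_anomalous_access(events, baseline):
    """Group activity from (user, src) pairs outside the baseline by user.

    For each flagged user, report the unfamiliar sources, first and last
    sighting (dwell time), hosts touched, paths read and off-hours event count.
    """
    findings = {}
    for e in events:
        if (e["user"], e["src"]) in baseline:
            continue  # known-good pairing; nothing to report
        f = findings.setdefault(e["user"], {
            "src": set(), "first": e["ts"], "last": e["ts"],
            "hosts": set(), "paths": set(), "off_hours": 0,
        })
        f["src"].add(e["src"])
        f["first"] = min(f["first"], e["ts"])
        f["last"] = max(f["last"], e["ts"])
        f["hosts"].add(e["host"])
        if "path" in e:
            f["paths"].add(e["path"])
        if not business_hours(e["ts"]):
            f["off_hours"] += 1
    for f in findings.values():
        f["dwell_days"] = (f["last"] - f["first"]).days
    return findings


if __name__ == "__main__":
    for user, f in find_anomalous_access(parse_log(SAMPLE_LOG), BASELINE).items():
        print(f"{user}: unfamiliar sources {sorted(f['src'])}, dwell {f['dwell_days']} days, "
              f"hosts {sorted(f['hosts'])}, paths {sorted(f['paths'])}, "
              f"off-hours events {f['off_hours']}")
```

On the sample data the script singles out jdoe's activity from an address never seen for that account, shows it spanned nearly four weeks, and lists the engineering and HR paths that were read. The baseline is the part that requires knowing your network; a script can only flag what you have already told it is unusual, and the same approach carries over to VPN, proxy or Windows event logs once a parser for that format replaces `parse_line`.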

Information sharing is also really important because if the Chinese hacked into your network, the chances are pretty good they're also trying to get into your competitors' networks. He said that information sharing will help you learn what the threat environment is like. He also said that you can buy intelligence but that whatever route you take you have to know what's going on outside your organization.

Of course, that doesn't mean you can stop protecting your data. Critical information should still be encrypted using the strongest encryption you can find. Companies also need to deny access to anyone who shouldn't be seeing critical information. But first you need to determine what constitutes critical information, and that means more than just your intellectual property and trade secrets. Even your employee phone roster could be useful to the Chinese as they put together targeted attacks against your company.
