China Resumes Cyber-Attacks on U.S. Corporate, Government Networks

NEWS ANALYSIS: The Chinese Army added to its cyber-warfare arsenal and is attacking U.S. networks that haven't been strengthened since the last attacks.


The Chinese Army stopped its cyber-attacks on U.S. networks almost immediately after its actions became public in February.

Then a report from Mandiant, whose findings the Pentagon later backed, identified a People's Liberation Army unit on the outskirts of Shanghai, known as Unit 61398 and working out of a fortified, heavily guarded 12-story white building, as the source of the broad series of attacks. Those attacks targeted intellectual property, trade secrets and classified information stored on private and government computers.

Once the attacks were public, Unit 61398 quietly went back into the computers it had already penetrated and removed the traces of its hacking tools. Unfortunately for the Chinese, the cleanup came too late: cyber-security experts at Mandiant Corp. had already spotted the hackers at work and traced them back to their source.

Now they're back. According to a report released by Mandiant, the Chinese hacking squad used its time off to improve its tools and sharpen its skills, and it is once again trying to steal everything from blueprints to trade negotiation strategies to test results. The return to operations was reported by The New York Times, itself one of several media organizations attacked by the Chinese hackers earlier in 2013.

While the attacks haven't returned to their previous volume, they are just as dangerous as before. Companies that were hit previously probably haven't had time to put adequate defenses in place, and the Chinese have refined their methods to be more effective.

But things have changed, as well. For one thing, the Pentagon has confirmed details on the Chinese attacks on the U.S. For another, security researchers now know what to look for and can identify such an attack and take action much more quickly than in the past.

But that doesn't necessarily help you very much. Because the methods that the Chinese use to gain access in the first place change frequently, you can't point to a specific action as the one action that predicts that an attack is about to take place. But there are some things you can do that will help.

First, it helps to be aware that the Chinese frequently make their first entry into a company's network through a technique called "spear-phishing." This technique uses an email crafted for a specific individual that looks genuine on the surface and frequently appears to come from inside the organization, but whose sender address has actually been spoofed. That email usually contains a link that looks innocent but actually fetches the malware that gives the attackers their foothold.
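As an added example (not code from the original article), the following script checks a raw message for the two tells described above: a From: address that claims the organization's own domain while the envelope sender and the relay recorded by the organization's own MX are external, and an HTML link whose visible text shows one host while its href points to another. The sample message, the internal domain example.com, and the external hosts are all constructed for the example.

```python
"""Flag a spear-phishing e-mail that spoofs an internal sender and hides a link."""
import email
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed sample message (not a real capture). The From: claims an internal
# address, but the envelope sender (Return-Path) and the relay our MX received it
# from are external, and the anchor text shows a benign-looking intranet URL while
# the href points somewhere else entirely.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.invalid>
Received: from mail-relay.invalid (mail-relay.invalid [203.0.113.10])
    by mx.example.com with ESMTP id abc123
    for <alice@example.com>; Mon, 20 May 2013 09:12:00 -0400
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Updated travel policy - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the updated policy:
<a href="http://example-docs.invalid/policy.exe">https://intranet.example.com/policy.pdf</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Bare, lower-cased domain from 'Name <user@host>' or 'user@host'."""
    return email.utils.parseaddr(addr)[1].rpartition("@")[2].lower()


def is_internal_host(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def analyze(raw):
    """Return a list of findings for one raw message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    if from_dom == INTERNAL_DOMAIN and envelope_dom and envelope_dom != INTERNAL_DOMAIN:
        findings.append(f"From: claims {from_dom} but bounces go to {envelope_dom}")

    # Each hop prepends a Received: header, so the first one was written by our own
    # MX and the sender could not forge it; it records where the mail really came from.
    received = msg.get_all("Received") or []
    if received and from_dom == INTERNAL_DOMAIN:
        tokens = received[0].split()
        origin = tokens[1].lower() if len(tokens) > 1 and tokens[0] == "from" else ""
        if origin and not is_internal_host(origin):
            findings.append(f"From: claims {from_dom} but our MX received it from {origin}")

    if msg.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(msg.get_payload())
        for href, text in collector.links:
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                findings.append(f"link shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

These are heuristics, not a verdict: the authoritative sender check is SPF, DKIM and DMARC enforced at the mail gateway, and an attacker who registers a lookalike domain instead of spoofing yours will pass the first two checks and only trip the link comparison, if that.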

Once that initial malware is inside a company's network, the hackers use it to reach other computers, databases and data files, deploying further tools that pull intellectual property out over time. The malware itself is very difficult to find on a host, but its actions on the network, such as its regular check-ins with outside servers and the data it sends out, can sometimes be detected with proper monitoring.
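As an added example of the kind of monitoring meant here (not code from the original article), the script below runs over web-proxy log lines and flags any client-to-host pair that is contacted at a suspiciously regular cadence, the check-in pattern a remote-access implant produces. The log lines, the client address 10.1.2.3 and the host cdn-update.invalid are constructed for the example; the field layout and the thresholds are assumptions you would tune to your own proxy.

```python
"""Spot implant beaconing in web-proxy logs by looking for a regular check-in cadence."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy lines (not a real capture):
# timestamp client method url status response_bytes
# One client browses normally and, in between, hits cdn-update.invalid about once a minute.
SAMPLE_LOG = """\
2013-05-20T09:00:02 10.1.2.3 GET http://news.example.org/ 200 48211
2013-05-20T09:00:05 10.1.2.3 GET http://cdn-update.invalid/ping 200 312
2013-05-20T09:00:41 10.1.2.3 GET http://news.example.org/sports 200 39120
2013-05-20T09:01:04 10.1.2.3 GET http://cdn-update.invalid/ping 200 310
2013-05-20T09:02:06 10.1.2.3 GET http://cdn-update.invalid/ping 200 315
2013-05-20T09:02:30 10.1.2.3 GET http://mail.example.org/inbox 200 10233
2013-05-20T09:03:05 10.1.2.3 GET http://cdn-update.invalid/ping 200 311
2013-05-20T09:04:03 10.1.2.3 GET http://cdn-update.invalid/ping 200 309
2013-05-20T09:05:06 10.1.2.3 GET http://cdn-update.invalid/ping 200 312
2013-05-20T09:06:04 10.1.2.3 GET http://cdn-update.invalid/ping 200 314
2013-05-20T09:07:55 10.1.2.3 GET http://news.example.org/world 200 51023
"""


def parse_lines(text):
    """Yield (timestamp, client, host) per log line; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        stamp, client, url = parts[0], parts[1], parts[3]
        host = urlparse(url).hostname
        if host:
            yield datetime.fromisoformat(stamp), client, host


def detect_beacons(text, min_hits=6, max_cv=0.2, allowlist=frozenset()):
    """Return one alert per (client, host) pair whose request gaps are nearly constant.

    A pair needs at least min_hits requests, and the coefficient of variation of the
    gaps between them (std dev / mean) must be at most max_cv. Hosts in allowlist
    (known update servers, webmail polling) are skipped to cut false positives.
    """
    by_pair = defaultdict(list)
    for stamp, client, host in parse_lines(text):
        if host not in allowlist:
            by_pair[(client, host)].append(stamp)

    alerts = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            alerts.append({"client": client, "host": host, "hits": len(stamps),
                           "period_s": round(period, 1), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in detect_beacons(SAMPLE_LOG):
        print(f"BEACON? {alert['client']} -> {alert['host']} "
              f"every ~{alert['period_s']}s ({alert['hits']} hits, cv={alert['cv']})")
```

Regular cadence on its own is weak evidence; legitimate software polls on timers too, which is what the allowlist is for. In practice you would combine this with how rare the destination is across the whole fleet and with the volume of data the client uploads to it, since the point of the implant is to move intellectual property out.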

While there is no off-the-shelf tool that stops this kind of intrusion, there are steps a company can take. They may not work forever, but they can reduce the chance of losing control of your critical intellectual property, or even of your network.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He's a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...