January 29, 2010

New reports released this week on recent, high-profile data breaches make the compelling case that a simmering Cold War-style cyber arms race has emerged between the United States and China.

study issued Thursday by McAfee and the Center for Strategic and International Studies found that more than half of the 600 executives surveyed worldwide said they had been subject to “stealthy infiltration” by high-level adversaries, and that 59 percent believed representatives of foreign governments had been involved in the attacks.

A more granular analysis issued Thursday by Mandiant, an Alexandria, Va. based security firm, focuses on data breaches it has responded to involving the so-called “advanced persistent threat,” or those characterized by highly targeted attacks using custom-made malicious software in the hands of patient, well-funded assailants.

Mandiant notes that the scale, operation and logistics of conducting these attacks – against the government, commercial and private sectors – indicates that they’re state-sponsored.

The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement. Nonetheless, we’ve been able to correlate almost every APT intrusion we’ve investigated to current events within China. In all cases, information exfiltrated by each set of attackers correlates with a need for intelligence related to upcoming major U.S. / China mergers and acquisitions, corporate business negotiations, or defense industrial base acquisition opportunities [emphasis added].

The reports come just days after the Christian Science Monitor revealed that three Texas-based oil companies – Conoco, ExxonMobil and Marathon – were alerted by the FBI that their systems were penetrated back in 2008. The Monitor story said the attacks, thought to have originated in China, targeted “bid data” about oil reserves and potential drilling sites.

The Mandiant report offers several anonymous case studies of apparently targeted intrusions in 2009 that provide a detailed look at the attackers’ likely motivations:

-vs. government:

“During 2009, Mandiant witnessed [attackers] targeting multiple local, state and federal government entities whose commonality was their access to information related to terrorism…The malicious e-mails in the first event were sent to an organization tasked with consolidating local, state and federal law enforcement agencies into a central location to foster information sharing among various levels of government. The second event involved a high-ranking counter-terrorism official whose e-mail account was targeted with pinpoint accuracy. The third event involved data belonging to a government coordinating authority that receives intelligence information from local, state and federal government….When collectively viewed, these incidents clearly indicate an effort to satisfy an intelligence gap.”

Mandiant said that last year law enforcement notified a U.S. –based Fortune 500 manufacturing company that had initiated discussions to acquire a Chinese corporation. The feds told the company that intruders had stolen critical e-mails  containing details of the negotiation from the victim organization’s executives just days prior to the negotiations:

“Sensitive data left the company on a weekly basis during the negotiations, potentially providing the Chinese company with visibility to pricing and negotiation strategies.”

Describing a successful intrusion into a large-sized defense contractor, Mandiant said it found cases where the intruders were as patient as they needed to be:

“The implants were configured to sleep for anywhere from a few weeks tp a few months, with one implant configured to sleep for over a year. This is a clear example of how patient attackers are and indicates the length of time they strategically invest in a victim network.”

The study also shows how infrequently security software detects malicious software used in these highly targeted attacks.

“Of the samples we discovered and examined, only 24 percent was detected by security software.”

The Mandiant analysis concludes with a useful tutorial on what to expect if you are a victim of one of these stealthy attacks. Harlan Carvey, author of the accessible Windows Incident Response blog, suggests that the report should be required reading for all C-level executives and for individuals responsible for defending corporate and government computer networks.

“Bad guys are compartmentalized, dedicated, and have an economic stimulus to what they’re doing,” Carvey wrote in an instant message to krebsonsecurity.com. “The victims are still, for the most part, disorganized and don’t have dedicated protection and response staff.”

The full report is available here (e-mail registration required).


15 thoughts on “Simmering Over a ‘Cyber Cold War’

  1. Benjamin Wright

    As demonstrated by Google’s public statements in the past couple of weeks . . . the public communications response to a security incident is becoming just as important as the technical (or even legal) response. Thoughtful public messages are part of an effective security program.

  2. M Henri Day

    Can’t help wondering what the attacks on Chinese networks look like, how successful they are, and where they come from. Wars, as we know, are usually carried out by (at least) two sides, and if, as Brian writes above, «a simmering Cold War-style cyber arms race has emerged between the United States and China», it would certainly be inconsistent with the history of the former Power for it not to be doing its best to carry the battle to the other side….

    Henri

      1. M Henri Day

        Ah, wiredog, do you really believe that this is the only US «response» ? And who is responding to whom ?…

        Henri

    1. KFritz

      The PRC is a party-oligarchy dictatorship. As such, it has strong focus on tasks at hand. The corporations under attack are mainly focused on quarterly profits, personal success of the top executives, and competition with rivals also focused on the first two factors. The winner/outcome is a foregone conclusion.

      Google is a young, vital, obviously web-based organization. Don’t know how successful the recent attack was, but however successful, Google will work very hard to inoculate itself against the next attack.

  3. Dan

    Are there any countermeasure steps you recommend? For example, one might consider using his compromised network/email to his advantage by spreading dis-information to the attacker. Eventually, the attacker will realize that the pipeline is filled with dubious information.

    1. M Henri Day

      Thanks for the link, Gunnar ; I suspect Mr Sterling is spot on. Whose hacking whom ? «Everybody» is hacking «everybody» else – that seems to be the way the game is played….

      Henri

  4. M Henri Day

    Brian, would it be possible to provide a preview service for comments ? It’s embarrassing to discover that one has posted «Whose» for «Who’s» !…

    Henri

    1. M Henri Day

      While Brian notes that, according to the CSIS report, more than half of the respondents reported having suffered attacks, and believing that critical infrastructure in their respective countries was already under attack by foreign governments, for some reason he fails to record that the country identified as posting the biggest threat was the United States, which was named by 36 percent of respondents, while China came in second at 33 percent – at least if Dan Goodin’s report from San Francisco in The Register (http://preview.tinyurl.com/yeoczhr ) is to be believed (I’ve not yet been able to access the original CSIS report)….

      Henri

  5. M Henri Day

    The quote from the CSIS report to which I referred at second-hand above is found on page 30 of the report and runs as follows :

    «As noted in chapter one, a hefty majority of IT and security executives surveyed believe that for-
    eign governments have already been involved in
    network attacks on their sector. When they were
    asked which country “you worry is of greatest
    concern in the context of network attacks against
    your country/sector,” 36 percent named the
    United States and 33 percent China—more than
    any other countries on a list of six (respondents
    were also offered the chance to specify a differ-
    ent answer). The next most frequently cited was
    Russia, a distant third at just 12 percent. None
    of the other three, the UK, France and Germany,
    topped six percent.»

    A very informative graph concerning which country’s efforts at networks attacks are perceived as most worrying by respondents according to the country in which the latter reside is found on page 31 ; respondents from China, Brazil, Spain, Mexico, Russia, and Germany place the US in first place, while respondents from the US, Australia, the UK, France, Italy, and Japan name China. In India the two main contenders run neck and neck, while Saudi Arabian respondents point to Russia….

    Henri

  6. Space Rogue

    We have been in a cyber cold war for a while now. The Google-China thing is just the first U2 incident of the war. Take a look at all the posturing that has been going on with ‘Cyber Commands’ . Every country claims they have more ‘cyber warriors’ than the other country.

    South Korea is pointing a lot of fingers at North Koreas and the mysterious ‘lab 101’ and is hurredly rushing to put together a cyber command.

    The Brits want to hire ‘naught boys’ to fight for them.

    The Navy, not wanting to get upstaged by the AirForce or the Army has created its own ‘Cyber Command’. This despite the fact that all the services has had electronic warfare components since at least WWII.

    Then you have the Cyber Czar, possible government takeover of critical infrastructure civilian networks, etc etc etc….

    I see lots of propaganda, who knows what is going on behind the scenes. But, yes a Cyber Cold war is on and has been for several years. In my opinion we are in the touchy feely or recon stage. Everyone is still just probing (except maybe China) to figure out what the other side can do, what their capabilities really are.

    – SR

  7. op

    Plan on networks being down and don’t expect warnings. They delete them.

Comments are closed.