New reports released this week on recent, high-profile data breaches make the compelling case that a simmering Cold War-style cyber arms race has emerged between the United States and China.
A study issued Thursday by McAfee and the Center for Strategic and International Studies found that more than half of the 600 executives surveyed worldwide said they had been subject to “stealthy infiltration” by high-level adversaries, and that 59 percent believed representatives of foreign governments had been involved in the attacks.
A more granular analysis issued Thursday by Mandiant, an Alexandria, Va.-based security firm, focuses on data breaches it has responded to involving the so-called “advanced persistent threat,” or those characterized by highly targeted attacks using custom-made malicious software in the hands of patient, well-funded assailants.
Mandiant notes that the scale, operation and logistics of conducting these attacks – against the government, commercial and private sectors – indicate that they’re state-sponsored.
The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement. Nonetheless, we’ve been able to correlate almost every APT intrusion we’ve investigated to current events within China. In all cases, information exfiltrated by each set of attackers correlates with a need for intelligence related to upcoming major U.S. / China mergers and acquisitions, corporate business negotiations, or defense industrial base acquisition opportunities [emphasis added].
The reports come just days after the Christian Science Monitor revealed that three Texas-based oil companies – Conoco, ExxonMobil and Marathon – were alerted by the FBI that their systems were penetrated back in 2008. The Monitor story said the attacks, thought to have originated in China, targeted “bid data” about oil reserves and potential drilling sites.
The Mandiant report offers several anonymous case studies of apparently targeted intrusions in 2009 that provide a detailed look at the attackers’ likely motivations:
“During 2009, Mandiant witnessed [attackers] targeting multiple local, state and federal government entities whose commonality was their access to information related to terrorism… The malicious e-mails in the first event were sent to an organization tasked with consolidating local, state and federal law enforcement agencies into a central location to foster information sharing among various levels of government. The second event involved a high-ranking counter-terrorism official whose e-mail account was targeted with pinpoint accuracy. The third event involved data belonging to a government coordinating authority that receives intelligence information from local, state and federal government… When collectively viewed, these incidents clearly indicate an effort to satisfy an intelligence gap.”
Mandiant said that last year law enforcement notified a U.S.-based Fortune 500 manufacturing company that had initiated discussions to acquire a Chinese corporation. The feds told the company that intruders had stolen critical e-mails containing details of the negotiation from the victim organization’s executives just days prior to the negotiations:
“Sensitive data left the company on a weekly basis during the negotiations, potentially providing the Chinese company with visibility to pricing and negotiation strategies.”
Describing a successful intrusion into a large-sized defense contractor, Mandiant said it found cases where the intruders were as patient as they needed to be:
“The implants were configured to sleep for anywhere from a few weeks to a few months, with one implant configured to sleep for over a year. This is a clear example of how patient attackers are and indicates the length of time they strategically invest in a victim network.”
The study also shows how infrequently security software detects malicious software used in these highly targeted attacks.
“Of the samples we discovered and examined, only 24 percent was detected by security software.”
The Mandiant analysis concludes with a useful tutorial on what to expect if you are a victim of one of these stealthy attacks. Harlan Carvey, author of the accessible Windows Incident Response blog, suggests that the report should be required reading for all C-level executives and for individuals responsible for defending corporate and government computer networks.
“Bad guys are compartmentalized, dedicated, and have an economic stimulus to what they’re doing,” Carvey wrote in an instant message to krebsonsecurity.com. “The victims are still, for the most part, disorganized and don’t have dedicated protection and response staff.”
The full report is available here (e-mail registration required).