Written by Lucas Zaichkowsky, Enterprise Defense Architect at AccessData, responsible for expert guidance on cyber security.
This week saw a major event in the world of cyber security with far-reaching geopolitical implications. The United States Department of Justice announced indictments against five Chinese military officials for cyber-espionage against US corporations. As Reuters stated, “the indictments mark the first time the United States has filed charges against specific officials of foreign governments, accusing them of corporate cyber spying.”
Most governments and security companies know that state-sponsored Chinese hackers have been hacking many kinds of targeted organizations and individuals for years. The unfolding of these major charges signals a new era of highly public, government-versus-government allegations. The US government is taking bolder actions in articulating the seriousness of its concerns using exceptionally strong language to a global audience. It also begs the obvious question, if the US government felt compelled to go public with these allegations and charges, an admittedly very rare move, how much more has happened that they aren’t talking about? Could this be the onset of a virtual Cold War between the world’s two biggest economies with wide-ranging impact?
This is not the first time Unit 61398 has been referenced in the news. Last year Mandiant released a report focusing on the same Chinese People’s Liberation Army (PLA) unit. It’s important to understand that Unit 61398 is just one of a few dozen Chinese Advanced Persistent Threat (APT) state sponsored hacking groups. Unit 61398 conducts the most attacks in terms of the sheer volume of victim companies (think hundreds to thousands range). Unit 61398 tends to operate with minimal concern of being discovered. They have achieved incredible operational efficiency by developing and refining hacking procedures to get the information they want quickly with minimal effort.
Other cybercriminals specialize in targeted attacks on specific industries, requiring industry-specific knowledge. A few highly advanced hacking groups are assigned to breach organizations with bleeding edge defensive capabilities. These advanced groups invest immense effort evading security teams by using different backdoors and hacking tools each time they’re deployed to a system. Even their command and control (C2) infrastructure is rarely reused. To make matters worse, they implement anti-forensic techniques to make it difficult for security teams and incident responders to successfully remediate.
A large percentage of organizations across the globe are already fighting espionage cyberattacks emanating from China. They usually choose to not make it publicly known because of the negative business and brand impact that affects shareholder value. Without laws that require disclosure of espionage activity or a shift in public perception so that anger is directed at the aggressor, only the occasional victimized organization will voluntarily come forward as we saw in the Aurora incident.
China’s standard response has been and will continue to be denial followed by accusations that America is the real aggressor. They manipulate irrelevant data points such as mass malware infections, network scans performed by commodity viruses, and other similar noise. If a virus on my grandmother’s system scanning the internet randomly hits a Chinese IP by chance, they spin it as an attack against them conducted by the US. Furthermore, it’s important to note that every country conducts espionage activity whether they openly admit it or not.
The difference in democratic countries is that we aren’t stealing intellectual property, reading executive emails about business strategy, then supplying the information to the private sector. That’s exactly what China has been doing for more than a decade because everything is state owned. There is no private sector. When China or Russia point fingers at our espionage activity, they omit the key point that the US is not leveraging the information for economic and industrial growth advantages. There’s a huge difference between espionage against governments for political reasons and industrial espionage against the private sector for achieving economic superiority.
Lucas Zaichkowsky is the Enterprise Defense Architect at AccessData, responsible for providing expert guidance on the topic of Cybersecurity. Prior to joining AccessData, Lucas was a Technical Engineer at Mandiant where he worked with Fortune 500 organizations, the Defense Industrial Base, and government institutions to deploy measures designed to defend against the world’s most sophisticated attack groups.