Remember the good old days, when the US and China were supposedly working out new norms for the cybers, and China was going to stop all that hacking of US companies to steal intellectual property? It turns out the Chinese were just upping their hacking game, improving their operational security and penetration skills—learning from the methods of their Russian counterparts.
A recent example of that "island hopping" tactic is the "Cloud Hopper" hacking campaign, active since at least May of 2016. In October, DHS issued a new alert on the campaign, warning of a surge in activity by the campaign over the past few months. Cloud Hopper has been attributed to the threat group known as APT 10, aka Stone Panda—a hacking group that has been tied to the Chinese Ministry of State Security's Tianjin Bureau.
Based on data from incident response companies gathered by the security software vendor Carbon Black, China is now the leading source of cyber-attacks. Of 113 investigations conducted by Carbon Black's incident response partners in the third quarter of 2018, nearly half—47 in total—came from China or Russia.
"What was notable was that we saw a resurgence of Chinese attacks, where they actually surpassed Russian activity," said Carbon Black's chief cybersecurity officer, Tom Kellermann. "And I think that's in direct line with the increasing tension with the South China Sea coupled with the trade war. Essentially, the Chinese have taken the gloves off."
The data backing this analysis, part of a report released this week by Carbon Black, came from 37 incident-response firms that partnered with the company. It's the second quarterly report compiled from incident-response data and an attempt by the intrusion-response community to understand more about the behavior of attackers—and how they manage to spend so much time within networks before they are detected.
"The Verizon data-breach report, which we all appreciate as being probably the best report out on data breaches, always failed to explain why [dwell time] was over 130 days," Kellermann told Ars. That Verizon report "talked about the vector and some of the weaknesses in security but never described why that dwell time was so expansive. This report is specifically trying to drive out how are they getting in, how are they staying in, how are they moving laterally, how are they changing, and are they becoming more punitive."
And, in fact, attackers on the whole do appear to be turning more "punitive"—engaging in more destructive behavior either as part of a deliberate sabotage campaign or to counter the efforts by victims of intrusions to respond to them. But as far as the Chinese attackers go, it's clear that they have also significantly upped their game, improving their stealth and tactics in a way that has allowed them to dig deeper into targets and stay longer than before.
But now, the Chinese groups are mirroring some of the clandestine techniques used by the Russian underground and "cyber militias," including:
- Using multiple command and control (C&C) systems to communicate with backdoors and other malware, with at least one of them on a "sleep cycle"—left inactive until after other C&C systems have been purged by the targeted organization's security team.
- "Living off the land" and moving within the targeted network by using 'known good tools' (legitimate software packages or system tools that may already be installed on the target network, such as PowerShell).
- Using techniques such as process hollowing to conceal malicious code within an existing system process to evade detection, Windows Management Instrumentation, and other alternatives to PowerShell to conceal activity on Windows systems.
Across the board, the financial sector was the most commonly targeted victim, followed by healthcare. "With North Korea and Iran, as well as Russia, they're understanding how they can offset economic sanctions by targeting the financial sector," Kellerman suggested.
But there was also a spike over the third quarter of 2018 in attacks against manufacturing companies—a type of attack that has been frequently tied to Chinese economic espionage. "Hacking a manufacturing entity, it's very hard to create a liquid asset to capitalize financially on that," Kellermann noted, "unless it's for the purpose of economic espionage or economic sabotage."
No comments:
Post a Comment