The claim that China is the root of all evil when it comes to cyber attacks went up a notch yesterday, when security software specialists Mandiant released a damning report claiming that a sophisticated team of hackers, with suspected connections to the People’s Liberation Army (PLA) and the Chinese Communist Party (CCP), had systematically hacked over 140 organisations over a 7 year period.
Why Release The Report?
There have been numerous attempts over the last few years to pin every single cyber-attack onto a group or individual originating from a Chinese network. Some are justified, some not so, but it is an easy target to pin things against. Many of the claims, however, have lacked the detailed technical and circumstantial foundation needed to back them up and move towards either active defence or proactive prosecution. The Mandiant report – and I really recommend reading it in full to appreciate the level of detail that has been generated – really looks to point the finger, but this time with a credible amount of detail. The obvious outcome of being so detailed is that the attackers now have a point of reference from which they can mobilise further obfuscation techniques. However, the report provides several powerful assets such as address and domain information, as well as malware hashes. This is all useful material in the fight against further attacks.
How Bad Is It?
The detail is eye watering. 141 victims attacked over a 7 year period, with terabytes of data involved, is not a nice read, whatever the contents. The startling fact was simply the scale of the operations upholding the attacks. Not only were the attacks persistent, but the infrastructure required to allow such complex and sustained attacks to take place covered an estimated 1000 servers, with hundreds, if not thousands, of operators and control staff. The victim data was equally interesting, with several of the top sectors attacked being on the industry list for China’s 5 year strategic emerging industries plan. This starts to raise questions surrounding ethics, morality, intellectual property protection and competitive behaviour too. The data points to a strategic industrial programme to steal and use legal, process, leadership and technical information on a vast scale.
What Happens Now…
The report will no doubt create a lot of split opinion in both the infosec community and the surrounding political avenues too. The report points to industrial theft on a grand scale. The links to the PLA and CCP are not to be made on a whim, and there will no doubt be a political response. From an effective defence perspective, where does it leave us? Well, the report contains the practical information that many secops teams can effectively utilise for blacklists and malware identification. The longer term impact may well be unknown at present. The team behind APT1 will obviously apply countermeasures, altering their approach and attack vectors. Mandiant themselves may well be at risk of hacking as a result, if they were not already.
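As an added example (not code from the post or from the Mandiant report), here is the kind of simple matching a secops team can build from a report's domain, address and hash lists: it checks proxy log lines against listed hosts and file contents against listed MD5 digests. Every indicator and log line below is a constructed placeholder, not a value from the report.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed indicator set standing in for a report's domain, IP and hash
# lists. These are placeholders, not indicators from the Mandiant report.
IOC_DOMAINS = {"update-check.example.invalid", "mail-sync.example.invalid"}
IOC_IPS = {"203.0.113.17", "198.51.100.9"}  # RFC 5737 documentation ranges
IOC_MD5 = {hashlib.md5(b"constructed malicious sample").hexdigest()}

# Constructed proxy log lines in a squid-like layout: ts client method url status
PROXY_LOG = """\
1361232000.101 10.0.0.5 GET http://update-check.example.invalid/cgi-bin/ping 200
1361232001.204 10.0.0.7 GET http://www.example.com/index.html 200
1361232002.350 10.0.0.5 POST http://203.0.113.17:8080/upload 200
1361232003.422 10.0.0.9 GET http://mail.example.org/ 304
"""

# Captures the client address and the destination host (port and path dropped).
HOST_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+https?://([^/:\s]+)")


@dataclass
class Hit:
    kind: str       # "domain", "ip" or "md5"
    indicator: str  # the listed value that matched
    context: str    # the log line or file name it was found in


def match_proxy_log(log_text: str) -> list[Hit]:
    """Flag log lines whose destination host is a listed IP or domain.
    Subdomains of a listed domain also match (a.evil.example matches evil.example)."""
    hits = []
    for line in log_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        host = m.group(2).lower()
        if host in IOC_IPS:
            hits.append(Hit("ip", host, line))
        elif any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(Hit("domain", host, line))
    return hits


def match_file_hashes(files: dict[str, bytes]) -> list[Hit]:
    """Hash each file body with MD5 and report those on the indicator list."""
    hits = []
    for name, body in files.items():
        digest = hashlib.md5(body).hexdigest()
        if digest in IOC_MD5:
            hits.append(Hit("md5", digest, name))
    return hits
```

Real deployments would load the indicator lists from the report rather than hard-coding them, and would treat a hash match as a prompt for analysis rather than proof on its own, since the attackers can trivially rebuild samples.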
I think ultimately it goes some way to crystallise the view that long term, effective attacks via the internet are commonplace and sophisticated. They provide an effective way for industrial secrets to be stolen and used, regardless of the levels of software and process protection organisations use.