Not So Quiet On The Eastern Front
What Happened This Week
The US Department of Justice announced charges against five members of the (Chinese) People's Liberation Army Unit 61398 for cyber industrial espionage against Westinghouse, SolarWorld, U.S. Steel, Allegheny Technologies Inc., the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union, and Alcoa Inc. (News coverage: NYT, WSJ (may be behind their paywall), Washington Post)
The indictment alleges that the defendants conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs). In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.
“This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” U.S. Attorney General Eric Holder said. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.”
While these are serious allegations, there was a certain high theater about this. The Attorney General held a press conference. The DOJ and FBI issued press releases, complete with "Wanted By The FBI" posters with color pictures of each of the PLA officers and the note that if you see one of these people to call your local FBI office. Somehow, I don't expect any of them to plan a trip to anyplace with an extradition treaty with the US anytime soon.
Why are we not surprised?
That the PLA has made a concerted effort to hack into US companies is no surprise to anybody following the constant revelations of Advanced Persistent Threat (APT) attacks. Operation Aurora in 2009 targeted a number of US companies, including most famously Google (who made it public in January, 2010). Google's investigation (aided by Symantec) indicated that the main target of the attacks on their infrastructure was compromising the Gmail accounts of Chinese dissidents. McAfee's threat researchers were of the opinion that a major target of the attacks on other companies was to access and possibly modify the source code of defense contractors and tech companies. There was a strong suspicion at the time that the Chinese military was involved, but not conclusive proof. Google ultimately stopped censoring Chinese search results and moved its search engine from the mainland to Hong Kong in response.
In March 2011, RSA Security was attacked using an APT. After initially denying it, RSA admitted that there was a major breach involving SecurID two-factor authentication tokens. Speculation (undoubtedly correct) was that seed records mapping the cryptographic secret in each token (the seed of the random number sequence) to device serial numbers were compromised. This would allow an attacker in possession of a user ID, user PIN, and the seed record to impersonate the user. The user ID and PIN would have to be obtained from the user by social engineering, such as phishing. Clearly, experience has shown that's not as hard as it should be, since soon thereafter two US defense contractors (Lockheed Martin and Level 5 Communications) were hacked using stolen SecurID credentials. Lockheed claimed to have detected and stopped the intrusion quickly. RSA ultimately offered to replace every SecurID in circulation, a move that cost it $66 million.
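To make the SecurID risk above concrete, here is an added example (not from the original post, and not RSA's code) that uses an RFC 6238 TOTP as a stand-in for the proprietary SecurID algorithm; the seed, user and PIN values are constructed. It shows that whoever holds the seed record can compute the same code as the token, and that re-issuing the token (a fresh seed) is what closes that gap.

```python
import hashlib
import hmac
import struct

# Constructed sample data (not real SecurID seeds or users). A SecurID-style
# deployment keeps a seed record per token serial number; the user's login
# record binds a user ID and PIN to a serial.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
SEED_RECORDS = {"000123456789": DEMO_SEED}
USERS = {"alice": {"pin": "4711", "serial": "000123456789"}}

def totp(seed: bytes, t: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 time-based OTP over HMAC-SHA1. Stand-in for the proprietary
    SecurID algorithm: a shared seed plus the clock yields the token code."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_login(user_id: str, passcode: str, t: int) -> bool:
    """Server-side check. Passcode is the PIN followed by the current token code."""
    user = USERS.get(user_id)
    if user is None:
        return False
    expected = user["pin"] + totp(SEED_RECORDS[user["serial"]], t)
    return hmac.compare_digest(expected, passcode)

def seed_theft_defeats_2fa(stolen_seed: bytes, user_id: str, phished_pin: str, t: int) -> bool:
    """Models the risk in the text: a copy of the seed record plus a phished
    user ID and PIN yields exactly the passcode the real token would show."""
    return verify_login(user_id, phished_pin + totp(stolen_seed, t), t)

def reissue_token(serial: str, new_seed: bytes) -> None:
    """The mitigation RSA chose: replacing the token installs a fresh seed, so
    any copy of the old seed record stops producing valid codes."""
    SEED_RECORDS[serial] = new_seed
```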
Security company Mandiant (now a division of FireEye) put a name to this hacking, previously known as APT 1, with their excellent report in early 2013. Its major finding:
APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398 部队).
The Mandiant report also identified the street address of the office building in Shanghai that they operated out of, as well as a lot of information on methods. To read this week's press releases is to come away with the impression that the public outing of PLA Unit 61398 by Mandiant contributed a lot to this week's indictment. The press releases have a familiar feel to readers of that report. Also, just knowing the army unit and its street address left a lot of people with the feeling that something needed to be done about (alleged) Chinese government sponsored cyber assaults.
Why an indictment?
There has been a lot of speculation about why the government chose to do this. Nobody really expects any of the five to answer to these charges in a US court. As is clear from the dueling press releases, we have seriously pissed off the Chinese government, causing them to cancel talks on cyber-security for now. They have accused us of hypocrisy, given all of the recent revelations about our government's hacking. The US answer is essentially that, yes, we conduct espionage for governmental purposes, but that does not include turning the take over to US companies for their commercial advantage. That is a powerful argument, if true, and its assertion is certainly an attempt to seize the moral high ground where one might have thought there was none to take. I'm sure that's the reason why all of the cases in the indictment were purely commercial, as opposed to legitimate military intelligence gathering.
So why? One thing is that some of the victims bucked tradition and were willing to come forward and go public. The acts described in the indictment are clearly industrial espionage, not national security operations. As the Washington Post cites:
“There has come a point at which enough is enough,” said David Hickton, U.S. attorney for the Western District of Pennsylvania. “The companies are tired of being raided.”
Writing in the Lawfare blog, Harvard Law's Jack Goldsmith asserts:
But yesterday’s indictment is not meaningless, even if no conviction results, because it demonstrates USG seriousness about the issue by showing that the USG is willing to raise the stakes. On this view, a sharp legal or diplomatic reaction to the indictments by China serves USG policy aims, for such a (foreseeable) reaction will show that the United States is willing to take steps against Chinese corporate cybertheft that incur costs to itself, and thus that the USG might take even more aggressive costly steps than yesterday (such as ones suggested in this WSJ editorial) in the future. Until yesterday, the USG complaints against China’s cyber-snooping were nothing but talk. It might seem like naming names in an indictment that cannot result in conviction is just talk as well. But yesterday’s step clearly (and predictably, and thus purposefully) offended the Chinese in a way that prior talk did not, and to that extent it shows that the USG is somewhat more serious about this issue, and might retaliate further regardless of the costs to itself.
Goldsmith also points out that trying members of a foreign army for their actions as soldiers could raise interesting legal issues, but they would only arise if they actually made it to trial. The other hazards of actually putting them on trial are:
And speaking of issues that would arise if the USG ever got the defendants in the country, it seems like it would be hugely difficult to prove the charges in yesterday’s indictment, consistent with the normal rules of proof in a criminal trial, without revealing quite a lot about how the USG spies on the Chinese government. ... The indictment asserts many detailed facts, but proving those facts would be very tricky
By the way, the WSJ editorial Goldsmith cited suggests some pretty aggressive tactics, first in the domain of cyber warfare:
The proper way to respond to cyber war is to use the tools of statecraft to make China pay a political and economic price. A criminal indictment against Wang Dong and comrades is not such a price. The U.S. should respond with its own cyber battle plan that attacks Chinese targets and forces China to play defense rather than devote all of its resources to hacking U.S. targets.
as well as economic and personal sanctions against Chinese companies, business people and politicians:
The U.S. could also punish Chinese firms, such as Huawei, that the House Intelligence Committee has publicly identified for its ties to China's military. It could limit U.S.-China military-to-military ties and deny visas to the children of China's elites who want to attend American universities. The U.S. ought to be explicit in saying that these and other actions are direct responses to Chinese cyber attacks against Americans.
That's heavy stuff, spoken of openly in the media. In that context, the indictment is a shot across the bow, obnoxious but a stern warning that things could get worse.
What you should be doing to protect your company
- Every APT starts with a single click. In general, APTs get in via a highly targeted phishing campaign. The members of this unit are very talented social engineers, and the phishing email messages look plausible enough to get some takers. Regular anti-phishing learning and communications campaigns are essential to keep employee awareness high.
- Patch your systems. While many APT attacks exploit zero-day vulnerabilities, not all do. Aurora targeted IE6, which was obsolete at the time. Keeping your systems updated raises the bar. Note that we are not just talking about the OS, but also frequently attacked applications or middleware, such as Office, Java, and Flash.
- Get rid of XP. Staying on XP is like hanging out a sign welcoming the invaders. Every vulnerability patched in other versions of Windows is a permanent zero-day vulnerability in XP. You should also avoid using any version of IE on XP, since vulnerabilities are also going unpatched on the versions of IE that run on XP. If you must use IE for a particular business application, use it for just that application, and make another browser the default.
- Endpoint protection, not antivirus. Signature-based antivirus is not going to get most of these threats. Endpoint protection that also uses behavior based heuristics and a local firewall is a necessary part of defense in depth.
- Employ network based defense in depth too. Use all the tools at your disposal. Again focus on intrusion protection that detects bad behavior not just attack signatures. Make sure that your web filters aggressively block known command-and-control sites.
- Practice good data governance. Users can only leak what they can access. Follow data governance best practices: review access regularly, revoke unneeded access, don't grant unneeded access, review all access on transfers, revoke all access on termination. Make least privilege your guiding principle.
- Restrict admin rights. Nobody should surf the web with administrative rights. End users should not routinely get local admin rights on their workstations. Administrators should use a separate user ID for administrative work and do their normal work with reduced rights too.
- Lock down hosts. Anything you can do to make it harder for malware to add software to a machine or alter its configuration is desirable. I think the ultimate solution is going to be application whitelisting — if something is not on the whitelist it doesn't run — but I understand that is extremely difficult to do. There are technical, procedural, and cultural challenges. But I think that's where we will end up eventually. In the meantime, though, any lesser lockdowns you can do will help.
This isn't foolproof – nothing is. But every one of these steps raises the bar and makes you a much harder target.
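One practical check for the "block known command-and-control sites" item above, as an added example that is not part of the original post: run the proxy log against the blocklist and flag every request that was allowed through to a blocklisted domain or one of its subdomains. The log format, blocklist entries and client addresses are all constructed placeholders, not real indicators.

```python
import re

# Constructed blocklist of C2 domains (placeholders, not real IoCs). A real
# deployment would load this from the threat feed the web filter consumes.
C2_BLOCKLIST = {"c2.example.net", "beacon.example.org"}

# Constructed proxy log lines in a simple "time client action host:port" format.
SAMPLE_LOG = """\
2014-05-20T10:01:02Z 10.1.2.3 ALLOW www.example.com:443
2014-05-20T10:01:05Z 10.1.2.3 ALLOW update.c2.example.net:443
2014-05-20T10:02:11Z 10.1.2.9 DENY c2.example.net:80
2014-05-20T10:03:00Z 10.1.2.7 ALLOW notc2.example.net:443
2014-05-20T10:04:30Z 10.1.2.7 ALLOW BEACON.EXAMPLE.ORG:8080
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) ([^:\s]+)(?::\d+)?$")

def host_is_blocklisted(host: str, blocklist) -> bool:
    """True if host equals a blocklisted domain or is a subdomain of one.
    Matching is label-based, so 'notc2.example.net' does not match
    'c2.example.net'; case and a trailing dot are ignored."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def find_filter_gaps(log_text: str, blocklist):
    """Return (time, client, host) for every ALLOWed request to a blocklisted
    domain: evidence that the web filter is not enforcing the blocklist."""
    gaps = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, action, host = m.groups()
        if action == "ALLOW" and host_is_blocklisted(host, blocklist):
            gaps.append((ts, client, host.lower()))
    return gaps

if __name__ == "__main__":
    for ts, client, host in find_filter_gaps(SAMPLE_LOG, C2_BLOCKLIST):
        print(f"{ts} filter gap: {client} reached {host}")
```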
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.