19th Hole: On the Eve of China Summit, State Sponsored Hacks and Data Theft are still Big Problems
On the eve of a high-profile meeting between China’s President Xi Jinping and U.S. President Donald Trump, a new report underscores the continued scourge of Chinese spying on, and theft from, U.S. firms.
You can call the timing “awkward” or – just maybe – brilliant. On the eve of a major summit between the U.S. President and the Chinese leader, reports from the likes of PWC and BAE Systems, as well as Fidelis, have revealed an extensive and ongoing campaign of cyber espionage that targeted U.S. and Japanese firms, among others.
This, despite a supposed cyber détente between the two countries that was hammered out during President Obama’s second term. Oh well, at least President Trump and Chinese President Xi Jinping will have something to discuss at the club house at Mar-a-Lago during their upcoming visit!
With President Xi due to meet with President Trump in South Florida, PWC and BAE released a report on one long-running campaign, dubbed Cloud Hopper, that infiltrated firms in the US, EU and Japan by first hacking into managed IT service providers (or MSPs) to gain access to the intellectual property and sensitive data of both the MSPs and their clients.
The hacking group responsible, dubbed APT 10, has been active for years and has previously targeted U.S. government and U.S. defense industrial base (DIB) organizations, going back to 2009, the two companies reported. After reports about Chinese state-sponsored hacking cropped up in the media in 2013 and 2014, largely due to the work of firms like FireEye, that activity appeared to have died down. However, in recent months, the APT 10 group has expanded its work to both MSPs and Japanese firms, PWC and BAE reported.
The group used standard APT-style methods, including sophisticated, well-researched spear phishing e-mail messages and other lures to get a foothold on target networks, followed by the installation of malware and other hacking tools to gain unhampered access to those networks. The attackers use scheduled tasks or Windows services to ensure the malware they plant remains active regardless of system reboots and other purges.
The shared nature of client-side MSP infrastructure made it easy for the attackers to move laterally between MSPs and other victims, often using shared credentials. “Systems that share access and thus credentials, from both a MSP and one of its clients serve as a way of hopping between the two,” PWC and BAE reported.
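The two behaviours described above, persistence through newly created scheduled tasks or services and the reuse of one account across MSP and client hosts, are both visible in Windows event logs. The following is an added defender-side example, not code from the PWC/BAE report: it runs simple detection logic over constructed, pre-normalized records of Security event 4698 (scheduled task created) and System event 7045 (service installed), flags programs launched from untrusted locations, and then correlates which accounts planted such persistence on more than one host. The field names and sample values are assumptions of this example.

```python
# Constructed sample records (not from the report): Security 4698 = scheduled task
# created, System 7045 = service installed, normalized by an assumed log pipeline.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "ws01", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Reboot",
     "Command": r"C:\Windows\System32\usoclient.exe"},
    {"EventID": 4698, "Computer": "ws01", "SubjectUserName": "msp-admin",
     "TaskName": r"\WinUpdateCheck", "Command": r"C:\Users\Public\Libraries\svchost.exe"},
    {"EventID": 7045, "Computer": "srv02", "SubjectUserName": "msp-admin",
     "ServiceName": "NetSvcHelper", "ImagePath": r'"C:\ProgramData\Net Svc\helper.exe" -k'},
    {"EventID": 4698, "Computer": "srv02", "SubjectUserName": "SYSTEM",
     "TaskName": r"\upd", "Command": r"C:\Windows\Temp\upd.exe /s"},
]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_UNDER_TRUSTED = ("c:\\windows\\temp\\",)  # world-writable, so not trusted

def executable_path(command: str) -> str:
    """Program path from a task action or service ImagePath; a quoted path may contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def is_untrusted_location(path: str) -> bool:
    """True when the program is outside OS/application folders or in Windows\\Temp."""
    p = path.lower()
    return p.startswith(WRITABLE_UNDER_TRUSTED) or not p.startswith(TRUSTED_DIRS)

def persistence_alerts(events):
    """Flag new tasks/services whose program runs from an untrusted location."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4698:
            kind, name, cmd = "task", ev["TaskName"], ev["Command"]
        elif ev["EventID"] == 7045:
            kind, name, cmd = "service", ev["ServiceName"], ev["ImagePath"]
        else:
            continue  # other event types are not persistence signals here
        path = executable_path(cmd)
        if is_untrusted_location(path):
            alerts.append({"host": ev["Computer"], "account": ev["SubjectUserName"],
                           "kind": kind, "name": name, "path": path})
    return alerts

def accounts_on_multiple_hosts(alerts):
    """Accounts that planted flagged persistence on more than one host (shared-credential hopping)."""
    hosts = {}
    for a in alerts:
        hosts.setdefault(a["account"], set()).add(a["host"])
    return {acct for acct, hs in hosts.items() if len(hs) > 1}
```

In the sample, the stock Windows update task is ignored while the three entries launched from user-writable folders are flagged, and `msp-admin` stands out as the one account that installed persistence on both the workstation and the server.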
And, by targeting MSPs, who provide a range of services across industry sectors, the APT 10 group got access to a wide range of firms in industries like engineering and construction, industrial manufacturing, pharmaceuticals and technology, the companies reported.
And that’s not all. The security firm Fidelis added to the intrigue on Wednesday with a blog post that linked the Cloud Hopper campaign to an attack on The National Foreign Trade Council (NFTC), a prominent U.S. trade lobby group and advocate on international trade policy that counts firms like Wal-Mart, Johnson & Johnson, Amazon and Microsoft as members.
Hacking systems used by such a group could provide Chinese diplomats and officials with a heads-up on U.S. talking points and concerns going into the Trump-Xi summit, experts note.
It wasn’t supposed to be this way. The popular wisdom was that the Obama Administration, chastened by devastating hacks on U.S. businesses and government agencies, like the Office of Personnel Management, laid down the law with President Xi and his men – underscoring the U.S.’s anger at China-backed adventures on U.S. networks. There may have even been a “show of force,” it is said, to underscore that the U.S. has both offensive and defensive capabilities, and wouldn’t be afraid to use them.
The result, we heard, was a drop-off in China-backed incursions on the networks of U.S. companies, even as Russian hackers and disinformation campaigns rose to prominence.
The Cloud Hopper and Fidelis reports throw that convenient narrative into doubt, however. Did Chinese hacking simply dry up, on orders from the Communist Party? Or did they just go underground, pursuing more subtle means of compromise and extraction so as not to garner attention?
Or has the change of administrations reset the rules (as far as China is concerned) about state-sponsored incursions? The Trump Administration has made no secret of its desire to play cyber offense, even as our networks are laid bare to attackers time and again. China may be daring the new Administration to act on those promises, while making off with valuable intellectual property and intelligence in the meantime.
Again – there will be plenty to talk about on the 19th hole, and golf will be the least of it.