By David Geer, CSO | July 22nd, 2014
In May, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military on charges of hacking and economic espionage, according to a May 19 U.S. Department of Justice media release. Per the same release, the targets were six U.S. enterprises operating in the solar products, nuclear power, and metals industries. The attacks began as early as 2006 and were carried out over many years and into this year, according to the same release.
The five indictees were Wang Dong a.k.a. Ugly Gorilla (hacker handle), Sun Kailiang, a.k.a. Jack Sun, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, a.k.a. KandyGoo. The indictees were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army. According to the charges, the five men compromised computers belonging to the six U.S. enterprises and stole trade secrets and strategic information useful to those enterprises’ Chinese competitors. The U.S. companies that fell victim were Westinghouse, SolarWorld, U.S. Steel, ATI, the USW, and Alcoa, Inc., according to the May 19 U.S. Department of Justice media release.
After much preparation, the attackers launched very specially tailored spear phishing email attacks. CSOs, CISOs, and IT and security executives and staff should reconsider the technical and social nature of these kinds of attacks. Security leadership should revisit the measures they apply to their organizations to determine whether they are sufficient to mitigate costly nation state hacker threats.
Attacks by members of the Chinese military
“The Chinese were probably probing their systems for years prior to launching the social engineering email attacks,” says Damon Petraglia, Director of Forensic and Information Security Services, Chartstone Consulting, speaking of the ground work the five members of the Chinese military would have to have laid before sending the spear phishing emails to the six enterprises. These probes enabled them to know who to target the emails to and what the corporate network topologies were in order to stage successful attacks against network vulnerabilities.
“They already knew what firewalls the targeted companies were using,” says Petraglia, who developed and taught information security training at a large U.S. government agency. According to Petraglia, these Chinese hackers would have built entire networks to the same specifications as the ones they planned to attack. “These were military and intelligence level officers who had the resources and the funding to do this. They were highly trained,” says Petraglia. Once the attacks they were working on were successful against the duplicate network, without detection, they could confidently send the attacks against the six U.S. entities.
Petraglia’s assertions are not speculation. “Military organizations duplicate towns, areas, and buildings to run practice drills prior to attack or rescue missions. From a technical perspective, duplicating a network based on electronic and physical reconnaissance is cheaper and easier than building a town, area, or building. Reconnaissance is a major part of red team / blue team exercise scenarios. From a military and intelligence perspective, this behavior is expected of the adversary,” says Petraglia.
Then came the slow, steady exfiltration. “Most of these high profile cases are the result of spear phishing, unless the attackers have an insider in the target company,” says Rahul Kashyap, Head of Security Research, Bromium. In the case of attacks by nation states you almost always see very well designed spear phishing emails that appear to come from the CEO or a similar high official within the organization. “A spear phishing email sent to employees of Alcoa appeared to come from a corporate board member,” says Kashyap of one example of an email sent during these attacks. The idea here was to create a sense of urgency so that employees responded without thinking and began clicking links or opening attachments containing malware. “Attackers spray bunches of emails at employees. All they need is for one person to open one email and respond for an attack to progress,” says Kashyap.
Employees ultimately requested the data via port 80 or another port used for web traffic. Enterprises expect this port to see a lot of traffic. Because the malware was designed to push / pull just a little bit of malicious traffic at a time together with expected web traffic, enterprise security did not detect the attacks. Meanwhile, the malware kit acquired increasing degrees of access on the network until it got to the databases and servers that contained the intellectual property and confidential documents the attackers sought and highly prized. “Anyone who had access to the kinds of material these hackers stole would have a huge advantage over the targeted U.S. competitors,” says Kashyap.
Previous state sponsored attacks have used kernel exploits like Stuxnet, Duqu, Gapz, TDL4, Gameover, and the recent Adobe Reader Sandbox bypass; these hackers may have used kernel exploits in these attacks as well. “The Windows kernel is the core of the operating system. If you compromise the kernel, you own the machine, including the security software on it,” says Kashyap.
Mitigating similar attacks
“I trained people at government agencies who had no clue that they were under attack as much as they were,” says Petraglia. Given that, every day businesses outside the government are certainly not up to speed on securing against state-sponsored attacks, concludes Petraglia. Enterprises need to educate and train their people that they are definitely military and intelligence level targets of hackers.
Several layered technical measures are necessary to mitigate state-sponsored attacks that hackers levy for economic gain. Enterprises need solid definitions as to what is sensitive data. They need absolute rules about data access. “Use Data Loss Prevention tools so people can’t copy sensitive data to their laptop, which then ends up unattended in the back of their car,” says Petraglia.
“Encryption is key,” Petraglia continues. Encrypt all data in transit and at rest. Don’t make it easy for the hackers to get the data. Follow egress traffic to where it terminates in so far as it is possible. Watch the packet sizes leaving the enterprise as well as their destinations. Watch for unexpected sizes and destinations.
Use a tiered security architecture with different security protocols and entirely different security devices at every level. “The firewalls at different layers should not all come from the same vendor,” says Petraglia; “they should be three different versions of firewalls from three different companies.” This helps to prevent an attacker from breaking through multiple layers of security using the same kind of attack on the same kind of vulnerability at all layers.
According to Kashyap, the threat landscape has changed over the last few years. “Hackers know the perimeter is well protected so they compromise the employees. Companies that care about their intellectual property should invest in security technology that assumes their employees are gullible and will make mistakes like the end users made during these state-sponsored attacks,” says Kashyap.
Enterprises should reevaluate any legacy security tools because the hackers’ approaches are more advanced than the capabilities of these tools. “Use multiple tools to recognize anomalous behavior,” says Kashyap. Isolate the behavior and don’t permit it to proceed any further on the network.