China Has “taken the gloves off” In Hacking Attacks

Remember the good old days, when the US and China were supposedly working out new norms for cyber, and China was going to stop all that hacking of US companies to steal intellectual property? 
 
It turns out the Chinese were just upping their hacking game, improving their operational security and penetration skills, learning from the methods of their Russian counterparts.
 
A recent example of the Chinese "island hopping" tactic (compromising a service provider in order to reach its customers) is the "Cloud Hopper" hacking campaign, active since at least May of 2016. In October the US Dept. of Homeland Security (DHS) issued a new alert on the campaign, warning of a surge in its activity over the past few months. Cloud Hopper has been attributed to the threat group known as APT 10, aka Stone Panda, a hacking group that has been tied to the Chinese Ministry of State Security's Tianjin Bureau.
 
Based on data from incident response companies gathered by the security firm Carbon Black, China is now the leading source of cyber-attacks. Of 113 investigations conducted by Carbon Black's incident response partners in the third quarter of 2018, nearly half, 47 in total, came from China or Russia.
 
"What was notable was that we saw a resurgence of Chinese attacks, where they actually surpassed Russian activity," said Carbon Black's chief cybersecurity officer, Tom Kellermann. "And I think that's in direct line with the increasing tension with the South China Sea coupled with the trade war. Essentially, the Chinese have taken the gloves off."
 
The data backing this analysis, part of a report released recently by Carbon Black, came from 37 incident-response firms that partnered with the company. It's the second quarterly report compiled from incident-response data and an attempt by the intrusion-response community to understand more about the behavior of attackers, and how they manage to spend so much time within networks before they are detected.
 
"The Verizon data-breach report, which we all appreciate as being probably the best report out on data breaches, always failed to explain why [dwell time] was over 130 days," Kellermann told Ars. That Verizon report "talked about the vector and some of the weaknesses in security but never described why that dwell time was so expansive."

"This report is specifically trying to drive out how are they getting in, how are they staying in, how are they moving laterally, how are they changing, and are they becoming more punitive."
 
And, in fact, attackers on the whole do appear to be turning more "punitive", engaging in more destructive behavior either as part of a deliberate sabotage campaign or to counter the efforts by victims of intrusions to respond to them. 
 
But as far as the Chinese attackers go, it's clear that they have also significantly upped their game, improving their stealth and tactics in a way that has allowed them to dig deeper into targets and stay longer than before.
 
"They're doing a much better job of operational security for their campaigns and doing a tremendous amount of 'island hopping', targeting the major service providers and corporations' brands in order to island hop into their constituencies," Kellermann explained.
 
This type of stealth is a significant departure from Chinese state-sponsored hacking operations in the past. "The joke used to be that when the Chinese would come after you, they would throw the kitchen sink at you, and inevitably they would get into your house, and it would sound like a bunch of drunks in your kitchen at night," Kellermann said. "The Russians, if they targeted you, you would just wake up feeling funny in the morning."
 
But now, the Chinese groups are mirroring some of the clandestine techniques used by the Russian underground and "cyber militias," including:
 
• Using multiple command and control (C&C) systems to communicate with backdoors and other malware, with at least one of them on a "sleep cycle", left inactive until after other C&C systems have been purged by the targeted organisation's security team.
 
• "Living off the land" and moving within the targeted network by using 'known good tools' (legitimate software packages or system tools that may already be installed on the target network, such as PowerShell).
 
• Using techniques such as process hollowing (injecting malicious code into an existing system process to evade detection), Windows Management Instrumentation (WMI), and other alternatives to PowerShell to conceal activity on Windows systems.
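The first of these techniques, a secondary command-and-control (C&C) channel held on a "sleep cycle", leaves a recognisable trace in outbound connection records: a beacon-like series to one destination stops (the defender purged it), and hours later a second beacon-like series to a new destination begins from the same host. The script below is an added illustration of that detection logic; it is not code from the article, from Carbon Black, or from any incident-response firm. The log lines, host names and addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed sample data, and the thresholds for "beacon-like" (at least four hits with a stable interval) and "dormant" (at least one hour of silence) are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed sample of outbound-connection records (not from any real incident).
# One record per line: <ISO timestamp> <host> <destination_ip>:<port>
# 203.0.113.10 stands in for the first C&C server, cut off at 09:05 (the defender
# purged it); 203.0.113.77 is the dormant second C&C that only wakes at 12:00.
# 198.51.100.5 is ordinary, irregular web traffic and should not be flagged.
SAMPLE_LOG = """\
2018-10-02T09:00:00 WS01 203.0.113.10:443
2018-10-02T09:00:12 WS01 198.51.100.5:443
2018-10-02T09:00:17 WS01 198.51.100.5:443
2018-10-02T09:00:30 WS02 203.0.113.10:443
2018-10-02T09:01:00 WS01 203.0.113.10:443
2018-10-02T09:01:30 WS02 203.0.113.10:443
2018-10-02T09:02:00 WS01 203.0.113.10:443
2018-10-02T09:02:30 WS02 203.0.113.10:443
2018-10-02T09:03:00 WS01 203.0.113.10:443
2018-10-02T09:03:30 WS02 203.0.113.10:443
2018-10-02T09:04:00 WS01 203.0.113.10:443
2018-10-02T09:05:00 WS01 203.0.113.10:443
2018-10-02T09:20:00 WS01 198.51.100.5:443
2018-10-02T12:00:00 WS01 203.0.113.77:443
2018-10-02T12:01:00 WS01 203.0.113.77:443
2018-10-02T12:02:00 WS01 203.0.113.77:443
2018-10-02T12:03:00 WS01 203.0.113.77:443
2018-10-02T12:04:00 WS01 203.0.113.77:443
"""


def parse(text):
    """Turn the log text into (timestamp, host, destination_ip) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, dst = line.split()
        records.append((datetime.fromisoformat(ts), host, dst.rsplit(":", 1)[0]))
    return sorted(records)


def beacon_candidates(records, min_hits=4, max_jitter=0.25):
    """Group connections per (host, destination) and keep only the series that look
    like beacons: enough hits, and inter-connection gaps whose spread (standard
    deviation divided by the median gap) stays below max_jitter."""
    series = defaultdict(list)
    for ts, host, dst in records:
        series[(host, dst)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0 or pstdev(gaps) / med > max_jitter:
            continue
        beacons[key] = {"first": times[0], "last": times[-1],
                        "hits": len(times), "interval_s": med}
    return beacons


def dormant_successors(beacons, min_gap=timedelta(hours=1)):
    """Return (host, earlier_c2, later_c2) triples where a second beacon destination
    starts only after the first one has been silent for at least min_gap: the
    footprint of a secondary C&C kept on a sleep cycle until the primary was purged."""
    by_host = defaultdict(list)
    for (host, dst), info in beacons.items():
        by_host[host].append((dst, info))
    findings = []
    for host, items in by_host.items():
        items.sort(key=lambda item: item[1]["first"])
        for i, (dst_a, a) in enumerate(items):
            for dst_b, b in items[i + 1:]:
                if b["first"] - a["last"] >= min_gap:
                    findings.append((host, dst_a, dst_b))
    return findings


if __name__ == "__main__":
    beacons = beacon_candidates(parse(SAMPLE_LOG))
    for (host, dst), info in beacons.items():
        print(f"beacon {host} -> {dst}: {info['hits']} hits every {info['interval_s']:.0f}s "
              f"({info['first']:%H:%M}-{info['last']:%H:%M})")
    for host, primary, secondary in dormant_successors(beacons):
        print(f"ALERT {host}: {secondary} woke up after {primary} went quiet; "
              f"treat the host as still compromised and re-scope the response")
```

The point of the second function is the one the article makes: purging the first C&C address and declaring victory is exactly what the sleep-cycle channel is designed to survive, so a response team should keep watching previously infected hosts for a new regular beacon long after the first one stops. Against real NetFlow or proxy logs the jitter and gap thresholds need tuning, and legitimate periodic traffic (update checks, monitoring agents) must be allow-listed before the output is actionable.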
 
Chinese hacking groups aren't the only ones to have improved their game against intrusion detection and response. Attackers from Iran, North Korea, and Brazil have also been evolving their behavior to adjust to the widespread use of breach-detection tools and common intrusion-response practices. The data gathered for the report showed that more than 40 percent of the incident-response investigations in the last three months found a secondary command and control network in place "on the sleep cycle." And more than 50 percent of the incidents were cases where the victim was not the primary target of the attack.
 
That said, the resurgence of the Chinese attacks is concerning when combined with their shift in tactics. While Chinese attacks against US targets never really stopped after the 2015 agreement on cyber norms, they had become much less brazen, which Kellermann attributes to their realization that they were "terrible at operational security." 
 
But they may have refocused their activities elsewhere, targeting India, Japan, and South Korea, as they learned more about how companies defended themselves and responded to breaches.
 
Bringing the Pain
 
Across the board, the financial sector was the most commonly targeted victim, followed by healthcare. "With North Korea and Iran, as well as Russia, they're understanding how they can offset economic sanctions by targeting the financial sector," Kellermann suggested.
 
But there was also a spike over the third quarter of 2018 in attacks against manufacturing companies, a type of attack that has been frequently tied to Chinese economic espionage. 
 
"Hacking a manufacturing entity, it's very hard to create a liquid asset to capitalise financially on that," Kellermann noted, "unless it's for the purpose of economic espionage or economic sabotage."
 
There was another spike that drew notice, a shift toward what Kellermann described as "a more punitive adversary." In 32 percent of the documented investigations over the past quarter, the attackers engaged in some sort of data destruction, either as economic sabotage or as a way of countering incident-response efforts by the victim.
 
"We're seeing destruction of logs, not just the logs specific to the footprint of the adversary on various hosts, but just massive amounts of logs," Kellermann said, "and that should be concerning to all of us. In the first three months we looked at, back in the spring of this year, we were at 10 percent for destructive attacks. Now we're at 32 percent. Is it the geopolitical context, or is it just that the actors have become far more punitive?"
 
The trend suggests, Kellermann said, that the days of "the straight burglary" of data are now gone, and sophisticated attackers are turning toward the tactics of a home invasion. 
 
Kellermann compared most companies' tactics in dealing with intrusions to responding to an intruder by "standing at the top of the steps and shouting 'I've got a gun and the police know you're here' and assuming that would scare them away." 
 
The problem with that approach, he noted, was that it assumes that there is only one intruder, that the threat is enough to intimidate them to leave, and that the intruder(s) "would not get punitive enough to come upstairs and set the house on fire."
 
We've already seen the potential threat of purely destructive attacks in the past from malware such as Shamoon, WannaCry, and NotPetya. 
 
But as tensions continue to build over trade, that sort of virtual arson attack on networks could become increasingly more common and much more sophisticated in its application. And that's something that current security practices and US "cyber deterrence" don't yet appear to be prepared to deal with.
 
Ars Technica:
 