In May, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military on charges of hacking and economic espionage, according to a May 19 U.S. Department of Justice media release. Per the same release, the targets were six U.S. enterprises operating in the solar products, nuclear power, and metals industries, and the attacks began as early as 2006 and continued over many years and into this year.
The five indictees were Wang Dong, a.k.a. Ugly Gorilla (his hacker handle); Sun Kailiang, a.k.a. Jack Sun; Wen Xinyu; Huang Zhenyu; and Gu Chunhui, a.k.a. KandyGoo. All were officers in Unit 61398 of the Third Department of the Chinese People's Liberation Army. According to the charges, the five men compromised computers belonging to the six U.S. enterprises and stole trade secrets and strategic information useful to those enterprises' Chinese competitors. The U.S. companies that fell victim were Westinghouse, SolarWorld, U.S. Steel, ATI, the USW, and Alcoa, Inc., according to the May 19 U.S. Department of Justice media release.
After much preparation, the attackers launched spear phishing email attacks tailored specifically to their targets. CSOs, CISOs, and IT and security executives and staff should reconsider both the technical and the social nature of these kinds of attacks. Security leadership should revisit the measures in place at their organizations to determine whether they are sufficient to mitigate costly nation-state hacker threats.
Attacks by members of the Chinese military
"The Chinese were probably probing their systems for years prior to launching the social engineering email attacks," says Damon Petraglia, Director of Forensic and Information Security Services, Chartstone Consulting, speaking of the groundwork the five members of the Chinese military would have had to lay before sending the spear phishing emails to the six enterprises. These probes would have told the attackers whom to send the emails to and what the corporate network topologies looked like, so that they could stage successful attacks against network vulnerabilities.
"They already knew what firewalls the targeted companies were using," says Petraglia, who developed and taught information security training at a large U.S. government agency. According to Petraglia, these Chinese hackers would have built entire networks to the same specifications as the ones they planned to attack. "These were military and intelligence level officers who had the resources and the funding to do this. They were highly trained," says Petraglia. Once the attacks they were developing succeeded against the duplicate network without being detected, they could confidently launch them against the six U.S. entities.
Petraglia's assertions are not speculation. "Military organizations duplicate towns, areas, and buildings to run practice drills prior to attack or rescue missions. From a technical perspective, duplicating a network based on electronic and physical reconnaissance is cheaper and easier than building a town, area, or building. Reconnaissance is a major part of red team / blue team exercise scenarios. From a military and intelligence perspective, this behavior is expected of the adversary," says Petraglia.