China Hacking Report QuestionedChinese Military Accused of Hacking European, US Businesses
A Chinese military unit, based in Shanghai, has been hacking U.S. defense companies as well as European aerospace and satellite firms since at least 2007, according to information security firm CrowdStrike. But some security experts have questioned those findings and whether they will help businesses that are being attacked to better defend themselves.
On June 9, CrowdStrike published a 62-page report on "Putter Panda", its code name for a campaign it now says is being run by Chinese People's Liberation Army signals intelligence unit 61486. That group reportedly favors targeting vulnerabilities in Adobe Reader and Microsoft Office software, which it exploits to install a remote-access tool such as 4H or 3Para. In some cases, the group has even used rare, e-mail-based command-and-control tools.
CrowdStrike president George Kurtz says in the report that unit 61486 has hacked into companies around the world "to steal corporate trade secrets, primarily relating to the satellite, aerospace and communication industries" in a campaign that extends far beyond intelligence-gathering for national security purposes. "While the gains from electronic theft are hard to quantify, stolen information undoubtedly results in an improved competitive edge, reduced research and development timetables, and insight into strategy and vulnerabilities of the targeted organization," he says.
The timing of the release of the report is meant to continue U.S. pressure on China, following the U.S. Justice Department last month indicting five Chinese army officers on hacking charges, says Adam Meyers, vice president of intelligence at CrowdStrike. "The report isn't new, per se; our intel partners have had this information for months," he says in an interview with Information Security Media Group. "We want to keep the pressure on, because we're seeing our customers and lots of businesses being targeted and losing intellectual property, and that's unfair behavior by China in terms of business standards."
Signatures included in the report can also be used to block repeat attacks, he says.
First APT1, Then Putter Panda
Responding to the report, however, some security experts have questioned the usefulness of its findings. "Attribution of attacks down to individuals is almost never relevant to anyone outside of intelligence agencies or law enforcement," says John Pescatore, director of emerging security trends for the SANS Institute. "Here's a simple thought experiment I always use: If I could send you back in time to the day before a breach, and arm you with one piece of knowledge - who will launch the attack, or what vulnerability are they going to exploit? - which would you choose?"
Back in February 2013, threat intelligence firm Mandiant published a report that tied advanced persistent threat attacks launched by the "APT1" group to Chinese PLA unit 61398.
"So, both the previous Mandiant APT1 report and this CrowdStrike one name names, and it attracts attention in the press - but is value-free for corporate security managers, even the ones who might be targeted by this same [group]," Pescatore says. The report may also be meant to curry favor with U.S. government officials in the wake of Edward Snowden's leaks at the National Security Agency, he argues. "The U.S. government has been over-emphasizing Chinese hacking in general - especially after all the bad press about NSA's operations," Pescatore says.
Drilling into the report's findings, security expert Jeffrey Carr, CEO of Taia Global, contends that CrowdStrike - which is in the business of selling information about attackers and their techniques - fails to prove that that the Chinese military is behind the hacking team it's been tracking, or that a unit member named as "Chen Ping" is really involved.
"CrowdStrike did not prove that the person they've identified as Chen Ping, a.k.a. cpyy, is actually named Chen Ping or is an employee of PLA unit 61486 or is even a hacker," says Carr, who's the author of Inside Cyber Warfare: Mapping the Cyber Underworld. "All of that is speculation on the part of the researchers."
CrowdStrike's Meyers, however, dismisses Carr's criticism. "I tend not to read things that he publishes ..." he says, pointing to Carr's theory that China was involved in the development of the Stuxnet worm.
Meyers also emphasizes that CrowdStrike researchers found numerous signs of PLA members - from different parts of its signals intelligence bureau - interacting online, for example in a car-enthusiasts' forum, which substantiates a connection between the APT1 and Putter Panda teams. "There aren't a lot of coincidences in this game, so that's interesting," he says.
Timing of Report
The timing of the report's release is no coincidence. According to Meyers, CrowdStrike released it following the U.S. Justice Department filing hacking charges against five Chinese officials. He argues that rather than leaving such matters to the government, holding Chinese hackers accountable is a "shared responsibility."
"Right now, they're just continuing this behavior in an unabashed fashion," he says. According to the report, for example, unit 61486 has been using the street address of the Chinese military signals intelligence bureau to register domains it uses to control its malware. "Can you imagine if there was a domain that traced back to a U.S. intelligence agency that was being used to target satellite communications in a foreign country?" Meyers asks.
Pescatore, however, offers a different explanation for the timing of the report's release. "Most of these types of reports are largely aimed at getting funding from U.S. DoD [Department of Defense] and intelligence agencies that do care about who launches attacks, and is also useful for those agencies as they fight for fiscal year 2015 funds for cybersecurity," he says.