STE WILLIAMS

Obama’s new cyber-security tactics blame corrupt staff, China

The White House has unveiled a fresh strategy for combating the theft of American trade secrets – days after a high-profile Chinese cyber-espionage campaign against US corporate giants was exposed.

The strategy, outlined in a 141-page report [PDF] published on Wednesday, focuses on a five-part plan featuring diplomatic efforts, cooperation with private industry to bolster information security, legislation, law enforcement operations and public education campaigns. The US Departments of Commerce, Defense, Homeland Security, Justice, State and Treasury; the Office of the Director of National Intelligence; and the Office of the United States Trade Representative were all involved in drawing up the strategy, and will all be involved in aspects of putting it into play.

The US government report, which cites numerous examples of Chinese espionage and a smaller number of attacks traced to Russia and other countries, makes a fascinating read.

Although recent news headlines focused on state-sponsored cyber-espionage, the new Administration Strategy on Mitigation of Theft of US Trade Secrets also highlights the role of corrupt company insiders in the pilfering of trade secrets. Cyber-espionage is presented as making an existing threat far worse:

Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation’s prosperity and security. Cyberspace – where most business activity and development of new ideas now takes place – amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.

Other targets of industrial espionage include firms in Canada, France, Germany, the UK and South Korea as well as US corporations, who seem to bear the brunt of attacks. And what other Western intelligence sources are telling their US counterparts, as summarised in the strategy document, bears repeating: “Russia also is seen as an important actor in cyber-enabled economic collection and espionage against other countries, albeit a distant second to China.”

The report states: “Trade-secret theft threatens American businesses, undermines national security, and places the security of the US economy in jeopardy. These acts also diminish US export prospects around the globe and put American jobs at risk.”

A key section of the document blames most of this malfeasance on China:

Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC [intelligence community] cannot confirm who was responsible.

Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

Seven of the eight cases of trade-secret theft highlighted in an early section of the report involve Chinese nationals or Chinese firms. The exception involves the alleged theft of Goldman Sachs’ computer-trading source code by an employee of Russian extraction. The Obama administration aims to clamp down on both corporate and state-sponsored trade-secret theft.

A summary of the Department of Justice’s economic espionage and trade-secret criminal cases since January 2009 lists 18 Chinese suspects, one South Korean and an Indian. It also lists a case involving an attempted sale of Akamai trade secrets to Israel that the Israelis actively helped in thwarting. All the cited cases involve current or former employees of negotiable morals rather than infiltration by outside hackers.

The report is noteworthy in listing the main targets of trade-secret theft: these include information and communications technology; military technologies (particularly marine systems and drones – unmanned aerial vehicles) and other aerospace technologies; and technologies in sectors likely to experience fast growth, such as clean energy; healthcare and pharmaceuticals; and natural resources (including oil and gas).

Intelligence agencies have “used independent hackers at times to augment their capabilities and act as proxies for intrusions, thereby providing plausible deniability”, the report states. It singles out the use of the Iranian Cyber Army, a hacker group with links to the Iranian government, in “social engineering techniques to obtain control over internet domains and disrupt the political opposition” as an example of this so-called “hackers for hire” trend.

Other second-tier threats include hacktivists and Wikileaks:

Similarly, political or social activists may use the tools of economic espionage against US companies, agencies, or other entities, with disgruntled insiders leaking information about corporate trade secrets or critical US technology to ‘hacktivist’ groups like WikiLeaks.

Hacktivists are very much a footnote to the report which focuses on corrupt insiders – such as current and former employees – and state-sponsored hackers based in China as by far the most significant threat.

Cyber-espionage to swipe US trade secrets has been going on for the last six or seven years, we’re told, but such attacks are occurring with increasing frequency and attracting much more media attention of late. The new strategy brings together existing initiatives in diplomacy, promotion of best practice and law enforcement action rather than introducing anything more radical, such as active defence. Strategies involving active defence may involve anything from hacking back against attackers to deliberately feeding hackers misinformation and snaring them with honeypots. The policy document also omits mention of recent debates about charging foreign cyber-spies with hacking into US corporations.

Instead the emphasis is placed far more on the Cyber Intelligence Sharing and Protection Act, or CISPA, legislation designed to facilitate sharing of intelligence about cyber-attacks and talk of how suspicions of industrial scale trade-secret theft may impact international trade negotiations – such as the Trans Pacific Partnership. The threat of trade sanctions against China is raised as a possible move although it’s not fully detailed.

The Obama administration’s announcement follows a spate of admissions by US high-tech firms, including Apple and Facebook, that they’ve fallen victim to hacking attacks linked to Java-based browser exploits. A separate run of attacks using spear-phishing and custom malware to compromise systems was levelled at The New York Times and The Wall Street Journal.

A detailed report drawn from a long-running investigation by security response firm Mandiant blamed a Shanghai-based Chinese military unit for spearheading many cyber-espionage campaigns over several years. China has denied these claims, arguing that it has often been a victim of cyber-attacks and called for greater international cooperation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/21/us_revamped_cyber_strategy/

We’ve slashed account hijackings by 99.7%

Google appears to be making strides in the war against account hijacking. The ads, search and webmail giant recently announced that it had reduced takeovers by 99.7 per cent since introducing tighter security procedures.

Improved spam filtering meant spammers switched to more aggressive account-takeover tactics over the last two or three years. 419ers and others now try to hijack existing email accounts before sending fraudulent messages to potential marks, usually the friends and contacts of the hijacking victim. Using auto-generated newbie accounts no longer works because messages from such accounts are routinely blocked.

Email account hijacks often follow either phishing campaigns or database leaks from insecure websites. Because many people make the mistake of re-using the same password across different accounts, stolen passwords from one site are often valid across many others. This is what made password database breaches involving the Sony PlayStation Network, Gawker, LinkedIn, eHarmony and Last.fm and many more over the last two or three years such bad news.

Using leaked passwords, sometimes purchased in bulk from underground cybercrime forums, the pond scum of the internet then launch various attempts to break into accounts across the web and across many different services.

“We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time,” Mike Hearn, a Google security engineer explains in a blog post. “A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.”

Google has introduced a variety of security checks, based on risk analysis and 120 variables, to determine whether a sign-in is suspicious or at least worthy of being challenged. Risk factors include attempts to sign in from a new country, among many others. Users are challenged to supply a phone number associated with the account, or the answer to a pre-agreed security question, before they are allowed access to Google accounts.
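The two mechanisms described above, a sliding-window rate check that spots one source trying many distinct accounts, and a per-sign-in risk score that turns a correct password into a challenge rather than an allow, can be sketched in a few dozen lines. The code below is an added illustration, not Google’s code or anything from the article: the signals (new country, new device), their weights, the 50-accounts-in-10-seconds threshold, the user profiles and the sign-in events are all constructed assumptions.

```python
"""Risk-scored sign-in decisions plus credential-stuffing rate detection.

Added example; not Google's implementation. All weights, thresholds and the
sample events are assumptions chosen to make the logic visible.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class SignIn:
    ts: float          # event time, epoch seconds
    user: str
    src_ip: str
    country: str       # assumed already geolocated from src_ip
    device_id: str     # browser/device cookie identifier
    password_ok: bool


# Constructed per-user history (stand-in for a real profile store).
PROFILES = {
    "alice": {"countries": {"GB"}, "devices": {"dev-a1"}},
    "bob":   {"countries": {"US"}, "devices": {"dev-b1"}},
}
CHALLENGE_THRESHOLD = 40   # assumed: a score at or above this triggers a challenge


def risk_score(ev: SignIn, profile: dict) -> tuple[int, list[str]]:
    """Sum a couple of illustrative risk signals; a real system weighs far more."""
    score, reasons = 0, []
    if ev.country not in profile["countries"]:
        score += 40
        reasons.append("new_country")
    if ev.device_id not in profile["devices"]:
        score += 25
        reasons.append("new_device")
    return score, reasons


class StuffingDetector:
    """Flag a source IP that attempts many *distinct* accounts inside a short window.

    Counting distinct accounts (not raw attempts) separates credential stuffing
    from a single user repeatedly mistyping their own password.
    """

    def __init__(self, window_s: float = 10.0, max_accounts: int = 50):
        self.window_s = window_s
        self.max_accounts = max_accounts
        self._events = defaultdict(deque)   # src_ip -> deque of (ts, user)
        self.flagged = set()

    def observe(self, ev: SignIn) -> bool:
        q = self._events[ev.src_ip]
        q.append((ev.ts, ev.user))
        while q and ev.ts - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        if len({u for _, u in q}) > self.max_accounts:
            self.flagged.add(ev.src_ip)
        return ev.src_ip in self.flagged


def decide(ev: SignIn, detector: StuffingDetector, profiles=PROFILES) -> tuple[str, list[str]]:
    """Return (action, reasons): a correct password alone does not guarantee 'allow'."""
    stuffing = detector.observe(ev)
    if not ev.password_ok:
        return "deny", ["bad_password"] + (["stuffing_source"] if stuffing else [])
    score, reasons = risk_score(ev, profiles.get(ev.user, {"countries": set(), "devices": set()}))
    if stuffing:                     # right password, but from a source seen spraying accounts
        score += 50
        reasons.append("stuffing_source")
    return ("challenge" if score >= CHALLENGE_THRESHOLD else "allow"), reasons


def run_sample() -> list[tuple[str, list[str]]]:
    """Constructed event stream: a normal login, a risky one, a stuffing burst, then a
    correct-password login from the stuffing source."""
    det = StuffingDetector()
    events = [
        SignIn(10.0, "alice", "198.51.100.5", "GB", "dev-a1", True),
        SignIn(20.0, "alice", "192.0.2.9", "RU", "dev-x9", True),
    ]
    # 60 distinct accounts sprayed from one IP within six seconds, all wrong passwords.
    events += [SignIn(100.0 + 0.1 * i, f"u{i:03d}", "203.0.113.7", "US", f"d{i}", False)
               for i in range(60)]
    events.append(SignIn(107.0, "bob", "203.0.113.7", "US", "dev-b1", True))
    return [decide(ev, det) for ev in events]


if __name__ == "__main__":
    for action, why in run_sample():
        print(action, why)
```

The last event is the point of the exercise: bob’s password is correct and nothing about the country or device is new, yet the login is challenged because the source address was flagged for spraying accounts moments earlier.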

“These questions are normally hard for a hijacker to solve, but are easy for the real owner,” Hearn reports. “Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 per cent since the peak of these hijacking attempts in 2011.”

This is a massive win for internet hygiene and privacy, but it’s worth remembering that no one knows the number of account hijacks to begin with – the Y axis of Google’s graph is blank – and a gigantic reduction in the number is still scant consolation to anyone whose account has been hijacked. Also, the majority of successful hijacks are probably pulled off by shady state-sponsored types looking to break into the email accounts of journalists, human rights activists or business executives rather than ordinary spammers, 419 fraudsters or other ne’er-do-wells.

Google’s commendable efforts are certainly no reason for complacency. Users can play a role in protecting their own Google accounts by making sure they use a strong (hard-to-guess) password that they avoid reusing on other sites.

Upgrading accounts to use two-step verification, by associating accounts with a mobile phone number, as well as updating account recovery options to include a secondary email address, also help to make Google accounts more secure – and easier to recover if anything goes wrong. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/21/google_account_hijack_clampdown/

Mobile dev site: We never knew about Facebook, Apple hacks

Mobile developer website iPhoneDevSDK says it was completely unaware of its own involvement in a recent online attack that compromised Macs at Facebook, Apple, and other companies – that is, not until its admins read about it in the tech press on Wednesday morning.

“As the most widely read dedicated iOS developer forum, we’re targeted for attacks frequently,” iPhoneDevSDK administrator Ian Sefferman wrote in a blog post on Wednesday.

Despite knowing this, however – and despite the fact that the security world has been abuzz about the attack on Facebook and others since February 15 – Sefferman says he first learned about iPhoneDevSDK’s involvement in the incident from an article at AllThingsD that morning.

Prior to that, Sefferman says neither Facebook, nor law enforcement, nor any other company had attempted to contact iPhoneDevSDK about the issue.

Upon hearing the news, Sefferman says he immediately got in touch with Facebook to find out what it knew about the attack, and that iPhoneDevSDK has been working with Zuck’s security bods ever since.

From what Sefferman has been able to determine on his end, the attackers managed to compromise a single iPhoneDevSDK admin account, which allowed them to inject JavaScript code into the site’s templates to trigger the exploit.

To be precise, the JavaScript code targeted a vulnerability in the Java browser plug-in, one of a series of such flaws that have been discovered by security researchers – and, unfortunately, a few miscreants – in recent months.

The iPhoneDevSDK attack was unusual, however, in that it involved malware that specifically targeted OS X. Macs aren’t usually singled out for such attacks, owing to Apple’s relatively small share of the global PC market.

The fact that Macs were the target in this case suggests that the attackers were aware that iPhoneDevSDK was a site for iOS developers and that they crafted their exploits accordingly. Security firm F-Secure has even suggested that iOS developers were themselves the true targets, and that the attackers were hoping to gain access to their workstations to insert malicious code into their mobile apps.

But if that was the attackers’ true aim, how close they came to accomplishing it is not clear. As was the case with Facebook earlier, Sefferman said he believes no user data was compromised, but that iPhoneDevSDK’s administrators have reset the password of every account anyway, just to be safe.

Apple and Oracle have also since patched the Java vulnerability that made the Mac exploit possible, though Cupertino’s fix lagged somewhat behind Oracle’s.

For his part, Sefferman isn’t wrong when he says iPhoneDevSDK is a frequent target of attacks. According to the site’s forums, the last major incident was as recent as July 2012, and the time before that was in November 2011. In each case, web browsers and search engines flagged the site as a dangerous malware distributor.

Sefferman says these earlier incidents prompted the site to switch from vBulletin forum software to Vanilla Forums, which he claims is much more secure. He says he believes the Vanilla Forums software had nothing to do with the attack that affected Facebook and others; rather, one weak password seems to have been to blame.

“We’re still trying to determine the exploit’s exact timeline and details, but it appears as though it was ended (by the hacker) on January 30, 2013,” Sefferman said, adding that iPhoneDevSDK is still working with Facebook, law enforcement, and “other targeted companies” to track down the culprits.

The Reg has reached out to Facebook to inquire as to why iPhoneDevSDK was not contacted sooner about the issue, but the only response so far has been conspicuous silence. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/21/iphonedevsdk_hack_involvement/

BlackBerry squashes W-TIFF-F bug that’s ripe for malware squirters

BlackBerry has patched a security vulnerability that allowed hackers to run malicious code on systems running its BlackBerry Enterprise Server (BES) software.

The bug, rated as “high severity”, is triggered by specially crafted TIFF image files that reach BES as users visit webpages, receive emails and exchange instant messages.

BlackBerry has supplied an update, which it warns must be applied not only to prevent hackers from squirting malicious code onto messaging servers, but also to block potential attempts by miscreants to harness the vulnerability as a means to hack into corporate networks:

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone.

Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server.

Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

The vulnerability affects messaging servers and not BlackBerry smartphones. The Canadian firm said it had not received any reports of attacks targeting its corporate customers, so there’s no need to press the panic button.

Although there’s no reason to believe that the flaw has been exploited by baddies, the security bug is nonetheless significant because of its potential for damage against what’s traditionally (and with good reason) been regarded as a secure corporate messaging platform, deployed by government and security-sensitive businesses worldwide.

A malicious hacker could create a booby-trapped TIFF image file and either trick a BlackBerry smartphone user into visiting a webpage hosting the image, or embed the malicious image directly into an email or instant message in order to run an attack against vulnerable BlackBerry Enterprise Server (BES) systems. Victims don’t even need to be tricked into opening a dodgy TIFF file. Just scrolling over an image embedded within a booby-trapped email would be enough to trigger an assault. Such an attack might take the form of an attempt to crash vulnerable message servers or an attempt to run malicious code.

Although the vulnerability is limited to BlackBerry Enterprise Servers running any version below BES 5.0.4 MR2, it does suggest that the days of regarding all images as essentially safe may be numbered, according to security experts.

“This is a bit of a twist on normal exploitation simply because the malicious code is actually inside of an image, something that hasn’t really been done before,” notes Fred Touchette, senior security analyst at AppRiver, in a blog post entitled A Picture Is Worth a Thousand Exploits. “Sure, attackers have used executables that pretend to be images, or hide malicious URLs behind image links, but they haven’t been able to use the image itself before now.”

Touchette agrees with Graham Cluley of Sophos that the vulnerability is a “serious concern” that needs to be patched sooner rather than later, to guard against possible targeted attacks and corporate espionage based on the vulnerability, which has now become general knowledge.

Corporates can’t always interrupt normal operations to apply patches without testing and planned downtime, of course, in which case applying BlackBerry’s suggested workarounds is a useful precaution. These workarounds involve either replacing the vulnerable image.dll handler or blocking inline image handling. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/20/blackbery_squashes_image_peril/

Rid yourself of Adobe: New Firefox 19.0 gets JAVASCRIPT PDF viewer

Mozilla’s Firefox web browser now includes a built-in PDF viewer – allowing users to bin plugins from Adobe and other developers.

The move to run third-party PDF file readers out of town comes after security holes were discovered in closed-source add-ons from FoxIt and Adobe. The new built-in document viewer is open source, just like Firefox, and is written in JavaScript.

Image: Mozilla’s new PDF viewer, no plugins (credit Mozilla). Caption: No plugin required to peek at this portable-document-format file.

The web browser’s PDF.js emerged as a beta version in January, and yesterday was added to the mainstream build of Firefox, specifically the new version 19.0. There’s more on the HTML5 and JavaScript used to create the PDF reader right here.

As an upside of using HTML5 and JavaScript, the viewer is multi-platform and works across PCs, tablets and mobile phones – it should also work in other web browsers.

“Not only do most PDFs load and render quickly, they run securely and have an interface that feels at home in the browser,” Mozilla’s bods added, apparently comfortable that their new PDF.js tool has fewer security issues than Adobe’s well-established plugin. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/20/mozilla_pdf_view_html5_javascript/

Ad-titan Google blocks Adblock Plus in Android security tweak

The maker of Adblock Plus is upset its users must jump through hoops to get its advert-banishing app working on devices running Android – the mobile OS made by advertising giant Google.

The complaint follows moves by Google that made it more difficult for Google Chrome users to use Adblock Plus as a browser extension.

The Android app no longer works out of the box on non-rooted devices running Android 4.1.2 or 4.2.2. Instead it shows a warning box telling users they must manually configure a proxy server: that’s because the app works by routing web traffic through a server running on the handheld that filters out websites’ adverts before they appear in a browser.

But Google took the position that there is a significant security risk in allowing software to automatically redirect web connections in this manner. The internet giant has now fenced off proxy configuration because malicious programs can use it to intercept users’ data and endanger their privacy.

It’s this change that’s stopping the app from working unless the user gets busy in the device’s proxy settings to allow the app to receive web traffic.

The ad-blocking firm flagged up the drawbacks to the update on the official Android OS development site. Meanwhile Adblock Plus has published a workaround allowing users to continue using its software.

But the suggested solution is an eight-stage process, as illustrated in this guide for Galaxy S3 smartphone owners.

Till Faida, co-founder of the Adblock Plus project, told El Reg: “We are not opposed to the fix per se. We just think Google shouldn’t deliberately break any functionality when fixing something. That’s why we are hoping Google will not ignore the issue we have created on the Google code forums and provide a solution that addresses security concerns and still respects user’s choices.”

In Chrome land, Google changed the way users could search for its web browser’s apps, and since Adblock Plus was established as an extension, the utility stopped appearing when users looked for apps. Adblock Plus switched to offering a Chrome app on 12 December, only for Google to take it down 12 hours later. The software’s maker accused Google of singling out the utility, which we’re told has been downloaded 190 million times for Firefox, for unfavourable treatment – and cast the Android security tweaks as the latest skirmish in a long-running battle.

Google is yet to respond to a request from El Reg to expand on the thinking behind its Android security update. We’ll update this story as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/20/google_adblock_plus/

Apple FINALLY fills gaping Java hole that pwned its own devs

Apple has patched a Java security hole that was exploited by hackers to infect its own developers, their counterparts at Facebook and scores of other companies using Mac OS X machines.

The vulnerability allowed miscreants to execute their malicious code outside of the limited and supposedly secure sandbox each downloaded web applet runs in, in effect granting wider access to the underlying system. The escaped software has the same level of privileges as the logged-in user but often that’s enough to compromise the box’s security.

Attackers were able to use this hole to infiltrate computers at Apple, Facebook and others using Mac-compatible malware. That’s according to Apple insiders speaking to Reuters in an unprecedented admission of security weaknesses at the iPhone maker, which until the last year or so all but dismissed malware as a Windows-only problem.

Specifically, Facebook and Apple were pwned after their employees visited iPhoneDevSDK.com – a website popular with mobile developers that had been booby-trapped with code to exploit the unpatched Java security hole and install a load of spyware. Reuters reports that the hack attack against Twitter earlier this month has also been linked to the same Java zero-day vulnerability.

Twitter recently admitted it suffered a network security breach that exposed the login credentials of 250,000 early adopters of the social network, but it didn’t say how it happened beyond advising everyone to turn off Java in their browser.

All indications are that the Java browser plugin was the gateway to victims’ machines for whichever hacking group pulled off the attacks against Apple and Facebook. Their identity remains elusive.

Bloomberg is quoting sources who say it might be Eastern European hackers while Reuters’ sources are more inclined to blame China. The motive of the attackers remains unclear.

Apple’s Tuesday update aligns the version of Java it supplies with Oracle’s latest patch*, which was formally released yesterday as scheduled after an emergency update earlier this month.

“[It’s a] bit of a pity that the Fruity Ones didn’t do this back at the beginning of February, when Oracle’s emergency ‘pre-Patch-Tuesday’ update came out to fix the hole that Apple is only now closing off,” notes Paul Ducklin of Sophos in a blog post.

The fact that Java security releases from Apple arrived weeks after Oracle’s updates was a massive factor in the spread of the Flashback botnet last year. The malware infected over 500,000 Macs, forming a zombie network that included 274 bots traced back to Cupertino, California, home of Apple’s HQ. This time around the window of Java vulnerability extended for less than three weeks instead of two months, but the overall fallout from the delay in pushing out a patch is arguably even more toxic.

Apple released a malware removal tool for Java alongside its Java security update on Tuesday. But to use the malware removal tool you have to install Java and this is perhaps not the best idea especially since the language has become a prime target for hacking attacks of late, as Sean Sullivan of security software firm F-Secure notes.

Meanwhile, three of the five components of Oracle’s latest Java security update, also released on Tuesday, hit the maximum security peril rating of 10.

All five of the security vulnerabilities resolved in the latest Java update might lend themselves to remote exploitation. The critical patch update released on Tuesday includes all fixes provided in an emergency update for Oracle Java SE published at the start of February plus an additional five fixes. Oracle has scheduled its next Java SE (Java Platform, Standard Edition) critical patch update for 16 April. Java 7 Update 13 and earlier as well as Java 6 Update 39 and earlier need updating. ®

* Apple maintains Java 6 for the Mac, Java 7 is maintained directly by Oracle and Mac users need to go to Oracle to install Java 7, as explained in a blog post by Wolfgang Kandek, CTO at Qualys, here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/20/apple_java_omnishambles/

VMware promises better security, considers scheduled patches

VMware is thinking about emitting security patches on a fixed schedule, instead of its current just-in-time regime.

The virtualisation giant revealed its thinking in a post for VMware user group members, 1,700 of whom it surveyed for their thoughts on the company’s security practices.

The results found “an almost even split between those in favor of a schedule vs. those wanting patches released immediately as they are available,” leading VMware to respond with a plan to “conduct some follow-up calls to gather more data to see whether it makes sense for us to stay with our current process or whether we should further evaluate moving to a regular schedule.”

The post also says many respondents “requested more detailed information in Security Advisories to help with risk assessments”. VMware agreed, saying “we need to provide more detail in our VMware Security Advisories (VMSAs). Your insightful feedback will help the VMware Security Response Center (VSRC) focus on the most important areas in which to improve our VMSAs in 2013.”

The survey also found that two thirds of respondents “Have established maintenance policies, schedules and are generally up to date with security patches (no more than 4 patches behind).”

VMware’s response is that “While we are encouraged that two thirds of respondents are keeping up with security updates, we would like to increase that amount,” which sounds eminently sensible.

The company is therefore “considering some initiatives to increase awareness of security updates, as well as the potential for product improvements to reduce the burden of keeping up to date on security.”

The company also sees the need to do better for the two thirds of respondents who “protect their vSphere management networks, primarily using VLANs” as it would “like this protection to be higher; therefore, we will investigate ways to make this best practice guidance more visible in product documentation.”

The survey comes on the heels of a recent security scare that saw VMware patch a flaw that allowed malicious users to adjust settings in a virtual machine, a privilege usually only offered to hypervisor admins.

A representative of anti-virus vendor AVG recently opined to Vulture South that this incident is likely a precursor to a wave of attacks directed at hypervisors. The spokesperson had no evidence for that assumption, but if the consumer-grade security industry’s FUD-flingers are starting to talk down virtualisation it seems a fine time for VMware and other virty vendors to get their houses in order. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/20/vmware_security_survey/

Apple and world HACKED by Facebook plunderers

Apple, Facebook and “hundreds of other companies” have had their Mac computers hacked in a sophisticated campaign mounted by an unknown adversary.

Attackers were able to infect Apple, along with other businesses around the world with Mac malware delivered via a Java zero-day vulnerability, Reuters reported on Tuesday, after receiving information from a source at Apple.

The hack used the same Java zero-day and associated Mac malware as the one which Facebook disclosed last week, the Apple source indicated.

Hundreds of companies, including defense contractors, have been infected with the same malicious software, the source said.

“This is the first really big attack on Macs,” Reuters’s source said. “Apple has more on its hands than the attack on itself.”

Apple plans to release a software tool to detect and remove the Java-related malware, the company said in a statement to AllThingsD. Java has not shipped with Macs since the release of OS X Lion.

The Mac malware could have been used to deliver a backdoor onto the computers via the installation of an SSH Daemon, allowing hackers to remotely control parts of the affected system, Finnish virus experts F-Secure indicated in a blog post on Monday.

At the time, they classed the Facebook hack as a “watering hole” attack, which sought to target Facebook users by infecting the company behind the social network.

With the revelations from Apple, it appears the attack could have been part of a widespread hacking campaign against various companies including Facebook and Twitter as well.

At the time of writing Google had not responded to queries about whether it had also been targeted, and Microsoft declined to comment.

The news comes alongside the release of a report on Tuesday that linked the Chinese People’s Liberation Army to hackers that have been mounting a “Cold War” style campaign against Western companies.

The report implicated the PLA in a variety of major hacking campaigns that have occurred over the past few years, including 2011’s RSA hack that compromised SecurID encryption tokens. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/19/apple_hacked/

Chinese PLA soldiers ‘mastermind cyber-espionage Cold War’

Chinese military spies, holed up in ho-hum Shanghai tower blocks surrounded by restaurants and massage parlours, have siphoned hundreds of terabytes of data from computers at scores of US corporations.

We’re assured that, rather than being a work of fiction, this is the conclusion of a new study by Mandiant that claims a unit of China’s People’s Liberation Army is masterminding a state-sponsored cyber-espionage hub.

The security consultancy published its report [PDF] today, and linked PLA unit 61398* to hackers who apparently infiltrated American businesses in sectors from high-tech to energy.

The electronic intrusions were allegedly carried out by a group dubbed an advanced persistent threat (APT) and previously codenamed by Western experts as APT1 or the Comment Crew**. Mandiant blamed APT1 for a campaign of espionage waged against 141 corporations in 20 industries since 2006, and accused the team of swiping hundreds of terabytes in data.

Mandiant doesn’t name the supposedly attacked firms, but other reports suggest these include Coca-Cola, RSA Security and Telvent, a firm that supplies power grid control systems and smart meters.

“In seeking to identify the organisation behind this activity, our research found that People’s Liberation Army unit 61398 is similar to APT1 in its mission, capabilities, and resources,” Mandiant wrote in its report. “PLA unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.”

More precisely, according to Mandiant, unit 61398 is housed in a series of nondescript tower blocks on Datong Road in Gaoqiaozhen, in the Pudong New Area of Shanghai, that were built in 2007. The buildings were pictured in a front-page story by the New York Times on Mandiant’s research; the newspaper said China’s alleged cyber-espionage hub is surrounded by diners, massage parlours and a wine importer.

According to a US intelligence agency assessment quoted by the NYT, digital-espionage agents operating in China are either handled by army officers or are contractors working for outfits such as unit 61398. The NYT hired Mandiant to investigate a high-profile breach of the paper’s network security, which the consultants concluded was the work of a Chinese APT group. A US spook grilled by the NYT said Mandiant’s report was consistent with the American government’s own analysis.

The charges that China is carrying out international electronic espionage on an industrial scale are, of course, years old, but Mandiant’s 60-page study is a fascinating read because it goes into considerable detail.

Mandiant claimed APT1 is just one of 20 computer spying crews in operation in China, and is among dozens it is tracking worldwide. APT1’s handiwork is partially identifiable, we’re told, because its members use distinct hacking tools, techniques and resources not used by other groups. Mandiant claimed:

Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures).

According to the security consultancy, the group’s modus operandi involves gaining access to networks using spear-phishing messages and custom-built malware. It then revisits compromised systems over time to copy intellectual property including technology blueprints, documentation of manufacturing processes, test results, business plans, partnership agreements, emails and contact lists of senior execs.

The industries APT1 targets match industries that China has identified as strategic to its growth.

A video compiled by Mandiant, apparently showing APT1’s attacks and intrusions as they happened, was published alongside the report.

Some of those allegedly involved in the corporate spying were personally identifiable because they skirted around the Great Firewall of China to log into Twitter and Facebook accounts.

Malware used in APT-style attacks was apparently created by a character called UglyGorilla, who first appeared on a Chinese military forum in 2004 to ask whether China was planning a response to the formation of a US cyberspace command. The user then appeared years later on IP addresses linked to unit 61398.

Another person called DOTA created email accounts that were used to plant malware from IP addresses also associated with unit 61398’s network. And confirmation messages to set up those mail accounts were sent to a mobile phone number provided by a Shanghai-based operator.

A third person, who uses the nickname SuperHard, was allegedly involved in creating the AURIGA and BANGAT malware families used by APT1. According to Mandiant the trio are soldiers in a unit of dozens if not hundreds of personnel that targets the English-speaking world from IP addresses registered in Shanghai and systems configured to use the simplified Chinese language.

Mandiant also revealed domain names, IP addresses and MD5 hashes of malware associated with APT1. The release includes 13 X.509 encryption certificates used by the team.

The security consultancy concluded: “Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise-scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission, or APT1 is Unit 61398.”

The Chinese government has angrily dismissed the latest charges as another round of China bashing. Officials dismissed Mandiant’s APT1 report as “groundless”, the Asian nation’s official news agency Xinhua reported.

“Groundless criticism is irresponsible and unprofessional, and it will not help to solve the problem,” said Foreign Ministry spokesman Hong Lei, adding that China has also been a victim of cyber-attacks and reiterating the need for international cooperation in addressing the problem.

Mandiant’s detailed and well-written report was well received in security circles. About the only substantive criticism comes from a cogently argued blog post by Jeffrey Carr, who claimed that Mandiant failed to take into account that multiple states, not just China, are engaged in this activity. Mandiant did not consider and rule out competing hypotheses on the identity of the hackers, according to Carr. ®

* Unit 61398 was otherwise known as the 2nd Bureau of the People’s Liberation Army’s General Staff Department’s 3rd Department.

** The Comment Crew earned its nickname from its habit of embedding hidden code or comments in web pages.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/19/china_apt_report_mandiant/