Cyber-war trends: good, bad, and scary
The attention paid to Chinese cyberwarfare may be increasing, and warnings of doomsday from the government correspond to the new attention, but a new report from Mandiant, the company hired by The New York Times to cleanse their servers after a Chinese attack, suggests that, at long last, private companies are beginning to devote the resources required to fend off these deaths by a thousand cuts.
In the past, embarrassment, risk aversion, and a sense that if a state does it, our state has to respond to it, has prevented the development of cyber-defense best practices, even for companies that control big systems that touch our lives daily. In 2011, only 6 percent of Mandiant clients discovered a cyber intrusion on their own. In 2012, 37 percent discovered the intrusion before Mandiant set up a wall around their systems. Mandiant also says that the average time of the attack is down by about 40 percent, suggesting that counter-measures work as a deterrent. Still, fully two-thirds of attacked companies were not aware of it until an external source like Mandiant informed them about it.
At the same time, attacking techniques are getting more efficient. It's easier for attackers to map networks now. And it's easier to identify meaty morsels to steal or compromise.
Mandiant says that, according to its research, defense companies are the most frequent targets of APT1 — "Advanced Persistent Threat 1," which refers to a specific and controlled campaign of cyber espionage by a single military entity in China. Oil and gas and other energy companies are next, followed by financial institutions. The targeting of media has increased threefold, from 2 percent to 7 percent.
China has figured out that small companies with expensive secrets often outsource their information technology services to larger defense companies, and often will use the outsourced firm as a mechanism to get to their real target. General IT service providers are also used as a mechanism to infiltrate real targets. Indeed, Chinese hackers will often implant malware on the network and wait until a chance comes to compromise the intended target. This suggests a very high degree of coordination and planning.
Intelligence gathering is a hallmark of sophisticated Chinese hacking; the idea of network reconnaissance in the cyber world is analogous to what the CIA does in mapping out a terrorist network. Before acting, they spend months, if not years, figuring out the organizational chart, figuring out the vulnerabilities, looking for couriers and points of connection, and then attacking when their picture is of a high enough fidelity. Additionally, the correspondence between the technology stolen and the needs of Chinese industry is very close. Even when companies detect and rid themselves of the threat, Chinese hackers are likely to re-attack the same enterprise 40 percent of the time.
The most interesting part of Mandiant's report is what they have to say about the PLA unit that is likely responsible for the largest and most damaging cyber-intrusions: Unit 61398, which is organized as a discrete intelligence unit under the PLA's General Staff Department's 3rd Department, which is responsible for military intelligence. The New York Times has reported some of it, but Mandiant goes into more detail in their new report.
Mandiant has also decided to be helpful to companies it does not do business with. It's releasing what it knows about the Unit's techniques, which will give U.S. companies a better sense of how to defend against them. China will come up with new techniques, and the old ones will still work for a while, but the open-sourcing of this information will benefit everyone. It hardens the target, assuming that Americans take it seriously.