Chinese Cyberespionage: Brazen, Prolific, And Persistent

Published: 22/11/2024   Category: security




New research from multiple sources illustrates dominant role of China in cyberespionage



China, China, China: New data and intelligence is shedding more light on just how bold and pervasive Chinese cyberespionage activity is today.
Tracing malware and breaches to their attackers is not straightforward -- anyone can hide behind layers of IP addresses -- but China has been confirmed as a major player in cyberespionage in multiple reports this month, as both Verizon and FireEye have independently released data that points the finger at the country for the bulk of cyberspying activity. And even after Mandiant's exhaustive report on a long-suspected Chinese military link to cyberespionage against U.S. firms was published in February, the APT1/Comment Crew gang behind that operation appears to be back in action despite the publicity the report drew.
The APT1/Comment Crew appears to have done little to change its tactics and methods of attack even after it was unmasked with key intelligence from Mandiant.
"I was personally part of the camp that thought these guys would change significantly after the Mandiant report was published," says Rich Barger, chief intelligence officer with Cyber Squared, which last week unveiled new evidence of the group targeting the defense and aerospace community using many of the same techniques and command-and-control (C&C) capabilities as before.
"It's not to say that there [may be] other activity they are conducting which is different as night and day. But in this instance, I was surprised that the change was so minimal ... Unless the left hand is showing us some of the old ways whereas the right hand is doing new stuff we're not seeing," Barger says.
Chinese cyberespionage actors accounted for 96 percent of the targeted espionage attacks in Verizon's new Data Breach Investigations Report, which covers attacks investigated in 2012. And one-fifth of all of the breaches in the Verizon report were Chinese cyberespionage cases.
FireEye, meanwhile, found that the bulk of infected machines phoning home to attackers do so with advanced persistent threat tools used or developed by Chinese cyberspies: nearly 90 percent of the callback activity it observed, most of it involving the Chinese-born Gh0st RAT.
"While other attackers in other countries have access to many of those same tools and likely are using them as well, it demonstrates what a mark Chinese cyberespionage attackers have made in hacking. Their footprint is definitely there, and it's very large," says Rob Rachwald, director of market research at FireEye.
Rachwald says he's surprised other nations didn't make a bigger dent in cyberespionage in the Verizon report, but it may just be a matter of volume: "It makes sense to some extent. Volume is the game for [China]. They do some sophisticated things, but it's all about attack volume," he says. "They go after a company very intensively for a several-week period, with a very heavy spearphishing attack ... It makes sense that they would appear in so many attacks because they spend a lot of time with it."
[Mandiant calls out People's Liberation Army Unit 61398 as the APT1 group responsible for cyberspying against multiple industries; Dell SecureWorks discovers new victims of APT1, aka the Comment Crew or Comment Group. See "Chinese Military Tied To Major Cyberespionage Operation".]
The infamous APT1/Comment Crew cyberespionage group went quiet for a few weeks, Rachwald says, after the Mandiant report came out, which included indicators of compromise for organizations and forensics investigators to use.
But Cyber Squared spotted new activity from the group this month, as it launched a convincing spearphishing campaign using this week's NDIA MODSIM Aerospace and Defense conference in Hampton, Va., as a lure.
While much of the group's operations appears intact, with no significant retooling of its technologies or C&C architecture, Barger says his team detected some subtle, simple changes. "The command strings were different in the C&C communication," he says, and the crypto used within the string had been altered.
"They also used free dynamic DNS services versus self-registered domains for this attack campaign," he says.
Otherwise, the malware was the same, as was its use of HTML command tags, he says. "There was not a drastic change, but they modified some of the things that were easier to change. That got them back in the game quicker," he says. "To recompile some of this code and test it may have taken a couple of hours of their time, tops," he says.
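The two traits Barger describes, commands carried in HTML tags and C&C hostnames under free dynamic DNS providers, are cheap for the attacker to keep and cheap for a defender to look for. The script below is an added example, not code from the article, Cyber Squared or FireEye: it triages constructed proxy-log records (hostname plus the HTTP body returned) for those two traits. The provider suffix list, the assumption that the embedded command is a base64 token inside an HTML comment, and the sample records are all assumptions made for the example; the real APT1 encoding is not described on the page.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed suffixes of free dynamic DNS providers (illustrative list, not from
# the article); anything under them is treated as a dynamic DNS C&C host.
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.org", "no-ip.biz", "zapto.org", "3322.org")

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Assumption: an embedded command string is a base64 token of 16+ characters
# with no spaces, which ordinary developer comments almost never are.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


@dataclass
class Finding:
    host: str
    reason: str   # "dyndns-c2" or "html-comment-command"
    detail: str   # the host, or the decoded/raw comment payload


def is_dyndns_host(host: str) -> bool:
    """True if host equals or sits below one of the dynamic DNS suffixes."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


def comment_payloads(body: str) -> List[str]:
    """Return HTML comment contents that look like encoded command strings."""
    return [m.group(1).strip() for m in HTML_COMMENT.finditer(body)
            if B64_TOKEN.match(m.group(1).strip())]


def decode_payload(token: str) -> Optional[str]:
    """Strict base64 decode; None if padding/charset is wrong or not ASCII."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def triage(callbacks: List[Tuple[str, str]]) -> List[Finding]:
    """callbacks: (hostname, response body) pairs pulled from a proxy log."""
    findings: List[Finding] = []
    for host, body in callbacks:
        if is_dyndns_host(host):
            findings.append(Finding(host, "dyndns-c2", host))
        for tok in comment_payloads(body):
            decoded = decode_payload(tok)
            # Keep the raw token when it does not decode: still worth a look.
            findings.append(Finding(host, "html-comment-command",
                                    decoded if decoded is not None else tok))
    return findings


def _b64(cmd: bytes) -> str:
    return base64.b64encode(cmd).decode("ascii")


# Constructed sample records (not real traffic): one benign page, one
# dynamic DNS host serving an embedded command, one ordinary host doing the same.
SAMPLE_CALLBACKS = [
    ("update.example-corp.com",
     "<html><!-- page footer v2 --><body>ok</body></html>"),
    ("mirror.zapto.org",
     "<html><head><!-- " + _b64(b"sleep 300;getfile") + " --></head></html>"),
    ("cdn.example.net",
     "<html><!-- " + _b64(b"cmd:whoami;sleep 60") + " --><body></body></html>"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CALLBACKS):
        print(f"{f.reason:22} {f.host:26} {f.detail}")
```

Two points on the design: the suffix check is done on label boundaries so that a lookalike such as "no-ip.org.example.com" is not flagged, and the comment filter deliberately keys on the shape of the payload rather than any specific string, since the article's whole point is that the strings changed while the hiding place did not.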
Chinese cyberespionage actors don't need to change their methods, and they don't even really need to hide, he says. "They can maintain their current level of survivability and operate behind the noise of us as a community scratching our chin and observing, saying, 'Why do we have this problem,' while meanwhile, everything is moving out the back door."
Meanwhile, the U.S. is the favorite home-away-from-home for C&C servers receiving calls from Chinese RAT tools, according to FireEye's data. "Given that the majority of victims of those attacks are based in the U.S., it is clear that attackers are housing CnC servers in the same country as their targets in order to help avoid raising suspicions," the FireEye report said.
