Corporate Security and Chinese Hacking – Lessons from the 2013 Mandiant Report on Chinese Espionage

In 2013 a report was published that shined a light on sophisticated hacker techniques and how they have been successfully used in the real world.  I’m referring to the Mandiant report called “APT1 Exposing One of China’s Cyber Espionage Units.”  It’s a great report that shows how a foreign government used both common and advanced techniques to pillage corporate databases.  Given that corporate espionage costs billions of dollars every year this report got my attention. When a threat is as well funded, planned, and executed as this one was it gets labeled as an “Advanced Persistent Threat” (APT).  This report looks at one particularly aggressive group affiliated with the Chinese military that it calls “APT1”.  Even when one excludes the political and diplomatic implications of such a sensitive topic, the report is still a great read for its detailed examination of how all the dirty work gets done. I think hackers and curious minds everywhere should read it over and see what can be learned from it.  In this article I’ll summarize the findings of the report and offer some suggestions companies (and individuals too) can take to improve their security.

Cyber espionage is a growing problem in the modern world.  Malicious cyber activity spans many different areas, but this article will focus primarily on the theft of intellectual property.  Specifically it will focus on incidents that have occurred between the United States and the People’s Republic of China.  Public awareness of cyber espionage has been increasing in recent years and with good reason.  Intellectual property (IP) theft costs the US hundreds of billions of dollars per year and a significant amount of that loss can be attributed to one country – China.  In fact, “China is the world’s largest source of IP theft.” (Huntsman Jr, et al., 2013)   To put the scale of IP theft in perspective one must consider the important role IP plays in the US economy.  The US economy is innovation driven and successful innovation requires that copyrights be respected and that innovators are rewarded for their efforts.  According to a coalition of CEOs in the technology field over 33% of the $15 trillion US economy relies on innovation, and innovation intensive industries create over 18% of all jobs.  “An annual loss of hundreds of billions of dollars of stolen IP—the very lifeblood of America’s innovation economy—is indeed extraordinary, especially to a still-recovering U.S. economy.” (Huntsman Jr, et al., 2013)  When IP theft involves American defense contractors national security can be compromised.  The latest literature on this topic shows that the Chinese government is actively involved in this kind of cyber espionage.

It should be noted that the focus of this analysis is on so-called cyber-exploitation, not cyber-attacks.  For purposes of this article a cyber-attack is:

“…the use of deliberate actions and operations – perhaps over an extended period of time – to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and (or) programs resident in or transiting these systems or networks.   Such effects on adversary systems and networks may also have indirect effects on entities coupled to or reliant on them. A cyber-attack seeks to cause the adversary’s computer systems and networks to be unavailable or untrustworthy and therefore less useful to the adversary.” (Lin, 2010)

In contrast, cyber-exploitation can be defined as “… the use of actions and operations – perhaps over an extended period of time – to obtain information that would otherwise be kept confidential and is resident on or transiting through an adversary’s computer systems or networks.” (Lin, 2010)  It may be easiest to think of cyber-attacks as actions designed to cause direct harm to an entity while cyber-exploitation refers to data gathering or theft without causing harm.  Of course the same vulnerabilities and security weaknesses that are exploited to gather intelligence could also be used to launch destructive attacks should an adversary choose to do so.  At present it appears the US and China are engaged in full scale cyber-exploitation or spying rather than damaging cyber-attacks which could be construed as an act of war.

Motivations and Scope

A major purpose of these cyber spying operations is to obtain sensitive industrial data from corporate networks.  China is by no means the only country engaged in cyber espionage, but they do stand out from the rest of the pack.  “For almost all categories of IP theft, currently available evidence and studies suggest that between 50% and 80% of the problem, both globally and in the United States, can be traced back to China.” (Huntsman Jr, et al., 2013)  This is due mainly to a national desire to be a world leader in technology – an economic super power that can one day rival the United States.  China’s 12th Five-Year Plan focuses on the upgrading of certain economic sectors such as energy, automobiles, IT Infrastructure, and biotechnology.  (KPMG, 2011)  It also focuses heavily on high-tech manufacturing, nuclear technology, and development of new composite materials.  Achieving this technological leadership means acquiring Western technology through both legal and illegal means.  In fact, foreign IP theft by government entities and businesses is encouraged by industrial policy in China. (Huntsman Jr, et al., 2013)  IP theft can allow China to leapfrog ahead of where it would otherwise be technologically and save millions in research cost in the process.

First, a little overview of how Chinese hacking has impacted US companies, particularly companies in the defense industry.  In the age of the Internet, cyber spying stands out as a goldmine of information acquisition.  The volume of attacks attributed to China has reached such a high level that the US government considers it a threat to economic competitiveness.  Industries hacked include those involved in energy, finance, aerospace, information technology and automobiles.  Intellectual Property theft targets a variety of technological areas including defense and military technology.  In 2009, it is believed that Chinese hackers stole token related technology from security company RSA which was later used to hack into Lockheed Martin’s computer network. (Nakashima, 2013)  Indeed, Lockheed Martin may have lost information related to the newest stealth fighter, which could jeopardize lives and cost millions of dollars.  One defense contractor, QinetiQ, was reportedly infiltrated and took little action to stop it even after repeated warnings from NASA and the NCIS.  The network was compromised at every level for almost a year.  As a result, investigators said that terabytes of data, including classified information relating to military robotics, drones and the Army’s helicopter fleet, including PIN codes that could now be used to identify helicopters’ deployment and combat-readiness, were stolen. (Schwartz, 2013)  The data lost could compromise Army helicopters around the world.  QinetiQ also gave up classified information related to satellite programs. Unfortunately, QinetiQ is not the only company that has been victimized by such attacks:

“QinetiQ was only one target in a broader cyber-pillage. Beginning at least as early as 2007, Chinese computer spies raided the databanks of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets, according to two former Pentagon officials who asked not to be named because damage assessments of the incidents remain classified.” (Elgin, 2013)

It is more than a little disturbing that the national security of the United States could be at risk from such security breaches.  Many of the security breaches are downplayed by companies worried about their public image.  However, the more such security breaches are kept hidden the harder it will be to force companies to take security more seriously.  Due to the persistent nature and broad scope of such attacks one former Bush Administration official feared we could find that some of America’s most critical and expensive weapons technologies will fail to perform in a military conflict with China.  While the Chinese government denies engaging in computer hacking, evidence to the contrary is mounting.  The report by Mandiant stands out as one of the most well documented reports to date linking economic cyber espionage directly to the Chinese military.  While the amount of public information related to IP theft and hacking could literally fill volumes of books, the Mandiant report deserves special attention because it consolidates the hacking problem into one coherent and well documented report.

The actor known as APT1 is believed to be the 2nd Bureau of the People’s Liberation Army Unit 61398.  This elite unit recruits those with the background necessary to conduct hacking operations against English speaking countries.  In addition to English language proficiency the recruits for this group are also skilled in highly technical areas of information technology including computer security.  The unit receives large scale fiber optic infrastructure support from China Telecom which cites its importance in protecting national security.  The data stolen by this unit since 2006 is measured in terabytes and over 140 companies are known to have been targeted.  The attacks are continuous and widespread over a range of industries.  Once a target was successfully attacked the unit would maintain a continued presence on the network for almost a year on average.  The information targeted is highly technical and confidential – system designs, test results, business plans, manufacturing procedures, management e-mails, network architecture information and user credentials.  (Mandiant, 2013)

Anatomy Of An Attack

This kind of cyber espionage requires the exploitation of vulnerabilities in existing computer systems and networks.  Vulnerabilities can range from unpatched software to zero day exploits to social engineering.  Not surprisingly, people appear to be the weak link that the Chinese are exploiting the most.  Spear phishing is APT1’s most commonly used technique.  Why spear phish?  Because spear phishing works!  The methods used to perpetrate these attacks are a textbook lesson in computer security and hacking.  Unlike many spear phishing e-mails their e-mails use proper English to the point that it can fool well educated targets.  They even incorporate American slang to an extent.  The e-mails originate from free webmail accounts and contain infected attachments or hyperlinks to infected sites.  When someone clicks on the attachment or link the malicious spyware is loaded onto their computer.  Many of the malicious attachments used by APT1 have been zip files.  This shows the importance of not randomly opening executable files from unknown sources.  Once the zip file is opened a user may see what appears to be an Adobe PDF file.  However, the file is actually malware complete with an Adobe PDF icon.  Most users won’t look carefully enough at the file extension to see the .exe at the end.
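
A mail gateway or triage script can catch the ".exe behind a PDF name" lure described above before a user ever sees the icon. The following is an added example, not code from the Mandiant report or the original article: the extension lists and file names are constructed assumptions, and it goes slightly beyond the text by also flagging names padded with spaces before the real extension.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this sketch; tune them to your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_member(name):
    """Return 'ok', 'executable' or 'masquerade' for one archive member name."""
    base = PurePosixPath(name.replace("\\", "/")).name
    # Strip each dot-separated part so "a.pdf      .exe" is read as "a.pdf.exe".
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 2:
        return "ok"
    if "." + parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Executable whose second-to-last extension imitates a document type.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "masquerade"
    return "executable"


def scan_zip(data):
    """List (member name, verdict) for risky members without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            verdict = classify_member(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip():
    """Constructed attachment: harmless placeholder bytes under lure-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in ("readme.txt", "Q3_forecast.pdf.exe",
                     "invoice.pdf      .scr", "tools/setup.exe", "slides.pdf"):
            archive.writestr(name, b"constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict:11} {name!r}")
```

Only the member names are inspected, so the check is safe to run on untrusted attachments; a "masquerade" verdict is a strong reason to quarantine the message rather than deliver it.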

Once the malware is opened it installs a backdoor on the victim’s machine.  The backdoor is very useful to the attacker because it allows an outbound communication back to the malware’s command and control (C2) server.  These outbound communications are easier to get past a firewall than an inbound connection.  The malware can send data back to the command and control servers or download additional malware.  Multiple kinds of malware were used in the APT1 attacks.  In fact, Appendix C of the Mandiant report (which details the malware used) is 153 pages long.  Another indicator of the sophistication of the attacks (and likely government involvement) is that most of the malware was custom made to conduct these cyber-exploitation attacks.  Mandiant actually categorizes the malware into sections – reconnaissance prior to the attack, establish foothold and maintain presence, and complete the mission.  A beachhead backdoor will establish a presence on the compromised system, gather system information, and lay the groundwork for additional malware.  For example, it might open a Windows command shell, download and execute a file, and then sleep until time to be used again.  This type of backdoor would likely be hidden in one of the initial spear phishing e-mails sent to a target computer.  Once an attacker is in the system other backdoors will be created and kept hidden – ready to be used if others are found and eliminated.  This can make the network compromise persistent.  One variant of this malware called WEBC2 can download HTML pages from a C2 server and look for special commands hidden between special HTML tags.  After installation, the standard backdoors will begin doing most of the cyber espionage.  The methods of exploitation include uploading and downloading files, taking screen shots of the victim’s computer, logging keystrokes, creating or modifying programs, altering the registry, stealing passwords, identifying users, and even establishing remote desktop interfaces.  (Mandiant, 2013)   These backdoors will try to mimic routine network traffic in order to avoid detection.  They may use names like “MACROMAIL” and “CALENDAR” to blend in.

As part of a standard hacking methodology, the APT1 attackers will employ privilege escalation to gain access to sensitive files and directories.  They will dump hashed password files from the victim’s network using such publicly available tools as cachedump, fgdump, mimikatz, pass-the-hash toolkit and pwdump7.   Once they have the passwords they can use software to crack them.  With cracked passwords they can log on as privileged users and access even more data.  As the attackers gain greater access rights they can run basic Windows commands to explore the target systems.  The commands can be manually typed or run all at once as batch files.  These basic commands can yield important information about who is logged in, network configuration, domain information, accounts that exist on the network, which accounts have administrator privileges, and currently running system services.  At this point, the attackers can move laterally around the system gathering and stealing information. They will also install multiple backdoors so that if one is discovered and removed there will be another waiting to be used.  Once these attackers have stolen a user’s account name and password they can impersonate that user over the company’s VPN or webmail connections.  The group would also steal e-mail using GETMAIL and MAPIGET.  These utilities allowed them to steal e-mail from PST archives as well as directly off the MS Exchange servers.  As they mined the data, APT1 would archive it using the proprietary RAR format.  The archived files would be broken down into manageable 200 MB portions, encrypted, and sent back to the C2 servers.  By encrypting the data that is sent back they make it impossible for companies to know exactly what was stolen.

How can one be certain these attacks really originated in China?  Fortunately, Mandiant also provides documentation of the world-wide internet infrastructure used by APT1.  Mandiant could observe APT1 activity after it hit US servers and then trace it back to servers originating in China.  Although APT1 used various server hops in countries all over the world the attacks could be traced back to four major networks in Shanghai.  These hop points can make it appear that the attacks originate in countries other than China.  APT1 will create these hop points by compromising networks in various countries and then using them as launch pads for attacks against their ultimate objectives.  Incredibly, Mandiant was able to observe APT1 as it logged into some of its compromised hop points.  It captured 1,905 instances of these logins that utilized 832 different IP addresses of which 98.2% originated in China.  (Mandiant, 2013)  By capturing the IP address ranges from which the attacks originated, Mandiant could see that most of them were registered to China Unicom Shanghai Network.  The registration information even included contact information.  Because APT1 utilized Remote Desktop protocol they inadvertently disclosed details about themselves.  For instance, the keyboard layout was observed to be “Chinese (Simplified) — US Keyboard.”  The IP address originations and the keyboard layouts are good indications that the attacks originated in China by Chinese speakers.

APT1 also utilized C2 servers and DNS servers to facilitate the espionage.  Some of these C2 servers utilized by APT1 were examined.  709 of them were in China and 109 were found to be in the US.  These C2 servers used various protocols to facilitate the hacking – FTP for file transfer, web, RDP for remote control of a system, and HTran for proxy.  The DNS servers allowed APT1 to use Fully Qualified Domain Names (FQDNs) instead of hard coded IP addresses.  An IP address could be blocked or shut down, but by using a FQDN and reconfiguring the DNS servers APT1 could maintain their connections to compromised networks.  All that was necessary was for APT1 to point the FQDN to a new IP address. Some of the registration addresses have been found to be fraudulent.  Others had been hijacked.  In either case, APT1 has used the TCP/IP based internet infrastructure to establish a cyber-espionage architecture that is vast and persistent.
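
Because a blocked IP address can be replaced simply by re-pointing the FQDN, defenders need to pivot from blocked addresses to the names behind them. The following is an added example, not taken from the Mandiant report or the original article: the log format, host names and addresses are constructed placeholders (documentation ranges), and the blocklist is an assumption.

```python
from collections import defaultdict

# Constructed resolver log lines: "<epoch> <client> <fqdn> <answer-ip>"
SAMPLE_LOG = """\
1000 10.0.0.5 updates.example.net 203.0.113.10
1010 10.0.0.7 www.example.org 198.51.100.20
2000 10.0.0.5 updates.example.net 203.0.113.10
5000 10.0.0.5 updates.example.net 192.0.2.77
5100 10.0.0.9 updates.example.net 192.0.2.77
5200 10.0.0.7 www.example.org 198.51.100.20
"""

# Constructed IP blocklist: the address the firewall already denies.
BLOCKED_IPS = {"203.0.113.10"}


def parse_log(text):
    """Yield (timestamp, client, fqdn, answer) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        ts, client, fqdn, answer = fields
        yield int(ts), client, fqdn.lower().rstrip("."), answer


def find_repointed(records, blocked_ips):
    """Find names that resolved to a blocked IP and also resolve elsewhere.

    Returns {fqdn: {"new_ips": [...], "clients": [...]}} where new_ips are
    answers the IP blocklist does not cover and clients are the internal
    hosts that received those answers.
    """
    records = list(records)
    # Pass 1: any name ever seen pointing at a blocked address is suspect.
    suspect = {fqdn for _, _, fqdn, answer in records if answer in blocked_ips}
    # Pass 2: collect the answers for those names that the blocklist misses.
    new_ips = defaultdict(set)
    clients = defaultdict(set)
    for _, client, fqdn, answer in records:
        if fqdn in suspect and answer not in blocked_ips:
            new_ips[fqdn].add(answer)
            clients[fqdn].add(client)
    return {
        fqdn: {"new_ips": sorted(new_ips[fqdn]), "clients": sorted(clients[fqdn])}
        for fqdn in sorted(new_ips)
    }


if __name__ == "__main__":
    for fqdn, hit in find_repointed(parse_log(SAMPLE_LOG), BLOCKED_IPS).items():
        print(fqdn, "now resolves to", hit["new_ips"], "queried by", hit["clients"])
```

The output gives both the name to add to a DNS-level block and the internal clients still resolving it, which are the hosts to examine first.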

Common Sense Security

A strong corporate security policy cannot prevent all attacks, but it can make them much more difficult to conduct.  In fact, common sense security policies that are already standard practice in the IT community today could have prevented much of the theft that has occurred.  There is simply no reason for a business entity not to address the methods employed by APT1 when developing a security policy.

Business and government entities (especially those working on sensitive technologies) should conduct periodic reviews of their security landscape with an eye toward spotting vulnerabilities and unsecured access points.  These reviews should also look at employee training programs, current backup and disaster recovery procedures, change management policies, network architecture, firewall policies and rules, wireless access points, use of encryption, remote access, and other areas of vulnerability.  These reviews will help develop and maintain a comprehensive security policy that is implemented through strict corporate procedures.

The case of APT1 shows that poor decisions made by employees can open the door to cyber intrusion.  One of the simplest things a company can do to protect itself is to train employees in the basics of information security.  If you work in corporate security, train your employees not to click on unverified hyperlinks, to be suspicious of e-mails from outside the company, and not to open documents in e-mails that they are not expecting and from people they do not know.  They need to understand that e-mail addresses can be spoofed and that some attachments can be dangerous. If employees had been more vigilant about opening e-mail and clicking on links many of the attempts by APT1 to gain network access could have been prevented.  It is also fairly simple and inexpensive for a company to adopt strong password policies.  The stronger the password the less likely it is that it can be cracked using brute force attacks.  Also, by forcing employees to change their passwords every 90 days and preventing the re-use of old passwords hackers who have stolen a password will be kicked out of the system after the password expires.  Make sure employees know whom to contact if they do notice suspicious activity.  That way security has a chance to stop an attack before it can succeed.

Strong e-mail and spam filtering protocols should be implemented to prevent phishing e-mails from arriving in the first place.  It would also make sense to initiate policies that prevent employees from sending company files and data through unencrypted private e-mail accounts, especially free ones.  Corporate data should stay on the corporate network.  With good training, an employee should immediately be suspicious if a manager is sending attachments or links from a non-work related e-mail account.  Companies and government entities should also implement multi-factor authentication through the use of security tokens.  The tokens generate random numbers that are synchronized with a remote server and change at regular intervals (such as every 50 to 60 seconds).  When the employee attempts to log on he must type the randomly generated numbers into the logon screen.  If the numbers match what is on the remote server at that time he is allowed access.  In addition to the token generated numbers the employee should also have to provide a PIN number that only the employee knows.  That way a hacker who steals the token will still not be able to log in even if the logon ID and password are known.   In order to log on remotely the employee must have a user ID, password, PIN, and token generated random number.  This type of multifactor authentication should be used for remote VPN access as well as webmail access.
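
The server side of the token-plus-PIN check described above can be sketched as follows. This is an added example, not code from the original article or from any token vendor: it uses the open TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) as a stand-in for whatever algorithm a given hardware token implements, and the shared secret, PIN, salt and 60-second step are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code, within the interval range the article mentions
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, now, step=STEP):
    """RFC 6238: the HOTP counter is the number of whole time steps elapsed."""
    return hotp(secret, int(now) // step)


def hash_pin(pin, salt):
    """Store only a salted, slow hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenAccount:
    """Server-side record for one user's token (hypothetical class name)."""

    def __init__(self, secret, pin, salt):
        self.secret = secret
        self.salt = salt
        self.pin_hash = hash_pin(pin, salt)
        self.last_counter = -1   # highest time step already accepted

    def verify(self, pin, code, now, window=1):
        """Accept only a correct PIN plus a fresh, unused code.

        window tolerates clock drift of that many steps either side.
        """
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        current = int(now) // STEP
        matched = None
        for counter in range(max(0, current - window), current + window + 1):
            if counter <= self.last_counter:
                continue   # replay protection: each time step is single use
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = counter
        if pin_ok and matched is not None:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    # Constructed secret (the RFC test key), PIN and salt.
    acct = TokenAccount(b"12345678901234567890", "4821", b"constructed-salt")
    code = totp(acct.secret, 90)
    print("first use:", acct.verify("4821", code, 90))
    print("replayed :", acct.verify("4821", code, 95))
```

The replay check matters for the scenario in the article: a code captured by a keystroke logger is useless once the legitimate login has consumed that time step.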

Other standard security precautions all companies and individuals should take include maintaining up to date and effective patch management policies.  It should be assumed that all known software vulnerabilities will eventually be exploited so all software patches for both operating systems and applications should be applied regularly.  Antivirus definitions should be up to date and scans should be run regularly on the network and against all files downloaded from the internet.  Firms should use IDS and IPS systems both on the network and on individual hosts.  They should develop and enforce strong authentication protocols for VPNs and remote access.  To help prevent data loss laptops should have full disk encryption.  Companies should practice good wireless security by scanning for and shutting down rogue access points.  The latest wireless security protocols such as WPA2 should be mandatory.  The most sensitive parts of the network should be inaccessible to Wi-Fi devices.  They should also conduct frequent penetration tests against the network to highlight vulnerabilities.

I learned a lot about hacking and security from this report.  It should be of interest to hackers, security professionals and anyone else interested in keeping information safe in the modern world.

Bibliography

Elgin, M. R. (2013, May 02). China’s Cyberspies Outwit Model for Bond’s Q. Retrieved November 10, 2013, from Bloomberg: http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html

Huntsman Jr, J. M., Blair, D. C., Barrett, C. R., Lynn III, W. J., Gorton, S., Wince-Smith, D., et al. (2013). The Commission on the Theft of American Intellectual Property. United States of America: The National Bureau of Asian Research.

Mandiant. (2013). APT1 Exposing One of China’s Cyber Espionage Units. Alexandria, VA: Mandiant.

Nakashima, E. (2013, February 10). U.S. said to be target of massive cyber-espionage campaign. Retrieved November 8, 2013, from Washington Post: http://articles.washingtonpost.com/2013-02-10/world/37026024_1_cyber-espionage-national-counterintelligence-executive-trade-secrets

Schwartz, M. J. (2013, May 02). China Tied To 3-Year Hack Of Defense Contractor. Retrieved November 10, 2013, from Information Week Security: http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064

KPMG. (2011). China’s 12th Five-Year Plan (2011-2015) – KPMG Insight Series. Retrieved November 12, 2013, from KPMG : http://www.kpmg.com/cn/en/issuesandinsights/articlespublications/publicationseries/5-years-plan/pages/default.aspx

Lin, H. S. (2010). Offensive Cyber Operations and the Use of Force. Journal of National Security Law and Policy, 63-86.