China blamed for multi-continent cyberspying caper in 2011
For six months in 2011, cyberspies infiltrated, undetected, at least 20 commercial and industrial organizations on three continents, states a new report by a US-based cybersecurity firm. Investigators name China as 'most logical' benefactor.
Within 32 hours of the legislation being submitted to Congress, a US group involved in lobbying for TAMA's passage was hit with a "spear-phishing" attack – an e-mail that appeared to be from a senior official within the organization to another employee. The e-mail had an attachment purportedly related to TAMA.
But instead of opening it, the employee alerted Cyber Squared, which soon discovered a Trojan horse program buried inside the attachment that would have created a digital "back door" for spies to enter the network. From there, investigators traced the attacker back to a computer server in the US – and from there to servers in China.
Both the TAMA incident and other related compromises were "most likely the result of a Chinese state-sanctioned or sponsored exploitation campaign ... acting on behalf of an unknown Chinese benefactor who would strategically benefit from persistent network access and stolen information," the report found.
The attackers, operating from within China, compromised computer server infrastructure in the US and routed their activity through it, both to mask the real source of the attacks and to blend in while operating inside the global networks of their victims.
Interestingly, the initial attack did not employ particularly advanced techniques, the investigators concluded. The attacker created an e-mail address with a popular US webmail service that closely resembled the name of a senior executive within the targeted organization. After that, a message was sent containing a link to a website that directed the victim to download a malicious file.
But the "spear-phishing" e-mail aimed at a key person was poorly constructed, with a simple link to an encrypted file containing a customized Trojan horse program that created the "back door." Crude, perhaps, yet good enough to evade these organizations' antivirus programs for six months: a signature scanner at the mail gateway cannot inspect the contents of an encrypted file, so the payload is only exposed once the recipient decrypts and opens it.
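The lure described above rests on a lookalike: a free webmail address whose display name or local part matches a senior executive, sent to a staffer who is expected to trust that name. The check below is an added example, not code from the Cyber Squared report or from the organizations involved; it parses a handful of constructed message headers and flags senders that borrow an executive's name from outside the executive's own domain, with a second flag when the sending domain is a public webmail provider and a third when Reply-To diverges from From. The executive roster, the webmail domain list and the sample headers are all assumptions made up for illustration.

```python
"""Flag executive-impersonation senders in raw e-mail headers.

Added example for illustration; not from the article or the report it cites.
The roster, domain list and sample headers below are constructed.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Hypothetical internal roster: executive display name -> the domain their
# real mail comes from. In practice this is fed from a directory export.
EXECUTIVES = {
    "Jane Doe": "example.org",
}

# Constructed list of public webmail domains; extend from your own telemetry.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}


def name_tokens(text):
    """Lower-case alphabetic tokens of a display name, e.g. 'Jane Doe' -> ['jane', 'doe']."""
    return re.sub(r"[^a-z ]", " ", text.lower()).split()


def analyze_headers(raw_headers):
    """Return a list of reasons the message looks like executive impersonation.

    An empty list means none of the checks fired.
    """
    msg = HeaderParser().parsestr(raw_headers)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    reasons = []

    for exec_name, exec_domain in EXECUTIVES.items():
        tokens = set(name_tokens(exec_name))
        if not tokens:
            continue
        # The lure can carry the name in the display name ("Jane Doe <...>")
        # or only in the mailbox itself ("janedoe@webmail"); check both.
        name_in_display = tokens <= set(name_tokens(display))
        name_in_local = all(t in local for t in tokens)
        if (name_in_display or name_in_local) and domain != exec_domain:
            reasons.append(
                f"executive name {exec_name!r} used by <{addr}> outside {exec_domain}"
            )
            if domain in FREEMAIL_DOMAINS:
                reasons.append(f"sender domain {domain} is public webmail")

    # A Reply-To that differs from From steers replies to the attacker's mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    return reasons


# Constructed sample headers: one lookalike lure, one lure hiding the name in
# the mailbox only, and one legitimate internal message.
SAMPLE_LURE = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "Reply-To: janedoe.office@yahoo.com\n"
    "To: staff@example.org\n"
    "Subject: TAMA draft for review\n"
)
SAMPLE_LOCAL_ONLY = (
    "From: janedoe@yahoo.com\n"
    "To: staff@example.org\n"
    "Subject: Fwd: bill text\n"
)
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example.org>\n"
    "To: staff@example.org\n"
    "Subject: Board agenda\n"
)

if __name__ == "__main__":
    for label, sample in [("lure", SAMPLE_LURE), ("local-only", SAMPLE_LOCAL_ONLY), ("legit", SAMPLE_LEGIT)]:
        print(label, analyze_headers(sample) or ["clean"])
```

The check is deliberately narrow. It catches the pattern the report describes, a borrowed name on an outside mailbox, and says nothing about the attachment or link; that part belongs in detonation or endpoint tooling, which is where an encrypted payload first becomes inspectable.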
Although all of the infiltrated organizations identified under Project Enlightenment were notified of the intrusion, it's probable that – because of the many variants and options available to the attacker – the cyberspies are still present inside those organizations' networks, Cyber Squared officials say.
"We are currently tracking the threat and they are still very active," Mr. Vincent writes in an e-mail.
It's a finding that would not surprise US officials banging the drum about this threat. China is stealing a "great deal" of intellectual property from the defense industry and other companies, Gen. Keith Alexander, head of US Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee in March.
"I can't go into the specifics here, but we do see [thefts] from defense industrial base companies," said General Alexander. "We need to make it more difficult for the Chinese to do what they're doing."
An e-mailed query to the Chinese Embassy about the Cyber Squared report had not been answered by late Thursday. China routinely denies accusations like those made in the Project Enlightenment report. Chinese officials, for instance, took umbrage at a report released last November by the Office of the National Counterintelligence Executive that named China as a major cyberespionage threat to US industrial and technology secrets.
"China's rapid development and prosperity are attributed to its sound national development strategy and the Chinese people's hard work, as well as China's ever enhanced economic and trade cooperation with other countries that benefits all," Wang Baodong, a Chinese Embassy spokesman, wrote at the time in an e-mail responding to a Monitor query about the US study.
"Willfully making unwarranted accusation against China is irresponsible," he continued. "We are against such demonization effort as firmly as our opposition to any forms of unlawful cyberspace activities."