Foreign government hackers are continuing to target U.S. government and private sector computer networks in sophisticated cyber attacks, the FBI warned in an alert sent this week.
"Advanced Persistent Threat (APT) cyber actors continue to target sensitive information stored on U.S. commercial and government networks through cyber espionage," the FBI said in the May 11 notice.
The term "APT actor" is a euphemism for state-sponsored or highly sophisticated cyber attackers, usually involving connections to foreign militaries or intelligence services.
Two cyber security researchers who examined the FBI notice listing details of the cyber attacks said the tactics appeared similar to those used in the past by Chinese hackers, including the suspects behind the massive theft of records on 22 million federal workers from the Office of Personnel Management.
The FBI listed seven major Internet server software types hacked in the past year, including two Adobe ColdFusion security flaws. ColdFusion software is used with large databases.
Other attacks involved Apache Tomcat, JBoss, and Cacti, software used for remote data logging. Drupal servers used to operate a large number of websites around the world, including corporate and government sites, also were compromised. Joomla content-management software also was compromised, the FBI said.
A seventh compromise affected Oracle’s E-Business Suite software, used for customer management and supply-chain management.
State-sponsored hackers exploited vulnerabilities in all seven types of software, and "some of these vulnerabilities are also exploited by cyber criminals in addition to state-sponsored operators," the FBI said.
"The compromises were [used] to build infrastructure and for exploitation," the notice states.
Only two of the compromises took place last year, an indication that software patches applied last year to close entry holes have not stopped the attacks and that older vulnerabilities continue to be used by cyber spies, the notice says.
The FBI warned network administrators to engage in "proactive patch management" as the main line of defense for protecting publicly accessible computer servers from attack.
One indicator that China may have been behind the cyber espionage was the use of spear-phishing emails containing links to documents or compromised systems.
The technique is said to be a favorite of Chinese military hackers, including those part of Shanghai-based Unit 61398 that has been traced to widespread cyber attacks against U.S. government and private networks over the past several years.
"A general consensus is it is Chinese [tactics, techniques and procedures]," said one security researcher, who spoke on condition of anonymity.
The FBI said the recent government-sponsored hacking continued to use fraudulent emails to lure unsuspecting users into providing remote computer access. The hackers also were able to navigate widely once inside a network.
"Previous spear-phish emails sent by these actors contained decoy documents, such as a U.S. letter fax test page and an office monkeys video," the notice states.
"Once on computer networks, the actors utilizing these exploits are extremely adept at lateral movement through the enterprise, to include the ability to gain administrative access, including domain-level access, within a short time frame."
Like the hackers linked to OPM attack, the recent hackers also used a program called Mimikatz for "credential harvesting" from remote users. Another program called LogonUI allowed the hackers to maintain their presence inside a hacked network.
Additionally, the hackers used public data storage sites for storing the stolen data and delivering malware, including Google Drive, Microsoft OneDrive, and Dropbox.
In a relatively new technique, the hackers used a Tor software called Meek that allows online users to evade detection and tracking and also to hide data theft.
If the recent cyber espionage is confirmed as Chinese in origin, it would be a setback for the Obama administration.
The administration was set to impose sanctions on Chinese hackers in September in respond to Beijing’s role in the large-scale OPM data theft.
However, the sanctions were dropped during the summit in Washington in exchange for a pledge from Chinese leader Xi Jinping to halt cyber economic espionage.
A White House National Security Council spokesman had no immediate comment.
Senior U.S. intelligence officials, including Director of National Intelligence James Clapper and Cyber Command commander Adm. Mike Rogers, told Congress earlier this year they could not confirm China had halted the practice of stealing data through cyber espionage.
Clapper said in March it "remains to be seen" whether China will halt cyber spying.
Contrary to the Xi pledge, however, Rogers said, "cyber operations from China are still targeting and exploiting U.S. government, defense industry, academic, and private computer networks." The comments were made in prepared testimony to a House Armed Services subcommittee on March 16.
Missile Defense Agency Director Vice Adm. James Syring also told a House hearing May 14 that Chinese military cyber attacks on his agency’s networks were a daily occurrence.
"My biggest concern remains in our cleared defense contractor base and their protections," Syring said.
China’s cyber espionage and attack operations have included compromises of major U.S. weapons systems, including the F-35 and F-22 jet fighters, the B-2 stealth bomber, and the space-based laser.
A National Security Agency document made public by former contractor Edward Snowden revealed that the Chinese stole radar design and engine schematics for the new F-35.
FBI spokeswoman Nora Scheland declined to comment on the alert but said the FBI routinely advises private industry on various cyber threat indicators gained from investigations.