Security Firm Warns of New Chinese Cyber Attacks

CrowdStrike: Russia, North Korea also engaged in cyber theft

Server farm / Flickr user Henrik Bennetsen
February 4, 2016

China’s cyber attacks against U.S. government and private sector databases are part of a major intelligence-gathering operation and are likely to continue, according to a new report by a cyber security firm.

Chinese hackers stole health care data pertaining to some 80 million Americans last year, and the Office of Personnel Management cyber attacks netted sensitive records on 22 million federal workers, according to an annual threat report made public Wednesday by CrowdStrike, a cyber security and intelligence company. The company is widely consulted by both government and private sector organizations.

The gathering of personal data by the Chinese represents a new trend in Beijing’s aggressive cyber attacks.

"This targeting underscores that intrusion operations associated with nation-states pose a significant risk to all data, no matter how uninteresting it may seem," the report said.

The 49-page "2015 Global Threat Report" also states that the U.S.-China agreement not to conduct commercial cyber theft has had little impact on Beijing’s cyber operations.

"Beneath the surface, however, China has not appeared to change its intentions where cyber is concerned," the report said.

Any reduction in Chinese cyber attacks this year likely will be temporary, and an apparent reduction may result from the use of more clandestine methods for conducting attacks following a major military reorganization.

The military changes "will likely increase [China’s] reliance on its civilian intelligence agencies and associated contractors, all of which generally employ better tradecraft," the report said.

"If observed campaigns in late 2015 were any indication, it is unlikely China will completely cease its cyber operations, and 2016 will show the new direction it is headed," the report said.

More cyber attacks seeking personal data could take place in the future, and organizations that hold such data "should remain alert to the possibility of similar activity going into 2016," the report said.

China’s cyber spies usually use cyber intrusions to steal strategic information, such as intellectual property, business operations data, and sensitive government documents.

Stolen personal data, on the other hand, "is typically used to facilitate identity theft or other types of financially motivated crimes," the report said.

However, the compromised personal information from health insurance companies Anthem, Premera, and CareFirst last year could be used by the government or state-run companies.

The large data theft also appears to be part of Chinese efforts to "build out profiles on individuals to support future operations."

The federal government data breaches were more damaging and included sensitive background investigation information on federal employees, the report said.

"Without doubt, access to this degree of [personally identifiable information] for both successful and unsuccessful applicants represents a treasure trove of information that may be exploited for counterintelligence purposes," the report said.

The Chinese can now exploit millions of stolen records for intelligence operations.

"Knowledge acquired during these operations could be used to create more individualized, and therefore more effective, spear phishing campaigns, or also in more traditional, real-world espionage activity," the report said, noting that the background investigation data "would be particularly useful to traditional [human intelligence] operations as it contains details of a very personal nature about current and former government employees, as well as private sector employees working on government contracts."

The Chinese government, through the Ministry of Public Security, has launched a major domestic campaign to crack down on online dissent. The Ministry is conducting cyber operations against people and websites that post information opposed by communist authorities, including use of an offensive cyber security force called the "Great Cannon," a supplement to the Great Firewall designed to block online users from accessing unapproved content.

In Russia, hackers linked to the government used malicious software for intelligence-gathering and for political coercion, such as against Ukraine. Moscow hackers also have conducted cyber reconnaissance—preparation of the cyber battlefield—in Europe and elsewhere.

"In February, widespread spear phishing … was detected and analyzed," the report said. "These attacks targeted numerous entities in government, defense, and non-governmental organizations (NGOs) in the U.S., Europe, Asia, and South America."

Russian hackers used stolen emails from a hack against the U.S. strategic consulting firm Stratfor, the report said, a tactic not typical of Russian hacking in the past.

International pressure on Moscow over its military activities, such as the annexation of Ukraine’s Crimea, "portend[s] increased intelligence collection by Russia-based adversaries particularly against regional targets and global energy companies," the report said.

A Russian cyber intelligence operation, dubbed Berserk Bear, targeted oil and gas companies in the Middle East. Another operation, called Fancy Bear, targeted Chinese defense firms.

One Russian hacker group called CyberBerkut operating in Ukraine appears linked to Russian intelligence services.

North Korean cyber activities last year principally involved intelligence-gathering operations directed against South Korea.

Pressure from China could prompt Pyongyang to take a more aggressive cyber posture. And North Korean cyber activities also could expand into criminal activities to raise money for the regime, the report said.

Iran is expected to step up cyber attacks against Saudi Arabia. Regional tensions "increase the likelihood that Iran would use its proven cyber capabilities in 2016, targeting Saudi Arabia and regional governments that are becoming involved in the two countries’ dispute by choosing to align with Saudi Arabia."

The report names more than 70 cyber adversaries and divides them into three types of attackers: targeted intruders such as nation-states, cyber criminals, and "hacktivists."

For cyber crime, attacks on banks and the use of ransom schemes increased during 2015.

"Phishing emails continued to dominate crimeware distribution throughout the year as the primary mechanism used for the aforementioned banking Trojans and ransomware threats," the report said.

So-called hacktivist activities included politically motivated cyber attacks by groups like the Syrian Electronic Army and pro-ISIS hackers.

Several pro-Iranian hacker groups also were active last year, including Parastoo, Remember EMAD, and SOBH Cyber Jihad.

The group Remember EMAD—named after the Hezbollah terrorist Imad Mughniyah who was killed in a Damascus car bomb in 2009—claimed to have penetrated Pentagon networks and then threatened to release stolen data. No data was ever released.

ISIS hacking was very active last year and included campaigns of web defacement, the release of personal data—known as "doxing"—and the hijacking of social media accounts.