China is notorious for its cyber attacks on companies for commercial gain. But is China the only culprit, which sectors are being targeted and how can companies protect themselves from powerful nation-states?
Tim Ring
Aug 4, 2014: The fear of economic cyber espionage is now so great that companies rate cyber security as one of the top three global business risks, according to Lloyd’s of London, along with high taxation and loss of customers.
The worst-case scenario is that your business could, without you knowing it, be targeted by a rogue nation-state that infiltrates your corporate computers, siphons off your IP and confidential data on a massive scale, and passes it on to competitors. And one country’s name stands out above all others in this nightmare scenario: China.
In the last quarter alone, security researchers have disclosed cyber attacks from China against international shipping, logistics and manufacturing companies, US and European satellite, aerospace and communications companies, Japanese and European telecoms companies, and specific targets like Boeing and Lockheed Martin.
But the precise scale and nature of the threat became most clear on May 19 when, in an unprecedented move, five officers from the Chinese People’s Liberation Army (PLA) were indicted by a US court on 31 charges of hacking, economic espionage and stealing trade secrets, dating back to 2006.
The victims were American companies across a number of industries, and the beneficiaries were all state-owned Chinese enterprises. The accusations – vehemently denied by China – help to explain how, and why, businesses are targeted:
* In 2010, Sun Kailiang, an officer in Unit 61398 of the Third Department of the PLA, hacked US power plant manufacturer Westinghouse to steal technical and design specifications for power plant pipes and related products. At the time, Westinghouse was building four plants in China and negotiating terms of the construction with a Chinese state-owned enterprise (SOE), including technology transfers.
* In 2008, Sun Kailiang sent a “spear-phishing” email (a plausible fake message containing hidden ‘malware’) to US aluminium producer Alcoa that resulted in thousands of email messages and attachments being siphoned from Alcoa’s computers, including internal discussions concerning its partnership with a Chinese SOE.
* In 2012, another Chinese army officer, Wen Xinyu, stole thousands of computer files from US solar energy supplier SolarWorld, the charges say. The theft happened just as the US Commerce Department ruled that Chinese solar product manufacturers had ‘dumped’ products into US markets at prices below fair value. The stolen data included cashflow, costs and production line data, and privileged attorney-client communications relating to ongoing trade litigation. “Such information would have enabled a Chinese competitor to target SolarWorld’s business operations aggressively from a variety of angles,” say the charges.
China not alone
The evidence shows that businesses are being deliberately targeted by government hackers in search of specific types of IP and data, to gain commercial advantage and sometimes improve their negotiating position.
But is the threat limited to China? The answer is: no.
While every developed country spies on other nations, the US insists that (unlike China) it draws the line at infiltrating foreign firms and passing what it finds to its own companies.
Yet in claiming this moral high ground, White House spokeswoman, Caitlin M Hayden, revealed that it is not just China who fail to reciprocate: “We do not give intelligence we collect to US companies to enhance their international competitiveness or increase their bottom line. Many countries cannot say the same,” she told the New York Times in March.
Paul Simmonds, founder of the international Jericho Forum, which aims to improve companies’ information security, agrees: “As much as we like to name and shame China, everyone is involved. Every major power is doing it to some extent,” he said.
Simmonds believes even the US may be culpable, pointing to a recent report by Glenn Greenwald, a journalist close to whistleblower Edward Snowden, which revealed that America’s NSA intelligence agency routinely planted ‘spyware’ in internet routers and servers before they were shipped to international customers – potentially allowing the US to hack industrial companies across the globe.
But Dmitri Alperovitch, co-founder and CTO of CrowdStrike, a US cyber security firm which specialises in tracking advanced attacks, is adamant the threat is limited to China and a few other nation-state attackers – who, unlike China, tend to target specific industry sectors.
Alperovitch singles out Russia (attacking primarily energy firms, oil & gas, nuclear), India (financial and legal firms), Iran (so far reconnaissance-only attacks on energy companies) and even France who have “traditionally not shied away from economic espionage; we have seen some activity in the aerospace sector from French actors”.
He also points out there is a dramatically different scale of threat between China and the rest. Attacks from China since 2005 have numbered in the tens of thousands, he said. From other countries – dozens.
“China is not the only player but they are by far the largest,” he said. “It’s literally orders of magnitude difference.”
Chinese hackers have hit a wide range of industries, he says, including energy, manufacturing, high-tech, environmental sciences, solar power, nuclear energy, finance (primarily M&A banking divisions of financial institutions); as well as law firms who hold confidential data on clients spanning many industries and typically have “very little security so they are the soft underbelly”.
Jen Weedon, principal threat intelligence analyst at Mandiant, another well-known pursuer of state cyber criminals, agrees with Alperovitch’s take: “In terms of economic espionage, China is vastly ahead of everybody else in the quantity of their activity,” she says.
Weedon also tops up the list of industries being hacked: “We’re seeing more and more utilities, energy companies and pharmaceutical/healthcare companies targeted. We’re also seeing financial companies get targeted not for financial theft but for information related to their business processes – information that might allow other people doing trading platforms and things like that to replicate business processes.”
Out of patience
In the face of this persistent Chinese cyber threat to business, America has abandoned tact and quiet diplomacy. Along with the ‘naming and shaming’ court indictments in May, both President Obama and US Secretary of State John Kerry have raised the issue publicly. On a July 9-11 visit to China, Kerry spoke of the country’s cyber attacks having a “chilling effect” on business innovation and investment.
Despite that, there is little optimism that China, and others, will moderate their activity.
There is “absolutely no sign” of change, Alperovitch said. “It’s no longer the art of war with China, it’s the art of denial. So far they have issued blanket statements saying China does not hack in the face of overwhelming evidence to the contrary. The Chinese have just rejected all accusations and basically tried to shut down discussions.”
Weedon agrees: “There’s been no appreciable difference in activity from China since the indictments and these dialogues that we’ve noticed. Maybe in the long term it might start to shift, but because this activity is so institutionalised it’s not easy just to stop on a dime.”
So with little prospect of change, what can companies do to protect themselves?
Instead of simply installing swathes of security hardware and software, Alperovitch suggests businesses need to use ‘threat intelligence’ (detailed knowledge of attackers, their likely targets and methods).
“In this day and age you can’t just defend yourself against everything and everyone. You need intelligence on who they are, how they operate, what information do they want,” he says.
“That’s probably the biggest shift in mindset that we’re seeing – the use of intelligence to look out for specific attackers who are likely to go after you, based on your business and based on the intellectual property that you’re going to have.”
Paul Simmonds puts less faith in current security approaches. “What we’re doing at the moment is horribly broken. Basically your systems are wide open,” he says. “But you can do one thing right now: you have to start encrypting your data. Then if someone accesses your data, guess what, it’s totally useless to them because it’s encrypted.
“That’s a do-it-today. For me that’s better than any magic thing sitting there sniffing my traffic, trying to detect strange packets coming in from China.”
But Jen Weedon only partially backs this advice: “If you are out and about and have disks or devices that are mobile or removable, then you should encrypt the files on it is as it adds that extra layer of security,” she says.
“But having a business encrypt all of the information on all of its servers in its environment may not be a feasible solution. Encrypting all these files can lead to your business being affected (for example, by complicating nimble communications or operations) which could outweigh the overall boost to security for many businesses. Ultimately it is a risk/reward calculus that each business must do for itself.”
Currently then, there are few glimmers of hope for companies who, armed with inadequate security shields, stand against what remains a powerful and apparently unrelenting economic cyber espionage threat.