Chinese Hacking: Ineptitude, Confusion

Monday, February 9, 2015 @ 09:02 AM gHale

By Richard Sale
Chinese hackers are a little engine that knows no rest.

And in light of new developments uncovered by ISSSource, because of lax intrusion detection, poor reporting by Defense Department (DoD) contractors, company inattentiveness and old fashioned politics, Chinese hackers are continuing their marauding ways and infiltrating systems and learning more details from the military industrial complex every day.

“China has engaged in a sustained investment in technology for thirty years while U.S. investments in science have too often come in fits and starts and been driven by fads,” said James Lewis, senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies. We can find a new example of the “fits and starts” approach to security and examine its causes.


When it comes to security for defense-related contractors, there is an impression of strength, but the reality is a bit more suspect.

Relating that impression to the manufacturing automation sector, while security awareness has increased substantially over the past few years, actual programs put into action remain on the back burner. But attacks, discovered or surreptitious, continue.

ISSSource reviewed a Senate report and dug into the supporting documents, and the outcome is dismaying. The documents reveal a curious lack of thinking things through.

The success of Chinese hackers is not due to their keen deftness and skill, but is often the result of ineptitude of some U.S. companies, Lewis said.

“Verizon each year does a survey that concludes that more than 80 percent of corporate-network penetrations required only the most basic techniques, such as sending a bogus email with an infected attachment, and most breaches went undetected for months – another sign of lax security,” Lewis said. “One more sign: They were usually discovered by an outsider rather than the victimized company.” He added that breaches go undiscovered for an average of three months.

In other words, China is succeeding not because of their great skill and awareness, but because we are not putting up proper defenses to thwart them. It isn’t difficult to pilfer a safe if it has no locks; it isn’t difficult to burgle a house if it has no doors.

Citing the recent national uproar over the Sony Entertainment breach by North Korea, Lewis added that Sony had used the word “password” as an administrative “key” when it was first hacked in September; the breach was not detected until November. Sony declined to comment.

As we publish, several U.S. states are investigating a massive cyberattack on No. 2 U.S. health insurer Anthem Inc. that a person familiar with the matter said is being examined for possible ties to China. The most startling fact is that the data were not encrypted, according to last week’s The Wall Street Journal.

A Case Study
In April of 2013, the Senate Armed Services Committee began a probe into Chinese military hackers who had successfully breached the systems of several transportation companies that do sensitive work for the U.S. military. Its findings, entitled “Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors,” were released last September, and the results have deep strategic implications.

U.S. Transportation Command, or TRANSCOM, the single manager of America’s global defense transportation system, is entrusted with the coordination of people and transportation systems to allow the U.S. to sustain forces, whenever, wherever, and for as long as they are needed, according to its press releases.

TRANSCOM is a little-recognized but vital U.S. military asset: It has the ability to tap civilian air, shipping and other transportation assets to rapidly deploy U.S. forces in times of crisis. Through programs such as the Civil Reserve Air Fleet (CRAF), commercial transportation companies (some of which do little or no CRAF-related business in peacetime), become key elements of TRANSCOM’s plans for moving troops and equipment around the world.

The Senate committee found in a 12-month period beginning June 1, 2012, there were about 50 intrusions or other cyber events into the computer networks of TRANSCOM contractors. At least 20 of those were successful intrusions that involved “advanced persistent threats (APTs),” a term used to designate sophisticated threats. In an APT intrusion, malware finds a way into a system, persists while it learns how the system operates, and sends intelligence back to a command and control server. APTs are a common attack method employed by nation states or very sophisticated attack organizations.
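The one observable an implant cannot avoid is the callback to its command and control server, and on a busy network it is easiest to spot by its regularity rather than its destination. The script below is an added example written for this page, not code from the Senate report, TRANSCOM or any contractor: it groups proxy-log connections by source and destination, measures the jitter of the inter-arrival gaps, and flags pairs that call home on a near-fixed schedule. The log format, hosts, addresses and timestamps are constructed for the demo, and the jitter threshold and minimum connection count are assumptions to be tuned per environment.

```python
"""Flag periodic outbound callbacks (C2 beaconing) in proxy log lines.

Added example for this page; not from the Senate report or any vendor tool.
The log format and every host, address and timestamp below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy log: "<ISO timestamp> <src-ip> <dst-host>", one per line.
# 10.1.1.20 contacts updates.example-cdn.net every ~5 minutes (the beacon);
# everything else is irregular user browsing.
SAMPLE_LOG = """\
2015-02-02T08:00:00 10.1.1.20 updates.example-cdn.net
2015-02-02T08:00:03 10.1.1.20 www.example.com
2015-02-02T08:05:01 10.1.1.20 updates.example-cdn.net
2015-02-02T08:10:00 10.1.1.20 updates.example-cdn.net
2015-02-02T08:12:44 10.1.1.20 mail.example.com
2015-02-02T08:15:02 10.1.1.20 updates.example-cdn.net
2015-02-02T08:20:01 10.1.1.20 updates.example-cdn.net
2015-02-02T08:25:00 10.1.1.20 updates.example-cdn.net
2015-02-02T08:30:01 10.1.1.20 updates.example-cdn.net
2015-02-02T08:31:17 10.1.1.20 www.example.com
2015-02-02T08:35:00 10.1.1.20 updates.example-cdn.net
2015-02-02T08:02:10 10.1.1.21 www.example.com
2015-02-02T08:19:48 10.1.1.21 www.example.com
2015-02-02T08:22:05 10.1.1.21 www.example.com
2015-02-02T08:47:30 10.1.1.21 www.example.com
2015-02-02T09:03:12 10.1.1.21 www.example.com
2015-02-02T09:04:40 10.1.1.21 www.example.com
"""


def parse_log(text):
    """Group connection timestamps by (src, dst); malformed lines are skipped."""
    conns = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        try:
            conns[(src, dst)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue
    return conns


def beacon_score(timestamps, min_conns=5):
    """Return (median_gap_seconds, jitter_ratio), or None if too few samples.

    jitter_ratio is stdev/mean of the inter-arrival gaps: close to 0 means the
    connections fire like clockwork, which human browsing never does.
    """
    if len(timestamps) < min_conns:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:  # duplicate timestamps only; nothing to measure
        return None
    return median(gaps), pstdev(gaps) / avg


def find_beacons(text, max_jitter=0.1, min_conns=5):
    """Return [(src, dst, median_gap, jitter)] for pairs that look like beacons.

    max_jitter and min_conns are assumed starting points, not vendor defaults.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_conns)
        if score is None:
            continue
        gap, jitter = score
        if jitter <= max_jitter:
            hits.append((src, dst, gap, round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: callback every ~{gap:.0f}s, jitter {jitter}")
```

Run against the sample, only the 10.1.1.20 to updates.example-cdn.net pair is reported, with a median gap of 299 seconds and jitter near zero; the user browsing from 10.1.1.21 has gaps ranging from under two minutes to over twenty and is ignored. Real implants add deliberate jitter, so in practice the threshold is raised and the check is combined with destination reputation and payload-size constancy, but a contractor with any such logic in place would not need an outsider to tell it, months later, that a host had been calling home.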

Other highlights of the study included, a Chinese military intrusion into a TRANSCOM contractor between 2008 and 2010 that compromised emails, documents, user passwords and computer code; a 2010 intrusion by the Chinese military into the network of a CRAF contractor in which documents, flight details, credentials and passwords for encrypted email were stolen; and a 2012 Chinese military intrusion into multiple systems onboard a commercial ship contracted by TRANSCOM.

TRANSCOM relies on a network of large and small private companies and is one of nine unified commands of the U.S. Defense Department. The organization’s knowledge of cyber intrusions into contractor computer networks depends on the reporting of such breaches by the contractors themselves. But what the probe found was TRANSCOM contractors and subcontractors reported only a small fraction of their breaches. In fact, TRANSCOM was aware of only one of nine successful intrusions, the Senate report said.

Beginning in 2010, TRANSCOM began to require contractors to report certain cyber security incidents. Although some 80 U.S. companies were subject to that rule, by August 2013 TRANSCOM had received only two reports of cyber intrusion from contractors, the report said.

It Gets Worse
The Senate committee also requested information from 11 contractors about cyber intrusions they had experienced between Jan. 1, 2013, and June 30, 2013, and asked whether the intrusions should have been reported. The companies are all involved in shipping, airlines and logistics support. Of the 11 contractors, eight said they were not aware of any cyber intrusions during the period in question. The remaining three identified 32 intrusions, 11 of them associated with APTs. The Senate report defined an APT as an “extremely proficient, patient, determined and capable adversary including two or more adversaries working together.”

All 32 intrusions were attributed to China. Of the 11 APT intrusions, TRANSCOM was aware of only one.

The muddle originated in “a lack of common understanding” on the part of the companies about what had to be reported to the government. In fact, none of the contractors interpreted the cyber breach reporting obligation in a manner “consistent with TRANSCOM’s intent.”

It Gets Even Worse
Apparently, the TRANSCOM contract clause on reporting of cyber breaches limits the scope of what must be reported: companies need report only intrusions into networks that are storing or communicating DoD data at the time of the breach. TRANSCOM concluded that poor sharing of information by U.S. companies “left the command largely unaware of computer compromises by China of contractors that are key to the mobilization and deployment of military forces” in a crisis.

What then follows are twisted, nitpicking, hairsplitting discussions about blind spots or vagueness in sharing information about breaches. The conclusion said, “Common understanding of reporting obligations is lacking.” (We file that under “do tell.”) The report also said China has “exhibited both the capability and intent to compromise private sector computer networks” used to support TRANSCOM operations. Such intrusions exploit the systems, partner networks and personnel that TRANSCOM relies on to carry out its mission.

“We must ensure that cyber intrusions cannot disrupt our mission readiness” said Senator Jim Inhofe, R-OK, the committee’s ranking member. “It is essential that we put into place a central clearinghouse that makes it easy for critical contractors, particularly those that are small businesses, to report suspicious cyber activity without adding a burden to their mission support operations.” He said that last September.

Effective Remedies?
In response to the investigation’s findings, the committee included a provision in its version of the National Defense Authorization Act for Fiscal Year 2015 directed at addressing reporting gaps and improving the way in which the Department disseminates information about cyber intrusions into the computer networks of operationally critical contractors, the Senate report said.

Unfortunately, congressional legislation resembles a huge, sluggish, inert dragon whose shiny coils move extremely slowly. People most familiar with this situation have noted some meetings with the U.S. Chamber of Commerce and companies have taken place. These same people assure us the suggested legislative measures will be put in place. “It usually takes a year,” said a source familiar with the situation.

So by September of this year measures to foil breaches by the Chinese should be put in place and begin operation.

But in the world of APTs, malware can load onto a system and sit for years, learning and sending intelligence back home, or simply waiting for the command to attack. One wonders how many new breaches will have occurred by September, or how deeply they will have penetrated U.S. networks by then.

The operations of crime are incessant. They wait for no one.

Richard Sale is a freelance writer based out of Durham, NC, and was United Press International’s Intelligence Correspondent for 10 years and with the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.
