By Kevin Boyle and Alex Stout
On Monday, the data security firm CrowdStrike released a new report pointing a digital finger at the Chinese Army for cyber espionage against western technology companies. It has long been known that some of the most serious cyber challenges stem from state-sponsored attacks using encryption, customized tools that anti-virus software cannot detect, and sophisticated means to bypass or compromise legitimate access controls. The CrowdStrike report joins a spate of recent revelations that have uncovered meaningful intelligence about the location, means, and motives of certain Advanced Persistent Threat (APT) actors.
Last year, the data security firm Mandiant released a similar report pulling the cover from “APT1” (also identified as “Comment Crew,” “Comment Group,” or “Comment Panda”), an organization believed to operate from within the People’s Liberation Army (PLA) known as Unit 61398. In April of this year, five alleged members of Unit 61398 were indicted by the U.S. Department of Justice for alleged violations of the Computer Fraud and Abuse Act and economic espionage and identity theft laws. The new report by CrowdStrike focuses upon a second alleged unit within the PLA, Unit 61486 (known to CrowdStrike as “Putter Panda”), as being responsible for cyber intrusions within the “US Defense and European satellite and aerospace industries.” Like the Mandiant report, CrowdStrike reported on individuals within Putter Panda who are believed to be responsible for specific pieces of malicious code.
Although the report provides fascinating insight into the workings of a Chinese cyber espionage unit, much of what was revealed merely put literal faces on a long-building epidemic of global enterprises facing large-scale, highly complex persistent attacks on sensitive corporate data. APT actors are expert at hiding in plain sight, masquerading as authorized users, and escalating privileges until they have achieved full access. The detailed disclosures made by the report give us three good reminders.
First, internal awareness training is vital to network security regardless of the size of your enterprise. This report shows that end-user behaviors such as unknowingly downloading a malicious file or loading a compromised webpage introduce great risks to enterprise security. The unnamed corporate victims of Putter Panda were compromised by industry conference invitations, job postings, and brochures for golf outings (hence the name “putter”), all of which were carefully tailored to particular individuals at the target companies. Regular security awareness training, placards in the cafeteria, email bulletins about observed phishing attempts, participating in events surrounding National Cyber Security Awareness Month and other ongoing awareness efforts all help employees be more cautious about who they trust online. Employee buy-in is critical to any data security effort and should be a part of your compliance metrics.
Second, both reports include technical data to help identify whether your organization has been infiltrated using the techniques known to be used by these Chinese units. The “rules” and “definitions” they provide might allow automated defensive devices on your network to detect and prevent intrusions using these techniques. While APTs such as Putter Panda use many tools and will certainly adapt in the wake of this publicity, it is nevertheless a good idea to ensure that your corporate IT team has taken steps to implement new security protocols and other lessons learned from these reports. In particular, as with APT1, the threat indicators (domain names, IP addresses, hashes of malware) listed in the CrowdStrike report are potentially important, actionable data for information security teams. Keeping up with security alerts is daunting, but is as fundamental as closing windows and locking doors. Failure to do so could be a very bad fact in the face of a subsequent breach that would otherwise have been stopped.
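To make the point about “actionable data” concrete, the following is an added example, not code from the original post or from CrowdStrike, of how an information security team can sweep existing logs against a published indicator list. The indicator values, log lines and file inventory are all constructed placeholders (reserved documentation addresses and the `.invalid` top-level domain); the real indicators from the CrowdStrike report are not reproduced here. Domain matching also covers subdomains of a listed domain, since attackers rotate hostnames under a domain they control.

```python
"""Sweep proxy logs, DNS logs and a file-hash inventory for published indicators."""
import re

# Constructed placeholder indicators (assumption: a feed already parsed into sets).
# These are NOT values from the CrowdStrike or Mandiant reports.
INDICATORS = {
    "domain": {"c2.example-bad.invalid", "golf-invite.example-bad.invalid"},
    "ip": {"192.0.2.10", "198.51.100.7"},
    "md5": {"0123456789abcdef0123456789abcdef"},
}

# Constructed sample records: "timestamp client method target status".
PROXY_LOG = [
    "2014-06-09T10:01:02Z 10.0.0.5 GET http://www.example.com/ 200",
    "2014-06-09T10:03:15Z 10.0.0.7 GET http://UPDATE.c2.example-bad.invalid/check.php 200",
    "2014-06-09T10:04:44Z 10.0.0.9 CONNECT 198.51.100.7:443 200",
]
# Constructed sample DNS records: "timestamp client qtype qname answer".
DNS_LOG = [
    "2014-06-09T10:03:14Z 10.0.0.7 A golf-invite.example-bad.invalid 203.0.113.4",
    "2014-06-09T10:05:00Z 10.0.0.5 A www.example.com 93.184.216.34",
]
# Constructed endpoint inventory: (host, path, md5) as an EDR export might provide.
FILE_INVENTORY = [
    ("10.0.0.7", "C:\\Users\\alice\\Downloads\\invite.pdf.exe",
     "0123456789ABCDEF0123456789ABCDEF"),
    ("10.0.0.5", "C:\\Windows\\notepad.exe", "ffffffffffffffffffffffffffffffff"),
]

HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def normalize_domain(host):
    """Lower-case and strip a trailing dot so feed and log spellings compare equal."""
    return host.strip().lower().rstrip(".")


def domain_hits(host, domains):
    """Return the listed domain that host equals or sits under, else None.

    'update.c2.example-bad.invalid' matches a listed 'c2.example-bad.invalid'.
    The bare TLD is never tried, so 'invalid' alone can never match.
    """
    labels = normalize_domain(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy(lines, indicators):
    """Match the destination host (from a URL or a CONNECT host:port) of each request."""
    hits = []
    for line in lines:
        _ts, client, _method, target = line.split()[:4]
        m = HOST_RE.match(target)
        host = m.group(1) if m else target.split(":")[0]
        d = domain_hits(host, indicators["domain"])
        if d:
            hits.append(("domain", d, client, line))
        elif host in indicators["ip"]:
            hits.append(("ip", host, client, line))
    return hits


def scan_dns(lines, indicators):
    """Match both the queried name and the resolved address."""
    hits = []
    for line in lines:
        _ts, client, _qtype, qname, answer = line.split()
        d = domain_hits(qname, indicators["domain"])
        if d:
            hits.append(("domain", d, client, line))
        elif answer in indicators["ip"]:
            hits.append(("ip", answer, client, line))
    return hits


def scan_files(records, indicators):
    """Hash comparison is case-insensitive; exports often upper-case hex."""
    return [("md5", h.lower(), host, path)
            for host, path, h in records if h.lower() in indicators["md5"]]


def find_matches(indicators=INDICATORS):
    """Run every sweep and return (kind, indicator, host, evidence) tuples."""
    return (scan_proxy(PROXY_LOG, indicators)
            + scan_dns(DNS_LOG, indicators)
            + scan_files(FILE_INVENTORY, indicators))


def affected_hosts(hits):
    """Internal hosts that touched any indicator; the starting list for response."""
    return {host for _kind, _ioc, host, _evidence in hits}


if __name__ == "__main__":
    for hit in find_matches():
        print(hit)
    print("hosts to triage:", sorted(affected_hosts(find_matches())))
```

In practice the three input lists would be read from the proxy, resolver and endpoint tooling already in place, and the hit list would feed the incident response plan discussed below rather than be printed; the value of the sweep is that it turns a published report into a yes-or-no answer about your own network within the hour.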
Finally, as we have said before, very few organizations have the technical means to go it alone against an APT operating within their networks. APTs are—by definition—the most technically skilled and pernicious actors attacking corporate networks, and even the most prepared organizations might not uncover an intrusion for many months (if at all). Regular outside security audits help to identify defensive gaps, but when an intrusion is discovered it is critical to have in place a detailed and tested, APT-specific incident response plan. Most incident response plans we have encountered are not well-tailored to the unique technical and legal challenges of being targeted for espionage by a foreign government. Unlike breaches of personal health, financial, or other sensitive data, state-sponsored APTs carry very different considerations for lawyers and other senior managers overseeing the attack response, in terms of (i) whom to notify, of what facts, and when, (ii) how to assess and respond to exfiltration evidence, and (iii) whether and how to pursue insurance recoveries for investigation and other first-party response costs. A good APT plan will have identified and trained key personnel within your organization who have responsibility for managing this category of incident, but should also include on-call outside forensic experts who have the means and experience to handle attacks of this persistence and sophistication.