China: Number One in Cyberespionage?
Allegations of the People’s Republic of China being engaged in massive cyberespionage efforts have been in the news quite a bit lately. Just last week a series of break-ins to systems in Canada was believed to have originated from China. A SANS NewsBites item several weeks ago stated: “The Chinese’s extensive reach into all aspects of cyber activity both inside and outside its borders means that there are no secrets it cannot obtain.” Are these allegations true?
I’m no longer involved in the kind of intrusion detection effort that nearly consumed my life when I was at Berkeley, but I clearly remember several ugly incidents that pointed directly to China as the source. You may recall that in the early part of this decade, not far off the coast of China, a US and a Chinese plane collided, forcing both to make emergency landings. Not long afterwards I received a phone call from someone who was involved in nuclear research, who said that his Web server had been defaced. I hurried over to his lab, and when I arrived, I found not only Chinese splattered all over the home page of this server, but also dozens of hacking tools with Chinese titles and readme files installed on the system. Say what you will, but by all appearances someone from China had ostensibly attacked this Web server.
Of all the attacks I witnessed while at Berkeley, more source addresses were from China than anywhere else. (Believe it or not, South Korea was second during that time.) Of course, this does not necessarily mean that these attacks were from China, as address spoofing on the Internet runs rampant. Once again, however, China was somehow in the spotlight. The “Titan Rain” incidents, in which malware was installed on numerous machines used by US and UK government employees, uncovered a massive number of unauthorized connections from these machines to IP address space assigned to China. And even as I write this blog entry, the same basic pattern of attacks that exploit vulnerabilities in Microsoft Office utilities, Adobe Acrobat, and other programs through minuscule attachments continues to occur, not only against US and UK government systems, but also against systems throughout the business sector in the same countries.
My point is that there is a “smoking gun” here, and by all appearances China is holding it. But should anyone really be surprised? Governmental spying is not exactly anything new; after all, governments spy on each other all the time. Paying a trusted insider to steal or reveal information is a time-proven spying method, but it is difficult, expensive, and often dangerous compared to sending a small, malicious attachment to a targeted person who is likely to open it. Opening it causes this person’s computer to connect to a malicious Web site that injects a keystroke sniffer, programmed to send all keyboard input to a site where it can be harvested. International espionage is not a one-way street, either. I would also count on the fact that the US, the UK, and other major powers are using methods similar to those used by China to steal information from China and other countries. So the next time you see something about cyberespionage activity originating out of China, I wouldn’t be a bit skeptical. In my mind, China is the number one perpetrator of cyberespionage, with the US probably being number two. I would instead worry about whether my computing systems and information are adequately defended against the kinds of attacks that China and other countries are launching.