China’s Payback for US Hacker Indictments Begins

The Department of Justice last week unsealed indictments against five members of the Chinese military who were accused of hacking into the computer systems of U.S. companies to steal everything from trade secrets to confidential corporate correspondence.

China’s initial response was to deny any wrongdoing and charge that the United States had hacked into the systems of Chinese companies for purposes of espionage — but Beijing wasn’t finished there.

Shortly after the indictments were handed down, China announced that its government agencies, which have been standardized on Microsoft Windows, would not be upgrading to the latest version of that operating system. The move was to ensure security going forward, the Central Government Procurement Center said, because Microsoft had stopped supporting a version of the OS, Windows XP, still widely used in China.

However, the timing of the move raised questions.

“I don’t think it’s coincidence. I think they were looking for ways to respond, and this was an issue that they’d been struggling with for some time because they invested heavily in XP,” Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute, told TechNewsWorld.

“It is ironic in some ways that they’re threatening not to buy, since a good chunk of XP in China is pirated to begin with,” he added.

Appeasing Business

Following the Windows move, China announced it would be adopting new rules to assess potential security problems “related to national security and the public interest.” China has been considering such rules for a while, but the timing of this move, too, seems linked to the U.S. indictments.

China’s moves last week are likely to be just the beginning of the fallout.

“You’ll probably see economic repercussions of one sort or another,” Cilluffo said. “Whether this was just the first shoe and there are others to drop, I’m not sure, but it will make what is already a complex and vexing market even more so for U.S. and other companies doing business in China.”

There are those who doubt the U.S. will be willing to do what must be done to stop Chinese pilfering of the country’s corporate systems, however.

“I am skeptical that the [U.S. Government] will in fact continue to ratchet up the stakes to a degree that will make it irrational for China to continue on its current course, because doing so can quickly become very costly to many U.S. interests, and because China’s bounty from cybertheft is so great that it can absorb quite a lot of USG retaliation in any event,” wrote Harvard Law School professor Jack Goldsmith in his Lawfare blog.

“In this light,” he continued, “an alternate interpretation of yesterday’s events is that the USG is simply trying to get corporate America off its back by showing that it is doing something about China’s corporate cyber-snooping, and that it has no intention of raising the stakes of public confrontation beyond unenforceable indictments.”

Curtain Lowered on Blackshades

Chinese hackers weren’t the only targets of law enforcement last week. A coordinated effort by police in 18 countries rounded up more than 100 people connected to a versatile piece of malware called “Blackshades.”

The malicious app, which can be purchased for as little as US$40, is a Remote Access Trojan that’s designed to give hackers control over another person’s computer. Since September 2010, the program has generated an estimated $350,000 for its salespersons, according to the FBI.

The malware has gained popularity for a number of reasons.

“What stands out about Blackshades is just how easy it is to use and deploy,” Alex Watson, director of security research at Websense, told TechNewsWorld.

“It has more features for an attacker than your typical remote administration tool, but fewer features than the RATs used in targeted attacks,” he explained. “It can activate a webcam, steal files and has a limited ability to move laterally through a network by exploiting other hosts.”

However, because Blackshades is built for operators with little skill, it doesn’t cover its tracks very well.

“Since there is very little skill required to run the software, the attackers often leave themselves exposed in many ways, considerably more so than some of the more advanced APT-style adversaries,” Greg Foss, a senior security research engineer with LogRhythm, told TechNewsWorld.

“The beaconing alone is incredibly loud and will be detected by default rules within a majority of commercial grade firewalls and SIEM tools,” he noted.

In addition, user intervention is needed to get the malware into a machine. “Even if they are able to get the executable on the target’s system, any antivirus software will flag and remove this malware, as it is so well known at this point, even when packed,” Foss added.
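The “loud beaconing” Foss describes is detectable because a RAT checks in with its controller on a fixed schedule, which shows up in firewall logs as outbound connections to the same host and port at nearly constant intervals. The following is an added example of that detection logic, not code from the article or from LogRhythm or Websense. The log format, the sample lines, the IP addresses and the thresholds (minimum five connections, interval jitter at most 10 percent) are constructed for this example; a defender would tune them to their own environment.

```python
"""Detect periodic outbound beaconing in firewall connection logs.

Added example; the log format below is constructed for this demonstration,
not the format of any real firewall or SIEM product.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <action> <src> <dst> <dport>".
# 10.0.0.5 -> 203.0.113.7:4444 fires exactly once a minute (a beacon);
# the remaining lines are ordinary, irregular HTTPS traffic.
SAMPLE_LOG = """\
2014-05-20T10:00:00 ALLOW 10.0.0.5 203.0.113.7 4444
2014-05-20T10:00:03 ALLOW 10.0.0.5 198.51.100.20 443
2014-05-20T10:01:00 ALLOW 10.0.0.5 203.0.113.7 4444
2014-05-20T10:01:41 ALLOW 10.0.0.9 198.51.100.20 443
2014-05-20T10:02:00 ALLOW 10.0.0.5 203.0.113.7 4444
2014-05-20T10:02:17 ALLOW 10.0.0.5 198.51.100.20 443
2014-05-20T10:03:00 ALLOW 10.0.0.5 203.0.113.7 4444
2014-05-20T10:03:59 ALLOW 10.0.0.9 198.51.100.20 443
2014-05-20T10:04:00 ALLOW 10.0.0.5 203.0.113.7 4444
2014-05-20T10:04:44 ALLOW 10.0.0.5 198.51.100.20 443
2014-05-20T10:05:00 ALLOW 10.0.0.5 203.0.113.7 4444
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, action, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return events


def find_beacons(events, min_count=5, max_jitter=0.10):
    """Return flows whose inter-connection gaps are nearly constant.

    Blocked (DENY) attempts are deliberately kept: a beacon that egress
    filtering stops still reveals itself through its regular retries.
    Thresholds are assumptions for this example.
    """
    flows = defaultdict(list)
    for ts, _action, src, dst, dport in events:
        flows[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        # Coefficient of variation: 0.0 means perfectly regular check-ins.
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(times), "interval": avg, "jitter": jitter,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon: {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every {hit['interval']:.0f}s ({hit['count']} connections)")
```

Run against the sample, only the once-a-minute flow to port 4444 is reported; the HTTPS connections either occur too few times or have irregular gaps. The same grouping-by-flow and interval-variance check is what many SIEM “beaconing” rules implement, which is why a fixed-interval check-in is so easily caught.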

Breach Diary

  • May 19. U.S. Justice Department announces indictments against five members of the Chinese military for cyberespionage on U.S. companies.
  • May 19. FBI announces roundup of more than 100 people worldwide connected to distribution and use of the Blackshades Remote Access Trojan.
  • May 20. Raytheon releases Ponemon Institute study finding that 88 percent of “privileged users” — network engineers, database administrators, information-security practitioners and cloud custodians — recognize insider threats as a cause of alarm but have difficulty identifying threatening actions by insiders.
  • May 20. Extensible Messaging and Presence Protocol (XMPP, formerly Jabber) announces more than 70 messaging services using the technology have begun protecting their chats with TLS encryption.
  • May 21. eBay reports security breach and urges all its users to change their existing passwords.
  • May 21. U.S. District Judge Richard Jones issues order thwarting attempt by FBI to suppress documents relating to National Security Letter demanding information on one of Microsoft’s enterprise customers.
  • May 21. California Attorney General’s office releases voluntary guidelines designed to create easy-to-understand privacy policies, including alerting website visitors as to how the website treats do-not-track requests.
  • May 21. CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute announces Insider Threat Program Manager Certificate program to train individuals to meet upcoming federal government standards.
  • May 21. Silent Circle, maker of the yet-to-be-released Blackphone, announces $30 million funding round.
  • May 21. Avast releases findings from survey conducted with 268,000 online respondents showing three out of four people were not aware of the Heartbleed vulnerability, which affected millions of websites and mobile devices.
  • May 21. Michaels stores, which suffered data breach compromising information on some three million customers, reports 22 percent increase in profits.
  • May 22. Cyberthreat intelligence company IntelCrawler reports Nemanja botnet has infected almost 1,500 point-of-sale terminals and other retail systems in 36 countries.
  • May 23. Facebook announces new tool to help its users better manage their privacy.
  • May 23. South Korea’s Electronics and Telecommunications Research Institute announces it has developed a chip that can protect authentication and personal information on smartphones from attack by cybercriminals.

Upcoming Security Events

  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 5. Portland SecureWorld. DoubleTree by Hilton, 1000 NE Multnomah, Portland, Ore. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • June 6-7. B-Sides Asheville. Mojo Coworking, Asheville, NC. Fee: NA.
  • June 6-7. B-Sides Cape Town. Dimension Data, 2 Fir St., Cape Town, South Africa. Fee: NA.
  • June 14. B-SidesCT. Quinnipiac University-York Hill Campus, Rocky Top Student Center, 305 Sherman Ave, Hamden, Conn. Fee: NA.
  • June 18. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: Government, free; through June 17, $495; June 18, $595.
  • June 20-21. Suits and Spooks New York City. Dream Downtown hotel, 355 West 16th St., New York City. Registration: Before May 6, $299; after May 6, $549.
  • June 21. B-Sides Charlotte. Sheraton Charlotte Airport Hotel, 3315 Scot Futrell Dr., Charlotte, NC. Free.
  • June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 27-28. B-Sides Manchester (UK). Reynold Building, Manchester University (M1 7JA). Free.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
