InfoSec 2013: China Is ‘Biggest Source Of Advanced Cyber Attacks’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Two reports again claim China is the number one source of serious attacks

Whilst many nations are behind advanced, persistent cyber attacks, China is involved in most of them, producing many of the tools used by Internet-based spies and carrying out plenty of espionage campaigns, according to reports released today.

Nine in 10 APT tools is made in China, according to a report from security firm FireEye, which released its findings at the InfoSec 2013 conference in London today. Gh0st RAT was the most prevalent remote access Trojan in what the industry calls Advanced Persistent Threats (APTs), which are often funded by nation states.

Such APT attacks were used to compromise various media organisations in the US over the last year, including the New York Times, and China was alleged to have sponsored the malicious strikes.

A separate report from Verizon today claimed China was behind 96 percent of cyber espionage campaigns the firm had seen over the last year. Of all the breaches it looked at, 19 percent had ties to the Chinese government, as they sought to get their hands on others’ intellectual property, Verizon said.

© Karen Roach - Fotolia (Medium)China cyber attacks

A recent report from security supplier Mandiant recently caused a stir, claiming over 100 organisations had been targeted by a group with apparent connections to the Chinese military, the People’s Liberation Army. China has denied sponsoring any cyber espionage efforts it has been accused of backing.

“There are many reasons why a lot of APT activity comes out of China. First, they’ve developed the tools,” Jason Steer, EMEA product manager at FireEye.

“Secondly, there is a national directive to be a dominant player in cyber space. But to be clear, China isn’t the only player. In fact, our report points out that many countries attack and are victims.”

FireEye pointed to the global nature of persistent threat activity, finding APTs hooked up to command and control servers in 184 countries, up from 150 in 2011.

America is both a big perpetrator and victim of persistent attacks. It was home to more C&C (command and control)  servers than any other region, with 44 percent residing in the US, although many are used by foreign hackers looking to cover their tracks.

“The US is a player in APT and certainly some of the CnC traffic is likely to be American APT attacks.  However, since the US experiences so many attacks, many American security teams know to block traffic exiting the country,” Steer added. “We saw a similar dynamic in Japan, for example, where a huge amount of traffic stays in country.”

South Korea saw the highest number of events per organisation and has become a “fertile location” for cyber criminal activity, FireEye said.

When it comes to IP theft, technology companies are the number one target, with the financial industry not far behind.

UK an easy target?

As for the UK threat, the FireEye report had some bad news: attackers are confident they can breach companies and successfully exfiltrate data out of the country. Nine in 10 APT attacks hitting UK firms succeed in getting information out of the country.

“A lot of callback activity exits the UK quickly. This tells you that many firms in the UK aren’t looking at where their traffic is going, allowing attackers to be more brazen in their attacks,” Steer said.

“If most of the traffic stayed domestically, it implies attackers needed to set up C&Cs in country to help with evasion. Attackers won’t do more work than they need to and the fact that a lot of UK traffic exits the country tells you that attackers feel confident enough to not bother with setting up C&Cs in the UK.”

What do you know about Internet security? Find out with our quiz!