We often talk to companies who believe they are an unlikely target for hackers because they do not have financial account information, Social Security numbers, or medical information. However, personal information is not the only item hackers are after. Indeed, the chief of the United States Cyber Command and director of the National Security Agency said last year that the loss of industrial information and intellectual property through cyberespionage is “the greatest transfer of wealth in history.”
Cyberespionage has often only been publicly attributed to the APT (Advanced Persistent Threat), a generic naming convention for sophisticated attacks that are believed to be sponsored by foreign governments. This week computer security firm Mandiant released a threat intelligence report that detailed the cyberespionage attributed to one specific APT group (APT1—reportedly a division of China’s People’s Liberation Army) over the past seven years. The report was based on the investigation of compromises at 141 companies across 20 industries that included the theft of hundreds of terabytes of data containing blueprints, manufacturing processes, product development test results, business plans, and pricing documents, as well as the e-mails of company executives. The industries that were targeted most often include information technology, aerospace, telecommunications, energy, transportation, manufacturing, engineering services, and high-tech electronics. Notably, APT1’s attack methodology usually begins with aggressive spear phishing to gain entry to a company’s network before deploying its sophisticated “digital weapons” (Figure 15 of the report reproduces a spear-phishing e-mail that APT1 sent to Mandiant employees, carrying a malicious executable that would install a custom backdoor).
The release of Mandiant’s report follows recent disclosures by news organizations that they had been compromised by attackers from China. Among the targets were “journalists who had written about Chinese leaders, political and legal issues in China and the telecom giants Huawei and ZTE.” President Obama, who has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation,” issued a cybersecurity executive order shortly before his February 12, 2013 State of the Union address, which was designed as a start towards protecting the country’s critical infrastructure from these threats. The executive order was followed by a February 20, 2013 release of the Administration Strategy on Mitigating the Theft of U.S. Trade Secrets, which was designed as a means for improved government coordination to protect against trade secret theft by foreign competitors of U.S. companies.
Because the attack methodology and motives behind cyberespionage differ from those of attacks designed to steal credit card data, companies need to spend time learning about the threat before designing their defenses. The appendix to Mandiant’s report lists more than 3,000 indicators of APT1’s arsenal of digital weapons, including domain names, IP addresses, encryption certificates, and MD5 hashes of malware.