code silhouetteFor several years China and its military have been accused of masterminding systematic targeting of organizations throughout the world in a sophisticated hacking campaign. Their goal is obvious: to siphon research and development from Western companies to further China’s economic, military, and social agendas. Yet for all the brouhaha there has yet to be concrete evidence that proves China is indeed behind all this – due, in part, to the difficulty in tracking the attacks to a specific person, group or country.

That may have changed with a 74-page research report released last week by security firm Mandiant, which offers compelling evidence of China’s involvement. At the heart of Mandiant’s evidence are statistically heavy assertions that a vast number of the attacks lead back to systems in China, and, more specifically, to four large computer networks in Shanghai. Two of these four networks reside within the Pudong New Area of Shanghai, which houses China’s People’s Liberation Army (PLA’s) Unit 61398.

Mandiant fingers Unit 61398 as being part of a cyber-arm of the Chinese military. If you thought it hard to believe that Bin Laden could have holed up for years next door to the equivalent of Pakistan’s West Point without its military being aware, you’d probably find it even harder to believe China’s military would have remained ignorant of a sophisticated, multi-year, enterprise-wide hacking spree happening right under the nose of one of the most “big brother” regimes in history. More likely is that the Chinese government is behind Unit 61398 and has set it loose on a massive technology transfer program.

Madiant’s accusations aren’t based solely on Unit 61398’s physical location. A computer attacker can cover his tracks and hop through numerous countries and networks until reaching his final destination. Think of it as digital money laundering, with the perpetrator cleansing his path to the target to make it difficult, if not impossible, to trace. Fortunately there are other clues. The hackers have coded attacks based on Chinese language computer systems. It would be extremely difficult for a non-Chinese actor, such as a rogue hacker group in another country or foreign government, to employ the number of Chinese reading and writing hackers as Mandiant claims are behind these attacks.

While the report provides the most concrete public assessment to date as to China’s involvement in widespread computer attacks, it also raises questions — not concerning who was behind the attacks or what they did after successfully breaching computer networks, but how these attackers were able to compromise some of the most important organizations in the world, including Apple, Google, Coca-Cola, Lockheed-Martin, and The New York Times.

In the computer security industry we are good at saying what the bad guys do once they get in but rarely can we say how they got in. The Mandiant report offers some data on how companies were targeted and compromised – mostly via malicious email attachments and vague references to Web-based attacks. These kinds of attacks are so simple, though, that you really don’t need state sponsorship. What they really do is point out just how porous our computer security is.

The trick, these attackers knew, was to craft email to victims to make it look like the messages came from trusted sources like bosses or colleagues. You’ve likely received “phish” attacks that try to trick you into clicking on a link or an attachment, but bad grammar or spelling or crappy images tipped you off that these email weren’t kosher. If you fell for it, you might download malware that could do any number of things to your computer: turn it into a spam bot, siphon information from your hard drive, trash your system, and the like. Now imagine what would happen if you received a regular, run-of-the-mill email from your boss telling you to look at sales figures. You’d have no reason to question its authenticity.

That’s what happened with employees at Apple, Coca-Cola, and the others. And if they are vulnerable, then so are you. If you run a startup or small business, I’m afraid you are probably living by the credo “security by obscurity.” Unlike, say, Apple, you may not feel like you have anything worth stealing. Perhaps that’s true, but unless you instigate some basic security protocols and defenses of your own, you could easily find your hard-earned intellectual property ending up in the hands of foreign spies or a nefarious competitor.

In the case of Chinese hackers the email attachments were typically compressed zip archives that contained executable programs, which sometimes appeared, based on the programs icon file image, to be Adobe Reader documents. Once a victim opened and executed the PDF attachment, game over. The victim had just given these attackers remote access to do as they pleased.

There is nothing new about this. In the 1990s, this style of attack was so prolific it forced Microsoft to rewire its Outlook email program to disallow the receiving of executable attachments by default. While Outlook can still receive executable attachments within compressed zip files, security best practice dictates that companies deny inbound executable attachments, even when they are within compressed zip files. This is something that even popular email services such as Google’s Gmail do by default.

If Mandiant’s data and conclusions are accurate, some of the most important organizations within the United States and elsewhere fell victim to the Chinese military, because they failed to implement 1990’s security best practices on email attachment. I don’t want to blame the victims, but that’s like trying to protect a bank vault with a bicycle lock.

No doubt China, like other modern nations, has talented hackers and sophisticated attack tools that are not mentioned in this Mandiant report. It is also safe to say that Mandiant, by releasing this report, has unleashed a tidal wave of organizational review within the Chinese military that will lead to improved capabilities and operational safeguards.

In other words, Chinese hackers will only get better. But will our computer security follow suit?

[Image courtesy Nat W]