The New York Times reported Monday that China has resumed its cyberattacks on the U.S. There had been a three-month hiatus after hackers working for a cyberunit of China’s People’s Liberation Army went silent amid evidence that they had stolen data from scores of American companies and government agencies. But now they appear to have renewed their attacks using new techniques, according to cybersecurity experts and American officials.
Security company Mandiant said that many of the victims had been attacked previously. Cyberunit 61398 is believed to be responsible for an attack on Coca-Cola in 2009, when it attempted to acquire the China Huiyuan Juice Group, and for a 2011 attack on RSA, which makes data security products used by the U.S. government and defense contractors. From the 2011 attack, the unit gleaned enough information to attack Lockheed Martin. Security experts have said that the group has more recently targeted companies with access to the nation's power grid.
Mandiant reports that the renewed attacks mean the Chinese cyberunit is operating at 60-70% of its previous level. Interestingly, Mandiant performed its study at the request of The New York Times. As you may recall, Mandiant had previously been hired by the newspaper to investigate attacks on its news operations that originated in China. Another security company, CrowdStrike, agrees that the Chinese hackers have largely returned to "business as usual."
The exposure of the cyberunit’s actions resulted in haphazard cleanup operations, according to Mandiant. Attack tools were unplugged from victims’ systems. Command and control servers went silent. And of the 3,000 technical indicators Mandiant identified in its initial report, only a few kept operating. Some of the unit’s most visible hackers, with names like “DOTA,” “SuperHard” and “UglyGorilla,” disappeared as investigators looked for clues to their real identities.
The unit’s hackers have now set up new beachheads from compromised computers all over the world, many of them small Internet service providers and mom-and-pop shops whose owners do not realize that by failing to rigorously apply software patches for known threats, they are enabling state-sponsored espionage.
Amid this happy news, India appears to be joining the global hacking club too - more on that tomorrow.