China fingered in cyberattack on mystery high tech co.
'Extremely large volumes' siphoned
The Chinese government is stepping up efforts to steal valuable information from high-technology companies in other countries, according to a congressional advisory panel, which detailed one operation that siphoned "extremely large volumes" of sensitive data.
The 2007 attack against the unnamed high-technology company was just one of several successful operations the US-China Economic and Security Review Commission believes were sponsored by Beijing.
According to The Wall Street Journal, which reported the contents of a report the panel was expected to release Thursday, the Chinese government is suspected because of the "professional quality" of the attack and the technical nature of the stolen information.
According to the WSJ:
The hackers "operated at times using a communication channel between a host with an [Internet] address located in the People's Republic of China and a server on the company's internal network."
In the months leading up to the 2007 operation, cyberspies did extensive reconnaissance, identifying which employee computer accounts they wanted to hijack and which files they wanted to steal. They obtained credentials for dozens of employee accounts, which they accessed nearly 150 times.
The cyberspies then reached into the company's networks using the same type of program help-desk administrators use to remotely access computers.
The hackers copied and transferred files to seven servers hosting the company's email system, which were capable of processing large amounts of data quickly. Once they moved the data to the email servers, the intruders renamed the stolen files to blend in with the other files on the system and compressed and encrypted the files for export.
The attackers used at least eight US-based computers, some at universities, as drop boxes before sending it overseas. The company's security team managed to detect the theft while it was in progress, but not before significant amounts of data left the company network.
China is one of 100 countries believed to have the capability to conduct such operations, according to the report. ®
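The intrusion described above left two traces a defender could have alerted on: one remote-access source authenticating as dozens of employee accounts, and mail servers pushing large volumes of data to hosts that are not normal mail peers. The following is an added example, not code from the article, the commission, or the affected company; the log events, host names, thresholds and window sizes are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article or the affected company).
# Remote-access logins: (timestamp, source_host, account)
AUTH_EVENTS = [
    ("2007-03-01 09:12", "10.0.5.21", "alice"),
    ("2007-03-01 09:40", "10.0.5.21", "alice"),
    ("2007-03-01 22:03", "10.0.9.77", "bob"),
    ("2007-03-01 22:10", "10.0.9.77", "carol"),
    ("2007-03-01 22:25", "10.0.9.77", "dave"),
    ("2007-03-01 23:02", "10.0.9.77", "erin"),
    ("2007-03-02 00:15", "10.0.9.77", "frank"),
]
# Outbound transfers from the mail tier: (timestamp, mail_server, dest_host, bytes)
XFER_EVENTS = [
    ("2007-03-02 01:00", "mail-03", "mx.partner.example", 40_000_000),
    ("2007-03-02 01:30", "mail-03", "203.0.113.10", 900_000_000),
    ("2007-03-02 01:45", "mail-05", "203.0.113.10", 1_200_000_000),
]
KNOWN_MAIL_PEERS = {"mx.partner.example"}  # constructed baseline of legitimate peers

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def sources_touching_many_accounts(events, window=timedelta(hours=24), min_accounts=4):
    """Flag a remote-access source that authenticates as many distinct accounts
    within one sliding window: the credential-hijacking pattern in the article."""
    by_source = defaultdict(list)
    for ts, src, acct in events:
        by_source[src].append((parse(ts), acct))
    flagged = {}
    for src, rows in by_source.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            accts = {a for t, a in rows[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                flagged[src] = accts
                break
    return flagged

def mail_servers_exporting_to_unknown_peers(events, known_peers, min_bytes=500_000_000):
    """Flag (mail_server, destination) pairs that move large volumes to hosts
    outside the known-peer baseline: the staging-and-export pattern in the article."""
    totals = defaultdict(int)
    for _, server, dest, nbytes in events:
        if dest not in known_peers:
            totals[(server, dest)] += nbytes
    return {k: v for k, v in totals.items() if v >= min_bytes}
```

Both checks are coarse by design; in practice the thresholds would be tuned against the organisation's own baseline of help-desk activity and mail-tier traffic.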
How they do it.
The company will normally hire a person for short-term SAP advising who hops around from company to company. They will call the helpdesk saying they need read and write access to do their job, which elevates their account.
So always give these types thin client access to a firewalled server with no outside access!
Ever heard of a switch?
My employer has electronic files which, for commercial and other reasons (we are headquartered in an authoritarian country), must be protected from external access, so we have two separate networks running on separate cabling in our office premises.
To enforce this separation users physically have to rotate a switch that disconnects them from the general network (with Internet access) and connects them to the isolated network.
Users also have to change logins which severely limits what applications can be run.
Sounds like a kluge? Maybe, but we know the nosey bastards next door in China can't stop by, nor can the government of this country.
>They used a host with an address in China? Yeah, cause they'd do that, wouldn't they?
Read the article. The files were being dropped onto university and other servers in the U.S. first before the transfer to China.
High Tech companies won't blacklist Universities they have researchers / business relationships with. University academics won't blacklist nations.
There's all sorts of non-Defense specific industries the Chinese (and Russians, Poles, Israelis, Iranians, French, British, etc...) would love to get into. I've worked at an R&D center in the past that (before my time there in the 90s) had a foreign national as the top person...until he was taken away by the FBI for industrial espionage. Americans, in general, have a far lower appreciation of the scale of industrial espionage globally than others.
Such espionage could be for simple economic competitive advantage. Think of the counterfeit Cisco switches and routers that came out of China.
It could also have dual-use to enable further attacks. Think of the value of having the source code for Cisco IOS so you can make your own hooks into said counterfeit routers and see who buys and installs them.