Security experts split on whether China is breaking no-hack pact
The hacks go on...but are they state-sponsored?
Security intelligence firm CrowdStrike has released a report alleging that Chinese hacking crews, which it claims are likely state-sponsored, are still attacking the US despite an anti-economic-espionage pact agreed just a month ago when the Chinese president visited the US.
In a blog post, CrowdStrike states that it has seen no let-up in attacks against its commercial clients since the agreement was signed three weeks ago. Intrusions it has traced back to Chinese hacking crews it alleges are linked to the state were, it claims, likely motivated by economic espionage rather than by national security-related intelligence gathering.
Over the last three weeks, CrowdStrike Falcon platform has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government. Seven of the companies are firms in the Technology or Pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit.
The very first intrusion conducted by China-affiliated actors after the joint Xi-Obama announcement at the White House took place the very next day – Saturday September 26th. We detected and stopped the actors, so no exfiltration of customer data actually took place, but the very fact that these attempts occurred highlights the need to remain vigilant despite the newly minted Cyber agreement.
CrowdStrike has produced a timeline of attacks it has detected and more technical details on the attacks. Malware associated with the latest run of attacks includes Derusbi, a strain previously linked to attacks on defence contractor VAE and health insurer Anthem. Among the groups involved in the latest run of attacks is a hacking crew known as Deep Panda, a Chinese group CrowdStrike has been tracking for years.
Dmitri Alperovitch, co-founder and CTO at CrowdStrike, notes that it may be that there is a lag between hands being shaken on the deal and China’s compliance in dismantling elements of intelligence-gathering.
However, other security intelligence firms reckon it's too soon after the deal, and there isn’t yet enough evidence to conclude that China is stealing trade secrets using hacking and malware, nefarious activities it has been accused of for many years.
Beijing's backing of well-resourced Chinese hacking groups has not been confirmed but is the subject of much speculation.
Laura Galante, director of threat intel at FireEye, claimed: “We have observed activity from likely Chinese state-sponsored threat groups since September 25, but it is premature to conclude that activity during this short timeframe constitutes economic espionage.
“We have seen an evolution in the operations of many of the China-based threat actors we track – a shift that had actually begun in roughly mid-2013. Whether operational shifts such as the one we have observed indicate a large-scale shift in these groups’ missions away from economic espionage is an open question, and assessing the complexity of changes in state-sanctioned economic espionage requires far more sufficient time, data and viewpoints,” she concluded.
Chinese Foreign Ministry spokeswoman Hua Chunying told Reuters that the Chinese government opposed all forms of hacking or the stealing of commercial secrets, a standard line that pre-dates the 26 September pact between US President Barack Obama and Chinese President Xi Jinping. ®