Everyone that has sensitive data (including, of course, ITAR-controlled data) on their computer networks should read this sobering article in Wired, which reveals, for the first time that I am aware of, the methodology, extent and scope of Chinese cyber-attacks on U.S. computer networks. After you read this article, there will be no question in your mind that these attacks are orchestrated and carried out by the Chinese government, even though the Chinese government is currently issuing risible denials of its involvement. Also, you will never open an email attachment again from anyone. The problem is, of course, that someone on your network will.
Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures. …
The Heartland and RBS attackers, and other criminal hackers of their ilk, tend to use SQL injection attacks to breach front-end servers. The APT attackers, however, employ undetectable zero-day exploits and social engineering techniques against company employees to breach networks.
… They attempt to take every Microsoft Word, PowerPoint and Adobe PDF document from every machine they compromise, as well as all e-mail, says Mandia. …
Last year, for example, an unidentified defense contractor discovered 100 compromised systems on its network, and found that the intruders had been inside since at least 2007.
APT attackers also appear to be well-funded and well-organized. In some cases, Mandiant has found multiple groups inside a network, each pursuing their own data in a seemingly uncoordinated fashion. …
Many entities don’t discover a breach until someone from law enforcement tells them. By then, it’s too late.
“By the time the government is telling you, you’ve already lost the stuff you didn’t want to lose usually,” Mandia says, noting that it’s generally not possible to ascertain everything that an attacker took.
While APT attacks are sophisticated, they use simple techniques to gain initial entry and, once inside, adhere to a pattern.
For starters, the attackers conduct reconnaissance to identify workers to target in spear-phishing attacks — such as key executives, researchers and administrative assistants who have access to sensitive information — and then send malicious e-mails or instant messages that appear to come from a trusted colleague or friend.
The e-mails have an attachment or link to a ZIP file containing zero-day malware that exploits Microsoft Office or Adobe Reader vulnerabilities. Google employees received an e-mail with malware that exploited a vulnerability in Internet Explorer 6 that Microsoft had not yet publicly disclosed.
Once the attackers have a foothold on one system, they focus on obtaining elevated access privileges to burrow further into the network. They do this by grabbing employee password hashes from network domain controllers — and either brute-force decrypt them or use a pass-the-hash tool that tricks the system into giving them access with the encrypted hash.
Not only should you be extremely cautious about email attachments and forwarded links, even from trusted friends, but also you might think about taking down your entry on LinkedIn or other business networking sites. Unless, of course, it’s already too late.
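One defender-side check for the password-hash stage the Wired excerpt describes, as an added example that is not from the article or from this blog: a heuristic over Windows Security event 4624 (successful logon) records that flags an account whose NTLM network logons fan out to many different hosts within a few minutes. Pass-the-hash authenticates over NTLM, so in a domain where Kerberos is the norm such a burst stands out. The record layout, the thresholds and every sample event below are constructed assumptions, not real logs.

```python
"""Heuristic for NTLM logon fan-out (a pass-the-hash indicator) over 4624-style records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Field names mirror event 4624:
# logon_type 3 = network logon; auth_pkg is AuthenticationPackageName.
SAMPLE_EVENTS = [
    # Ordinary user: a few NTLM logons spread over 90 minutes.
    {"time": "2010-01-20T09:00:00", "account": "jdoe", "src": "10.0.0.5", "dst": "FS01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2010-01-20T09:45:00", "account": "jdoe", "src": "10.0.0.5", "dst": "PRINT01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2010-01-20T10:30:00", "account": "jdoe", "src": "10.0.0.5", "dst": "DC01", "logon_type": 3, "auth_pkg": "NTLM"},
    # Backup service account: many hosts quickly, but over Kerberos (excluded).
    {"time": "2010-01-20T02:00:00", "account": "svc_backup", "src": "10.0.1.9", "dst": "FS01", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2010-01-20T02:00:30", "account": "svc_backup", "src": "10.0.1.9", "dst": "FS02", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2010-01-20T02:01:00", "account": "svc_backup", "src": "10.0.1.9", "dst": "SQL01", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2010-01-20T02:01:30", "account": "svc_backup", "src": "10.0.1.9", "dst": "WEB01", "logon_type": 3, "auth_pkg": "Kerberos"},
    # Suspicious: one workstation reaches five hosts over NTLM in under four minutes.
    {"time": "2010-01-20T11:00:00", "account": "asmith", "src": "10.0.0.77", "dst": "FS01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2010-01-20T11:00:40", "account": "asmith", "src": "10.0.0.77", "dst": "FS02", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2010-01-20T11:01:15", "account": "asmith", "src": "10.0.0.77", "dst": "SQL01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2010-01-20T11:02:05", "account": "asmith", "src": "10.0.0.77", "dst": "DC01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"time": "2010-01-20T11:03:30", "account": "asmith", "src": "10.0.0.77", "dst": "HR-WS1", "logon_type": 3, "auth_pkg": "NTLM"},
]


def find_ntlm_fanout(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {account: sorted destination hosts} for every account whose NTLM
    network logons reach more than max_hosts distinct hosts inside one window.
    Thresholds are assumed; tune them to the environment's baseline."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM":
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["dst"]))

    flagged = {}
    for account, logons in by_account.items():
        logons.sort()  # sliding window starts at each logon in time order
        for i, (start, _) in enumerate(logons):
            hosts = {dst for t, dst in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in find_ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT possible pass-the-hash: {account} -> {', '.join(hosts)}")
```

Service accounts that legitimately authenticate over NTLM will need an allow-list, and the window and host thresholds should come from the domain's own baseline rather than the values assumed here.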