Cyber attacks and cyber espionage have been the focus of media attention (again) lately. In addition to the news of Apple, Facebook, the New York Times, the Wall Street Journal, and Twitter all suffering cyber attacks, two important documents were released this past week. The first, a report by the data forensics investigation firm Mandiant, is an in-depth analysis of the threat that Advanced Persistent Threat (APT) groups pose to major U.S. companies. The report received a significant amount of media attention, including this very good New York Times article. The second document released this week was a report by the Obama administration outlining its strategy in response to the APT threat and to the individuals and governments who engage in theft of U.S. trade secrets and cyber espionage.
Mandiant’s Report on Chinese Cyber Attacks
On February 18th, Mandiant issued a report in which it accused the Chinese military of years of cyber attacks (APTs) against over 140 companies, a majority of them American. The report’s conclusions were based on hundreds of investigations Mandiant conducted, which convinced Mandiant that the groups engaging in these security breaches are based primarily in China and are known to the Chinese government.
Mandiant tracks dozens of APT groups around the world. APT1 is the most prolific of these groups in terms of quantity of information stolen and has engaged in a cyber espionage campaign against an array of victims since 2006. APT1 is able to wage such a sustained and extensive cyber espionage campaign because it receives direct government support, Mandiant found.
Here are some other conclusions from Mandiant’s report:
- APT1 is believed to be a part of the Chinese People’s Liberation Army identified as Unit 61398, which is staffed by hundreds or thousands of people. The personnel in this unit are trained in computer security and computer network operations. APT1’s activity has been traced to four large networks in Shanghai.
- APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations in 20 major industries, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
- APT1 maintained access to victims’ networks for an average of 356 days, with the longest time period being four years and ten months.
- APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries. APT1’s targets are industries that China has identified as strategic to its growth.
- APT1 maintains an extensive infrastructure of computer systems around the world, with 937 command and control servers hosted on 849 distinct IP addresses in 13 countries. The majority of these IP addresses are registered to Chinese organizations.
- Mandiant has released more than 3,000 indicators (domain names, IP addresses, and MD5 hashes of malware) to help victims and potential victims bolster their defenses against APT1 operations. The indicators can be downloaded here.
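Putting an indicator list like this to use means sweeping your own proxy logs and file systems for the three indicator types it contains. The following is an added illustration (not code from Mandiant or the report); every indicator, log line and file below is a constructed placeholder in documentation ranges, not an APT1 indicator.

```python
"""Sweep constructed proxy-log lines and file contents against an indicator
feed of the three kinds described above: domain names, IP addresses and MD5
hashes. Added example; all values are constructed placeholders."""
import hashlib
import ipaddress
import re

# Constructed indicator feed (placeholders; .test TLD and 203.0.113.0/24 are reserved).
INDICATORS = """
# type,value
domain,update.example-evil.test
ip,203.0.113.45
md5,9e107d9d372bb6826bd81d3542a419d6
"""

# Constructed proxy log: timestamp, client IP, destination host, destination IP.
PROXY_LOG = [
    "2013-02-19T08:12:03 10.0.0.21 www.example.com 198.51.100.7",
    "2013-02-19T08:12:09 10.0.0.21 cdn.update.example-evil.test 203.0.113.45",
    "2013-02-19T08:13:44 10.0.0.33 mail.example.org 198.51.100.9",
    "2013-02-19T08:14:01 10.0.0.45 203.0.113.45 203.0.113.45",
]

# Constructed stand-in for walking a disk: path -> file bytes.
FILES = {
    "C:/Users/bob/Downloads/report.pdf": b"harmless constructed content",
    "C:/Users/bob/AppData/svchost.exe": b"The quick brown fox jumps over the lazy dog",
}

def load_indicators(text):
    """Parse the feed into (domains, ips, md5s), normalising and validating each value."""
    domains, ips, md5s = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        value = value.strip().lower()
        if kind == "domain":
            domains.add(value.rstrip("."))
        elif kind == "ip":
            ips.add(str(ipaddress.ip_address(value)))   # raises on a malformed entry
        elif kind == "md5" and re.fullmatch(r"[0-9a-f]{32}", value):
            md5s.add(value)
    return domains, ips, md5s

def domain_hits(host, domains):
    """True if the host or any parent domain is listed, so subdomains of an indicator match."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def sweep_proxy_log(lines, indicators):
    """Return log entries whose destination host or IP matches an indicator."""
    domains, ips, _ = indicators
    hits = []
    for line in lines:
        ts, client, host, dst_ip = line.split()
        if domain_hits(host, domains) or dst_ip in ips:
            hits.append((ts, client, host, dst_ip))
    return hits

def sweep_files(files, indicators):
    """Return paths whose MD5 matches a listed malware hash."""
    _, _, md5s = indicators
    return [p for p, data in files.items() if hashlib.md5(data).hexdigest() in md5s]
```

A domain indicator also flags its subdomains, while a bare second-level domain in a log line does not match a more specific indicator.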
Why did Mandiant expose APT1? Even though exposing APT1 would likely interfere with Mandiant’s ability to secretly collect intelligence on that particular group, Mandiant claims that it exposed APT1 in an effort to arm and prepare security professionals to combat the threat effectively and provide information that would lead to increased understanding and coordinated action in countering APT network breaches generally. Mandiant “expect[s] reprisals from China as well as an onslaught of criticism” as a result of the report.
The Obama Administration’s Report On Trade Secret Theft
On February 20th, the U.S. Attorney General released a report entitled “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets”, which outlines the Obama Administration’s strategy to promote improved coordination within the U.S. government to protect U.S. trade secrets. The report sets forth the following five-pronged strategy:
- Focus diplomatic efforts to protect trade secrets overseas – the Obama administration promises to continue applying sustained and coordinated diplomatic pressure on foreign countries to discourage trade secret theft.
- Promote voluntary best practices by private industry to protect trade secrets – examples of areas where private industries could consider voluntary best practices include research and development compartmentalization, information security policies, physical security policies, and human resources policies.
- Enhance domestic law enforcement operations – the Department of Justice and FBI will prioritize investigations and prosecutions of corporate and state sponsored trade secret theft. Law enforcement and intelligence will share information regarding the number and identity of foreign governments involved in trade secret misappropriation, the industrial sectors and types of information and technology targeted by such espionage, the methods used to conduct such espionage, and the dissemination, use, and associated impact of information lost in trade secret misappropriation.
- Improve domestic legislation – increasing the criminal penalties for those who engage in economic espionage and other trade secret crimes.
- Public awareness and stakeholder outreach – encouraging all stakeholders, including the general public, to be aware of the detrimental effects of misappropriation on trade secret owners and the U.S. economy. To this end, the administration will conduct educational and outreach efforts through the internet, forums for the private sector, and public outreach by the FBI.
I highly recommend that in-house counsel who are concerned about cyber espionage read the report in full. It is filled with interesting vignettes of how major U.S.-based companies have been the victims of cyber espionage, and it includes links to some very valuable resources, including this one, which was one of the first major reports to outline the extent of cyber espionage affecting major companies in the U.S. These resources can help your company learn more about the threats of cyber espionage and ways to minimize those risks.
The Takeaways
So what are the takeaways? First, cyber espionage is an increasing threat to major U.S. companies, particularly those in the technology, science, pharmaceutical, and defense industries. Second, a growing body of evidence shows us that the APT groups primarily responsible for cyber espionage are originating in China and may be supported directly by the Chinese government. Perhaps most importantly, however, there are steps that companies can and must take proactively to limit the risks associated with APTs, including the adoption of administrative safeguards (policies, procedures, and employee training that limit the likelihood that APTs, particularly those that target social behavior, will penetrate a company’s network) and technical safeguards (like the resources provided by Mandiant in its report, the establishment of firewalls, and the installation of spam filtering, monitoring and anti-malware software).
Given the findings of the Mandiant report and the Obama administration’s steps towards fighting cyber espionage, businesses cannot close their eyes to this threat and hope it will go away or won’t happen to them. They must begin defending themselves now.
UPDATE: Demonstrating the timeliness of this subject, the NY Times just went to press with this important article about the political implications of this issue.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.