Chinese Cyberespionage Crackdown Prompts Look At Intellectual Property Theft
Cyberespionage has been a poorly documented, longstanding problem, say solution providers. The indictment of five Chinese People's Liberation Army officers for their alleged role in hacking into U.S. computer networks to steal intellectual property is a sign that businesses need to take IP theft more seriously, they add.
The U.S. Department of Justice handed down the indictment Monday, charging that the men allegedly hacked into the networks of a number of companies, among them Alcoa and Westinghouse Electric Co. The proprietary information sought by the hackers allegedly was passed on to Chinese-owned companies in an attempt to copy the processes and reproduce similar items, according to the indictment.
The theft of trade secrets, manufacturing plans and other highly sensitive intellectual property has been a serious concern for years, but security experts say the threat is poorly documented because most businesses are not required to publicly disclose data breaches involving the theft of the information. Intellectual property theft was at the heart of a report issued last year by Alexandria, Va.-based Mandiant (acquired by FireEye) on a Chinese group linked to sustained cyberespionage activity.
The move by the Justice Department is not likely to have a measurable impact on global espionage, said Jon Heimerl, a senior security strategist at Solutionary, an Omaha, Neb.-based managed service provider and subsidiary of the NTT Group. Private and government-backed espionage will continue regardless of how this particular case progresses, Heimerl said.
"These activities could be considered 'crimes' by any and all foreign governments," Heimerl said. "By any number of international standards, it would not be surprising at all to see more lawsuits filed as a result of eavesdropping or corporate spying."
The indictment alleges the five officers stole design and technical specifications, email and financial information from U.S. private sector businesses. The men are assigned to People's Liberation Army Unit 61398, a hacking group that allegedly steals information to give an advantage to state-owned companies and other interests in China, said U.S. Attorney General Eric Holder in a statement.
"The indictment alleges that these PLA officers maintained unauthorized access to victim computers to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises," Holder said. "In some cases, they stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In others, they stole sensitive, internal communications that would provide a competitor, or adversary in litigation, with insight into the strategy and vulnerabilities of the American entity."
At Westinghouse, the intruders allegedly stole design specifications for pipes, pipe supports and pipe routing designed for nuclear power plant buildings. At aluminum producer Alcoa, one of the hackers allegedly stole thousands of email messages and attachments from the company's systems regarding a partnership between Alcoa and a Chinese state-owned company.
The indictment, filed in the U.S. District Court of Western Pennsylvania, charges the officers with 31 counts of computer fraud and abuse, identity theft, trade secret theft and economic espionage. Justice Department officials said there are many more victims of cyberespionage.
"State actors engaged in cyberespionage for economic advantage are not immune from the law just because they hack under the shadow of their country's flag," said John Carlin, Assistant Attorney General for National Security. "Cybertheft is real theft and we will hold state-sponsored cyberthieves accountable as we would any other transnational criminal organization that steals our goods and breaks our laws."
Smaller businesses often fail to have adequate data safeguards because they lack budgeting and IT resources to manage encryption, data loss prevention and other measures, said Jason Tierney, founder and CEO of BeyondIT Consulting. Companies with deeper pockets deploy data security measures and undergo regular vulnerability scanning and penetration testing to uncover weaknesses, Tierney said.
"Anecdotally everyone knows that China and Russia are the two biggest hacking countries in the world," Tierney said. "Smaller businesses think intellectual property theft is only a problem for larger firms, but it's a huge misconception."
Tierney said end-user security awareness training would help reduce the risk. According to the indictment, the officers allegedly used spearphishing or targeted phishing messages and stolen account credentials to gain initial access to the corporate networks. In other targeted attack campaigns documented by security vendors, more sophisticated measures are used to maintain remote access and persistence and then pivot to more sensitive resources on the network.
PUBLISHED MAY 20, 2014