Analysts finger dirty dozen Chinese hacking groups

US cyber security analysts and experts have reported that 12 groups are behind the bulk of China-based cyber attacks stealing critical data from US companies and government agencies.

According to the Associated Press, the US often gives the attackers unique names or numbers and can tell where the hackers are, and even who they are.

Targets have broadened from the US government to private industry defence companies to critical infrastructure in the last ten to 15 years; according to Jon Ramsey, head of the counter-threat unit at Dell SecureWorks, hackers in China have different digital fingerprints which are often visible through the computer code they use, or the command and control computers through which they route their malicious software.

The report claimed that US government officials have been reluctant to tie the attacks directly to the Chinese government, but analysts and officials quietly say they have tracked enough intrusions to specific locations to be confident they are linked to Beijing. One of the analysts said investigations show that the dozen or so Chinese teams appear to be commissioned to go after specific technologies or companies within a particular industry.

Experts and analysts also claimed that the malware and tools have not got much more sophisticated in recent years, instead relying on burying malware deep in computer networks so it can be used again over the course of several months or even years.

A report from last month by the US National Counterintelligence Executive openly named China and Russia as key cyber threats, saying that "the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace".

However, cyber security analyst Jeffrey Carr disputed the claims, saying that the researchers quoted in the article (Mandiant and Dell SecureWorks) have a vested interest in painting China as the bad guy since the bulk of their marketing is advanced persistent threat-centric, with APT being 'code' for China.

In a blog posting, Carr also said that the 12 hacker groups have not been named, which prevents independent analysis being performed by individuals who don't have a vested interest in the outcome.

He further said: “There's been no proven reliable way to assign attribution. Digital DNA is a marketing ploy, not a fact. It conflicts with our own research on state and non-state actors involved in cyber espionage.

“It conflicts with our confidential work in incident response and protection for Taia Global clients, including members of the Defense Industrial Base. It lacks rigour. For example, I highly doubt that either Mandiant or Dell SecureWorks applied negative analysis to their findings before making their claims (i.e., looked for reasons why their findings could be wrong – a standard analytic technique).”

Carr called it "sensationalist reporting" that "feeds anti-China paranoia while minimising the role of many other state actors engaging in the same activity as China".

“Senators and Congressmen unfortunately don't have enough knowledge about cyber security to discern truth from fiction so what starts off as highly questionable analysis soon becomes terrible US government policies; especially when it is advocating for permission for civilian US companies to counterattack a specific nation's network. There has never been a worse idea in the history of bad ideas than that one,” he said.

This article originally appeared at scmagazineuk.com