The massive Operation Aurora cyber attack last month, apparently launched from command and control server computers in Taiwan, is part of a larger and sustained effort that has been stealing data for years.
Although computer forensics experts have been unable to trace the recent Aurora attack back to China, they do not believe that Aurora originated in Taiwan, the Silicon Valley of the western Pacific. Public details about the cyber attack on major corporations in the United States are scanty as the companies try to assess the damage.
The Department of Defense held a conference with top computer security experts last week in St. Louis, Missouri to discuss the problem. One of the participants, Mandiant, a security consulting firm, has released a report on its findings.
Although sanitized by removal of corporate and government names, Mandiant’s technical report opens a window on the scope and sophistication of the cyber intrusions.
“The scale, operation and logistics of conducting these attacks–against the government, commercial and private sectors–indicates they are state-sponsored. The Chinese government may authorize this activity, but there is no way to determine the extent of its involvement. Nonetheless, we have been able to correlate almost every APT [Advanced Persistent Threat] intrusion we have investigated to current events within China.”
Mandiant explains that the APT has infiltrated thousands of computers over the last half-decade and that many efforts to stop the cyber penetration have actually aided the hackers: by revealing which machines had been detected, they allowed the hackers to escalate data collection on the machines that remained undetected. The hackers use sleeper viruses that sit undetected until they activate, install “back doors” on infected machines, and steal PDF files, Microsoft-created documents, and email traffic.
Mandiant offered a peek into the damage with several unidentified case studies from 2009.
One medium-sized defense contractor that conducts research for the U.S. government had 100 infected computers and twenty infected workstations that had escaped the company’s own anti-intrusion efforts; they had been loaded with Aurora-style malware since 2007.
A large-sized defense contractor was found in 2009 to have ten compromised systems with sleeper back doors indicating the long-range nature of the intrusion. A second sweep found 150 more compromised systems, spread by the first layer of the hack.
Another large-sized defense contractor also discovered 150 infected computers that had been leaking data for several years. One of the machines had 95 different malware additions as hackers modified their viruses to avoid detection. The APT hackers were able to adjust to software changes within hours, even cracking encrypted code, and in one case used a remediated computer within 24 hours of its having been cleaned.
“This is a war of attrition against an enemy with extensive resources. It is a long fight, one that never ends. You will never declare victory.”
To read the full Mandiant report, you may download it from their website: