Banks looking to do business in China may want to shore up their cyber defenses.
Hackers tied to China's military have stolen data from hundreds of U.S. companies, including financial firms, over the past six years, some American computer security researchers have charged.
Since 2006, the group, dubbed APT1, has swiped business plans, technology blueprints, manufacturing processes, testing results, pricing documents, emails and contact lists, and network user credentials from at least 141 companies in 20 industries in 15 countries, including 115 victims in the U.S., according to a report published Tuesday by Mandiant, a digital security firm.
The financial services industry is among those compromised by APT1, although information technology, aerospace, public administration, telecommunications and scientific organizations make up most of the group's victims.
Though financial firms have suffered fewer than five attacks by the group compared with information technology targets, which have endured nearly 20, any company that does business in China can draw APT1's attention.
Triggers for the Chinese unit include signs that a foreign company is being acquired by a Chinese company or that a company is looking to do business in China, Richard Bejtlich, Mandiant's chief security officer, told American Banker. "Then the Chinese will attack one of the parties, trying to learn more about the deal," he says. "You could be doing business in China, or setting up a research center, or getting a license, and you find yourself in their crosshairs."
APT1 has spent less time targeting the financial industry, says Bejtlich, who adds that the top threat to banks continues to come from Eastern Europe. "The primary threat is still from the cybercrime side, groups who are trying to steal easily monetizable information or attack the infrastructure of the financial services community," he says.
For its part, the Chinese government has denied the allegations. "Cyberattacks are anonymous and transnational, and it is hard to trace the origin of attacks, so I don't know how the findings of the report are credible," Foreign Ministry spokesman Hong Lei is said to have told reporters on Tuesday.
Hong countered that China has weathered cyberattacks that have originated in the U.S.
According to Mandiant, APT1 has carried out attacks from a compound in Shanghai that houses a unit of the People's Liberation Army, which is said to sponsor the hackers.
APT1 penetrates victims' networks by sending an email that displays a sender's name or other information that induces recipients to open it. The emails also carry attachments that resemble familiar files. Opening them can install malicious software that opens a back door into the network, which the intruders use to capture keystrokes, gather passwords and control the network in various ways. In the later stages of an attack, APT1 installs more back doors and uses the stolen credentials to log on to the network directly.
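As an added example (not code from the article or from Mandiant), the following Python script triages an incoming message for the two lures just described: a familiar sender name sitting on an unfamiliar address, and an attachment that looks like a document but is an executable or an archive. The sample message is constructed, and KNOWN_CONTACTS is a hypothetical lookup that a real deployment would fill from its own address book.

```python
"""Heuristic triage for the spear-phishing lure described above.

Added example; not code from the article or from Mandiant. The message
below is constructed, and KNOWN_CONTACTS is a hypothetical directory of
trusted correspondents.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical directory: normalised display name -> address on file.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@example-bank.com",
}

# Extensions Windows will execute, whatever icon the file shows.
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|js|vbs|lnk)$", re.I)
# A document extension followed by a second extension, e.g. report.pdf.exe.
DOUBLE_EXT = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|ppt|pptx|txt)\.[a-z0-9]{1,4}$", re.I)
# Archives hide the real extension of their contents from a quick glance.
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/x-rar-compressed"}


def sender_mismatch(msg):
    """True when the From display name belongs to a known contact but the
    actual address differs from the one on file: the familiar-name lure."""
    name, addr = parseaddr(msg["From"])
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    return expected is not None and addr.lower() != expected


def suspicious_attachments(msg):
    """Filenames of attachments that are executables, double-extension
    disguises, or archives."""
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if EXEC_EXT.search(fname) or DOUBLE_EXT.search(fname):
            hits.append(fname)
        elif part.get_content_type() in ARCHIVE_TYPES:
            hits.append(fname)
    return hits


def triage(raw):
    """Parse a raw RFC 5322 message and return both indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "sender_mismatch": sender_mismatch(msg),
        "attachments": suspicious_attachments(msg),
    }


# Constructed sample: a known contact's name on a foreign address, carrying a
# disguised executable. The base64 body is a stub, not real malware.
SAMPLE = """\
From: Jane Doe <jane.doe@mail-example.net>
To: analyst@example-bank.com
Subject: Q3 pricing review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please look over the attached pricing sheet before the call.
--b1
Content-Type: application/octet-stream; name="pricing_review.pdf.exe"
Content-Disposition: attachment; filename="pricing_review.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Both checks are heuristics, not verdicts: a legitimate contact writing from a personal address trips the first, and a renamed executable with a plain `.doc` name slips past the second, which is why a mail gateway should also inspect file magic bytes rather than trust the filename.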
Eventually, APT1 drains documents, emails and other files from the network to computers the group controls. Mandiant researchers say they have seen APT1 steal as much as 6.5 terabytes of compressed data from a single victim over the course of 10 months.
To help companies strengthen their defenses against APT1, Mandiant has published roughly 3,000 indicators allegedly used by the group: domain names, IP addresses, SSL certificates and MD5 hashes of its malware.
Bejtlich advises companies to download the indicators and use them to check whether their systems have been compromised. He also suggests that companies assess whether they are doing business that would attract attention from APT1 or a similar group.
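As an added example (not Mandiant's tooling and not code from the article), the following Python script shows the kind of sweep Bejtlich describes: it loads indicators of three of the kinds the report publishes, scans DNS and proxy log lines for hostnames and addresses that match, and compares a file's MD5 against the hash list. The indicator values, log lines and file contents are all constructed for the example.

```python
"""Sweep local logs and files for published indicators of compromise.

Added example, not Mandiant's tooling. The indicator sets and log lines
are constructed; a real sweep loads the report's appendices instead.
"""
import hashlib
import re

# Constructed indicator sets. The IPs are RFC 5737 documentation addresses
# and the MD5 is md5(b"abc123"), standing in for a malware sample hash.
IOC_DOMAINS = {"update.evil-example.net", "news.evil-example.com"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_MD5 = {"e99a18c428cb38d5f260853678922e03"}

# Hostnames (at least one dotted label plus an alphabetic TLD) and IPv4s.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_hit(host):
    """Return the matching indicator for an exact match or any subdomain.
    Subdomains count because an attacker points arbitrary hostnames at
    domains they control; a plain set lookup would miss them."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines):
    """Return (line_number, indicator) for every log line touching an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ioc = domain_hit(host)
            if ioc:
                hits.append((n, ioc))
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


def hash_hit(data):
    """Return the MD5 of the given file bytes if it is a published hash."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in IOC_MD5 else None


# Constructed DNS and proxy log lines; 10.0.0.0/8 hosts are internal clients.
SAMPLE_LOG = [
    "2013-02-19T10:01:02Z dns client=10.0.0.5 query=www.example-bank.com type=A",
    "2013-02-19T10:01:09Z dns client=10.0.0.5 query=cdn.update.evil-example.net type=A",
    "2013-02-19T10:01:10Z proxy client=10.0.0.5 dst=203.0.113.45:443 method=CONNECT",
    "2013-02-19T10:02:41Z proxy client=10.0.0.9 dst=192.0.2.10:80 host=intranet.example-bank.com",
]

if __name__ == "__main__":
    for n, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ioc}")
    print(hash_hit(b"abc123"))
```

Two caveats a practitioner would add to this sweep: infrastructure in a public report is usually abandoned by the group soon after publication, so a clean result shows only that the known indicators are absent, not that the group is; and the same internal client (10.0.0.5 above) resolving an indicator domain and then connecting to an indicator address within seconds is a stronger signal than either hit on its own, so the hits are worth correlating by client rather than counting.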