Banks looking to do business in China may want to shore up their cyber defenses.
Hackers tied to China's military have stolen data from hundreds of U.S. companies, including financial firms, over the past six years, some American computer security researchers have charged.
Since 2006, the group, dubbed APT1, has swiped business plans, technology blueprints, manufacturing processes, testing results, pricing documents, emails and contact lists, and network user credentials from at least 141 companies in 20 industries in 15 countries, including 115 victims in the U.S., according to a report published Tuesday by Mandiant, a digital security firm.
The financial services industry is among those compromised by APT1, although information technology, aerospace, public administration, telecommunications and scientific organizations make up most of the group's victims.
Though financial firms have suffered fewer than five attacks by the group compared with information technology targets, which have endured nearly 20, any company that does business in China can draw APT1's attention.
Triggers for the Chinese unit include signs that a foreign company is being acquired by a Chinese company or that a company is looking to do business in China, Richard Bejtlich, Mandiant's chief security officer, told American Banker. "Then the Chinese will attack one of the parties, trying to learn more about the deal," he says. "You could be doing business in China, or setting up a research center, or getting a license, and you find yourself in their cross hairs."
APT1 has spent less time targeting the financial industry, says Bejtlich, who adds that the top threat to banks continues to come from Eastern Europe. "The primary threat is still from the cybercrime side, groups who are trying to steal easily monetizable information or attack the infrastructure of the financial services community," he said.
For its part, the Chinese government has denied the allegations. "Cyberattacks are anonymous and transnational, and it is hard to trace the origin of attacks, so I don't know how the findings of the report are credible," Foreign Ministry spokesman Hong Lei is said to have told reporters on Tuesday.
Hong countered that China has weathered cyberattacks that have originated in the U.S.
According to Mandiant, APT1 has carried out attacks from a compound in Shanghai that houses a unit of the People's Liberation Army, which is said to sponsor the hackers.
APT1 penetrates victims' networks by sending emails that display a sender's name or other information that induces recipients to open them. The emails also include attachments that resemble familiar files. Opening them can install malicious software, which opens a back door to the network that the intruders use to capture keystrokes, gather passwords and control the network in varied ways. In the advanced stages of an attack, APT1 installs more back doors and uses stolen credentials to log on to the network directly.
Eventually, APT1 drains documents, emails and other files from the network to computers the group controls. Mandiant researchers say they have seen APT1 steal as much as 6.5 terabytes of compressed data from a single victim over the course of 10 months.
To help companies strengthen defenses against APT1, Mandiant has published roughly 3,000 domain names, Internet addresses, encryption certificates and malware algorithms allegedly used by APT1.
Bejtlich advises companies to download the information and use it to find out if their systems have been affected by the problem. He also suggests companies assess whether they are doing business that would attract attention from APT1 or a similar group.
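One way to act on that advice, as an added example that is not from the Mandiant report or this article: a small Python matcher that loads a domain/IP indicator list and checks proxy log lines against it, treating subdomains of a listed domain and addresses inside a listed network as hits. The indicator values, the five-field log layout and the log lines are constructed placeholders, not values from the APT1 appendix.

```python
import ipaddress

# Constructed sample indicator feed (not Mandiant's actual APT1 values), one per line.
SAMPLE_INDICATORS = """
bad-example.test
203.0.113.0/24
"""

# Constructed proxy log lines: time, source host, destination IP, method, URL.
SAMPLE_LOG = """\
2013-02-19T10:01:02Z ws-0417 203.0.113.44 GET http://203.0.113.44/a.gif
2013-02-19T10:07:45Z ws-0417 192.0.2.50 POST http://cdn.bad-example.test:8080/up
2013-02-19T10:09:00Z ws-0211 192.0.2.9 GET http://notbad-example.test/home
"""

def load_indicators(text):
    """Split an indicator list into a set of domains and a list of IP networks."""
    domains, networks = set(), []
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:  # a bare IP parses as a /32, so one check covers both forms
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.rstrip("."))
    return domains, networks

def domain_matches(host, domains):
    """Return the indicator matching host or any parent domain (label-aligned,
    so 'notbad-example.test' does not hit the indicator 'bad-example.test')."""
    labels = host.lower().rstrip(".").split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels)))
    return next((c for c in candidates if c in domains), None)

def ip_matches(addr, networks):
    """Return the indicator network containing addr (as a string), or None."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in networks if ip in n), None)

def scan_log(log_text, domains, networks):
    """Return (timestamp, source host, indicator) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst_ip, _method, url = line.split()[:5]
        host = url.split("//", 1)[-1].split("/", 1)[0].split(":")[0]
        hit = ip_matches(dst_ip, networks) or domain_matches(host, domains)
        if hit:
            hits.append((ts, src, hit))
    return hits
```

Each hit names the source workstation, which is the starting point for the triage Bejtlich describes: finding the intrusion quickly rather than assuming it was blocked.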
"What you'll find is there is no one out there who is 100% able to stop these attacks," Bejtlich said. "The goal should be to find them quickly and stop them before they can accomplish the mission. Then you win, by preventing them from accomplishing their mission or a theft of data."
Bejtlich also says companies need to do much more than install technology. "If you look around and talk to your staff, and no one has the job of finding active bad guys in your company, then you have problems," he says.
The report comes as cyber threats ratchet up in intensity. Nearly one-third of cyberattacks last year showed the highest level of threat, as measured by duration, number of vectors and complexity, compared with 7% of attacks that displayed such characteristics in 2011, according to Radware, a digital security firm.
The White House recently issued an executive order intended to secure the nation's critical infrastructure against cyberattack, while House Intelligence Committee Chairman Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.), the panel's ranking member, reintroduced legislation that would encourage sharing of information between companies and government agencies about cyber threats.