Network Chatter from China
Imagine one hundred container ships full of the most valuable U.S. assets heading to China every day. Diamonds, gold, oil, John Deere Tractors, priceless artwork, Chevy Corvettes, life-saving artificial hearts, books from our historic libraries, soybeans, the latest Intel® processors, Redwood trees, the genuine Constitution of the United States of America, the Statue of Liberty, Boeing Jets, Northrop weapons, Motorola phones and our most precious asset – information.
Information, our irreplaceable intellectual property, is our foremost asset in the U.S. and it is being downloaded every second of every day and being shipped overseas to the People’s Republic of China.
Recently HALOCK was called in to investigate a consultant’s laptop that was causing a considerable amount of network chatter. This caused the organization plenty of concern because the consultant had access to a sufficient amount of intellectual property including a plethora of research data.
HALOCK responded first by imaging the system and conducting computer forensics. We then installed a malware detection device to check for the systemic issues with the modern malware. HALOCK also performed network forensics by reviewing logs and SIEM analysis.
Here is what we found:
- A great deal of malware was detected – over 60 instances.
- Two separate APT’s (Advanced Persistent Threats) from known threat actors associated with the PLA and the People’s Republic of China were also discovered.
This organization was under attack from China.
It was clear to us, and this organization, that China was trying to gain access to research data – and that this organization had insufficient controls in place to stop them.
In the process of this investigation, we discovered that this cyber attack could have been prevented or minimized if the following were in place:
- effective malware defense strategy (tools, process and education)
- effective monitoring of the environment (i.e. managed IDS)
- advanced packet capture capability in order to perform network forensics
- a web application firewall to prevent the initial injection of malware
With cyber-attacks from China on the rise, U.S. businesses are on warning that unless they take the necessary precautions to protect their assets, they could be next to fall victim – and they may already have, and not even know it. According to a recent report* focused on the most prolific cyber espionage group out of China, APT1, this single organization has conducted a cyber-espionage campaign against a broad range of victims since at least 2006. APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors.
HALOCK is a cyber security consulting firm headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable information security services throughout the US.