In 1986, a German hacker named Markus Hess spent ten months ‘inside’ ARPANET, the US military and academic network that spawned the Internet.
According to Clifford Stoll, the astrophysicist turned systems administrator who eventually caught Hess, he had accessed ARPANET by breaking into a German university that was connected to the network. From there, he compromised machines at the Lawrence Berkeley National Laboratory and used them as a hub to access the other nodes on the network, accumulating data as he went.
By many reckonings, Hess’s attack on ARPANET was the world’s first advanced persistent threat (APT). APT is an increasingly common term that is used to describe a particular kind of IT security attack, in which a hacker establishes a remote presence on a particular network, from where they can search out interesting and valuable data.
Organisations that claim to have fallen victim to an APT include security vendor RSA, which says the 2010 breach that led to its SecurID two-factor authentication being compromised was an APT, and US space agency NASA. Last week, a report from NASA’s inspector general revealed that “mission systems” had been breached by 13 separate APTs last year alone, despite the organisation’s $58 million security budget.
According to Laura Aylward, an analyst for security consultancy Context, what separates an APT from a common-or-garden hack is that it has the specific goal of remaining undetected on corporate networks and extracting as much data as possible.
The initial point of entry for an APT is usually an email with an attachment, says Aylward, disguised as a PDF or a Word document, that contains remote command software. A well-executed attack will spoof an email that fits into the company’s operations, such as a press release that needs urgent approval from the PR department, she adds.
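A defender-side illustration of the disguise Aylward describes, added here and not code from the article or from Context: a check that an attachment’s leading bytes match the document type its file name claims. The file signatures are standard format magic numbers; the sample attachments are constructed inline and are not real files.

```python
"""Flag e-mail attachments whose content disagrees with the document type their
name claims (an executable posing as a PDF or Word file). Added illustration,
not code from any vendor quoted in the article; samples below are constructed."""

# Leading bytes (magic numbers) of genuine document formats, keyed by extension.
DOCUMENT_MAGIC = {
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file (legacy Office)
    "docx": (b"PK\x03\x04",),                       # OOXML is a zip container
}
# Signatures of files that run code directly and should never arrive as a "document".
EXECUTABLE_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict; 'suspicious' is True when name and content disagree."""
    exts = filename.lower().split(".")[1:]  # every extension, e.g. ["pdf", "exe"]
    claimed = exts[-1] if exts else ""
    actual = next((label for magic, label in EXECUTABLE_MAGIC.items()
                   if data.startswith(magic)), None)
    verdict = {"filename": filename, "claimed": claimed,
               "actual": actual or "not executable", "suspicious": False, "reason": ""}

    # 1. Double extension: "brief.pdf.exe" looks like a PDF where ".exe" is hidden.
    if claimed in EXECUTABLE_EXTS and any(e in DOCUMENT_MAGIC for e in exts[:-1]):
        verdict.update(suspicious=True, reason="document-style name with executable extension")
    # 2. Claims to be a document but the bytes are an executable image.
    elif claimed in DOCUMENT_MAGIC and actual:
        verdict.update(suspicious=True, reason=f"claims .{claimed} but content is {actual}")
    # 3. Claims to be a document but lacks that format's signature entirely.
    elif claimed in DOCUMENT_MAGIC and not data.startswith(DOCUMENT_MAGIC[claimed]):
        verdict.update(suspicious=True, reason=f"content does not match .{claimed} signature")
    return verdict


def suspicious_attachments(attachments) -> list:
    """Return the names of attachments that fail the check, from (name, bytes) pairs."""
    return [name for name, data in attachments if inspect_attachment(name, data)["suspicious"]]


# Constructed sample attachments (no real malware involved).
SAMPLES = [
    ("press_release.pdf", b"%PDF-1.7\n%constructed"),       # genuine PDF header
    ("press_release.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # executable posing as PDF
    ("press_release.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # double extension
    ("press_release.docx", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # wrong Office container
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(inspect_attachment(name, data))
```

The check is a cheap first filter; a production mail gateway would also open the container and inspect macros or embedded objects rather than trusting a signature alone.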
Another important characteristic is that APT attacks involve “real people sitting at keyboards, not just a massive, scripted attack,” says Aylward. “APT is hacking with a mission, carried out by people with funding. APT attacks are as advanced as they need to be to complete their assigned mission”.
China’s role in cyber crime
Who are these people sitting at keyboards? The suspicion lies almost exclusively with intelligence forces in China. “Let’s be serious,” Greg Hoglund, CEO of IT security firm HBGary, told Information Age last year. “When someone says APT, they really mean China. It’s very rare that they mean anyone else.”
That is a view shared by US Army Colonel Bill Hagestad. In his recent book 21st Century Chinese Cyberwarfare, Hagestad alleges that the Chinese government was behind multiple cyber attacks on Western military organisations and businesses over the past ten years.
Not everyone is so certain. Eugene Kaspersky, founder of Russian security software vendor Kaspersky Lab, says that proving that Chinese authorities lie behind APTs would require full access to the log data of the Chinese Internet service providers, something that is currently impossible.
“The US has pointed the finger at China for APT attacks because they came from Chinese servers,” Kaspersky says. “If I was a secret service officer, I would not run an attack from my own country. I would use proxy servers in whichever country is easiest to blame for this attack. So perhaps these APTs are Russians, or Iranians, or whoever. It’s so easy to spoof an IP address, we just don’t know.”
Another argument that Hagestad uses to implicate China in APTs is the fact that a lot of malware contains Chinese characters. Again, this is circumstantial, as IT security analyst Jeffrey Carr wrote earlier this year.
“Chinese characters in the code only mean that a Chinese engineer was involved at some point,” Carr observed. “How many Chinese engineers work for Western companies or are naturalized citizens outside of the PRC? I shouldn’t have to state the obvious fact that because you write using Chinese characters doesn’t mean that you work for the Chinese government. That’s beyond simple ignorance; bordering on xenophobia.”
And although Kaspersky confirms that most malware is written in Chinese, this does not make it more effective, as Hagestad argues it does. “The human language doesn’t matter,” he says. “All that counts is how professional the hackers are.”
Kaspersky does not altogether dismiss the idea that Chinese authorities are involved in APTs, however. He notes, for example, that the Chinese government has been particularly active in arresting cyber criminals that attack Chinese business. “I wouldn’t be surprised if the Chinese government was converting these criminals to soldiers,” he says. “I don’t know what the truth is, but that makes sense to me.”
Plus, the fact that Chinese IP addresses are so often used in these attacks does not mean they did not come from China, he says. “Maybe China doesn’t care if the West knows they are behind these APTs,” Kaspersky suggests.
Hagestad argues that it does not care. He believes that economic factors mean China can do what it wants. “The reason there isn’t more uproar [over APTs] is that the Chinese government owns a significant amount of the bond market,” he says. “If US or UK officials were making a cacophony about the Chinese doing this, the Chinese could call in the bonds.”
He concedes that there is only circumstantial evidence linking China to APTs, at least in the public eye. However, he adds that there has been some condemnation of Chinese cyber espionage from Western governments. “I don’t think the discussion makers within the political body of a country would be making accusations about an alleged threat if they didn’t have some kind of credible evidence on the classified side.”
So, are advanced persistent threats the work of a state government hell-bent on intellectual property theft on a global scale, or the glamorisation of more everyday hacks by organisations that should have been able to defend against them? As yet, there is only speculation.