Pierluigi Paganini June 23, 2016

According to the experts from FireEye attacks from China against the US started declining in mid-2014 and has continued to decrease, why?

Earlier this week, FireEye released a report showing a significant decline in cyber-attacks originating from China.  According to the report, the attacks started declining in mid-2014 and has continued.  According to FireEye, the decline in activity can be attributed to several factors such as the Just Department’s indictment of several PLA officers believed to have been involved in several high-profile attacks against US military interests as well as Preside Barrack Obama’s insistence that China stops its espionage program against the US or suffer economic sanctions. Despite FireEye’s findings, many remain skeptical.

According to iSight Partners, the decline in Chinese attacks against the US actually had been declining nearly a year before Chinese President Xi and Obama agreed to a cyber cease fire.  In iSight’s analysis concluded that the decline in attacks has more to do with Xi’s crack down in 2012 of hackers profiting from their attacks.  Xi has made a crackdown on government and military corruption for financial gain and centerpiece of his domestic policies.  It is likely that this crackdown has extended to PLA units and their military handlers as China’s espionage program matures and better managed.

Perhaps more intriguing than the decline in Chinese cyber-spying against the US is FireEye’s conclusion that attacks that are occurring are made with more precision.  This may lend support to Xi’s overall objective of rooting out corruption is working.   Although it can’t be said for sure, it is likely that new PLA tactics are becoming harder to detect as the PLA hardens its abilities and institutes better tradecraft to hide is activities.  Even FireEye admits that the level of sophistication and selective targeting by China is now the new normal.  There are also other factors to consider.

It has long been believed that China has an unlimited supply of Chinese hackers.  I myself know that the black hat community in China is very robust, with black hat hacking groups gathering several times a year to share their techniques, tactics, and protocols in and around China’s technology centers.  Regardless, there are limitations to the number of attacks that can be carried out by the attackers if the PLA is being more selective in its targeting.  It is likely that PLA, or other handlers of non-government black hats, are tightening up its activities as to not draw the attention of President Xi.

The theories for the decline are almost as endless as malware variants but perhaps the most likely scenario is less about President’s Xi’s domestic policies and more about his geopolitical ambitions.  In recent years, China has expanded its economic reach globally with a strong focus on South and Central Asia; more specifically, China’s “One Belt, One Road” initiative.

The goal behind the initiative is to provide trade routes from as far west as Iran and east to Indonesia.  These trade routes that include land and sea transit routes for energy and goods pass through some of the world’s least stable countries.  Pakistan and Afghanistan are two good examples, political instability and terrorism are significant risks to China’s goals.  Terrorist groups such as the Taliban are heavily entrenched in some of these areas. There are also tribal disputes and other Islamic militants to consider.   For this, it is likely that China has shifted its attention from what it feels comfortable knowing, the US, to what it doesn’t.

Cyber targeting Kazakhstan, India, and Vietnam may represent far more important sources of information to execute Xi’s long-term ambitions at this moment than the next US military weapon system.  If this is true, it may signal Beijing’s desire to take on the US economically rather than militarily.

China’s espionage program has often been seen using the least amount of force to compromise its target often exploiting the weakest vulnerabilities first, such as Windows XP, or other unpatched systems, then escalating up.  It is likely that the infrastructures in developing countries such as Afghanistan and others along the One Belt, One Road trade routes have weak infrastructures that require little skills to penetrate.  It would only make sense that China would use its most sophisticated hacks and hackers for high value targets in the US, shifting a majority of its less experienced hackers on unhardened systems that are easily compromised.

Written by: Rick Gamache

Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past work includes the Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program.  Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate global supply chains.

LinkedIn – https://www.linkedin.com/in/rick-gamache-cissp-021ab43

Twitter – https://twitter.com/thecissp

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – fabrication-time attacks, backdoor)