Chinese cyberattacks against close U.S. ally India have been a perennial problem for at least a decade, according to a cybersecurity company that tracks the matter.
FireEye, an 11-year-old company that specializes in defending against Chinese cyberattacks, announced last Friday that an advanced persistent threat, or APT, group in China was waging an “advanced campaign” to gain access to strategic computer systems in India. The group “sent targeted spear phishing emails containing Microsoft Word attachments” to more than 100 victims “with a focus on governmental, diplomatic, scientific and educational organizations,” FireEye reported.
It’s the latest incident in a region that isn’t fully prepared to defend against Chinese cyberattacks, said Bryce Boland, the company’s chief technology officer for the Asia-Pacific region. “Most organizations in Asia are poorly equipped to contend with modern cybersecurity threats,” Boland told the Washington Examiner. “Legacy security solutions aren’t able to keep up with attackers who can now easily create unique malware, which slips right past them. Most organizations in Asia haven’t yet brought together the combination of technology, expertise and threat intelligence that’s necessary for a strong defense.”
In April, FireEye published a report on a Chinese hacking group that it called APT30. According to FireEye, APT30 began targeting government and commercial enterprises in India in 2005. The group was continuing to operate as recently as 2014. Based on the sophistication and sustained nature of APT30’s attacks, FireEye said, the group was probably state-sponsored, “most likely by the Chinese government.”
“Individuals don’t stand a chance against a determined adversary like APT30,” Boland said. “The challenge isn’t analogous to picking out Nigerian scam e-mails from years ago. These groups carefully research their targets and craft personal messages which appear to come from someone their target knows. The malicious attachments contain information relevant to their targets.”
The APT30 report cites one example of the group targeting journalists. In one instance, the group sent a reporter an e-mail with an attachment that promised to be a transcript of a Chinese press briefing. Rather than opening the attachment, the victim reported it to FireEye, which noted, “APT30 sent this message to over fifty other journalists of major global news outlets, including both official work accounts and personal email accounts.”
Reporters targeted by APT30 wrote on a small set of issues that FireEye identified. They included the Chinese economy; corruption and human rights issues in China; national defense and maritime disputes; and technological developments. FireEye didn’t provide details on the journalists who were targeted, but Boland said that they included correspondents for Western and other global news outlets.
Particularly when APT30 targeted Indian journalists, FireEye reported, it sent them e-mails pertaining to those areas of interest. “Several of APT30’s decoy themes have centered on Indian defense and military maritime topics. In particular, a number of spear phishing subjects have related to Indian aircraft carrier and oceanographic monitoring processes, which probably indicates a specific interest in naval and maritime themes around Indian military activity and disputes in the South China Sea.”
Boland said that in addition to lacking the resources to defend against attacks, India is still working to change the workplace practices that make cyberattacks easier. “This group could have had success targeting a lot of organizations in the U.S. with the same tools and techniques, but there are factors that made attacks on India easier,” Boland said, such as government employees’ use of free, public email addresses for official business. The government banned the use of Gmail and Yahoo Mail for official business in February.
Boland also said that it was difficult to ensure that every employee was safe in a large bureaucracy, explaining that once attackers gain access to a single computer, they can go on to compromise the wider network. “Even if most people in a given organization are very savvy, attackers only need to succeed once to compromise the network.”
He also said that it was only through time and repeated reports that FireEye identified the breach. “We’ve seen other security researchers post about this group’s activity previously, and based on intelligence shared from our customers and some other research, we were able to paint a bigger picture,” Boland said.
Prevention, Boland and other experts say, requires up-to-date technology that is patched often, and mechanisms in place, such as those provided by cybersecurity firms, to detect when systems have been compromised. Yet even with the best technology at work, APT groups that find vulnerabilities can stay in a system undetected for some time. In the largest hack of an American agency to date, the U.S. Office of Personnel Management was breached in December 2014, but the breach went undetected until April 2015. It took two more months before officials discovered that it had affected 22 million people, not the four million they originally believed.
As the Examiner previously reported, Indian officials came to Washington for their fourth annual “Cyber Dialogue” this month. Officials from both countries are planning to hold their fifth meeting in New Delhi next year.