Chinese, Iranian, Russian Hackers Honing Their Attack Skills

The National Security Agency and security firm FireEye recently detected extensive attacks by Iran on U.S. banks, businesses and government agencies, prompting the Department of Homeland Security to declare an emergency during the government shutdown. The attacks from Iran took place at the same time that China renewed its efforts to steal trade and military secrets from Boeing, General Electric Aviation and T-Mobile. Meanwhile, Microsoft detected a Russian government operation targeting think tanks critical of Russia.

The New York Times reports that it was unclear if the Chinese attacks against the three U.S. companies were successful, and all the companies “declined to discuss the threats.” Four years ago, in the wake of a landmark deal struck by President Obama and President Xi Jinping, attacks to steal trade secrets cooled off considerably. But this agreement “appears to have been unofficially canceled amid the continuing trade tension between the United States and China,” said sources, and “Chinese hacks have returned to earlier levels, although they are now stealthier and more sophisticated.”

During the lull, says NYT, “the hackers substantially improved their skills.” Chinese hackers mainly focus on “commercially motivated attacks,” whereas Russian hackers, considered more of a threat, “are believed to have launched attacks on nuclear plants, the electrical grid and other targets.” Chinese hackers are “supporting Beijing’s five-year economic plan, which is meant to make China a leader in artificial intelligence and other cutting-edge technologies.”

“The fingerprint of Chinese operations today is much different,” said former NSA head of the East Asia and Pacific cyberthreat division Priscilla Moriuchi. “These groups care about attribution. They don’t want to get caught.” Of the recent attacks, “only Airbus has acknowledged in recent weeks that Chinese hackers had penetrated its databases.”

According to security researchers, Iranian hacks, exploiting weaknesses in the Internet’s backbone, “were continuing and were more damaging and widespread than agency officials had acknowledged.” Iranian hackers have gone after 80 targets, “including Internet service providers, telecommunications companies and government agencies” in 12 European countries and the U.S.

FireEye reported that “Iranian hackers have been going after the Internet’s core routing system, intercepting traffic between so-called domain name registrars,” and then using “stolen login credentials to gain access to their victims’ emails.” “They’re taking whole mailboxes of data,” said FireEye senior manager of cyberespionage analysis Benjamin Read, who added that the Iranians are targeting “police forces, intelligence agencies and foreign ministries.”

The Washington Post reports that Microsoft identified the two attacks as emanating from the APT28 hacking group (also known as Strontium or Fancy Bear), “a unit of Russian military intelligence that interfered in the 2016 U.S. election.” That group has also attacked “more than 100 European employees of the German Marshall Fund, the Aspen Institute Germany, and the German Council on Foreign Relations,” all groups engaged in transatlantic policy.

The attacks, over the last three months of 2018, “come ahead of European parliamentary elections in May … [and] highlight a continuously aggressive campaign by Russian operatives to undermine democratic institutions in countries they see as adversaries.” Microsoft warned that the attacks “validate the warnings from European leaders about the threat level we should expect to see in Europe this year.”

Related:
Australia Says Foreign Government Behind Cyberattack on Parliament, The Wall Street Journal, 2/18/19
Russian Hackers Go From Foothold to Full-On Breach in 19 Minutes, Wired, 2/19/19