If, by chance, some extended space travel took you out of Earth's orbit for the past 25 years and you just returned, you might be excused for thinking not much has changed in foreign relations. Western leaders like Canadian Prime Minister Stephen Harper are back to referring to the NATO countries as the “free world” and relations with Russia (yeah, we call it that, again) are chilly once more. China? Still red, and still spying on us, although now the Cold War is fought through advanced persistent threat (APT) in the cloud, on email servers and over mobile devices.
In February 2013, Alexandria, Va.-based Mandiant provided a detailed view inside the activities of APT1 – a unit of the People's Liberation Army (PLA) operating primarily out of Shanghai's Pudong New Area – which had compromised an estimated 141 organizations in 20 major industrial sectors.
“That report was important for a number of reasons,” says Amit Yoran (below), general manager and senior vice president of RSA Security in Bedford, Mass., and a former director of the Department of Homeland Security's National Cyber Security Division. “It provided some interesting specifics and raised awareness of these types of activities.”
While he says those within the security community merely shrugged at the confirmation of what they already suspected, the Mandiant report heightened people's understanding of how far foreign nations will go to obtain information.
Three months later, leaks from former Booz Allen Hamilton contractor Edward Snowden illustrated that China was not the only country playing the game.
“It wasn't unknown that spying was going on, but the increased profile changed the environment beyond the narrow core,” says Larry Clinton, president and CEO of the Internet Security Alliance, a nonprofit collaboration between trade associations and academia focused on cyber security.
“The technical content of the Mandiant report was not a shock,” agrees Michael Sutton, vice president of security research at San Jose, Calif.-based Zscaler, but he says the sudden public spotlight forced the PLA unit underground for about three months.
Despite the disruption, says Alex Cox, a senior research analyst at RSA FirstWatch, “It didn't really change things. The past six months have been business as usual for those guys.”
The weakest link
In this instance, business as usual means setting watering-hole traps and launching the kind of spear-phishing attacks that have reached as high as some federal government departments in the West.
“People continue to be the weakest link,” says Cox. “These APT crews know they can break in, and as far as security goes, we're seeing the same level of sophistication, or lack thereof, among Fortune 100 companies.”
Yoran adds that since the revelations there have been some changes in the tools and techniques being used. “But, that's just par for the course, over time. We are dealing with some very focused adversaries.”
In an email response on behalf of Communications Security Establishment Canada – the country's secretive cryptologic agency – spokesperson Ryan Foreman wrote: “Cyber threat actors are constantly probing government systems and networks looking for vulnerabilities. These activities are becoming more frequent and more sophisticated.”
Meanwhile, Cox says that the majority of attacks continue to emanate from China – and whether they are state-sponsored continues to be debated – but adds that countries like Russia and India are also active sources.
“Basically, everybody's doing it,” he says. “A lot of it is retaliatory, some of it is politically motivated. Not everything we see is a state-sponsored attack.”