Jan 28 2008
Of interest to Dark Visitor readers is item number three in the SANS list:
Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data – Particularly Using Targeted Phishing
One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.
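The "attack of choice" sketched above combines two things a mail gateway can actually look for: an Office attachment and a sender identity dressed up to look like a trusted source. The following Python script is an added example (not from SANS or from this blog) showing a minimal triage check over constructed sample messages; the internal domain, the extension list and the three synthetic messages are assumptions made for the demonstration.

```python
"""
Mail-triage helper for the spear-phishing pattern described above: an Office
attachment delivered under a sender identity that imitates a trusted source.
Added example; the sample messages are constructed here, not taken from any
real incident, and the internal domain and extension list are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Hypothetical internal domain of the organisation running the check.
INTERNAL_DOMAIN = "example-corp.test"

# Attachment types the SANS item singles out (Office documents), plus two
# executable types. Assumed list; extend to match local policy.
RISKY_EXTENSIONS = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx", ".exe", ".scr"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> dict:
    """Parse one message and return the sender and attachment indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    display = (sender.display_name if sender else "").lower()
    domain = (sender.domain if sender else "").lower()

    # 1. Sender domain one or two characters away from our own.
    if domain and domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        indicators.append("lookalike_domain")

    # 2. Display name carrying an internal address or domain while the real
    #    address is external (the "trusted source" dressing).
    if domain != INTERNAL_DOMAIN and ("@" in display or INTERNAL_DOMAIN in display):
        indicators.append("display_name_impersonation")

    # 3. Reply-To pointing at a domain other than the From domain.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != domain:
        indicators.append("reply_to_mismatch")

    # 4. Office or executable attachment, judged by file extension only.
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(PurePosixPath(name).suffix.lower() in RISKY_EXTENSIONS for name in attachments):
        indicators.append("risky_attachment")

    sender_indicators = [i for i in indicators if i != "risky_attachment"]
    if "risky_attachment" in indicators and sender_indicators:
        verdict = "quarantine"
    elif indicators:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"sender": sender.addr_spec if sender else "", "attachments": attachments,
            "indicators": indicators, "verdict": verdict}


def build_sample(from_hdr: str, filename: str, reply_to: str = "") -> bytes:
    """Construct a synthetic message for the demonstration (not a real capture)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "analyst@example-corp.test"
    m["Subject"] = "Document for review"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please see the attached file.")
    m.add_attachment(b"\xd0\xcf\x11\xe0 constructed bytes, not a real document",
                     maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one ordinary internal mail and two that match the pattern.
SAMPLES = {
    "benign": build_sample("Colleague <colleague@example-corp.test>", "notes.txt"),
    "lookalike": build_sample("Procurement Office <procurement@examp1e-corp.test>",
                              "schedule.doc"),
    "impersonation": build_sample('"director@example-corp.test" <d.lee@webmail.test>',
                                  "budget.xls", reply_to="d.lee@otherhost.test"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The extension check is deliberately the weakest part: it catches the attachment type the SANS item names, but a document exploiting an unpatched Office parser looks like any other document at this layer, which is why the verdict leans on the sender indicators rather than on the attachment alone.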
The open-source information we have so far about this type of well-resourced [Chinese] cyber espionage is anecdotal and positive attribution hasn’t been possible. Our only sources are the Rolls-Royce information (very detailed) and Charlie Chen. The information that we have from DoD sources is very limited on detail, and a lot of readers are inclined to dismiss it because attribution by IP address only is pretty unreliable. I think there is a lot more going on behind the scenes than IP geolocation. Consider the information that has been exfiltrated. Consider the methods that were used to harvest email addresses to use for social engineering. Consider the tools that were used, and then you have a much better picture. Let’s face it, script kiddies aren’t interested in Naval Order of Battle in the Taiwan Strait. Also, script kiddies aren’t after specific information from the world’s largest research-based pharmaceutical company.

Update: I neglected to reference another attack with some good details: SANS ISC covered the spear-phishing attack on 30 members of Fa1un G0ng, which is banned in the PRC.