Welcome!

Article

Chinese Attacks on the Media Industry

Just the Tip of the Iceberg

Two weeks ago the New York Times (NYT), Wall Street Journal (WSJ), Dow Jones (DJ) and Washington Post (WP) all reported being targeted and exploited by Chinese Advanced Persistent Threat (APT) groups.  In most cases, the compromises had reportedly been going on for quite some time and were severe enough that the Media Industry was forced over a barrel, like so many others, to stroke a check for a multi-month "cleanup on aisle nine" incident response effort.

Since the media is a highly relational and "connected" industry, it lends itself to being especially vulnerable to this type of remote exploitation.  Persistent access to media sources would be an obvious target because of the value they would provide to the Chinese. Access to timely confidential information would provide them, off the record notes, embargoed data, as well as sensitive, candid or compromising details of influential policy makers or corporate leaders to name a few.

Operational Caveat:

Cyber Squared has conducted analysis within ThreatConnect.com a threat intelligence-sharing exchange, and observed two dominate trends with regards to the media and Chinese cyber threats.  We have also uncovered additional targets and concluded that the recent attacks on the Media Industry are not the work of a single APT threat, but rather as many as six different threats groups.   All information referenced below is available within ThreatConnect.com to vetted security representatives of the effected media organizations who may register for an account.

Painting a Bigger Picture By the Numbers:

We begin with the primary and most pervasive trend that we see. Generally, Chinese APT groups will establish attack and command and control infrastructure that mimics legitimate news websites or media organizations.

A large majority of targeted spearphishing attacks will appear to be a benign news story emailed to the target with either an attachment or a malicious link.  As the victim interacts with either, their workstation and subsequently their enterprise falls victim to the APT.  In most cases, the attack circumvents traditional host based anti-virus by design. Multiple threat groups use a combination of these techniques to aggressively target their victims.

In another example, we observe multiple Chinese APT groups developing and operationalizing infrastructure so tailored that it most likely indicates that the attackers have operationalized it in an effort to directly target specific media organizations, publications and or individuals, versus indirectly targeting non-media related targets.

From analysis conducted by Cyber Squared's Threat Intelligence Team, we are able to determine that at least six APT groups are targeting the Media Industry.

APT Group 1:

From mid 2012 to present, APT Group 1 used infrastructure and capabilities that were most likely used to directly target the Dow Jones, specifically the Factiva news service, as well as indirectly target countless others with malicious content which appeared to be legitimate news stories from Dow Jones, World News and the Washington Post.  Targeting the Factiva service would have allowed attackers to obtain a wealth of information that could be used to target executives and journalists or react to market events and breaking news that the PRC leadership may consider unfavorable.

In early May 2012, APT Group 1 actors targeted the US think tank industry with a targeted attack from what appeared to be a prominent US Professor of East Asian History and Fulbright researcher.  The message contained a malicious link to a seemingly benign Washington post article about F-16 fighter sales to Taiwan, and commentary as to the sales not being in the best interest of Taiwan.  By early August 2012, APT Group 1 continued to target the US think tank industry, this time with a malicious Microsoft Word document that dropped a customized backdoor that beaconed to a secondary command and control infrastructure, closely associated with infrastructure observed in the May 2012 attack.

APT Group 2:

From late 2011 to present, Cyber Squared has observed APT Group 2 consistently using Beijing based infrastructure to possibly target and/or mimic a large named US and UK Media organization.

APT Group 3:

From mid 2012 to present, Cyber Squared has identified APT Group 3 using infrastructure to possibly target and/or mimic Philippine and Manila based news services.  APT Group 3 was also observed developing infrastructure used to emulate and target a US Defense Contractor who provides direct support to the US Navy in addition to developing infrastructure which mimicked a prominent US Pacific Command (US PACOM) web portal.  APT Group 3 continues to develop infrastructure with a consistent South China Sea and maritime focus.

APT Group 4:

From early 2012 to present, Cyber Squared has identified APT Group 4 using infrastructure to possibly target and/or mimic New York Times and a named Korean news service.

APT Group 5:

From late 2009 to present, Cyber Squared has identified APT Group 5 using infrastructure to possibly target and/or mimic named US, Australian, and Canadian news services.  In one example, Cyber Squared observed APT Group 5 developing infrastructure that appeared to mimic a local Utah based news service in late 2012.  We also observed APT Group 5 using associated infrastructure to most likely target a popular US, world news, finance, business and finance publication, in addition to numerous others within industries such as satellite communications (SATCOM), private sector defense, deep-water drilling and mining, and advanced research.

APT Group 6:

From late 2012 to present, Cyber Squared identified APT Group 6 using infrastructure to most likely target an international, multi-language US based news service that is tied to the Falun Gong, a spiritual movement outlawed in China that is often a critical of Chinese policies and human rights abuses.  Access to the US based news service would provide China State Security personnel insights to the internal news cycles, confidential sources and information that may subject mainland-Chinese journalists and their sources to arrest or intimidation.

Cyber Squared has also identified APT Group 6 most likely targeting a popular international publisher of a global metals journal and metals trading news, further research identified the same group controlling infrastructure that was tailored specifically for a large Japanese steel company and a large multi-national European steel company.  Remote access to these enterprises would provide the PRC timely insights into the metals market, possibly allowing them to obtain an unfair advantage in international metals trading.  Cyber Squared previously observed APT Group 6 targeting US Mining, Metals companies, Aerospace and Defense organizations, Manufacturing and Fabrication, as well as Construction and Engineering companies, all of which were highlighted within our 10 January 2013 blog posting, Victim-nomics: Estimating The "Cost" of Compromise.

Conclusion:

When a particular victim or industry reports a compromise of this nature we must also begin to look for what's below the waterline.  In the case of Chinese based APT's, it is important to understand that victims need not adopt a victim mindset, or assume that they are central to the story.  In many cases, there are others like them who can provide additional insights. When industries establish a community, work together, jointly collaborate and share information about their common attacker, this shared perspective of the adversary allows organizations to minimize the term and efficacy of exploitation operations.  Even from a post-incident perspective, when industries collaborate around common threat intelligence leads they paint a bigger overall picture about what is really going on.

The NYT, WSJ, Dow Jones, and WP can now join the ranks of those like Google, RSA, Lockheed Martin, and Rio Tinto. While these organizations should be applauded for coming forward, it is equally important to consider that of all of these victims who self reported are not the central story to Chinese corporate espionage. There are many more victims and targets.  Had these organizations implemented a community based threat intelligence-sharing program into their security strategy, perhaps the compromises would not have had been so severe. By sharing what they knew, when they knew it, they could have saved someone else from the same fate.  This is no different than how a neighborhood watch works, individual homeowners working as one community jointly with local law enforcement, sharing information to keep each other and their property safe.

As of February 9th 2013, the ThreatConnect.com community was just three months old, and we are already seeing a groundswell of participation.  We are currently tracking over 12,000 actionable APT threat indicators within a growing community of over 150 users and 45 organizational accounts, across numerous sectors and industries.  These users and organizations are following an average of 21 threats groups.  What is important is that all of these organizations have 100% control their data and can choose the data they share and with whom they share it.

ThreatConnect is enabling threat analysts to collect, analyze and share threat intelligence in a timely manner, allowing them to track and mitigate sophisticated threats that may be targeting their networks.  In ThreatConnect we're bringing the framework for a community to streamline trusted sharing, all you need to bring is your desire to not be another headline.

More Stories By Rich Barger

Rich is the Chief Intelligence Officer for Cyber Squared and the ThreatConnect Intelligence Research Team (TCIRT) Director.

Latest Stories
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will deployment. Storage, for instance, is more capable than where we read and write data. In his session at @DevOpsSummit at 20th Cloud Expo, Josh Atwell, a Developer Advocate for NetApp, will discuss the role and value...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busi...
Today, we have more data to manage than ever. We also have better algorithms that help us access our data faster. Cloud is the driving force behind many of the data warehouse advancements we have enjoyed in recent years. But what are the best practices for storing data in the cloud for machine learning and data science applications?
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science" is responsible for guiding the technology strategy within Hitachi Vantara for IoT and Analytics. Bill brings a balanced business-technology approach that focuses on business outcomes to drive data, analytics and technology decisions that underpin an organization's digital transformation strategy.
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term.
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
CI/CD is conceptually straightforward, yet often technically intricate to implement since it requires time and opportunities to develop intimate understanding on not only DevOps processes and operations, but likely product integrations with multiple platforms. This session intends to bridge the gap by offering an intense learning experience while witnessing the processes and operations to build from zero to a simple, yet functional CI/CD pipeline integrated with Jenkins, Github, Docker and Azure...
The now mainstream platform changes stemming from the first Internet boom brought many changes but didn’t really change the basic relationship between servers and the applications running on them. In fact, that was sort of the point. In his session at 18th Cloud Expo, Gordon Haff, senior cloud strategy marketing and evangelism manager at Red Hat, will discuss how today’s workloads require a new model and a new platform for development and execution. The platform must handle a wide range of rec...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...
For years the world's most security-focused and distributed organizations - banks, military/defense agencies, global enterprises - have sought to adopt cloud technologies that can reduce costs, future-proof against data growth, and improve user productivity. The challenges of cloud transformation for these kinds of secure organizations have centered around data security, migration from legacy systems, and performance. In our presentation, we will discuss the notion that cloud computing, properl...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...