The Latest on Chinese-affiliated Intrusions into Commercial Companies


It has been nearly three weeks since the announcement on September 25th of the landmark Cyber agreement between the United States and China in which both nations agreed not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

On the day of the announcement, George Kurtz and I said that CrowdStrike will continue to leverage our CrowdStrike Falcon™ cloud-based endpoint technology, which is deployed in numerous Fortune 500 companies across many industry sectors, to monitor nation-state activities and to notify our customers of any attempted intrusions into their networks.

Today, we would like to give a public report of our observations. Over the last three weeks, the CrowdStrike Falcon platform has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government. Seven of the companies are firms in the Technology or Pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection, which the Cyber agreement does not prohibit.

The very first intrusion conducted by China-affiliated actors after the joint Xi-Obama announcement at the White House took place the very next day – Saturday September 26th. We detected and stopped the actors, so no exfiltration of customer data actually took place, but the very fact that these attempts occurred highlights the need to remain vigilant despite the newly minted Cyber agreement.

We are releasing below the timeline of intrusions into these commercial entities that we detected over the course of the last 30 days. It is important to note that this is not an exhaustive list of all the intrusions from Chinese-government affiliated actors we have detected during this time period; it is limited only to commercial entities that fit squarely within the hacking prohibitions covered under the Cyber agreement. The intrusion attempts are continuing to this day, with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures.

[Figure: CrowdStrike China intrusion timeline]

We assess with a high degree of confidence that these intrusions were undertaken by a variety of different Chinese actors, including DEEP PANDA, which CrowdStrike has tracked for many years breaking into national-security targets of strategic importance to China, as well as commercial industries such as Agriculture, Chemical, Financial, Healthcare, Insurance, Legal, Technology and many others.

In addition to preventing these intrusions, the CrowdStrike Falcon platform also provided full visibility into every tool, command and technique used by the adversary. This allowed us to determine that the hackers saw no need to change their usual tradecraft or previously used infrastructure in an attempt to throw off their scent.

Many of the intrusions were done through Web server compromises, with SQL injection being the preferred vector for implanting China Chopper webshells, which provide access to the internal networks of the victims. Since CrowdStrike Falcon uses an Indicator of Attack (IOA) behavioral engine, we instantly detected these actions and thwarted the adversary. In other cases, we’ve also detected and helped remediate the use of Derusbi and PlugX malware, preferred tools of a number of different Chinese actors.
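As an added illustration of the behavioral (IOA) approach described above, and not code from CrowdStrike or the Falcon platform, the toy rules below flag what a web shell does on the host rather than what its file looks like; the telemetry schema, image-name lists and sample events are all constructed for this example.

```python
# Toy indicator-of-attack (IOA) rules for web-shell behaviour (constructed example,
# not CrowdStrike Falcon code). Rather than matching web-shell file contents, which
# for China Chopper amount to a single line of server-side script, the rules flag
# what a web shell DOES: a web-server worker spawning a command interpreter, or a
# web-server worker writing a new server-side script into the content tree.
from dataclasses import dataclass

WEB_SERVER_IMAGES = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash"}
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".jsp", ".php")


@dataclass
class Event:
    """One endpoint telemetry record (constructed schema)."""
    kind: str          # "process" (new process) or "file_write"
    actor: str         # image name of the process performing the action
    parent: str = ""   # parent image name, for "process" events
    target: str = ""   # command line (process) or path written (file_write)


def ioa_rules(event):
    """Return the names of the IOA rules this event matches (may be empty)."""
    hits = []
    actor, parent = event.actor.lower(), event.parent.lower()
    if event.kind == "process" and parent in WEB_SERVER_IMAGES and actor in SHELL_IMAGES:
        hits.append("web-server-spawned-shell")
    if (event.kind == "file_write" and actor in WEB_SERVER_IMAGES
            and event.target.lower().endswith(SCRIPT_EXTENSIONS)):
        hits.append("web-server-dropped-script")
    return hits


def scan(events):
    """Run every rule over a stream of events; return (rule, event) pairs."""
    return [(rule, e) for e in events for rule in ioa_rules(e)]


# Constructed telemetry: two benign records and two a web shell would produce.
SAMPLE_EVENTS = [
    Event("process", "cmd.exe", parent="explorer.exe", target="cmd.exe /c dir"),
    Event("file_write", "w3wp.exe", target=r"C:\inetpub\wwwroot\images\logo.png"),
    Event("file_write", "w3wp.exe", target=r"C:\inetpub\wwwroot\uploads\img.aspx"),
    Event("process", "cmd.exe", parent="w3wp.exe", target="cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for rule, e in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {e.actor} -> {e.target}")
```

The first rule fires even when the web shell itself is never written to disk in a recognisable form, which is why behavioral rules hold up when the adversary reuses tooling under a new file name.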

So does this evidence of ongoing intrusions into the commercial sector from China indicate the failure of the U.S.-China cyber agreement? That depends on what is done about it and how long the current situation persists. As George Kurtz stated on the date of the agreement, “even under the best of circumstances, industry is left to wonder how quickly China’s bold intelligence gathering apparatus might be dismantled.” The fact that there is some time delay between agreement and execution is not entirely unexpected. But, we need to know the parameters for success, and whether the parties to the agreement discussed a timeframe for implementation or, instead, expected it to be immediate.

In the meantime, I personally remain encouraged by the Administration’s efforts to reduce the number and scope of Chinese intrusions and to have China draw a public distinction between national security-related espionage, which virtually every advanced nation engages in, and espionage done for commercial benefit, which the U.S. government and industry believe is unacceptable and must stop.

Call me an optimist, but I continue to have hope that meaningful progress can be made to turn the corner and establish norms of behavior for nation-states in cyberspace. In the meantime, CrowdStrike will remain vigilant and continue to protect our customers against breaches from all types of adversaries.

To learn more about how the CrowdStrike Falcon platform can help your organization, please contact info@crowdstrike.com.

Dmitri Alperovitch

Co-founder and CTO of Crowdstrike, Dmitri Alperovitch leads the Intelligence, Technology and CrowdStrike Labs teams. Alperovitch has invented 18 patented technologies and has conducted extensive research on reputation systems, spam detection, web security, public-key and identity-based cryptography, malware and intrusion detection/prevention. He is a renowned computer security researcher and thought leader on cybersecurity policies and state tradecraft. Alperovitch’s many honors include being selected as MIT Technology Review’s “Young Innovators under 35” (TR35) in 2013. He also was named Foreign Policy Magazine’s Leading Global Thinker for 2013 and received a Federal 100 Award for his information security contributions.