Robert X. Cringely, Columnist

Chinese cyber spies: Pwning U.S. businesses since 2006

Analysis

Feb 19, 2013 (4 min read)

What oversees more than a billion citizens, runs a cyber spy army, and hacked Coca-Cola and Lockheed Martin? China's government, says security firm Mandiant

The New York Times issued another blockbuster report yesterday revealing just how thoroughly U.S. companies have been pwned by Chinese cyber spies over the last few years.

The Chinese government immediately took to Twitter, accusing the Times of publishing a “fake” account and having a bias against hackers of Chinese origin as well as $100,000 electric vehicles. (I’m kidding about that last bit.)


The Times got an advance copy of a report by security firm Mandiant, which was hired by the paper last fall to trace Chinese hackers rollicking through the Times’ own network. (Jeez, the lengths some people will go to just to get around a paywall.) Today Mandiant released a 60-page report (PDF) exposing one of the Chinese army’s cyber spook networks, called Advanced Persistent Threat 1 (APT1), which has been pwning major U.S. corporations and government agencies since 2006.

Among APT1’s known victims, per the Times, are RSA, Coca-Cola, Lockheed Martin, defense consultancy The Chertoff Group, and the National Electrical Manufacturers Association. The scariest part is that most of APT1’s attacks over the last two years were directed against U.S. and Canadian water, utility, power, and pipeline companies.

Unlike in previous reports, Mandiant isn’t saying the Chinese government may be behind these attacks — Mandiant is saying China’s fingerprints are all over it. Per the report:

Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area…. Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.

Mandiant also released a five-minute video, built from screen recordings of the intruders' own sessions, that shows APT1 operators at work. And its report is full of fascinating facts. For example, Mandiant published the online handles of three personas it tied to the group — DOTA, SuperHard, and UglyGorilla — and goes into some detail about each one.

DOTA may have taken his name from a game called Defense of the Ancients and is apparently a “Harry Poter” (sic) fan. SuperHard gets his moniker from his habit of replacing company names in the binaries he modifies with the word “SuperHard” — so the “Microsoft Corp.” in CMD.exe becomes “SuperHard Corp.” (That seems about right.) UglyGorilla is apparently just ugly, but his real name is probably the somewhat redundant Wang Dong.

Also: In Chinese hacker slang, an infected computer is called a “meat chicken.” Aren’t you happy you bothered to read this blog post now?

Make no mistake, this is serious stuff. But the biggest takeaway for me is how thoroughly unsurprising this news is. We were always pretty sure the Chinese were hacking us, though it’s unclear whether they were behind the recent attacks on Twitter and Facebook, and Burger King’s potty-mouthed tweets. Now we have even more proof.

The question is, what do we do about it? That is, besides stocking plenty of water, batteries, and beef jerky for the day when the Chinese decide it’s time to shut off the lights.

How should the United States respond to Chinese hack attacks? Post your defensive strategies below or email me: cringe@infoworld.com.

This article, “Chinese cyber spies: Pwning U.S. businesses since 2006,” was originally published at InfoWorld.com.