The APT3 hacker group, which has been attacking government and defense industry targets since 2010, has been linked to the Chinese Ministry of State Security, according to a report by Recorded Future.
Other attackers have been linked to the Chinese military, but this is the first time a group has been connected to Chinese intelligence, said Samantha Dionne, senior threat analyst at Somerville, Mass.-based Recorded Future, Inc.
Connections to the Chinese People’s Liberation Army were easier to make because aspects of those attacks included identifying information tied to the army units that were involved.
However, a combination of other published reports, and the group’s own research, allowed Recorded Future to connect the dots to the MSS, she said.
One of the reports, published last fall by the Washington Free Beacon, cited Pentagon officials as linking a Chinese company to the MSS.
Then, earlier this month, a report by intrusiontruth linked that company to APT3. That company is the Guangzhou Boyu Information Technology Company, also known as Boyusec.
“Boyusec was working with Huawei, a Chinese telecom provider, to produce back doors for security products for the Chinese intelligence services,” said Dionne.
Back in 2009 and 2010, Boyusec made some mistakes when registering domain names, she said.
Dionne said she doesn’t know who’s behind intrusiontruth, but they did some solid DNS research to track down the connections.
Recorded Future was able to confirm the information, she said.
“They just published before I did,” she said.
For enterprises that are potential targets of these attackers, or that have already been hit by APT3, there are two avenues of action.
First, knowing who is behind the attacks means that companies are better able to identify vulnerable assets, she said.
For example, Chinese intelligence is less interested in stealing and selling credit card numbers, and more interested in intellectual property.
And that doesn’t just include military secrets and cutting-edge research, she added.
For example, Chinese agricultural companies may want to find information about aspects of existing technology, such as, say, details of the workings of a particular part of a combine.
“It’s not just about stealing the top of the line stuff,” she said. “A lot of it is about filling in gaps.”
Enterprises hit by APT3 should take another look at the forensic evidence to see if these kinds of less obvious assets were targeted.
“For companies, it’s a reevaluation of their risk,” she said.
Knowing that Chinese intelligence is involved also means that the attackers have access to a wider array of tactics, including bribes and break-ins.
Second, enterprises may be able to pursue legal action in Chinese, US, or international courts.
“Knowing that the perpetrator of these attacks is a nation state opens up some other avenues, like approaching the US government and using the legal process to address some of the losses,” she said.
There have already been suits filed in the Chinese courts but, so far, they have not been successful.
“But there are several ongoing cases in the U.S. legal system,” she added.