I’ve just been putting together a piece for IDG Connect on tech predictions for China and Hong Kong in 2015. It’s always difficult to fit in all the comment I manage to get on these pieces, so here’s a bit more on the cyber security side of things, from FireEye threat intelligence manager Jen Weedon.
The long and the short of it is “expect more of the same” from China. The US strategy of naming and shaming PLA operatives ain’t really doing much at all.
“In the next six to twelve months, targeted data theft by China-based actors is likely to remain consistent with patterns we have observed in the past,” Weedon told me by email.
“We expect Chinese threat groups to conduct espionage campaigns that are in line with the Chinese central government’s political and development goals.”
So what exactly will these goals be in 2015? Well, according to Weedon we can expect data theft to focus on climate change and the tech sector.
“China’s ongoing pollution challenges provide strong incentive for threat actors to steal data related to technologies that can help China stem the environmental impact of its heavy reliance on coal,” she said. “We also expect cyber espionage activity against governments and policy influencers in the run-up to the 2015 UN Climate Summit as China seeks intelligence to enhance its negotiating position on global climate policy issues.”
As for the tech sector, China is stepping up its efforts to develop homegrown computing and semiconductor policies – ostensibly for reasons of national security, ie to close down the risk of NSA backdoors in US kit.
“As the country pursues these goals, we anticipate Chinese actors will leverage data theft to supplement knowledge acquired through legitimate channels such as joint ventures with experience foreign partners,” Weedon told me.
“We regularly observe China-based threat actors target firms engaged in joint ventures with Chinese enterprises.”
Territorial disputes in the South and East China Seas will also continue to drive cyber espionage activity, she said.
As for beyond that, we’ll just have to wait until after the National Development and Reform Commission (NDRC) outlines development priorities for the 13th Five Year Plan.
“As the central government solidifies its goals for the 2016 to 2020 timeframe, we expect further clues to emerge about which topics are likely to enter threat groups’ cross hairs in 2015 and beyond,” said Weedon.
It’s very much a question, therefore, not of whether China will continue its blatant state-backed cyber espionage campaigns, but where it will focus its considerable resources.
Verizon’s annual Data Breach Investigations Report is out and several headlines have pointed to it highlighting China once again as the biggest source of global cyber espionage threats, however we need to be careful drawing such conclusions.
The report revealed that when it comes to cyber espionage, the majority (87%) is state affiliated rather than committed by organised crime (11%) and is targeted at victim organisations outside of the country of origin.
When it comes to “victim countries”, the US (54%) accounts for by far the majority, followed by South Korea (6%) and Japan (3%), although this is more of a reflection of the intelligence sources that inform the report than anything else.
More interestingly, it pegged “external actors” operating from Eastern Asia – mainly China and North Korea – as the most prolific worldwide, accounting for 49%.
Eastern Europe was next (21%), followed by Western Asia (4%), while North America and Europe were way down with just 1% each.
So what does this tell us? Well, those looking to prove that China is once again the arch bogeyman when it comes to global state-sponsored attacks should think twice, according to Verizon.
Report co-author and senior analyst, Kevin Thompson, told me that the results reflect the fact that large numbers of North American companies participate in the study and relatively few hail from East Asia – with none from China and Japan.
“We have been trying to recruit a partner organisation from China, Japan, or South Korea to increase our visibility into that part of the world,” he added. “Since many of our partners that investigate cyber espionage are based in North America they tend to only see attacks that are aimed at North American companies.”
Also, out of 511 total cyber espionage incidents recorded, more than half (281) were removed because no country could be attributed as the source of an attack.
“East Asia is the most commonly seen espionage actor when our partners are able to identify the country at all, which is not even half of the time,” Thompson explained.
“There tends to be more research around East Asian espionage than other countries, especially among North American partner organisations. Since there is more research in that area, it is easier for a partner to identify espionage from those regions while espionage from North America or Europe might be labelled ‘Unknown’ and would not be included in figure 59 of the report.”
If the NSA revelations have taught us anything it’s that the 1% figure for North America-based attacks is likely to be way smaller than in reality.
Verizon also claimed in the report that “the percentage of incidents attributed to East Asia is much less predominant in this year’s dataset”.
The real growth in activity is actually coming from Eastern European attackers, it said, adding the following:
At a high level, there doesn’t seem to be much difference in the industries targeted by East Asian and Eastern European groups. Chinese actors appeared to target a greater breadth of industries, but that’s because there were more campaigns attributed to them.
Malicious email attachment (78%) and web drive-by (20%) are still the most popular method of gaining access to a victim’s environment.
As for advice on how to lower the risk of a compromise, Verizon reiterated the basics.
These include: patch all systems and software so they’re fully up-to-date; use and keep an updated anti-malware solution; maintain user training and awareness programs; segment your network; log system, network, and application activity; monitor outbound traffic for data exfiltration; and use 2FA to stop lateral movement inside the network.
Last week I popped over to the Quarry Bay HQ of Verizon Business in Hong Kong to hear more about the annual Data Breach Investigations Report.
The report’s really come on since I covered it way back in 2008, and this year pulled data from an unprecedented 19 reputable sources including Scotland Yard, the US Department of Homeland Security and many more.
The Register covered the main news from the report when it was launched the week before – that China was responsible for a whopping 96 per cent of state-affiliated attacks – so I was keen to get some other APAC-relevant insight from the team.
Unfortunately there wasn’t much to be had, in fact the report itself only mentions Asia Pacific once as a break-out region, to illustrate the top 20 threat types across the whopping 47,000 security “incidents” recorded over 2012.
What this probably tells us is that methods of collecting the data at the moment are pretty non-standardised across the globe, which makes drawing any clear comparisons difficult between regions.
Another thought that occurred: it’s fairly obvious that organisations across the globe suffer from the same kinds of information security risk – whether hacktivist, financially motivated criminal or state sponsored espionage-related.
As Verizon’s HK VP Francis Yip said: “No one is immune from cyber crime. As long as you have an IP address, you are a target, no matter how long you spend online.”
In this respect, there were no startling new trends as such to pull out of the report, aside from China’s consistent and persistent appearance as number one source of state-sponsored shenanigans.
This is probably good news for under fire CISOs, now tasked not only with deflecting financially motivated cyber crime and attempts from hacktivists to take down their sites and steal credentials, but also under-the-radar information theft from APT-style attacks.
What’s also good news, is Verizon’s assertion that the cloud is no less safe than any other form of computing system, as long as IT teams make sure they carry out due diligence on providers.
“Cloud can actually be more secure, because these providers are doing it on an industrial scale with staff who know what they are doing,” argued Verizon’s APAC head of identity and privacy services, Ian Christofis.
While all this is certainly true I definitely got the impression from the briefing that many firms are still failing on the security basics.
“Could try harder” is probably a suitable report card take-away for businesses from 2012.