Feds Shared Chinese Hacker Data With Service Providers

The Syrian Electronic Army: 9 Things We Know

The FBI and Department of Homeland Security (DHS) in February supplied hundreds of IP addresses of suspected Chinese command-and-control (C&C) servers to U.S. service providers.

That intelligence sharing, first reported by The Wall Street Journal, was meant to counter rampant cyber spying by China by allowing service providers to block the IP addresses, according to unnamed U.S. officials. Compromised PCs in the United States would have contacted the IP addresses to receive instructions from attackers, or to relay sensitive data to Chinese spies.

But any gains from the threat-intelligence sharing were short lived, with attackers quickly retooling and launching attacks using new infrastructure. "Part of the problem is we can close this door and it's fairly easy for them to open another door," a U.S. official told the Journal.

The timing of the IP address information sharing, made by DHS and the FBI, suggests that it was done in the wake of Mandiant's February release of a report that tied the Chinese government a six-year advanced persistent threat (APT) campaign that hacked 141 businesses across 20 industries. Mandiant said it had traced these attacks to People's Liberation Army (PLA) Unit 61398, which it described as an elite military hacking unit.

[ Is hacking a two-way street? Read Snowden Says U.S. Hacking Chinese Civilians Since 2009. ]

The report included lists of IP addresses that Mandiant said were part of malicious Chinese C&C infrastructure. With Mandiant set to release the information -- CSO Richard Bejtlich said the cybersecurity firm gave the government at least a week's warning before doing so -- DHS likely decided to share related details with service providers, before the IP address information became useless for blocking active attacks.

The Chinese government denied all of the allegations contained in Mandiant's report. But in the wake of its release, multiple U.S. information security experts reported a reduction in attacks emanating from China. That decline, however, was only temporary, and likely reflected the fact that attackers were simply setting up new operations. By May, Adam Meyers, Crowdstrike's director of intelligence, told The New York Times that aside from seeing a few new tactics, it was "business as usual" for China's APT attackers.

Anup Ghosh, CEO of Invincea, disputed the long-term usefulness of having the U.S. government share C&C server IP addresses with service providers. "We're fighting forest fires with fire extinguishers," Ghosh said by phone. "This isn't a way to defend networks. This is way after the fact, when you discover you were compromised," he said.

Indeed, such information is typically gleaned by doing a forensic analysis of a captured C&C server, cataloging the IP addresses it's contacted, then identifying which ones trace to U.S. businesses and government agencies. With that information in hand, the FBI can alert affected organizations and agencies, who can then undertake a forensic investigation and try to identify what information attackers got their hands on.

"These methods can provide temporary relief, like putting ointment on a pain, but it's not a solution to the problem," Ghosh said. "What we really need to do is focus on 'how do we actually stop the threat, rather than cleaning up after it.' That requires innovating in software, innovating in architectures and really stopping the problem."

Might diplomacy help? That question is pertinent, after a U.S.-China cybersecurity working group held its first-ever meeting this week in Washington as part of the U.S.-China Strategic & Economic Dialogue (S&ED). The creation of the working group was announced in April, as part of what officials said were efforts to improve cybersecurity dialog, cooperation and coordination between the two countries.

A U.S. official with knowledge of the talks didn't detail the extent to which information released by National Security Agency (NSA) whistleblower Edward Snowden might have overshadowed the cybersecurity discussions, Bloomberg reported. Amongst the many details of NSA surveillance programs leaked by Snowden was information on what he described as the agency's hacking of civilian Chinese PCs, starting in 2009.

"Unfazed by the ruckus over the revelations of former U.S. intelligence contractor Edward Snowden, the Obama administration appears determined to use those talks to continue pressing the Chinese on the rampant theft of U.S. trade secrets and its implications for America's long-term economic competitiveness," according to an analysis of the talks published this week by the Center for Strategic and International Studies (CSIS).

U.S. officials have long maintained that China's active targeting of U.S. intellectual property differs from the U.S. approach to espionage, which isn't used to advance the country's business interests.

Still, early indications are that the bilateral talks won't lead to any immediate change in China's APT attack posture, not least because of Beijing again attempting to frame cybersecurity as an international issue, with the country suffering its own share of online attacks. "At least so far ... Beijing seems reluctant to offer any fresh proposals on managing bilateral friction over cyber theft," said the CSIS report. "The officials also stressed that Beijing's agenda for the S&ED talks remained firmly focused on expanding bilateral trade and investment, clearly downplaying the cyber issue."