Investigators: Chinese Government is Behind 96 Percent of Cyberspy Ops


The nation state’s motive appears to be economic growth, not physical destruction.

Hackers connected to the Chinese regime were responsible for more than 95 percent of cyber espionage cases last year worldwide, according to government authorities and private investigators.

An annual breach report compiled by Verizon traced the operations using known hallmarks of Chinese government interference as well as subpoenaed classified intelligence, company officials said.

"In those instances where we see the data is being used, the data was taken to give an advantage to a local business" in China, said Dave Ostertag, a global investigations manager with Verizon. China does not appear to be plumbing networks for a planned attack on electric grids or other industrial control systems, he said. Some victims in this year’s report do manage such operations, but intruders were probing separate administrative networks, not turning traffic lights green citywide or wreaking other havoc.

The 2012 study, scheduled for release today, breaks down 620 data breaches documented by various organizations such as the U.S. Secret Service and European Cyber Crime Center. Verizon also includes cases where victims hired their own investigative services.

"Ninety-six percent of espionage cases were attributed to threat actors in China and the remaining 4 percent were unknown," the report states.

In some instances, Verizon obtained insights into hacker affiliations after filing court orders, Ostertag said. The details released as a result confirmed, for example, whether an implicated network address was actually in China and was communicating with a Chinese government network address. Mostly, though, malicious activity left behind telltale signatures already known to computer forensic firms such as Mandiant and Symantec.

The U.S. government is ratcheting up pressure on China, which it calls the world’s most persistent perpetrator of economic espionage, to stop snooping. The White House in February released a strategy threatening intellectual property thieves with diplomatic actions and prosecutions, days after Mandiant published evidence of the Chinese military hacking 141 organizations in English-speaking countries.

But Verizon officials concede other, more active threat groups might be maneuvering more covertly. China consistently denies cyberspying and argues its systems are penetrated too.

Nearly all nation state-affiliated operations tricked personnel into divulging credentials by pretending to have a social connection to the target. "Over 95 percent of all attacks employed phishing" -- contacting victims through email or social media while feigning familiarity -- "as a means of establishing a foothold in their intended victims' systems," the report finds.

In general, attackers cracked accounts by somehow obtaining valid credentials. With spies, bank robbers and hacker activists, "authentication-based attacks factored into about four of every five breaches involving hacking," the report states.

Of the exploits studied, 92 struck government agencies in various countries. The somewhat brighter finding here is that federal departments were better at password management than commercial victims, Verizon officials said.

"They have password complexity policies that are far more stringent than private sector organizations," where employees often rely on entry codes such as "password," Ostertag said. Also plaguing industry: "Poor password-change programs that allow the passwords to work for longer than they should," he said.

The 2012 review focused more on cyberspies and China than last year’s study, which dissected the rise of hacktivists. Verizon’s own caseload contained more espionage incidents than ever before, officials said.

As in past years, contributing investigators stripped all records of information that could identify victims. Verizon recruited a record 19 participants, including, for the first time, the U.S. Cyber Emergency Response Team and the U.S. National Cybersecurity and Communications Integration Center.