CrowdStrike, a company that provides cyber protection services, said Oct. 19 it has detected several attempted intrusions against private companies originating in actors affiliated with the Chinese government–just several weeks after the U.S. – China agreement prohibiting cyber theft of intellectual property was signed.
CrowdStrike’s premiere service, Falcon, “has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government,” Dmitri Alperovitch, co-founder and Chief technology officer (CTO) of CrowdStrike, said in a company blog post.
Seven of the companies these actors attempted to infiltrate are in the technology or pharmaceuticals sector, where the main reason to hack seems aligned to steal intellectual property and trade secrets, which the cyber agreement prohibits, Alperovitch said.
The first intrusion conducted by a China-affiliated actor after the U.S.- China announcement was the next day, Sept. 26th, CrowdStrike said. “We detected and stopped the actors, so no exfiltration of customer data actually took place, but the very fact that these attempts occurred highlights the need to remain vigilant despite the newly minted Cyber agreement,” Alperovitch said.
The blog post is accompanied by a timeline on suspected Chinese originating attempted intrusions of private industry clients of CrowdStrike, beginning before President Xi Jingping landed in Seattle to kick off his visit and continuing after the joint agreement was later inked in Washington, D.C.
“It is important to note that this is not an exhaustive list of all the intrusions from Chinese-government affiliated actors we have detected during this time period; it is limited only to commercial entities that fit squarely within the hacking prohibitions covered under the Cyber agreement,” Alperovitch said.
CrowdStrike assess “with a high degree of confidence” that the intrusions were undertaken by various Chinese actors, including DEEP PANDA, which the company has tracked for years breaking into national security targets as well as commercial industries such as agriculture, chemical, financial, healthcare, insurance, legal, and technology.
The company explained many of the intrusions were conducted via web server compromises with SQL injection as the preferred vector of implanting China Chopper webshells, which provide access to the internal networks of the victims. CrowdStrike instantly detected and thwarted actions using an Indicator of Attack (IOA) behavioral engine for these types of intrusions, CrowdStrike said. The company also detected and helped remediate attacks using Derusbi and PlugX malware, which are the preferred tools of several different Chinese actors, Alperovitch said.
Despite the detected cyber intrusion attempts, Alperovitch is encouraged by White House efforts to reduce Chinese intrusions and that it has also forced China to make a public distinction between national security-related espionage and commercial benefit-related espionage.
“The fact that there is some time delay between agreement and execution is not entirely unexpected. But, we need to know the parameters for success, and whether the parties to the agreement discussed a timeframe for implementation or, instead, expected it to be immediate,” Alperovitch said.
Lt. Gen. James McLaughlin, Deputy Commander of U.S. Cyber Command, agrees that it is too early to see Chinese behavioral changes yet.
“I think any changes you’re going to see as a result of the agreement that was announced between President Obama, President Xi–I think you’ll see that any changes, they’ll play out over a longer period of time than just the last couple of weeks,” McLaughlin said at a Center for Strategic and International Studies event on the role of the U.S. military in cyberspace on Oct. 9.