Recently, a Dutch security firm published an extensive report on the activities of a hacker organization with the exotic name ‘Mofang’. Among their victims: several government agencies and even some arms manufacturers. There are more than enough indications to conclude that these are all cases of digital espionage. Nor is it hard to conclude what country they are from. Based on some Chinese characters in the traces that weren’t deleted, and on the remarkably high number of Myanmar organizations among the victims, we can safely conclude that Chinese hackers are behind this group.
Who exactly they are spying for is less clear. As the attacks are mainly targeted at government and military targets, the espionage seems to be commissioned by the Chinese government. But the sloppiness in some of the hacking activities points in the opposite direction. So the Chinese government gets the benefit of the doubt, for the time being. Especially because it isn’t very hard to obtain the information and tools needed to perform such an elaborate attack. A little money and some perseverance: that’s all you need for such a cyberattack.
It starts with a mail
We may disagree on the origin and the commissioning party, but we can all agree on their mode of operation, which hasn’t changed throughout their activities. It starts with a simple phishing mail containing an attachment that some employee unsuspectingly opens. Thus the hackers are granted access to the corporate network, and they can start searching for corporate information. Those phishing mails are not sent haphazardly: they are targeted at specific (types of) employees within the organization. That’s why we usually call it ‘spearphishing’. The hackers take good care of the content and style of the mails, in order to convince the targeted employees that these are legitimate mails.
These spearphishing mails usually contain some form of personal information, which makes them hard to distinguish from regular mails. Therefore, it is harder to prevent such attacks, even when employees are aware of the existence and the consequences of such threats. When a mail seems to come from a colleague or another trusted party, it is far more likely that you will open its attachments. The human factor is still the weakest link, no matter how often you inform or warn people.
Prevent and contain
That is why we strongly advise everybody to be prepared for phase 2, when the hackers have already broken into the network and are actively browsing around for information. One way of dealing with this situation is by subdividing the network, and the corporate information, into many compartments. Another defense mechanism is to install a monitoring system that continuously scans the corporate network for uncharacteristic, and therefore suspicious, behavior.
Digital espionage is not about to disappear, quite the contrary. And we know that not all hacking attempts will be countered. That’s why it’s crucial not only to counter as many attacks as possible, but also to limit the consequences of a successful attack as much as possible. Thanks to these so far unknown Chinese hackers, this has once more been convincingly demonstrated.
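As an added illustration (not code from the original post or from the report it discusses) of how the two measures above work together, the following script learns which internal connections are normal during a baseline period, then flags flows that cross a segmentation boundary the policy forbids and hosts that suddenly reach many peers they never talked to before. Host names, the prefix-based segment scheme and the flow records are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records: (src, dst, dst_port). The first list is the
# learning period, the second is the period under review. Host names are assumed.
BASELINE = [
    ("ws-17", "mail-01", 443), ("ws-17", "files-01", 445), ("ws-17", "dc-01", 88),
    ("ws-22", "mail-01", 443), ("ws-22", "files-01", 445), ("ws-22", "dc-01", 88),
]
REVIEW = [
    ("ws-17", "mail-01", 443), ("ws-17", "files-01", 445),
    ("ws-17", "ws-22", 445), ("ws-17", "ws-23", 445), ("ws-17", "ws-24", 445),
    ("ws-17", "hr-db-01", 1433), ("ws-22", "dc-01", 88),
]

# Segmentation policy: a host's name prefix identifies its compartment (assumed
# naming scheme), and only the listed (source, destination) pairs may talk.
SEGMENT_OF = {"ws": "workstations", "mail": "servers", "files": "servers",
              "dc": "servers", "hr": "restricted"}
ALLOWED = {("workstations", "servers"), ("servers", "servers"), ("servers", "restricted")}

def segment(host):
    return SEGMENT_OF[host.split("-")[0]]

def learn_baseline(flows):
    """Return the set of (src, dst, port) triples seen during the learning period."""
    return set(flows)

def find_anomalies(flows, baseline, fanout_threshold=3):
    """Flag segmentation violations and hosts contacting an unusual number of new peers."""
    findings = []
    new_peers = defaultdict(set)
    for src, dst, port in flows:
        # Compartment check: traffic the segmentation policy does not permit.
        if (segment(src), segment(dst)) not in ALLOWED:
            findings.append(("segmentation_violation", src, dst, port))
        # Behavioral check: destinations this host never contacted during the baseline.
        if (src, dst, port) not in baseline:
            new_peers[src].add(dst)
    for src, peers in new_peers.items():
        if len(peers) >= fanout_threshold:
            findings.append(("new_peer_fanout", src, len(peers)))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(REVIEW, learn_baseline(BASELINE)):
        print(finding)
```

In the constructed data, workstation ws-17 starts contacting other workstations and a restricted database it never reached before, which is exactly the kind of uncharacteristic behavior a compartmentalized network lets a monitor pick out.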