WASHINGTON, D.C., March 30, 2017. FireEye Chief Executive Officer Kevin Mandia testifies before the Senate Intelligence Committee. The committee heard testimony on the topic “Disinformation: A Primer in Russian Active Measures and Influence campaign.
Cybersecurity firms have blamed the Chinese Communist Party for a recent hack that exposed tens of thousands of servers running the Microsoft Exchange email program to potential Hackers. The chief executive of a leading cybersecurity firm said it now seems clear that the Chinese Communist Party has launched an indiscriminate, automated second wave of hacking in an attempt to open the way for ransomware infections and other cyberattacks.
In response, Kevin Mandia of FireEye said the second wave of hacks, which began on Feb. 26, had the hallmarks of elite cyber espionage on Beijing‘s part and far exceeded the norms of ordinary cyber espionage, according to the Associated Press. In terms of its scale, the attack was very different from the highly targeted nature of the first wave of hacks discovered in January.
You would never expect to see a modern state like China (Communist Party of China) with offensive capabilities – which they usually control with discipline to hide -” Mandia said in an interview with The Associated Press on Tuesday (March 9). -to suddenly launch an attack on 100,000 systems.”
Mandia said his firm’s assessment, based on forensics, shows that two groups of hackers backed by the Communist regime have installed a large number of automatically seeded backdoors, known as “web shells,” on a yet-to-be-finalized number of systems. Experts are concerned that the large number of backdoors could be easily exploited by criminals for a second phase of ransomware infections, who also use automation to identify and infect targets.
Across the globe, cybersecurity teams are busy identifying and maintaining hacked systems. On Tuesday (March 9), the National Governors Association issued a rare alert to state governors asking them to strengthen “awareness of the severity of the threat and the next steps to be taken by local governments, businesses and operators of critical infrastructure. “
David Kennedy, CEO of cybersecurity firm TrustedSec, tweeted Tuesday that “resource-requesting programs for ‘mining’ cryptocurrencies are being installed on some threatened exchange servers.
The White House has called the hack an “active threat,” but so far Biden has not urged tough action against the Chinese Communist Party, nor has he distinguished between the two waves of attacks – at least not in the public domain. Neither the White House nor the Department of Homeland Security has commented on whether to blame the second wave of hacking attacks on the Chinese Communist Party.
Mandia has been dealing with hackers backed by the Chinese Communist regime since 1995 and has long been on the radar of presidents and prime ministers. Mandia’s assessment is consistent with that of Dmitri Alperovitch, former chief technology officer of CrowdStrike, another Washington-area cybersecurity agency. Alperovitch commented that the Chinese Communist Party needs to be notified immediately: shut down those cyber shell implant backdoors.
The wave of widespread hacks that automatically create backdoors began five days before Microsoft released its patches, when cybersecurity firm Volexity discovered vulnerabilities in patches first released by Microsoft in late January of this year. The company found evidence that the vulnerabilities were exploited by hackers backed by the Chinese Communist regime as early as Jan. 3. The hackers targeted U.S. think tanks, universities, defense contractors, law firms and infectious disease research centers, the researchers said.
Suddenly, all organizations running e-mail servers were infected with cyber shell attacks linked to known Chinese hacking groups, Mandia said. These hacker groups knew patches were about to be released, so they rushed to attack everything they could.
In an interview at FireEye’s offices, Mandia commented, “It’s like they feel like their lives are about to end, so they’re getting crazy.” “It’s like they strafed the entire network with machine guns.”
Mandia added, “The second wave of infection attacks may not have been approved by the highest levels of the Communist Party [regime].”
“This is inconsistent with what they normally do,” he explained, “and very often there is a disconnect between the top leadership and the front-line executors. All I can tell you is that I was surprised to see four ‘zero days loopholes’ (zero days) being exploited with impunity.” He added, “If you can be exploited by this attack, in most cases, you have been.”
“Zero-day vulnerabilities,” also known as “zero-day attacks,” are security flaws that are discovered and then immediately exploited for malicious purposes to pry open secret doors in software. They get their name from the countdown to patching that begins after deployment. In layman’s terms, this means that the security patch appears within the same day as the flaw is exposed, and the malicious program in question appears. In this case, it took Microsoft 28 days to develop a patch after being notified.
Mandia warned that a large-scale hack would not trigger any critical infrastructure failures or cause loss of Life. “It won’t shed blood, but it highlights that there are no rules of engagement in cyberspace, something that governments urgently need to address ‘before disaster strikes.'”
Asked on Monday (March 8) whether it was the hacker behind the incident, the Chinese Embassy in Washington noted that the Communist Party’s Foreign Ministry spokesman Wang Wenbin had stated last week that the Communist Party “resolutely opposes and combats all forms of cyber attacks and cyber theft.” He said accusations of cyberattacks should be based on evidence, not “baseless accusations.”
Mandia compared the Microsoft Exchange hack to the SolarWinds hacking operation, which Washington blamed on elite Russian cyber intelligence operatives his company discovered last December.
The SolarWinds attack was very stealthy, very covert and very focused,” Mandia said. The hackers showed restraint in that they sought to go deeper rather than trying to expand the scope.” He has attended several U.S. congressional hearings on the Sunwind hack. And “this attack (on Exchange) feels very broad in scope, but I don’t know yet how deep it really is.”
U.S. officials said at least nine federal agencies and more than 100 private-sector targets were affected by the Sunwind hacking operation. The operation is named after a Texas-based company. The company’s network management software was used to plant malware on more than 18,000 customers. Only a small percentage were hacked in the operation, which lasted eight months without being detected.
Mandia said Russian intelligence officers manually hacked into the networks of 60 to 100 different victims. Security researchers said telecoms, software companies and think tanks were particularly hard hit by the attacks.