A birthday party, some empty liquor bottles, and a soldier doing pull-ups in front of his commanding officer. These are some of the photos that helped CrowdStrike identify a notorious Chinese hacker and officer in the People’s Liberation Army as part of a broader PLA hacking ring.
Computer forensics like those employed by CrowdStrike are increasingly vital to cybersecurity. The U.S.-based security technology firm made headlines with its report on Monday that traced the growing digital footprint of Chinese hackers invading the world’s satellite and aerospace industry, stealing intellectual property from companies throughout Europe, Japan and the U.S., as reported by the New York Times and Wall Street Journal.
CrowdStrike's digital sleuthing indicates that the five men charged with cyberespionage last month by the U.S. Department of Justice are not a few rogues working alone but rather part of an organized effort within the People’s Liberation Army that attempts to steal any intellectual property that could be of value.
Computer forensics used to mean analyzing the data on a hard drive for clues that could track down cybercriminals. As the industry moves into the cloud, hackers follow, so security teams like CrowdStrike's now look for traces left behind not on a hard drive but on a network.
Headquartered in California, CrowdStrike said it identified one of the hackers because he had used his personal email address to register a website used in the attacks; that registration record led the firm to the Chinese army officer's personal information. Attribution, or tracking down the source of cyberattacks, helps companies understand their attackers better and build up their defenses against hackers, the outfit says.
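The pivot described above, a domain-registration contact reused across attack infrastructure, reduced to working code as an added example. This is not CrowdStrike's code or data: the registration records, domains and addresses below are constructed placeholders, not indicators from the Putter Panda report, and the privacy-proxy exclusion list is an assumption of the example.

```python
"""Cluster attack infrastructure by shared domain-registration contact.

Added example, not CrowdStrike's code or data. The registration records
below are constructed for illustration; the domains and addresses are
placeholders, not indicators from the Putter Panda report.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrationRecord:
    """Subset of a WHOIS-style registration record (constructed schema)."""
    domain: str
    registrant_email: str
    registrant_name: str
    registrar: str


# Constructed sample: two domains share one registrant address (spelled
# slightly differently), two sit behind a registrar privacy service, and
# one is unrelated noise.
SAMPLE_RECORDS = [
    RegistrationRecord("update-satcomm.example", "Operator.Alias@mail.example", "J. Doe", "Registrar A"),
    RegistrationRecord("aero-news-feed.example", "operator.alias@mail.example ", "Jon Doe", "Registrar B"),
    RegistrationRecord("golf-invite.example", "privacy@proxy.example", "Domains By Proxy", "Registrar A"),
    RegistrationRecord("cdn-mirror.example", "privacy@proxy.example", "Domains By Proxy", "Registrar C"),
    RegistrationRecord("legit-vendor.example", "it@legit-vendor.example", "Vendor IT", "Registrar A"),
]

# Addresses belonging to registrars' privacy services: thousands of unrelated
# domains share them, so a match links nothing (constructed list).
PRIVACY_PROXY_EMAILS = {"privacy@proxy.example"}


def normalize_email(addr: str) -> str:
    """Lower-case and trim so trivially different spellings still match."""
    return addr.strip().lower()


def pivot_on_registrant_email(records, attack_domains):
    """Return {email: sorted domains} for every non-proxy registrant email
    shared by at least one known attack domain and at least one other domain."""
    by_email = defaultdict(set)
    for rec in records:
        email = normalize_email(rec.registrant_email)
        if email in PRIVACY_PROXY_EMAILS:
            continue  # a proxy address is not an attribution pivot
        by_email[email].add(rec.domain)
    attack = set(attack_domains)
    return {
        email: sorted(domains)
        for email, domains in by_email.items()
        if domains & attack and len(domains) > 1
    }


def linked_domains(records, known_domain):
    """Domains that share a usable registrant email with known_domain."""
    clusters = pivot_on_registrant_email(records, [known_domain])
    linked = set()
    for domains in clusters.values():
        if known_domain in domains:
            linked.update(d for d in domains if d != known_domain)
    return linked


if __name__ == "__main__":
    # Start from one domain seen in an intrusion and expand outward.
    print(pivot_on_registrant_email(SAMPLE_RECORDS, ["update-satcomm.example"]))
    print(linked_domains(SAMPLE_RECORDS, "golf-invite.example"))  # proxy: nothing
```

The proxy exclusion is the check that matters in practice: a registrant address that is itself shared by thousands of unrelated domains links nothing, and normalizing case and whitespace keeps one operator's slightly different spellings of the same address in one cluster.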
“While attribution is part art and part science, it is possible with a high degree of confidence to be able to pinpoint the who and why of these attacks,” said George Kurtz, CrowdStrike CEO and founder, in a post on DarkReading.com.
China contended earlier this month that the charges are “absurd” and based on “fabricated facts” created by the U.S. government. The Chinese government says it has “never engaged or participated in cybertheft of trade secrets,” nor has any of its personnel. But CrowdStrike’s report, which it calls “Putter Panda” since most targets are golf-playing executives in the aerospace industry, proves that many of the men charged by the U.S. are officers in the PLA’s Unit 61398.
The unit is one of more than 10 that the NSA says are tied to the PLA and that the agency is currently tracking. CrowdStrike's report appears to confirm U.S. suspicions that Chinese hackers are deployed by the government and military to steal intellectual property worldwide.
“We caught you red-handed,” Kurtz said, writing that China engages in these attacks to significantly reduce “the time and money involved in bringing new technologies to market.”
Rather than spending on research and development, the PLA focuses on targeting businesses around the world that can help it improve its military might -- through spy satellites, missile technology and jet engines. CrowdStrike says its report on the hackers, which it had already been selling to paying customers for some time, was made public to make companies more aware of the magnitude and scope of hacks done by government-backed teams like Unit 61398.
“We see firsthand what is happening in the trenches when we respond to large breaches,” Kurtz said. “We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials.”