Under public and Western government pressure – including a dramatic deal with the White House – suspected Chinese-based threat groups have reduced their activity over the past two years, according to a report from security vendor FireEye.
However, its researchers also warn that Canada and other countries are still the targets of more than a dozen very active groups who may or may not be tied to the Chinese government.
Between the beginning of 2013 and last month, FireEye customers suffered 262 incidents attributed to 72 suspected China-based groups (breaches, but not necessarily data loss) in 26 countries, including Canada, the report says.
In an interview Tuesday Jordan Berry, FireEye’s principal threat intelligence analyst, and William Glass, a threat intelligence analyst, said 186 of those incidents involved U.S. organizations. However, they refused to say how many incidents FireEye investigated involved Canadian firms or government departments.
“Canadian companies that are in industries of interest to the Chinese corporations would be in manufacturing, energy, maybe agriculture,” said Glass. “There would be continuing risks for companies in Canada because it is a Western country, has technological development capacity that Chinese groups will continue to find attractive as far as stealing intellectual property.”
And while the number of incidents is down over the past two years, he noted that FireEye is still tracking 13 suspected China-based groups that remain active and are targeting high-tech firms, particularly semiconductor makers, those making navigational technology, and health care institutions.
“As long as those groups are still out there, there’s no reason to suggest they’re not going to turn on Canadian organizations just as they would try to breach companies in the U.S., Japan or Europe.”
Two major breaches of federal departments were reportedly attributed to attackers inside China. In 2011 the finance department, Treasury Board and the Defence Research and Development agency were forced offline after a sustained attack. In 2014 the National Research Council was struck.
Security analysts are split on whether CISOs should worry about where an attacker is based, in part because it isn’t hard for attackers to disguise their tracks. Don’t worry about who might attack you, goes their argument; decide what is valuable and protect it.
Others, like Ray Boisvert, former assistant director of the Canadian Security Intelligence Service (CSIS) and now CEO of I-Sec Integrated Strategies, a Toronto-based risk consultancy, say understanding who may be your adversary will help you understand why they may attack and what they might do. “With that in hand, it will help you pre-determine where and potentially when (in a perfect scenario, of course). Absent perfection, it’s about ‘situational awareness’ as a first line of defence… hence know your enemy.”
He also noted that, according to public testimony in Washington, traditional spying by Chinese agencies continues to increase. And, he pointed out, the FireEye report also says there’s evidence China-based groups are increasing cyber activities against countries on its borders. In that case, he argued, China’s strategy may be, ‘We won’t target you directly, but we’ll get at what we need via your strategic partners and allies in a zone closer to home.’
Canadian organizations have another factor to think about, he said: “We are also a gateway to other entities in the West, particularly in the U.S. And, of course, no company wants to have been the portal for an attack that has significant consequences with a larger U.S.-based partner or customer.”
The FireEye report suggests that, starting with reports in January 2013 from news agencies and security vendors exposing China-based groups, and with pressure from many governments, the volume of China-based cyber attacks had been dropping — even before President Barack Obama and Chinese President Xi Jinping agreed that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” for an economic advantage.
FireEye therefore concludes that the drop in activity was not solely due to the Obama-Xi agreement.
In November 2015, as part of the G20 meeting in Turkey, China signed the final communiqué, which says in part: “no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
As some have noted, that leaves lots of room for state-backed intelligence and national security activities.
Finally, the FireEye report concludes that even though the volume of China-based cyber attacks is dropping, the attacks remain “more focused, calculated, and still successful in compromising corporate networks.”