WASHINGTON — Cyber espionage is on the rise, and increasingly Chinese attackers are targeting critical infrastructure, probing networks to see what they can get away with, a new report from Verizon released Tuesday found.
The report, an annual document from Verizon known as the Data Breach Investigations Report, combed through more than 47,000 security incidents and found that while 2011 was the year of the hacktivist, 2012 was the year of espionage.
“Last year the big change in the landscape was hacktivism, which suddenly accounted for more stolen records than any other category,” said Bryan Sartin, director of investigative response at Verizon. “That came out of nowhere, because hacktivism was such a statistical speed bump. Now this year, that espionage category, not only do we see it, but it’s almost 20, 21 percent or so of all the breaches contributed internationally here across all the participants.”
Espionage, particularly industrial espionage from China, isn’t new. Gen. Keith Alexander, chief of U.S. Cyber Command, has previously described the theft of data by state actors as leading to the greatest unintentional transfer of wealth in human history. And the threat has largely been viewed in monetary terms, with Chinese actors stealing plans and intellectual property for financial gain. But what makes the threats found in the Verizon report noteworthy is that many of the attacks are targeting systems where there is no clear financial motive for intrusion.
For instance, Verizon found a series of attacks against the Federal Aviation Administration’s traffic control system.
“There’s that line that’s being crossed here between information technology and operational technology,” Sartin said. “They might not be stealing data but they’ve got the capacity to deny, disrupt and destroy at that point.”
Sartin said that they’ve found a number of instances where attackers, almost entirely out of China, are sitting inside critical infrastructure systems, gathering data for prolonged periods. They aren’t destroying the systems, but are probing and testing their limits.
About a third of the attacks to which Verizon was able to attribute a country of origin came from China overall. Attackers from other countries are largely focused on financial crime, with China making up the vast majority of espionage breaches.
“They’re testing the system,” said Jeff Moulton, director of information operations at the Georgia Tech Research Institute. “They’re figuring out what they can do, and what we’ll detect, and what they can get away with.”
The bigger question, Moulton said, is what state actors might do with what they’re learning.
“Maybe it looks pretty benign,” he said. “So it looks like they can just get in, but it’s obviously just a piece of a bigger puzzle. There’s a bigger picture.”
And while overall attacks still include a large number of financial crimes and some hacktivist-type attacks, intrusion into critical infrastructure systems is dominating the incidents that Verizon is seeing.
“Starting at a certain point in March it was about five out of six,” Sartin said. “Almost every notification that we’re putting out the door, it’s not just an espionage type attack, but the victims are a unique category and they are for the most part critical infrastructure. It’s just curious how it changed overnight like that.”
The data for the report comes from 18 contributors besides Verizon, including the U.S. Secret Service and the European Cyber Crime Center. Paired with Verizon’s data, which comprises a large percentage of overall Internet traffic given the company’s significant market share, the report is a broad snapshot of the threats traveling across networks.
The report included several findings that subvert conventional thought on cyber attacks.
Handheld devices, viewed by many security experts as a major threat in the new bring-your-own-device office environment, accounted for only a small number of entry points for attacks. Desktop computers still dominate the threat landscape.
And while many voice concern about the risk of insiders exposing data, the vast majority of attacks are perpetrated from outside of systems, the report found. Ninety-two percent of attacks logged in the report were perpetrated by outsiders. And while insider attacks rose from 4 percent in 2011 to 14 percent in 2012, they still represented a clear minority of threats.
Sartin said that he thought the ongoing emphasis on the insider threat may be more a product of fear than a factual problem.
“Business, by and large, there’s a mentality that we have to protect what’s inside from this unregulated atmosphere outside, and that the protections are by and large built to keep things from getting in, not things from getting out,” he said. “It’s kind of a 1999 view of security, but at the end of the day, what’s inside is relatively unprotected to the internal threat actor. People have a perception based on that that most of my moving parts, most of my vulnerabilities are internal. Most of my security is postured against the external, so internal is where most of my crime should happen.”
Despite the growth in espionage, financially motivated crime still represents the majority of breaches, and organized crime makes up 55 percent of attackers. But the massive growth in cyber espionage provides the most troubling data.
“A whopping 96 percent of espionage cases were attributed to threat actors in China and the remaining 4 percent were unknown,” the report said. “This may mean that other threat groups perform their activities with greater stealth and subterfuge. But it could also mean that China is, in fact, the most active source of national and industrial espionage in the world today.”