The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies.
“These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People’s Liberation Army Unit 61398 . . . whose activity was publicly disclosed and attributed by security researchers in February 2013,” said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant.
Indeed, U.S. officials say privately, the activities of this group are just as significant — if not more so — than those of Unit 61398.
The U.S. government has publicly called on the Chinese government to halt its widespread cybertheft of corporate secrets, but Beijing has denied such activities. When the Justice Department in May announced the indictments of five PLA officials on charges of commercial cyberespionage, the government responded by pulling out of talks to resolve differences between the two nations over cyberspace issues.
The FBI’s alert, obtained by The Washington Post, coincided with the release of a preliminary report on the same hackers by a coalition of security firms, which have dubbed the group Axiom. “The Axiom threat group is a well-resourced and sophisticated cyber espionage group that has been operating unfettered for at least four years, and most likely more,” said the report, issued by Novetta Solutions, a Northern Virginia cybersecurity firm that heads the coalition.
The cyberspying campaign is in support of China’s strategic national interests, the report said. Specifically, Axiom targets organizations that have strategic financial and economic interest, influence energy and environmental policy and develop high-tech equipment such as microprocessors, the report said.
The group’s sophistication is demonstrated less in how it gains access to targets’ computers and more in how it moves “laterally’’ once inside the system, disguising its behavior to look normal so it goes undetected, said Peter B. LaMontagne, Novetta Solutions chief executive officer.
“It suggests a threat actor that is well-funded, organized, patient — all characteristics associated with a government organization,” he said.
The FBI and the industry coalition suggested that the group may be the same one that has been linked to other cyberespionage campaigns — including, notably, the coalition said, one that targeted Google in 2009 in what has come to be known as Operation Aurora.
The group, the FBI said, has deployed at least four “zero-day exploits” or hacking tools based on previously unknown flaws in Microsoft’s Windows operating system, which reflects a considerable degree of prowess as zero-day flaws are difficult to find in software.
The bureau’s nine-page alert contained some “indicators of compromise” that companies could use to determine if they have been hacked by the group.
“This group uses custom tools that should be immediately flagged if detected” and reported to FBI Cywatch, the agency’s 24-hour cyber-command center.
The industry coalition includes Microsoft, Cisco, FireEye, F-Secure, iSight Partners, Symantec, Tenable, ThreatConnect, ThreatTrack Security, Volexity and other threat researchers that did not wish to be identified.
The coalition said on Wednesday it was launching a two-week effort to gather more information about Axiom’s tactics and techniques from organizations that have been targeted. At that point, it said, it hopes to more definitively identify the group and its links to other cyberespionage campaigns. It will issue a report on Oct. 28.