The Mandiant report identifies a specific unit of the Chinese People's Liberation Army, Unit 61398, operating out of the Pudong New Area of Shanghai, as Advanced Persistent Threat 1 (APT1). Whereas much of the recent state-sponsored activity that has drawn attention has been disruptive or destructive, such as Distributed Denial of Service (DDoS) attacks and sabotage malware (e.g., the Stuxnet worm, widely attributed to the U.S. and Israel, which damaged uranium-enrichment centrifuges at Iran's Natanz facility), Unit 61398 has been primarily involved in industrial espionage. This unit has stolen "hundreds of terabytes of data from at least 141 organizations," according to the report. The content of the stolen data has been highly strategic, including "technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations' leadership." This combination of direct state support, industrial targeting, and the strategic nature of the stolen content signifies a new era in the evolution of IT risk.
While it is possible to overreact to the hype surrounding these revelations, it is important that clients take a balanced approach to judging and mitigating the risk that the report reveals. There are reasons for cautious optimism for some clients, because not all industries have been targeted equally. The companies targeted by Unit 61398 have primarily been those in industries identified as strategic in China's 12th Five Year Plan. The industries at highest risk are Information Technology, Aerospace, Public Administration, Satellites and Telecommunications, and Scientific Research. Industries that otherwise carry high compliance and regulatory risk, such as Healthcare, Financial Services, Metals and Mining, and Chemicals, have not been as extensively targeted. Note that these counts reflect the victims Mandiant observed, not immunity: an organization in a less-targeted industry that holds the kinds of data listed above (pricing, partnership agreements, executive email) should still treat itself as a plausible target.
Even if your firm is among the industries targeted by Unit 61398, our recommendations for combating hacking from a compliance perspective are mostly unchanged. The initial compromise in the intrusions the report describes was typically a spear-phishing email, and the attackers then relied on stolen credentials and ordinary remote-access tooling to move through the network. If the organizations that were attacked had followed information security best practices and their employees had been trained in the proper use of IT assets, their exposure would have been significantly diminished.
Specifically, firms need to:
- Perform a comprehensive IT security risk assessment that includes consideration of emerging threats such as Unit 61398
- Establish substantive IT security compliance policies
- Develop procedural policies regarding the updating of existing policies to deal with emerging threats
- Communicate IT security policies and procedures widely, targeting employees at highest risk (e.g., IT professionals, remote employees)
- Train employees in the appropriate use of IT assets, the safeguarding of data (especially data that contains strategic information), and how to recognize specific attacks (e.g., spear phishing: a targeted email that appears to come from a colleague, executive, or business partner and carries a link or attachment that installs malware when the recipient opens it)
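Training works better when employees (and the mail gateway) know what the tell-tale signs look like. The following is an added example, not code from the original article or from the Mandiant report: a small Python checker that runs over a raw email message and flags the indicators a spear-phishing message tends to carry, namely a sender domain that is a lookalike of the organization's own, link text that shows one domain while the href points to another, and links or attachments that deliver archives or executables. The sample message, the trusted domain `example-corp.com`, the `CONFUSABLES` table and the `analyze` function are all assumptions constructed for the example.

```python
"""Flag common spear-phishing indicators in a raw RFC 5322 email message."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the Mandiant report): the display name
# claims to be an executive, the sending domain swaps a digit 1 for the letter
# l in the real domain, and the link's visible text does not match its target.
SAMPLE_EMAIL = """\
From: "Jane Smith, CFO" <jane.smith@examp1e-corp.com>
To: analyst@example-corp.com
Subject: Revised partnership agreement - review before tomorrow
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the revised terms before the 9am call:</p>
<p><a href="http://portal.examp1e-corp.com/agreement.zip">https://docs.example-corp.com/agreement.pdf</a></p>
</body></html>
"""

# Assumed: the organization's own registered domains.
TRUSTED_DOMAINS = {"example-corp.com"}

# Character substitutions commonly used to build lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"))

# File types that should never arrive unannounced from outside.
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".vbs", ".lnk")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; production code would use the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(value):
    """Registered domain of an email address or a URL (with or without a scheme)."""
    if "@" in value and "://" not in value:
        return registered_domain(value.rsplit("@", 1)[1])
    parsed = urlparse(value if "://" in value else "http://" + value)
    return registered_domain(parsed.hostname or "")


def is_lookalike(domain, trusted):
    """True when undoing confusable substitutions turns a foreign domain into a trusted one."""
    if domain in trusted:
        return False
    normalised = domain
    for fake, real in CONFUSABLES:
        normalised = normalised.replace(fake, real)
    return normalised in trusted


def analyze(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable indicator strings found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if sender_domain not in trusted:
        findings.append(f"sender domain {sender_domain} is not a trusted domain")
    if is_lookalike(sender_domain, trusted):
        findings.append(f"sender domain {sender_domain} is a lookalike of a trusted domain")

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        extractor = LinkExtractor()
        extractor.feed(html_part.get_content())
        for href, text in extractor.links:
            href_domain = domain_of(href)
            # Visible text that looks like a URL but resolves to a different domain.
            if "." in text and domain_of(text) != href_domain:
                findings.append(f"link text shows {domain_of(text)} but points to {href_domain}")
            if is_lookalike(href_domain, trusted):
                findings.append(f"link domain {href_domain} is a lookalike of a trusted domain")
            if urlparse(href).path.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"link downloads a risky file type: {href}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name} has a risky file type")

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, `analyze` reports the lookalike sender domain, the mismatch between the displayed and actual link targets, and the `.zip` download. The same three checks are what employees should be taught to perform by eye: hover over the link, read the sender's address rather than the display name, and treat unexpected archives as suspect.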
In the less dynamic, more geographically insular pre-Internet era, it was sufficient to establish IT security policies and revisit them every two or three years. With competitive threats now originating from governments as well as traditional competitors, and coming from around the globe, the period between reviews needs to be shortened, and provisions should be made for ad hoc changes to policies when a report such as this one reveals a new threat.