Friday 22 February 2013

Mandiant: China is sponsoring cyber-espionage

(CNN) -- The Chinese government is sponsoring cyber-espionage to attack top U.S. companies, according to Grady Summers, vice president of security firm Mandiant.
Virginia-based Mandiant published a 60-page report detailing allegations over a six-year period against a group of hackers -- known as Comment Crew -- which Summers linked to a secret division of the Chinese military.
Summers told CNN: "China is attacking the U.S. on a scale like we've never seen before... We believe that the Communist Party of China is very aware of this."
Mandiant says the activity can be traced to four networks near Shanghai -- with some operations taking place in a location that is also the headquarters of Unit 61398, the secret military division.

Summers added: "Never before have we seen one state-sponsored entity like unit 61398 of the Chinese PLA attacking helpless commercial organizations in other countries."

The espionage group mainly targeted U.S. blue chip companies in 20 separate industries from aerospace to financial services.
"It's really a who's who of American companies. Of 140 victims worldwide, 115 of them were in the U.S.," Grady said.

Chinese foreign ministry spokesman Hong Lei dismissed the hacking charges on Tuesday, insisting that China is the victim of many cyberattacks -- most originating in the United States.
"Making baseless accusations based on premature analysis is irresponsible and unprofessional," he said. "China resolutely opposes any form of hacking activities."

Summers says a cyber offence by the U.S. is not an appropriate response to the attacks as "it creates more problems than it solves."
Instead, he advocates better defense systems in organizations that are vulnerable to cyber attacks and diplomatic pressure from Washington on Beijing.
The Mandiant report details 3,000 technical indicators, including IP addresses, domain names and encryption certificates, that can be used to strengthen companies' defenses.

Tuesday 5 February 2013

Your antivirus software probably won't prevent a cyberattack

During a four-month long cyberattack by Chinese hackers on the New York Times, the company's antivirus software missed 44 of the 45 pieces of malware installed by attackers on the network.

That's a stunning wake-up call to people and businesses who think they are fully protected by their antivirus software.

"Even the most modern version of antivirus software doesn't give consumers or enterprises what they need to compete in the hacker world," said Dave Aitel, CEO of security consultancy Immunity. "It's just not as effective as it needs to be."

The New York Times said it had an antivirus system from Symantec (SYMC, Fortune 500) installed on devices connected to its network. The Chinese hackers built custom malware to, among other things, retrieve the usernames and passwords of Times' reporters. Since that brand-new malware wasn't on Symantec's list of forbidden software, most of it was allowed to pass through undetected.

Symantec responded that it offers more advanced solutions than the one the New York Times (NYT) deployed.

"Advanced attacks like the ones the New York Times described underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," the company said in a written statement. "Antivirus software alone is not enough."

The cold fact is that no single solution can prevent all cyberthreats. Sophisticated attacks on networks routinely bypass network security systems, no matter how rock-solid they are -- or claim to be.

"Commercially available solutions are available to everyone," said Rohit Sethi, head of product development for SD Elements, a security firm. "It's not hard for attackers to learn how to evade detection, and they're coming up with ingenious ways of doing just that."


The solution, security experts say, is to deploy technology that keeps a very, very close eye on what's happening inside your network. You can't always prevent attackers from getting in, but you can at least set tripwires to alert you when they do.

In the New York Times' case, the company suspected that it would be attacked because of its investigation into Chinese Prime Minister Wen Jiabao's family finances. It asked AT&T (T, Fortune 500) to monitor its network. AT&T quickly picked up suspicious signs. Two weeks later, when the extent of the infiltration became clear, the Times hired security consultancy Mandiant to track the attackers' movements through its systems.

"Attackers no longer go after our firewall," Michael Higgins, the Times' chief security officer, told Times reporter Nicole Perlroth. "They go after individuals. They send a malicious piece of code to your e-mail account and you're opening it and letting them in."

From there, the best thing companies can do is track what attackers are doing.

"The question we always ask our customers is, 'Do you know every program running on your network?'" said Immunity's Aitel. "When you know the answer to that question, you don't need antivirus software. When you don't, you're screwed."
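An added illustration of the distinction Aitel and the article draw, not code from the article or from any vendor quoted in it: a signature list (the "list of forbidden software" that let the custom malware through) is compared with an inventory of programs you already know, over a constructed process list. Hosts, paths and file contents are invented stand-ins.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    host: str
    path: str
    sha256: str


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binaries" (just labelled byte strings, not real files).
KNOWN_GOOD = {sha256_of(b"word.exe v14"), sha256_of(b"explorer.exe")}
# A signature list built only from malware seen in earlier campaigns.
SIGNATURES = {sha256_of(b"old-campaign-dropper")}

# Constructed inventory of what is running on two workstations right now.
INVENTORY = [
    Process("reporter-pc-01", r"C:\Program Files\Office\word.exe", sha256_of(b"word.exe v14")),
    # Custom tool never seen before: no signature exists for it.
    Process("reporter-pc-01", r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
            sha256_of(b"custom tool, never seen")),
    Process("reporter-pc-02", r"C:\Windows\explorer.exe", sha256_of(b"explorer.exe")),
    Process("reporter-pc-02", r"C:\Users\asmith\Downloads\invoice.pdf.exe",
            sha256_of(b"old-campaign-dropper")),
]


def blocklist_alerts(inventory, signatures):
    """Antivirus model: flag only binaries whose hash is already on the list."""
    return [p for p in inventory if p.sha256 in signatures]


def baseline_alerts(inventory, known_good):
    """Inventory model: flag every program you do not already know about."""
    return [p for p in inventory if p.sha256 not in known_good]


if __name__ == "__main__":
    for name, hits in (("signature list", blocklist_alerts(INVENTORY, SIGNATURES)),
                       ("known-program baseline", baseline_alerts(INVENTORY, KNOWN_GOOD))):
        print(f"{name}: {len(hits)} alert(s)")
        for p in hits:
            print(f"  {p.host} {p.path}")
```

The baseline only pays off if the known-good set is actually maintained; every unknown becomes an alert to triage, which is the "very close eye" the experts describe.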

Experts say that antivirus software is still a good, basic thing to have. Owning an antivirus solution is like putting the Club in your car -- it's not going to stop a determined thief, but it's going to make stealing your stuff more difficult.

Antivirus software maker Avast, whose free antivirus software is among the most widely used, says there's a major distinction between the kinds of threats encountered by everyday Web surfers and the carefully targeted attack the Times faced.

"Seatbelts and airbags are wonderful protection and improve the safety of millions, but they will not stop a bullet fired -- say by a hired killer," said Jindrich Kubec, Avast's threat intelligence director. "Does it mean you will stop using airbags and seatbelts?"

Some antivirus solutions are better than others. In a recent analysis, Immunity simulated attacks against networks protected by the top-of-the-line software built by Symantec, Kaspersky Labs and Intel's (INTC, Fortune 500) McAfee security division.

Immunity was able to break into the systems protected by Kaspersky and McAfee in two days. Symantec was the best of the breed, with Immunity unable to penetrate it in the several days it gave itself to achieve the task.

"New reputational-based software works to an extent," Aitel said, referring to systems that aim to contextualize the threats they detect. "But deep down, nothing is as good as having a proper awareness about what's going on in your network."