Myers' account of a months-long battle with the group illustrates
the challenges governments and companies face in defending against
hackers that researchers believe are linked to the Chinese
government - a charge Beijing denies.
"The Shell Crew is an extremely efficient and talented group," Myers
said in an interview. Shell Crew, or Deep Panda, is one of several
hacking groups that Western cybersecurity companies have accused of
hacking into U.S. and other countries' networks and stealing
government, defense and industrial documents. The attack on the OPM
computers, revealed this month, compromised the data of 4 million
current and former federal employees, raising U.S. suspicions that
Chinese hackers were building huge databases that could be used to
recruit spies.
China has denied any connection with such attacks and little is
known about the identities of those involved in them. But
cybersecurity experts are starting to learn more about their
methods.
Researchers have connected the OPM breach to an earlier attack on
U.S. healthcare insurer Anthem Inc, which has been blamed on Deep
Panda.
RSA's Myers says his team has no evidence that Shell Crew were
behind the OPM attack, but believes Shell Crew and Deep Panda are
the same group.
And they are no newcomers to cyber-espionage. CrowdStrike, the
cybersecurity company which gave Deep Panda its name due to its
perceived Chinese links, traces its activities to 2011, when it
launched attacks on defense, energy and chemical industries in the
United States and Japan. But few have caught them in the act.
SHELL CREW IN ACTION
In February 2014 a U.S. firm that designs and makes technology
products called in RSA, a division of technology company EMC <EMC.N>,
to fix an unrelated problem. RSA realized there was a much bigger
one at hand: hackers were inside the company's network, stealing
sensitive data.
"In fact," Myers recalls telling the company, "you have a problem
right now." Myers' team could see hackers had been there for more
than six months. But the attack went back further than that.
For months Shell Crew had probed the company's defenses, using
software code that makes use of known weaknesses in computer systems
to try to unlock a door on its servers. Once Shell Crew found a way
in, however, they moved quickly, aware this was the point when they
were most likely to be spotted.
SPEARPHISHING
On July 10, 2013, they set up a fake user account at an engineering
portal. A malware package was uploaded to a site, and then, 40
minutes later, the fake account sent emails to company employees,
designed to fool one into clicking on a link which in turn would
download the malware and open the door.
"It was very well timed, very well laid out," recalls Myers.
Once an employee fell for the email, the Shell Crew were in, and
within hours were wandering the company's network. Two days later
the company, aware employees had fallen for the emails - known as
spearphish - reset their passwords. But it was too late: the Shell
Crew had already shipped in software to create backdoors and other
ways in and out of the system.
For the next 50 days the group moved freely, mapping the network and
sending their findings back to base. This, Myers said, was because
the hackers would be working in tandem with someone else, someone
who knew what to steal.
"They take out these huge lists of what is there and hand it over to
another unit, someone who knows about this, what is important," he
said.
Then in early September 2013, they returned, with specific targets.
For weeks they mined the company's computers, copying gigabytes of
data. They were still at it when the RSA team discovered them nearly
five months later.
Myers' team painstakingly retraced Shell Crew's movements, trying to
catalogue where they had been in the networks and what they had
stolen. They couldn't move against them until they were sure they
could kick them out for good.
It took two months before they closed the door, locking the Shell
Crew out. But within days they were trying to get back in, launching
hundreds of assaults through backdoors, malware and webshells.
Myers says they are still trying to gain access today, though all
attempts have been unsuccessful.
"If they're still trying to get back in, that lets you know you're
successful in keeping them out," he said.
(Additional reporting by Joseph Menn; Editing by Rachel Armstrong
and Mark Bendeich)
Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.