In May, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military on charges of hacking and economic espionage, according to a May 19 U.S. Department of Justice media release. Per the same release, the targets were six U.S. enterprises operating in the solar products, nuclear power, and metals industries. The attacks began as early as 2006 and were carried out over many years, continuing into this year.

The five indictees were Wang Dong, a.k.a. Ugly Gorilla (hacker handle); Sun Kailiang, a.k.a. Jack Sun; Wen Xinyu; Huang Zhenyu; and Gu Chunhui, a.k.a. KandyGoo. The indictees were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army. According to the charges, the five men compromised computers belonging to the six U.S. enterprises and stole trade secrets and strategic information useful to those enterprises’ Chinese competitors. The U.S. companies that fell victim were Westinghouse, SolarWorld, U.S. Steel, ATI, the USW, and Alcoa, Inc., according to the same release.

After much preparation, the attackers launched carefully tailored spear phishing email attacks. CSOs, CISOs, and IT and security executives and staff should reconsider the technical and social nature of these kinds of attacks. Security leadership should revisit the measures they apply to their organizations to determine whether they are sufficient to mitigate costly nation-state hacker threats.
Attacks by members of the Chinese military

“The Chinese were probably probing their systems for years prior to launching the social engineering email attacks,” says Damon Petraglia, Director of Forensic and Information Security Services, Chartstone Consulting, speaking of the groundwork the five members of the Chinese military would have had to lay before sending the spear phishing emails to the six enterprises. These probes told them whom to target with the emails and what the corporate network topologies were, so that they could stage successful attacks against network vulnerabilities.

“They already knew what firewalls the targeted companies were using,” says Petraglia, who developed and taught information security training at a large U.S. government agency. According to Petraglia, these Chinese hackers would have built entire networks to the same specifications as the ones they planned to attack. “These were military and intelligence level officers who had the resources and the funding to do this. They were highly trained,” says Petraglia. Once the attacks they were working on succeeded against the duplicate network without detection, they could confidently send the attacks against the six U.S. entities.

Petraglia’s assertions are not speculation. “Military organizations duplicate towns, areas, and buildings to run practice drills prior to attack or rescue missions. From a technical perspective, duplicating a network based on electronic and physical reconnaissance is cheaper and easier than building a town, area, or building. Reconnaissance is a major part of red team / blue team exercise scenarios. From a military and intelligence perspective, this behavior is expected of the adversary,” says Petraglia.

Then came the slow, steady exfiltration.
“Most of these high profile cases are the result of spear phishing, unless the attackers have an insider in the target company,” says Rahul Kashyap, Head of Security Research, Bromium. In attacks by nation states you almost always see very well designed spear phishing emails that appear to come from the CEO or a similarly high official within the organization. “A spear phishing email sent to employees of Alcoa appeared to come from a corporate board member,” says Kashyap of one email sent during these attacks. The idea was to create a sense of urgency so that employees responded without thinking and began clicking links or opening attachments containing malware. “Attackers spray bunches of emails at employees. All they need is for one person to open one email and respond for an attack to progress,” says Kashyap.

The malware on employees’ machines ultimately moved the data via port 80 or another port used for web traffic, which enterprises expect to carry a lot of traffic. Because the malware was designed to push or pull just a little malicious traffic at a time, mixed in with expected web traffic, enterprise security did not detect the attacks. Meanwhile, the malware kit acquired increasing degrees of access on the network until it reached the databases and servers that contained the intellectual property and confidential documents the attackers sought and highly prized. “Anyone who had access to the kinds of material these hackers stole would have a huge advantage over the targeted U.S. competitors,” says Kashyap.

Previous state-sponsored attacks have used kernel exploits, as seen in Stuxnet, Duqu, Gapz, TDL4, Gameover, and the recent Adobe Reader sandbox bypass; these hackers may have used kernel exploits in these attacks as well. “The Windows kernel is the core of the operating system. If you compromise the kernel, you own the machine, including the security software on it,” says Kashyap.
Mitigating similar attacks

“I trained people at government agencies who had no clue that they were under attack as much as they were,” says Petraglia. Given that, everyday businesses outside the government are certainly not up to speed on securing against state-sponsored attacks, Petraglia concludes. Enterprises need to educate and train their people that they are definitely military and intelligence level targets of hackers.

Several layered technical measures are necessary to mitigate state-sponsored attacks that hackers mount for economic gain. Enterprises need solid definitions of what constitutes sensitive data. They need absolute rules about data access. “Use Data Loss Prevention tools so people can’t copy sensitive data to their laptop, which then ends up unattended in the back of their car,” says Petraglia.

“Encryption is key,” Petraglia continues. Encrypt all data in transit and at rest. Don’t make it easy for the hackers to get the data. Follow egress traffic to where it terminates insofar as possible. Watch the packet sizes leaving the enterprise as well as their destinations, and look for unexpected sizes and destinations.

Use a tiered security architecture with different security protocols and entirely different security devices at every level. “The firewalls at different layers should not all come from the same vendor,” says Petraglia; “they should be three different versions of firewalls from three different companies.” This helps prevent an attacker from breaking through multiple layers of security by using the same kind of attack on the same kind of vulnerability at every layer.

According to Kashyap, the threat landscape has changed over the last few years. “Hackers know the perimeter is well protected so they compromise the employees. Companies that care about their intellectual property should invest in security technology that assumes their employees are gullible and will make mistakes like the end users made during these state-sponsored attacks,” says Kashyap.

Enterprises should reevaluate any legacy security tools, because the hackers’ approaches are more advanced than the capabilities of these tools. “Use multiple tools to recognize anomalous behavior,” says Kashyap. Isolate the behavior and don’t permit it to proceed any further on the network.
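The low-and-slow exfiltration described above, with small amounts of data blended into ordinary web traffic, is exactly what Petraglia's advice to watch outbound packet sizes and destinations is meant to catch. The following Python script is an added example, not code from the article or from any vendor quoted in it. It runs over constructed web-proxy log lines (the log format, host names and IP addresses are invented for the example) and flags two patterns: a regular trickle of small uploads to a destination outside a known-business list on a web port, where bytes out exceed bytes in, and any single unusually large upload. The thresholds are illustrative assumptions, not values from the article.

```python
"""Egress review over constructed web-proxy log lines (added example).

Each line: ISO timestamp, source IP, destination host, destination port,
bytes sent out, bytes received.  Format, hosts and addresses are constructed
for this example and do not come from the article or any real product.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: workstation 10.1.4.23 browses normal business sites and,
# in parallel, posts a small, regular trickle to an unfamiliar host on port 80.
# Workstation 10.1.4.77 makes one very large upload to a known file service.
SAMPLE_LOG = """\
2014-05-19T09:00:02 10.1.4.23 intranet.example.com 443 1200 48000
2014-05-19T09:00:05 10.1.4.23 cdn.example.net 80 300 210000
2014-05-19T09:00:10 10.1.4.23 status-update.example.org 80 4096 512
2014-05-19T09:05:10 10.1.4.23 status-update.example.org 80 4090 520
2014-05-19T09:10:10 10.1.4.23 status-update.example.org 80 4100 505
2014-05-19T09:15:11 10.1.4.23 status-update.example.org 80 4088 515
2014-05-19T09:20:10 10.1.4.23 status-update.example.org 80 4097 500
2014-05-19T09:25:10 10.1.4.23 status-update.example.org 80 4095 530
2014-05-19T09:12:44 10.1.4.23 cdn.example.net 80 280 180000
2014-05-19T09:18:30 10.1.4.77 intranet.example.com 443 900 30000
2014-05-19T09:30:00 10.1.4.77 files.example.com 443 52428800 2000
"""

# Assumed allowlist of destinations the business is known to use.
KNOWN_DESTINATIONS = {"intranet.example.com", "cdn.example.net", "files.example.com"}


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, port, out, inb = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "out": int(out), "in": int(inb)}


def summarize(lines):
    """Group records by (source, destination, port) and compute egress stats:
    event count, bytes in each direction, and the regularity of the timing."""
    groups = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line:
            rec = parse_line(line)
            groups[(rec["src"], rec["dst"], rec["port"])].append(rec)
    summaries = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        summaries[key] = {
            "count": len(recs),
            "bytes_out": sum(r["out"] for r in recs),
            "bytes_in": sum(r["in"] for r in recs),
            "mean_gap": mean(gaps) if gaps else None,
            "gap_stdev": pstdev(gaps) if len(gaps) > 1 else None,
        }
    return summaries


def find_suspicious(lines, known=KNOWN_DESTINATIONS, min_events=4,
                    max_jitter=0.1, big_upload=10 * 1024 * 1024):
    """Return flows worth an analyst's attention.  Two illustrative rules:
    1. beacon-like trickle: an unknown destination contacted at least
       min_events times at near-constant intervals (stdev/mean <= max_jitter)
       with more bytes leaving than arriving;
    2. large upload: bytes out to any destination at or above big_upload."""
    findings = []
    for (src, dst, port), s in summarize(lines).items():
        reasons = []
        regular = (s["gap_stdev"] is not None and s["mean_gap"]
                   and s["gap_stdev"] / s["mean_gap"] <= max_jitter)
        if (dst not in known and s["count"] >= min_events and regular
                and s["bytes_out"] > s["bytes_in"]):
            reasons.append("beacon-like trickle to unknown destination")
        if s["bytes_out"] >= big_upload:
            reasons.append("large upload")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port,
                             "reasons": reasons, **s})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']}:{f['port']} "
              f"out={f['bytes_out']} in={f['bytes_in']} "
              f"events={f['count']} reasons={f['reasons']}")
```

Run on the sample it reports the five-minute trickle from 10.1.4.23 to the unknown host on port 80 (about 24 KB out against 3 KB in, which a size-only threshold would never notice) and the 50 MB upload from 10.1.4.77. In production the allowlist would come from an inventory or the proxy's category data, and the thresholds from a baseline of normal traffic rather than fixed constants.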