Four days before U.S. and Russian leaders met in Helsinki, hackers from China launched a wave of brute-force attacks on internet-connected devices in Finland, seeking to gain control of gear that could collect audio or visual intelligence, a new report says.
“Finland is not typically a top attacked country; it receives a small number of attacks on a regular basis,” the report says.
China generally originates the largest chunk of such attacks; in May, Chinese attacks accounted for 29 percent of the total. But as attacks began to spike on July 12, China’s share rose to 34 percent, the report said. Attacks jumped 2,800 percent.
The China-based hackers’ primary target was SSH (or Secure Shell) Port 22 — not a physical destination but a specific set of instructions for routing a message to the right destination when the message hits the server. “SSH brute force attacks are commonly used to exploit systems and [internet of things, or IOT] devices online,” the report says. “SSH is often used by IoT devices for ‘secure’ remote administration.”
Internet-of-things devices are particularly attractive targets for state-based hackers because many network administrators never change the password or login credentials for IOT devices on their networks from the factory default. That leaves those devices more vulnerable to brute-force attacks, in which hackers hit the devices with lots of random password combinations or combinations informed by some knowledge of how those manufacturers set default passwords and credentials. It’s the sort of attack that’s easier for actors with lots of human and computer power to throw at the problem, but hardly exclusive to them.
“The rise of poorly secured Internet of Things (IoT) devices has made it possible for attackers to gain access to targets of interest. Nation-states, spies, mercenaries, and others don’t need to dress up as repairmen to plant bugs in rooms anymore; they can just hack into a room that has vulnerable IoT devices,” the report says.
The attackers also heavily targeted Session Initiation Protocol, or SIP, Port 5060, used by teleconferencing software and internet-based phone apps.
China wasn’t alone in trying to gain access to Helsinki’s internet-connected devices in the lead-up to the July 16 summit. Attack traffic came from the U.S., France, and Italy as well, in that order. But the U.S. and French traffic was in keeping with averages. Russian attack traffic dropped considerably from third, its usual spot, to fifth. German attack traffic jumped.
Speaking at the Aspen Security Forum on Wednesday evening, FBI director Christopher Wray commented that “China from a counterintelligence perspective represents the broadest, most pervasive, most threatening challenge we face as a country.”
Administration and national security officials have also been sounding the alarm about the state of Chinese industrial espionage. It was a concern experts brought up before the House Committee on Intelligence on Thursday morning. Michael Pillsbury, Director of the Center on Chinese Strategy at the Hudson Institute, noted “We have made a good start toward a new strategy toward China, but we may still be underestimating the problem and China’s resistance to change.”
Elsa Kania, an adjunct fellow at the Center for a New American Security, said, “It is clear that, despite the 2015 Xi-Obama agreement, Chinese cyber espionage, including that undertaken for purposes of IP theft, has continued, as in the recent troubling compromise of a Navy contractor by hackers from the Ministry of State Security.”
Michael Brown, a former CEO of Symantec corporation and one of the co-authors of the so-called DIUx Paper for the Pentagon — a paper that outlines the national security threat posed by the transfer of technology capital to China — testified that “Chinese companies already own significant parts of the military supply chain.”
A recent report from the Office of the Counterintelligence Executive describes China as “the world’s most active and persistent perpetrator of economic espionage.”