First-ever high-level talks on US-China cyber issues

News roundup: Chinese hacking activity drops in advance of US-China cyber talks, Australia blames China for major breach, mature malware, National Security Letter unveiled, and more.

This week, as officials from the U.S. and China meet for the first time since President Obama and President Xi Jinping signed an anti-hacking agreement in September, China is still making a mark on the cyber landscape in other ways -- and not just through the surprising report that the "Chinese hackers" widely blamed for the OPM breach were private actors who had been arrested prior to Xi's September visit.

The first U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues, held in Washington, D.C. on December 1, was co-chaired by China's Minister of Public Security Guo Shengkun, U.S. Secretary of Homeland Security Jeh Johnson and Attorney General Loretta Lynch.

The objective of the summit was "to enhance cooperation between the United States and China on cybercrime and related issues," according to the Department of Justice's summary of outcomes, which detailed five "specific outcomes" from the meeting.

Number one on the list was agreement on creating a document that establishes "guidelines for requesting assistance on cybercrime or other malicious cyber activities and for responding to such requests."

The two sides also agreed to participate in a "tabletop exercise in the spring of 2016 on agreed-upon cybercrime, malicious cyber activity and network protection scenarios to increase mutual understanding regarding their respective authorities, processes and procedures."

A "hotline mechanism" linking the two countries' leaders will also be set up "to establish a hotline for escalation of issues that may arise in the course of responding to cybercrime and other malicious cyber activities," the details of which are to be worked out before the next meeting.

Both sides agreed to "further develop case cooperation on combatting cyber-enabled crimes, including child exploitation, theft of trade secrets, fraud and misuse of technology and communications for terrorist activities, and to enhance exchanges on network protection." The leaders also agreed to meet again in June 2016, in Beijing, China, for the second U.S.-China High-Level Dialogue on Combatting Cybercrime and Related Issues.

After the meetings, National Security Advisor Susan E. Rice and Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco met with Guo, who is also one of China's five State Councilors, "to underscore the importance of full adherence to the U.S.-China cyber commitments made during President Xi's September 2015 State Visit," according to a statement issued by the White House.

The "Chinese Hackers" Narrative Softens

The "Chinese hackers" narrative holds that cyber attacks against U.S. government agencies (such as the OPM breach), as well as attacks against U.S. corporations to gather proprietary information and pass it to Chinese companies, are carried out by a hacking division of the Chinese People's Liberation Army (PLA), all under the control and direction of the Chinese government.

However, this narrative, repeated by many security experts -- and politicians -- softened this week as the Washington Post reported that the "Chinese military scaled back its cybertheft of U.S. commercial secrets in the wake of Justice Department indictments of five officers, and the surprising drawdown shows that the law enforcement action had a more significant impact than is commonly assumed," at least according to "current and former U.S. officials."

Meanwhile, China's official Xinhua news agency reported that the OPM breach was "a criminal case rather than a state-sponsored cyberattack as the U.S. side has previously suspected," though U.S. officials have not commented on that claim.

Not that soft, though

But despite all the happy talk and feel-good conferences, Chinese hackers are still drawing blame for cyberattacks, as the Australian Broadcasting Corporation reported "multiple official sources" confirming "a major cyberattack on the computers at the Bureau of Meteorology, which has compromised sensitive systems across the Federal Government," with one official placing the blame firmly on China.

In Other News

  • Malware, everywhere, and none of it new: First up is the super-stealthy GlassRAT trojan, reported by RSA, which they describe as a "zero detection" remote administration tool. The researchers wrote that GlassRAT "appears to have operated, stealthily, for nearly three years in some environments," and appears to have "targeted Chinese nationals associated with large multinational corporations in and outside of China." Another oldie but baddie, ransomware Cryptowall, is showing up again, this time version 4.0, which is being detected infecting computers via an exploit kit, according to SANS researcher Brad Duncan. If you thought that Conficker (first seen in 2008) was a thing of the past and relegated to random instances on law enforcement body cams, think again. This time, The Register reported, "Conficker was the most common malware used to attack UK and international organizations in October, accounting for 20% of all attacks globally," according to security vendor Check Point Software Technologies Ltd. Finally, Ponmocup is the stealthy monster botnet that's been running for nine years. According to Fox-IT, Ponmocup has infected as many as 15 million individual computers in all since 2006, peaking at 2.4 active nodes in July 2011 and with about 500,000 nodes currently. Fox-IT reports that Ponmocup "is sophisticated, underestimated and is currently largest in size and aimed at financial gain," adding that "Ponmocup is rarely noticed though, as the operators take care to keep it operating under the radar."
  • This week saw the end of the National Security Agency's (NSA) bulk telephony metadata program that had originally been authorized under Section 215 of the U.S.A. PATRIOT Act. The U.S.A. FREEDOM Act of 2015 ended the Section 215 U.S. government authorization to collect telephony metadata records in bulk -- but telephony metadata record collection will continue. Under the U.S.A. FREEDOM Act, "call detail records will be held and queried by the telecommunications service providers, not by the government," according to a fact sheet published by the Office of the Director of National Intelligence.
  • For the first time, the scope of information demanded by the FBI under a National Security Letter (NSL) has been revealed. Nicholas Merrill, owner of the now-defunct ISP Calyx Internet Access, was served with the NSL in 2004. The unredacted letter was released after the government declined to appeal the September decision by a federal district court ordering the FBI to lift the gag order. The FBI sought data about an unnamed ISP subscriber, including the web browsing history, online purchase information, IP addresses of contacts and much more.
  • The Department of Homeland Security (DHS) is doing free penetration testing for private companies, "mostly banks and energy firms," Krebs On Security reports. The testing is offered to "critical infrastructure" companies that request it, under the DHS's National Cybersecurity Assessment and Technical Services (NCATS) program.

Next Steps

Find out more about the Mandiant report on the APT1 Chinese hacking group.

Learn how to use sinkholing to defend against advanced persistent threats.

Discover how Chinese hackers have bypassed privacy tools with watering hole attacks.