A major U.S security firm conducted a detailed and exhaustive computer forensic investigation which revealed two Chinese hacker groups – Wekby and Deep Panda behind three recent and prominent cyber-attacks targeting companies in the U.S. The report on the investigation noted that the Chinese groups orchestrated the attacks using a total of seven computer-hosting companies in order to target:
- A U.S air carrier
- A European telecommunications company
- A European energy firm
While the security firm asked not to be named, they spoke to the Washington Free Beacon under the condition of anonymity. The online newspaper has obtained a copy of the report by the security firm.
A losing battle?
“It’s like playing whack-a-mole,” said an executive at a cybersecurity firm, noting the difficulties of blocking IP (Internet Protocol) addresses used by hackers from China on domains hosted by American servers. Fearing the possibility of being targeted in a cyber-attack, the executive who spoke anonymously said of the hackers that “they are using very, very sophisticated methods,” and have been doing so for years.
The commander of the U.S. Cyber Command, Admiral Mike Rodgers said in a speech recently that identifying cyber-attackers has become “a bit of a cat and mouse game,” and that hackers are taking proactive measures to actively deceive intelligence agencies.
One particular tactic used by cybercriminals is to reach out and establish new partnerships with other hackers, said Rodgers. “As you generate and gain more insights on what actors are doing, you watch them try to change what they do in a way to obfuscate how they do it,” he noted.
The most recent hacking report revealed that the Chinese have successfully mastered the means to re-use IP addresses that have been previous blocked years ago when authorities had identified them as a probable source of hacking.
Forensic analysis in the report said that “these Chinese actors (attackers) utilized common infrastructure hosted inside the U.S.”
For instance, the European energy company was the target of a cyber-attack that originated from discountbok.com, a website that’s connected to WeHostWebsites.com which is located in Baoan, Shenzen City, Guangdong. The cyber-attack also involved three IP addresses that were hosted by a Californian company called Psychz Networks, based in Los Angeles.
In a statement, a spokesman for Psychz Networks said, “We won’t be able to discuss any possible active investigations of our clients,” despite confirming that the IP addresses was the company’s to begin with.
The cyber-attack carried out against the U.S. air carrier was also traced back to IP addresses owned by GorillaServers Inc., along with another service at the same address in Los Angeles named WebNX.
The recent rise of U.S. servers being used by Chinese hackers is a worrying trend, say several cybersecurity experts.