On March 5, the Wall Street Journal reported that Chinese hackers have targeted 27 universities in the United States and other countries “as part of an elaborate scheme to steal research about maritime technology being developed for military use,” according to cybersecurity experts and current and former U.S. officials.
A report by cybersecurity firm iDefense found that a total of 27 universities – including Duke University, the Massachusetts Institute of Technology, Pennsylvania State University, and other universities in Canada and Southeast Asia – had been targeted by the hackers, based on the fact that those universities reportedly “either studied underwater technology or had faculty with relevant backgrounds.” Some of the universities reportedly have been working on underwater communications technologies, and MIT in particular “conducts research on warship design.”
The iDefense report noted that the hackers used a simple and time-tested attack technique, “sen[ding] universities spear phishing emails doctored to appear as if they came from partner universities, but they unleashed a malicious payload when opened.” According to The Times, the hacker group in question, known variously as APT10 and Temp.Periscope, “has also tried to infiltrate computer networks of companies involved in chipmaking, advanced manufacturing and industrial processing . . . [and] is thought to be behind the theft of missile plans from a US naval contractor.”
Note: These cyberattacks on universities are only the latest manifestation of the sustained offensive that Chinese hackers have directed at the United States and other countries in pursuit of military and trade secrets and other intellectual property. These latest reports should prompt Chief Information Security Officers and Chief Compliance Officers to take two actions:
- First, use these attacks as illustrations in new cybersecurity warnings to employees about spear-phishing attacks and the risks to the company from opening such messages;
- Second, update information-security due diligence for third-party providers (including law firms) and joint-venture partners with which the company is sharing sensitive data for business reasons.
Unfortunately, the increasing sophistication of Chinese hacker teams in recent years means that cybersecurity teams in companies and agencies must base their cyberdefense planning on the Red Queen’s advice: “ . . . it takes all the running you can do to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”