Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Incident & Breach Response
Reports: China Suspected in Marriott Database Breach
But Experts Caution Forensic Evidence Is LackingHackers linked with China are suspected to be behind the four-year breach of Marriott's Starwood guest reservation system, according to several news reports.
See Also: Gartner Guide for Digital Forensics and Incident Response
Reuters cited three anonymous sources with knowledge of Marriott's investigation. The New York Times and Washington Post filed similar reports. Chinese government officials deny the country was involved.
Although the investigation is ongoing, the New York Times reports that private companies brought in to analyze the Starwood intrusion saw "computer code and patterns familiar to operations by Chinese actors." It reported that the hackers may be connected with China's Ministry of State Security, a civilian spy agency.
In an interview on Fox & Friends on Wednesday, Secretary of State Mike Pompeo appeared to confirm the belief that China is behind the Marriott attack. Pompeo spoke broadly about Chinese intelligence operations, and said "That's right" when the host suggested the Marriott hack was the latest example.
Accurate Attribution?
Reuters reports that its sources say the tools, techniques and procedures - a trio of indicators studied in cyberattacks - used in the Marriott breach have been used in previous breaches attributed to China.
But Reuters' sources also said some of hacking tools seen have been available online, making it possible others are to blame. Computer security experts often caution about attribution because intruders can use a variety of techniques to leave misleading forensic clues.
Malware that may be linked to China doesn't necessarily mean Chinese hackers are in the network, writes Jake Williams, founder of Rendition Infosec, an Atlanta-based security consultancy.
China is "by far the easiest to false flag," Williams writes in a tweet. "So much of their malware is widely public (e.g. anyone with a VirusTotal account can download builders)."
I said this days ago. Just because you have malware linked to China doesn't mean you have Chinese hackers in the network. They're by far the easiest to false flag. So much of their malware is widely public (e.g. anyone with a VirusTotal account can download builders).
— Jake Williams (@MalwareJake) December 12, 2018
Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies, writes on Twitter that it's "plausible" China is behind the intrusion. But he cautioned that the suggestion is a big claim that's being made without forensic evidence at a particularly sensitive time between the U.S. and China.
Trio of Mega-Breaches
If investigators' hunches are accurate, China would be to blame for three of the biggest intrusions that occurred since 2014: the U.S. government's Office of Personnel Management, the health insurer Anthem and now Marriott's Starwood.
As with the OPM hack and Anthem, none of the Marriott data apparently has shown up for sale in underground online markets, which some have suggested is a sign of a state-sponsored operation rather than one criminal one.
The Marriott intrusion was only halted in September. The attackers had access to data for 500 million accounts stored in the guest reservation database from 2014 through early September (see: Marriott's Mega-Breach: Many Concerns, But Few Answers).
For 327 million accounts, name, postal address, phone number, email address, passport number, birth date and travel data was exposed. For some of those accounts, encrypted payment card numbers and expiration dates were also exposed, as was potentially the information attackers would have needed to decrypt the payment card data. For the remaining accounts, less sensitive data, such as postal address, email address or other information, was leaked. So far, Marriott has not released information on how the hackers got inside the reservation database.
The New York Times notes that Marriott is the significant provider of accommodations for U.S. government employees and military personnel.
The OPM breach involved a staggering amount of data within background checks on federal employees. The data included information on debt, personal relationships and, for 5.6 million people, biometric fingerprint data (see: Stolen OPM Fingerprints: What's the Risk?).
Anthem, formerly known as WellPoint, disclosed in February 2015 that attackers gained access to a corporate database and stolen more than 79 million records containing patient and employee data (see: Anthem Hit by Massive Data Breach).
In August 2017, U.S. authorities arrested a Chinese man for allegedly distributing a type of malware that was used in both the Anthem and OPM attacks (see: Chinese Man Allegedly Tied to OPM Breach Malware Arrested).
Volatile Times
China's suspected involvement in the Marriott hack adds to rising tension with the U.S. The two countries are hashing out a trade agreement that President Donald Trump hopes will remove protectionist barriers and open new markets for U.S. companies.
Also, the Wall Street Journal reported on Dec. 6 that the Department of Justice is close to unsealing charges against members of the Chinese military for the so-called Cloudhopper attacks, which compromised managed service providers and managed security service providers. That attack group is also sometimes referred to as APT10.
Yet another conflict is the arrest of Huawei CFO Meng Wanzhou, the daughter of company founder Ren Zhengfei. She was detained in Canada at the request of the U.S. related to alleged violations of sanctions against Iran.