Marriott Hack Reported as Chinese State-Sponsored

The New York Times and Reuters are reporting that China was behind the recent hack of Marriott Hotels. Note that this is still uncomfirmed, but interesting if it is true.

Reuters:

Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company's private probe into the attack.

That suggests that Chinese hackers may have been behind a campaign designed to collect information for use in Beijing's espionage efforts and not for financial gain, two of the sources said.

While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have previously been posted online.

Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood's computer networks since 2014, said one of the sources.

I used to have opinions about whether these attributions are true or not. These days, I tend to wait and see.

Posted on December 13, 2018 at 6:37 AM • 21 Comments

Comments

GlenDecember 13, 2018 8:10 AM

We better get used to the fact that China is targeting our infrastructure.
Similarly, Kaspersky is targeting us for Russia (not an antivirus, but a virus/).

I can't believe people are still using Kaspersky and Huawei... not that this would help against such attacks on our private companies. But at least don't bring it home with you.

Sheilagh WongDecember 13, 2018 8:14 AM

The Chinese government, or whoever this was, is really going to love those backdoors the Australian government is mandating.

PhaeteDecember 13, 2018 8:32 AM

How possible scenarios turn into propaganda.
I'm getting a hint of a coming "Cyber weapons of Mass Destruction" campaign modeled after the successful lie that lets people invade other countries to takeover their resources.

If you read the articles, both attribs are thin, the chinese one and especially the state sponsored one.
Yet frighteningly many people hear it as gospel, and some news organisations dramatise it for their own gain.

I'm still not convinced that either China or Russia is anywhere as active in state sponsored worldwide hacking as the USA is. Sure, they give it a good try, but if you compare leaked tools, infrastructure, APT technique/tech level etc, then you see who is investing most by far.

IanDecember 13, 2018 8:44 AM

Lack of leaked tools just indicates that China/Russia are better at OpSec than the US. It does not indicate that they are not as prolific in their cyber attacks.

MatthewDecember 13, 2018 9:57 AM

I enjoyed your discussion of the hack on KNX radio in Los Angeles. Pleasantly surprised that KNX had an actual expert on computer security.

Security SamDecember 13, 2018 10:26 AM

While both public and private hostile foreign entities
Work day and night nonstop to steal our own identities
Our very own elected government came up with Real ID
That sets up tempting personal data banks in our cities.

Mr VerhartDecember 13, 2018 11:20 AM

@Glen: Security experts in China and Russia can't believe people are still using Cisco products.

Clive RobinsonDecember 13, 2018 12:22 PM

@ Bruce,

I used to have opinions about whether these attributions are true or not. These days, I tend to wait and see.

The evidence against many atributions is at best hearsay, thus it's best to be skeptical at the best of times.

@ All,

But when I read,

    Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company's private probe into the attack.

I can tell it's more like "the worst of times"...

In that first short paragraph I see four things that imeadiatly make me think "cough cough BS cough BS cough".

The first point is an unnamed Private investigators dear god that's a very old trick, with a beard longer than mine. Either you put your face to what you claim or you are saying nothing of consequence[1]. At best it's wallpapering your arse whilst shooting the breeze.

Secondly, previously used in attacks another "here be dragons" warning that you are entering BS la la land. We know the CIA amoungst other US agencies had "False Flag tools" to make it look like a chosen target was doing the attack. I would assume that most IC entities and a good many hackers and "Private investigators" have now built tools with samples of supposadly "attributed attacks". It's kind of Hacking 101 these days, like putting on gloves when being a burglar, so any hacker with half a brain wgo does not wish to be caught is doing it, thus about as much use as an indicator as dirt on the floor.

Thirdly, Chinese Oh dear god the US's current one of four "cyber-existrntial threat" I've explained the nonsense that lives behind this, and you can also find it described in George Orwell's "1984", Niccolò Machiavelli likewise had a thing or two to say about such things in "The Prince" and "The Art of War". Speaking of which then there was that ancient Chinese dude and his "Art of War" (depending on who's copy/translation) it's either Sun (Wu) Tzu or his descendant Sun Bin. It's a simple "Political trick" for the sheeple.

Fourthly, sources who were not authorized to discuss So why were they flapping their gums? This is another old "if you knew what we know" nonsense that so many people fall for there must be one born every half second or so...

My advice is it's more politically motivated than evidence based thus treat it with a very long pole with a sharp point and put a clothes peg on your nose. By all means stir it a little, you never know a little real evidence might bubble up... But I've yet to see anything called evidence in the "attribution game" I could not fairly easily fake myself.

And that's the point realy, things are way way to easy to fake, especially by those supposadly gathering the evidence. Worse there is no "chain of evidence" and the evidence is often obtained by "illegal or tainted methods" thus the "fruit of the poison vine" doctrine applies.

But there is another thing that arises from points 2&3, they say "attributed to Chinese hackers" but are realy trying to imply "Chinese State". It's using a long runing build up of a Pavlovian type to make a probably false assumption in peoples heads. Again it's to try and make what few facts there are fit a frame that is in all probability not valid.

A usefull thing for people to ask themselves is "Of what use is this data?" then ask "Who would use it and why?" If it was the Chinese State there are probably a lot easier ways to get the data that might be of political use...

[1] Though it's a nice little trick if your are scrabbling for "Government Business".

TristanDecember 13, 2018 12:34 PM

These attributions are something I've questioned for a long time. If a group of hackers is smart enough to penetrate hardened defences, aren't they going to be smart enough to leave a trail pointing to someone else? Everyone now talks about Russian hackers interfering in the US elections (and elsewhere), but what is the evidence that they are Russian, and is it conclusive?

md5December 13, 2018 3:02 PM

China my ass.

"same hacking tools, some of which have previously been posted online"
"multiple hacking groups may have simultaneously been inside Starwood's computer networks since 2014, said one of the sources."

With their investment in cyber war, I doubt they will be easily detected. There must be an SOP to wipe everything, narrowing operating window, etc. All the good stuff.

So, this is instead something else. What it is, who knows, and who cares. There are more important targets being hacked right now.

Horatiu PetrescuDecember 13, 2018 4:30 PM

Every piece of information these days is second-hand, so very possibly untrusted. Big companies like Bloomberg can't even verify their sources (see the Supermicro story).
Media and blogs are untrusted sources of information and powerful manipulation tools. I only trust a handful of blogs and I trust research papers more than other sources of information, but that doesn't mean they're 100% trustworthy.
US blames China these days for a lot cyber attacks (and other things). Huawei is banned (now in New Zealand as well for the upcoming 5G network), Kasperski is banned. Like Bruce said at the recent New Zealand Kiwicon 2018, all devices have multiple passports. You ban Huawei but your device is still made in China and there's no 100% sure way of telling what's inside it.
Fear mongering is another powerful tool, and if it's not terrorism it seems to be China. People need to fear something or else the government won't have anything to spend their big defense budgets on.
From China's point of view the same thing can be said - US is blamed for cyber attacks happening in China. Is that wrong?
I started to think that China is not necessarily evil, compared to other states. It just depends which way you look at it, which perspective. Every state wants to defend their own power or people, some of them make a coalition (like the 5 Eyes - New Zealand, Australia, USA, Canada and UK).
I used to think many years ago that Google is an all-good entity. Or other companies as well, like Apple. But who's to say that the information they have on us isn't ingested for some evil purpose, now or in the future? Or when Google says that they're going to delete the personal data they have on you (if you request that), how can you verify that? Is Google or Facebook better than China in terms of privacy?
The more I think from different perspectives the more I understand that trust is becoming very scarce. The tendency to be paranoid is high.
Trust is broken. Everything is broken.

VK-4December 13, 2018 5:29 PM

Some are unable to expand-their god-given faculties to realize just how valuable this Marriott info is. Why would China want hotel personalized and verified data?

Assumptions
(1) customers who stay at Marriott are upscale
(2) a leading place to stay while on travel for important business reasons
(3) rooms are leased by all sorts of corporate, military and government officials

Data-Mining Delight
(4) identities are verified (cover identities require further data analytics)
(6) company charge cards can trivially associate all those working for the same employer and project
(7) company charge cards history show where and who they went out to a business lunch with
(8) what high-tech conferences are being held nearby?
(9) what sensitive facilities are nearby?
(10) smart phones location is widely available for sale
(11) rental cars always enable real-time gps tracking

In summary company name, charge card, verified name and addresses, phone number is a espionager’s gold-mine of who to further target. A hotel guest data is the gateway to determine a who’s-who attending confidential high technology or black box national security meetings. Now fuze this to the OPM SF-86 detailed life history.

My Homework
Are there Chinese agents working to spread disinformation in America[1]?
Is it technically ‘still-sufficient’ to just leave all smartphones outside the secure room[2]?
What the heck is SS7?

[1] To do: ask the FBI if they still have thousands of open investigations in all 50 states
[2] The military has determined that adversaries can identify ‘secret’ bases or installations from the clusters of smart-phones alone. To do: Does Amazon still sell cheap Chinese RF pouches?

Sancho_PDecember 13, 2018 6:12 PM

Sad situation. Foreigners!
Again a reminder of neglected cyber defense: A security gap.

But I’v heard from someone who is generally best informed that there are four other anonymous sources (also not authorized to speak in public) pointing at Russia because of very particular well known tools and methods used in the hack.
Only one other trusted insider (also speaking in anonymity because not authorized to comment) was naming Iran in this context. [1]

Four Trumps three, plus we know they want to destroy western freedom and democracy.
So don’t forget the Russians while targeting China.

Let’s outlaw crypto, then they can’t hide anymore, this will improve our security!

[1]
Others have it that Kim Jong-un from N.K. in a clumsy attempt to book a hotel suite in Florida by mistake downloaded the whole 4 years database to his iPhone, but I think this is a hoax, probably to discredit Kim while bragging about the apple’s capabilities.

Clive RobinsonDecember 13, 2018 8:07 PM

@ VK-4,

Some are unable to expand-their god-given faculties to realize just how valuable this Marriott info is.

Unfortunatly you have not read what was actually written,

    A usefull thing for people to ask themselves is "Of what use is this data?" then ask "Who would use it and why?"

You have provided not much more than a list of assumptions, for a "Movie Plot"

What you did not address was the important point of,

    If it was the Chinese State there are probably a lot easier ways to get the data that might be of political use...

As for your homework, you've left a lot out. Put simply one way or another data haemorrhages out of the West and many other places due to very very poor quality consumer level devices and OS's with all the security of an old cookie jar.

The easy way currently for the Chinese to get US citizen data is not by hacking. Just about every cheap electronic device you get from China that "needs" conbectivity is sending it back to servers in China. Oh as for that OPM hack, was it even realy a hack or a give away?

Is the Chinese Government behind this data haemorrhage, most likeky not, it's actually US Money from US Corporates that's driving it. Those cheap Chinese devices grabing the data have no profit in them at the price you pay. So what you have purchased is that Chinese companies way to get a slice of the world's biggest and most usless industry "Marketing". Just like Amazon and Google do...

Is the Chinese Government SigInt agencies watching all this "free" data flow by? Well it's what the NSA does in the US and anywhere else there is CISCO or Jupiter kit...

Hence my point does the Chinese Government need to hack a hotel chain, the answer is in the "why bother" category. It's actually more likely to be a financial related crime.

Mind you I've stayed at a number of their hotels and some of them ain't exactly "High roller territory". Oh and about the most usefull thing you will learn is I once ordered strawberry jam with breakfast, which I kept getting to my anoyance at other hotels in the chain, finally some one changed it to "Thick cut marmalade" what they never grocked was "I like a choice to chose from"...

As for SS7 it's Signalling System Seven" used as the "out of band" signalling and control of most telephone networks. It's now an International Standard from the ITU-T, though originally it came about from CCITT work which is why you will sometimes here it called C7 rather than SS7. The CCITT work was heavily based and influenced by work that originated from the UK Post Office System X which gave the world digital telephony signalling (like ISDN). It appeared in the mid 1970's and replaced the earlier "in band" signalling that was "multitone". As this transition involved great expense you might ask why the switch? Well it was due to those "Phone Phreakers" and their little "blue box" and Capt Crunch whistle rings that caused the almighty AT&T amongst others to lose trunk revenue. Guess what though... the whole point behind SS7 was it would not be publicaly accessable... But due to time and the desire to make more money in the US and other places getting at SS7 to "do your thing" as a member of the great unwashed public is not at all difficult...

ClipperDecember 14, 2018 5:45 PM

@Glen

"I can't believe people are still using Kaspersky and Huawei."

I admit I prefer having the Chinese spy on me. As it is now, most commercial hardware will have a backdoor. Living in the West, I am more afraid of the backdoors from Intel, Microsoft and the rest of American corporations than the backdoors of the far away Chinese.

So, if a Huawei phone means that the Chinese can spy on me but the Americans not, it's an obvious choice for me.

WeatherDecember 14, 2018 7:26 PM

I think NZ should use hwahi ,there is always realtime debuggers,but I think its not a technology issue, that area I won't touch

Sancho_PDecember 15, 2018 9:39 AM

@Clipper, Glen

Not spying! (what an ugly word for surveillance = protecting the people!)

It can be seen as sharing western ideology and lifestyle among Chinese analysts and government (=business). Experiencing our liberty, freedom and happiness from first hand will accelerate their social development much more than Radio Free Asia propagaxxx - sorry, information.

DennisDecember 20, 2018 4:18 AM

"So, if a Huawei phone means that the Chinese can spy on me but the Americans not, it's an obvious choice for me."

If you think a Huawei phone can spy on you, you better start worrying about Google.

DennisDecember 20, 2018 4:29 AM

Clive Robinson wrote, "The easy way currently for the Chinese to get US citizen data is not by hacking."

Ironically, it is the US Gov that forced the biggest privacy data grab of American citizens by foreign governments, as part of the "foreign accounts" push initiated by our overy own venerable President Obama.

The Marriott data appear rather pale and mild in comparison..

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.