Businesses, Government Agencies, and Political Dissenters Beware. Chinese Predators May Be Lurking at the Waterhole: Understanding Waterhole Attacks

There are three main reasons for hacking. One is for financial gain, one is for acquiring protected information, and the third is to achieve some political objective. The second reason for hacking, that of acquiring protected information, is often used, at a later time, to achieve financial gain, but its motivation is somewhat different than the first objective of getting money as easily as possible. This goal of acquiring secret information is often classified as industrial or corporate espionage. Both the second and third objectives for hacking often take far more skill to attain than the first. They require bypassing system security to gain full access to a network of a large corporation, institute, or government agency. Since these large organizations often have the best security, they can often only be attacked through zero-day exploits; that is, previously undiscovered vulnerabilities. When well designed, these attacks can exploit the vulnerability for a considerable time before they are discovered. When discovered, they can remove themselves from the attacked network leaving little, if any, trace that they had ever been there. However, as I have mentioned in previous posts, such zero-day attacks are very expensive, running into the hundreds of thousands of dollars, which is another reason why bedroom hackers aren’t going to purchase them. No, these attacks are designed by the big boys; big governments or big industries.

Of course, many hackers, of whatever financial status, will always try to attack these larger organizations directly. It happens every day. Who knows, they may get lucky. But if they don’t, a different strategy, a more indirect strategy, is called for. Sometimes, hackers will target individual employees in phishing or spear phishing attacks. These take a lot of time to design and still may not work because the organization’s network may have safeguards in place. That’s when the waterhole strategy comes into play.

Waterhole attacks work on the same principle as waterholes on an African plain. Predators, like lions and tigers, know that all animals will eventually have to come to the waterhole. It is just a matter of waiting and then attacking. In the cyber world, the waterholes are websites and the predators are generally Chinese, but more on that later.

Since many of the bigger sites are protected by security teams, even zero-day attacks might be too well defended against to be completely effective. Thus, it is often easier to attack these larger sites through sites that are associated with them. For example, if I wanted to get information from a company that made fighter planes, I might compromise a website of one of their suppliers. I would then wait for someone from the main company to come along and, when they did, I could inject the necessary malware. I might even find it easier to work through a supplier of a supplier. In other words, if you have a small or medium business and believe you are safe from such attacks, think again. If you have any connections at all with larger companies or institutions, you could, inadvertently, become the main cog in the hacker’s wheel. Your business or organization could be transformed into a watering hole.

Waterhole attacks were brought to light in 2012, but were probably created with the attack on Google in 2009. This has been called Operation Aurora and it was a cyber attack on up to 34 organizations and included such big names as Adobe, Yahoo, Dow Chemical, Symantec, and Morgan Stanley. Google immediately blamed China for the attack and subsequent investigations proved they were correct. It was traced to something called the Elderwood Project or Elderwood Group. Here is where things get a little confusing.

Symantec was the first to expose and name the Elderwood Project. This is a cybercrime unit that uses what they call the Elderwood Platform to propagate a “seemingly unlimited number of zero-day exploits”. These exploits target “defense, various defense supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers.” Symantec goes on to say that “victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property. The resources required to identify and acquire useful information—let alone analyze that information—could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself.” Symantec, however, did not explicitly name China as the source of these attacks. This was first done by Mandiant in 2013 when they named PLA (People’s Liberation Army) Unit 61398, a part of the Chinese government, as the source of these attacks. Now, (bear with me) according to Mandiant, within PLA Unit 61398 is a group which has persistently attacked certain American firms since at least 2002. They refer to this group as APT1. It is one of four APT groups, each of which apparently specializes in attacking specific types of organizations. This is the same group that recently had five of its members indicted by the U.S. Department of Justice for theft of confidential business information and intellectual property from U.S. commercial firms and for the planting of malware on their computers. They were eventually traced to this rather large building in Shanghai.


Unsurprisingly, the Chinese denied any connection with these attacks. In their defense, they claimed that, if they were really the attackers, they would not have allowed their IP addresses to be traced back to China. It’s a good argument. They also claimed that the true organizer of these attacks was the U.S. government who, they claim, wanted to make it look like China was behind them. They have a point. There would be no reason for Chinese hackers not to hide their IP addresses unless they wanted to make it appear that they were being manipulated. In other words, had they allowed the address to be traced to, say, Afghanistan, it may have looked even more as if they were trying to hide. Either that, or they wanted to show how much cyber power they possessed. Mandiant has no doubt that these attacks originated in China. In their report they conclude that “the nature of Unit 61398’s work is considered by China to be a state secret; however, we believe it engages in harmful ‘Computer Network Operations.’” The evidence they give for this conclusion is compelling. They even named three of the people behind these attacks. Mandiant also pointed out that they expected reprisals for this report. Whether related to this or not, malware has been found on Android phones that presents a screen with the Mandiant logo saying that the government has locked the phone and will only unlock it after a fine has been paid. I have asked Mandiant if they have suffered any repercussions due to their reporting and hope to find out when I attend their webinar in a few days, after which I will update this post.

There are other reasons why China seems to be behind these waterhole attacks. All one has to do is look at the targets involved. As Mandiant points out, “APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan”. The top industrial targets have been information technology, aerospace, public administration, satellites and telecommunications, and scientific research and consulting. However, more telling is the targeting of Chinese dissidents by compromising news sites that they may tend to visit. Websites used by Tibetan dissidents were similarly compromised. They include the Dalai Lama’s site, the Tibet Times, the Voice of Tibet radio station, and the Tibetan Center for Human Rights and Democracy. Now, I ask you, who else would be so interested in identifying these dissenters?

How would you know if your business or organization was being used as a watering hole? First of all, you have to understand that the perpetrators will do research on the organization they plan to attack. They may gather names of employees and suppliers, for example. They may then attempt a spear phishing attack which is generally in the form of an email sent from a believable email address with an actual employee’s name. The email may include an attachment or a link but, since it seems to be someone that the recipient knows, they may be more likely to click on it. Here is one that was sent to Mandiant employees seemingly from their CEO, Kevin Mandia.

Date: Wed, 18 Apr 2012 06:31:41 -0700

From: Kevin Mandia <>

Subject: Internal Discussion on the Press Release


Shall we schedule a time to meet next week?

We need to finalize the press release.

Details click here. (this was a zip file with an apparently relevant name)

Kevin Mandia

Some attachments use the pdf logo with a believable file name. If one actually responds to the email address given, they will be assured by someone that the email and attachment are valid.

Such a preliminary attack may be only to gain more information about the target organization and then to use this information to set up a watering hole. For example, if I had a list of usernames from your company for a supplier’s web site, I could filter out those visitors to the compromised website that I’m not interested in. In any event, if you identify such a spear phishing attack as outlined above, it should signal that you are being set up for a future waterhole attack. This is when you should alert all organizations connected to you to be on guard. Unfortunately, this still might not stop their websites from being compromised.
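As an added example (not part of the original post), here is a small Python triage check that flags the three signals the post describes in a message like the one quoted above: an executive's name on a sender outside your own mail domains, replies steered to an outside mailbox (the "assurance" channel), and an archive or executable attachment used as the lure. The sample message is constructed; its domains, the executive list and the internal-domain set are placeholders you would replace with your own.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above; the original's address
# field was stripped, so the domains here are placeholders, not real ones.
SAMPLE_MSG = """\
From: Kevin Mandia <kevin.mandia@webmail-example.invalid>
Reply-To: kevin.mandia@webmail-example.invalid
Subject: Internal Discussion on the Press Release
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Shall we schedule a time to meet next week?
We need to finalize the press release.
--b1
Content-Type: application/zip; name="press_release.zip"
Content-Disposition: attachment; filename="press_release.zip"

(zip bytes omitted)
--b1--
"""

INTERNAL_DOMAINS = {"corp-example.invalid"}   # your own mail domains (placeholder)
EXECUTIVES = {"kevin mandia"}                  # names an attacker is likely to borrow
RISKY_EXT = (".zip", ".exe", ".scr", ".js")    # attachment types commonly used as lures

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyse(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. An executive's name on a sender address outside our own domains.
    name, addr = parseaddr(str(msg.get("From", "")))
    if name.strip().lower() in EXECUTIVES and domain_of(addr) not in INTERNAL_DOMAINS:
        findings.append("executive display name on an external sender: " + addr)
    # 2. Replies steered to an outside mailbox, where the "assurance" would come from.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) not in INTERNAL_DOMAINS:
        findings.append("replies are routed to an external address: " + reply)
    # 3. Archive or executable attachments, the usual lure payload.
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXT):
            findings.append("lure-style attachment: " + fn)
    return findings
```

Running `analyse(SAMPLE_MSG)` returns all three findings; a plain internal message with no attachment returns an empty list.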

In fact, there is little chance you can stop an attack from someone with the resources and desire to get information from your company or organization. According to a recent FireEye report, over the last 6 months, 97% of the networks they studied have been breached. This despite the fact that organizations spend over $67 billion on security. Bluntly speaking, this is a pretty poor return on investment. As FireEye states in its conclusion, “organizations must consider a new approach to securing their IT assets. For many, that shift should include reducing waste on redundant, backward-looking technology and redeploying those resources on defenses designed to find and stop today’s advanced attacks.” At InZero Systems, we agree with FireEye’s conclusions. All software security solutions are only temporary and can be circumvented. For this reason, we have developed a hardware solution that does not allow any cybercriminal to access company information from a compromised user device. If you are considering getting a return on your security investment, contact InZero. Why let others profit from your research?
