US group takes aim at China's role in cyber wars

A senior figure working for a large European manufacturing company in China tells a story of a blueprint for an industrial process…

A senior figure working for a large European manufacturing company in China tells a story of a blueprint for an industrial process that they just could not get to work. Engineers spent weeks examining the process but found the project lacked something crucial. It was deemed unsustainable and the project was abandoned.

The executive took the abandoned project outline and put it into a heavily encrypted section of the company’s IT system to see what happened. Sure enough, within a couple of weeks, he received a call from a local client. The Chinese company had developed an industrial process, but it seemed to be lacking some crucial elements. Could he have a look at it? Perhaps see how to fix the process?

These stories are common and there are enough verified true stories of hacking and industrial espionage for China to take centre-stage in the debate about what cyber warfare is being waged, and who is the assailant. Various international newspapers say they have been targeted by Chinese hackers, such as the New York Times, the Washington Post and the Wall Street Journal, as has the Bloomberg news agency.

The attacks often coincided with sensitive stories about China, such as the New York Times exposé about Premier Wen Jiabao’s family and their billions, or Bloomberg’s piece about financial holdings by new Chinese leader Xi Jinping’s family.

READ MORE

At the New York Times, hackers installed malware that wasn’t detected by Symantec’s anti-virus software, they installed backdoors, obtained passwords of employees and accessed emails by New York Times correspondents David Barboza, who wrote the Wen Jiabao exposé, and former China correspondent Jim Yardley.

Unit 61398 of the People’s Liberation Army is based in Shanghai’s financial hub Pudong, in a 12-storey building in a residential area. Inside this building a secret group of hundreds, maybe thousands, of hackers form the core of China’s cyber assault against scores of corporate victims over the past seven years.

China’s hackers

The US cyber security group, Mandiant, believes the attacks involving hundreds of terabytes are state-sponsored, and as targeted as any conventional weapon.

The hackers here are the central plank of state-sponsored industrial espionage in China and are behind the specific Advanced Persistent Threat (APT) group, which Mandiant has labelled APT1. The group is known by many of its victims in the United States as “Comment Crew” or “Shanghai Group”.

“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organisation behind APT1,” Mandiant said. “We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398. Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors.”

Unit 61398’s formal name is the 2nd Bureau of the People’s Liberation Army’s General Staff Department’s 3rd Department. The only way that APT1 would be in a position to wage such an extensive cyber espionage campaign would be because it gets direct government support.

The report identifies a number of individual hackers, including “UglyGorilla”, who has registered domains associated with APT1 and written malware, who expressed his interest in China’s “cyber troops” in January 2004. Another hacker called “DOTA” has registered dozens of email accounts used to conduct social engineering and “phishing” attacks.

Once the hackers establish access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including blueprints, manufacturing processes, test results, business plans, pricing documents, partnership agreements, as well as emails and contact lists from the victim organisation’s leadership.

Sceptical eyebrow

Beijing denies the reports, and says that it is a victim of hacking and denies that it is involved in cyber warfare. China’s foreign ministry raised a sceptical eyebrow about the evidence in the report. Beijing’s line is that cyber attacks are global, anonymous and deceptive, and their true sources are not easy to identify. “Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don’t know how the evidence in this so-called report can be tenable,” spokesman Hong Lei told a regular news briefing.

Computer security experts say the key to the success of the cyber wars is deniability. The cyber spies use third-party computers in other countries as a way of covering their tracks. It’s not just the Chinese government that is sceptical, and analysts have criticised what they see as over-reliance on Mandiant as a source, and also failure to recognise that everyone is at it.

Around 60 per cent of attacks on US national defence systems are said to emanate from within America. That leaves 40 per cent for the rest of the world, which means that it can’t all be China. “My problem with this report is not that I don’t believe that China engages in massive amounts of cyber espionage,” Jeffrey Carr, founder and CEO of Taia Global Inc and the author of Inside Cyber Warfare, wrote on his blog.

“I know that they do – especially when an executive that we worked with travelled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room. My problem is that Mandiant refuses to consider what everyone that I know in the intelligence community acknowledges – that there are multiple states engaging in this activity; not just China,” he said. “Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.”

The Chinese blame the US, saying Washington is talking up threats from cyberspace to help stop plans by the Obama administration to cut defence spending. IP addresses alone do not provide proof of hackers’ origins, or whether the government is behind them. To deal with cyber attack allegations, there should be more dialogue, cooperation and regulation, rather than focusing on an imaginary enemy and demonising it, said Yuan Peng, an expert on US studies at the China Institute of Contemporary International Relations.

Clifford Coonan

Clifford Coonan

Clifford Coonan, an Irish Times contributor, spent 15 years reporting from Beijing