China ‘Aiding Hacker Attacks On West’

Charles Arthur | The Guardian

The Chinese government is directly aiding thousands of computer attacks against western companies and defence groups by top-level hackers based in Shanghai, according to a new study which warns that they have stolen vast amounts of data from their targets.

Mandiant, a security company which has been investigating attacks against western organisations for more than six years, says in a report (PDF) that the attacks come from a 12-storey building belonging to the People’s Liberation Army (PLA) General Staff’s Department, also known as Unit 61398, in Shanghai.

The discovery will further raise the temperature in the intergovernmental cyberwars, which have heated up in recent years as the US, Israel, Iran, China and UK have all used computer subterfuge to undermine rival state or terrorist organisations. One security expert warned that companies in high-profile fields should assume that they will be targeted and hacked – and build systems that will fence sensitive data off from each other. “We need to concentrate less on building castles and assuming they’ll be impervious, and more on building better dungeons so that when people get in they can’t get anything else,” said Rik Ferguson, global vice-president of security research at rival company Trend Micro.

Mandiant says that Unit 61398 could house “hundreds or thousands” of people and has military-grade high-speed fibre-optic connections from China Mobile, the world’s largest telecoms carrier. “The nature of Unit 61398’s work is considered by China to be a state secret; however, we believe it engages in harmful computer network operations,” Mandiant said in the report. It said it has been operating since 2006, and is one of the most prolific hacking groups “in terms of quantity of information stolen” – which it put at hundreds of terabytes, enough for thousands of 3D designs and blueprints.

“APT1”, as Mandiant calls it, is only one of 20 groups that Mandiant says has carried out scores of hacking attacks against businesses and organisations in the west to surreptitiously steal copious amounts of data without the owners’ knowledge. The industries affected all work in industries viewed as “strategic” by the Chinese government.

A typical attack would leave software that hid its presence from the user or administrator and silently siphoned data to a remote server elsewhere on the internet at the instruction of a separate “command and control” (C&C) computer. By analysing the hidden software, the pattern of connections and links from the C&C server the team at Mandiant said it was confident of the source of the threat.

Mandiant said: “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”

A Chinese foreign ministry spokesman denied the government was behind the attacks, saying on Tuesday: “Hacking attacks are transnational and anonymous. Determining their origins are extremely difficult. We don’t know how the evidence in this so-called report can be tenable. Arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue.”

But Ferguson told the Guardian: “This is a pretty compelling report, with evidence collected over a prolonged period of time. It points very strongly to marked Chinese involvement.” Mandiant, based in Alexandria, Virginia in the US, investigated the New York Times break-in and suggested it had come from Chinese sources.

President Obama is already beefing up US cybersecurity, introducing an executive order in his state of the union speech earlier in February which would let the government work with the private sector to tend off hacking. But that will take until February 2014 to have a final version ready for implementation.

The revelation comes just days after the New York Times, Wall Street Journal and Washington Post, as well as the social networks Facebook and Twitter, said that they had been subjected to “highly sophisticated” hacks which in some cases were focussd on correspondents writing about China and its government.

Separate investigations by the computer company Dell working with news company Bloomberg tracked down another alleged hacker, Zhang Changhe, who had written a number of papers on PC hacking – and who works at the PLA’s “Information Engineering University” in Zhengzhou, in Henan province in north-central China.

The allegations will raise the temperature in an ongoing “cyberwar” between the west and China, which has been steadily rising since the Pentagon and MI6 uncovered “Titan Rain“, a scheme that tried to siphon data from the Pentagon and the House of Commons in 2006 – which one security expert said at the time dated back at least to 2004.

Ferguson suggested that western governments are also carrying out attacks against Chinese targets – “but that’s not a culture which would open up about being hit. I would be surprised and disappointed if most western nations don’t have a cybersecurity force.”

The Stuxnet virus which hit Iran’s uranium reprocessing plant in 2010 is believed to have been written jointly by the US and Israel, while Iranian sources are believed to have hacked companies which issue email security certificates so that they could crack secure connections used by Iranian dissidents on Google’s Gmail system. China’s is also reckoned to have been behind the hacking of Google’s email servers in that country in late 2009 – which files from Wikileaks suggested was government-inspired.