Cyberwar: China steals tons of sensitive data from US

US and China have stepped up spying on each other.

Updated: Apr 15, 2011, 01:10 AM IST

Atlanta: As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.

And at the moment, many experts believe China may have gained the upper hand.

Though it is difficult to ascertain the true extent of America`s own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.

According to US investigators, China has stolen terabytes of sensitive data -- from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up.
"The attacks coming out of China are not only continuing, they are accelerating," says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.

Secret US State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches -- colorfully code-named "Byzantine Hades" by US investigators -- to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China`s People`s Liberation Army.

Privately, US officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.

US efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department`s Cyber Threat Analysis Division noted that several Chinese-registered Web sites were "involved in Byzantine Hades intrusion activity in 2006."

The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the "precise" postal code in Chengdu used by the People`s Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military.

"Much of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to other" electronic spying units of the People`s Liberation Army, the cable says.
The precise relationship with the Chinese Army of suspected hacker Chen Xingpeng could not be immediately determined by Reuters. A spokesman for the Chinese embassy in Washington did not respond to multiple requests for comment. The US State Department declined to comment.

But the leaked cables and other US government reports underscore how Chinese and other state-sponsored and private hackers have overwhelmed US government computer networks.

In the last five years, cyber-intrusions reported to the US Computer Emergency Response Team, a unit of the Department of Homeland Security, have increased more than 650 per cent, from 5,503 incidents in fiscal 2006 to 41,776 four years later, according to a March 16 report by the Government Accountability Office.

The business of spying

The official figures don`t account for intrusions into commercial computer networks, which are part of an expanding cyber-espionage campaign attributed to China, according to current and former US national security officials and computer-security experts.

In the last two years, dozens of US companies in the technology, oil and gas and financial sectors have disclosed that their computer systems have been infiltrated.

In January 2010, Internet search giant Google announced it was the target of a sophisticated cyber-attack using malicious code dubbed "Aurora," which compromised the Gmail accounts of human rights activists and succeeded in accessing Google source code repositories.

The company, and subsequent public reports, blamed the attack on the Chinese government.

The Google attack "was certainly an escalation of Chinese network operations against the US," says Joel Brenner, former counterintelligence chief for the Office of the Director of National Intelligence. "Thousands" of US companies were targeted in the Aurora attacks, Brenner says -- far more than the estimated 34 companies publicly identified as targets so far -- a scale which Brenner says demonstrates China`s "heavy-handed use of state espionage against economic targets."

Many firms whose business revolves around intellectual property -- tech firms, defense group companies, even Formula One teams -- complain that their systems are now under constant attack to extract proprietary information. Several have told Reuters they believe the attacks come from China.

Some security officials say firms doing business directly with Chinese state-linked companies -- or which enter fields in which they compete directly -- find themselves suffering a wall of hacking attempts almost immediately.

The full scope of commercial computer intrusions is unknown. A study released by computer-security firm McAfee and government consulting company SAIC on March 28 shows that more than half of some 1,000 companies in the United States, Britain and other countries decided not to investigate a computer-security breach because of the cost. One in 10 companies will only report a security breach when legally obliged to do so, according to the study.
Gone phishing

What is known is the extent to which Chinese hackers use "spear-phishing" as their preferred tactic to get inside otherwise forbidden networks. Compromised email accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.

The tactic is so prevalent, and so successful, that "we have given up on the idea we can keep our networks pristine," says Stewart Baker, a former senior cyber-security official at the US Department of Homeland Security and National Security Agency. It`s safer, government and private experts say, to assume the worst -- that any network is vulnerable.

Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in "target development" for spear-phish attacks by combing the Internet for details about US government and commercial employees` job descriptions, networks of associates, and even the way they sign their emails -- such as US military personnel`s use of "V/R," which stands for "Very Respectfully" or "Virtual Regards."

The spear-phish are "the dominant attack vector. They work. They`re getting better. It`s just hard to stop," says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.
Spear-phish are used in most Byzantine Hades intrusions, according to a review of State Department cables by Reuters. But Byzantine Hades is itself categorized into at least three specific parts known as "Byzantine Anchor," "Byzantine Candor," and "Byzantine Foothold." A source close to the matter says the sub-codenames refer to intrusions which use common tactics and malicious code to extract data.

A State Department cable made public by WikiLeaks last December highlights the severity of the spear-phish problem. "Since 2002, (US government) organisations have been targeted with social-engineering online attacks" which succeeded in "gaining access to hundreds of (US government) and cleared defense contractor systems," the cable said. The emails were aimed at the US Army, the Departments of Defense, State and Energy, other government entities and commercial companies.

Once inside the computer networks, the hackers install keystroke-logging software and "command-and-control" programs which allow them to direct the malicious code to seek out sensitive information. The cable says that at least some of the attacks in 2008 originated from a Shanghai-based hacker group linked to the People`s Liberation Army`s Third Department, which oversees intelligence-gathering from electronic communications.

Between April and October 2008, hackers successfully stole "50 megabytes of email messages and attached documents, as well as a complete list of usernames and passwords from an unspecified (U.S. government) agency," the cable says.

Investigators say Byzantine Hades intrusions are part of a particularly virulent form of cyber-espionage known as an "advanced persistent threat." The malicious code embedded in attachments to spear-phish emails is often "polymorphic" -- it changes form every time it runs -- and burrows deep into computer networks to avoid discovery. Hackers also conduct "quality-assurance" tests in advance of launching attacks to minimise the number of anti-virus programs which can detect it, experts say.

As a result, cyber-security analysts say advanced persistent threats are often only identified after they penetrate computer networks and begin to send stolen data to the computer responsible for managing the attack. "You have to look for the `phone home,`" says Roger Nebel, managing director for cyber-security at Defense Group Inc, a consulting firm in Washington, DC.

It was evidence of malicious code phoning home to a control server -- a computer that supervises the actions of code inside other computers -- that provided confirmation to US cyber-sleuths that Chinese hackers were behind Byzantine Hades attacks, according to the April 2009 State Department cable.

Bureau Report