How the US-China hacker war reached Europe and beyond

Posted: Dec 22, 2018 8:07 PM
Updated: Dec 22, 2018 8:07 PM

The email looked innocuous enough.

It contained a link to access a shared document relating to a project the staffer was working on. Once clicked, they were asked for their login details, which they provided -- just one of dozens of times a day they had to type them out.

The moment the staffer pressed Enter, a notification was triggered on the other side of the world. A cascading series of actions then kicked into gear, which would eventually compromise the staffer's entire computer network and expose huge quantities of sensitive documents and information.

According to an explosive new report out this week, the above scenario played out hundreds of times in recent years as Chinese state-sponsored hackers allegedly targeted and compromised government entities around the world, including the European Union's diplomatic communications network.

Sensitive cables from that network were released by Area 1 -- a cybersecurity firm founded by former US National Security Agency employees -- including communications that revealed deep concerns within the EU about the Trump administration's negotiations with China, Russian relations with Western Europe and Iran's nuclear program.

The revelations, which were followed Thursday by new indictments of alleged Chinese hackers by the US Justice Department, show that the cyber cold war between the US and China, which reached boiling point in the mid-2010s before a landmark agreement was signed by Washington and Beijing, is once again ramping up.

In a statement Friday, China's Ministry of Foreign Affairs reacted forcefully to what it described as "groundless accusations," saying the US had "fabricated facts out of thin air" and "seriously violated the basic norms of international relations and severely harmed bilateral cooperation."

New start

US President Barack Obama and Chinese President Xi Jinping stood side by side, facing a gaggle of reporters in the White House's Rose Garden.

It was September 2015. After months of escalating tensions and accusations, the two leaders announced that they had reached a "common understanding" on cyber espionage and security.

"We've agreed that neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage," Obama said.

Xi added that both governments would "not be engaged in or knowingly support online theft of intellectual properties," and would "establish a high-level joint dialogue mechanism on the fight against cybercrimes and related issues."

The announcement was seen as a major diplomatic win for Obama, coming after escalating tensions between the US and China over cyber espionage.

In 2014, the US Justice Department filed charges against five People's Liberation Army (PLA) officers, accusing them of the widespread targeting of US companies and entities. While there was little chance of prosecuting the men, all of whom were based in China, the charges were a major shot across Beijing's bow, and sparked outrage in the Chinese capital.

The US ambassador was summoned to meet with Foreign Ministry official Zheng Zeguang, who told him "the Chinese government and military and its associated personnel have never conducted or participated in the theft of trade secrets over the internet," and accused the US government of having an "overbearing and hypocritical" attitude to cybersecurity, according to state media.

Despite Beijing's denials, US officials allege that around this time Chinese hackers pulled off their most daring hack ever, breaking into the Office of Personnel Management and stealing the personal data of tens of millions of current and former government employees.

Nevertheless, while the Obama-Xi deal was limited and full of compromises, it still served as a much-needed reset just as tensions were threatening to boil over.

Limited success

While initial assessments of the 2015 deal were positive, and there appears to have been a drop in breaches of US entities by Chinese-linked groups, the problem did not go away.

A report this year from the US government's National Counterintelligence and Security Center said that China "continues to use cyber espionage to support its strategic development goals -- science and technology advancement, military modernization, and economic policy objectives."

"The Intelligence Community and private sector security experts continue to identify ongoing Chinese cyber activity, although at lower volumes than existed before (the 2015 deal)," it added.

On Thursday, the US Department of Justice indicted two Chinese nationals -- Zhu Hua and Zhang Shilong -- it said were members of a hacking group operating in China known within the cybersecurity community as Advanced Persistent Threat 10 (APT10). Contrary to the original rosy assessments of the deal, the DOJ claims that Zhu and Zhang began their operations in 2014 and continued through 2018.

"The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China's intelligence service access to sensitive business information," Deputy Attorney General Rod Rosenstein said. "This is outright cheating and theft, and it gives China an unfair advantage at the expense of law-abiding businesses and countries that follow the international rules in return for the privilege of participating in the global economic system."

Back to normal

As tensions rise once again -- amid an ongoing US-China trade war and a diplomatic tussle over the detention of Huawei CFO Meng Wanzhou -- the broad outlines of Beijing's capabilities and motivations are fairly well known. What remains unclear are Washington's.

In the statement Friday, China's Ministry of Foreign Affairs said it was an "open secret that relevant US government agencies have long engaged in large-scale and organized cyber theft and surveillance against foreign governments, companies and individuals."

"The 'cyber theft' accusations against China by the US are purely groundless counter-charges and can deceive no one but itself. China will never accept such charges," the statement added.

China has long insisted it is also a victim of cyber attacks, but it does not usually go public about incidents like the US does. Nor do Chinese companies routinely reveal breaches or accuse other countries of carrying out campaigns against them.

The US vociferously objects to any allegation it carries out cyber attacks for commercial or trade purposes, as China has been accused of doing.

What is undeniable is that the US has an advanced cyber operation carrying out traditional espionage, defensive and even offensive actions. Many observers suggested at the time of the Obama-Xi deal that it was confined to commercial issues precisely because the White House did not want to limit its own intelligence-gathering capabilities.

Earlier this year, the Pentagon issued new guidelines encouraging the building of a "more lethal force" of first-strike hackers able to "disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict." Washington has in the past been linked to alleged cyber attacks against Iran and North Korea.

In 2017, Wikileaks dumped thousands of computer files it said belonged to the Central Intelligence Agency, including sophisticated hacking tools and cyber weapons capable of compromising smartphones, computer networks and numerous other targets.

And while the targets of Washington's cyber warriors may be different to Beijing's, their techniques are likely to be similar -- especially when it comes to intelligence gathering.

Human weakness

Both the Area 1 report and the latest DOJ indictments show that for well-resourced hackers like those working for state-sponsored groups, cyber espionage can sometimes be absurdly simple.

While the campaign described in the recent DOJ indictments is more sophisticated, the method used to break into the European Union communication network relied far more on human engineering -- and human sloppiness -- than on ultra-sophisticated software.

In both cases the potential for damage, and the amount of information the attackers were able to acquire, was huge.

Area 1 documented a coordinated phishing campaign against dozens of government agencies, think tanks, NGOs and trades unions. Phishing, the report's authors said, remains the number one way for attackers to breach a network, used in nine out of 10 incidents.

It is also one of the hardest tactics to guard against, relying on human engineering rather than coding. In a phishing attack, a target receives an email which appears to be trustworthy, encouraging them to click on a link or open a file.

The genius of a well-run phishing campaign is how the attackers can work their way up an organization. Rather than going straight after the ultimate target -- such as an employee with access to sensitive data, who may be more on guard -- the hackers look for the weak links. Once they have compromised one account, even if it provides no information, it can be used to launch new phishing attacks from directly within the company's network.

Few people who work within a big corporate network question links and attachments sent from a trusted colleague. Even if employees are suspicious, if their colleague's account is thoroughly compromised the attacker will have access to emails and instant messages they can use to make their phishing attack as realistic-looking as possible.
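The lure described above, a "shared document" link that leads to a login prompt on a domain outside the organisation, leaves traces that a mail gateway can check before a person ever sees the message. The following is an added illustration written for this article, not code from Area 1 or from the indictments: it pulls every link out of an email body and flags the indicators a defender would look for, namely visible link text that names one host while the href goes to another, a target outside the organisation's own domains, an organisation name embedded in an unrelated domain (a lookalike), and a URL path that points at a credential prompt. The organisation domain example.org and the sample message are constructed for the example.

```python
"""Flag credential-phishing indicators in an email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure in the style of the "shared document" email
# described in the article (made-up test data, not a real message).
SAMPLE_EMAIL_HTML = """
<p>Hi, please review the project document I shared with you:</p>
<p><a href="https://docs.example-org-share.com/login?doc=Q4-budget">
https://docs.example.org/shared/Q4-budget</a></p>
<p>Intranet wiki: <a href="https://intranet.example.org/wiki">intranet wiki</a></p>
"""

# Path/query fragments that usually mean "this page asks for a password".
# This is a coarse heuristic; tune the list for your environment.
CREDENTIAL_HINTS = ("login", "signin", "sign-in", "auth", "sso", "password")

# A hostname at the start of a piece of link text, with or without a scheme.
HOST_RE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#:]|$)", re.I
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def host_in_text(text):
    """Hostname shown in the visible link text, or '' if the text is not URL-like."""
    match = HOST_RE.match(text.strip())
    return match.group(1).lower() if match else ""


def registrable_domain(host):
    """Last two labels of a host. Naive: no public-suffix list, so 'co.uk'-style
    suffixes are not handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_link(href, text, trusted_domains):
    """Return a list of indicator strings for one link; empty means nothing flagged."""
    findings = []
    target = urlparse(href)
    target_host = (target.hostname or "").lower()
    target_domain = registrable_domain(target_host)
    trusted = {d.lower() for d in trusted_domains}

    # 1. The visible text names one host but the href goes somewhere else.
    shown_host = host_in_text(text)
    if shown_host and registrable_domain(shown_host) != target_domain:
        findings.append("display text %s but target %s" % (shown_host, target_host))

    # 2. The target lies outside the organisation's own domains ...
    if target_domain not in trusted:
        findings.append("external domain %s" % target_domain)
        # 3. ... and reuses a trusted name inside an unrelated domain (lookalike).
        for domain in trusted:
            brand = domain.split(".")[0]
            if brand in target_host:
                findings.append("lookalike: '%s' embedded in %s" % (brand, target_host))
                break

    # 4. The URL itself points at a credential prompt.
    path_and_query = (target.path + "?" + target.query).lower()
    if any(hint in path_and_query for hint in CREDENTIAL_HINTS):
        findings.append("credential prompt in URL path/query")
    return findings


def scan_email(html, trusted_domains):
    """Return {href: findings} for every link that raised at least one indicator."""
    extractor = LinkExtractor()
    extractor.feed(html)
    report = {}
    for href, text in extractor.links:
        findings = assess_link(href, text, trusted_domains)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML, ["example.org"]).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the lookalike "shared document" link raises all four indicators while the intranet link raises none. None of these checks is conclusive on its own: a mail to a legitimate external partner will trip the "external domain" rule, which is why the function returns the individual findings rather than a single verdict, so that a gateway can weight them, quarantine on the combination of text/target mismatch plus a credential prompt, and let a reviewer see exactly why a message was held.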

"Very little about cyber attacks is cutting-edge computer science," wrote the authors of the Area 1 report. "Cyber actors continually use their imagination to find the weakest links in the digital chain, breaching their intended targets through open side doors instead of breaking the locks down on the front door."

Increasingly, those side doors don't even belong to the targeted company. According to the DOJ release, APT10 targeted managed service providers (MSPs), "companies that remotely manage the information technology infrastructure of businesses and governments around the world."

Once the hackers had broken into an MSP, they were able to access the data of numerous companies and government bureaus at once. In one instance, the hackers "obtained unauthorized access to the computers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP and certain ... clients involved in banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining."

How to stop such attacks remains unclear. State-sponsored groups have potentially unlimited resources -- not only unknown computer exploits which cannot be guarded against, but also the time and patience to constantly probe companies and government entities for weaknesses.

"Because the cybersecurity doom narrative has become so embellished, we've lost our nerve to take action to prevent future damages," the Area 1 report said. "Our democracy remains susceptible to cybersecurity attacks; our computing infrastructure is permeated with deep vulnerabilities; major corporations entrusted with the safeguarding of information continue to be compromised; and we as individuals have adopted a laissez-faire attitude towards the whole thing."
