China's Cyber Invasion

For years it was an open secret that the dramatic rise in infiltration of government and corporate computer systems had been traced repeatedly but not conclusively to China. Then, in February 2013, the security firm Mandiant released a report with evidence linking massive hacking operations to a unit of the Chinese army in Shanghai.

Until about 2004, China used its hacker population in the same way Russia did, encouraging them to attack websites of adversaries on an ad hoc basis. As a more strategic view took hold, China's computer network operations became more organized toward long-term national goals. Seeing a need to "leap-frog" its technology development, China planted surveillance tools in computer systems of high-tech companies in the United States (US) and other English-speaking countries. To counter threats to domestic stability, the government secretly searched the computers of journalists and vandalized dissident websites. Faced with superior US military capabilities, the People's Liberation Army looked for infrastructure vulnerabilities that could deter the US from taking action in the Pacific.

Key Events

  • 2001 -- The Honkers Union and other Chinese hacker groups announce a week of attacks on American websites to begin on May Day. The government turns a blind eye to the campaign, the sixth by patriotic hackers against various countries since 1997.
  • 2004 -- China's military planners adopt a strategic view of computer network operations, termed "informationization," in annual "China's National Defense" white papers.
  • 2008 -- Hackers begin accessing computers of Western journalists in China and searching for names of sources.
  • 2009 -- American military planners recognize the establishment of Chinese cyber warfare units whose mission is to develop computer viruses that can paralyze enemy systems.
  • January 2010 -- Google accuses China of using Gmail attachments to penetrate the systems of major corporations, searching for information on human rights activists.
  • July 2010 -- The People's Liberation Army (PLA) announces the formation of its Information Security Base, a counterpart to the American Cyber Command.
  • February 2011 -- Google blows the whistle on online attempts to steal computer codes from its facilities in China. The hackers are then tracked to computers at Shanghai Jiao Tong University and a vocational school in Shandong province.
  • March 2011 -- RSA Security admits hackers compromised its SecurID tokens, used by millions of employees to access defense-related computer systems. US military officials suspect China was responsible.
  • October 2012 -- The New York Times becomes aware of hackers searching its intranet after publication of a story about the family of China's then-premier Wen Jiabao.
  • February 2013 -- A report issued by Virginia-based security consulting firm Mandiant identifies the PLA's Unit 61398 as the point of origin for massive hacking operations.

Status

The Mandiant report set the stage for a US initiative on several fronts to restrain cyber attacks from overseas. In a policy document titled "Administration Strategy on Mitigating the Theft of US Trade Secrets," the White House called for tighter coordination of intelligence about system intrusions and urged businesses to work with law enforcement. The strategy includes gaining support from allies and trade organizations for international standards and accountability. News stories in March 2013 said computer hacking had become a top issue for discussion in diplomacy with China, notably during visits by Secretary of the Treasury Jack Lew and Secretary of State John Kerry.

Bringing the topic of cyber attacks into the open became a component of US counter-strategy in March 2013. Director of National Intelligence James R. Clapper Jr. told the Senate Intelligence Committee that potential cyber attacks on vital infrastructure, including power grids and communications systems, had become the number one threat to US security, moving ahead of terrorist attacks. On the same day, General Keith Alexander, head of the US Cyber Command, revealed to the House Armed Services Committee that the US has cyber weapons ready to respond in the event of attacks on US systems.

In-depth Description

Evidence Leading to China's Military

The computer security firm Mandiant began following a group they identified as APT1 in 2006. Hackers in this group route their attacks through Internet Protocol (IP) addresses set up by known APT1 agents and use certain tools unique to the group. Two of these tools -- GETMAIL and MAPIGET -- retrieve e-mails from a target's inbox and archives. Mandiant identified three APT1 agents to illustrate the group's operations. A hacker using the online name UglyGorilla, who expressed support for China's "cyber troops" in January 2004, registered several of the Internet domains used by APT1 and wrote some of its malware, or malicious software. A second hacker, code-named DOTA by Mandiant, using the same domains and IP ranges as UglyGorilla, created dozens of e-mail accounts that were used to carry out social engineering attacks, in which the victim is tricked into volunteering information, and spear phishing attacks, in which the victim opens an attached file believing the e-mail is from a colleague. In registering the e-mail accounts, DOTA gave a telephone number in Shanghai. The third hacker, known as SuperHard, who wrote code for APT1 tools in the AURIGA and BANGAT families, revealed he was working from the Pudong New Area of Shanghai.

The scale and duration of APT1 operations imply support from a large organization with access to a variety of resources. In 2011 and 2012, APT1 set up more than 900 servers hosted at more than 800 IP addresses in 13 countries. These servers functioned as command and control centers for the theft of hundreds of terabytes of information from more than 140 organizations across 20 industries. APT1 hijacked data from dozens of corporations simultaneously. For operations at this level, APT1 had to have an extensive front-line staff, possibly hundreds of hackers. To search for targets inside a high-technology corporation, the hackers must have had support from specialists in a range of disciplines, including linguists, industry experts, and programmers to write customized malware. To manage the huge volume of stolen data, APT1 had to have a substantial inventory of equipment and technicians to maintain it, in addition to administrative support for finances, logistics, and so on.

The epicenter of APT1 activity is Shanghai, and specifically the Pudong New Area, where two of the four large networks used by the group physically reside. A survey of facilities capable of supporting APT1 leads to the 12-story headquarters of Unit 61398 of the People's Liberation Army (PLA). While the mission of Unit 61398 is officially secret, it has recruited publicly for computer science graduates who have both a master's degree and proficiency in English. Records show China Telecom installed fiber-optic cable near the unit's Datong Road building as a "national defense construction." While the evidence linking the PLA to APT1 is circumstantial, any alternative explanation requires the existence of a second institution near the same location with the same combination of staff capabilities in computers and English and an enduring interest in documents from a broad spectrum of high technology companies in the West.

Industrial Espionage

In economic plans, China has identified a need to "leap-frog" its development of technology, and since 2004 teams of hackers in China have raided computer systems of companies in the United States (US) and other countries, quietly making off with a smorgasbord of business documents from technical manuals to budget reports to contact lists. According to US intelligence sources, there are 20 groups similar to APT1 based in China, and one Congressional source put the dollar value of stolen proprietary information at $300 billion. Before the February 2013 report by Mandiant, a November 2011 study by the National Intelligence Council, "Foreign Spies Stealing US Economic Secrets in Cyberspace," said China's hackers focused on companies with advanced maritime technologies, anticipating China's naval buildup, and companies in the aerospace industry, where China has rapidly developed a full line of unmanned aerial vehicles (UAVs). An August 2012 report by McAfee Security, "Revealed: Operation Shady RAT," identified US defense contractors and others as targets of hackers in China and detailed their use of remote access tools, or RATs.

To install a RAT in a targeted system, the hacker first sends a spear-phishing e-mail to a legitimate system user. The e-mail comes with an attached file, which appears to be a routine business document. Clicking the file activates hidden malware, which then installs a back door or several back doors into the network. Having gained access, hackers may install additional tools to transmit screen images or keystrokes or even activate microphones and webcams. APT1 hackers, using a tool called REMOTE DESKTOP, typically explored the target system carefully before capturing large amounts of data. They would continue to exploit a penetrated network for almost a year on average.

The intrusion of hackers into The New York Times's computer network in 2012 offers a useful example of a company that was expecting a break-in. AT&T notified the Times of unusual telephone traffic in October, shortly before publication of a story about the billion-dollar fortune accumulated by relatives of Premier Wen Jiabao. The Times hired Mandiant to track the intruders, who began by setting up back doors in three employee computers. After exploring the network for two weeks, the hackers found the user names and passwords of all system users. The passwords were stored as "hashes," but even hashed passwords can be recovered with "rainbow tables," precomputed databases compiled for use by hackers and available on various websites. The hackers wanted e-mails related to the story about Wen Jiabao and soon retrieved them from reporters' archives. By the end of the year, the hackers had installed 45 customized tools. Even with knowledge of the break-in as it was happening, it was a painstaking process to close the back doors and remove the malware. After a similar cleanup at the US Chamber of Commerce in 2011, investigators found months later that a computer-controlled thermostat and an office printer were still in contact with computers in China.
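The point about hashed passwords and rainbow tables above, as an added illustration that is not part of the original article or the Mandiant report: a precomputed table recovers unsalted fast hashes with a single lookup, while a per-user salt and a slow key derivation function force the same wordlist to be recomputed for every record. The article does not say which hash the Times used; MD5 as the weak scheme, PBKDF2-HMAC-SHA256 as the replacement, and the wordlist are all assumptions here.

```python
"""Unsalted fast hashes versus a precomputed lookup table, and what salting plus
a slow KDF changes. Added illustration with constructed data; not from the
Mandiant report or the original article."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's precomputed-table input.
WORDLIST = ["password", "letmein", "newsroom2012", "Summer!23"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows


def unsalted_md5(password):
    """How the weak (assumed) scheme stores a password: one fast, unsalted digest."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(words):
    """Precompute digest -> word once; reusable against every unsalted database.
    A rainbow table is a space-compressed version of exactly this idea."""
    return {unsalted_md5(w): w for w in words}

def recover_unsalted(stored_hashes, table):
    """Against unsalted hashes each record costs one dictionary lookup."""
    return {h: table[h] for h in stored_hashes if h in table}

def store_salted(password, salt=None):
    """Defender side: random per-user salt + PBKDF2-HMAC-SHA256, returned as
    (salt, digest). The salt makes shared precomputed tables worthless; the
    iteration count makes every remaining guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_salted(password, salt, digest):
    """Constant-time check of a login attempt against the stored record."""
    return hmac.compare_digest(store_salted(password, salt)[1], digest)

def guessing_cost(records, words):
    """What the same wordlist costs against salted records: no table can be
    reused, so every (record, word) pair is a fresh KDF run. Returns the
    number of KDF runs and which records still fell (weak passwords do)."""
    runs, found = 0, {}
    for salt, digest in records:
        for w in words:
            runs += 1
            if verify_salted(w, salt, digest):
                found[digest.hex()] = w
                break
    return runs, found
```

Salting alone does not rescue a password that is in the wordlist; it only removes the one-time precomputation and multiplies the attacker's work by the number of records and the iteration count.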

Cyber Attacks on Dissidents

The New York Times anticipated that there might be an attempt on its network once officials became aware of the Wen Jiabao story. Western journalists in China have been subject to surveillance of e-mails since 2008, the year of the Beijing Olympics, when Chinese anxiety about unfavorable publicity reached a high point. Political dissidents, regional separatists, and religious organizations such as Falun Gong have also been targets of cyber spying and vandalism.

In 2009, the Canada-based research group Information Warfare Monitor (IWM) uncovered extensive cyber spying on the Tibetan independence movement, with malware installed in Tibetans' computers in China and India and spreading out to embassies and nonprofit organizations worldwide. The spying operation, dubbed GhostNet by IWM, used the spear phishing technique to infect systems in Delhi, New York, and London and retrieved information via command and control servers in China. GhostNet also targeted organizations connected to other issues of concern to China, such as Taiwan independence.

Vandalism against dissidents and their supporters has been sporadic and may be the work of patriotic hackers who are tolerated by the Chinese government. In 2010, hackers attacked the Nobel Prize committee website after human rights advocate Liu Xiaobo was awarded the Peace Prize. In 2011, a website offering a petition in support of dissident artist Ai Weiwei was hit by a distributed denial of service attack, a technique that overwhelms a server with requests for access.

Military Applications

China's military planners acknowledge the US advantage in weapons with superior firepower and control. To counter the advantage, China's defense strategy emphasizes asymmetrical measures to slow down or neutralize an enemy's ability to deploy such weapons. Cyber attacks against command and control centers are a rapidly attainable, low-cost, and effective means to hobble superior forces, and cyberwarfare has been a component of PLA doctrine since 2004. The US military is developing its response to asymmetrical interference strategies, such as might be seen in the South China Sea or Strait of Hormuz, under a concept called Air-Sea Battle, promulgated by the Pentagon in 2009.

Intrusions by China-based hackers into systems that control US power grids, nuclear generation plants, and other critical infrastructure may also play a role in China's defense strategy. By demonstrating its ability to enter systems considered vital to national security, China introduces a powerful consideration to US strategic thinking -- the possibility of a disabling attack far from the scene of a confrontation that might occur, for example, in the South China Sea. Strategists have recommended that the US advertise its cyber weapons as a deterrent, and in March 2013 General Keith Alexander, commander of the US Cyber Command, told a Senate committee the US is prepared to use offensive cyber weapons against an enemy who uses them first.

Chinese officials point out that the US was the first to militarize cyberspace with the establishment of Cyber Command in 2009. Moreover, China is itself under constant attack by hackers. Two defense ministry websites were bombarded by more than 140,000 attacks per month in 2012. Sixty-two percent originated from servers in the US.
