Australia is the latest country to link a series of cyberattacks against local companies and their trade secrets to Chinese hackers working for Beijing.
A recent investigation by Sydney-based Fairfax Media and television broadcaster Channel Nine revealed that over the past year, Australian companies have been under attack by hackers within China’s Ministry of State Security (MSS), the chief agency responsible for the country’s counterintelligence and foreign intelligence, using a technique called “Cloud Hopper,” according to a Nov. 20 article by the Sydney Morning Herald.
Cyber experts noticed a string of attacks around the world that had a common pattern: hackers would infiltrate the cloud storage services firm used by a target company, then “hop” into the target’s information technology (IT) system. Cyber experts dubbed the hacker group “APT10” and have largely linked it to China. The latest investigation confirms that they have also targeted Australian firms.
The investigation found that APT10 hackers were able to attack Australian companies through their outsourced IT service providers, including cloud storage companies and help desk firms in North America and Asia, which were breached first.
The wave of attacks in Australia has been detected by the Australian government and its intelligence partners in the “Five Eyes” alliance: the United Kingdom, the United States, Canada, and New Zealand.
An unnamed senior Australian government source told the investigation team that China’s cyberattacks were a “constant, significant effort to steal our intellectual property.”
In April 2017, former Australian Prime Minister Malcolm Turnbull inked a cybersecurity pact with Chinese Premier Li Keqiang; both countries promised not to conduct or support cyber-enabled theft of intellectual property, trade secrets, or confidential business information, according to Reuters.
The fact that China has breached the pact was not a surprise to an unnamed former Australian government official, who said, “The way these things usually go with the Chinese is they behave themselves for a while before they go back to being bad,” according to the Sydney Morning Herald.
Mike Sentonas, a vice president at U.S. cybersecurity firm CrowdStrike, stated: “We noticed a significant increase in attacks in the first six months of this year. The activity is mainly from China and it’s targeting all sectors.”
CrowdStrike and the Intrusion Truth blog, which is claimed to be run by independent analysts, have both previously linked the APT10 hackers to China’s MSS.
The U.S. Department of Homeland Security (DHS) issued a warning against the APT10 cloud hoppers back in early October due to increased attacks targeting U.S. firms in multiple sectors, including information technology, energy, healthcare, communication, and manufacturing.
Much like Australia, in September 2015, former U.S. President Barack Obama and Chinese leader Xi Jinping signed an agreement with the goal of curbing cyber-enabled economic theft.
Both nations initially saw a decrease in the number of Chinese cyberattacks after signing their respective deals with China. But now, the number of Chinese cyberattacks is increasing.
In the United States and Western Europe, “we’ve seen a huge pickup in [Chinese] activity over the past year and a half. Nowadays they are the most predominant threat actors,” said Dmitri Alperovitch, chief technology officer of CrowdStrike, at a security conference in Washington on Oct. 2, according to Reuters.
A report issued in April 2017 by PricewaterhouseCoopers found that IT services companies in several countries were targeted by China’s Cloud Hopper campaign, including Canada, the UK, South Korea, India, Thailand, and Japan.
Chinese hackers have also used other hacking techniques. In late October, two Chinese intelligence officers who worked for the Jiangsu Province branch of the Ministry of State Security were charged by U.S. prosecutors for stealing trade secrets from a French aerospace manufacturer and a U.S.-based aerospace company related to manufacturing commercial turbofan aircraft engines. The scheme involved Chinese employees at the French company’s office in China, as well as hackers who worked under the direction of MSS—all of whom were also indicted—using phishing emails, malware, and other tactics to gain access.
In Australia, sensitive information about its F-35 stealth fighter jets and P-8 Poseidon surveillance plane was stolen in a cyberattack that occurred in July 2016. According to British broadcaster Sky News, the alleged hackers used a tool known as “China Chopper”—a script that can be uploaded to a web server to enable remote control of a computer. This method is commonly used by Chinese hackers to gain access to a contractor’s systems and steal information.