China’s Fingerprints Are All Over Spy Operation Targeting Japan

August 24, 2015 Updated: August 26, 2015

News Analysis

New evidence suggests the Chinese regime is targeting Japan in a large-scale spy operation that mirrors similar campaigns targeting the United States.

The campaign that targets confidential information was exposed on Aug. 20 by researchers at cybersecurity company Kaspersky Lab. Among the hundreds of victims targeted in the campaign since at least November 2013 are the Japanese pension system and government organizations, as well as targets in research, manufacturing, and finance.

“This is the first campaign known to Kaspersky Lab that is strictly focused on Japanese targets—and it is still active,” states the Kaspersky report analyzing the attack.

Kurt Baumgartner, principal security researcher at Kaspersky Lab, said in an email interview, “We don’t perform attribution.” Yet, while they don’t explicitly state who is behind the attack, which researchers have dubbed “Blue Termite,” four pieces of evidence suggest its the work of hackers tied to the Chinese Communist Party (CCP).

An infographic from cybersecurity company Kaspersky Lab details the targets in a new cyberespionage campaign targeting Japan. The attack, which researchers are calling "Blue Termite," is aimed at several government offices, businesses, and research organizations in Japan. (Kaspersky Lab)
An infographic from cybersecurity company Kaspersky Lab details the targets in a new cyberespionage campaign targeting Japan. The attack, which researchers are calling Blue Termite, is aimed at several government offices, businesses, and research organizations in Japan. (Kaspersky Lab)

China’s New Targets

There are several oddities about the attack that show specific similarities to attacks against the United States by the Chinese regime.

Kaspersky notes the main target of the attack is the Japanese pension service, which fits in with the new targets of CCP hackers. Eric Devansky, director of global security services for TrueShield Security, told Epoch Times in a recent interview, “We’re seeing a paradigm shift in the type of data [they’re targeting].” 

Devansky said that while the main target of CCP hackers used to be intellectual property and data used for monetary gain, their new target is personal information that’s useful for spies.

Similar to the attack on the Japanese pension service, hackers with the CCP recently stole an estimated 80 million records on Americans from health care company Anthem Inc. Not long after, hackers tied to the Anthem attack also breached the U.S. Office of Personnel Management, and stole background checks on close to 21.5 million federal employees.

A source familiar with Chinese spy operations told Epoch Times the data is being used to build a database on Americans, using a system modeled after its domestic spy program, the “Social Credit System.” The attacks on Japan suggest the CCP may be expanding its database beyond Americans to include Japanese citizens.

State Guidance

The organizations targeted by the attack go far beyond the Japanese pension service—and many of the additional targets align with CCP programs.

In the attack, Baumgartner said, the hackers are “gathering any and all geopolitically and technologically significant Japan-related data that [they] can.”

One of the guiding CCP policies for economic theft is Project 863, which was started by former CCP leader Deng Xiaoping in 1986, and later updated in 1992 and 1996.

Project 863 “provides funding and guidance for efforts to clandestinely acquire U.S. technology and sensitive economic information,” according to a 2011 report from the U.S. Office of the National Counterintelligence Executive. The program singles out nine industries, which are biotechnology, space, information technology, laser technology, automation, energy, new materials, telecommunications, and marine technology.

Several industries hit by Blue Termite align with four targets identified by Project 863. Under automation, the hackers targeted Japanese industries in construction, robotics, and manufacturing. Under energy, they targeted Japanese electrical and energy industries. Under information technology and communications, the hackers targeted Japanese communication, media, information services, and satellite industries.

A New Tool

On a more technical level, the way the hackers infected computers is also very telling. Their methodology corresponds with recent changes in Chinese state-run cyberattacks.

Kaspersky started monitoring the Blue Termite cyberattacks in October 2014. Early on, the hackers were using spearphishing attacks—often infected emails tailored for each victim—to gain access to computers in targeted networks.

Their methodology changed, however, around Aug. 7, according to data published by Kaspersky.

Just a few days prior, on Aug. 3, a group of hacker activists leaked information on an Italian company called Hacking Team, which provides hacking services for governments.

Included in the leak was a 0-day vulnerability—a type of cyberattack that cannot be stopped, since it’s not yet identified by security companies—that Hacking Team used in its attacks. This attack involves infecting websites frequented by the intended victims (known as a “watering hole attack”), and includes code to filter out unwanted targets.

Shortly after the 0-day vulnerability used by Hacking Team was revealed, CCP hackers got hold of it, and began using it in their attacks.

The first such attack was revealed by cybersecurity company Zscaler on Aug. 14. In a report, it detailed a Chinese cyberattack against an unnamed, “well-known financial services firm.”

The Chinese hackers, Zscaler states, used 0-day to launch the attack. After the initial breach, they then installed malware on the computers of their victims. The malware they used was a specific remote access trojan (RAT), which gave them full control over the computers, “known to be used by the Chinese group in previous targeted attacks against governments.”

The hackers behind the Blue Termite attack used the same technique, according to forensics published by Kaspersky. Using 0-day from Hacking Team, they were able to infect several Japanese websites.

One of the sites they infected, according to Kaspersky, belonged to a “prominent member of the Japanese government.” Anyone visiting the website could have their computers compromised, and the hackers used code to filter out any IP addresses “except for the one belonging to the specific Japanese governmental organization.”

Just like in the attack uncovered by Zscaler, the hackers behind the Blue Termite attack then installed a RAT on the computers of their victims. This would allow them to monitor all activity on the computers, and control the computers at will.

Hand in the Cookie Jar

The last piece of evidence tying the attacks to the CCP, which Kaspersky revealed—yet notes is not a smoking gun—is that many of the documents and tools used by the hackers were written in Chinese.

Kaspersky was able to decrypt some of the malware used in the attacks, and was able to get its hands on some of the documents used by the hackers.

The hackers used a graphical user interface for their command and control server, and they had technical documents related to the malware used in the attacks—both of which were in Chinese.

While the individual pieces of evidence may not be enough to lay blame on the CCP, when taken as a whole they create a strong case that Chinese state-sponsored hackers are behind the attacks.

Overall, the information may also point to concerning shifts in the CCP’s targets and methodologies. The same attacks its hackers used to breach targets in the United States, and the nature of their targets, suggest the CCP may be expanding the breadth of its attacks.

“Although Blue Termite is not the first cyberespionage campaign to target Japan, it is the first campaign known to Kaspersky Lab, to be strictly focused on Japan targets,” said Suguru Ishimaru, junior researcher at Kaspersky Lab, in its report.

Follow Joshua on Twitter: @JoshJPhilipp