Strong Evidence Points to China as Cyberhack Source

When considering the cyber-onslaught known as Operation Shady RAT, a plethora of evidence points towards the Chinese regime as the culprit, including the attack’s origins having been traced to two cities: Shanghai and Beijing.
Matthew Robertson
8/4/2011
Updated: 10/1/2015

GLOBAL ASSAULT: McAfee identified targets from Asia, Europe, and North America in its victim count as part of the report. Companies, governments, NGOs, and media groups were all hit. (McAfee)

Only five nations would be capable of sponsoring a massive cyber-espionage campaign that infiltrated governments, international organizations, and high-tech companies, persisted over years, and stole billions of dollars’ worth of intellectual property—like the operation unveiled by security firm McAfee this week.

The United States and the U.K. can be removed from the equation because they don’t spy on each other. Iran and Russia are capable, but the evidence doesn’t suggest they were involved. Taking into account past campaigns of monumental hacking, and considering the Asian focus in the recent attack, there’s only one country left, according to James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, in a Twitter post.

China.

The onslaught has been termed Operation Shady RAT (referring to one of the items of software used in the attack, a “Remote Administration Tool”), and bears a striking resemblance to similar campaigns that have been traced back to China and, many experts believe, actors sponsored by the Chinese regime.

Atlanta-based Dell SecureWorks has also traced the attacks. They pinpoint them to two major Chinese cities: Shanghai and Beijing.

According to McAfee, hackers stole petabytes (thousands of terabytes) of information, including industry-relevant secrets from a sweeping variety of targets since 2006: classified state secrets from governments, design schematics and source code from technology companies, and exploration plans from natural resources companies.

McAfee won’t say whether they have evidence that the attacks originated in China, but experts don’t see much room for argument.

The Work of a State

In its report, security firm McAfee said the large-scale cyber-espionage operation was conducted not by a group of independent hackers but a “state actor.” This is due to the “sophistication, target list, or type of information” targeted, McAfee spokesperson Joris Evers told The Epoch Times in a telephone interview.

“It’s not typical stuff that a cybercriminal could go after or turn into money,” he said. “That’s why we think it was a nation-sponsored activity.”

A number of important indicators implicate China.

Of the 72 compromised parties across 14 countries, not one was a Chinese entity. Also, most of the targets in the operation are of definite interest to the Chinese regime, including Taiwan and the U.S. defense industry.

“All the signs point to China,” Lewis, the cybersecurity expert, said to Vanity Fair. “Who else spies on Taiwan?”

A China expert quoted in the Nelson Report, a newsletter sent to Washington insiders, also believed China was the source of the attacks. “Only such a police state is capable of a cyber-act of war of that scale and scope,” he said.

Targets All Over the World

The Epoch Times looked at over a dozen of the hacking incidents and, through targeted news searches, traced them to business deals and political events around the time they occurred.

A pattern emerges of friendly meetings, deal announcements, or cooperative efforts between China and a variety of groups, closely followed by, or in some cases preceded by, a hacking intrusion. Snooping on the targets in all of these cases would potentially have netted the Chinese regime high-tech blueprints, top-secret documents, and other pieces of insider information invaluable in political or business discussions, in some cases of very high financial value.

The Pohang Iron and Steel Company (POSCO), based in Pohang, South Korea, is the third largest steel maker in the world. In July 2006, POSCO initiated a takeover of a large mill in China’s Jiangsu Province, and in November, POSCO developed a “new efficient steel.” McAfee says that a “Korean Steel Company” was hacked in July 2006, the same month as the takeover negotiations. The intrusion lasted beyond November.


McAfee documents an intrusion into ASEAN’s secretariat in October 2006. On Oct. 30–31 China held a “commemorative summit” celebrating the 15th anniversary of the establishment of relations between ASEAN and China. Between August and September 2006, ASEAN held two more summits involving China.

An intrusion into the U.S. Department of Energy Labs (DOE) began in July 2006. In April 2006, the Chinese Academy of Sciences announced a collaborative project with an American university to develop detectors for a DOE particle accelerator.

Encroachments into the networks of Northern California and Southern California county governments took place in June 2007, August 2007, and December 2007. In May 2007, Gov. Schwarzenegger announced with much fanfare that several Californian companies had signed contracts with Chinese businesses worth $3 billion.

The International Olympic Committee (IOC) was infiltrated in November 2007. In August 2007, IOC representatives met with Beijing officials over the next year’s Beijing Summer Games. Hacks also took place against national Olympic Committees in Asia and the West and the World Anti-Doping Agency in the prelude to and after the 2008 Beijing Olympics.

The systems of a Danish satellite telecommunications company were penetrated in August 2008 and September 2010. In June 2008, Thrane & Thrane, Denmark’s only manufacturer of satellite communication equipment, showed “excellent performance under harsh conditions” in the effort to rescue survivors of the May 2008 earthquake in Sichuan, as stated by the Chinese regime’s overseas mouthpiece China Daily.

The United Nations was hacked in September 2008. The U.N. Security Council’s elections during the 63rd General Assembly were held in October 2008.

In February 2009 a bus crashed near Las Vegas, killing seven Chinese tourists; the Clark County Medical Examiner’s Office in Nevada handled the bodies, while the Chinese regime expressed interest in the case. A Nevada county government was hacked in April 2009.

So was a “U.S. Solar Power Company” in September 2009, November 2009, and December 2010, according to McAfee. In August 2009, First Solar, a U.S. company, announced plans to build the world’s largest solar plant in China. In November 2010, its “cutting edge” photovoltaic technology was used during the Shanghai Expo.

Old Hat

According to experts and McAfee’s documents, the current round of hacking uses the same techniques as previous operations traced back to China.

These include Ghostnet, which targeted diplomatic posts, media organizations, and NGOs; Operation Aurora, which successfully hacked Google; Byzantine Hades, which was run by the Chinese military and targeted the U.S. government; and Night Dragon, which plundered intellectual property from major oil and gas companies.

The social engineering and hacking techniques used were the same. And so were the tools, which “are widely available on the Chinese Web forums,” McAfee said in a previous report. They “tend to be used extensively by Chinese hacker groups.”

In previous massive hacking operations exposed by McAfee, researchers have fingered “attackers based in China” as the culprits, but have not gone so far as to say the Chinese regime was behind the attacks.

In this case, McAfee refers to “a state actor” but declines to say whether that actor is China or not. Evers, the spokesperson, would not say whether that was due to a deficit of evidence. McAfee has an office in China.

Dell SecureWorks was less reserved, noting in its forensics, “Most of the Chinese destination IPs belong to large ISPs [Internet Service Providers], making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government.”

Matthew Robertson is the former China news editor for The Epoch Times. He was previously a reporter for the newspaper in Washington, D.C. In 2013 he was awarded the Society of Professional Journalists’ Sigma Delta Chi award for coverage of the Chinese regime's forced organ harvesting of prisoners of conscience.