China blamed for multi-continent cyberspying caper in 2011

For six months in 2011, cyberspies infiltrated, undetected, at least 20 commercial and industrial organizations on three continents, states a new report by a US-based cybersecurity firm. Investigators name China as 'most logical' benefactor.

May 3, 2012

For six months last year, cyberspies infiltrated and siphoned key data from the computer networks of at least 20 organizations in the US, Australia, Canada, and Europe – all of them with policy, economic, or political interests pending in China – then laundered them through a coopted server in the US and transmitted the information to China.

Operating undetected from late March to mid-September 2011, the sprawling cyberespionage program targeted, among others, a mining executive doing deals in China during a steel shortage there, Canadian immigration officials dealing with a Chinese businessman fleeing prosecution in Canada, and an international maritime executive promoting a new vessel design standard to minimize greenhouse gas emissions – a move China had publicly refuted.

Unlike cybercriminals who typically convert ill-gotten data – such as credit-card numbers – into quick cash, the attacker appeared to be trying to win long-term economic and strategic advantage for an unknown client in China, says a new report by Cyber Squared, an Arlington, Va., cybersecurity firm.

"When you look at all those independent targets as a collective, you start to see that whoever launched such a campaign had great resources and very large motives that were geopolitical and strategic in nature," Adam Vincent, CEO of Cyber Squared, says in an interview. "In this case it's commercial, not military, information that's the primary focus. We're dealing with an advanced, sophisticated, and highly resourced adversary that makes it their job to get into our organizations and conduct espionage operations."

While not claiming to have "solid evidence that the Chinese state is the culprit," the report says investigators familiar with the details are satisfied that "China is the most logical and direct benefactor of information stolen from these entities during the time of compromise."

"The intent was to acquire insider information regarding a variety of issues," the report, called Project Enlightenment, states. "Insight to these sectors could have been used to influence or preempt negotiations, strategic business, legal settlements and national policies."

It's not the first time cybersleuths have traced the path of digital spies. This new investigation parallels other investigations that point to a nation-state – most commonly claimed to be China – conducting a systematic and persistent type of attack that escalates to higher levels of sophistication if one mode of attack is found out.

  • In 2011, the security firm McAfee announced it had detected a cyberespionage program aimed at international energy firms that it dubbed "Night Dragon."
  • A year earlier, the Monitor reported that a China-linked cyberespionage attack targeted several US oil companies. 
  • Canadian researchers in 2009 reported on GhostNet, a cyberespionage program crossing continents and hundreds of organizations with a single common link: China.

But in this case, Project Enlightenment investigators were able to pin cyberespionage attacks to a tight timeline of events, which was not possible for the earlier attacks. Indeed, all the victims have "a common denominator," Cyber Squared found. "They are all uniquely and individually tied to Chinese strategic interests at the time of the compromise."

The thread that unraveled the larger plot began simply enough. In September, two US congressmen proposed the Taiwan Airpower Modernization Act (TAMA), which would have required the US to sell 66 upgraded F-16 jets to Taiwan.

Within 32 hours of the legislation being submitted to Congress, a US group involved in lobbying for TAMA's passage was hit with a "spear-phishing" attack – an e-mail that appeared to be from a senior official within the organization to another employee. The e-mail had an attachment purportedly related to TAMA.

But instead of opening it, the employee alerted Cyber Squared, which soon discovered a Trojan horse program buried inside the attachment that would have created a digital "back door" for spies to enter the network. From there, investigators traced the attacker back to a computer server in the US – and from there to servers in China.

Both the TAMA incident and other related compromises were "most likely the result of a Chinese state-sanctioned or sponsored exploitation campaign ... acting on behalf of an unknown Chinese benefactor who would strategically benefit from persistent network access and stolen information," the report found.

Attackers compromised US computer server infrastructure from sources within China in order to mask the real source of the attacks and to operate inside the global networks of their victims.

Interestingly, the initial attack did not employ particularly advanced techniques, the investigators concluded. The attacker created an e-mail address with a popular US webmail service that closely resembled the name of a senior executive within the targeted organization. After that, a message was sent containing a link to a website that directed the victim to download a malicious file.

But the "spear-phishing" e-mail aimed at a key person was poorly constructed, with a simple link to an encrypted file containing a customized Trojan horse program creating the "back door." Crude, perhaps, yet good enough to evade these organizations' antivirus security programs for six months.

Although all of the infiltrated organizations identified under Project Enlightenment were notified of the intrusion, it's probable that – because of the many variants and options available to the attacker – the cyberspies are still present inside those organizations' networks, Cyber Squared officials say.

"We are currently tracking the threat and they are still very active," Mr. Vincent writes in an e-mail. 

It's a finding that would not surprise US officials banging the drum about this threat. China is stealing a "great deal" of intellectual property from the defense industry and other companies, Gen. Keith Alexander, head of US Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee in March.

"I can't go into the specifics here, but we do see [thefts] from defense industrial base companies," said General Alexander. "We need to make it more difficult for the Chinese to do what they're doing."

An e-mailed query to the Chinese Embassy about the Cyber Squared report had not received a response by late Thursday. China routinely denies accusations like those made in the Project Enlightenment report. Chinese officials, for instance, took umbrage over a report released last November by the Office of the National Counterintelligence Executive that named China as a major cyberespionage threat to US industrial and technology secrets.

"China's rapid development and prosperity are attributed to its sound national development strategy and the Chinese people's hard work, as well as China's ever enhanced economic and trade cooperation with other countries that benefits all," Wang Baodong, a Chinese Embassy spokesman, wrote at the time in an e-mail responding to a Monitor query about the US study.

"Willfully making unwarranted accusation against China is irresponsible," he continued. "We are against such demonization effort as firmly as our opposition to any forms of unlawful cyberspace activities."