How China transformed into a prime cyber threat to the US


NEW YORK (NYTIMES) – Nearly a decade ago, the United States began naming and shaming China for an onslaught of online espionage, the bulk of it conducted using low-level phishing e-mails against American companies for intellectual property theft.

On Monday, the US again accused China of cyberattacks. But these attacks were highly aggressive, and they reveal that China has transformed into a far more sophisticated and mature digital adversary than the one that flummoxed US officials a decade ago.

The Biden administration’s indictment for the cyberattacks, along with interviews with dozens of current and former US officials, shows that China has reorganised its hacking operations in the intervening years. While it once conducted relatively unsophisticated hacks of foreign companies, think tanks and government agencies, China is now perpetrating stealthy, decentralised digital assaults of American companies and interests around the world.

Hacks that were conducted via sloppily worded spearphishing e-mails by units of the People’s Liberation Army (PLA) are now carried out by an elite satellite network of contractors at front companies and universities that work at the direction of China’s Ministry of State Security (MSS), according to US officials and the indictment.

While phishing attacks remain, the espionage campaigns have gone underground and employ sophisticated techniques. Those include exploiting “zero-days,” or unknown security holes in widely used software like Microsoft’s Exchange e-mail service and Pulse VPN security devices, which are harder to defend against and allow China’s hackers to operate undetected for longer periods.

“What we’ve seen over the past two or three years is an upleveling” by China, said Mr George Kurtz, CEO of the cybersecurity firm CrowdStrike.

“They operate more like a professional intelligence service than the smash-and-grab operators we saw in the past.”

China has long been one of the biggest digital threats to the US. In a 2009 classified National Intelligence Estimate, a document that represents the consensus of all 16 US intelligence agencies, China and Russia topped the list of America’s online adversaries. But China was deemed the more immediate threat because of the volume of its industrial trade theft.

But that threat is even more troubling now because of China’s revamping of its hacking operations. Furthermore, the Biden administration has turned cyberattacks – including ransomware attacks – into a major diplomatic front with superpowers like Russia, and US relations with China have steadily deteriorated over issues including trade and tech supremacy.

China’s prominence in hacking first came to the fore in 2010 with attacks on Google and RSA, the security company, and again in 2013 with a hack of The New York Times.

Those breaches and thousands of others prompted the Obama administration to finger China’s PLA hackers in a series of indictments for industrial trade theft in 2014. A single Shanghai-based unit of the People’s Liberation Army, known as Unit 61398, was responsible for hundreds – some estimated thousands – of breaches of American companies, the Times reported.

In 2015, Obama officials threatened to greet President Xi Jinping of China with an announcement of sanctions on his first visit to the White House, after a particularly aggressive breach of the US Office of Personnel Management. In that attack, Chinese hackers made off with sensitive personal information, including more than 20 million fingerprints, for Americans who had been granted a security clearance.

White House officials soon struck a deal that China would cease its hacking of American companies and interests for its industrial benefit. For 18 months during the Obama administration, security researchers and intelligence officials observed a notable drop in Chinese hacking.

After President Donald Trump took office and accelerated trade conflicts and other tensions with China, the hacking resumed. By 2018, US intelligence officials had noted a shift: People’s Liberation Army hackers had stood down and been replaced by operatives working at the behest of the MSS, which handles China’s intelligence, security and secret police.

Hacks of intellectual property that benefited China’s economic plans originated not from the PLA but from a looser network of front companies and contractors, including engineers who worked for some of the country’s leading technology companies, according to intelligence officials and researchers.

It was unclear how exactly China worked with these loosely affiliated hackers. Some cybersecurity experts speculated that the engineers were paid cash to moonlight for the state, while others said those in the network had no choice but to do whatever the state asked. In 2013, a classified US National Security Agency memo said, “The exact affiliation with Chinese government entities is not known, but their activities indicate a probable intelligence requirement feed from China’s Ministry of State Security.”

On Monday (July 19), the White House provided more clarity. In its detailed indictment, the US accused China’s MSS of being behind an aggressive assault on Microsoft’s Exchange e-mail systems this year.

The Justice Department separately indicted four Chinese nationals for coordinating the hacking of trade secrets from companies in aviation, defence, biopharmaceuticals and other industries.

According to the indictments, Chinese nationals operated from front companies, like Hainan Xiandun, that the MSS set up to give Chinese intelligence agencies plausible deniability. The indictment included a photo of one defendant, Mr Ding Xiaoyang, a Hainan Xiandun employee, receiving a 2018 award from the MSS for his work overseeing the front company’s hacks.

The US also accused Chinese universities of playing a critical role, recruiting students to the front companies and running their key business operations, like payroll.

The indictment also pointed to Chinese “government-affiliated” hackers for conducting ransomware attacks that extort companies for millions of dollars. Scrutiny of ransomware attackers had previously largely fallen on Russia, Eastern Europe and North Korea.

Secretary of State Antony Blinken said in a statement on Monday that China’s MSS “has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”

China has also clamped down on research about vulnerabilities in widely held software and hardware, which could potentially benefit the state’s surveillance, counterintelligence and cyberespionage campaigns. Last week, it announced a new policy requiring Chinese security researchers to notify the state within two days when they find security holes, such as the “zero-days” that the country relied on in the breach of Microsoft Exchange systems.

The policy is the culmination of Beijing’s five-year campaign to hoard its own zero-days. In 2016, authorities abruptly shuttered China’s best-known private platform for reporting zero-days and arrested its founder. Two years later, Chinese police announced that they would start enforcing laws banning the “unauthorised disclosure” of vulnerabilities. That same year, Chinese hackers, who were a regular presence at big Western hacking conventions, stopped showing up, on state orders.

“If they continue to maintain this level of access, with the control that they have, their intelligence community is going to benefit,” Mr Kurtz said of China. “It’s an arms race in cyber.”
