<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Espionage</title>
	<atom:link href="http://www.infowar-monitor.net/tag/espionage/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Chinese cyber spying</title>
		<link>http://www.infowar-monitor.net/2011/08/chinese-cyber-spying/</link>
		<comments>http://www.infowar-monitor.net/2011/08/chinese-cyber-spying/#comments</comments>
		<pubDate>Thu, 25 Aug 2011 13:33:08 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8718</guid>
		<description><![CDATA[<blockquote>
Source: <a title="Chinese cyber spying" href="http://www.washingtontimes.com/news/2011/aug/24/inside-the-ring-280079111/">The Washington Times</a>
<br /><br />
Chinese computer hackers, some linked to the military, engaged in an aggressive international campaign of electronic espionage through the Internet from 2003 through at least 2009, according to documents obtained by Inside the Ring. The electronic spying campaign targeted large amounts of data and information from U.S. government and private sector networks, as well as from the French and German governments, other states and international organizations.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Chinese cyber spying" href="http://www.washingtontimes.com/news/2011/aug/24/inside-the-ring-280079111/">The Washington Times</a></p>
<p>Chinese computer hackers, some linked to the military, engaged in an aggressive international campaign of electronic espionage through the Internet from 2003 through at least 2009, according to documents obtained by Inside the Ring.</p>
<p>The electronic spying campaign targeted large amounts of data and information from U.S. government and private sector networks, as well as from the French and German governments, other states and international organizations.</p>
<p>The documents, labeled “secret,” provide some of the first details to be made public on Chinese cyberspying and reveal a U.S. government program to monitor and halt the activity that was code-named “Byzantine Hades.” </p>
<p>The disclosure is the first official U.S. government report linking global computer hacking to China&#8217;s military.</p>
<p>For the full article, see <a title="Chinese cyber spying" href="http://www.washingtontimes.com/news/2011/aug/24/inside-the-ring-280079111/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/chinese-cyber-spying/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Coalition calls on Harper to cut online spying mandate from omnibus crime package</title>
		<link>http://www.infowar-monitor.net/2011/08/coalition-calls-on-harper-to-cut-online-spying-mandate-from-omnibus-crime-package/</link>
		<comments>http://www.infowar-monitor.net/2011/08/coalition-calls-on-harper-to-cut-online-spying-mandate-from-omnibus-crime-package/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 15:01:58 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Espionage]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8759</guid>
		<description><![CDATA[<blockquote>
Source: <a title="Coalition Calls on Harper to Cut Online Spying Mandate from Omnibus Crime Package" href="http://openmedia.ca/news/coalition-calls-harper-cut-online-spying-mandate-omnibus-crime-package">OpenMedia.ca</a>
<br /><br />
A group of academics and public interest organizations released a joint letter to Prime Minister Stephen Harper today, voicing their grave concerns about legislation that would allow for warrantless online spying on Canadians ("Lawful Access" legislation). The letter calls on the government to, at minimum, give the proposed legislation an appropriate hearing instead of rushing it through Parliament.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Coalition Calls on Harper to Cut Online Spying Mandate from Omnibus Crime Package" href="http://openmedia.ca/news/coalition-calls-harper-cut-online-spying-mandate-omnibus-crime-package">OpenMedia.ca</a></p>
<p>A group of academics and public interest organizations released a joint letter to Prime Minister Stephen Harper today, voicing their grave concerns about legislation that would allow for warrantless online spying on Canadians (&#8220;Lawful Access&#8221; legislation). The letter calls on the government to, at minimum, give the proposed legislation an appropriate hearing instead of rushing it through Parliament.</p>
<p>The letter to the Prime Minister is just the latest in a series of protests about the legislation. The Stop Online Spying Coalition has prompted more than 46,000 Canadians to sign an online petition at http://www.StopSpying.ca lambasting the government&#8217;s anti-privacy initiatives, and earlier this year every federal and provincial Privacy Commissioner signed a letter to the government criticizing the legislation and questioning the need for bringing in these repressive measures.</p>
<p>For the full original article, see <a title="Coalition Calls on Harper to Cut Online Spying Mandate from Omnibus Crime Package" href="http://openmedia.ca/news/coalition-calls-harper-cut-online-spying-mandate-omnibus-crime-package">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/coalition-calls-on-harper-to-cut-online-spying-mandate-from-omnibus-crime-package/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>24,000 Pentagon Files Stolen in Major Cyberattack</title>
		<link>http://www.infowar-monitor.net/2011/07/24000-pentagon-files-stolen-in-major-cyberattack/</link>
		<comments>http://www.infowar-monitor.net/2011/07/24000-pentagon-files-stolen-in-major-cyberattack/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 13:58:43 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7766</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.pcworld.com/article/235816/24000_pentagon_files_stolen_in_major_cyberattack.html" target="_blank">Sarah Jacobsson Purewal</a>, PCWorld

The Department of Defense says it was hit by a cyberattack by a "foreign intelligence service" that managed to pilfer 24,000 sensitive files. The attack, which occurred in March, was perpetrated by an unnamed "nation state," according to Deputy Defense Secretary William J. Lynn III, who disclosed the breach during a speech Thursday outlining the Pentagon's new cyber strategy for dealing with cyber-breaches.

The Washington Post reports that the files were stolen from a defense contractor. Lynn did not name the "nation state" involved, nor did he disclose the nature of the files that were stolen. The admission of the breach appears to be nothing more than a justification of the Department of Defense's new "Strategy for Operating in Cyberspace" (PDF).

...

For the full original article, see <a href="http://www.pcworld.com/article/235816/24000_pentagon_files_stolen_in_major_cyberattack.html" target="_blank">here</a>.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.pcworld.com/article/235816/24000_pentagon_files_stolen_in_major_cyberattack.html" target="_blank">Sarah Jacobsson Purewal</a>, PCWorld</p>
<p>The Department of Defense says it was hit by a cyberattack by a &#8220;foreign intelligence service&#8221; that managed to pilfer 24,000 sensitive files. The attack, which occurred in March, was perpetrated by an unnamed &#8220;nation state,&#8221; according to Deputy Defense Secretary William J. Lynn III, who disclosed the breach during a speech Thursday outlining the Pentagon&#8217;s new cyber strategy for dealing with cyber-breaches.</p>
<p>The Washington Post reports that the files were stolen from a defense contractor. Lynn did not name the &#8220;nation state&#8221; involved, nor did he disclose the nature of the files that were stolen. The admission of the breach appears to be nothing more than a justification of the Department of Defense&#8217;s new &#8220;Strategy for Operating in Cyberspace&#8221; (PDF).</p>
<p>&#8230;</p>
<p>For the full original article, see <a href="http://www.pcworld.com/article/235816/24000_pentagon_files_stolen_in_major_cyberattack.html" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/24000-pentagon-files-stolen-in-major-cyberattack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>India Turns To China To Fight Cyberspies</title>
		<link>http://www.infowar-monitor.net/2011/06/india-turns-to-china-to-fight-cyberspies/</link>
		<comments>http://www.infowar-monitor.net/2011/06/india-turns-to-china-to-fight-cyberspies/#comments</comments>
		<pubDate>Tue, 28 Jun 2011 17:11:10 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7680</guid>
		<description><![CDATA[<blockquote>Source: <a href="http://www.fastcompany.com/1763715/india-turns-to-china-to-fight-cyberspies?partner=rss" target="_blank">Fast Company</a>

The Indian government is teaming up with Chinese tech giant Huawei to search imported smartphones and communications devices for signs of malware and spyware. However, some Indians are nervous because of Huawei's close ties to the People's Liberation Army and fear that the firm could be complicit in cyberattacks.

Huawei recently opened a research lab at Bangalore's Indian Institute of Science that will be expanded shortly. But opening a joint Indian-Chinese cybersecurity lab also presents problems for Huawei. The mobile-phone provider, which was named one of Fast Company's Most Innovative Companies of 2010, will be operating in an environment where it will be easy for Indians to observe Huawei's techniques and corporate goings-on.

The lab was reportedly opened by request of Indian intelligence services, who fear that foreign governments and corporations could use mobile-phone technology for espionage purposes. The lab's tender requires it to test all imported mobile phones and handsets and equipment for built-in spyware and malware. It is not clear if the laboratory will also be involved in the testing of smartphone applications and for-purchase software for conventional mobile phones.

For the full original article, see <a href="http://www.fastcompany.com/1763715/india-turns-to-china-to-fight-cyberspies?partner=rss" target="_blank">here</a>.</blockquote>
]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.fastcompany.com/1763715/india-turns-to-china-to-fight-cyberspies?partner=rss" target="_blank">Fast Company</a></p>
<p>The Indian government is teaming up with Chinese tech giant Huawei to search imported smartphones and communications devices for signs of malware and spyware. However, some Indians are nervous because of Huawei&#8217;s close ties to the People&#8217;s Liberation Army and fear that the firm could be complicit in cyberattacks.</p>
<p>One journalist, Joji Thomas Philip of India&#8217;s Economic Times, calls it “rather like letting the fox in to guard the henhouse.”</p>
<p>Huawei recently opened a research lab at Bangalore&#8217;s Indian Institute of Science that will be expanded shortly. But opening a joint Indian-Chinese cybersecurity lab also presents problems for Huawei. The mobile-phone provider, which was named one of Fast Company&#8217;s Most Innovative Companies of 2010, will be operating in an environment where it will be easy for Indians to observe Huawei&#8217;s techniques and corporate goings-on.</p>
<p>The lab was reportedly opened by request of Indian intelligence services, who fear that foreign governments and corporations could use mobile-phone technology for espionage purposes. The lab&#8217;s tender requires it to test all imported mobile phones and handsets and equipment for built-in spyware and malware. It is not clear if the laboratory will also be involved in the testing of smartphone applications and for-purchase software for conventional mobile phones.</p>
<p>&#8230;</p>
<p>For the full original article, see <a href="http://www.fastcompany.com/1763715/india-turns-to-china-to-fight-cyberspies?partner=rss" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/india-turns-to-china-to-fight-cyberspies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberspies Target China Experts</title>
		<link>http://www.infowar-monitor.net/2011/06/cyberspies-target-china-experts/</link>
		<comments>http://www.infowar-monitor.net/2011/06/cyberspies-target-china-experts/#comments</comments>
		<pubDate>Sun, 05 Jun 2011 21:56:24 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7439</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://online.wsj.com/article/SB10001424052702304563104576363743171105376.html" target="_blank">Siobhan Gorman</a>, Wall Street Journal

Chinese cyberspies, who targeted the personal Gmail accounts of top U.S. officials, are trying to gain access to computers belonging to China specialists and defense contractors who circulate in and out of the U.S. government and talk regularly with those in power, according to security experts who have tracked these schemes.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://online.wsj.com/article/SB10001424052702304563104576363743171105376.html" target="_blank">Siobhan Gorman</a>, Wall Street Journal</p>
<p>Chinese cyberspies, who targeted the personal Gmail accounts of top U.S. officials, are trying to gain access to computers belonging to China specialists and defense contractors who circulate in and out of the U.S. government and talk regularly with those in power, according to security experts who have tracked these schemes.</p>
<p>Chinese cyberspies have for years been trying to gain access to sensitive U.S. computers. This week, Google disclosed an infiltration into personal Gmail accounts of senior U.S. officials. WSJ&#8217;s Intelligence Correspondent Siobhan Gorman reports.</p>
<p>The stealth infiltration campaign, similar in tactics to the Gmail scheme that Google Inc. disclosed last week, represents cyberspies&#8217; efforts to circumvent the high security walls on official government email accounts.</p>
<p>Such targeted &#8220;phishing&#8221; expeditions involved sending booby-trapped emails to people who have information a hacker is seeking. The emails typically appear to have been sent by a trusted colleague and ask the recipient to open an attachment. When that is done, a malicious software program is placed on the computer that could perform multiple functions, such as tracking all keystrokes or providing full access to an organization&#8217;s computer network. They frequently are used to obtain access to passwords and private correspondence.</p>
<p>Their occurrence has spiked in the past few months, security experts say. Kevin Mandia, CEO of the security firm Mandiant, said his firm saw four to five times the average number of attacks from China in April. &#8220;It was a huge uptick,&#8221; he said.</p>
<p>The attacks have been traced to China, but that doesn&#8217;t necessarily mean they are directly ordered by the government. Spokesman Wang Baodong for the Chinese Embassy in Washington denied any government involvement in such cyberspying schemes. &#8220;As a responsible player in cyberspace, China strongly opposes unlawful online activities and supports international cooperation in striking down on such misdeeds,&#8221; he said. &#8220;Any claims of so-called Chinese state support for hacking are completely fictitious, and blaming misdeeds on China is irresponsible and unacceptable.&#8221;</p>
<p>Targeting people on the periphery of power is more likely to pay off because their computer systems are often less protected than the U.S. government, and these individuals frequently discuss sensitive issues with those in government. That was likely why the Google infiltrators targeted the personal emails of government officials.</p>
<p>&#8220;It&#8217;s a routine occurrence now because think tanks are soft targets and you get good data,&#8221; said James Lewis, a former State Department official and current cybersecurity specialist at the Center for Strategic and International Studies who has advised the Obama administration on cybersecurity policy. He said he was the target of a combined telephone and phishing attempt in 2010. &#8220;I just assume that all our communications are insecure.&#8221;</p>
<p>James Mulvenon, a China and cyber-security expert, has been tracking a four-year phishing campaign against China specialists in Washington. He&#8217;s logged more than 100 rounds of attacks against 30-40 China specialists, many of whom have rotated in and out of government.</p>
<p>&#8220;I was struck by the breadth of it,&#8221; he said. &#8220;They had targeted huge numbers of China specialists all over D.C.,&#8221; both former government officials and those about to take federal jobs. &#8220;They want to find people who have access.&#8221;</p>
<p>The goal of this campaign in Washington appears to be to gather information from individuals who communicate with U.S. officials about China matters, Mr. Mulvenon said. If cyberspies gather sensitive but unclassified data from Washington research institutions and a smattering of U.S. officials, he said, &#8220;you get a pretty good picture of what&#8217;s going on in Washington as it relates to China.&#8221;</p>
<p>The New Battleground</p>
<p>The campaign attempts to trick China specialists into opening attachments that would provide hackers access to their computers. In the beginning, Mr. Mulvenon said, the emails were easily identifiable as fraudulent. They contained lots of spelling errors and odd wording choices that would make more sense in Chinese than American English.</p>
<p>But the recent ones appear to come from people the target would know and contain text that plausibly could have been written by the alleged sender of the email, he said. The topics range from meeting agendas and the Olympics to President Barack Obama&#8217;s trip to China and conference invitations.</p>
<p>One such email in November 2009 purported to come from Dennis Wilder, a former Asia specialist on the National Security Council in the George W. Bush administration who was at the Brookings Institution at the time.</p>
<p>The email discussed a recent press briefing by the Chinese ambassador on climate change, and it contained an attachment concealing a virus that claimed to be a transcript of the press briefing. Mr. Wilder hasn&#8217;t owned a Gmail account.</p>
<p>Another well-crafted phishing scheme duped a group of defense contractors. In 2008, one Defense Department agency held a conference, and then posted some of the presentation materials online, including the names and email addresses of the 50 or so attendees.</p>
<p>Soon after, the attendees, mostly defense contractors, received emails that purported to be from one of the presenters at the conference and included an attachment that claimed to be his presentation materials, according to a person familiar with the incident.</p>
<p>A majority of the conference attendees opened the attachment, which downloaded on to their computer malware that provided &#8220;unfettered access&#8221; to their computer, this person said. &#8220;There was widespread success by the bad guys.&#8221; A subsequent investigation tracked the perpetrator back to a Chinese hacking group.</p>
<p>&#8220;They&#8217;re still doing the exact same thing&#8221; today, the person familiar with the incident said of the hacking group.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/cyberspies-target-china-experts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Congress Bans Scientific Collaboration with China, Cites High Espionage Risks</title>
		<link>http://www.infowar-monitor.net/2011/05/congress-bans-scientific-collaboration-with-china-cites-high-espionage-risks/</link>
		<comments>http://www.infowar-monitor.net/2011/05/congress-bans-scientific-collaboration-with-china-cites-high-espionage-risks/#comments</comments>
		<pubDate>Wed, 11 May 2011 23:18:54 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7247</guid>
		<description><![CDATA[Source: <a href="http://blogs.forbes.com/williampentland/2011/05/07/congress-bans-scientific-collaboration-with-china-cites-high-espionage-risks/" target="_blank">William Pentland</a>, Forbes
 <blockquote>
A two-sentence clause included in the U.S. spending bill approved by Congress a few weeks ago threatens to reverse more than three decades of constructive U.S. engagement with the People’s Republic of China.

The clause prohibits the White House Office of Science and Technology Policy (OSTP) and the National Aeronautics and Space Administration (NASA) from coordinating any joint scientific activity with China.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://blogs.forbes.com/williampentland/2011/05/07/congress-bans-scientific-collaboration-with-china-cites-high-espionage-risks/" target="_blank">William Pentland</a>, Forbes</p>
<p>A two-sentence clause included in the U.S. spending bill approved by Congress a few weeks ago threatens to reverse more than three decades of constructive U.S. engagement with the People’s Republic of China.</p>
<p>The clause prohibits the White House Office of Science and Technology Policy (OSTP) and the National Aeronautics and Space Administration (NASA) from coordinating any joint scientific activity with China.</p>
<p>Representative Frank Wolf (R-VA), a long-time critic of the Chinese government who chairs a House spending committee that oversees several science agencies, inserted the language into the spending legislation to prevent NASA or OSTP from using federal funds “to develop, design, plan, promulgate, implement or execute a bilateral policy, program, order, or contract of any kind to participate, collaborate, or coordinate bilaterally in any way with China or any Chinese-owned company.”</p>
<p>By prohibiting the OSTP from working with China, Wolf claims the ban will bear on “the entire bilateral relationship on science and technology.”</p>
<p>“It’s the whole ball of wax,” said Wolf in an interview with Science Insider.</p>
<p>Although the ban will expire at the end of the current fiscal year in October, Wolf will seek to make the prohibition on any scientific collaboration between U.S. research agencies and China permanent.</p>
<p>“We don’t want to give them the opportunity to take advantage of our technology, and we have nothing to gain from dealing with them,” said Wolf. “China is spying against us, and every U.S. government agency has been hit by cyber-attacks. They are stealing technology from every major U.S. company. They have taken technology from NASA, and they have hit the NSF computers . . . . You name the company, and the Chinese are trying to get its secrets.”</p>
<p>Meanwhile, the Obama Administration has taken the position that the ban does not apply to any U.S. scientific interactions with China conducted as part of foreign policy. This interpretation will likely allow the President to continue current activities until the spending bill expires in October.</p>
<p>Wolf’s intense concern about the possible theft of intellectual property and sensitive military technologies resulting from joint U.S.-China research activities explain why the spending bill also prohibits NASA facilities from hosting “official Chinese visitors.” While this draconian prohibition may strike some as borderline paranoid, a growing body of evidence suggests that the risks of espionage are considerably higher than most people would suspect.</p>
<p>Wolf has learned this lesson the hard way.</p>
<p>In 2006, Wolf’s office was targeted in a cyber-attack, which the Federal Bureau of Investigation traced to sources operating in the People’s Republic of China. Speaking from the floor of the U.S. House of Representatives in June 2008, Wolf said:</p>
<p>In August 2006, four of the computers in my personal office were compromised by an outside source. This source first hacked into the computer of my foreign policy and human rights staff person, then the computers of my chief of staff, my legislative director, and my judiciary staff person. On these computers was information about all of the casework I have done on behalf of political dissidents and human rights activists around the world.</p>
<p>The history of China’s dabbling in cyber espionage is long. In a study for the U.S.-China Economic and Security Review Commission, Northrop Grumman created a chronology of alleged Chinese cyber-espionage incidents targeting the U.S. and foreign governments. Here is a sample of the chronology:</p>
<p>November 2004: US media reports that Chinese hackers attacked multiple unclassified US military systems at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona, the Defense Information Systems Agency in Arlington, Virginia, the Naval Ocean Systems Center in San Diego, California and the United States Army Space and Strategic Defense installation in Huntsville, Alabama.</p>
<p>August 2005: Media reporting first covers the story of a Chinese computer network exploitation operation codenamed “Titan Rain,” alleging the intrusions into DoD systems date back to 2003.</p>
<p>July 2006: US media reports that intruders penetrate the US Department of State (DoS) networks, stealing sensitive information and user login credentials, and install backdoors on numerous computers, allowing them to return to the systems at will. DoS systems administrators are forced to limit Internet access until the investigation is completed.</p>
<p>August 2006: Pentagon officials state hostile civilian cyber units operating inside China have launched attacks against the NIPRNET and have downloaded up to 20 terabytes of data.</p>
<p>November 2006: Chinese hackers attack the US Naval War College computer infrastructure, possibly targeting war game information on the networks. The College’s Web and emails systems are down for at least two weeks while the investigation takes place.</p>
<p>June 2007: Media reports indicate approximately 1,500 computers are taken offline following a penetration into the email system of the Office of the Secretary of Defense (OSD).</p>
<p>October 2007: US media reports that China is suspected as the source of at least seven versions of socially engineered email targeting 1,100 employees at the Oak Ridge National Lab in Oak Ridge, Tennessee. Eleven staff possibly opened the malicious attachment, allowing the attackers to gain access to, and potentially steal, sensitive data, including a database at the nuclear weapons laboratory housing personnel records going back to 1990.</p>
<p>May 2008: U.S. authorities investigate claims that Chinese officials surreptitiously copied the contents of a US government laptop during then-Commerce Secretary Carlos Gutierrez’ visit to China.</p>
<p>November 2008: Media sources report that Chinese hackers penetrate the White House information system on numerous occasions, penetrating for brief periods before systems are patched.</p>
<p>November 2008: Business Week magazine publishes a report on significant cyber intrusions dating back several years at some of NASA’s most critical sites, including the Kennedy Space Center and Goddard Space Flight Center. The operations to prevent the attacks from China are codenamed “Avocado.” Attacks included socially engineered emails launched at top officials. Among the data stolen are operational details of the Space Shuttle, including performance and engine data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/05/congress-bans-scientific-collaboration-with-china-cites-high-espionage-risks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ongoing Attacks on Human Rights Web sites and the Problem of Attribution</title>
		<link>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/</link>
		<comments>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/#comments</comments>
		<pubDate>Fri, 22 Apr 2011 20:28:22 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[Wikileaks]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7148</guid>
		<description><![CDATA[<strong>Ongoing Attacks on Human Rights Websites and the Problem of Attribution</strong>
<blockquote>
A number of cyber attacks took place against human rights groups this week, including <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">Armorize’s discovery</a> of a variant of a “drive-by-download” attack on Amnesty International’s Web site. As <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">this Armorize blogpost explains</a>, “A drive-by download attack refers to the process of a user visiting an infected page and subsequently gets installed with malware, without his/her knowledge and without having him/her to click on or to agree to anything.” In the case of this week’s attack on Amnesty International, a “drive-by-cache attack” (a term coined by Armorize) was launched. <a href="http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/">John Leyden of the Register explains</a> that in drive-by-caching, “malicious scripts are used to locate the malware which is already sitting in the browser's cache directory, and executing it. This so-called drive-by cache approach makes attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect.” (For a more eloquent and technical write-up of drive-by-caching, see <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">the Armorize blogpost</a>.)</blockquote>]]></description>
			<content:encoded><![CDATA[<p><strong>Ongoing Attacks on Human Rights Websites and the Problem of Attribution<br />
</strong></p>
<p>A number of cyber attacks took place against human rights groups this week, including <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">Armorize’s discovery</a> of a variant of a “drive-by-download” attack on Amnesty International’s Web site. As <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">this Armorize blogpost explains</a>, “A drive-by download attack refers to the process of a user visiting an infected page and subsequently gets installed with malware, without his/her knowledge and without having him/her to click on or to agree to anything.” In the case of this week’s attack on Amnesty International, a “drive-by-cache attack” (a term coined by Armorize) was launched. <a href="http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/">John Leyden of the Register explains</a> that in drive-by-caching, “malicious scripts are used to locate the malware which is already sitting in the browser&#8217;s cache directory, and executing it. This so-called drive-by cache approach makes attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect.” (For a more eloquent and technical write-up of drive-by-caching see <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">the Armorize blogpost</a>.) </p>
<p>What is notable is that compromising the Web sites of human rights groups as vehicles to deliver 0day exploits to visitors continues a trend that the Infowar Monitor has been actively monitoring: a similar attack on visitors to Amnesty International’s Hong Kong site occurred in November 2010 (see our past <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">Nobel Peace Prize, Amnesty HK and Malware</a> and <a href="http://www.infowar-monitor.net/2009/10/0day-civil-society-and-cyber-security/">“0day”: Civil Society and Cyber Security</a> blogposts on such attacks for more).</p>
<p>More generally, attacks launched on the Web sites of human rights groups (and independent Web sites) have become increasingly common. In fact, cyberspace saw two such attacks this week. First was <a href="http://www.theregister.co.uk/2011/04/19/scottish_news_site_ddos/">the DDoS attack launched against the Web site of the alternative news source, <em>Newsnet Scotland</em></a>, in the lead-up to the country’s elections; second was the DDoS attack launched on Change.org’s Web site this week.</p>
<p>As a major online petitioning platform, Change.org has recently become known for hosting a major petition, signed by over 90,000, calling for the release of famous Chinese dissident Ai Weiwei. The DDoS attack on the site began on Monday and rendered the site inaccessible for a few hours. It has been reported that <a href="http://www.pcworld.com/businesscenter/article/225672/changeorg_victim_of_ddos_attack_from_china.html">the attack has been traced to servers in China</a> and <a href="http://blog.change.org/2011/04/chinese-hackers-attack-change-org-platform-in-reaction-to-ai-weiwei-campaign/">Change.org has begun reporting that the attacks were launched by Chinese hackers</a>.</p>
<p>The Chinese state is often believed to be behind attacks on human rights Web sites, as noted in our recent blog <a href="http://www.infowar-monitor.net/?p=6935">here</a>; however, attribution of cyberattacks is an ongoing and difficult problem. For instance, although the attacks were traced to China, <a href="http://www.pcworld.com/businesscenter/article/225672/changeorg_victim_of_ddos_attack_from_china.html">it is possible</a> that the computers are controlled by attackers in another country. <a href="http://www.cio.com/article/679863/Verizon_Advanced_Persistant_Threat_is_Overblown?source=rss_news&#038;utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+cio%2Ffeed%2Fsolutions%2F1375+%28CIO.com+-+News%29">In this CIO article</a>, Verizon points out that the recent introduction of the term “advanced persistent threat attack” (APT) (defined by Verizon as “sophisticated and highly targeted data exfiltration exercises conducted by state-sponsored agents”) has led many victims of security breaches to characterize attacks as APT, usually originating from China. Verizon argues that although “China is the source for most online attacks these days, no matter what the motivation,” it must be remembered that “the country has more than 400 million Internet users, and many of them are using computers that don’t have up-to-date patches or security software. Those PCs often get hacked and then used as stepping-stones for further attacks.” Verizon further stated that “China is like the wild west of source IP addresses that can be taken over to stage attacks.” When an attack occurs, “everybody looks at it and says, ‘Oh that’s the Chinese government.’”</p>
<p>The problem of state attribution was raised once again this week when Maggie Wenzhuo Hou, a Canadian resident and Chinese dissident with protected person status, <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html">stepped up to warn against a “silent cyber war” that was being launched by the Chinese government</a>. Hou stated that she was certain that the Chinese government was monitoring and blocking her communications. Some note that there is evidence that China is involved in spying on expatriates, and Hou’s own background certainly puts her in a vulnerable category. However, <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html">Ron Deibert, Director of the Citizen Lab, suggested</a> that such a case requires caution: “There are so many people who read about issues of espionage or information-based attacks and jump immediately to the extreme conclusion.” </p>
<p>Indeed, accusations of China’s involvement in cyber espionage are a <a href="http://thenewamerican.com/world-mainmenu-26/asia-mainmenu-33/7135--china-accelerates-cyber-attacks-espionage">regular fixture</a> in cyber news. Last week, <a href="http://www.theregister.co.uk/2011/04/18/byzantine_hades_cyber_espionage/">a leaked US diplomatic cable</a> revealed that US authorities had traced a series of breaches (in which private information was stolen from US agencies and the private sector)—known as Byzantine Hades—to a unit of the country’s People’s Liberation Army.</p>
<p>Although attribution is difficult to make, attacks continue against Web sites of human rights organizations and supporters/employees and are part of a continuing trend that has been recently documented by the Berkman Center for Internet and Society in their 2010 report on <a href="http://cyber.law.harvard.edu/publications/2010/DDoS_Independent_Media_and_Human_Rights">Distributed Denial of Services Attacks Against Independent Media and Human Rights Sites</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dissident warns of &#8216;silent cyber war&#8217;: Activist says Canadians are within China&#8217;s reach</title>
		<link>http://www.infowar-monitor.net/2011/04/dissident-warns-of-silent-cyber-war-activist-says-canadians-are-within-chinas-reach/</link>
		<comments>http://www.infowar-monitor.net/2011/04/dissident-warns-of-silent-cyber-war-activist-says-canadians-are-within-chinas-reach/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 12:40:50 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7166</guid>
		<description><![CDATA[Source: <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html" target="_blank">Don Butler</a>, Ottawa Citizen
<blockquote>

Are the Chinese spying on Ottawa resident Maggie Wenzhuo Hou?

Hou, a 41-year-old Chinese dissident who has lived in Ottawa since June 2009, is convinced that agents of the government of China are monitoring and blocking her e-mail and telephone communications.

While she can't prove her allegations, she can offer up a long list of circumstantial evidence to support her claims. Based on her dissident status and documented attacks by China-based hackers, security experts say hers is a credible story.</blockquote>
]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html" target="_blank">Don Butler</a>, Ottawa Citizen</p>
<p>Are the Chinese spying on Ottawa resident Maggie Wenzhuo Hou?</p>
<p>Hou, a 41-year-old Chinese dissident who has lived in Ottawa since June 2009, is convinced that agents of the government of China are monitoring and blocking her e-mail and telephone communications.</p>
<p>While she can&#8217;t prove her allegations, she can offer up a long list of circumstantial evidence to support her claims. Based on her dissident status and documented attacks by China-based hackers, security experts say hers is a credible story.</p>
<p>Alex Neve, secretary general of Amnesty International Canada, says Chinese monitoring of human rights activists in this country is a &#8220;well-known and notorious pattern.&#8221;</p>
<p>Hou is a &#8220;high-profile, outspoken human rights activist who has some real credibility because she&#8217;s freshly out of China, has first-hand experience with human rights violations and is quite well connected to a number of known human rights activists still inside China,&#8221; Neve says.</p>
<p>&#8220;So it does not surprise me at all that she could be, would be or was targeted for some sort of hacking or computer surveillance by the Chinese authorities.&#8221;</p>
<p>But Ron Deibert, the director of the University of Toronto&#8217;s Citizen Lab, which in 2009 uncovered GhostNet, a cyberspy ring based in China that was gathering intelligence in more than 100 countries, counsels caution when assessing cases such as Hou&#8217;s.</p>
<p>&#8220;There are so many people who read about issues of espionage or information-based attacks and jump immediately to the extreme conclusion,&#8221; Deibert says.</p>
<p>For her part, Hou says &#8220;Canadian authorities&#8221; are interested in her experiences, and have interviewed her three times about them. She decided to go public to warn Canadians about what she calls China&#8217;s &#8220;silent cyber war.&#8221;</p>
<p>&#8220;The Canadian public is just sleeping while, as we Chinese say, a tiger&#8217;s sleeping next to you. People should wake up. This country is slipping into danger,&#8221; she says. &#8220;When I came to Canada, I thought I&#8217;d be safe. I don&#8217;t feel safe anymore. I feel like I&#8217;m in China.&#8221;</p>
<p>Hou first got involved in human rights and political activism in China while attending Sichuan University in 1989, the year of the Tiananmen Square massacre. In 2003, she founded and led a now-defunct human rights group in Beijing. She&#8217;s now director of the human rights committee of the Democratic Party of China, an exiled opposition party.</p>
<p>While in China, she was arrested and detained many times, most recently at the time of the 2008 Beijing Olympics, when she was imprisoned for 18 days for her involvement in human rights protests.</p>
<p>When she became pregnant late that year, she managed, with help from some Canadian friends, to leave China for a teaching job at the University of Ottawa. She gave birth a month later and taught courses in human rights and political activism in China at the university&#8217;s graduate school of international and public affairs during the 2009-10 academic year. She has had protected person status in Canada since last August.</p>
<p>She first started noticing some &#8220;funny things&#8221; going on around the time of Prime Minister Stephen Harper&#8217;s visit to China in December 2009, when she was involved in demonstrations and an online petition. &#8220;My e-mails started to be irregular,&#8221; she says. &#8220;There were lost e-mail messages.&#8221; When people signed the online petition, their names didn&#8217;t appear. Friends told her that when they opened her Gmail messages, their computers slowed down noticeably.</p>
<p>Google Inc., which owns Gmail, told Hou at the time that the problem was with her computer. But the company has since accused Chinese authorities of interfering with its Gmail, leading to access problems.</p>
<p>Last May, Hou travelled to Toronto to have her computer examined by Greg Walton, a computer security expert who worked for Citizen Lab on the GhostNet project. According to Hou, Walton told her the computer was heavily hacked and was communicating with dozens of IP addresses, including some in China.</p>
<p>Walton, now based in London, England, agrees there were &#8220;anomalies&#8221; in the network traffic. &#8220;However, the traffic was almost entirely consistent with common malware to which all Internet users are exposed, associated with cyber criminals motivated by profit rather than the targeting of political dissidents.&#8221;</p>
<p>Despite his failure to find anything linked to Chinese spying on Hou&#8217;s computer, Walton says &#8220;credible sources within the investigations community have repeatedly indicated that there has been growing unease about the surveillance of dissidents in Canada.&#8221;</p>
<p>In an e-mail to the Citizen, an official at the Chinese Embassy in Ottawa said allegations that the Chinese government supports hacking are &#8220;groundless and with ulterior motives.&#8221;</p>
<p>&#8220;The Chinese government has consistently been firmly opposing any illegal activities that sabotage the Internet and computer networks, including computer hacking,&#8221; the official wrote, adding that China&#8217;s government &#8220;is ready to work with countries to counter hacking and other forms of Internet crime.&#8221;</p>
<p>But Rafal Rohozinski, chief executive of Ottawa-based SecDev Group, who worked with Citizen Lab on the GhostNet project, says Hou&#8217;s allegations are credible.</p>
<p>&#8220;We&#8217;ve got plenty of precedent where these kinds of techniques have been used against inconvenient political actors,&#8221; says Rohozinski, though whether the perpetrators are Chinese authorities or &#8220;patriotic hackers&#8221; is difficult to determine.</p>
<p>Whenever Hou communicates with people in China, &#8220;she has to work through services that invariably pick up her identifying IP address or the address of the e-mail she&#8217;s using,&#8221; Rohozinski says. &#8220;If someone&#8217;s on a watch list, it&#8217;s pretty simple to be able to identify that individual.&#8221;</p>
<p>Wesley Wark, a security expert and visiting professor at the University of Ottawa, says there&#8217;s lots of evidence that China is involved in state-sponsored efforts to &#8220;harass and survey&#8221; Chinese expatriates. &#8220;It&#8217;s a big part of what the Chinese do, and they do it because they have global reach, because they are determined to monitor overseas dissident groups and individuals.&#8221;</p>
<p>Deibert notes that Hou isn&#8217;t an ordinary person. &#8220;She&#8217;s someone who&#8217;s connected politically to Chinese events. That puts her in a different category right off the bat.&#8221;</p>
<p>Wark thinks the Canadian government should be meeting regularly with Chinese officials to emphasize that spying and hacking are not tolerated in Canada. &#8220;But that&#8217;s not a message we&#8217;ve heard from recent governments. The big message is trade and better relations.&#8221;</p>
<p>Hou acknowledges that speaking out carries risks. &#8220;I definitely am worried,&#8221; she says. &#8220;I know their people are watching me. Their people maybe hate me. But I feel I have an obligation for myself, for Chinese people and for people at large, including Canadians.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/dissident-warns-of-silent-cyber-war-activist-says-canadians-are-within-chinas-reach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Leaked US cables finger Chinese army hackers for cyber-spying</title>
		<link>http://www.infowar-monitor.net/2011/04/leaked-us-cables-finger-chinese-army-hackers-for-cyber-spying/</link>
		<comments>http://www.infowar-monitor.net/2011/04/leaked-us-cables-finger-chinese-army-hackers-for-cyber-spying/#comments</comments>
		<pubDate>Mon, 18 Apr 2011 12:43:55 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[Wikileaks]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7169</guid>
		<description><![CDATA[Source: <a href="http://www.theregister.co.uk/2011/04/18/byzantine_hades_cyber_espionage/" target="_blank">John Leyden</a>, The Register
<blockquote>
Leaked US diplomatic cables have provided some of the first hard evidence that the US is engaged in a heated cyberespionage battle with China, a conflict diplomats reckon is showing few signs of cooling off.

Diplomatic cables, obtained by WikiLeaks and released to the media by a third party last week, trace a series of breaches codenamed Byzantine Hades back to a specific unit of China's People's Liberation Army.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.theregister.co.uk/2011/04/18/byzantine_hades_cyber_espionage/" target="_blank">John Leyden</a>, The Register</p>
<p>Leaked US diplomatic cables have provided some of the first hard evidence that the US is engaged in a heated cyberespionage battle with China, a conflict diplomats reckon is showing few signs of cooling off.</p>
<p>Diplomatic cables, obtained by WikiLeaks and released to the media by a third party last week, trace a series of breaches codenamed Byzantine Hades back to a specific unit of China&#8217;s People&#8217;s Liberation Army.</p>
<p>Websites associated with attacks dating back to 2006 were registered using the same postal code in the central Chinese town of Chengdu that is used by the People&#8217;s Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit.</p>
<p>At least six such bureaus, including the Chengdu unit, &#8220;are likely focused on defence or exploitation of foreign networks&#8221;, according to a report by officials in the State Department&#8217;s Cyber Threat Analysis Division and quoted in the leaked cable, which was written in April 2009.</p>
<p>The Byzantine Hades attacks, which ran from 2006 through till at least October 2008 – and are possibly still ongoing – used targeted emails that attempted to trick recipients into opening booby-trapped attachments. Common malware payloads involved the so-called Gh0stNet Remote Access Tool (RAT), a strain of malware capable of capturing keystrokes, taking screen shots, installing and changing files, and even surreptitiously recording conversations before uploading them to a remote server, Reuters reports.</p>
<p>Servers used in the exercise were the same as those previously linked to attacks on Tibetan websites around the time of the Beijing Olympics in 2008.</p>
<p>The cable reports claim that a Shanghai-based hacker group linked to the People&#8217;s Liberation Army&#8217;s Third Department was involved in the assaults. The leaked cable names a hacker named Yinan Peng from a group called Javaphile as among those involved in the assaults.</p>
<p>Both US government agencies and private sector firms became victims of the attacks.</p>
<p>Hackers successfully swiped &#8220;50 megabytes of email messages and attached documents, as well as a complete list of usernames and passwords from an unspecified [US government] agency,&#8221; the cable said.</p>
<p>Other targets of the assaults include the US Embassy in Tokyo, Japan. The cable quotes a meeting at the Ramstein Air Base in September 2008 when German and French officials told their US opposite numbers that they had also been hit by cyber-espionage attacks.</p>
<p>The leaked cable was written months before China went public over hack attacks against the US search giant and other high-tech firms that were creating diplomatic tension between the US and China. The cable speaks of a series of diplomatic meetings between US and Chinese officials. US diplomats seem fairly sure that the Chinese are behind the attacks, whose main motive seems to be to steal trade secrets that might be used to sustain China&#8217;s economic growth. The talks reportedly remain ongoing, even though progress remains slow.</p>
<p>Chinese officials are seemingly happy enough to assure the US that they have no interest in destabilising the US economy – as a major stockholder such actions would be counterproductive – but clam up when talk turns to cyber-espionage. Senior figures in the government, when pressed on the issue, are inclined to state that China is being spied upon more than it is spying on others. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/leaked-us-cables-finger-chinese-army-hackers-for-cyber-spying/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>In cyberspy vs. cyberspy, China has the edge</title>
		<link>http://www.infowar-monitor.net/2011/04/in-cyberspy-vs-cyberspy-china-has-the-edge/</link>
		<comments>http://www.infowar-monitor.net/2011/04/in-cyberspy-vs-cyberspy-china-has-the-edge/#comments</comments>
		<pubDate>Fri, 15 Apr 2011 21:39:40 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7059</guid>
		<description><![CDATA[Source: <a href="http://www.theglobeandmail.com/news/technology/tech-news/in-cyberspy-vs-cyberspy-china-has-the-edge/article1985224/" target="_blank">Brian Grow and Mark Hosenball</a>, Globe and Mail
<blockquote>
As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.

And at the moment, many experts believe China may have gained the upper hand.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.theglobeandmail.com/news/technology/tech-news/in-cyberspy-vs-cyberspy-china-has-the-edge/article1985224/" target="_blank">Brian Grow and Mark Hosenball</a>, Globe and Mail</p>
<p>As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.</p>
<p>And at the moment, many experts believe China may have gained the upper hand.</p>
<p>Though it is difficult to ascertain the true extent of America’s own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.</p>
<p>According to U.S. investigators, China has stolen terabytes of sensitive data – from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up. “The attacks coming out of China are not only continuing, they are accelerating,” says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.</p>
<p>Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches – colourfully code-named “Byzantine Hades” by U.S. investigators – to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China’s People’s Liberation Army.</p>
<p>Privately, U.S. officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.</p>
<p>U.S. efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department’s Cyber Threat Analysis Division noted that several Chinese-registered Web sites were “involved in Byzantine Hades intrusion activity in 2006.”</p>
<p>The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the “precise” postal code in Chengdu used by the People’s Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military. “Much of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to other” electronic spying units of the People’s Liberation Army, the cable says.</p>
<p>Reconnaissance bureaus are part of the People’s Liberation Army’s Third Department, which oversees China’s electronic eavesdropping, according to an October 2009 report by the U.S.-China Economic and Security Commission, a panel created by Congress to monitor potential national security issues related to U.S.-China relations. Staffed with linguists and technicians, the Third Department monitors communications systems in China and abroad. At least six Technical Reconnaissance Bureaus, including the Chengdu unit, “are likely focused on defence or exploitation of foreign networks,” the commission report states.</p>
<p>The precise relationship with the Chinese Army of suspected hacker Chen Xingpeng could not be immediately determined by Reuters. A spokesman for the Chinese embassy in Washington did not respond to multiple requests for comment. The U.S. State Department declined to comment.</p>
<p>But the leaked cables and other U.S. government reports underscore how Chinese and other state-sponsored and private hackers have overwhelmed U.S. government computer networks. In the last five years, cyber-intrusions reported to the U.S. Computer Emergency Response Team, a unit of the Department of Homeland Security, have increased more than 650 per cent, from 5,503 incidents in fiscal 2006 to 41,776 four years later, according to a March 16 report by the Government Accountability Office.</p>
<p>THE BUSINESS OF SPYING</p>
<p>The official figures don’t account for intrusions into commercial computer networks, which are part of an expanding cyber-espionage campaign attributed to China, according to current and former U.S. national security officials and computer-security experts.</p>
<p>In the last two years, dozens of U.S. companies in the technology, oil and gas and financial sectors have disclosed that their computer systems have been infiltrated.</p>
<p>In January 2010, Internet search giant Google announced it was the target of a sophisticated cyber-attack using malicious code dubbed “Aurora,” which compromised the Gmail accounts of human rights activists and succeeded in accessing Google source code repositories.</p>
<p>The company, and subsequent public reports, blamed the attack on the Chinese government.</p>
<p>The Google attack “was certainly an escalation of Chinese network operations against the U.S.,” says Joel Brenner, former counterintelligence chief for the Office of the Director of National Intelligence. “Thousands” of U.S. companies were targeted in the Aurora attacks, Brenner says – far more than the estimated 34 companies publicly identified as targets so far – a scale which Brenner says demonstrates China’s “heavy-handed use of state espionage against economic targets.”</p>
<p>Many firms whose business revolves around intellectual property – tech firms, defence group companies, even Formula One teams – complain that their systems are now under constant attack to extract proprietary information. Several have told Reuters they believe the attacks come from China.</p>
<p>Some security officials say firms doing business directly with Chinese state-linked companies – or which enter fields in which they compete directly – find themselves suffering a wall of hacking attempts almost immediately.</p>
<p>The full scope of commercial computer intrusions is unknown. A study released by computer-security firm McAfee and government consulting company SAIC on March 28 shows that more than half of some 1,000 companies in the United States, Britain and other countries decided not to investigate a computer-security breach because of the cost. One in 10 companies will only report a security breach when legally obliged to do so, according to the study.</p>
<p>“Simply put, corporations cannot afford negative publicity (about computer security breaches),” says Tom Kellermann, vice president of security awareness at Core Security Technologies and a contributor to the study.</p>
<p>GONE PHISHING</p>
<p>What is known is the extent to which Chinese hackers use “spear-phishing” as their preferred tactic to get inside otherwise forbidden networks. Compromised e-mail accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.</p>
<p>The tactic is so prevalent, and so successful, that “we have given up on the idea we can keep our networks pristine,” says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It’s safer, government and private experts say, to assume the worst – that any network is vulnerable.</p>
<p>Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in “target development” for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees’ job descriptions, networks of associates, and even the way they sign their e-mails – such as U.S. military personnel’s use of “V/R,” which stands for “Very Respectfully” or “Virtual Regards.”</p>
<p>The spear-phish are “the dominant attack vector. They work. They’re getting better. It’s just hard to stop,” says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.</p>
<p>Spear-phish are used in most Byzantine Hades intrusions, according to a review of State Department cables by Reuters. But Byzantine Hades is itself categorized into at least three specific parts known as “Byzantine Anchor,” “Byzantine Candor,” and “Byzantine Foothold.” A source close to the matter says the sub-codenames refer to intrusions which use common tactics and malicious code to extract data.</p>
<p>A State Department cable made public by WikiLeaks last December highlights the severity of the spear-phish problem. “Since 2002, (U.S. government) organizations have been targeted with social-engineering online attacks” which succeeded in “gaining access to hundreds of (U.S. government) and cleared defence contractor systems,” the cable said. The e-mails were aimed at the U.S. Army, the Departments of Defense, State and Energy, other government entities and commercial companies.</p>
<p>Once inside the computer networks, the hackers install keystroke-logging software and “command-and-control” programs which allow them to direct the malicious code to seek out sensitive information. The cable says that at least some of the attacks in 2008 originated from a Shanghai-based hacker group linked to the People’s Liberation Army’s Third Department, which oversees intelligence-gathering from electronic communications.</p>
<p>Between April and October 2008, hackers successfully stole “50 megabytes of e-mail messages and attached documents, as well as a complete list of usernames and passwords from an unspecified (U.S. government) agency,” the cable says.</p>
<p>Investigators say Byzantine Hades intrusions are part of a particularly virulent form of cyber-espionage known as an “advanced persistent threat.” The malicious code embedded in attachments to spear-phish e-mails is often “polymorphic” – it changes form every time it runs – and burrows deep into computer networks to avoid discovery. Hackers also conduct “quality-assurance” tests in advance of launching attacks to minimize the number of anti-virus programs which can detect it, experts say.</p>
<p>As a result, cyber-security analysts say advanced persistent threats are often only identified after they penetrate computer networks and begin to send stolen data to the computer responsible for managing the attack. “You have to look for the ‘phone home,’” says Roger Nebel, managing director for cyber-security at Defense Group Inc., a consulting firm in Washington, DC.</p>
<p>It was evidence of malicious code phoning home to a control server – a computer that supervises the actions of code inside other computers – that provided confirmation to U.S. cyber-sleuths that Chinese hackers were behind Byzantine Hades attacks, according to the April 2009 State Department cable.</p>
<p>As a case study, the cable cites a 10-month investigation by a group of computer experts at the University of Toronto which focused in part on cyber-intrusions aimed at Tibetan groups, including the office of the exiled Dalai Lama in Dharamsala, India.</p>
<p>Referencing the Canadian research, the cable notes that infected computers in the Dalai Lama’s office communicated with control servers previously used to attack Tibetan targets during the 2008 Olympics in Beijing. Two Web sites linked to the attack also communicated with the control server.</p>
<p>TARGETS DETAILED</p>
<p>The same sites had also been involved in Byzantine Hades attacks on U.S. government computers in 2006, according to “sensitive reports” cited in the cable – likely a euphemistic reference to secret intelligence reporting.</p>
<p>The computer-snooping code that the intrusion unleashed was known as the Gh0stNet Remote Access Tool (RAT). It “can capture keystrokes, take screen shots, install and change files, as well as record sound with a connected microphone and video with a connected webcam,” according to the cable.</p>
<p>Gh0st RAT succeeded in invading at least one State Department computer. It “has been identified in incidents – believed to be the work of (Byzantine Hades) actors – affecting a locally employed staff member at the U.S. Embassy in Tokyo, Japan,” according to the cable.</p>
<p>Evidence that data was being sucked out of a target network by malicious code also appears to have led cyber-security investigators to a specific hacker, affiliated with the Chinese government, who was conducting cyber-espionage in the United States. A March, 2009 cable identifies him as Yinan Peng. The cable says that Peng was believed to be the leader of a band of Chinese hackers who call themselves “Javaphile.”</p>
<p>Peng did not respond to three e-mails seeking comment.</p>
<p>The details of alleged Chinese military-backed intrusions of U.S. government computers are discussed in a half dozen State Department cables recounting intense global concern about China’s aggressive use of cyber-espionage.</p>
<p>In a private meeting of U.S., German, French, British and Dutch officials held at Ramstein Air Base in September 2008, German officials said such computer attacks targeted every corner of the German market, including “the military, the economy, science and technology, commercial interests, and research and development,” and increase “before major negotiations involving German and Chinese interests,” according to a cable from that year.</p>
<p>French officials said at the meeting that they “believed Chinese actors had gained access to the computers of several high-level French officials, activating microphones and Web cameras for the purpose of eavesdropping,” the cable said.</p>
<p>TESTING THE WATERS</p>
<p>The leaked State Department cables have surfaced as Reuters has learned that the U.S. is engaged in quiet, proxy-led talks with China over cyber issues.</p>
<p>Chronic computer breaches have become a major source of tension in U.S. relations with China, which intensified after the major Google hack was disclosed in January 2010, according to U.S. officials involved in the talks. Even before the Google hack, Chinese officials had recognized the problem as well.</p>
<p>In mid-2009, representatives of the China Institutes for Contemporary International Relations, a nominally independent research group affiliated with China’s Ministry of State Security, contacted James A. Lewis, a former U.S. diplomat now with the Center for Strategic and International Studies (CSIS).</p>
<p>Lewis said that in his first meeting with his Chinese counterparts, a representative of the China Institutes asked: “Why does the Western press always blame China (for cyber-attacks)?” Lewis says he replied: “Because it’s true.”</p>
<p>There was no response to a request for comment on the talks from the Chinese embassy in Washington.</p>
<p>Preliminary meetings at CSIS have blossomed into three formal meetings in Washington and Beijing over the last 14 months. According to two participants, the talks continue to be marked by “a lot of suspicion.” Attendees have focused on establishing a common understanding of cyber-related military, law enforcement and trade issues. Cyber-espionage isn’t being discussed directly, according to one participant, because “the Chinese go rigid” when the subject is raised.</p>
<p>One reason: for China, digital espionage is wrapped into larger concerns about how to keep China’s economy, the world’s second largest, growing. “They’ve identified innovation as crucial to future economic growth – but they’re not sure they can do it,” says Lewis. “The easiest way to innovate is to plagiarize” by stealing U.S. intellectual property, he adds.</p>
<p>There have been a few breakthroughs. U.S. and Chinese government officials from law enforcement, intelligence, military and diplomatic agencies have attended in the wings of each discussion. “The goal has been to get both sides on the same page,” says Lewis. “We’re building the groundwork for official discussions.”</p>
<p>A former senior national security official who has also attended the talks says, “Our reports go straight to the top policymakers” in the Obama administration.</p>
<p>Chinese participants have sought to allay U.S. concerns about a Chinese cyber-attack on the U.S. financial system. With China owning more than $1.1 trillion in U.S. government debt, Lewis says China’s representatives acknowledged that destabilization of U.S. markets would, in effect, be an attack on China’s own economy.</p>
<p>Despite the talks, suspected Chinese cyber-espionage has hardly tapered off. Documents reviewed by Reuters show that CSIS itself recently was the target of a spear-phish containing malicious code with a suspected link to China.</p>
<p>On March 1, an e-mail from an address on an unofficial U.S. Armed Forces family welfare network called AFGIMail was sent to Andrew Schwartz, chief spokesman for CSIS. Attached to the message was an Excel spreadsheet labelled “Titan Global Invitation List.”</p>
<p>An analysis conducted for Reuters by a cyber-security expert who asked not to be identified shows the email may have been sent from a compromised AFGIMail e-mail server. The Excel spreadsheet, if opened, installs malicious code which searches for documents on the victim’s computer. The code then communicates to a Web-site hosting company in Orange County, California that has additional sites in China.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/in-cyberspy-vs-cyberspy-china-has-the-edge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

