
Trojan Dragons of China

A. Introduction
1. In 2015, documents leaked by Edward Snowden confirmed that Chinese hackers had, since at
least 2007, stolen top secret data about the F-22 Raptor, the F-35 Joint Strike Fighter (JSF)
and many other classified designs. The breaches took place at Lockheed Martin and other US
defence contractors; the intrusion set was codenamed "Byzantine Hades". Earlier US diplomatic
cables had linked the command and control domains used in these attacks to a registrant
named Chen Xingpeng and to the First Technical Reconnaissance Bureau (TRB) of the People's
Liberation Army (PLA) in Chengdu, Sichuan Province. Another hacker, Yinan Peng of the group
Javaphile, was also implicated. A related prosecution, that of Su Bin, a Chinese national
arrested in Canada in 2014 for conspiring to steal F-22, F-35 and C-17 data, ended in a guilty
plea in March 2016 after two years of legal proceedings.
2. The Chinese government denied any involvement in the attacks, stating that, "The Chinese
military has never supported any hacker attack or hacking activities", and “It is
unprofessional and groundless to accuse the Chinese military of launching cyber-attacks
without any conclusive evidence.”
3. In 2015 China acknowledged for the first time the existence of specialised cyber warfare
units: the PLA publication "The Science of Military Strategy" openly described China's network
espionage and network attack forces.

B. Origin of Chinese Cyber War Capability


1. Chinese academic discussion of cyber warfare started in the 1990s, when it was called
"information warfare". Impressed by how the US military benefited from the application of high
technology in the Gulf War, and in subsequent operations in Kosovo, Afghanistan and Iraq, China
came to believe that it could not adequately defend itself without mastering the information
technology realm. In 1993 the Chinese military adjusted its military strategic guideline, which
was revised again in 2004 to "winning local wars under conditions of informationization".
2. The first time the Chinese military publicly addressed cyber warfare from a holistic point of
view was in 2013, in "The Science of Military Strategy", which identified cyberspace as a new
and essential domain of military struggle. A similar tone appeared in the 2015 defence white
paper "China's Military Strategy", which defined cyberspace as a "new pillar of economic and
social development, and a new domain of national security", and stated plainly that China faced
grave security threats to its cyber infrastructure.

C. Core Aims of China’s Cyber Warfare


1. Chinese strategists see cyber warfare as a competition extending beyond the military into the
economy, diplomacy and social development. They use the term "eight King Kongs" (八大金刚, also
rendered "eight guardian warriors") for the eight US technology companies dominating China's
domestic supply chain: Apple, Cisco, Google, IBM, Intel, Microsoft, Oracle and Qualcomm. Heavy
dependence on these companies' products made China wary and convinced it of the need to build
up its domestic technology industry and to make the country's internal internet infrastructure
more secure.
2. Under its stated strategic guideline of Active Defense, the primary aim of Chinese cyber
warfare has been to build defensive capabilities sufficient to survive an offensive cyber strike
and then counter it. As argued by PLA Senior Colonel Li Daguang, after the first round of a
cyberattack the targeted side can respond with a precise counterattack as long as it has a
strong defence, and the attacker will then suffer if its own defence is not good enough. From
this perspective it is wiser to invest in a strong defence.

3. The Chinese also realised that computer network attacks were particularly powerful because
they had a longer reach than conventional weapons, allowing China to directly "touch" the United
States and other adversaries.

D. Cyber War Capabilities of China


1. China's internet is largely closed off and isolated from the rest of the internet. It
connects to the global backbone via only three nodes, located in Beijing, Shanghai and Hong
Kong. The Communist Party does not allow US or Western telecoms to set up points of presence
(PoPs) on China's national network. This isolationist approach shields China from large scale
external attacks, but it also limits what can be done from within China: since very little
international traffic transits the mainland nodes, China cannot divert or hijack that traffic
from home and has to rely on infrastructure abroad. For this purpose China Telecom has set up
PoPs in North America, Europe and Asia.
2. The first email in China was sent in September 1987, 16 years after the first email in the
US. For the first few years, the government reserved the internet for academics and officials.
Then, in 1995, it was opened to the general public. The government deemed 1996 as the
“Year of the Internet”, and internet clubs and cafes appeared all over China’s largest cities.
As enthusiastically as the government proclaimed its support for the internet, it started
taking steps to control it. By 1997, Beijing had enacted its first laws criminalising online
postings designed to hurt national security or the interests of the state.
3. In the late 1990s, Fang Binxing started working on developing the “Golden Shield”, a
software that enabled the government to inspect any data being received or sent, and to
block destination IP addresses and domain names. His work was rewarded by a swift
political rise. By the 2000s, he had earned the moniker “Father of the Great Firewall” and,
eventually, the enmity of hundreds of thousands of Chinese web users.
4. In September 2000, a law required internet service providers to ensure that information sent
over their services adhered to the law, and to record certain domain names and IP addresses. In
2002 Beijing blocked Google, leaving the domestic search engine Baidu (founded in 2000) to
dominate the market. In the same year China's internet industry was asked to sign a "Public
Pledge on Self-Discipline" committing to four principles: patriotic observance of law,
equitableness, trustworthiness and honesty. More than 100 companies, including Yahoo!, signed
the pledge.
5. Under Xi, the government developed new technology to exert far greater control over the
internet. In January 2015 it blocked many of the VPNs that citizens had used to circumvent the
Great Firewall. The crackdown was surprising because VPNs were useful to the Chinese economy,
supporting multinationals, banks and retailers among others.
6. In spring 2015 Beijing unveiled the Great Cannon. Unlike the Great Firewall, which can only
block traffic as it enters or leaves China, the Great Cannon can modify and replace content in
transit. One of its first targets was GitHub, the US code hosting and software development site.
Between March and April 2015 the Great Cannon injected malicious JavaScript into a fraction of
the unencrypted responses carrying Baidu's analytics and advertising scripts, so that the
browsers of visitors to Baidu-instrumented sites around the world repeatedly requested two GitHub
pages, producing a distributed denial of service attack. The attack aimed to force GitHub to
remove pages hosted by GreatFire.org, an anti-censorship group that mirrors blocked content,
including the Chinese-language edition of the New York Times.

3rd Jan 2019 - PA2 1 | Page



7. In 2018 the total number of people employed to monitor opinion and censor content on the
internet as "internet public opinion analysts" was estimated at 2 million, across government
propaganda departments, private corporations and news outlets. On average, the Chinese
government fabricates and posts approximately 448 million comments on social media annually. A
considerable amount of censorship is conducted through manual deletion of posts; an estimated
100,000 people are employed by government and private companies to do just this.
8. Private companies also play an important role in facilitating internet censorship in China.
Several major technology entrepreneurs also hold political office. Robin Li of Baidu is a
member of the Chinese People’s Political Consultative Conference, an advisory legislature,
while Lei Jun, founder and CEO of Xiaomi, is a representative of the National People’s
Congress.
9. As a result of all these controls, China's internet is unreliable and ranks 91st in the world
for speed. China is nevertheless trying to turn "Chinanet" into a model for other countries.
10. Despite all the protection, China's internet is one of the most regularly attacked. According
to one report, China suffered the highest rate of distributed denial of service (DDoS) attacks
in the world in 2018, an average of over 800 million attack events a day. Scanning and backdoor
intrusions made up the majority of the attacks, and about 97 percent were conducted by domestic
actors. A growing share, however, came from overseas, mostly from the US, South Korea and Japan;
among the attacks originating overseas, those targeting government and financial websites
greatly outnumbered those on other targets.

E. Unit 61398 and APT-1


1. In February 2013, Mandiant published a report detailing a prolific Chinese hacking group it
tracked as APT1 and assessed to be PLA Unit 61398, suspected of waging cyber espionage against
government agencies and companies. Unit 61398 is the Military Unit Cover Designator of the 2nd
Bureau of the PLA General Staff Department's (GSD) 3rd Department, the department responsible
for signals intelligence and computer network operations. Its databases reportedly contain vast
and detailed information about critical infrastructure, including pipelines, transmission lines
and power generation facilities of target countries.
2. Unit 61398 is partially situated on Datong Road in Gaoqiaozhen, in the Pudong New Area of
Shanghai. The central building in this compound is 12 stories high and was built in early 2007.
It is staffed by thousands of computer engineers.
3. Unit 61398 actively solicits and trains English speaking personnel specializing in a wide
variety of cyber topics. A graduate student of covert communications, Li Bingbing who
openly acknowledged his affiliation with Unit 61398, published a paper in 2010 that
discussed embedding covert communications within Microsoft Word documents. Another
example is English linguist Wang Weizhong’s biographical information, provided to the
Hebei Chamber of Commerce, which describes the training he received as an English
linguist while assigned to Unit 61398. The organization was also known as the “Cyber
Army,” or “Wang Jun” in Mandarin.
4. China Telecom has provided special fibre optic communications infrastructure for the unit in
the name of national defence. The unit runs advanced persistent threat (APT) campaigns using
state of the art tools. APT1 is Mandiant's name for the intrusion group itself, not for its
tools, and the characteristics of APT1 overlap heavily with those of Unit 61398. APT1's activity
was traced to the Pudong New Area where Unit 61398 is based. Both steal intellectual property
from English speaking organisations and target the strategic emerging industries identified in
China's 12th Five Year Plan. APT1 has organised, funded and disciplined operators with specific
targeting objectives and a code of conduct (for example, APT1 has not been seen destroying
property or stealing money, in contrast to most "hackers" and even the most sophisticated
organised crime syndicates). Since 2006 it has systematically stolen hundreds of terabytes of
data from at least 141 organisations spanning 20 major industries. As part of the PLA, Unit 61398
has the resources (people, money, influence) necessary to orchestrate operations at APT1's scale.
5. APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st
RAT. They also use two email-stealing utilities, GETMAIL, designed specifically to extract
email messages, attachments, and folders from within Microsoft Outlook archive (“PST”)
files and MAPIGET, designed to steal email that has not yet been archived and still resides
on a Microsoft Exchange Server.
6. In May 2014 the US filed criminal charges against five PLA officers from the unit, Wang Dong
("UglyGorilla"), Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui, for hacking and economic
espionage against US companies. Besides spying on US firms and stealing trade secrets, they were
accused of stealing nuclear power plant design information and a solar panel company's cost and
pricing data. Mandiant's report had also profiled two further personas, "DOTA" and "SuperHard",
linking the latter to a man named Mei Qiang; neither was charged.
7. On 13th May 2004, an advertisement in China Digital Times, invited applications for
recruitment of computer science graduate students into Unit 61398. Students who signed
the contract were rewarded with a significant National Defense Scholarship (5,000 yuan per
year) and an offer to work in the unit. Interested candidates from Zhejiang University were
encouraged to contact Teacher Peng in the Graduate Division.
8. Many APT groups have been attributed to the PLA; one count puts the number at 19. Among the
most recently named is APT40, which typically targets countries of strategic importance to the
Belt and Road Initiative.

F. A Disturbing Trend
1. Sophisticated computer network intrusions originating in China and engineered by the Chinese
government have increased. Such attacks reflect a PLA doctrine described as "pressure point
warfare": attacking specific nodes to leave the adversary paralysed. The Chinese see no
difference between asymmetric and conventional warfare.
2. Reports have emerged over time of backdoors or unexplained beaconing in equipment sold by
Chinese companies, and of attempts by Chinese firms to steal other companies' trade secrets for
competitive advantage. Some of the major cases are listed in the sub-paragraphs below.
3. Defending against cyber-attacks becomes a different problem when the backbone and access
equipment itself cannot be trusted.




F.1. Trail of hacking events by Chinese


1998
a. A report identified the Honker Union which had carried out attacks from 1998
to 2005. Operating from mainland China, the Honker Union launched network
attacks against Indonesia, Taiwan, US, Japanese central and local
governments, banks, universities, and companies, as well as a Tibetan
political dissident. The Honker Union may be a proxy force of the Chinese
government.
1999
a. In 1999, after the Taiwanese President announced that Taipei should deal with Beijing
on a state-to-state basis, some 20 Taiwanese government websites were attacked. The
hackers were both Chinese civilians and PLA specialists.
2001
a. Two people funded by state-owned Datang Telecom indicted for stealing
secrets from Lucent.
2002
a. Two people funded by Hangzhou city government indicted for stealing secrets
from four firms.
2003
a. PetroChina employee arrested for attempting to steal seismic imaging
software from Silicon Valley firm (later pled guilty).
b. The first known large-scale act of cyber espionage was the Titan Rain, in
which China-based hackers broke into the networks of the Departments of
State, Defense, Energy, and Homeland Security, as well as the networks of
defense contractors, stealing an estimated 10–20 terabytes of data. The
attacks were traced to the Chinese province of Guangdong and three Chinese
routers that acted as the first connection point from a local network to the
Internet. The hackers used a scanner program that "primed the pump" by searching vast
military networks for computers with exploitable vulnerabilities. The targeted networks
were unclassified systems; the military's classified networks are not connected directly
to the Internet. But even unclassified systems store sensitive information and provide
logistics support throughout the armed forces.
2004
a. Canada’s Nortel discovers that China-based hackers have compromised its
entire network.
b. NetTraveler, a data exfiltration tool active since 2004, infected more than 350 high
profile victims, primarily using exploits for two Microsoft vulnerabilities that had
already been patched. NetTraveler samples were found targeting Tibetan and Uyghur
activists, oil production facilities, scientific research outfits, universities and
private companies. The tool can extract system information, drop keylogging malware and
steal Office documents (Word, Excel and PowerPoint), Corel Draw designs, AutoCAD files and
other file types used in manufacturing and defence circles. Stolen files are compressed,
encoded with a custom scheme resembling BASE64 and sent to a command and control server
over FTP through a VPN connection. The same infrastructure distributed Saker, a backdoor
module carried in DLLs that export the functions JustTempFun and ServiceMain. Kaspersky
researchers found more than 22 gigabytes of stolen data on more than 30 command and
control servers used in the NetTraveler campaign. Almost 30 percent of infections were in
Mongolia, followed by Russia, India and Kazakhstan.
2005
a. Chinese national working at U.S. unit of Dutch firm AkzoNobel begins stealing
material needed to replicate advanced industrial coating.
2006
a. Two people indicted for stealing proprietary information from auto parts maker
Metaldyne and seeking to pass it to Chinese firms.
b. The Mandiant Intelligence Center's 2013 report on the enterprise-scale espionage
campaign it dubbed APT1 traced the operation back to 2006, targeting 141 victims across
multiple industries. APT1 maintained 937 command and control (C2) servers on 849 distinct
IP addresses in 13 countries, the majority registered to organisations in China. Between
January 2011 and January 2013, Mandiant observed 1,905 instances of APT1 operators logging
into their attack infrastructure via Remote Desktop, overwhelmingly from IP addresses
registered in Shanghai. APT1 systematically stole hundreds of terabytes of data from many
victim organisations simultaneously.
c. The Network Crack Program Hacker (NCPH) group, located in Zigong in Sichuan Province,
carried out repeated zero-day attacks specifically targeting the US Defense Department,
using exploit code for Microsoft Word and Excel. The group comprised students of the
Sichuan University of Science and Engineering, led by Tan Dailin (pseudonym "Wicked
Rose"), with KuNgBiM, Rodag and Charles as members. A close affiliate known as WHG was
later identified as Zhao Jibing, employed in Sichuan province.
2007
a. Chinese national employed by Dow begins transferring trade secrets to
Chinese government-controlled institutes.
b. Germany’s domestic intelligence service discovered a Chinese hacking
operation which targeted and infected computers in the German chancellery
as well as foreign, economy, and research ministries with Chinese spy
software. This attack campaign has made German officials fear whether China
may also be targeting the computers of German companies to steal
technology secrets.




2008
a. Former DuPont employee picked by state-owned Pangang to make titanium
dioxide, supposedly using DuPont production method (later pled guilty to
espionage).
b. In 2008 an infection began when a USB flash drive carrying malware was inserted into a
US military laptop at a base in the Middle East. The malicious code uploaded itself onto
a network run by US Central Command and spread to both classified and unclassified
systems, creating a "digital beachhead" from which data could be siphoned. The malware,
known as Agent.btz, spread so widely on Defense Department networks that the DoD
suspended the use of USB drives and other external media by service members. The origin
was never publicly confirmed; China was cited as one possible source.
c. In November 2008 a mass compromise was discovered that infected between 2,000 and
10,000 web servers, mainly in Western Europe and America. The attackers used SQL
injection or logged in with previously stolen site credentials; the common factor was
that most of the hacked sites ran vulnerable ASP applications.
2009
a. Ford Motor employee arrested for stealing trade secrets—later found guilty—
supposedly on behalf of Beijing Auto.
b. Operation Aurora was a series of attacks attributed to the Elderwood Group, based in
Beijing and with ties to the People's Liberation Army. The attacks began in mid-2009 and
continued through December 2009. They were aimed at dozens of organisations; Adobe
Systems, Juniper Networks and Rackspace publicly confirmed that they were targeted, and
according to media reports Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow
Chemical were also among the targets.
c. GhostNet was a cyber espionage campaign targeting over 1,295 computers
in 103 countries, with targets ranging from ministries of foreign affairs,
embassies, international organizations, news media, and NGOs. Many of
these targets were linked to Chinese foreign and defense policy, particularly
in South and Southeast Asia. The log files of malware trace back to the
Lingshui signals intelligence facility and the PLA on Hainan Island.
2010
a. Google announced in January 2010 that it had been the victim of a highly sophisticated,
targeted attack originating from China (the Aurora campaign above). Google accused China
of stealing intellectual property, compromising the security of its infrastructure and
spying on Chinese dissidents.
b. In April 2010, China Telecom announced routes for about 15 per cent of the internet's
destinations for roughly 18 minutes, including prefixes belonging to branches of the US
military, the US Senate and companies such as Microsoft. A significant volume of traffic
was redirected through servers in China.




2011
a. American Superconductor sues top Chinese turbine maker Sinovel for stealing
software used to drive wind turbines.
b. In the autumn of 2011, a Trojan was detected on a huge number of computers,
all of them engaged in a popular online game. The malware was embedded in
a DLL library as a properly signed malicious driver. It contained a backdoor
payload, with functionality of a fully-fledged Remote Administration Tool
(RAT), which gave cybercriminals the ability to control the victim computer
without the user’s knowledge. The attacks were attributed to the Winnti group.
At least 35 companies were infected by Winnti malware. The malicious
program injected code into certain processes and returned control back. Using
the backdoor, the attackers downloaded an auxiliary program ff._exe to the
Config.Msi folder on the infected machine. This code searched for HTML, MS
Excel, MS Word, Adobe, PowerPoint and MS Works documents and text files
(.txt) on the hard drive. Research revealed that Winnti was a long-term
oriented large scale cyberespionage campaign of a criminal group with
Chinese origins.
c. In 2011 Symantec uncovered a targeted attack campaign, dubbed the "Nitro Attacks",
against 29 private companies involved in the research, development and manufacture of
chemicals and advanced materials. Symantec traced the attacks back to a virtual private
server (VPS) located in the United States that was owned by a Chinese man living in
Hebei province.
d. McAfee documented a coordinated, targeted campaign starting in November 2009, dubbed
"Night Dragon", against global oil, energy and petrochemical companies. The attacks
originated primarily in China; command and control infrastructure was provided to the
attackers by someone based in Heze City, Shandong Province, and the attackers used
hacking tools of Chinese origin prevalent on Chinese underground forums.
2012
a. In 2012 the NSA director acknowledged that China-based hackers had compromised defence
firms such as Lockheed Martin in the intrusions known as "Byzantine Hades". The attackers
used a multi-layer strategy of social engineering as well as technical exploits: by
compromising less secure networks, companies and individuals, they escalated their access
and pivoted onto the target networks through the back door. The attacks focused on
acquiring radar designs, detailed engine schematics, methods for cooling exhaust gases,
manufacturing processes for leading and trailing edge treatments and aft deck heating
contour maps. The stolen data included details of the F-22, F-35 and B-2 stealth bomber,
space-based lasers, missile navigation and tracking systems, CAD drawings of parts,
chemical analyses and composition details, as well as source code and nuclear submarine
and anti-air missile designs. The theft involved some 30,000 incidents, compromised 1,600
DoD computers and extracted 50 terabytes of data.

b. The Luckycat campaign attacked diverse targets, including the aerospace, energy,
engineering, shipping and military research industries as well as Tibetan activists and
organisations in Japan and India, using a variety of malware. Using open source research,
Trend Micro mapped an email address used by the campaign to a QQ number belonging to a
hacker in the Chinese underground community. The New York Times traced the alias to Gu
Kaiyuan, a former student at Sichuan University in Chengdu, which receives government
funding for computer network defence research, suggesting state sponsorship of the
hackers.
F.2. The Big Traffic Diversion
a. For six months beginning in February 2016, internet traffic from Canada to South Korea
was diverted by China Telecom: routed through its PoP in Toronto, forwarded to its PoP on
the US West Coast, then on to China and finally to South Korea. The shortest route for
this traffic would normally have been Toronto to the United States to South Korea, the
authors say. The pattern persisted for six months and was therefore not a short-term
misconfiguration or temporary disruption. The lengthened routes and abnormal durations of
such diversions suggest malicious intent.
b. Starting in February 2016 and for about six months, routes from Canada to Korean
government sites were hijacked by China Telecom and routed through China. In October 2016,
traffic from several locations in the USA to the Milan headquarters of a large
Anglo-American bank was hijacked by China Telecom to China. Traffic from Sweden and Norway
to the Japanese network of a large American news organisation was hijacked to China for
about six weeks in April and May 2017. Traffic to the mail server (and other IP addresses)
of a large financial company in Thailand was hijacked several times during April, May and
July 2017. Some of the hijacks started in the USA. Similar diversions recurred in 2018,
when traffic from Toronto to the South Korean government was again diverted.
c. Vast rewards can be reaped from the hijacking, diverting, and then copying of
information-rich traffic going into or crossing the United States and Canada.
This data can then be processed for encryption breaking and analysis or in
some cases even altering the traffic. The latency can be reduced by allocating
dedicated bandwidth for the diverted route, delivering the data with small
delays.
d. China Telecom had ten strategically placed, Chinese-controlled internet points of
presence (PoPs) on the North American backbone: at least eight in the United States and
two in Canada. Telecom carriers set up such access points to serve clients from their home
countries and to expand business opportunities, but PoPs also make it easier for these
firms to influence the routing of internet traffic.
e. Yuval Shavitt of Tel Aviv University and Chris Demchak of the US Naval War College
published a paper outlining how China has been rerouting Canadian and US internet traffic.
The researchers built a route tracing system that monitors BGP announcements and
distinguishes patterns suggesting accidental from deliberate hijacking. Using this system,
they tracked long-lived BGP hijacks down to the ten PoPs of China Telecom.
Attack Modus – BGP Hijack
a. China Telecom has had a presence inside North American networks since the early 2000s,
when it created its first PoP. PoPs exchange traffic between the smaller networks that
make up the larger internet. These networks are known as autonomous systems (AS): the
networks of big tech companies like Google, a neighbourhood ISP, tier-1 ISPs like Verizon,
universities, banks, web hosting companies, and any entity big enough to have received
its own block of IP addresses and an AS number.
b. Traffic travels between these autonomous systems with the help of the Border Gateway
Protocol (BGP). The protocol dates from 1989 and has no built-in validation of who may
originate a prefix or of the AS path it carries: any network can announce a route for
address space it does not own and receive traffic that was not intended for it (origin
validation via RPKI and path validation via BGPsec were added later and are unevenly
deployed). In the vast majority of cases these incidents, called "BGP hijacks", happen
when a router improperly advertises itself as having the best route to a victim network;
they can also be triggered by configuration mistakes and are usually resolved in minutes
or hours.
c. Intentional BGP hijacks, however, are carried out by organised crime or state-backed
threat actors for man-in-the-middle traffic interception, phishing attacks to steal
passwords, or to record HTTPS-encrypted traffic for later decryption using cryptographic
attacks such as DROWN or Logjam.
d. China Telecom has been one of the internet's most persistent BGP hijackers. Demchak and
Shavitt note that the hijacks continued after China signed a pact with the US in September
2015 prohibiting government-backed cyber operations aimed at intellectual property theft,
and argue that the agreement created a need for new ways to obtain information while
technically adhering to it.
e. China's internet is largely closed off from the rest of the internet, connecting to it
only via three nodes in Beijing, Shanghai and Hong Kong. Because very little international
traffic passes through these mainland nodes, China could not carry out BGP hijacks of such
traffic from home. This is why the PoPs it set up in North America, and also throughout
Europe and Asia, are so crucial.
f. The prevalence and demonstrated ease of redirecting and copying data by controlling key
transit nodes buried in a nation's infrastructure call for urgent action and policy
review. A practical problem is that many BGP hijacks are brief, so by the time an attack
is noticed the situation may already be back to normal; the long-lived China Telecom
diversions above were the exception. This stresses the importance of monitoring the BGP
routes relating to your own AS and establishing an efficient alerting workflow.
Monitoring services such as BGPMon and Oracle Dyn can do this work.

g. A key element in fighting BGP hijacking is accurate and fast detection that
enables equally fast and flexible mitigation. This is where the Automatic and
Real-Time dEtection and MItigation System (ARTEMIS) can help. ARTEMIS is a
self-operated, unified detection and mitigation approach based on control-plane
monitoring. It continuously watches the internet control plane through publicly
available BGP monitoring services such as RIPE RIS and RouteViews (including
their real-time streaming feeds). Detection works by cross-checking the BGP
updates received by the monitoring module against the local configuration (for
example, the origin ASNs, neighbour ASNs and announced prefixes of the operator's
own network) and against a knowledge base (for example, observed AS-level links
and related metadata) that ARTEMIS builds automatically and stores locally.
Mitigation can be triggered immediately upon detection and is configurable per
prefix, per hijack type and by observed impact.
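The detection logic described in f. and g. above, as an added example that is not ARTEMIS's, BGPMon's or the original page's code: announcements from a constructed feed (mimicking the fields of a RIPE RIS Live or RouteViews stream) are checked against a local configuration of the prefixes a hypothetical AS 64500 originates and the neighbours it announces through. The ASNs and prefixes are private and documentation ranges chosen for illustration, and `deaggregate()` shows the simplest mitigation ARTEMIS can trigger.

```python
"""Added example: control-plane BGP hijack detection in the ARTEMIS style.

Not code from ARTEMIS, BGPMon or the original page. The AS numbers (64496-64511,
private range) and prefixes (documentation ranges) are assumptions for the demo.
"""
import ipaddress

OUR_ASN = 64500  # hypothetical operator AS (assumption)
CONFIG = {       # prefix -> expected origin ASNs and expected upstream neighbours
    "203.0.113.0/24": {"origins": {64500}, "neighbors": {64496, 64497}},
    "2001:db8:100::/48": {"origins": {64500}, "neighbors": {64496}},
}


def _strip_prepends(as_path):
    """Collapse AS prepending (64496 64500 64500 -> 64496 64500)."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def classify(prefix, as_path, config=CONFIG):
    """Classify one announcement. Returns (hijack_type, detail) or None.

    Types follow the ARTEMIS taxonomy:
      exact-origin : our exact prefix with a foreign origin AS (type 0)
      neighbor     : our origin, but reached via an AS we never peer with (type 1, fake link)
      subprefix    : a more specific of our prefix from anywhere (sub-prefix hijack)
    """
    net = ipaddress.ip_network(prefix, strict=False)
    path = _strip_prepends(as_path)
    origin = path[-1]
    for cfg_prefix, rule in config.items():
        cfg_net = ipaddress.ip_network(cfg_prefix)
        if cfg_net.version != net.version:
            continue
        if net == cfg_net:
            if origin not in rule["origins"]:
                return ("exact-origin", f"{prefix} originated by AS{origin}")
            if len(path) >= 2 and path[-2] not in rule["neighbors"]:
                return ("neighbor", f"AS{path[-2]} claims a link to AS{origin} for {prefix}")
            return None
        if net.subnet_of(cfg_net):
            return ("subprefix", f"{prefix} (more specific of {cfg_prefix}) via AS{origin}")
    return None  # prefix is not ours: ignore


def scan(updates, config=CONFIG):
    """Run classify() over a feed of update dicts; withdrawals ('W') are skipped."""
    alerts = []
    for upd in updates:
        if upd.get("type") != "A":
            continue
        hit = classify(upd["prefix"], upd["path"], config)
        if hit:
            alerts.append((upd["prefix"], upd["path"][-1], hit[0], hit[1]))
    return alerts


def deaggregate(cfg_prefix):
    """Mitigation ARTEMIS can trigger: announce the two halves of the victim prefix
    so the legitimate route is at least as specific as the hijacker's. Caveat:
    most networks filter IPv4 prefixes longer than /24 (IPv6 longer than /48),
    so this only helps while the victim prefix is shorter than that."""
    return [str(n) for n in ipaddress.ip_network(cfg_prefix).subnets(prefixlen_diff=1)]


# Constructed sample feed (not real routing data).
SAMPLE_FEED = [
    {"type": "A", "prefix": "203.0.113.0/24", "path": [64510, 64496, 64500, 64500]},  # ok, prepended
    {"type": "A", "prefix": "203.0.113.0/24", "path": [64510, 64499]},                # foreign origin
    {"type": "A", "prefix": "203.0.113.128/25", "path": [64510, 64499]},              # sub-prefix
    {"type": "A", "prefix": "203.0.113.0/24", "path": [64510, 64498, 64500]},         # fake link
    {"type": "W", "prefix": "203.0.113.0/24", "path": []},                            # withdrawal
    {"type": "A", "prefix": "198.51.100.0/24", "path": [64510, 64511]},               # not ours
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FEED):
        print("HIJACK", alert)
```

Run stand-alone it prints the three constructed hijacks; the withdrawal and the unrelated prefix are ignored. Because detection here is purely control-plane, it sees only what the route collectors see, which is why streaming feeds matter: a hijack that lasts minutes is visible only if the updates reach the detector while the route is still in the tables.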
DROWN (SSL vulnerability)
a. DROWN (Decrypting RSA with Obsolete and Weakened eNcryption, CVE-2016-0800)
is a serious vulnerability that affects HTTPS and other services that rely on
SSL and TLS, the cryptographic protocols that let everyone on the internet
browse the web, use email, shop online and send instant messages without third
parties reading the traffic.
b. DROWN allows attackers to break the encryption and read or steal sensitive
communications, including passwords, credit card numbers, trade secrets or
financial data.
c. SSLv2 is obsolete and badly insecure, and DROWN turns that into a
cross-protocol attack: a server that still accepts SSLv2 connections, or any
other server (a mail server, say) that uses the same RSA private key as one that
does, can be used as a padding oracle. The attacker records a TLS session that
used RSA key exchange between an up-to-date client and server, sends the
SSLv2-capable server tens of thousands of crafted SSLv2 handshakes, and learns
from its responses enough to recover that session's premaster secret. Nothing on
the client needs to be wrong; the fix is entirely server-side: disable SSLv2
wherever the key is used, and never share a private key between services with
different protocol configurations.
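A way to check for the precondition in c., as an added example rather than code from the DROWN authors or the original page: the script builds a minimal SSLv2 CLIENT-HELLO, and `parse_server_hello()` decodes the SSLv2 SERVER-HELLO that a vulnerable server answers with and reports the cipher kinds it offers, flagging the 40-bit export ciphers that general DROWN exploits. `probe()` wires the two to a socket; the SERVER-HELLO used in the test is constructed, not a real capture.

```python
"""Added example (not from the DROWN paper or the original page): does a
server still speak SSLv2? Message layout follows the SSLv2 draft
(2-byte record header with the high bit set, 3-byte cipher kinds).
"""
import socket
import struct

# SSLv2 cipher kinds as assigned in the SSLv2 draft.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}  # 40-bit kinds used by general DROWN

_NOT_SSLV2 = {"sslv2": False, "ciphers": [], "export": False}


def build_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO: type 1, version 0x0002, all cipher kinds, no session id."""
    ciphers = b"".join(SSL2_CIPHERS.keys())
    body = (b"\x01" + b"\x00\x02"
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body  # header: no padding, 15-bit length


def parse_server_hello(data):
    """Decode an SSLv2 SERVER-HELLO (type 4). Anything else (a TLS alert, an
    empty reply, garbage) means the server did not answer in SSLv2."""
    if len(data) < 2:
        return dict(_NOT_SSLV2)
    hdr = struct.unpack(">H", data[:2])[0]
    if not hdr & 0x8000:
        return dict(_NOT_SSLV2)
    body = data[2:2 + (hdr & 0x7fff)]
    if len(body) < 11 or body[0] != 0x04:
        return dict(_NOT_SSLV2)
    # type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) cipher-len(2) conn-id-len(2)
    cert_len, cipher_len, _conn_len = struct.unpack(">HHH", body[5:11])
    cipher_bytes = body[11 + cert_len: 11 + cert_len + cipher_len]
    kinds = [cipher_bytes[i:i + 3] for i in range(0, len(cipher_bytes) - 2, 3)]
    return {
        "sslv2": True,
        "ciphers": [SSL2_CIPHERS.get(k, k.hex()) for k in kinds],
        "export": any(k in EXPORT_CIPHERS for k in kinds),
    }


def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a live server and decode whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_server_hello(reply)


def constructed_server_hello(cipher_kinds, cert=b"\x30\x03\x02\x01\x01", conn_id=b"\xaa" * 16):
    """Build a SERVER-HELLO the way a vulnerable server would (constructed test input)."""
    ciphers = b"".join(cipher_kinds)
    body = (b"\x04\x00\x01\x00\x02"
            + struct.pack(">HHH", len(cert), len(ciphers), len(conn_id))
            + cert + ciphers + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    print(parse_server_hello(constructed_server_hello([b"\x01\x00\x80", b"\x02\x00\x80"])))
```

A server that answers the probe in SSLv2 is DROWN-exposed regardless of how well its TLS is configured; a TLS alert or a reset is the healthy response. Scan every host that shares the certificate's RSA key (mail, legacy, management interfaces), since the oracle can live on any of them.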
Logjam Attack (Weak Diffie-Hellman)
a. Diffie-Hellman key exchange is a cryptographic algorithm that lets two
systems agree on a shared key and negotiate a secure connection. The Logjam
attack lets a man-in-the-middle downgrade vulnerable TLS connections to 512-bit
export-grade Diffie-Hellman, after which the attacker can read and modify any
data passed over the connection. The flaw is in the TLS protocol: the server
signs the Diffie-Hellman parameters it sends, but that signature does not cover
the cipher suite that was negotiated. A man-in-the-middle can therefore rewrite
the client's offered suites down to DHE_EXPORT, the server replies with
correctly signed 512-bit parameters, and the client has no way to tell that
those parameters were meant for an export suite. The attacker then breaks the
512-bit exchange fast enough to finish the handshake in the client's name.
b. Millions of HTTPS, SSH and VPN servers use the same prime numbers for
Diffie-Hellman key exchange. Practitioners believed this was safe as long as
fresh key exchange messages were generated for every connection. However, the
first and most expensive step of the number field sieve, the most efficient
algorithm for breaking a Diffie-Hellman connection, depends only on the prime.
After that one-off precomputation, an attacker can break individual connections
quickly.
c. An academic team can carry out the precomputation for a 768-bit prime and a
nation-state for a 1024-bit prime. Breaking the single most common 1024-bit
prime used by web servers would allow passive eavesdropping on connections to
18% of the top one million HTTPS domains. Published NSA leaks show that the
agency's attacks on VPNs are consistent with having achieved such a break. The
remedy is to stop supporting export cipher suites, use groups of 2048 bits or
more, and prefer elliptic-curve Diffie-Hellman.
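The point made in b. and c., as an added example that is not the Logjam authors' or the original page's code: the expensive stage depends only on the prime, after which every session that used it falls cheaply. The same "precompute once, break many" shape is visible at toy scale with baby-step/giant-step, whose baby-step table is built once per (p, g) and then yields each session's secret exponent in O(sqrt p) work. The 32-bit safe-prime group is constructed here for speed (real groups are 1024 bits and up, and the real attack is the number field sieve, not BSGS); the 2048-bit minimum in `dh_group_verdict()` is this example's policy, not a value from the page.

```python
"""Added example (not from the Logjam paper or the original page): shared
Diffie-Hellman primes let one precomputation break every session, shown with
baby-step/giant-step on a constructed 32-bit safe-prime group.
"""
import math
import random

MIN_DH_BITS = 2048  # this example's policy (assumption); browsers after Logjam rejected < 1024


def is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    small = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits, seed=0):
    """Deterministically find a safe prime p = 2q + 1 of the given size; g = 4 has order q."""
    q = (1 << (bits - 2)) + 1 + 2 * seed
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


class DLogOracle:
    """Per-group precomputation (the analogue of NFS sieving and linear algebra):
    a baby-step table that depends only on (p, g), built once."""

    def __init__(self, p, g, order):
        self.p, self.g, self.order = p, g, order
        self.m = math.isqrt(order) + 1
        self.baby = {}
        x = 1
        for j in range(self.m):
            self.baby.setdefault(x, j)
            x = x * g % p
        self.giant_step = pow(g, order - self.m, p)  # g^(-m), since g^order = 1

    def log(self, h):
        """Per-connection work (the analogue of the NFS descent): O(sqrt order) steps."""
        y = h
        for i in range(self.m + 1):
            if y in self.baby:
                return (i * self.m + self.baby[y]) % self.order
            y = y * self.giant_step % self.p
        raise ValueError("value not in the subgroup")


def dh_session(p, g, q, rng):
    """One DH exchange: returns what the wire shows (A, B) and the true shared secret."""
    a, b = rng.randrange(1, q), rng.randrange(1, q)
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)


def passive_recover(oracle, A, B):
    """Eavesdropper: recover a from A, then the shared secret from B."""
    return pow(B, oracle.log(A), oracle.p)


def demo(bits=32, sessions=3, seed=7):
    """Precompute once, then break several independent sessions on the same group."""
    p, q, g = make_group(bits, seed)
    oracle = DLogOracle(p, g, q)
    rng = random.Random(seed)
    results = []
    for _ in range(sessions):
        A, B, real = dh_session(p, g, q, rng)
        results.append(passive_recover(oracle, A, B) == real)
    return results


def dh_group_verdict(p):
    """Client-side check on ServerKeyExchange parameters (the post-Logjam defence)."""
    bits = p.bit_length()
    if not is_probable_prime(p):
        return "reject: modulus is not prime"
    if bits < 1024:
        return f"reject: {bits}-bit group, export-grade strength"
    if bits < MIN_DH_BITS:
        return f"weak: {bits}-bit shared group is within nation-state reach"
    return f"ok: {bits}-bit group"


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry: the table costs O(sqrt q) once, each session costs O(sqrt q) thereafter, and fresh exponents per connection do not help because the table never depended on them. The defence is on the verifying side: reject small or non-prime groups before finishing the handshake.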


F.3. Mother of all Hacks – Hacking the Hardware


a. In 2015, Amazon.com Inc. began evaluating a startup called Elemental
Technologies for acquisition, to meet the expansion needs of its streaming
video service, known today as Amazon Prime Video. The account that follows is
drawn from Bloomberg Businessweek's October 2018 report; Amazon, Apple and
Supermicro each denied it in detail, and no implanted board has been produced
publicly, so the specifics should be read as reported rather than established.
b. Amazon Web Services (AWS), which was overseeing the prospective acquisition,
hired a third-party company to scrutinize Elemental's security. In mid-2015,
Supermicro servers hosting Elemental's video compression software were sent to
Ontario, Canada, for third-party security testing. Nested on the servers'
motherboards, the testers found a tiny microchip, not much bigger than a grain
of rice, that was not part of the boards' original design. Amazon reported the
discovery to the FBI, sending a shudder through the intelligence community.
Already in the first half of 2014, intelligence officials had reported specific
intelligence that the Chinese military was preparing to insert malicious chips
into Supermicro motherboards bound for U.S. companies.
c. Elemental's servers were deployed in Department of Defense data centers to
process drone and surveillance-camera footage, on Navy warships to transmit
feeds of airborne missions, and inside government buildings to enable secure
videoconferencing. NASA, both houses of Congress and the Department of Homeland
Security were also using the servers. Supermicro also dominated the $1 billion
market for server boards used in special-purpose computers, from MRI machines
to weapons systems, and its motherboards could be found in server setups at
banks, government contractors, hedge funds, cloud computing providers and
web-hosting services. Elemental had supplied servers to CIA data centers as
well, through a development partnership with In-Q-Tel Inc., the CIA's
investment arm, which had paved the way for its Supermicro-based servers to be
deployed there. Apple was an important Supermicro customer and had planned to
order more than 30,000 of its servers over two years for a new global network
of data centers. With more than 900 customers in 100 countries by 2015,
Supermicro thus offered inroads to a large collection of sensitive targets.
According to the report, however, the implanted boards reached about 30
companies, including Elemental.
d. To track the corrupted chips to their source, U.S. intelligence agencies
followed Supermicro's serpentine supply chain in reverse. Eventually they traced
the malicious chips to four subcontracting factories that had been building
Supermicro motherboards for at least two years. Plant managers had been
approached by people claiming to represent Supermicro or the government, who
requested changes to the motherboards' original designs; where there was
resistance, they threatened the managers with inspections that could shut down
their plants. Once arrangements were in place, the middlemen organized delivery
of the chips to the factories. The Supermicro attack was attributed to a unit of
the PLA. American investigators eventually worked out who had been hit by
tracing, and then hacking, the command-and-control server that the chip
contacted for further instructions.
e. The implanted chips were designed to look like signal conditioning couplers,
a common motherboard component. In one case the malicious chips were embedded
between the layers of the printed circuit board (PCB). They were unlikely to be
detected without specialized equipment. When the servers were installed at the
customer site they had to be updated with the latest firmware through
Supermicro's online portal. That portal had been breached by Chinese hackers in
2015 and the firmware injected with code to initialize the chip. In 2016,
Facebook's testing of Supermicro servers found that downloaded firmware had been
altered to enable a backdoor in the network card driver.
f. Once enabled, the chip sat on the data lines between the CPU and memory and
could alter the instructions the CPU was meant to execute. That position also
gave it an attack vector against the baseboard management controller (BMC), an
ARM processor running an ancient version of Linux that controls major parts of
the server and lets administrators remotely reboot malfunctioning equipment,
among other administrative tasks. Any known vulnerability in the BMC becomes
attack surface for the custom chip, and a chip that controls the BMC can give
the attackers remote access. In this way it could bypass the host's security
mechanisms and copy data in the clear before it was ever encrypted, the most
valuable prize for an attacker. The compromised network driver could open
stealthy backdoors and communicate with one of several anonymous
command-and-control computers on the internet. The chip could thus steal
encryption keys for secure communications, block security updates that would
neutralize the attack, and open new pathways to the internet. Hardware hacks
are so devastating because they give long-term stealthy access and are very
hard to detect; this method is graver than any software-based attack.
g. China has an advantage in executing this kind of work because it makes 75
percent of the world's mobile phones and 90 percent of its PCs. Such an attack
requires a deep understanding of the product's design, the ability to
manipulate components at the factory, and a way to ensure the doctored devices
pass through the global logistics chain to the intended destination. An
important aspect of the finding is that Supermicro's motherboards were
engineered in the US and built under manufacturing standards meant to secure
the supply chain, yet they could still be manipulated. If spy chips were
secretly installed, why were they not discovered during quality assurance?
Functional QA tests whether a board works, not whether it matches its design;
finding an extra component that looks like a standard part requires the
specialized inspection mentioned above.
h. Apple replaced all of its Supermicro servers within a matter of weeks.
Separately from the implant allegations, Supermicro has been plagued by
accounting problems, and it was delisted from the Nasdaq on 23rd Aug 2018 after
failing to file its financial statements on time.
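How the altered firmware described in e. and f. would show up to a verifier that replays boot measurements, as an added example that is not the original page's, Supermicro's or any vendor's code. A TPM-style platform configuration register (PCR) can only be extended, PCR' = SHA-256(PCR || SHA-256(component)); each boot stage measures the next component into it, and the verifier compares the quoted value with a golden value computed from images it trusts. The firmware images, the golden values and the "backdoored" NIC driver are constructed byte strings, not real firmware, and the three-stage boot order is an assumption.

```python
"""Added example: measured-boot event log replay and attestation.

Not code from the original page or any vendor. Images are constructed bytes;
the PCR-extend rule mirrors TPM2_PCR_Extend with SHA-256.
"""
import hashlib

ALG = "sha256"
PCR_INIT = b"\x00" * 32


def measure(blob):
    """Digest of a component image, as a boot stage would compute before running it."""
    return hashlib.new(ALG, blob).digest()


def extend(pcr, digest):
    """PCR extend: hash the old register value concatenated with the new digest."""
    return hashlib.new(ALG, pcr + digest).digest()


def replay(event_log):
    """Recompute the final PCR from an ordered list of (component, digest) events."""
    pcr = PCR_INIT
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def boot(images):
    """Simulated measured boot over an ordered list of (name, image bytes).
    Returns the event log and the PCR value a quote would report."""
    log = [(name, measure(blob)) for name, blob in images]
    return log, replay(log)


def attest(golden_log, reported_log, reported_pcr):
    """Verifier side. Returns (ok, reason). First checks that the reported log
    reproduces the quoted PCR (so the log was not edited after the fact), then
    that every measurement matches the golden manifest, naming the first
    component that differs."""
    if replay(reported_log) != reported_pcr:
        return False, "event log does not reproduce the quoted PCR"
    if len(reported_log) != len(golden_log):
        return False, "unexpected number of boot measurements"
    for (gname, gdig), (rname, rdig) in zip(golden_log, reported_log):
        if gname != rname or gdig != rdig:
            return False, f"measurement mismatch at {rname}"
    return True, "platform matches golden measurements"


# Constructed images (assumptions): what the operator's golden manifest was built from.
GOLDEN_IMAGES = [
    ("uefi_firmware", b"UEFI-BIOS-build-1.2.3 (constructed)"),
    ("bmc_firmware", b"BMC-image-3.40 (constructed)"),
    ("nic_option_rom", b"NIC-driver-v7 (constructed)"),
]
GOLDEN_LOG, GOLDEN_PCR = boot(GOLDEN_IMAGES)

# The same server after pulling a tampered NIC driver from a compromised update portal.
TAMPERED_IMAGES = [
    ("uefi_firmware", b"UEFI-BIOS-build-1.2.3 (constructed)"),
    ("bmc_firmware", b"BMC-image-3.40 (constructed)"),
    ("nic_option_rom", b"NIC-driver-v7 (constructed) + backdoor stub"),
]

if __name__ == "__main__":
    log, pcr = boot(TAMPERED_IMAGES)
    print(attest(GOLDEN_LOG, log, pcr))
```

The caveat that matters for this section: the replay only proves what the measuring code reported. An implant that sits between CPU and memory, or one that owns the BMC, may be positioned to feed the measuring code a clean image while running an altered one, so attestation raises the bar for firmware-level tampering but does not by itself rule out the hardware implant the page describes; that is exactly why hardware implants are graver than software attacks.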

G. Huawei and ZTE


G.1. US Intelligence Committee Investigations
a. On 8th October 2012, the House Permanent Select Committee on Intelligence
published its report on the security threat posed by the Chinese
telecommunications companies Huawei and ZTE. The investigation had run for
about a year, starting in November 2011.
b. The report noted that China treats the global telecommunications supply
chain as a "strategic sector" and gives it the highest priority. The ability to
modify equipment maliciously or to steal information from government and
corporate entities gives China access to expensive research and development
that accelerates its own growth. Huawei and ZTE grew with this aim in view,
helped by billions of dollars in Chinese government financing; their products
were subsidized so the companies could offer bargain-basement prices to
unsuspecting customers and undercut competitors. They were thus well placed to
provide a wealth of opportunities for Chinese intelligence agencies to
compromise critical telecommunications components and systems.
c. Under Chinese law, the companies can be compelled to hand over information
to the state or, worse, to spy through their equipment: they are bound to
cooperate with any government request to use their systems or access for such
purposes (Article 7 of the 2017 National Intelligence Law later made this
obligation explicit). Huawei, founded in 1987 by former PLA officer Ren
Zhengfei, has repeatedly denied any link to the Chinese government or military
and denied receiving financial support from either. ZTE, on the other hand, was
founded as Zhongxing Semiconductor Co., Ltd in Shenzhen, Guangdong province, in
1985 by a group of investors associated with China's Ministry of Aerospace
Industry. In March 1993 it had a capital of RMB 3 million and became one of the
first companies to adopt the new "state-owned, privately operated" business
model.
d. In the course of the Committee's investigation, the companies provided
little evidence to allay its concerns. When the Committee visited China it was
disappointed by the lack of direct answers to in-person questions and by vague
responses to letters. The companies did not provide documentation supporting
or confirming their claims about their formal relationships or regulatory
interaction with Chinese authorities, or about their corporate structure,
ownership, operations or management, claiming that to turn over internal
corporate documents would violate China's state-secret laws. That the internal
documents of supposedly private firms count as state secrets in China was
itself reason to question the companies' independence.
G.2. Hayden Revelations
a. In 2013, Michael Hayden, a retired United States Air Force general and
former head of the National Security Agency (and later of the CIA), said in an
interview with the Australian Financial Review (AFR) that Huawei had shared
"intimate and extensive knowledge" of all the telecommunications infrastructure
it was involved in with the Chinese government. He added that he had seen "hard
evidence" of spying performed by Huawei on behalf of the Chinese government.

b. Hayden sits on the board of directors of Motorola Solutions (the part of
Motorola that Google did not buy), which has been in intellectual property
disputes with Huawei for years. Hayden said that he had been approached by
Huawei to join its American board, but "God did not make enough slides on Huawei
to convince me that having them involved in our critical communications
infrastructure was going to be OK. This was my considered view, based on a
four-decade career as an intelligence officer."
c. It was a significant blow to Huawei to have a high-profile individual "in the
know" publicly describe its alleged espionage and claim that evidence exists to
back it up.
G.3. Huawei Spying at T-Mobile
a. In September 2014, T-Mobile US sued Huawei, alleging that Huawei had stolen
technology from its Bellevue, Washington headquarters. During 2012–2013, Huawei
employees entered a T-Mobile lab and took parts of its smartphone-testing robot,
Tappy, then copied its operating software and design details, in violation of
confidentiality agreements both companies had signed. Huawei went on to use the
stolen parts and data to build its own testing robot.
b. Huawei USA engineers were under such pressure from headquarters to obtain
the technology that they repeatedly suggested sending someone from Huawei China
to complete the job. Huawei China sent an engineer to the T-Mobile lab in
Seattle to continue the reconnaissance; the engineer took photographs and sent
information back, but was caught and banned from the lab by T-Mobile for
improper access.
c. On 29th May 2013, a Huawei USA engineer identified as A.X. entered the
laboratory, placed a Tappy robot arm in his laptop bag and left. A.X. at first
falsely denied taking the arm, then claimed to have found it in his bag,
described the incident as a "mistake" and offered to return the part. Before
returning it, he measured various aspects of the arm, including the end tip of
the conductor stick, and photographed it; these were precisely the sticking
points in the development of Huawei's own robot. He sent the photographs and
measurements to Huawei China.
d. On 10th July 2013, Huawei China launched a formal policy instituting a bonus
program to reward employees who stole confidential information from
competitors. The policy emphasized that no employee would be punished for
acting in accordance with it.

H. Conclusion
1. Of the ongoing inter-state cyber conflict, China and the United States were
the most active, with China attacking US assets 18 times and the US responding
only twice. Experts have suggested not allowing China Telecom to set up PoPs in
North America. For years, the US has maintained that Huawei and ZTE embed
stealth espionage technology in the gear they produce for the world's internet
routers, switches and wireless transmitters. Unlike ordinary cyber threats,
hardware implants enable deeper infiltration of the systems and end devices
the companies supply. Software is relatively easy to update or replace; the
threat of embedded, exploitable hardware is difficult to mitigate, and the
affected organizations might never realize that infiltration is occurring.
2. Trust in Chinese electronics hardware is eroding. Across the world, critical
telecommunication infrastructure is built on Chinese-made routers and switches.
Hardware manipulation is extremely difficult to detect because of the
complexity of modern circuit design, which is why intelligence agencies invest
billions of dollars in such sabotage. Documents released by former NSA
contractor Edward Snowden showed that the U.S. runs extensive programs to seed
technology bound for foreign countries with spy implants. China has pursued the
same direction aggressively and has surpassed the US and the West.
3. China's economic, military and technological espionage has reached an
intolerable level and has become difficult to stop or contain. Today, China is
the greatest source of cyber-attacks and intrusions in the world. These attacks
are widespread and coordinated, which suggests state involvement. The campaigns
have infiltrated thousands of computers across dozens of countries and
international organizations to steal information for the PRC.
