A. Introduction
1. In 2015, documents released by Edward Snowden confirmed that in 2007 Chinese hackers
stole top secret data on the F-22 Raptor, the F-35 Joint Strike Fighter (JSF) and many
other classified designs. The breach took place at Lockheed Martin and other US defence
contractors. The operation was codenamed "Byzantine Hades". A person named Chen
Xingpeng pleaded guilty in March 2016 after two years of legal proceedings. He had set up
the command and control sites that connected to the First Technical Reconnaissance
Bureau (TRB) of the People's Liberation Army (PLA) in Chengdu. Another hacker, Yinan
Peng of a group called Javaphile, was also involved in the attacks.
2. The Chinese government denied any involvement in the attacks, stating that, "The Chinese
military has never supported any hacker attack or hacking activities", and “It is
unprofessional and groundless to accuse the Chinese military of launching cyber-attacks
without any conclusive evidence.”
3. In late 2015 China admitted for the first time to the existence of dedicated cyber warfare
units. The PLA publication "The Science of Military Strategy" described China's digital
espionage and network attack capabilities.
4. The Chinese soon realised that computer network attacks were particularly powerful because
they had a longer reach than conventional weapons, allowing China to directly "touch" the
United States and other adversaries.
7. In 2018, the total number of people employed to monitor opinion and censor content on the
internet as "internet public opinion analysts" was estimated at 2 million. They were employed
across government propaganda departments, private corporations and news outlets. On
average, the Chinese government fabricates and posts approximately 448 million comments
on social media annually. A considerable amount of censorship is carried out by manual
deletion of posts, and an estimated 100,000 people are employed by the government and
private companies to do just this.
8. Private companies also play an important role in facilitating internet censorship in China.
Several major technology entrepreneurs also hold political office. Robin Li of Baidu is a
member of the Chinese People’s Political Consultative Conference, an advisory legislature,
while Lei Jun, founder and CEO of Xiaomi, is a representative of the National People’s
Congress.
9. As a result of all these controls, China's internet is unreliable and ranks 91st in the world for
speed. China is nevertheless trying to turn "Chinanet" into a model for other countries.
10. Despite all the protection, China's internet is among the most regularly attacked. According
to one report, China suffered the highest rate of distributed denial of service (DDoS) attacks
in the world in 2018, an average of over 800 million a day. Scanning and backdoor intrusions
made up the majority of the attacks, and about 97 per cent were conducted by domestic
hackers. However, a growing share came from overseas, mostly from the US, South Korea
and Japan. Among the attacks originating overseas, those targeting government and
financial websites far outnumbered those on other targets.
are many commonalities between APT1 and the characteristics of Unit 61398. APT1's activity
was traced to the Pudong New Area where Unit 61398 is based. Both steal intellectual
property from English-speaking organizations and target the strategic emerging industries
identified in China's 12th Five Year Plan. Both have organized, funded, disciplined operators
with specific targeting objectives and a code of conduct (for example, APT1 has not yet
destroyed property or stolen money, which sets it apart from most "hackers" and even the
most sophisticated organized crime syndicates). APT1 specialises in continuous theft, having
stolen hundreds of terabytes of data from 141 organizations in 20 major industries since 2006.
As part of the PLA, Unit 61398 has the resources (people, money, influence) necessary to
orchestrate operations at APT1's scale.
5. APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st
RAT. They also use two email-stealing utilities, GETMAIL, designed specifically to extract
email messages, attachments, and folders from within Microsoft Outlook archive (“PST”)
files and MAPIGET, designed to steal email that has not yet been archived and still resides
on a Microsoft Exchange Server.
6. In 2014, the US filed criminal charges against five Chinese military officers belonging to the
Unit, named Wang Dong (Ugly Gorilla), Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu
Chunhui, for hacking and cyber espionage against the US. Besides spying on US companies
and stealing trade secrets, they were accused of stealing information about a nuclear power
plant design and a solar panel company's cost and pricing data. Another hacker, Mei Qiang
(also known as DOTA and SuperHard), could not be traced.
7. On 13th May 2004, an advertisement in China Digital Times, invited applications for
recruitment of computer science graduate students into Unit 61398. Students who signed
the contract were rewarded with a significant National Defense Scholarship (5,000 yuan per
year) and an offer to work in the unit. Interested candidates from Zhejiang University were
encouraged to contact Teacher Peng in the Graduate Division.
8. There are 19 APT groups controlled by the PLA. The most recent one is APT40, the group
that typically targets countries strategically important to the Belt and Road Initiative.
F. A Disturbing Trend
1. There has been an increase in sophisticated computer network intrusions originating in
China and engineered by the Chinese government. Such attacks reflect a new PLA doctrine
described as "pressure point warfare": attacking specific nodes to leave the adversary
paralysed. The Chinese draw no distinction between asymmetric and conventional warfare.
2. Reports have emerged over time of backdoors or unexplained beaconing from equipment
sold by Chinese companies, as well as of attempts to steal other companies' trade secrets
for competitive advantage. Some of the major cases are listed in the sub-paragraphs below.
3. Defending against cyber-attacks becomes a different problem when the backbone and
access equipment itself cannot be trusted.
PowerPoint files, Corel Draw designs, AutoCAD files and other file types used
in manufacturing and defence circles. The files are compressed, encoded with
a custom scheme resembling Base64, and sent to a command and control
server over FTP through a VPN connection. The same infrastructure is also
used to distribute Saker, a backdoor module that exposes its export functions
through two DLLs named JustTempFun and ServiceMain. Kaspersky researchers
found more than 22 gigabytes of stolen data on more than 30 command and
control servers used in the NetTraveler campaign. Almost 30 per cent of the
infections were in Mongolia, followed by Russia, India and Kazakhstan.
2005
a. Chinese national working at U.S. unit of Dutch firm AkzoNobel begins stealing
material needed to replicate advanced industrial coating.
2006
a. Two people indicted for stealing proprietary information from auto parts maker
Metaldyne and seeking to pass it to Chinese firms.
b. The Mandiant Intelligence Center released a detailed report on an enterprise-
scale computer espionage campaign dubbed APT1. APT1 established 937
command and control (C2) servers hosted on 849 distinct IP addresses in 13
countries; the majority of these addresses were registered to organizations in
China. The operation started in 2006 and targeted 141 victims across multiple
industries. Between January 2011 and January 2013, 1,905 instances were
identified of APT1 operators using Remote Desktop to connect to their attack
infrastructure. APT1 systematically stole hundreds of terabytes of data from
many victim organizations simultaneously.
c. The Network Crack Program Hacker (NCPH) group, located in Zigong in
Sichuan Province, carried out repeated zero-day attacks specifically targeting
the Defense Department, using exploit code for Microsoft Word and Excel.
The group comprised students from the Sichuan University of Science and
Engineering, led by Tan Dailin, who used the pseudonym "Wicked Rose", with
KuNgBiM, Rodag and Charles as members. A close affiliate known as WHG
was also identified: his name was Zhao Jibing and he was employed in
Sichuan Province.
2007
a. Chinese national employed by Dow begins transferring trade secrets to
Chinese government-controlled institutes.
b. Germany's domestic intelligence service discovered a Chinese hacking
operation that had infected computers in the German chancellery and in the
foreign, economy and research ministries with Chinese spyware. The
campaign made German officials fear that China might also be targeting the
computers of German companies to steal technology secrets.
2008
a. Former DuPont employee picked by state-owned Pangang to make titanium
dioxide, supposedly using DuPont production method (later pled guilty to
espionage).
b. A 2008 infection began when an infected USB flash drive was inserted into
a US military laptop at a base in the Middle East. The drive's malicious code
copied itself onto a network run by US Central Command and eventually
spread to both classified and unclassified systems, creating a "digital
beachhead" from which classified information could be siphoned. The
malware, known as Agent.btz, spread extensively on Defense Department
networks, prompting the DoD to suspend the use of USB drives and other
external media by service members. The origin of the attack could not be
pinned down, but China was one of the possible sources.
c. In November 2008, a mass compromise was discovered that had infected
between 2,000 and 10,000 servers, mainly in Western Europe and America.
The attackers got in through SQL injection or by logging in with site
credentials that had already been stolen. A common factor was that most of
the hacked sites ran on ASP and carried some form of exploitable
vulnerability in the application.
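The SQL injection route mentioned above, as an added illustration that is not from the page and not tied to any particular site or ASP engine: the vulnerable query builds SQL by string concatenation, so a quote in the input rewrites the query's logic, while the hardened version binds the input as a parameter. The in-memory SQLite database, its table and its rows are constructed for the example.

```python
"""Added example (not from the original page): a classic SQL-injection
flaw next to its parameterised fix, against a constructed in-memory
SQLite database. Table and column names are assumptions for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "admin", "letmein")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text, so quote
    characters in the input become part of the query's grammar."""
    sql = (
        "SELECT id, name FROM users WHERE name = '" + name + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Hardened: placeholders keep the input as data; the driver never lets
    it alter the statement's structure."""
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo() -> dict:
    """Run both variants against the same tautology payload and return what
    each one lets through. The vulnerable query becomes
    ... WHERE name = 'nobody' AND password = '' OR '1'='1'
    which, because AND binds tighter than OR, matches every row."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "nobody", payload),
        "safe": login_safe(conn, "nobody", payload),
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {rows}")
```

The same string-building mistake in an UPDATE statement is what let the 2008-era mass attacks append script tags to every text column of a site in one request; bound parameters close that door regardless of which database engine sits behind the page.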
2009
a. Ford Motor employee arrested for stealing trade secrets—later found guilty—
supposedly on behalf of Beijing Auto.
b. Operation Aurora was a series of cyber-attacks conducted by the Elderwood
Group, based in Beijing, China, with ties to the People's Liberation Army. The
attacks began in mid-2009 and continued through December 2009. They were
aimed at dozens of organizations, of which Adobe Systems, Juniper Networks
and Rackspace have publicly confirmed that they were targeted. According to
media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and
Dow Chemical were also among the targets.
c. GhostNet was a cyber espionage campaign that compromised 1,295
computers in 103 countries, with targets including ministries of foreign affairs,
embassies, international organizations, news media and NGOs. Many of these
targets were linked to Chinese foreign and defense policy, particularly in
South and Southeast Asia. The malware's log files trace back to the Lingshui
signals intelligence facility and the PLA on Hainan Island.
2010
a. Google announced in January 2010 that it had been the victim of a highly
sophisticated and targeted attack originating from China. Google accused
China of stealing intellectual property, compromising the security of its
infrastructure and spying on Chinese dissidents.
b. In April 2010, it was revealed that China Telecom had announced routes for
about 15 per cent of the internet's destinations, including branches of the US
military, the US Senate and companies such as Microsoft Corp. A significant
volume of traffic was hijacked by redirecting it through servers in China.
2011
a. American Superconductor sues top Chinese turbine maker Sinovel for stealing
software used to drive wind turbines.
b. In the autumn of 2011, a Trojan was detected on a large number of computers,
all of them running a popular online game. The malware was delivered in a
DLL library as a properly signed malicious driver. It contained a backdoor
payload with the functionality of a fully-fledged Remote Administration Tool
(RAT), giving the attackers control of the victim computer without the user's
knowledge. The attacks were attributed to the Winnti group, and at least 35
companies were found infected by Winnti malware. The malicious program
injected code into certain processes and then returned control. Using the
backdoor, the attackers downloaded an auxiliary program, ff._exe, into the
Config.Msi folder on the infected machine; this searched the hard drive for
HTML, MS Excel, MS Word, Adobe, PowerPoint and MS Works documents
and text files (.txt). Research showed Winnti to be a long-term, large-scale
cyberespionage campaign by a criminal group of Chinese origin.
c. Symantec Corporation uncovered a targeted attack campaign, dubbed the
"Nitro Attacks", against 29 private companies involved in the research,
development and manufacture of chemicals and advanced materials.
Symantec traced the attacks back to a virtual private server (VPS) located in
the United States and owned by a Chinese male living in the Hebei region of
China.
d. McAfee documented a coordinated and targeted cyber campaign, dubbed
"Night Dragon", that started in November 2009 and was conducted against
global oil, energy and petrochemical companies. The attacks originated
primarily in China. Command and control infrastructure was provided to the
attackers by someone based in Heze City, Shandong Province, China. The
attackers also used hacking tools of Chinese origin that are prevalent on
Chinese underground hacking forums.
2012
a. The NSA director acknowledged that China-based hackers had compromised
defense firms such as Lockheed Martin in the attacks called "Byzantine
Hades". The method involved a multi-layered strategy of social as well as
technical attacks: by first hitting less secure networks, companies and
individuals, the attackers escalated their access and hopped onto the target
networks through the back door. The attacks focused on acquiring radar
designs, detailed engine schematics, methods for cooling gases,
manufacturing processes for leading and trailing edge treatments, and aft
deck heating contour maps. The data included details on the F-22, F-35 and
B-2 stealth bomber, space-based lasers, missile navigation and tracking
systems, CAD drawings of parts, chemical analysis and composition details,
source code, and nuclear submarine and anti-air missile designs. The theft
involved 30,000 hacking incidents, compromised 1,600 DoD computers and
extracted 50 terabytes of data.
3rd Jan 2019 - PA2 7 | Page
g. A key element in fighting BGP hijacking is accurate and fast detection that
enables flexible and equally fast mitigation. This is where ARTEMIS (the
Automatic and Real-Time dEtection and MItigation System) can help.
ARTEMIS is a self-operated, unified detection and mitigation approach based
on control-plane monitoring. It continuously monitors the Internet control plane
by leveraging publicly available BGP monitoring services such as RIPE RIS
and RouteViews (and their recently acquired real-time streaming capabilities).
Detection works by cross-checking the BGP updates received by the
monitoring module against the operator's local configuration (for example,
origin and neighbour ASNs and announced prefixes) and against a knowledge
base (containing, for example, observed AS-level links and related metadata)
that ARTEMIS builds automatically and stores locally. Mitigation can be
triggered immediately upon detection and is configurable per prefix, hijack
type and observed impact.
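The cross-check described above, and the kind of announcement behind the 2010 China Telecom incident in the timeline, as an added example that is neither ARTEMIS's own code nor anything from the page: updates seen at public route collectors are compared against an operator's ground truth (the prefixes it originates, its origin ASN and the upstreams that may legitimately sit next to it), and each mismatch is classified by hijack type. The collector feed, ASNs (private-use range) and prefixes (documentation ranges) are constructed for the example.

```python
"""Added example, not ARTEMIS's own code or anything from the page: a
minimal ARTEMIS-style hijack check over constructed route-collector data.
ASNs are from the private-use range and prefixes from the documentation
ranges; none of this is a real measurement."""
import ipaddress

# Constructed local configuration: the operator's ground truth.
MY_ASN = 64500
MY_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
MY_NEIGHBORS = {64501, 64502}          # upstreams allowed as our first hop


def classify(update, my_asn=MY_ASN, my_prefixes=MY_PREFIXES,
             my_neighbors=MY_NEIGHBORS):
    """Classify one update {"prefix": str, "as_path": [collector ... origin]}.

    "ok"                matches configuration
    "unrelated"         does not overlap any prefix we originate
    "origin_hijack"     exact prefix, foreign origin AS (ARTEMIS type 0)
    "subprefix_hijack"  a more-specific of our prefix we did not configure
    "fake_link"         our ASN as origin but a forged first hop (type 1)
    """
    pfx = ipaddress.ip_network(update["prefix"], strict=False)
    path = update["as_path"]
    origin = path[-1]

    covering = None
    for mine in my_prefixes:
        m = ipaddress.ip_network(mine)
        if pfx.version == m.version and pfx.subnet_of(m):
            covering = m
            break
    if covering is None:
        return "unrelated"
    if pfx != covering:
        # A more-specific wins longest-prefix match whoever originates it;
        # anything we did not configure is treated as a hijack.
        return "subprefix_hijack"
    if origin != my_asn:
        return "origin_hijack"
    if len(path) >= 2 and path[-2] not in my_neighbors:
        return "fake_link"
    return "ok"


def detect(feed):
    """Run the check over a batch of updates and return the alerts."""
    alerts = []
    for update in feed:
        verdict = classify(update)
        if verdict not in ("ok", "unrelated"):
            alerts.append((update["prefix"], update["as_path"], verdict))
    return alerts


def deaggregate(prefix):
    """ARTEMIS's basic mitigation: announce the two more-specific halves so
    they win longest-prefix match over the hijacker's route. Only useful for
    prefixes shorter than /24, since most networks filter longer ones."""
    return [str(s) for s in ipaddress.ip_network(prefix).subnets(prefixlen_diff=1)]


# Constructed collector feed (AS paths are written collector-side first).
FEED = [
    {"prefix": "192.0.2.0/24",    "as_path": [64510, 64501, 64500]},   # legitimate
    {"prefix": "192.0.2.0/24",    "as_path": [64510, 64666]},          # type 0
    {"prefix": "192.0.2.128/25",  "as_path": [64510, 64666]},          # sub-prefix
    {"prefix": "198.51.100.0/24", "as_path": [64510, 64666, 64500]},   # type 1
    {"prefix": "203.0.113.0/24",  "as_path": [64510, 64777]},          # not ours
]

if __name__ == "__main__":
    for alert in detect(FEED):
        print(alert)
```

The type-1 case is the one operators most often miss: the origin ASN looks right, so origin-only validation (including RPKI origin validation) passes, and only the neighbour list exposes the forged adjacency. In a live deployment the feed would come from the RIS or RouteViews streaming APIs rather than a constructed list.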
DROWN (SSL vulnerability)
a. DROWN is a serious vulnerability affecting HTTPS and other services that
rely on SSL and TLS, the cryptographic protocols that let everyone on the
Internet browse the web, use email, shop online and send instant messages
without third parties being able to read the communication.
b. DROWN allows attackers to break the encryption and read or steal sensitive
communications, including passwords, credit card numbers, trade secrets or
financial data.
c. SSLv2 has long been known to be badly insecure. DROWN turns any server
that still accepts SSLv2 into a decryption oracle: by sending crafted SSLv2
probes to it, an attacker can decrypt modern TLS connections (those using
RSA key exchange) between up-to-date clients and any server that uses the
same RSA private key, even if that server has never spoken SSLv2 itself. The
fix is therefore to disable SSLv2 on every host, paying particular attention to
hosts that share a certificate or key with a TLS endpoint.
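The key-sharing condition in (c) is the part that audits usually get wrong, so here is an added example, not from the page, of an inventory cross-check for it: a host is flagged when it offers SSLv2 itself or when any other host with the same RSA key does, and the finding is graded higher when the oracle also offers SSLv2 export ciphers (the cheap, general form of the attack). The scan inventory, hostnames and key fingerprints are constructed for illustration.

```python
"""Added example (not from the page): inventory cross-check for the DROWN
condition. A server is exposed not only when it offers SSLv2 itself but
when any host sharing its RSA key does, because that host acts as a
decryption oracle for TLS sessions negotiated with the key. Hostnames,
fingerprints and cipher lists below are constructed scan results."""

# host -> (RSA key fingerprint, protocols offered, SSLv2 cipher suites offered)
# EXP-RC4-MD5 / EXP-RC2-CBC-MD5 are OpenSSL's names for SSLv2 export ciphers.
INVENTORY = {
    "www.example.test":  ("sha256:KEY-A", {"TLSv1.2"}, set()),
    "mail.example.test": ("sha256:KEY-A", {"SSLv2", "TLSv1.0"},
                          {"EXP-RC4-MD5", "EXP-RC2-CBC-MD5", "RC4-MD5"}),
    "api.example.test":  ("sha256:KEY-B", {"TLSv1.2"}, set()),
    "old.example.test":  ("sha256:KEY-C", {"SSLv2", "TLSv1.0"}, {"RC4-MD5"}),
}


def sslv2_oracles(inventory):
    """Index SSLv2-speaking hosts by key fingerprint, with a severity:
    'high' when export ciphers are offered (general DROWN, about 2^40 work),
    'medium' otherwise (SSLv2 must still go; some OpenSSL builds were
    exploitable even without export ciphers)."""
    oracles = {}
    for host, (key, protos, ciphers) in inventory.items():
        if "SSLv2" not in protos:
            continue
        severity = "high" if any(c.startswith("EXP-") for c in ciphers) else "medium"
        oracles.setdefault(key, []).append((host, severity))
    return oracles


def drown_exposure(inventory):
    """Return {host: (severity, reason)} for every host whose TLS sessions
    could be decrypted, including hosts that never offer SSLv2 themselves."""
    oracles = sslv2_oracles(inventory)
    findings = {}
    for host, (key, _protos, _ciphers) in inventory.items():
        hits = oracles.get(key)
        if not hits:
            continue
        severity = "high" if any(s == "high" for _, s in hits) else "medium"
        if any(h == host for h, _ in hits):
            reason = "offers SSLv2 directly"
        else:
            reason = "shares RSA key with SSLv2 host(s): " + ", ".join(h for h, _ in hits)
        findings[host] = (severity, reason)
    return findings


if __name__ == "__main__":
    for host, (sev, why) in sorted(drown_exposure(INVENTORY).items()):
        print(f"{sev:6} {host}: {why}")
```

Note that www.example.test is graded high although it only speaks TLS 1.2: its key is served by mail.example.test with export SSLv2 ciphers, which is exactly the cross-host case the paragraph describes.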
Logjam Attack (Weak Diffie-Hellman)
a. Diffie-Hellman key exchange is a cryptographic algorithm that allows two
systems to agree on a shared key and negotiate a secure connection. The
Logjam attack allows a man-in-the-middle to downgrade vulnerable TLS
connections to 512-bit export-grade Diffie-Hellman, after which the attacker
can read and modify any data passed over the connection. The root cause is
a flaw in the TLS protocol: the server's signature on its Diffie-Hellman
parameters does not cover the cipher suite that was negotiated, so a client
tricked into an export-grade handshake cannot tell the weak parameters from
ones the server would legitimately offer, and an attacker who breaks the
512-bit group quickly enough can also forge the handshake's final integrity
check.
b. Millions of HTTPS, SSH and VPN servers use the same few prime numbers
for Diffie-Hellman key exchange. This would be safe if every connection cost
the attacker fresh work, but the first and by far most expensive stage of the
number field sieve, the most efficient algorithm for breaking a Diffie-Hellman
connection, depends only on the prime. Once that precomputation has been
done for a prime, individual connections that use it can be broken quickly.
c. An academic team can break a 768-bit prime and a nation-state can break a
1024-bit prime. Breaking the single most common 1024-bit prime used by web
servers would allow passive eavesdropping on connections to 18% of the top
one million HTTPS domains. Published NSA leaks show that the agency's
attacks on VPNs are consistent with having achieved such a break.
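The two-stage structure in (b), as an added example that is not the page's or the researchers' own code: a number field sieve over a real 512-bit prime is far beyond a page of Python, so this uses a toy prime and baby-step giant-step, which has the same shape. The attacker builds one table that depends only on (p, g), then uses it to recover the shared secret of every session that reuses that group from the two public values alone. The prime, generator and session secrets are constructed for the example.

```python
"""Added example (not from the page): why a shared Diffie-Hellman prime
lets an attacker amortise the hard work. Baby-step giant-step stands in
for the number field sieve: a one-time table per (p, g), then a cheap
per-connection solve. P and G are a constructed toy group; real servers
use 512- to 2048-bit primes, and only the cost, not the structure, changes."""
import math
import secrets

P = 1_000_003      # constructed toy prime (20 bits); 512 bits is the Logjam target
G = 2


def dh_session(p=P, g=G):
    """One honest exchange. Returns (A, B, shared); only A and B cross the wire."""
    x = secrets.randbelow(p - 2) + 1
    y = secrets.randbelow(p - 2) + 1
    A = pow(g, x, p)
    B = pow(g, y, p)
    shared = pow(B, x, p)
    assert shared == pow(A, y, p)
    return A, B, shared


class GroupPrecomputation:
    """The attacker's one-time investment for a given (p, g): a baby-step
    table whose size is governed by p alone, like the sieve's first stage."""

    def __init__(self, p=P, g=G):
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1          # m*m > p-1 covers every exponent
        self.table = {}                          # g^j -> j for j in [0, m)
        val = 1
        for j in range(self.m):
            self.table.setdefault(val, j)
            val = val * g % p
        self.giant = pow(g, -self.m, p)          # g^(-m), Python 3.8+ inverse

    def dlog(self, A):
        """Solve g^x = A (mod p) with at most m giant steps and table lookups."""
        gamma = A
        for i in range(self.m):
            if gamma in self.table:
                return i * self.m + self.table[gamma]
            gamma = gamma * self.giant % self.p
        raise ValueError("no discrete log found")

    def break_session(self, A, B):
        """Recover the shared secret of one session from its public values.
        Any x' with g^x' = A works, since B^x' = g^(y x') = A^y."""
        return pow(B, self.dlog(A), self.p)


def demo(sessions=5):
    """Break several fresh sessions with one precomputation; returns one
    True per session whose secret was recovered."""
    pre = GroupPrecomputation()
    results = []
    for _ in range(sessions):
        A, B, shared = dh_session()
        results.append(pre.break_session(A, B) == shared)
    return results


if __name__ == "__main__":
    print(demo())
```

The per-session cost here is a few hundred multiplications, while the table build is the only part that scales with the group. That asymmetry is the whole point of (b): an adversary who can afford the precomputation for one widely shared prime gets every connection on it nearly for free, so the defences are unique or much larger groups (2048-bit or more), or elliptic-curve Diffie-Hellman, together with refusing export cipher suites so the downgrade in (a) cannot happen.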
and ZTE. The investigation was conducted over a period of one year starting
in 2011.
b. It was well known that China accorded the highest priority to tampering with
the global telecommunications supply chain, which it called a "strategic
sector". The ability to maliciously modify equipment or steal information from
government and corporate entities would give China access to expensive
research and development and accelerate its growth. Huawei and ZTE were
built up to further this aim and benefited from billions of dollars in Chinese
government financing. Their products were also subsidised by the Chinese
government, so that the companies could offer bargain-basement prices to
unsuspecting customers and kill the competition. The companies were thus
well placed to provide a wealth of opportunities for Chinese intelligence
agencies to compromise critical telecommunications components and
systems.
c. As a communist state, China could compel these companies to hand over
information or, worse, to spy using their equipment; under Chinese law they
were bound to cooperate with any government request to use their systems
or access for such purposes. Huawei, founded in 1987 by former PLA officer
Ren Zhengfei, has repeatedly denied being linked to the Chinese government
or military or receiving financial support from either. ZTE, on the other hand,
was founded as Zhongxing Semiconductor Co., Ltd in Shenzhen, Guangdong
province, in 1985 by a group of investors associated with China's Ministry of
Aerospace Industry. In March 1993, with capital of RMB 3 million, it became
one of the first companies to adopt a new business model described as a
"state-owned and private-operating" economic entity.
d. In the course of the US House Intelligence Committee's investigation, the
companies provided little actual evidence to allay the Committee's concerns.
When the Committee visited China it was disappointed by the lack of direct
answers to in-person questions and by vague responses to its letters. The
companies did not provide documentation supporting or confirming their
claims about their formal relationships or regulatory interaction with Chinese
authorities, their corporate structure, ownership, operations or management,
claiming that turning over internal corporate documents would violate China's
state-secrets laws. That the internal documents of supposedly private-sector
firms should count as state secrets in China was itself reason enough to
question the companies' independence.
G.2. Hayden Revelations
a. In 2013, Michael Hayden, a retired United States Air Force general and
former head of the National Security Agency, said in an interview with the
Australian Financial Review (AFR) that Huawei had shared "intimate and
extensive knowledge" of all the telecommunications infrastructure it was
involved in with the Chinese government. He further stated that he had seen
"hard evidence" of spying activity performed by Huawei on behalf of the
Chinese government.
H. Conclusion
1. In the ongoing inter-state cyber conflict, China and the United States have been the most
active, with China attacking US assets 18 times and the US responding only twice. Experts
have suggested not allowing China Telecom to set up points of presence (PoPs) in North
America. For years the US has maintained that Huawei and ZTE embed stealth espionage
technology in the gear they produce for the world's Internet routers, switches and wireless
transmitters. Unlike ordinary cyber threats, hardware implants enable deeper infiltration into
the systems and end devices supplied by these companies. Software is relatively easy to
update or replace; the threat of embedded, exploitable hardware is difficult to mitigate, and
affected organizations might never realise that infiltration is occurring.
2. Trust in Chinese electronics hardware is eroding. Across the world, critical
telecommunication infrastructure has been infiltrated by Chinese routers and switches.
Hardware manipulation is extremely difficult to detect because of the complexity of modern
circuit design, which is why intelligence agencies invest billions of dollars in such sabotage.
The US is known to have extensive programs to seed technology bound for foreign countries
with spy implants, according to revelations from former CIA employee Edward Snowden.
China has pursued the same path aggressively and has surpassed the US and the West.
3. China's economic, military and technological espionage has reached an intolerable level
and has become difficult to stop or contain. Today China is the largest source of cyber-
attacks and intrusions in the world. These attacks are widespread and coordinated,
suggesting state involvement, and the campaigns have infiltrated thousands of computers
across dozens of countries and international organizations to steal information for the PRC.