11 October 2019

Information Warfare: Chinese Hackers Caught Down Under


October 7, 2019: Recently leaked details of a Chinese hacking campaign against the Australian government earlier this year revealed embarrassing (for all concerned) details about continued Chinese Internet mischief. The ASD (Australian Signals Directorate) concluded in March that the Chinese MSS (Ministry of State Security) was responsible for the wide-ranging hacking attack on the parliament and three major political parties before the May national elections. ASD apparently could find no evidence that the Chinese effort was directed at influencing the election. Even before the ASD had reached its conclusion, after calling in American and British government Cyber War experts, there were unavoidable indications that something was going on. In February the government suddenly admitted there had been a widespread Internet hack and that all government Internet users were ordered to change their passwords and take other precautions that are normal after widespread attacks.

At the time there was no official mention of China or the extent and apparent purpose of the attack. The government was trying to keep secret the Chinese involvement. In part that was because China is Australia’s largest trading partner but also because the government and ASD were still seeking to find out more about the extent and purpose of the attack. Some aspects of the Chinese hacking had been going on for some time but the main effort was three months before the May elections. Forensics on the attack and measuring the full extent are still underway and may be for some time. The government is still trying to play down the MSS Cyber War department involvement as well as details of what ASD knows and what they are looking for.


This latest MSS hacking effort is nothing unique and this sort of thing has been going on for over a decade. While China consistently denies any knowledge of or participation in numerous Internet-based attacks, a growing number of Internet security firms have succeeded in developing the ability to track the activities of dozens of known Chinese hacking groups believed to be working for the Chinese government. In many cases, the Chinese simply use hacking to discover what Western nations know about matters of mutual interest. When ISIL (Islamic State in Iraq and the Levant) broke into the news in 2014 one of the more capable Chinese hacking groups (Deep Panda) was detected searching Western research organizations for recent data on ISIL, a terrorist group that was then seizing oil fields and refineries in northern Iraq. This was of great interest to China, which was and still is a major customer for Iraqi oil and one of the largest investors in Iraqi oil industry projects. If ISIL managed to gain control over all of Iraq, China would want to be prepared to do business with this Islamic terrorist group. ISIL would want to sell its oil and China has demonstrated a willingness to buy from anyone.

This indicated how China had already come to treat its hacking resources as a handy intelligence tool for when there is a need for specific information that is not posted on the Internet but can be stolen via hacking into organizations that are vulnerable to plundering by skilled hackers. Western Internet security firms had by then long known of Chinese hacker groups and after 2010 more frequently shared their knowledge with the public. For example, in early 2013 it was revealed for the first time that a specific Chinese military organization, “Unit 61398,” had been responsible for over a thousand attacks on foreign government organizations and commercial firms since 2006. China denied this, and some Unit 61398 attacks ceased and others changed their methods for a month or so. But after that Unit 61398 returned to business as usual. The Chinese found that, as usual, even when one of their Cyber War organizations was identified by name and described in detail there was little anyone would or could do about it. There was obviously a Chinese reaction when the initial news became headlines. After a month or so it was realized that the revelations didn’t make any difference and the Chinese hackers went back to making war on the rest of the world. At the time Unit 61398 was believed to consist of several thousand full-time military and civilian personnel, as well as part-time civilians, often contractors brought in for a specific project. Thus after a year or so the Chinese thought they were safe despite all this attention received by the normally secretive Unit 61398.

This unit is still around and the U.S. and other hacked nations are increasingly fighting back. Specific individuals associated with the Chinese hacking efforts, often officers in the Chinese military, are being named and indicted for their crimes. The Chinese hacker groups have been around for so long that some are identified with the prefix APT (Advanced Persistent Threat). Some of the more recent Chinese hacking groups include APT10, APT3, Red Apollo, CVNX, Stone Panda, POTASSIUM, and MenuPass. There are many more that are less active recently but capable of jumping into the headlines for a major attack. ASD may know the name of such a group, or groups, but that information has not been revealed yet.

China's Cyber War hackers have become easier to identify because for years they have been getting cocky and careless. Internet security researchers have found identical bits of code (the human-readable text that programmers create and then turn into smaller binary code for computers to use) and techniques for using it in hacking software used against specific targets and commercial software sold by some firms in China. These Chinese companies are known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than this. Chinese hackers have found that it doesn’t matter. Their government will protect them.

It's been noted that Chinese behavior is distinctly different from that encountered among East European hacking operations. The East European hackers are more disciplined and go in like commandos and get out quickly once they have what they were looking for. The Chinese go after more targets with less skillful attacks and stick around longer than they should. That's how so many hackers are tracked back to China, often to specific servers known to be owned by the Chinese military or government research institutes.

The East Europeans have been at this longer and most of the hackers work for criminal gangs, who enforce discipline, select targets, and protect their hackers from local and foreign police. The East European hacker groups are harder to detect when they are breaking in and much more difficult to track down. Thus, the East Europeans go after more difficult and lucrative targets. Chinese hackers are a more diverse group. Some work for the government, many more are contractors, and even more are independents, who often slip over to the dark side and scam Chinese. This is forbidden by the government, and these hackers are often caught and punished, or simply disappear. The Chinese hackers are, compared to the East Europeans, less skilled and disciplined. There are some very, very good Chinese hackers but they often lack adult supervision, or some Ukrainian gangster ready to put a bullet in their head if they don't follow orders exactly.

For Chinese hackers who behave (don't commit cyber-crimes against Chinese targets) the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can't handle. The pros tend to leave nothing behind but hints that can be teased out only by heavy use of data mining and pattern analysis.
