22 December 2021

Chinese Spies Accused of Using Huawei in Secret Australia Telecom Hack

Jordan Robertson and Jamie Tarabay

(Bloomberg) -- The U.S. government has warned for years that products from China’s Huawei Technologies Co., the world’s biggest maker of telecommunications equipment, pose a national security risk for any countries that use them. As Washington has waged a global campaign to block the company from supplying state-of-the-art 5G wireless networks, Huawei and its supporters have dismissed the claims as lacking evidence.

Now a Bloomberg News investigation has found a key piece of evidence underpinning the U.S. efforts — a previously unreported breach that occurred halfway around the world nearly a decade ago.

In 2012, Australian intelligence officials informed their U.S. counterparts that they had detected a sophisticated intrusion into the country's telecommunications systems. It began, they said, with a software update from Huawei that was loaded with malicious code.

The breach and subsequent intelligence sharing was confirmed by nearly two dozen former national security officials who received briefings about the matter from Australian and U.S. agencies from 2012 to 2019. The incident substantiated suspicions in both countries that China used Huawei equipment as a conduit for espionage, and it has remained a core part of a case they’ve built against the Chinese company, even as the breach’s existence has never been made public, the former officials said.

The episode helps clarify previously opaque security concerns driving a battle over who will build 5G networks, which promise to bring faster internet connectivity to billions of people around the globe. Shenzhen-based Huawei dominates the more than $90 billion global telecommunications equipment market, where it competes against Sweden’s Ericsson AB and Finland’s Nokia Oyj. But the U.S., Australia, Sweden and the U.K. have all banned Huawei from their 5G networks, and about 60 countries signed on to a U.S. Department of State program where they’ve committed to avoiding Chinese equipment for their telecommunications systems. Such efforts, which have also included U.S. sanctions against the Chinese company, have slowed Huawei’s growth and heightened tensions with China.

The briefings described to Bloomberg contained varying degrees of detail, and the former officials who received them had different levels of knowledge of — and willingness to discuss — specifics. Seven of them agreed to provide detailed accounts of the evidence uncovered by Australian authorities and included in their briefings.

At the core of the case, those officials said, was a software update from Huawei that was installed on the network of a major Australian telecommunications company. The update appeared legitimate, but it contained malicious code that worked much like a digital wiretap, reprogramming the infected equipment to record all the communications passing through it before sending the data to China, they said. After a few days, that code deleted itself, the result of a clever self-destruct mechanism embedded in the update, they said. Ultimately, Australia's intelligence agencies determined that China’s spy services were behind the breach, having infiltrated the ranks of Huawei technicians who helped maintain the equipment and pushed the update to the telecom’s systems.

Guided by Australia's tip, American intelligence agencies that year confirmed a similar attack from China using Huawei equipment located in the U.S., six of the former officials said, declining to provide further detail.

Mike Rogers, a former Republican congressman from Michigan who was chair of the U.S. House of Representatives intelligence committee from 2011 to 2015, declined to discuss the incidents. But he confirmed that national bans against Huawei have been driven in part by evidence, presented in private to world leaders, that China has manipulated the company’s products through tampered software updates, also known as patches.

“All their intelligence services have pored over the same material,” said Rogers, a former FBI agent who is now a national security commentator on CNN. “This whole body of work has come to the same conclusion: It's all about administrative access, and the administrative patches that come out of Beijing are not to be trusted.”

Many people familiar with Australia’s intelligence told Bloomberg that they were bound by confidentiality agreements and couldn’t discuss it on the record. But Michèle Flournoy, former under secretary of defense for policy at the Department of Defense under President Barack Obama, said she wasn’t constrained from doing so.

Flournoy, who is co-founder and managing partner of WestExec Advisors LLC, a national security consulting firm closely aligned with the Obama and Biden administrations, confirmed the intrusion and the tampered software update from Huawei. She said she learned about the episode after leaving government in early 2012, emphasizing that the information was shared in unclassified forums.

“The Australians from the get-go have been courageous in sharing the information they had, not only with the intelligence channels but more broadly in government channels,” Flournoy said. “Australia experienced it, but it was also a vicarious wake-up call for Australia’s allies.”

The Australian Signals Directorate, that country’s leading cybersecurity agency, declined to answer specific questions about the incident. “Whenever ASD discovers a cyber incident affecting an entity, it engages the relevant entity to provide advice and assistance,” the agency said in a statement. “ASD’s assistance is confidential — it is a matter for relevant entities to comment publicly on any cybersecurity incident.”

“Australia is not alone in the threats we face from state-based actors in cyberspace,” the agency said, noting that the government has “joined with others in the world to express serious concerns about malicious cyber activities by China’s Ministry of State Security.”

In the U.S., the Federal Bureau of Investigation, the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the National Counterintelligence and Security Center declined to comment.

Bloomberg didn’t find evidence that Huawei’s senior leadership was involved with or aware of the attack. Huawei declined to address specific questions. “It is hard to comment on speculation and unquoted ‘senior sources,’” John Suffolk, Huawei’s global cybersecurity officer, said in a statement. “It is also hard to comment on generalizations such as ‘Australian telecommunications,’ ‘software update,’ ‘equipment,’ etc.”

But, he added, “no tangible evidence has ever been produced of any intentional wrongdoing of any kind.”

Suffolk said that Huawei’s technicians can access networks only when customers authorize it, and that customers control when updates are installed on their systems. He said Huawei considers the possibility of its workers being compromised a “valid threat” and takes steps to protect against it, including restricting access to source code and using “tamper-proofing mechanisms” to guard against abuse. “We closely monitor all of our engineers. Where the law allows we undertake additional vetting,” he said. “We control the software and equipment they use, and mandatory compliance training is required every year.”

Suffolk said that Huawei urges governments, customers and the “security ecosystem” to review its products and look for vulnerabilities, and “it is this openness and transparency that acts as a great protector.”

China’s Ministry of Foreign Affairs said in a statement that the country “opposes and would crack down on any forms of cyberattack and internet espionage activities in accordance with the law, not to mention refraining from encouraging, supporting or conspiring with hacking attacks.”

“Australia’s slander on China carrying out cyberattacks and espionage penetration are purely a move like a thief crying to catch a thief. This kind of arbitrary smear on another county is an extremely irresponsible action that China firmly opposes,” the ministry said. “We urge Australia not to abuse the name of ‘national security’ and put groundless accusations and unreasonable pressures on Huawei and other Chinese companies.”

Huawei was founded in 1987 by a former officer of China’s People’s Liberation Army, Ren Zhengfei, as a sales agent for business telephone systems, and over the last three decades it has grown to become the world's biggest maker of telecommunications equipment, which includes the routers, switches and cell-tower antennas used to shuttle voice and data traffic over mobile networks.

Huawei entered the Australian market in 2004 and built relationships with two of the country’s three main wireless network operators.

Australia’s dominant telecom — Melbourne-based Telstra Corp. Ltd. — has long avoided Huawei products, owing to concerns about potential Chinese tampering and the company’s partnership with Ericsson, according to three former Telstra executives. “Telstra does not have any equipment from Huawei in its network now, nor have we in the past,” the company said in a statement.

But Telstra’s two smaller rivals embraced the technology.

An early and symbolically important partner was Optus, a division of Singapore Telecommunications Ltd., which is Singapore’s biggest telecom. Optus picked Huawei for several large-scale infrastructure upgrades, starting in 2005 with a deal for digital subscriber line equipment. Optus later picked Huawei in 2007 to supply part of its nationwide 3G wireless network and in 2012 for part of its 4G network. In addition to being Australia’s second-biggest mobile carrier, Optus also operates the country’s largest fleet of satellites, and it works closely with the Australian military.

Huawei’s other key partner in Australia was Vodafone Hutchison Australia, the country’s third-biggest mobile carrier. It selected Huawei to overhaul its entire 2G and 3G infrastructure in 2011 and later for parts of its 4G networks as well.

The identity of the telecom impacted by the breach in Australia wasn't shared widely in the briefings by Australian and U.S. intelligence officials, according to the people who received them. But a former senior U.S. intelligence official and a former Australian telecommunications executive who worked in a national security role said they were told it was Optus.

Optus disputed the information. “Optus has a strong track record of providing trusted and secure services, including to major government agencies. These are delivered in close collaboration with government and with strict adherence to its advice on security matters,” the company said in a statement. “Optus takes security very seriously. Any incidents of breaches or inappropriate vendor behavior would be taken into account in our network investment decisions, but we have no knowledge of the alleged incidents.”

After a 2020 merger, Vodafone Hutchison Australia became TPG Telecom Ltd. The company said it wasn’t aware of an attack. “We can confirm that there was no such malware in our network, and we have never heard of this alleged incident in respect of any Australian networks,” the company said in a statement. “We comply with all directions and advice from the Australian government in relation to national security.”

Starting around 2010, officials in Australia and the U.S. had grown alarmed by two trends: the rising number of hacking attacks from China and Huawei’s expanding role in their countries’ telecommunications systems, according to Michael Wessel, who for more than 20 years has been a commissioner on the congressionally created U.S.-China Economic and Security Review Commission. The commission examines national security implications of the trade and economic relationships between the two countries and reports its recommendations.

The countries began investigating whether any of those hacks traced back to Huawei equipment, he said.

“If there’s a locksmith who’s installing more and more locks on the doors in a community and suddenly there’s a rash of silent robberies, at some point the locksmith becomes a person of interest,” Wessel said. “Huawei around that time became a significant entity of interest.”

By that point, the NSA had already penetrated Huawei’s corporate networks in China, looking for evidence of any links between the company and China’s military, according to documents leaked by former NSA contractor Edward Snowden and published in news articles in 2014. Under a program called Shotgiant, the U.S. monitored e-mail accounts belonging to Huawei employees including Ren, the company’s founder. NSA also looked for ways to exploit Huawei products in Chinese-built networks in countries considered high-priority intelligence targets, including Afghanistan, Cuba, Iran, Kenya and Pakistan, according to the documents and articles.

Huawei’s Suffolk said in his statement that “no such evidence was ever presented that demonstrated Huawei was anything other than highly professional and that our founder Mr. Ren has many, many boring e-mails.”

Concerned about potential intrusion into its communications systems, Australia began taking a harder line on Huawei and China. In particular, Australia blocked Huawei from participating in massive project to build a nationwide broadband network, a surprise decision that triggered a diplomatic uproar when the news leaked in early 2012. Then-Prime Minister Julia Gillard said the decision involved “national security matters” that she couldn’t discuss. Gillard declined to comment for this story.

Around that time, Australia discovered the breach — an extraordinary find given the hackers' efforts to cover their tracks.

The seven former officials who provided detailed accounts of their briefings said that Australia’s intelligence agencies had detected suspicious traffic flowing from the country’s telecommunications systems to China, a trail that led to Huawei equipment. Investigators gained access to some of the infected systems, but they arrived too late. Digital forensics on those systems revealed only fragments of the malicious code’s existence, and investigators reconstructed the attack using a variety of sensitive sources, including human informants and secretly intercepted conversations, the former officials said.

The attackers had siphoned all the data flowing through the equipment during the malware's short window of operation, the former officials said. The data gave them access to the contents of private communications and information that could be used to target specific people or devices in future attacks, the former officials said. Bloomberg was unable to learn what, if anything, the attackers did with it.

Also in 2012, around the time Australian officials were briefing U.S. agencies about the breach, the intelligence committee of the House of Representatives published findings that China’s spy services had a “wealth of opportunities” to tamper with products from Huawei and a similar company, ZTE Corp., from their design to their maintenance on customer networks. One of those involves so-called managed services, a common offering where companies provide ongoing support, including remote software updates, for their equipment after it’s installed at customer sites, the report found. “Unfortunately, such contracts may also allow the managed-service contractor to use its authorized access for malicious activity under the guise of legitimate assistance,” the report found.

Huawei and ZTE don’t need to be a participant in — or even be aware of — any attacks for them to occur through their employee ranks. “Chinese intelligence services need only recruit working-level technicians or managers in these companies” to carry out compromises of customer networks, the report found.

At the time, Huawei said the report “employs many rumors and speculations to prove nonexistent accusations,” while a ZTE spokesman said that after a year-long investigation, “the committee rests its conclusions on a finding that ZTE may not be ‘free of state influence.’” That standard “would apply to any company operating in China,” the spokesman said.

In the years since then, various reports have linked Huawei or its employees to spying and surveillance. In 2019, for example, the Wall Street Journal reported that Huawei technicians, in at least two instances, helped African governments spy on political opponents, intercepting their encrypted communications and using cellphone data to track their locations. Last year, Australia’s Financial Review found that Huawei built a facility to store the entire data archive for the Papua New Guinea government, but it contained glaring security gaps that exposed sensitive files to being stolen. And on Dec. 14, the Washington Post published documents from Huawei showing that the company has played a broader role in tracking China’s populace than it has acknowledged.

Huawei denied each of the reports, and the company has consistently pushed back against allegations that its products pose a security risk.

“Huawei has not had any major cybersecurity incidents while working with more than 500 telecom providers, including most of the top 50 telecom operators, for nearly 20 years in 170 countries to connect more than 3 billion people,” the company says on its website. “No other vendor can claim this level of cybersecurity success.”

Keith Krach, the former under secretary for economic growth, energy and the environment at the U.S. Department of State under President Donald Trump, declined to discuss specific incidents. But he confirmed that the U.S. and its allies have had evidence for years that China has manipulated Huawei equipment through software updates.

“Huawei has thrown a lot of head fakes by saying it would never put a back door in the hardware — a back door means nothing because there's a front door that's open every day through software,” he said. “Huawei’s software updates can push whatever code they want into those machines, whenever they want, without anyone knowing.”

That characterization is a “fantasy,” said Huawei’s Suffolk. “There is not a general software update mechanism, patches are not pushed at will and Huawei has no control or say when an operator decides to upgrade or patch their network,” he said.

In Australia, after nearly a decade of hostility with the government, Huawei has abandoned many of its operations. Last year, the company revealed a $100 million financial cut to its Australian investment and more than 1,000 local job losses, according to the Financial Review. A key factor behind that 5G ban, the Sydney Morning Herald reported, was an intelligence assessment that the vulnerabilities associated with Huawei products were so severe that more than 300 separate risks would need to be mitigated in order to use it securely.

In Huawei’s statement to Bloomberg, the company said that former Australian Prime Minister Malcolm Turnbull publicly stated that “no evidence had been provided to demonstrate that Huawei had undertaken anything untoward in Australia.” In his memoir, which was published in 2020, Turnbull wrote that his administration's 5G ban against Huawei was a “hedge against a future threat, not the identification of a smoking gun, but a loaded one.”

Turnbull, in a statement to Bloomberg, rejected Huawei's characterization. “That is not what I have said — I made no comment as to whether evidence of untoward conduct by Huawei had been presented or observed,” he said. “So I was, if you like, deliberately making no comment on that point at all.”

Turnbull declined to comment about the 2012 incident or any other intelligence matters related to Huawei.

Australia continues to deal with the fallout from challenging China on a range of issues, including Huawei.

China has imposed damaging one-sided tariffs on Australian commodities, and Chinese hackers have targeted Australian institutions with relentless attacks since the country called last year for an independent probe into the origins of Covid-19. Australia also announced a pact in September with the U.S. to build nuclear-powered submarines, a challenge to China’s growing military presence that has further heightened tensions in the region.

Flournoy, the former Defense Department official under Obama, said China continues to punish Australia in part because of it longstanding position on Huawei, which was informed in part by the breach the country discovered nearly a decade ago.

“They didn’t do the typical thing of trying to hide the vulnerability; they talked about what happened with their closest allies and took a public stand,” Flournoy said. “They are still taking a hit for it.”

No comments: