Lessons from Paracels XXII: China cyber warfare scare

China has been reported to have deployed its sophisticated cyber warfare teams to hack into the private records of the US intelligence community for clandestine information extraction.

Los Angeles times story:

China and Russia are using hacked data to target U.S. spies, officials say


Defense Secretary Ashton Carter, shown in Mountain View, Calif., says the military needs to boost its cyberdefenses. “We’re not doing as well as we need to do in job one in cyber, which is defending our own networks,” he said. (Justin Sullivan / Getty Images)
By BRIAN BENNETT AND W.J. HENNIGAN
Foreign spy services, especially in China and Russia, are aggressively aggregating and cross-indexing hacked U.S. computer databases — including security clearance applications, airline records and medical insurance forms — to identify U.S. intelligence officers and agents, U.S. officials said.

At least one clandestine network of American engineers and scientists who provide technical assistance to U.S. undercover operatives and agents overseas has been compromised as a result, according to two U.S. officials.

The Obama administration has scrambled to boost cyberdefenses for federal agencies and crucial infrastructure as foreign-based attacks have penetrated government websites and email systems, social media accounts and, most important, vast data troves containing Social Security numbers, financial information, medical records and other personal data on millions of Americans.


Counterintelligence officials say their adversaries combine those immense data files and then employ sophisticated software to try to isolate disparate clues that can be used to identify and track — or worse, blackmail and recruit — U.S. intelligence operatives.

Digital analysis can reveal “who is an intelligence officer, who travels where, when, who’s got financial difficulties, who’s got medical issues, [to] put together a common picture,” William Evanina, the top counterintelligence official for the U.S. intelligence community, said in an interview.

Asked whether adversaries had used this information against U.S. operatives, Evanina said, “Absolutely.”
Evanina declined to say which nations are involved. Other U.S. officials, speaking on condition of anonymity to discuss internal assessments, say China and Russia are collecting and scrutinizing sensitive U.S. computer files for counterintelligence purposes.

U.S. cyberspying is also extensive, but authorities in Moscow and Beijing frequently work in tandem with criminal hackers and private companies to find and extract sensitive data from U.S. systems, rather than steal it themselves. That limits clear targets for U.S. retaliation.

The Obama administration marked a notable exception last week when a U.S. military drone strike near Raqqah, Syria, killed the British-born leader of the CyberCaliphate, an Islamic State hacking group that has aggressively sought to persuade sympathizers to launch “lone wolf” attacks in the United States and elsewhere.
Junaid Hussain had posted names, addresses and photos of about 1,300 U.S. military and other officials on Twitter and the Internet, and urged his followers to find and kill them, according to U.S. officials. They said he also had been in contact with one of the two heavily armed attackers killed in May outside a prophet Muhammad cartoon contest in Garland, Texas. Hussain is the first known hacker targeted by a U.S. drone.

The Pentagon also is scouring the leaked list of clients and their sexual preferences from the Ashley Madison cheating website to identify service members who may have violated military rules against infidelity and be vulnerable to extortion by foreign intelligence agencies.


Far more worrisome was last year’s cyberlooting — allegedly by China — of U.S. Office of Personnel Management databases holding detailed personnel records and security clearance application files for about 22 million people, including not only current and former federal employees and contractors but also their families and friends.

“A foreign spy agency now has the ability to cross-check who has a security clearance, via the OPM breach, with who was cheating on their wife via the Ashley Madison breach, and thus identify someone to target for blackmail,” said Peter W. Singer, a fellow at the nonprofit New America Foundation in Washington and coauthor of the book “Cybersecurity and Cyberwar.”

The immense data troves can reveal marital problems, health issues and financial distress that foreign intelligence services can use to try to pry secrets from U.S. officials, according to Rep. Adam B. Schiff of Burbank, the top Democrat on the House Intelligence Committee.

“It’s very much a 21st century challenge,” Schiff said. “The whole cyberlandscape has changed.”
U.S. intelligence officials have seen evidence that China’s Ministry of State Security has combined medical data snatched in January from health insurance giant Anthem, passenger records stripped from United Airlines servers in May and the OPM security clearance files.

The Anthem breach, which involved personal data on 80 million current and former customers and employees, used malicious software that U.S. officials say is linked to the Chinese government. The information has not appeared for sale on black market websites, indicating that a foreign government controls it.

U.S. officials have not publicly blamed Beijing for the theft of the OPM and the Anthem files, but privately say both hacks were traced to the Chinese government.

The officials say China’s state security officials tapped criminal hackers to steal the files, and then gave them to private Chinese software companies to help analyze and link the information together. That kept the government’s direct fingerprints off the heist and the data aggregation that followed.
In a similar fashion, officials say, Russia’s powerful Federal Security Service, or FSB, has close connections to programmers and criminal hacking rings in Russia and has used them in a relentless series of cyberattacks.

According to U.S. officials, Russian hackers linked to the Kremlin infiltrated the State Department’s unclassified email system for several months last fall. Russian hackers also stole gigabytes of customer data from several U.S. banks and financial companies, including JPMorgan Chase & Co., last year.

A Chinese Embassy spokesman, Zhu Haiquan, said Friday that his government “firmly opposes and combats all forms of cyberattacks in accordance with the law.” The Russian Embassy did not respond to multiple requests for comment. U.S. intelligence officials want President Obama to press their concerns about Chinese hacking when Chinese President Xi Jinping visits the White House on Sept. 25.

After the recent breaches, U.S. cybersecurity officials saw a dramatic increase in the number of targeted emails sent to U.S. government employees that contain links to malicious software.
In late July, for example, an unclassified email system used by the Joint Chiefs and their staff — 4,000 people in all — was taken down for 12 days after they received sophisticated “spear-phishing” emails that U.S. officials suspect were part of a Russian hack.

The emails appeared to be from USAA, a bank that serves military members, and each sought to persuade the recipient to click a link that would implant spyware into the system.


Defense Secretary Ashton Carter said the hack shows the military needs to boost its cyberdefenses.

“We’re not doing as well as we need to do in job one in cyber, which is defending our own networks,” Carter said Wednesday. “Our military is dependent upon and empowered by networks for its effective operations…. We have to be better at network defense than we are now.”
Carter spent Friday in Silicon Valley in an effort to expand a partnership between the Pentagon, academia and the private sector that aims to improve the nation’s digital defenses. Carter opened an outreach office in Mountain View this year to try to draw on local expertise.

U.S. intelligence officers are supposed to cover their digital tracks and are trained to look for surveillance. Counterintelligence officials say they worry more about the scientists, engineers and other technical experts who travel abroad to support the career spies, who mostly work in U.S. embassies.

The contractors are more vulnerable to having their covers blown now, and two U.S. officials said some already have been compromised. They refused to say whether any were subject to blackmail or other overtures from foreign intelligence services.

But Evanina’s office, the National Counterintelligence and Security Center, based in Bethesda, Md., has recently updated pamphlets, training videos and desk calendars for government workers to warn them of the increased risk from foreign spy services.
“Travel vulnerabilities are greater than usual,” reads one handout. Take “extra precaution” if people “approach you in a friendly manner and seem to have a lot in common with you.”


This is very serious because China has been intensifying its intelligence and clandestine information operations through its cyber warfare units.

Six months ago, the Pentagon admitted deploying its counter cyber warfare mechanisms to ward off these cyber attacks by China’s crack cyber warfare teams.

Skynews story:

Pentagon Admits Cyberwarfare Plan For First Time

America’s Department of Defense intends to establish a full-time unit of computer experts in the San Francisco Bay area.
11:10 UK, Thursday 23 April 2015
The Pentagon has admitted for the first time it plans to use cyberwarfare in its battle to keep up with its enemies.

In a 33-page ‘cybersecurity strategy’ the US Department of Defense has publicly laid out the approach it plans to take.

The document says the DoD “should be able to use cyber operations to disrupt an adversary’s command and control networks, military-related critical infrastructure and weapons capabilities”.

The previous strategy, published in 2011, made little reference to clandestine warfare using computer networks, although US officials are known to have spoken privately about the issue.

Reports in 2013 claimed that senators had received a closed-door briefing on how the New York City power grid could be taken down by a computer virus.
The television reports said officials had told NBC off the record that the US was already employing cyberwarriors who were capable of shutting down the power system of a smaller country – like Iran.

The new document takes a more open approach because the Pentagon wants more transparency in its cyber mission – and because it could be a deterrent to adversaries.

Defense Secretary Ash Carter said: “I think it will be useful to us for the world to know that, first of all, we’re going to protect ourselves, we’re going to defend ourselves.”

He added that the new strategy is “more clear and more specific about everything, including (US) offence”.

The strategy also, for the first time, refers to US concerns over cyber-espionage by China.

China admitted the existence of dedicated cyber warfare units in a document produced by the People’s Liberation Army earlier this year, according to the Daily Beast.

The hacking of Sony’s emails last year, which the US government blamed on North Korea, also showed the dangers to American interests from other unfriendly states.

The document says the US will continue to try to work with Beijing to bring greater understanding and transparency of each nation’s cyber missions to “reduce the risks of misperception and miscalculation”.
“One of the things we need to do is have that dialogue,” said Mr Carter.

According to officials, Mr Carter is setting up a full-time unit of military, civilian and reservist workers in the San Francisco Bay area in the next month or so.

But he said one of the things holding back progress was that the US military suffers from a lack of “coolness”.

He said some of the bright young recruits the DoD needs to maintain its war are more likely to want to work for Silicon Valley’s top tech firms, rather than with the Pentagon.


China’s cyber warfare aggression, which has demonstrated its threatening capabilities, has escalated into a very serious defense agenda.

The Diplomat story:

China’s Growing Cyberwar Capabilities

A recent attack on GitHub highlights China’s growing expertise – and aggression – in cyberspace.

By Marcel A. Green
April 13, 2015

With recent news suggesting that the recent massive denial-of-service attacks against online hosting and code-sharing site GitHub was either sponsored or encouraged by Chinese authorities, the spotlight has once again been turned on China’s intentions in cyberspace and whether or not its activities pose a threat to worldwide, and especially U.S. cybersecurity.

China is one of the most active nations in cyberspace. Moreover, China has made no secret that President Xi Jinping’s “new model of great power relations” policy means that it will not be afraid to challenge the U.S. and the rest of the world in areas it considers a core interest, such as cyberspace.

Much like the U.S., China has devoted substantial money, manpower and resources to developing its cyber capabilities. Chinese cyber capabilities include a mix of dedicated personnel, advanced equipment, and cyberattack methodologies. According to the cybersecurity firm Mandiant, since as early as 2006, the People’s Liberation Army (PLA) has been using an elite cyberwarfare unit based in Shanghai to launch hundreds of cyberattacks targeting American interests. The unit, officially known as Unit 61398, operates under the PLA’s Second Bureau of the General Staff Department’s (GSD) Third Department, which is focused on cyber surveillance and monitoring of foreign electronic communications. Unit 61398 has a staff of “hundreds if not thousands” of people, trained in advanced network security, digital signal processing, and covert communications, who have access to an extensive “infrastructure of computer systems around the world.” Recently the Taipei Times reported that Taiwan’s National Security Bureau (NSB) has identified another unit of the GSD’s Third Department that is involved in cyber-activities. This unit has been revealed to be the Third Department’s Sixth Bureau, based out of Wuhan University in Hubei Province. According to the NSB, the Sixth Bureau is “engaged in technical aspects of surveillance and intelligence gathering on the Taiwanese agencies, intercepting telecommunications signals, hacking computers and mobile phone service networks and satellite imagery reconnaissance.”

In addition to its official cyberwarfare units, China is believed to also have “reached out” to people with the necessary cyber skills in the IT sector and academic community to help fill any gaps in state expertise and personnel when needed. As the GitHub attacks illustrate, there is also ample evidence that China uses hackers and other cybercriminals to accomplish operations that it is officially unwilling or unable to commit. To be sure, cybercrime is often intimately tied to state-sponsored threats to cybersecurity. The use of affiliated hackers is based on the idea that cybercriminals can be used to escape the attribution that may otherwise provide the necessary legal, military or diplomatic links that other countries can use to prove China’s official participation in cyberattacks. Consequently, in October 2014, the FBI issued a warning that a Chinese hacking collective known as Axiom has been engaged in a well-resourced, sophisticated campaign to steal valuable data from U.S. government agencies. According to the warning, Axiom, and other state-sponsored Chinese hacking groups like them, are “exceedingly stealthy and agile by comparison” to Unit 61398. Later in 2014, the U.S. Department of Justice indicted five Chinese citizens, affiliated with Unit 61398, on charges of theft of business information and unauthorized access to the computers of a number of U.S. companies.

China’s cyber capabilities are organized by a strategy that calls for the early application of its cyberwarfare units against an adversary “to establish information dominance.” Information dominance refers to: (1) taking and maintaining control of an adversary’s access to its own information, and (2) disrupting the flow of information necessary for “decision-making or combat operations.” Information dominance, moreover, requires that Chinese cyber capabilities are deployed pre-emptively or as early as necessary to support more traditional combat actions. Moreover, establishing information dominance requires China to have a fairly extensive and ongoing knowledge of an adversary’s capabilities.

Lastly, in order to achieve its cyber strategic goals and effectively make use of its cyberwarfare units, China has employed a wide range of advanced cyberattack methodologies. For instance, the PLA’s Unit 61398 is known for its use of zero-day exploits. A zero-day exploit refers to a vulnerability in software that the software maker itself does not know exists. Discovering zero-day exploits requires broad access to a software developer’s internal routines and procedures. It also requires a better understanding of the software than the developer has. This is often achieved by employing a technique known as advanced persistent threat (APT). APT refers to a hacking process that involves a long-term campaign to break into a computer network, avoid detection, and harvest valuable information over days, months and even years. According to Mandiant, Unit 61398’s informal name was APT1 due to their skill at successfully carrying out advanced persistent threats.

Understanding China’s cyber capabilities will play a large role in resolving the challenge of determining the appropriate response that the U.S. and other nations can make to cyberattacks that can be attributed to China. Where the attack can be traced to an official Chinese organ, perhaps a diplomatic or military response will be suitable. Where the attack is traced to non-official organs, non-conventional responses such as economic sanctions or criminal penalties will prove more effective.

Marcel A. Green is an attorney and legal researcher specializing in American and Chinese Criminal Law.


Published in: on September 2, 2015 at 23:45