By Paul Rosenzweig, The George Washington University Law School
Before the attack on Iran’s nuclear program occurred, a larger data mapping program, known as Flame, spent months—and perhaps years—reportedly building a picture of the Iranian network. The same objective lay behind the exploitation of Anthem, Inc., and the U.S. Postal Service. The postal employees weren’t the target. They were a vehicle to a different, more significant, target—the United States of America.
The hack of the U.S. Office of Personnel Management (OPM), which manages the security clearance process for federal employees, was much more of a classical espionage attack. With the records of everyone given a security clearance since 2000 exposed, China now knows the names of almost everyone in America who has a security clearance.
This means two things: First, it makes it very much harder for the US to stage covert operations when the identity of many of its spies is already known to the Chinese. Second, it means that the Chinese now have information about those who work in the U.S. intelligence and law enforcement communities, which they can use to extort cooperation from them, upon threat of public exposure.
US Chamber of Commerce Servers Hacked
Here’s another good example of how this sort of foreign surveillance works. In December 2011, the FBI told the US Chamber of Commerce that the Chamber’s servers had been penetrated by intrusions and cyberattacks from China. Until the FBI told them, the Chamber had no idea it had been compromised.
Most analysts think that the Chamber was attacked as a way of getting at other major American companies. Using the email addresses and other personal information harvested from the Chamber of Commerce, the intruders would be better able to craft a host of sophisticated spear phishing attacks against the CEOs, CFOs, and CIOs of the Fortune 500 companies.
Advancing the Chinese Economy
Chinese cyberattacks on OPM, Anthem, or the US Chamber of Commerce are stepping stones to bigger, and better, things. They are a source of traditional national security intelligence and, in the end, also a means of stealing intellectual property and advancing the Chinese economy.
The American security companies Mandiant—now owned by FireEye—and Crowdstrike have actually identified two arms of the People’s Liberation Army—known by their Military Unit Cover Designations as units 61398 and 61486—as special operations units dedicated to cyberattacks aimed at hacking foreign economies.
PLA’s Unit 61398
It appears that these units are tasked with launching cyberattacks and intruding into the systems and databases of business enterprises and research institutions in order to steal trade secrets, technical talent, and any useful data from and through the Internet.
In Unit 61398 alone, several hundred operators worked for more than five years, penetrated more than 140 known corporate and government systems, and stole more than 6.5 terabytes of data, according to FireEye. Nearly 90% of the victims were in English-speaking countries, and nearly 98% of the cyberattacks were based on systems using a simplified Chinese language input. The Chinese government, of course, has denied everything.
This is a transcript from the video series The Surveillance State: Big Data, Freedom, and You.
US Healthcare Under Cyberattack
The FBI has warned US healthcare companies specifically that malicious threat actors were targeting them in cyberattacks to steal intellectual property and personally identifiable information.
However, FireEye says, “The Chinese government is expanding the scope of its cyber operations, and Chinese-based advanced threat actors are keen to acquire data about how businesses operate—not just about how they make their products.”
It revealed that a Chinese hacker group had also systematically stolen data and information from US medical device manufacturers and pharmaceutical companies.
The SecurID Hack
In yet another chilling hack, the security firm RSA was penetrated by an intrusion that compromised the company’s SecurID system. This SecurID system was, at the time, the single most common piece of security hardware in use by banks and private companies.
It is a little token that periodically generates random six-digit numbers. When one goes to log in to one’s bank, or to access a company’s servers from offsite, in addition to one’s regular login—username and password—one is also asked to type in the six-digit number, which will be matched against the one held by the company or bank one is trying to connect to. If they match, you are considered authentic. If they don’t, then the company or bank thinks that your password has been compromised. So SecurID tokens are an important extra layer of security.
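The token-and-server matching described above, as an added illustration that is not part of the original lecture and not RSA’s proprietary SecurID algorithm: it uses the public RFC 6238 time-based OTP construction (HMAC-SHA1 over a time-step counter) as a stand-in. The `TokenServer` class, its `enroll`/`verify` methods, the user names and the seed bytes are all constructed for the example. The server holds the same seed the token holds, computes the expected six-digit code for the current time step, and compares; a code that has already been accepted is rejected if presented again.

```python
"""Illustrative time-based one-time-password check (RFC 6238 TOTP, HMAC-SHA1).

Added example modelling the flow in the lecture: the token shows a six-digit
code, the server holds the same seed, recomputes the code and compares.
This is NOT RSA's SecurID algorithm; names and seeds below are constructed.
"""
import hashlib
import hmac
import struct

DIGITS = 6  # six-digit codes, as the lecture describes


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter), dynamic truncation, mod 10^digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = DIGITS) -> str:
    """Token side: the code displayed during the time step that contains unix_time."""
    return hotp(seed, unix_time // step, digits)


class TokenServer:
    """Server side (hypothetical): stores each user's seed and the last accepted step.

    The seed store is the sensitive asset: anyone holding a seed can compute the
    codes, which is why a breach of the vendor's seed records matters so much.
    """

    def __init__(self, step: int = 60, window: int = 1):
        self.step = step        # seconds per time step
        self.window = window    # steps of clock drift tolerated on either side
        self.seeds = {}         # username -> seed bytes
        self.last_counter = {}  # username -> last accepted time-step counter

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed
        self.last_counter[user] = -1

    def verify(self, user: str, submitted: str, unix_time: int) -> bool:
        """Return True only if `submitted` is the expected code for a nearby,
        not-yet-used time step. A mismatch is the signal the lecture mentions:
        the password alone is not enough, and may itself be compromised."""
        seed = self.seeds.get(user)
        if seed is None or len(submitted) != DIGITS or not submitted.isdigit():
            return False
        now = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_counter[user]:
                continue  # a code is good once: reject replay of an accepted step
            if hmac.compare_digest(hotp(seed, counter), submitted):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test seed and a 30-second step.
    seed = b"12345678901234567890"
    server = TokenServer(step=30, window=1)
    server.enroll("alice", seed)
    code = totp(seed, 59, step=30)            # what alice's token would display
    print("token shows", code)
    print("first use accepted:", server.verify("alice", code, 59))
    print("replay accepted:", server.verify("alice", code, 59))
```

The comparison uses `hmac.compare_digest` so that a wrong code is not distinguishable by timing, and the `last_counter` record makes each code single-use within its drift window; both are cheap defensive properties worth keeping in any real implementation of this check.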
This cyberattack was reported to have been thwarted. But the focus on a defense contractor, rather than on a bank, seemed to be an indication that the RSA hack might have been undertaken by a sovereign nation, rather than cybercriminals.
China Disclaims Responsibility
China denied responsibility for the RSA attack, but of the 334 command and control servers used by the malware, 299 were located in China. In fact, except for one mistake that China apologized for, the Chinese have denied any role in all of the cyberattacks, as well as dozens of other known attacks.
What are we to make of these Chinese activities? How should we assess them? Are they significant threats? Should we credit the routine denials that China makes, disclaiming responsibility for cyberattacks? Well, there is little basis for accepting Chinese denials of awareness and responsibility.
Nobody who seriously studies the issue doubts that the attacks on American systems are part of a systematic espionage campaign that could not really occur without Chinese state approval.
We should also think about how one should respond to this sort of activity and cyberattacks, if at all. The response, if any, must come from the US government. The American private sector has virtually no leverage to use to modify Chinese behavior.
As complex as the problem is, it is a threat here to stay. Although these attacks are sooner or later detected, they do leave the state vulnerable, politically and economically. It also makes one wonder: If these are the exploits we can identify, typically after the fact, what about the ones we are missing?
Common Questions about Chinese Cyberattacks
The two arms of the People’s Liberation Army are known by their Military Unit Cover Designations as units 61398 and 61486. They are special operations aimed at hacking foreign economies.
The Chinese government is expanding the scope of cyber operations by trying to acquire data about how businesses operate—not just about how the products are made.
Though China denied responsibility for the RSA cyberattack, of the 334 command and control servers used by the malware, 299 were located in China.