China accused of stealing 'terabytes' of US data


GONE PHISHING

What is known is the extent to which Chinese hackers use "spear-phishing" as their preferred tactic to get inside otherwise forbidden networks. Compromised email accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.

The tactic is so prevalent, and so successful, that "we have given up on the idea we can keep our networks pristine," said Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It's safer, government and private experts say, to assume the worst -- that any network is vulnerable.

Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in "target development" for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees' job descriptions, networks of associates, and even the way they sign their emails -- such as U.S. military personnel's use of "V/R," which stands for "Very Respectfully" or "Virtual Regards."

The spear-phish are "the dominant attack vector. They work. They're getting better. It's just hard to stop," says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.

Spear-phish are used in most Byzantine Hades intrusions, according to a review of State Department cables by Reuters. But Byzantine Hades is itself categorized into at least three specific parts known as "Byzantine Anchor," "Byzantine Candor," and "Byzantine Foothold." A source close to the matter says the sub-codenames refer to intrusions which use common tactics and malicious code to extract data.

A State Department cable made public by WikiLeaks last December highlights the severity of the spear-phish problem. "Since 2002, (U.S. government) organizations have been targeted with social-engineering online attacks" which succeeded in "gaining access to hundreds of (U.S. government) and cleared defense contractor systems," the cable said. The emails were aimed at the U.S. Army, the Departments of Defense, State and Energy, other government entities and commercial companies.

Once inside the computer networks, the hackers install keystroke-logging software and "command-and-control" programs which allow them to direct the malicious code to seek out sensitive information. The cable says that at least some of the attacks in 2008 originated from a Shanghai-based hacker group linked to the People's Liberation Army's Third Department, which oversees intelligence-gathering from electronic communications.

Between April and October 2008, hackers successfully stole "50 megabytes of email messages and attached documents, as well as a complete list of usernames and passwords from an unspecified (U.S. government) agency," the cable says.

Investigators say Byzantine Hades intrusions are part of a particularly virulent form of cyber-espionage known as an "advanced persistent threat." The malicious code embedded in attachments to spear-phish emails is often "polymorphic" -- it changes form every time it runs -- and burrows deep into computer networks to avoid discovery. Hackers also conduct "quality-assurance" tests in advance of launching attacks to minimise the number of anti-virus programs which can detect it, experts say.

As a result, cyber-security analysts say advanced persistent threats are often only identified after they penetrate computer networks and begin to send stolen data to the computer responsible for managing the attack. "You have to look for the 'phone home,'" says Roger Nebel, managing director for cyber-security at Defense Group Inc., a consulting firm in Washington, DC.

It was evidence of malicious code phoning home to a control server -- a computer that supervises the actions of code inside other computers -- that provided confirmation to U.S. cyber-sleuths that Chinese hackers were behind Byzantine Hades attacks, according to the April 2009 State Department cable.
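The "phone home" the investigators describe is a beacon: the implant contacts its control server on a fixed schedule. One way a defender can surface that pattern in outbound proxy logs is to look for host/destination pairs whose connection intervals are nearly constant. The following is an added example, not code from the article or from any of the investigators quoted; the log lines, host names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article): timestamp, source host, destination.
# ws-17 reaches one destination every ~10 minutes, which is what a beacon looks like.
SAMPLE_LOG = """\
2009-04-01T09:00:00 ws-17 update.example-vendor.test
2009-04-01T09:00:05 ws-17 news.example.test
2009-04-01T09:10:00 ws-17 update.example-vendor.test
2009-04-01T09:20:01 ws-17 update.example-vendor.test
2009-04-01T09:30:00 ws-17 update.example-vendor.test
2009-04-01T09:40:00 ws-17 update.example-vendor.test
2009-04-01T09:03:00 ws-22 news.example.test
2009-04-01T09:31:00 ws-22 news.example.test
2009-04-01T10:15:00 ws-22 mail.example.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        conns[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return conns

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (src, dst, period_seconds) for pairs whose connections are near-periodic.

    Jitter is stddev(interval) / mean(interval); a scheduled beacon keeps it small,
    while human browsing produces irregular gaps and is not flagged.
    """
    results = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            results.append((src, dst, period))
    return results
```

Periodicity alone is a lead, not proof: legitimate updaters also poll on a schedule, so a flagged pair still needs corroboration from destination reputation, upload volume and the process that opened the connection.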

As a case study, the cable cites a 10-month investigation by a group of computer experts at the University of Toronto which focused in part on cyber-intrusions aimed at Tibetan groups, including the office of the exiled Dalai Lama in Dharamsala, India.

Referencing the Canadian research, the cable notes that infected computers in the Dalai Lama's office communicated with control servers previously used to attack Tibetan targets during the 2008 Olympics in Beijing. Two Web sites linked to the attack also communicated with the control server.

TARGETS DETAILED

The same sites had also been involved in Byzantine Hades attacks on U.S. government computers in 2006, according to "sensitive reports" cited in the cable -- likely a euphemistic reference to secret intelligence reporting.

The computer-snooping code that the intrusion unleashed was known as the Gh0stNet Remote Access Tool (RAT). It "can capture keystrokes, take screen shots, install and change files, as well as record sound with a connected microphone and video with a connected webcam," according to the cable.

Gh0st RAT succeeded in invading at least one State Department computer. It "has been identified in incidents -- believed to be the work of (Byzantine Hades) actors -- affecting a locally employed staff member at the U.S. Embassy in Tokyo, Japan," according to the cable.

Evidence that data was being sucked out of a target network by malicious code also appears to have led cyber-security investigators to a specific hacker, affiliated with the Chinese government, who was conducting cyber-espionage in the United States. A March 2009 cable identifies him as Yinan Peng. The cable says that Peng was believed to be the leader of a band of Chinese hackers who call themselves "Javaphile."

Peng did not respond to three emails seeking comment.

The details of alleged Chinese military-backed intrusions of U.S. government computers are discussed in a half dozen State Department cables recounting intense global concern about China's aggressive use of cyber-espionage.

In a private meeting of U.S., German, French, British and Dutch officials held at Ramstein Air Base in September 2008, German officials said such computer attacks targeted every corner of the German market, including "the military, the economy, science and technology, commercial interests, and research and development," and increase "before major negotiations involving German and Chinese interests," according to a cable from that year.

French officials said at the meeting that they "believed Chinese actors had gained access to the computers of several high-level French officials, activating microphones and Web cameras for the purpose of eavesdropping," the cable said.

TESTING THE WATERS

The leaked State Department cables have surfaced as Reuters has learned that the U.S. is engaged in quiet, proxy-led talks with China over cyber issues.

Chronic computer breaches have become a major source of tension in U.S. relations with China, which intensified after the major Google hack was disclosed in January 2010, according to U.S. officials involved in the talks. Even before the Google hack, Chinese officials had recognised the problem as well.

In mid-2009, representatives of the China Institute for Contemporary International Relations, a nominally independent research group affiliated with China's Ministry of State Security, contacted James A. Lewis, a former U.S. diplomat now with the Center for Strategic and International Studies.

Lewis said that in his first meeting with his Chinese counterparts, a representative of the China Institutes asked: "Why does the Western press always blame China (for cyber-attacks)?" Lewis claims to have replied: "Because it's true."

There was no response to a request for comment on the talks from the Chinese embassy in Washington.

Preliminary meetings at CSIS have blossomed into three formal meetings in Washington and Beijing over the last 14 months. According to two participants, the talks continue to be marked by "a lot of suspicion." Attendees have focused on establishing a common understanding of cyber-related military, law enforcement and trade issues. Cyber-espionage isn't being discussed directly, according to one participant, because "the Chinese go rigid" when the subject is raised.

One reason: for China, digital espionage is wrapped into larger concerns about how to keep China's economy, the world's second largest, growing. "They've identified innovation as crucial to future economic growth -- but they're not sure they can do it," says Lewis. "The easiest way to innovate is to plagiarise" by stealing U.S. intellectual property, he adds.

There have been a few breakthroughs. U.S. and Chinese government officials from law enforcement, intelligence, military and diplomatic agencies have attended in the wings of each discussion. "The goal has been to get both sides on the same page," says Lewis. "We're building the groundwork for official discussions."

A former senior national security official who has also attended the talks says, "Our reports go straight to the top policymakers" in the Obama administration.

Chinese participants have sought to allay U.S. concerns about a Chinese cyber-attack on the U.S. financial system. With China owning more than $1.1 trillion in U.S. government debt, Lewis says China's representatives acknowledged destabilisation of U.S. markets would, in effect, be an attack on China's economy itself.

Despite the talks, suspected Chinese cyber-espionage has hardly tapered off. Documents reviewed by Reuters show that CSIS itself recently was the target of a spear-phish containing malicious code with a suspected link to China.

On March 1, an email sent from an address on an unofficial U.S. Armed Forces family welfare network called AFGIMail was sent to Andrew Schwartz, chief spokesman for CSIS. Attached to the message was an Excel spreadsheet labeled "Titan Global Invitation List."

An analysis conducted for Reuters by a cyber-security expert who asked not to be identified shows the email may have been sent from a compromised AFGIMail email server. The Excel spreadsheet, if opened, installs malicious code which searches for documents on the victim's computer. The code then communicates to a Web-site hosting company in Orange County, California that has additional sites in China.

(Reporting by Brian Grow in Atlanta and Mark Hosenball in Washington; additional reporting by Peter Apps in London; editing by Jim Impoco and Claudia Parsons).
