Chinese Cyber Warfare: Has the US Found a Smoking Gun?

by Justin Rohrlich, Minyanville staff writer

According to a leaked draft of the US-China Economic and Security Review Commission’s annual report to Congress, obtained by Bloomberg News a week before its scheduled release, Chinese hackers are employing “increasingly advanced types of operations or operations against specialized targets.”

A US intelligence official interviewed by Bloomberg describes the Chinese as having been “relentless” in its efforts to “blind or disrupt” those targets, which include “deployed US military platforms,” as well as “US intelligence and communications satellites, weapons targeting systems, and navigation computers.” (Indeed, a report [PDF] prepared for the Commission last March by Northrop Grumman (NYSE:NOC) determined that China could severely hamper the US military’s ability to protect Taiwan in the event of a strike.)

“Irrespective of the sophistication, the volume of exploitation attempts yielded enough successful breaches to make China the most threatening actor in cyberspace,” the draft states, describing China’s “cyber warfare militia… usually comprised of workers with high-tech day jobs” which “focus on military communications, electronic warfare and computer network operations.”

According to data provided to the Commission by CloudFlare Inc., a San Francisco-based security outfit, cyber attacks make up approximately 15% of all daily total global Internet traffic. Then, oddly, on October 1 of last year, that figure “plummeted to about 6.5%.”

Or, perhaps not so oddly -- October 1 happens to be China’s National Day, when, the report says, “many workers take leave.”

A Smoking Gun?

Like most such issues, it all depends upon whom you ask.

“I think it's an ancillary indicator that supports the hypothesis that these hacking incidents is both a ‘job’ and possibly mission driven by government surrogates,” Jarrett Kolthoff, a former US counterintelligence agent and the current president and CEO of strategic security firm SpearTip, tells me.

“The threats directed at US firms by the Chinese are very systematic and often mimic a traditional workday,” Kolthoff continues. “We are also seeing an increase in using both Human Intelligence (HUMINT) and cyber methods of attack.”

Kolthoff says these cyber attacks against "western" assets not only come via China, but also from Russia and Iran. And they’re not limited to military targets. Says Kolthoff, we are witnessing “substantive examples of the clear and present danger to US firms.”

“The technical aptitude of these groups is ever-increasing and they are noticeably embracing/utilizing cyber weaponry to accomplish their goals,” he says. 

However, Collin Anderson, an independent Internet researcher and free speech advocate, warns against a rush to convict -- particularly before studying the Commission’s full findings.

“I think [the data] is interesting and may be more of a reflection on Chinese culture than anything else, but without the full metrics it’s really hard to be satisfied with something like that,” he tells me. “If anything, I’m always a bit skeptical of the whole ‘cyber warfare’ notion; there are a lot of groups that have sort of a vested interest in the fear that surrounds so-called cyber warfare and you don’t often see metrics from people who aren’t making money off of it.”

No Rules of Engagement

A report out last year from cyber security firm Symantec (NASDAQ:SYMC) revealed that 29 chemical companies and “another 19 in various other sectors, primarily the defense sector” were the victims of a two-and-a-half-month cyber espionage campaign.

According to Technical Director for Security Response Eric Chien and Security Response Manager Gavin O’Gorman, the attacks were traced to a US-based computer network, owned and controlled by a “20-something male located in the Hebei region in China.”

From Chien and O’Gorman [PDF]:

The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. At­tacks on the chemical industry are merely their latest attack wave.

The attackers have changed their targets over time. From late April to early May, the attackers focused on human rights related NGOs. They then moved on to the motor industry in late May. From June until mid-July no activity was detected. At this point, the current attack campaign against the chemical industry began. This particular attack has lasted much longer than previous attacks, spanning two and a half months.

While Symantec did not identify the companies targeted, Reuters contacted a DuPont (NYSE:DD) spokesman, who said simply, "We don't comment on cyber security issues." However, Dow Chemical (NYSE:DOW) confirmed to the BBC that “it had been the target of ‘unusual emails’ received during the summer."

Employees at the targeted companies typically received bogus emails warning of security issues in Adobe (NASDAQ:ADBE) Reader, along with an attached file containing a “fix.” After clicking on one of the two attachments, control of the user’s computer would then be turned over to the intruders through the use of a virus known as “Poison Ivy.”

"This is unfortunately becoming a new normal behavior,” Greg Day, Symantec's chief technology officer, told the BBC.

This “new normal” has, by one estimate, 50,000 individual cyber espionage attacks occurring every 24 hours. The solution, if there is one, may lie in shifting the approach companies take in fighting it, Kolthoff explained to me after the Symantec report was released.

“Organizations have invested a lot of capital in proactive measures,” he said. “But I believe the key is in being reactive.”

“When I was working for the government, I never got to the office and said, ‘Hmm, I wonder if foreign intelligence agencies are collecting against us,” Kolthoff told me. “Of course they were. So, my thinking was always, ‘I hope we get a report in today that will help us identify who is behind this.’”

“Most companies -- and countries -- are too willing to turn a blind eye to this and just not acknowledge it; it’s too politically fraught,” Kolthoff continued. “But civilian entities are finally waking up to the fact that businesses don’t play nice. Whether that’s an insider that didn’t receive the promotion or bonus they wanted, or a competitor overseas, there are no rules of engagement.”

A Delicate Balance

When national security, online privacy, and China come together, the possibility of an outsized response is a very real one. For Collin Anderson, the context in which this matters revolves around one thing: freedom of expression.

“These same security mechanisms and policies can interfere with anonymous communications and be used for malicious purposes -- a valid fear, a common fear," Anderson says. "But the Commission is talking about infrastructure and economic interests, and when you start framing the conversation like that, it often runs contrary to freedom of expression issues, which butts up against people like me.”

The final version of the US-China Economic and Security Review Commission's 2012 Report to Congress will be released on Wednesday, November 14.

Follow Justin Rohrlich on Twitter: @chickenalaking