
5 South Koreans indicted over espionage

Prosecutors in Seoul have indicted five South Koreans for allegedly spying for North Korea.

Seoul prosecutors said on Thursday that the five allegedly passed military secrets and other sensitive information to North Korea beginning in the early 1990s.

Prosecutors say that among the funneled information were satellite photos of military bases in South Korea, US military field manuals and information on South Korean politicians.

Prosecutors say the five allegedly violated South Korea’s National Security Law, whose maximum penalty is capital punishment.

The two Koreas are still technically at war because the 1950-53 Korean War ended with an armistice, not a peace treaty.


Jamie Metzl: China and Cyber-Espionage

A number of people have asked me how I made the determination described in my Wall Street Journal editorial last Wednesday that China is one of the world’s worst state perpetrators of cyber-espionage and malicious computer hacking (See China’s Threat to World Order: Computer hacking is typical of Beijing’s disdain for global norms).

Although I have spoken with a number of American officials with access to classified information who have made this assertion with great passion, I do not have access to any of these classified documents. Instead, I have decided to lay out the evidence gleaned from public sources.

If there is more evidence making the case that China is involved in these activities on an official or quasi-official level, please add it in a reply to this blog post.

Even more importantly, if you believe that these allegations are false, I very much encourage you to make your case on this site. The evidence is laid out below. Links to the source materials referenced are embedded in the text.

Let the dialogue begin.

The case that China may be one of the world’s worst state perpetrators of cyberespionage and malicious computer hacking

Reports

  • In a 2010 report to Congress, the U.S. Defense Department asserted that China is “actively pursuing cyber capabilities with a focus on the exfiltration of information, some of which could be of strategic or military utility”.
  • In its 2010 report to Congress, the U.S.-China Economic and Security Review Commission stated that “China’s government, the Chinese Communist Party, and Chinese individuals and organizations continue to hack into American computer systems and networks as well as those of foreign entities and governments.”
  • An October 2009 report by Northrop Grumman for the U.S.-China Economic and Security Review Commission asserted that “government efforts to recruit from among the Chinese hacker community and evidence of consulting relationships between known hackers and security services indicates some government willingness to draw from this pool of expertise.” The report revealed that “a founding member of the influential Chinese hacker group Javaphile has a formal consulting relationship with the Shanghai Public Security Bureau and researcher credentials at the information security engineering institute of one of China’s leading universities.”
  • A March 2011 report by Invictis Information Security Ltd. stated that “Chinese commercial espionage is as much a state‐sponsored activity as their military and civilian operations. The Chinese government supports commercial espionage as a necessary economic activity to help create Chinese commercial advantage and strategic success in the 21st century. Beijing has at its disposal an army of computer hackers, immigrants (resident in target countries), intelligence operatives, scientists and students.”
  • A 2010 restricted report from MI5’s Centre for the Protection of National Infrastructure (CPNI) reportedly detailed how China has hacked various British defense, energy, communications, and manufacturing companies.
  • The United States Congressional Research Service (CRS) reported in 2001 that China was “moving aggressively toward incorporating cyber warfare into its military lexicon, organization, training, and doctrine [and] pursuing the concept of a Net Force, which would consist of a strong reserve force of computer experts trained at a number of universities, academies, and training centers.”

Statements by officials

  • Former U.S. cyber-czar Richard Clarke asserted that “What’s going on is very large-scale Chinese industrial espionage… They’re stealing our intellectual property. They’re getting our research and development for pennies on the dollar”.
  • In an April 15, 2011 testimony for the Oversight and Investigations Subcommittee of the Foreign Affairs Committee of the United States House of Representatives, Richard Fisher, Senior Fellow at the International Assessment and Strategy Center, asserted that “PRC uses its cyber capabilities to pursue a relentless global campaign of cyber espionage, in which every country in which the PRC has any kind of interest, is subject to continuous cyber probes seeking all manner of information of military, commercial or political value.”
  • In a March 2010 testimony before the House of Representatives Committee on Foreign Affairs, Larry Wortzel, Commissioner of the U.S.-China Economic and Security Review Commission, explained that hacking by Chinese actors works to “speed the development and fielding of weapons in China, improve technology in sectors of China’s industries while saving time and money in research and development.”
  • In a March 2010 testimony to the Senate Armed Services Committee, Director of National Intelligence James Clapper asserted that, when it comes to cyberwarfare, “The Chinese have made a substantial investment in this area. They have a very large organization devoted to it… this is just another way in which they glean information about us and collect on us for technology purposes, so it’s a very formidable concern.”
  • In a June 13, 2007 testimony before the House of Representatives Committee on Armed Services, then Deputy Undersecretary for Defense for Asian and Pacific Security Affairs, Richard Lawless, asserted that the Chinese are “leveraging information technology expertise available in China’s booming economy to make significant strides in cyberwarfare.”
  • In 2007, Jonathan Evans, the Director‐General of the UK Security Service, MI5, stated that the Chinese “continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects and trying to obtain political and economic intelligence at our expense.”
  • In August 2007, German Chancellor Angela Merkel reportedly confronted Chinese Premier Wen Jiabao after Chinese hackers attacked computers in her office and other German government ministries.

Operation Shady RAT

  • In response to questions as to whether China was behind the recent, high-level hacking campaign known as ‘Operation Shady RAT’, Vice President of Threat Research at cybersecurity firm McAfee Dmitri Alperovitch, responded: “If others want to draw that conclusion, I certainly wouldn’t discourage them.”
  • Center for Strategic and International Studies (CSIS) cyber security expert James A. Lewis stated that “the most likely candidate [as perpetrator of ‘Operation Shady RAT’] is China.”
  • Among the 72 hacking targets in 14 countries in ‘Operation Shady RAT’ was the International Olympic Committee and several national Olympic Committees — all breached in the months leading up to the 2008 Beijing Olympics. Three targeted entities were located in Taiwan and 49 were located in the United States. None of the victims were located in China (with the exception of a U.S. News Organization’s Hong Kong Bureau).
  • Remote administration tool (RAT) malware was also used in the ‘Night Dragon’ attacks in 2011, which McAfee had concluded came from China.

Night Dragon

  • In February 2011, a report from McAfee concluded that the cyber-attack known as ‘Night Dragon’ against major Western energy firms had originated “primarily in China,” effectively tracing it back to Chinese IP addresses in Beijing. Command and control was found to be based in Heze City, the malware tools used were regularly offered for download by Chinese hacker websites, and the hackers appeared to work a regular weekday, nine-to-five schedule in the Beijing time zone.
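The working-hours pattern McAfee cites is a signal an incident responder can compute from their own logs. The following Python script is an added example, not McAfee's analysis or code from the original post: it takes a constructed list of command-and-control session timestamps in UTC, converts them to a candidate zone (UTC+8 here, which is exact for China Standard Time because that zone has no daylight saving), measures what share of events fall on weekdays between 09:00 and 17:00 local time, and then ranks every whole-hour UTC offset by that share. The timestamps, the 09:00 to 17:00 window and the helper names are assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# China Standard Time is a fixed UTC+8 with no daylight saving, so a fixed
# offset is exact. The candidate zone is an assumption of this example.
CST = timezone(timedelta(hours=8))

# Constructed command-and-control session timestamps (UTC), standing in for a
# beacon or login timeline an incident responder would extract from logs.
# 2011-01-10 is a Monday; the last entry falls on a Saturday.
SESSION_TIMES_UTC = [
    "2011-01-10T01:05:00Z",
    "2011-01-10T03:40:00Z",
    "2011-01-10T08:50:00Z",
    "2011-01-11T02:10:00Z",
    "2011-01-11T06:30:00Z",
    "2011-01-12T01:20:00Z",
    "2011-01-12T04:15:00Z",
    "2011-01-13T08:30:00Z",
    "2011-01-14T05:20:00Z",
    "2011-01-15T03:00:00Z",
]


def to_local(ts_utc: str, tz: timezone) -> datetime:
    """Parse an ISO-8601 UTC timestamp and convert it to the candidate zone."""
    parsed = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc).astimezone(tz)


def working_hours_share(timestamps, tz: timezone, start: int = 9, end: int = 17) -> float:
    """Fraction of events on Monday to Friday with start <= local hour < end."""
    in_office = 0
    for ts in timestamps:
        local = to_local(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            in_office += 1
    return in_office / len(timestamps)


def hourly_profile(timestamps, tz: timezone) -> Counter:
    """Histogram of events by local hour, useful for eyeballing a shift pattern."""
    return Counter(to_local(ts, tz).hour for ts in timestamps)


def rank_zones(timestamps, offsets=range(-12, 15)):
    """Score every whole-hour UTC offset by working-hours share, best first."""
    scored = [(working_hours_share(timestamps, timezone(timedelta(hours=off))), off)
              for off in offsets]
    scored.sort(key=lambda pair: (-pair[0], pair[1]))
    return scored


if __name__ == "__main__":
    print(f"share in UTC+8 office hours: {working_hours_share(SESSION_TIMES_UTC, CST):.2f}")
    print("events by local hour:", sorted(hourly_profile(SESSION_TIMES_UTC, CST).items()))
    print("best-fitting offsets:", rank_zones(SESSION_TIMES_UTC)[:3])
```

A high working-hours share for one offset is consistent with an operator sitting in that zone, but it is one weak signal: automated beacons, shift work or deliberate scheduling can produce or mask the pattern, which is why the report above pairs it with infrastructure and tooling evidence rather than relying on it alone.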


Operation Aurora

  • In January 2010, Google openly accused China of stealing some of the company’s source code via an attack dubbed ‘Operation Aurora’. Servers at two schools in China, Jiaotong University in Shanghai and Lanxiang Vocational School in Shandong Province, were determined to have been used in the attack. Lanxiang was founded with military support and continues to train many of the military’s computer scientists. After being briefed by Google on ‘Operation Aurora’, Secretary of State Hillary Clinton issued a statement saying, “We look to the Chinese government for an explanation.”
  • A report by Verisign iDefense, a security-intelligence service based in Virginia, reportedly determined that ‘Aurora’ was directed by “agents of the Chinese state or proxies thereof.”

RSA Attacks

  • The command-and-control servers used in the March 2011 attacks on RSA — the security division of high-tech company EMC Corp. — were traced to networks in Beijing and Shanghai. The location of the servers was identified due to use of the malware tool “HTran,” which Chinese hackers are known to bundle with their code. EMC’s products are used to protect high-level computer networks throughout the U.S. government as well as large corporations and defense contractors.


Other attacks

  • In June 2011, Google announced it had thwarted an attempt from China to steal the Gmail passwords of senior U.S. government officials. Google said the attacks originated in Jinan, China, one of seven regional command centers for the Chinese military.
  • On April 8, 2010, state-owned China Telecom rerouted U.S. and other foreign Internet traffic, causing 15 percent of all Internet traffic to travel through Chinese servers for nearly 20 minutes. The long-term impact of this rerouting remains unknown.
  • In April 2009, hackers broke into the Pentagon’s Joint Strike Fighter project — an attack that former U.S. officials attributed to China after it was traced back to Chinese IP addresses.
  • According to Richard Fisher, Senior Fellow at the International Assessment and Strategy Center, Chinese hackers attacked computer systems at the U.S. Naval War College, National Defense University, and the U.S. Army’s Fort Hood throughout 2006.
  • The 2005 ‘Titan Rain’ cyber-espionage ring, responsible for breaking into a number of U.S. military and defense contractor computer systems, was traced back to three Chinese routers in China’s Guangdong Province.

Jamie Metzl is Executive Vice President of Asia Society and a former official in the U.S. National Security Council, State Department, and Senate Foreign Relations Committee. The views expressed here are his own.


Primary research conducted by Johan Kharabi, Asia Society

This post has been modified since its original publication.


Espionage is Golden

Saidkul Ashurov, a citizen of Tajikistan who was chief technologist at a gold-mining venture in Uzbekistan, has been sentenced to 12 years in prison on charges of espionage, the Tajik service of Radio Liberty reports.

According to the report, Ashurov, a resident of Penjikent in Tajikistan’s Sughd Province, had recently arrived in Uzbekistan from South Africa. The British company Oxus Gold, which owns a 50 percent stake in the British-Uzbek joint venture “Amantaytau Goldfields”, had invited him to take the post of chief technology officer. Uzbek law enforcement agencies detained Ashurov on March 5 on charges of collecting information constituting a state secret.

“Ashurov was detained by the Uzbek authorities on trumped-up charges of espionage. There are no legal grounds to arrest him,” the company’s lawyer Robert Amsterdam said in an interview with Radio Liberty. Uzbek rights activist Sukhrob Ismoilov, who is also an advisor to Oxus Gold, said that the Uzbek authorities have classed the stored information as a state secret even though the information Ashurov was working with was public. “The information on the disc is supposedly a secret, yet it can be obtained freely on the Internet. This was also established in court. Some of the information was posted on the joint venture’s own website. There was only one file with information about gold shipments in 2009, which has since lost its relevance,” he said.

Meanwhile, the Uzbek authorities have not allowed his wife and three children to meet with the prisoner. “He is not allowed to talk to anyone or to meet with relatives. We have appealed to the UN High Commissioner for Human Rights and to David Cameron, the British Prime Minister, but to no avail,” says Ashurov’s brother.

The Tajik authorities asked Uzbekistan to allow Tajik diplomats to attend the hearings in Ashurov’s case, but their requests went unanswered. Relatives and lawyers believe Ashurov fell victim to a dispute between Oxus Gold and the Uzbek authorities, and to the tense relations between Uzbekistan and Tajikistan. In recent years both countries have recorded numerous cases of people being accused of spying for the neighboring state.


Regular screening at Finance Ministry offices to detect bugging devices

The Finance Ministry today said its office premises are subjected to regular screening for the presence of bugging devices, but no such material has been found so far.

“… All these premises (in Finance Ministry) have been subjected to regular screening. During these exercises, no devices have been detected,” the Minister of State for Finance, Mr S.S. Palanimanickam, said in a written reply to the Rajya Sabha.

He said that security checks are periodically conducted in the Ministry of Finance and the Finance Minister’s Office.

One such routine security check was conducted on September 4, 2010, by the Investigation Directorate of the Central Board of Direct Taxes (CBDT), which engaged the services of an expert with domain knowledge of the subject, he added.

During the check, adhesive-like substances were noticed at various locations.

“This was brought to the notice of the Prime Minister by the Union Finance Minister in September, 2010,” he said.

Subsequently, the Prime Minister directed the Intelligence Bureau to conduct a secret inquiry into the matter.

“Adhesive patches were found stuck at a few places. The adhesive patches were subjected to chemical/forensic analysis, which revealed that the substance contained contents comparable with contents of chewing gum,” the Minister added.

Physical examination of the recovered substance did not reveal any sign or mark suggestive of any device having been attached thereto.


Leaked data points to Sino-cyber espionage ring

A massive Pastebin dump of domain names and IP addresses appears to be linked to a Sino-cyber espionage ring.

The data – posted on August 15th by an unknown individual – lists approximately 850 entries which are allegedly exploited to facilitate command and control operations.


“My motivation is purely selfless in nature and I only wish the security community to improve upon what has already been done in this realm. Most of the security community is a fraud and continues to subsist on half-assed analyses and bogus data. All information was compiled from open sources and leaked information; no customer-based data was used for the analysis,” ‘RSA Employee #15666’ wrote in a recent Pastebin post.

“My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved. These attacks have targeted US and Canadian companies almost exclusively for at least five years; the tools, tactics, and procedures have changed very little during that timeframe and continue to be extremely effective.”

According to #15666, the cyber espionage ring is motivated primarily by financial considerations.

“If your company is one outlined in the list below chances are you’re doing business in the Peoples’ Republic of China or plan to shortly.

“Negotiations are a common target for economically motivated hackers and hence email and other relevant information pertaining to contract negotiation data will be taken. If you currently conduct business with the PRC chances are that your organization has knowingly or unknowingly been compromised.”

As Patrick Gray of Risky.Biz notes, the mysterious data leak is lent “serious credibility” by a previously hacked and extracted analysis from HBGary – which matches a number of the IP addresses and domain names in the new Pastebin dump.

“HBGary codenamed the operation ‘Soysauce.’ The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China,” Gray explained.

“The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong. The vast majority of the leaked IP addresses are physically located in the US.”

Although the true identity of “RSA Employee #15666” remains unknown, there is little reason to believe he or she actually works for RSA. The enigmatic individual claims: “I have no allegiances, I make no money, I am not legion [Anonymous].”
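Gray’s point is that the new dump gains credibility from how many of its entries reappear in an earlier, independent analysis, and the practical use of such a list for a defender is to check whether any internal host has talked to it. The following Python script is an added example, not code from the original post, from HBGary or from the Pastebin author: it parses two constructed indicator lists (placeholder addresses from the RFC 5737 documentation ranges and .invalid domains, not real indicators), computes their overlap, and then runs constructed proxy log lines against the dump, matching IPs exactly and domains by suffix so that subdomains of a listed callback domain are also caught. The log format, sample values and helper names are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample of a leaked indicator dump, in the loose shape such pastes
# take: one entry per line, comments and blank lines mixed in. Every value is a
# placeholder (RFC 5737 documentation networks, .invalid domains), not a real IoC.
LEAKED_DUMP = """
# callback hosts, compiled from open sources
192.0.2.10
198.51.100.7
update.example.invalid
News-Feed.example.invalid.
203.0.113.55   # serves the redirect config
"""

# Constructed second list standing in for an earlier, independently produced
# analysis; the overlap between the two is what lends the dump credibility.
EARLIER_ANALYSIS = """
198.51.100.7
203.0.113.55
cdn.example.invalid
"""


@dataclass
class IndicatorSet:
    ips: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)


def parse_indicators(text: str) -> IndicatorSet:
    """Split a loosely formatted indicator paste into normalised IPs and domains."""
    out = IndicatorSet()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            out.ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            out.domains.add(entry)
    return out


def overlap(a: IndicatorSet, b: IndicatorSet) -> IndicatorSet:
    """Indicators present in both lists."""
    return IndicatorSet(a.ips & b.ips, a.domains & b.domains)


def matches_domain(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, if any."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed proxy log lines: timestamp, client, method, host[:port], status.
PROXY_LOG = [
    "2011-08-16T09:01:12Z 10.0.0.21 GET www.example.org 200",
    "2011-08-16T09:02:40Z 10.0.0.21 GET update.example.invalid 200",
    "2011-08-16T09:03:05Z 10.0.0.37 CONNECT 198.51.100.7:443 200",
    "2011-08-16T09:04:51Z 10.0.0.37 GET mail.corp.example 200",
    "2011-08-16T09:05:00Z 10.0.0.44 GET sub.news-feed.example.invalid 404",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^\s:]+)(?::\d+)? (\d{3})$")


def scan_logs(lines, indicators: IndicatorSet) -> List[Tuple[str, str, str]]:
    """Return (client, host, matched indicator) for every line touching a listed indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, host, _status = m.groups()
        if host in indicators.ips:
            hits.append((client, host, host))
            continue
        listed = matches_domain(host, indicators.domains)
        if listed:
            hits.append((client, host, listed))
    return hits


if __name__ == "__main__":
    dump = parse_indicators(LEAKED_DUMP)
    both = overlap(dump, parse_indicators(EARLIER_ANALYSIS))
    print("corroborated by the earlier analysis:", sorted(both.ips | both.domains))
    for client, host, listed in scan_logs(PROXY_LOG, dump):
        print(f"{client} contacted {host} (listed as {listed})")
```

A hit against a list like this is a lead, not a verdict: callback addresses are often ordinary hosting in the victim’s own country, as Gray notes, so each match is confirmed from the proxy record and the client before anything is blocked or escalated.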