It reads like a bad spy novel: a secret unit of China’s People’s Liberation Army (PLA) is accused of spending the last seven years covertly infiltrating — or hacking — over a hundred large US corporations and stealing terabytes of sensitive data from their computer systems.
Unit 61398 of the PLA — nicknamed Comment Crew or Shanghai Group — was conclusively linked to the hacking of 141 US corporations by Mandiant, an Internet security firm. The firm, which has spent nearly a decade tracking attacks on large firms, recently published a report called “Advanced Persistent Threat 1” (APT1) on the group.
When Mandiant first revealed the existence of APT1 in 2010, the firm was careful not to imply complicity by the Chinese government. Now it is completely convinced “that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them”.
Naturally, China’s government vehemently denies the accusations, calling them “scientifically flawed”, “irresponsible” and “unprofessional”. But officials rather give the game away with their second point: “…there is still no internationally clear, unified definition of what consists of a ‘hacking attack’. There is no legal evidence behind the report subjectively inducing that the everyday gathering of online [information] is online spying.”
Kevin Mandia, founder and CEO of Mandiant, is unequivocal on the subject. In an interview with the New York Times he said that “either [the attacks] are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighbourhood.”
The neighbourhood Mandia is referring to is on the outskirts of Shanghai. Almost all of APT1’s activities can be traced back to a single building, which also happens to be the headquarters of PLA Unit 61398.
Of course, the New York Times itself has a bone to pick with the Chinese. In January, the media company revealed that it had been subject to months of cyberattacks, all of them originating in China — though not from APT1. The motive for the attacks seems to be a report in October about relatives of China’s Prime Minister Wen Jiabao, who had earned billions of dollars through shady business deals.
The New York Times was not the only media company to attract the wrath of the Chinese. The Wall Street Journal, Washington Post and Bloomberg News were all recently attacked and it is alleged all of the attacks could be traced back to China.
Should we be concerned that Chinese technology seems so much better than the US’s? That’s the thing: none of these hacks used particularly technologically advanced methods. Like all gifted hackers, the Chinese infiltrators focused on the weakest link in the security chain — the human beings.
We have all received one of those e-mails from “ABBSA” or “Standerd Bank”, telling us we need to “verify our details” — even though we have been lifelong customers of FNB. These blatant attempts to steal valuable data are called “phishing” because the hackers are simply casting out thousands of baited virtual hooks and hoping to catch a granny who does not know better.
The Chinese hackers used a clever variation on this method called “spear phishing”. Instead of sending hundreds of anonymous e-mails that any wary professional would quickly reject, they crafted e-mails to look like internal office communications.
So you might receive an e-mail that appeared to be from your HR department, addressing you by name, and asking you to complete the attached form. If you clicked on the attachment — which is really a piece of spyware designed to turn your computer into a gateway — the hackers would immediately have a foothold in your network.
This is almost certainly how the New York Times was hacked, as well as hundreds of other companies. The Mandiat report calls spear phishing APT1’s “most commonly used technique”. This tells us that it is not our computer systems we need to beef up so much as our staff.
That said, when hackers can successfully fool the smartest technical staff of Twitter, Facebook and Apple all in the space of a few weeks, then there is little hope for us mere mortals. Both Facebook and Apple were hacked using an ingenious and almost undetectable method: infecting a forum popular with software developers with a piece of spyware. As soon as anyone visited the forum, their computers would be compromised. Bingo.
Hacking of this kind is obviously a scourge. It wastes resources, breaches confidentiality and hurts customer confidence. But there are two less obvious dangers.
The first is that hacking may be used as a pretext for a cyberwar with China. Such a war might seem exciting but it would be terrible for diplomatic and trade relations and an unwanted distraction from the very real problems both nations face.
And, despite all its clumsy dissembling, there is a danger of turning China into the new “reds under the bed”. There is no evidence that China had anything to do with the hacks on Facebook or Apple, for instance, but hawks are already lumping them in with the “Chinese attacks”. As outgoing US secretary of state Hillary Clinton said: “The Chinese are not the only people who are hacking us.”
The second hidden danger is that politicians on both sides of the divide may use hacking as an excuse to regulate the Internet more closely. US president Barack Obama already signed an executive order to “give our government a greater capacity to secure our networks and deter attacks”. That is not necessarily sinister but it is worrying.
There is no mistaking the Chinese position. A secret US state department cable revealed the chilling details of a report by China’s state council information office to its Communist Party leadership.
The state department’s contact told the New York Times: “In the past, a lot of officials worried that the Web could not be controlled. But through the Google incident and other increased controls and surveillance, like real-name registration, they reached a conclusion: the Web is fundamentally controllable.”
The “Google incident” above refers to Google pulling out of mainland China in March 2010 after suffering from sustained hacking attacks, probably originating from the PLA.
The irony is that we would not have any of this information if it were not for WikiLeaks exposing secret cables between US government departments. Openness is a double-edged sword — if we clamp down in the name of security, we also stifle its ability to expose wrongdoing.
The US should not imitate China under any circumstances. However much openness might cost it, it is one of the things that made America great. Let us hope their lawmakers agree. — (c) 2013 NewsCentral Media
- Alistair Fairweather is GM for digital operations at the Mail & Guardian
- Visit the Mail & Guardian Online, the smart news source
