The indictment of five People’s Liberation Army computer hackers last week has revealed that U.S. intelligence agencies have made progress in developing capabilities to trace the source of cyber attacks used for both economic and traditional espionage.
A federal grand jury in Pittsburgh on May 1 indicted the five PLA hackers who are part of the notorious Unit 61398 of the PLA General Staff 3rd Department, or 3PLA, located in Shanghai.
The charges against the Chinese military were unprecedented for the U.S. government in specifically targeting the Chinese government and its military. But they are viewed as largely symbolic because the prospect of prosecuting the men is remote.
The indictment represents a significant step, however, for identifying for the first time in a legal document the activities of the PLA hackers – activities that have been largely ignored by the Obama administration for years because of its conciliatory policies aimed at not upsetting China, a major business and trading partner.
China responded to the charges by cutting off ties to a U.S.-China joint working group on cyber security. Chinese official media also denounced the United States for the action and said it was the United States that has engaged in espionage against Chinese companies.
The administration in announcing the indictment sought to distance itself from Chinese government spying against U.S. secrets, in part to avoid countercharges made by China in the wake of disclosures by renegade National Security Agency contractor Edward Snowden. Snowden revealed details of NSA spying against Chinese companies, including the state-linked Huawei Technologies Inc. telecommunications giant. The U.S. government, unlike China, insists it does not spy on behalf of U.S. companies.
The FBI issued wanted posters of the five men on its Cyber’s Most Wanted page.
Although not mentioned in the indictment, U.S. officials said the work of identifying and tracing the hackers was carried out by NSA counter cyber spies at the agency’s headquarters at Fort Meade, Md.
Details of the U.S. tracing of Chinese military hacking contained in the indictment reveal that NSA counterspies were able to identify the PLA hackers, trace their activities to Unit 61398 in Shanghai, and then trace the transfer of the stolen corporate trade secrets to Chinese state-owned industries, including the State Nuclear Power Technology Corp.
The China State nuclear company concluded a deal with Westinghouse to build four of AP1000 reactors in China. As if to boast of its successful corporate spying, China announced last week that the first of the Westinghouse design reactors had been completed.
The economic espionage against Westinghouse was carried out using spearphishing attacks by the PLA using fake but familiar-author emails to entice six company executives into clicking on foreign links. Once connected to the links, sophisticated malicious software was installed covertly on Westinghouse networks.
The software then created backdoor access points in at least two networks that were used by the PLA to siphon off large amounts of data that was then provided to Chinese government companies. The Westinghouse malware was identified as a file named ccape.exe and liam.exe.
Once the backdoors were in place, the Chinese military software contacted the other computers controlled by the hackers through the use of “beacons” – short, difficult to detect messages that are part of the command and control mechanism for searching penetrated networks and sending back valuable data.
The method used by the PLA for its economic espionage also is very similar to the methods used by the Chinese to penetrate government computer networks in stealing defense, foreign policy and national security secrets.
As part of the cyber espionage operation, the PLA also used additional pirated computer networks in the United States — beyond the targeted networks – as “hop points.” The hop points were used to mask the origin of the original attacks. The indictment reveals that NSA counterspies were able to identify the hop points and trace the users back to China, a relatively difficult technical feat.
“Among other things, the co-conspirators used hop points to research victims, send spearphishing emails, store and distribute additional malware, manage malware, and transfer exfiltrated data,” the indictment says. “Some hop points were used as command and control servers, which received communications from, and returned instructions to, malware on other compromised computers.”
Another technique was the PLA’s use of commonly used domain names with slightly different spellings to appear familiar. The purpose was to further mask the origin of the cyber attacks. Among the names used were “finaceanalysis,” “gmailboxes.com,” and “busketball.com.” The disclosure of the fake domain names is another clue to NSA’s prowess in counter cyber spying.
“After obtaining a foothold in a victim’s computers, the co-conspirators performed a variety of functions designed to identify, collect, package and exfiltrate targeted data from the victim’s computers under” the PLA’s control, the indictment says.
The NSA was able to identify when the hackers created the fake email accounts, including one at Yahoo.
The six networks attacked in the case included Westinghouse, SolarWorld, U.S. Steel, ATI, United Steel Workers union, and Alcoa.
The hackers were identified as Wang Dong, Sun Kailiang, Wen Xinyu, Wang Zhenyu, and Gu Chunhui.
It is probable that NSA opposed releasing the intelligence used in the indictment over concerns that revealing how the PLA hackers were tracked will make it more difficult to pursue similar cases in the future. But in the end, policymakers argued in favor of going ahead with the indictment.
In the case of the U.S. subsidiary of the German firm SolarWorld AG, which makes solar panels, the Chinese military obtained pricing and cost data through cyber espionage.
“The FBI deliberately provided remarkable details about the secret techniques and goals of the clandestine cyber attacks in Pittsburgh,” said Michael Pillsbury, a former Pentagon official during the Reagan administration.
“This will scare the PLA hackers, at least for a few months, while they try to find out how they were detected,” he said. “But this approach will only work once. If the five indicted PLA hackers continue their hacking, but just use new names and develop more stealthy penetration methods, then these indictments will appear inadequate.”
Pillsbury, senior fellow at the Hudson Institute, said, “much stronger medicine will be needed next time” in dealing with PLA hacking.
— Bill Gertz
May 25, 2014