China and Cyber-Espionage

By Jamie Metzl

Jamie Metzl is Executive Vice President of Asia Society and a former official in the U.S. National Security Council, State Department, and Senate Foreign Relations Committee. The views expressed in this article are his own.

A number of people have asked me how I made the determination described in my Wall Street Journal editorial last Wednesday that China may be one of the world’s worst state perpetrators of cyber-espionage and malicious computer hacking. (See China's Threat to World Order: Computer hacking is typical of Beijing's disdain for global norms.)

Although I have spoken with a number of American officials with access to classified information who have made this assertion with great passion, I do not have access to any of these classified documents. Instead, I have decided to lay out the evidence gleaned from public sources.

If there is more evidence making the case that China is involved in these activities on an official or quasi-official level, please add it in a reply to this blog post.

Even more importantly, if you believe that these allegations are false, I very much encourage you to make your case on this site. The evidence is laid out below. Links to the source materials referenced are embedded in the text.

Let the dialogue begin.

The case that China is one of the world’s worst state perpetrators of cyber-espionage and malicious computer hacking

Reports

• In a 2010 report to Congress, the U.S. Defense Department asserted that China is “actively pursuing cyber capabilities with a focus on the exfiltration of information, some of which could be of strategic or military utility”.
• In its 2010 report to Congress, the U.S.-China Economic and Security Review Commission stated that “China’s government, the Chinese Communist Party, and Chinese individuals and organizations continue to hack into American computer systems and networks as well as those of foreign entities and governments.”
• An October 2009 report by Northrop Grumman for the U.S.-China Economic and Security Review Commission asserted that “government efforts to recruit from among the Chinese hacker community and evidence of consulting relationships between known hackers and security services indicates some government willingness to draw from this pool of expertise.” The report revealed that “a founding member of the influential Chinese hacker group Javaphile has a formal consulting relationship with the Shanghai Public Security Bureau and researcher credentials at the information security engineering institute of one of China’s leading universities.”
• A March 2011 report by Invictis Information Security Ltd. stated that “Chinese commercial espionage is as much a state‐sponsored activity as their military and civilian operations. The Chinese government supports commercial espionage as a necessary economic activity to help create Chinese commercial advantage and strategic success in the 21st century. Beijing has at its disposal an army of computer hackers, immigrants (resident in target countries), intelligence operatives, scientists and students.”
• A 2010 restricted report from MI5's Centre for the Protection of National Infrastructure (CPNI) reportedly detailed how China has hacked various British defense, energy, communications, and manufacturing companies.
• The United States Congressional Research Service (CRS) reported in 2001 that China was “moving aggressively toward incorporating cyber warfare into its military lexicon, organization, training, and doctrine [and] pursuing the concept of a Net Force, which would consist of a strong reserve force of computer experts trained at a number of universities, academies, and training centers.”

Statements by officials

• Former U.S. cyber-czar Richard Clarke asserted that “What’s going on is very large-scale Chinese industrial espionage…They’re stealing our intellectual property. They’re getting our research and development for pennies on the dollar”.
• In an April 15, 2011 testimony for the Oversight and Investigations Subcommittee of the Foreign Affairs Committee of the United States House of Representatives, Richard Fisher, Senior Fellow at the International Assessment and Strategy Center, asserted that “PRC uses its cyber capabilities to pursue a relentless global campaign of cyber espionage, in which every country in which the PRC has any kind of interest, is subject to continuous cyber probes seeking all manner of information of military, commercial or political value.”
• In a March 2010 testimony before the House of Representatives Committee on Foreign Affairs, Larry Wortzel, Commissioner of the U.S.-China Economic and Security Review Commission, explained that hacking by Chinese actors works to “speed the development and fielding of weapons in China, improve technology in sectors of China’s industries while saving time and money in research and development.”
• In a March 2010 testimony to the Senate Armed Services Committee, Director of National Intelligence James Clapper asserted that, when it comes to cyberwarfare, “The Chinese have made a substantial investment in this area. They have a very large organization devoted to it…this is just another way in which they glean information about us and collect on us for technology purposes, so it's a very formidable concern.”
• In a June 13, 2007 testimony before the House of Representatives Committee on Armed Services, then Deputy Undersecretary for Defense for Asian and Pacific Security Affairs, Richard Lawless, asserted that the Chinese are “leveraging information technology expertise available in China’s booming economy to make significant strides in cyberwarfare.”
• In 2007, Jonathan Evans, the Director‐General of the UK Security Service, MI5, stated that the Chinese “continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects and trying to obtain political and economic intelligence at our expense.”
• In August 2007, German Chancellor Angela Merkel reportedly confronted Chinese Premier Wen Jiabao after Chinese hackers attacked computers in her office and other German government ministries.

Operation Shady RAT

• In response to questions as to whether China was behind the recent, high-level hacking campaign known as ‘Operation Shady RAT’, Vice President of Threat Research at cybersecurity firm McAfee Dmitri Alperovitch, responded: “If others want to draw that conclusion, I certainly wouldn’t discourage them.”
• Center for Strategic and International Studies (CSIS) cyber security expert James A. Lewis, stated that “the most likely candidate [as perpetrator of ‘Operation Shady RAT’ is China.”
• Among the 72 hacking targets in 14 countries in ‘Operation Shady RAT’ was the International Olympic Committee and several national Olympic Committees—all breached in the months leading up to the 2008 Beijing Olympics. Three targeted entities were located in Taiwan and 49 were located in the United States. None of the victims were located in China (with the exception of a U.S. News Organization’s Hong Kong Bureau).
• Remote administration tool (RAT) malware was also used in the ‘Night Dragon’ attacks in 2011, which McAfee had concluded came from China.

Night Dragon

• In February 2011, a report from McAfee concluded that the cyber-attack known as ‘Night Dragon’ against major Western energy firms had originated “primarily in China,” effectively tracing it back to Chinese IP addresses in Beijing. Command and control was found to be based in Heze City, the malware tools used were regularly offered for download by Chinese hacker websites, and the hackers appeared to work on regular weekdays, nine-to-five Beijing time-zone schedule.

Operation Aurora

• In Jan 2010, Google openly accused China of stealing some of the company’s source code via an attacked dubbed ‘Operation Aurora’. Servers at two schools in China, Jiaotong University in Shanghai and Lanxiang Vocational School in Shandong Province, were determined to have been used in the attack. Lanxiang was founded with military support and continues training many of the military’s computer scientists. After being briefed by Google on ‘Operation Aurora’, Secretary of State Hillary Clinton issued a statement saying, “We look to the Chinese government for an explanation.”
• A report by Verisign iDefense, a security-intelligence service based in Virginia, reportedly determined that ‘Aurora’ was directed by “agents of the Chinese state or proxies thereof.”

RSA Attacks

• The command-and-control servers used in the March 2011 attacks on RSA—the security division of high-tech company EMC Corp.—were traced to networks in Beijing and Shanghai. The location of the servers was identified due to use of the malware tool “HTran,” which Chinese backers are known to bundle with their code. EMC’s products are used to protect high-level computer networks throughout the U.S. government as well as large corporations and defense contractors.

Other attacks

• In June 2011, Google announced it had thwarted an attempt from China to steal the Gmail passwords of senior U.S. government officials. Google said the attacks originated in Jinan, China, one of seven regional command centers for the Chinese military.
• On April 8, 2010, state-owned China Telecom rerouted U.S. and other foreign Internet traffic, causing 15 percent of the all internet traffic to travel through Chinese servers for nearly 20 minutes. The long-term impact of this rerouting remains unknown.
• In April 2009, hackers broke into the Pentagon's Joint Strike Fighter project—an attack that former U.S. officials attributed to China after it was traced back to Chinese IP addresses.
• According to Senior Fellow at the International Assessment and Strategy Center, Richard Fisher, Chinese hackers attacked computer systems at the U.S. Naval War College, National Defense University, and the U.S Army’s Fort Hood throughout 2006.
• The 2005 ‘Titan Rain’ cyber-espionage ring, responsible for breaking into a number of U.S. military and defense contractor computer systems, was traced back to three Chinese routers in China’s Guangdong Province.

Primary research conducted by Johan Kharabi.