The People's Republic of China
During the NATO attacks on Serbia in the spring of 1999, including the accidental bombing of the Chinese embassy, there were retaliatory attacks against NATO's public web server (instigated from Belgrade) and against a number of U.S. government sites, including Dept of Interior, Dept of Energy, the National Park Service (!), and the U.S. embassy in China (instigated from Beijing and from groups supporting the Beijing government).
There were also attacks against U.S. and NATO systems from China. Federal Computer Week, 1 Sep 1999.
April-May 2001 — A US Navy EP3 intelligence gathering aircraft landed on Hainan Island after a mid-air collision with a Chinese fighter, leading to scattered attacks using "Kill USA" and "China Killer" programs. New Scientist, 23 Feb 2008 pp 24-25.
2003 — The "Titan Rain" coordinated attacks from China on U.S. computer systems were announced. Systems were compromised at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. It had been going on at least since 2000. This was an early example of an advanced persistent threat.
October 2007 — The US Department of Homeland Security's U.S. Immigration and Customs Enforcement agency reported that it had launched more than 540 investigations into illegal exports of controlled U.S. technology to China since 2000. Homeland Security Affairs, (Journal of the Naval Postgraduate School Center for Homeland Defense and Security), vol V, No 1, Jan 2009.
2007 to present — A group of entities sometimes called the seems to be associated with the state intelligence apparatus. Several state intelligence operations from 2009 at least through 2018 are linked to it, and there are signs of some activity as early as 2007. Analysts have given several names to this collection of operations. Reports and analyses:
- ProtectWise 401TRG May 2018 Overview
- Grugq analyzes Winnti operation
- Kaspersky initial report on Winnti (2013)
- Kaspersky Winnti technical analysis
- Kaspersky Winnti honeypot analysis
- Novetta on "Operation SMN"
- Winnti compromise of Bit9
- FireEye on "Operation DeputyDog"
- Mandiant on APT1
- Cylance on "PassCV"
- TrendMicro on Winnti
- Citizen Lab on attacks on media
- Palo Alto Unit 42 on attacks against Thailand
- ProtectWise 401TRG July 2017 report
- ProtectWise 401TRG October 2017 update
- Kaspersky on ShadowPad
- Kaspersky on Winnti-APT17 connections
- Intezer on Winnti-APT17 connections
January 2008 — The US Air Force said, "China has been positively identified as a source of campaign-style cyber attacks on Department of Defense systems."
January 2008 — The US Air Force said that papers in Chinese military journals and textbooks discuss ideas for war against the US in a confrontation over Taiwan, including communication jamming and computer malware.
February 2008 — The Australian government announced that Chinese hackers were launching targeted attacks to gather information ranging from sensitive military secrets to the prices Australian companies would seek for resources such as coal. The Age, 10 Feb 2008.
11 February 2008 — US officials arrested a former Boeing engineer on charges of stealing trade secrets from the space-shuttle program, Delta IV rocket and other projects and sending them to agents of the Chinese government. Orlando Sentinel, 12 Feb 2008.
12 February 2008 — The Washington Times had a story on Chinese espionage.
15 February 2008 — The Washington Post had a story on Chinese espionage.
3 March 2008 — The US Defense Department said that attacks in 2007 against computer networks operated by governments and commercial institutions around the world "appear" to have originated
Sources: Government Executive, 4 Dec 2007; Government Executive, 3 Mar 2008; Government Executive, 6 Mar 2008; Federal Computer Week, 4 Mar 2008; 2007 Report To Congress of the U.S.-China Economic and Security Review Commission.
24 March 2008 — Tibet protest groups have been targeted for attack with hostile e-mail attachments sent from Chinese servers. BBC World News, 24 Mar 2008.
25 March 2008 — "A Chinese-born engineer convicted of conspiring to pass U.S. military secrets to the People's Republic of China was sentenced Monday to 24 years and five months in federal prison." Information Week, 25 Mar 2008.
10 April 2008 — Business Week ran a cover story "The New E-spionage". Summary: many prolific sources based in the PRC launch spear-phishing attacks on government workers and contractors. The To: and From: fields look relevant, and so does the content. The message carries a spyware attachment that captures keystrokes and harvests data files, sending the product back to the PRC, plus a capability for remote access to the system. BYZANTINE FOOTHOLD has been a US project to detect, track, and disarm intrusions on critical government networks. "Poison Ivy" was the name given to the PRC code by commercial infosec companies.
6 May 2008 — "Over the past one and a half years, officials said, China has mounted almost daily attacks on Indian computer networks, both government and private, showing its intent and capability." Times of India, 6 May 2008.
3 Nov 2008 — The Diplomatic Security Daily, a publication of the U.S. Department of State, reported on the sophisticated threat assigned the code word Byzantine Candor, with a subset of that known as Byzantine Hades. Abbreviations used in the report:
- BC = Byzantine Candor
- CNE = Computer Network Exploitation
- USG = United States Government
- DoS = Department of State (and not Denial of Service!)
- CTAD = Cyber Threat Analysis Division
As the widely mirrored WikiLeaks copy of the file shows, that report said:
¶39 (S//NF) Worldwide - BC conducting CNE on USG systems:
¶40. (S//NF) Key highlights:
- BC actively targets USG and other organizations via socially engineered e-mail messages.
- BC actors recently compromised the systems of a U.S. ISP to carry out CNE on a USG network.
- Additional IP addresses were identified this month as compromised and used for BC activity.
- BC has targeted DoS networks in the past and may again in the future via spoofed e-mail.
¶41. (S//REL TO USA, FVEY) Source paragraph: Byzantine Candor (BC) actors have compromised multiple systems located at a U.S. Internet service provider (ISP) and have used the systems as part of BC's U.S.-based attack infrastructure since at least March, targeting multiple victims including at least one USG agency.
¶42. (S//NF) CTAD comment: Since late 2002, USG organizations have been targeted with social-engineering online attacks by BC actors. BC, an intrusion subset of Byzantine Hades activity, is a series of related computer network intrusions affecting U.S. and foreign systems and is believed to originate from the PRC. BC intruders have relied on techniques including exploiting Windows system vulnerabilities and stealing login credentials to gain access to hundreds of USG and cleared defense contractor systems over the years. In the U.S., the majority of the systems BC actors have targeted belong to the U.S. Army, but targets also include other DoD services as well as DoS, Department of Energy, additional USG entities, and commercial systems and networks. BC actors typically gain initial access with the use of highly targeted socially engineered e-mail messages, which fool recipients into inadvertently compromising their systems. The intruders then install malware such as customized keystroke-logging software and command-and-control (C&C) utilities onto the compromised systems and exfiltrate massive amounts of sensitive data from the networks. This month, BC actors attempted to compromise the network of a U.S. political organization via socially engineered e-mail messages (see CTAD Daily Read File dated October 16).
¶43. (S//REL TO USA, ACGU) CTAD comment: Also discovered this month by USG analysts was the compromise of several computer systems located at a commercial ISP within the United States. According to Air Force Office of Special Investigations (AFOSI) reporting, hackers based in Shanghai and linked to the PRC's People's Liberation Army (PLA) Third Department have been using these compromised systems as part of the larger BC attack infrastructure to facilitate computer network exploitation (CNE) of U.S. and foreign information systems. Since March, the responsible actors have used at least three separate systems at the unnamed ISP in multiple network intrusions and have exfiltrated data via these systems, including data from at least one USG agency. AFOSI reporting indicates, on March 11, BC actors gained access to one system at the ISP, onto which the actors transferred multiple files, including several C&C tools. From here, the intruders used the tools to obtain a list of usernames and password hashes for the system. Next, on April 22, BC actors accessed a second system at the ISP, where they transferred additional software tools. From April through October 13, the BC actors used this computer system to conduct CNE on multiple victims. During this time period, the actors exfiltrated at least 50 megabytes of e-mail messages and attached documents, as well as a complete list of usernames and passwords from an unspecified USG agency. Additionally, multiple files were transferred to the compromised ISP system from other BC-associated systems that have been previously identified collecting e-mail messages from additional victims. The third system at the U.S. ISP was identified as compromised on August 14, when BC actors transferred a malicious file onto it named "salaryincrease-surveyandforecast.zip." According to AFOSI analysis, BC actors use this system to host multiple webpages that allow other BC-compromised systems to download malicious files or be redirected to BC C&C servers.
¶44. (S//REL TO USA, FVEY) CTAD comment: Additional DoD reporting this month indicates BC actors have used multiple other systems to conduct CNE against U.S. and foreign systems from February through September. A October 23 DoD cable states Shanghai-based hackers associated with BC activity and linked to the PLA have successfully targeted multiple U.S. entities during this time period. The cable details dozens of identified Internet Protocol (IP) addresses associated with BC activity as well as the dates of their activity. All of the IP addresses listed resolve to the CNC Group Shanghai Province Network in Shanghai, and all the host names of the addresses contained Asian keyboard settings as well as China time zone settings. Most of these IP addresses were identified as responsible for direct CNE of U.S. entities, including unspecified USG organizations, systems and networks. Interestingly, although the actors using each IP address practiced some degree of operational security to obfuscate their identities, one particular actor was identified as lacking in these security measures. On June 7, the BC actor, using an identified IP address, was observed using a Taiwan-based online bulletin board service for
¶45. (S//NF) CTAD comment: BC actors have targeted the DoS in the past on multiple occasions with socially engineered e-mail messages containing malicious attached files and have successfully exfiltrated sensitive information from DoS unclassified networks. As such, it is possible these actors will attempt to compromise DoS networks in the future. As BC activity continues across the DoD and U.S., DoS personnel should practice conscientious Internet and e-mail use and should remain informed on BH activity. (Appendix sources
I do not understand what is meant by: "and all the host names of the addresses contained Asian keyboard settings as well as China time zone settings."
Yes, the DNS PTR records might contain non-ASCII characters in the host names, and "Asian keyboard settings" might be a clumsy way of saying that. But "China time zone settings"? That says to me that they were looking at e-mail headers.
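The guess above, that the analysts were reading e-mail headers, and the cable's description of a socially engineered message carrying a malicious zip attachment, both come down to routine mail triage. The script below is an added example, not code from this page or from any of the reports it cites. It builds a constructed sample message (the sender, recipient, relay host, IP address and attachment are all invented for the example), then reports the UTC offset in the Date header, the host names claimed in Received headers with any punycode (xn--) labels decoded back to Unicode, and zip attachments whose members look executable by extension or by a leading MZ header. The hypothetical relay name carries a non-ASCII label so the decoding path is exercised.

```python
import io
import re
import zipfile
import email
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Extensions that have no business inside a "survey" or "document" archive.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                 ".js", ".vbs", ".hta", ".lnk", ".dll")


def build_sample() -> bytes:
    """Constructed sample message: every address, host, IP and file here is invented."""
    msg = EmailMessage()
    msg["From"] = "hr-benefits@example.org"
    msg["To"] = "analyst@example.gov"
    msg["Subject"] = "Salary increase survey and forecast"
    msg["Date"] = "Mon, 03 Nov 2008 09:15:00 +0800"   # sender's clock is set to UTC+8
    # Hypothetical relay whose PTR name has a non-ASCII label (IDNA/punycode on the wire).
    relay = "mail-01." + "例子".encode("idna").decode("ascii") + ".example"
    msg["Received"] = (f"from {relay} (203.0.113.5) by mx.example.gov; "
                       "Mon, 03 Nov 2008 01:16:00 +0000")
    msg.set_content("Please complete the attached survey before Friday.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A PE-looking stub behind a double extension, the classic lure layout.
        zf.writestr("survey.xls.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="salaryincrease-surveyandforecast.zip")
    return msg.as_bytes()


def date_utc_offset(msg) -> str:
    """UTC offset of the Date header as +HHMM; empty if missing or unparsable."""
    raw = msg.get("Date")
    if raw is None:
        return ""
    try:
        return parsedate_to_datetime(str(raw)).strftime("%z")
    except (TypeError, ValueError):
        return ""


def received_hosts(msg) -> list:
    """Host names claimed in 'from <host>' clauses of Received headers, outermost first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr), re.IGNORECASE)
        if m:
            hosts.append(m.group(1))
    return hosts


def decode_idna_labels(host: str) -> list:
    """Unicode form of each punycode (xn--) label in a host name."""
    decoded = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                decoded.append(label.encode("ascii").decode("idna"))
            except UnicodeError:
                decoded.append("<invalid punycode>")
    return decoded


def archive_executables(msg) -> dict:
    """Map each zip attachment to members that look executable by name or MZ header."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m for m in zf.namelist()
                           if m.lower().endswith(EXEC_SUFFIXES) or zf.read(m)[:2] == b"MZ"]
        except zipfile.BadZipFile:
            members = ["<unreadable archive>"]
        findings[name] = members
    return findings


def triage(raw: bytes) -> dict:
    """Header and attachment indicators for one message; none of them proves origin."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hosts = received_hosts(msg)
    return {
        "date_utc_offset": date_utc_offset(msg),
        "received_hosts": hosts,
        "idna_labels": {h: decode_idna_labels(h) for h in hosts if decode_idna_labels(h)},
        "archive_executables": archive_executables(msg),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The Date offset and the relay names are exactly the weak signals the author is sceptical of: a sender's clock and a "from" clause in a Received header are both under the sender's control, so they belong in a triage report as context, not as attribution. The attachment check is the part that earns a block or a quarantine on its own.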
20 Nov 2008 — A U.S. Congressional advisory committee releases a report warning that Chinese attacks on civilian, government, and military networks are rising. This was also reported in Information Week.
18 Apr 2009 — Newsweek magazine reports on "Ghostnet". It was politically oriented, compromising systems belonging to the Dalai Lama's Tibetan exile centers in India, London and New York, along with embassies, foreign ministries and other government offices. See the reports from the SecDev Group and the Munk Centre for International Studies, and the University of Cambridge. Also see the McAfee—Foundstone detailed analysis Know Your Digital Enemy: Anatomy of a Gh0st RAT.
Some calm thinking on the Chinese hacking threat — Bruce Schneier's essay for the Discovery Channel pointed out that the truth is a lot more complicated. Much is from patriotic Chinese citizens, plus a lot of automated attacks run on compromised systems that just happen to be located in China.
Mid-2009 — China began "Operation Aurora" in the middle of the year, continuing through December. It was aimed at stealing intellectual property from dozens of technical corporations, including Google (the first to publicly disclose it, in December), Rackspace, Adobe Systems and Juniper Networks, all of whom publicly confirmed being targeted, plus Northrop Grumman, Dow Chemical, Morgan Stanley, Yahoo and Symantec.
Nov 2009 — The "Night Dragon" attacks began, launched against several global petrochemical and energy companies. These evolved into sophisticated attacks, advanced persistent threats as they're now known. McAfee has a good overview and detailed white paper describing these.
Jan 12-13 2010 — Google announced that they detected "a highly sophisticated and targeted attack" originating from China. Reuters reported on this. Dark Reading had a summary mentioning that Adobe was also a victim.
Feb 11 2011 — Dark Reading reported that McAfee had detected the "Night Dragon" series of APT attacks on major energy firms beginning as early as 2008, saying that they had "identified tools, techniques, and network activities utilized ... that point to individuals in China as the primary source", saying the hackers appear to be based in Beijing and working standard local business hours. Paris Match reported, and the French government subsequently confirmed, that over 150 computers in the Ministry of Economy and Finances had been penetrated for months leading up to the French-hosted G20 summit in February 2011.
May 8 2012 — Dark Reading reported that Cyber Squared had infiltrated the attackers' communications channel and gathered information on a widespread series of attacks dating back to 2011 against over twenty private firms, government organizations, and think tanks linked to Chinese strategic interests.
Sep 7 2012 — Symantec reported on the Elderwood Project, which includes the Aurora Trojan horse and other related attacks re-using components of a shared attack infrastructure. The primary targets are members of the defense supply chain. Dark Reading has a summary.
Sep 25 2012 — Dark Reading reported on the "VOHO" attack campaign with ties to China. RSA's report is The VOHO Campaign: An In Depth Analysis. The VOHO attack is reported to share components of the Elderwood Project.
Sep 2012 — Peter the Great Versus Sun Tzu is an interesting analysis and comparison of Chinese and Russian hackers. Eastern European hackers tend to develop and use far more sophisticated malware running on their own fairly bulletproof hosting infrastructure, while East Asian hackers use simpler techniques running on cheap infrastructure at mass-hosting ISPs. Eastern European hackers work in small elite teams to steal credentials and directly derive profit, while East Asian hackers work in large groups at the direction of large institutions to steal sensitive corporate data.
Oct 2012 — The House Intelligence Committee warned U.S. companies to avoid the Chinese telecommunications companies Huawei and ZTE. See the Dark Reading report or the full investigative report.
January 2013 — The New York Times announced that an advanced persistent threat with suspected ties to the People's Republic of China, called APT12, had compromised its networks over the preceding four months. "Hackers in China Attacked the Times for Last 4 Months" The New York Times, 30 January 2013.
February 2013 — Mandiant released a detailed report on APT1, their label for a very sophisticated multi-year cyber espionage operation of the Chinese government. They provide evidence linking APT1 to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD's) 3rd Department, using Military Unit Cover Designator Unit 61398. APT1 conducted economic espionage since 2006 against 141 victims in multiple industries in English-speaking countries, stealing hundreds of terabytes of data. The Washington Post reported on the story.
March 7 2013 — A Foreign Policy article reports: "Cyber-warfare directed against American companies is reducing the gross domestic product by as much as $100 billion per year, according to a recent National Intelligence Estimate." And: "In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China's cyber-espionage program, according to a U.S. intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks."
March 11 2013 — The Australian Financial Review reported that Chinese-developed malicious software had repeatedly penetrated the Reserve Bank of Australia's networks and extracted sensitive internal information.
March 14 2013 — Cyber Squared published a report Medical Industry — A Cyber Victim: Billions Stolen and Lives At Risk describing three APT attacks out of China against the medical industry. Mandiant reports at least five active Chinese hacker groups targeting the medical industry. A Dark Reading report summarizes this trend.
The same day, International Business Times reported that China launched a probe against Coca-Cola for alleged spying activities especially "collecting classified geographic information using handheld GPS devices".
Mar 2013 — The journal Science had an article "A Call to Cyber Arms" (vol 339 pp 1026-1027) discussing Mandiant's APT1 report and reporting: "In the academic world, a leader in cyber defense research is Shanghai Jiao Tong University's School of Information Security Engineering. In the past several years, its scientists have published openly on the injection of Trojan Horses into the Windows platform, for instance, and on the pros and cons of Rootkit, a program for hijacking a computer system. In Changsha, the National University of Defense Technology has a research program in electronic and information warfare. And at Dalian University of Technology in northeast China, a pair of researchers funded by the science ministry and the National Natural Science Foundation of China published a report in Safety Science in July 2011 on vulnerabilities in the western U.S. power grid."
Apr 2013 — FireEye released their Advanced Threat Report detailing 2,000 incidents involving Gh0st RAT, a remote-access tool and APT believed to have been developed in and deployed from China.
May 2013 — China was accused of high-profile cyber-espionage, stealing information on U.S. weapons systems including the F-35, PAC-3, THAAD, Aegis, F/A-18, V-22 Osprey, Black Hawk helicopter, and the Littoral combat ship, in addition to more mundane business information. See "Plans for More Than Two Dozen U.S. Weapons Systems — Including an F-35 Fighter — Have Been Stolen by Chinese Hackers, Claims Pentagon", The Daily Mail, 28 May 2013.
June 14 2013 — Kaspersky Lab announced its analysis of the Red Star or NetTraveler APT. They had samples going back to 2005, although it seems to have been active at least since 2004. It is also known as TravNet and Netfile. Targets include Tibetan and Uyghur activists, oil industry companies, governments and government institutions including embassies, and military contractors. Their analysis of the malware indicates that it was developed by a team of about 50 people, most of whom speak Chinese natively and have a working knowledge of English. See Kaspersky's detailed report for more.
12 Nov 2013 — FireEye concluded that a number of Chinese APT campaigns may be more connected than previously thought. Eleven Chinese APTs shared malware tools, code, and digital certificates. See FireEye's report Supply Chain Analysis: From Quartermaster to Sunshop.
19 May 2014 — The U.S. Department of Justice issued an indictment of five Chinese military officers "for computer hacking, economic espionage, and other offenses directed at six American victims in the U.S. nuclear power, metals, and solar products industries." Time and CNN reported on this. Wired covered the indictment and also ran a story "How a Chinese Tech Firm Became the NSA's Surveillance Nightmare". The Lawfare blog discussed why the indictment was made. The five defendants were Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, members of Unit 61398 of the Third Department of the People's Liberation Army.
It had been clear for some time that the NSA had been attacking Chinese networks, see reports from CNN, Wired, and Bruce Schneier here and here. NSA had also been intercepting Cisco equipment shipments and modifying the contents to install their "implants". And, the Washington Post reported in 2013 that U.S. spy agencies had mounted 231 offensive cyber operations in 2011. China complained about what they saw as the hair-splitting distinction between NSA hacking China for purely national security reasons versus China hacking the US for economic reasons. See reports in the New York Times and DailyTech. Chinese retaliation was described by Reuters and Bloomberg and in Foreign Policy and The Los Angeles Times.
Foreign Policy ran a story "Exclusive: Inside the FBI's Fight Against Chinese Cyber-Espionage".
Xinhua reported "A spokesperson for China's State Internet Information Office on Monday published the latest data of U.S. cyber attack, saying that China is a solid defender of cyber security. The U.S. is the biggest attacker of China's cyber space, the spokesperson said, adding that the U.S. charges of hacking against five Chinese military officers on Monday are 'groundless'. Latest data from the National Computer Network Emergency Response Technical Team Coordination Center of China (NCNERTTCC) showed that from March 19 to May 18, a total of 2,077 Trojan horse networks or botnet servers in the U.S. directly controlled 1.18 million host computers in China."
July 2014 — CrowdStrike reported on what they called Deep Panda, a Chinese government cyber-operation against national security think tanks and human rights organizations. The think tanks in particular are staffed by former senior government officials with lots of insight of interest to the Chinese government and its military. CrowdStrike had noticed a sudden shift in interest by the Deep Panda operation, moving from Southeast Asia policy information to Iraq and related Middle East issues. This seems to be because of sudden advances in which the Islamic State of Iraq and the Levant group took control of large regions of Iraq, a country providing 20% of China's oil. See the CrowdStrike Deep Panda report for details on the shift in focus and the technology used in the continuing penetrations. The same group is thought to be behind the massive Anthem breach discovered in early 2015.
March 2015 — China explicitly acknowledged the existence of their cyber-warfare forces in The Science of Military Strategy, published by the top research institute in the People's Liberation Army and analyzed in the U.S. by the Center for Intelligence Research and Analysis and described in the book China's Evolving Military Strategy. See the story in The Daily Beast.
April 2015 — FireEye reported on what they called APT30, an advanced and very persistent operation against government and commercial entities across southeast Asia and India for over ten years. It was aimed at stealing information on political, economic, and military topics. FireEye concluded that it was a Chinese government operation.
June 2015 — The U.S. Government announced a data breach at the Office of Personnel Management or OPM that will likely have long-term geopolitical repercussions as it seems to have included a huge archive of background investigations used to grant security clearances. As the Washington Post described the data in July, 2014, when Chinese intrusion into OPM data was first noticed:
In those files are huge treasure troves of personal data, including "applicants' financial histories and investment records, children's and relatives' names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers."
See the overview at Krebs on Security; a summary of it follows:
- March 2014 — Breach of OPM networks from China.
- July 2014 — OPM investigates the March breach.
- August 2014 — Investigators announce that USIS, a contractor doing background checks for DHS, was hacked.
- November 2014 — OPM's Office of the Inspector General publishes a report listing "significant" deficiencies in OPM's IT security. No comprehensive inventory of servers, databases, and network devices, no sign of a vulnerability scanning program. The report concluded, "We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency's IT security program."
- December 2014 — Keypoint had taken over the USIS contract, now Keypoint is hacked.
- February 2015 — Insurance company Anthem is hacked. Later analysis suggests it's the same group of Chinese hackers. A private firm, not a government or military agency.
- May 2015 — Premera Blue Cross and Carefirst Blue Cross are hacked, affecting 11 million and 1.1 million customers, respectively. Again, the same attack infrastructure and methods seem to have been used.
- June 2015 — OPM discloses their breach, initial reports said it affects "up to 4 million federal employees" but later reports add that it may be many, if not all, applicants for security clearances over decades.
- 9 July 2015 — OPM concludes its investigation of the breach discovered in June 2015, revealing that 19.7 million individuals (plus 1.8 million non-applicants such as spouses and partners) were affected by the intrusion. This is in addition to the 4.2 million whose personal information was compromised in April 2015.
November 2016 — The Citizen Lab group at the University of Toronto reported on a malware operation targeting members of the Tibetan Parliament in exile from August through October 2016. It is a good, detailed report describing a combination of social engineering and customized malware known as KeyBoy.