China’s Plague of Cyber Breaches

China treats cyberattacks as an arena in which it can compete with, or even beat, the U.S. There is no single source of Chinese hacking: some groups appear closely affiliated with China’s intelligence organizations, others have a more commercial footing, and their purposes range from political influence to monetary gain to theft of military technology.

The hackers are remarkably effective, and the U.S. is victimized regularly. Consumers are victimized indirectly, through diminished national security and through the higher cost of goods and services from businesses that have been hacked.

Marriott International reported that a breach running for four years exposed personal information of roughly 500 million guests. The compromised data included names, passport numbers, addresses, phone numbers, birth dates and email addresses. For some guests it also included encrypted payment card numbers, and Marriott could not rule out that the two components needed to decrypt them had been taken as well. Marriott’s security consultants found “hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers.” That is suggestive rather than conclusive: tools and techniques are shared, reused and deliberately imitated, so overlap alone does not establish who was at the keyboard.

The long-running Marriott breach looks like espionage rather than a financial operation. Marriott is a popular accommodation for military and business travelers, and the personal data has not turned up for sale on the dark web, as it likely would have if the motive were financial. Passport numbers and reservation histories could be used to establish travel patterns, or to determine whether two persons of interest were in the same city at the same time.

A Chinese hotel group, Huazhu, reported a similar breach of about 500 million records containing names, mobile numbers, ID numbers and log-in PINs, home addresses and birthdays, credit card numbers, check-in and check-out times, spending amounts and room numbers. In this instance the data were posted for sale on the dark web, priced at $56,000 for 150 million of the records. The breach reportedly began when Huazhu’s programmers uploaded the data to GitHub. Production data and credentials do not belong in source control at all; a repository that is public, or that later becomes public, is effectively published.
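The Huazhu failure mode, an export of guest data committed to a repository, is one a pre-commit hook can catch before the push. The scanner below is an added example, not Huazhu’s code or any tool the page mentions. It validates candidate card numbers with the Luhn checksum and candidate PRC resident ID numbers with the GB 11643 check character, so that build numbers and order IDs do not trigger it, and it redacts what it reports so the hook’s own output does not leak the data. The file name `pii_scan.py`, the sample dump and every number in it are constructed for the demonstration (the card is a standard test number, the ID is the textbook example from the standard).

```python
import re
import sys

# Constructed sample of the kind of file that must never reach a repository:
# a guest export with mobile numbers, resident ID numbers and card numbers.
# Every value is synthetic (a test-card number and the textbook ID example).
SAMPLE_DUMP = """\
# guests.csv (constructed sample, not real data)
name,mobile,id_number,card
Zhang Wei,13812345678,11010519491231002X,4111111111111111
Li Na,13987654321,110105194912310021,4111111111111112
build_version=20180828
order_id=1234567890123456
"""

# 18-character PRC resident ID: 17 digits plus a check character (0-9 or X).
CN_ID_RE = re.compile(r"(?<![0-9A-Za-z])(\d{17}[0-9Xx])(?![0-9A-Za-z])")
# PRC mobile numbers: 11 digits beginning 13 to 19.
CN_MOBILE_RE = re.compile(r"(?<!\d)(1[3-9]\d{9})(?!\d)")
# Payment card PANs are 13 to 19 digits; the Luhn check filters most other numbers.
CARD_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(number: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def cn_id_ok(idnum: str) -> bool:
    """GB 11643-1999 check character: weighted sum of the 17 digits mod 11."""
    weights = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
    total = sum(int(c) * w for c, w in zip(idnum[:17], weights))
    return "10X98765432"[total % 11] == idnum[17].upper()


def redact(value: str) -> str:
    """Keep only the first and last four characters so findings can be logged safely."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every PII hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Validated ID numbers are blanked out first so their 17-digit prefix
        # cannot be re-reported as a card number.
        for m in CN_ID_RE.finditer(line):
            if cn_id_ok(m.group(1)):
                findings.append((lineno, "cn_id", redact(m.group(1))))
                line = line[:m.start(1)] + " " * len(m.group(1)) + line[m.end(1):]
        for m in CARD_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "card", redact(m.group(1))))
        for m in CN_MOBILE_RE.finditer(line):
            findings.append((lineno, "mobile", redact(m.group(1))))
    return findings


def main(paths: list[str]) -> int:
    """Exit non-zero if any file contains PII, so git refuses the commit."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += [(path,) + f for f in scan_text(fh.read())]
    for path, lineno, kind, value in hits:
        print(f"{path}:{lineno}: {kind} {value}")
    return 1 if hits else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in scan_text(SAMPLE_DUMP):   # offline demonstration on the sample
        print(finding)
```

Wired into `.git/hooks/pre-commit` as `git diff --cached --name-only --diff-filter=AM | xargs python pii_scan.py`, it blocks the commit and prints only redacted values. On the sample it reports the valid ID, the valid card and both mobile numbers on lines 3 and 4, and nothing for the malformed ID, the failed-Luhn card, the build number or the order ID.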

TEMP.Periscope (also tracked as Leviathan and, later, APT40) has been a very active Chinese hacking group. In 2018 it used a suite of unique tools to breach multiple U.S. defense contractors, universities and maritime technology development firms. TEMP.Periscope also made widespread intrusions into political organizations within Cambodia, including the National Election Commission, members of parliament representing the Cambodia National Rescue Party (CNRP), high-profile Cambodians who have publicly advocated for human rights, two unnamed Cambodian media entities, the Cambodian People’s Party (CPP), the Ministry of the Interior, the Ministry of Foreign Affairs, the Cambodian Senate, and the Ministry of Economics and Finance. The hacks underscore Beijing’s complex relationship with Cambodia’s ruling authoritarian regime led by Prime Minister Hun Sen. The scope of the penetrations is reminiscent of Russia’s cyber domination of Ukraine’s government and military networks.

Sometimes the consequences of Chinese penetrations are quickly lethal. Beginning in late 2010, Chinese authorities dismantled the CIA’s network of agents across the country, killing or imprisoning more than a dozen suspected U.S. sources. Reporting attributes the collapse, at least in part, to China’s compromise of the covert communications system the agency used to contact its sources; the sophistication of China’s cyber capabilities had been underestimated.

SS&C Technologies fell to a business email compromise scheme run by Chinese hackers. Emails purporting to come from a client gained the trust of a staffer, who treated requests to disburse that client’s funds as legitimate without following SS&C’s own verification protocols, and over a series of requests paid out $6 million. The defrauded client is, of course, suing SS&C. The control that defeats this kind of fraud is a callback to a phone number already on file, never one supplied in the email. Sometimes Chinese hackers are simply after money.

A cyberattack launched from China penetrated satellite operators, defense contractors and telecommunications companies in the United States and Southeast Asia. The campaign, by a group Symantec tracks as Thrip, appeared to be driven by espionage goals such as the interception of military and civilian communications. The hackers infected computers that monitored and controlled satellites and, in Symantec’s words, “could have changed the positions of the orbiting devices and disrupted data traffic.” Satellites are essential to some internet operations, telephone traffic and positioning services, although it is not clear whether those particular functions ran on the satellites Thrip reached.

In early 2018, Chinese hackers penetrated the computers of a contractor working for the Naval Undersea Warfare Center in Newport, RI, and stole highly sensitive undersea warfare data, including plans for a supersonic anti-ship missile, Sea Dragon, intended for launch from American submarines. The attack came from infrastructure commonly used by TEMP.Periscope.

RSA is a security company that sells cyber-defense and response products and services. In March 2011, Chinese hackers stole data related to RSA’s SecurID two-factor authentication tokens, which are “widely used by U.S. government agencies, contractors, and banks to secure remote access to sensitive networks.” The military contractors Lockheed Martin, L-3 Communications and Northrop Grumman were soon attacked with token codes derived from the stolen SecurID data. Other victims reportedly included Yahoo, Symantec and Dow Chemical.

A SecurID passcode is the token code combined with a PIN the user knows, so the stolen token data gave the attackers only the “something you have” half of the login. To complete the set they still needed usernames and PINs, obtained by phishing or by emails carrying malware. The military contractors re-issued tokens and temporarily closed remote access to their networks.
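The mechanics behind the SecurID paragraphs, as an added example that is not the page’s material and not RSA’s algorithm: SecurID uses a proprietary time-based scheme, so this model substitutes the open standard TOTP (RFC 6238, HMAC-SHA1) to show the same thing, that whoever holds the seed can compute the token’s codes, that the PIN is the only factor left, and that re-issuing seeds invalidates what was stolen. The seed is the RFC 6238 test seed so the codes can be checked against the published vectors; the PIN, the user record layout, the PBKDF2 PIN storage and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(seed, counter) to a decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(seed, int(at_time) // step, digits)


def pin_hash(pin: str, salt: bytes) -> bytes:
    """Server-side PIN storage; PBKDF2-SHA256 is a constructed choice for the demo."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_record(seed: bytes, pin: str) -> dict:
    """What the authentication server keeps per user: the seed and a hashed PIN."""
    salt = secrets.token_bytes(16)
    return {"seed": seed, "salt": salt, "pin_hash": pin_hash(pin, salt)}


def verify_login(record: dict, pin: str, code: str, now: int,
                 step: int = 30, window: int = 1) -> bool:
    """Both factors must check out: the PIN the user knows, and a code that the
    token (that is, the seed) produced within +/- `window` time steps."""
    pin_ok = hmac.compare_digest(record["pin_hash"], pin_hash(pin, record["salt"]))
    counter = int(now) // step
    code_ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        # no early return: every candidate is compared so timing does not reveal which matched
        code_ok |= hmac.compare_digest(code, hotp(record["seed"], counter + delta))
    return pin_ok and code_ok


def seed_theft_demo(now: int = 59) -> dict:
    """Model of the 2011 situation: the attacker holds the seed but not the PIN."""
    seed = b"12345678901234567890"          # RFC 6238 test seed (constructed demo value)
    record = make_record(seed, "2468")      # constructed PIN
    stolen_seed = bytes(seed)               # the seed record taken from the vendor
    attacker_code = totp(stolen_seed, now)  # the attacker's cloned token code

    results = {
        # With the seed the attacker produces exactly the code the real token shows.
        "cloned_code_matches_token": attacker_code == totp(seed, now),
        # The seed alone is not a login: the PIN is still unknown.
        "seed_only": verify_login(record, "0000", attacker_code, now),
        # Seed plus a phished PIN is a complete login.
        "seed_plus_phished_pin": verify_login(record, "2468", attacker_code, now),
    }
    # Re-issuing tokens means a fresh seed; the cloned code no longer verifies
    # (barring the roughly 1-in-300,000 chance of a colliding 6-digit code).
    record["seed"] = secrets.token_bytes(20)
    results["after_reissue"] = verify_login(record, "2468", attacker_code, now)
    return results


if __name__ == "__main__":
    for name, outcome in seed_theft_demo().items():
        print(f"{name}: {outcome}")
```

The point the demo makes about the defence is the same one the contractors acted on: once seeds are suspected stolen, nothing short of replacing them restores the second factor, and until that happens the PIN is doing all the work, which is why the phishing campaigns followed the RSA theft so quickly.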

The Winnti umbrella is a collection of Chinese hacking organizations that attack digital game makers and casinos. From casinos Winnti wants money; from everyone else it wants code-signing certificates. A code-signing certificate, together with its private key, lets the holder sign software so that operating systems and security products treat it as coming from a known publisher, a welcome disguise for malware. Once stolen, the certificate can be used to sign the tools of a high-value political attack so that they pass signature checks and blend in with the legitimate publisher’s software. A valid signature proves only that the key was used, not that its rightful owner used it, so defenders should check revocation status and treat an unfamiliar publisher’s signature as a weak signal rather than a clearance. The Winnti umbrella is associated with Chinese state intelligence organizations, and some parts of it have been located in the Xicheng District of Beijing.

No doubt our intelligence organizations are aware of these incidents and of their implications for both the U.S. reputation and the monetary and military exposure they imply. Even without help from Russia, Iran and North Korea, China is making the U.S. look inept. It is unclear why the U.S. lets China’s hackers have almost free rein across our military and political systems.
