China’s Cyberwarriors and the Pursuit of Information Dominance

An ongoing campaign of computer attacks on the U.S. this year has been traced to China. What are the hackers after?

Who has been hacked?
Government agencies, newspapers, utilities, and private companies—hundreds of targets in all. The cybersecurity firm Mandiant, which has been tracking these attacks since 2004, says data has been stolen from at least 140 companies, mostly American, including Google, DuPont, Apple, The New York Times, and The Washington Post, as well as think tanks, law firms, human-rights groups, and foreign embassies. A company that provides Internet security for U.S. intelligence agencies was attacked; so was one that holds blueprints for the nation’s pipelines and power grids. Hackers even stole classified information about the development of the F-35 stealth fighter from subcontractors working with the plane’s manufacturer, Lockheed Martin. Congressional and federal offices have reported breaches. In 2007, the Pentagon itself was attacked—and it won’t say what was stolen.

Who’s doing it?
Ten years ago, Chinese patriots working independently were behind many of the attacks. These young hackers were outraged by the 1999 U.S. bombing of the Chinese Embassy in Belgrade, Serbia, an accident during the Kosovo War. Using the name Honkers, or Red Guests, they launched a series of denial-of-service attacks on U.S. government websites. But within a few years some of them had begun working with the Chinese government, targeting Tibetan and Taiwanese independence groups, the religious group Falun Gong, and anyone in the West who communicated with Chinese dissidents. In recent years, says anti-malware specialist Joe Stewart, the number of hackers has doubled, with 10 major hacking groups in China. “There is a tremendous amount of manpower being thrown at this from their side,” Stewart told Bloomberg Businessweek. China’s government now appears to be directing the attacks. “We’ve moved from kids in their bedroom and financially motivated crime to state-sponsored cybercrime,” said Graham Cluley, a British security expert.

Why is China doing this?
China treats cyber operations as a legitimate instrument of commercial and military competition, and is pursuing what it calls “information dominance.” Mandiant has traced many of the U.S. attacks to a Shanghai office building that appears to house the People’s Liberation Army’s cyberwarfare unit. Thousands of intrusions, including those carried out under two prominent aliases, Ugly Gorilla and SuperHard, were traced definitively to that district, and in recent years the building has been fitted with high-capacity fiber-optic connections able to carry massive data traffic. About 2,000 people are estimated to work there. The group appears to specialize in English-language targets, and its hackers seem well versed in Western pop culture; one used Harry Potter references for his passwords. China has issued a blanket denial, calling Mandiant’s claims “groundless” and “irresponsible.”

How do the hackers get access?
Mostly by the technique known as “spear phishing”: a targeted email, written for a specific employee of the targeted company, carrying a link or an attachment. When the employee opens it, malware is installed that gives the attackers a foothold on the network; from there they move from machine to machine, harvesting emails, blueprints, and other documents. Some phishing emails are recognized as junk by their recipients, but the attackers are getting better at disguising them, sometimes sending from accounts that carry the names of real people the recipient knows, and writing in colloquial English, so the messages read as plausible company business.
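Two of the tells described above (a familiar sender name on an unfamiliar address, and a link whose visible text does not match where it actually points) are mechanically checkable. The following is an added example, not code from the original article or from Mandiant; the contact directory, the sample messages and the look-alike domain are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical contact directory: display name -> the domain that person really mails from.
KNOWN_CONTACTS = {
    "Jane Doe": "example-corp.com",
    "Tom Lee": "example-corp.com",
}

# Constructed sample: a known colleague's name on a look-alike domain (c0rp with a zero),
# and a link whose text shows the real portal but whose href goes elsewhere.
SAMPLE_EMAIL = """From: Jane Doe <jane.doe@example-c0rp.com>
To: bob@example-corp.com
Subject: Q3 budget numbers - please review
Content-Type: text/html

<html><body>
<p>Hi Bob, quick one before the meeting. The updated sheet is on the portal:</p>
<p><a href="http://portal.example-corp.com.evil-host.test/login">https://portal.example-corp.com/budget</a></p>
<p>Thanks, Jane</p>
</body></html>
"""

# Constructed benign message from the same colleague, for contrast.
BENIGN_EMAIL = """From: Jane Doe <jane.doe@example-corp.com>
To: bob@example-corp.com
Subject: lunch?
Content-Type: text/html

<html><body><p>Noon at the usual place? <a href="https://portal.example-corp.com/menu">https://portal.example-corp.com/menu</a></p></body></html>
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def analyze_email(raw: str) -> list[str]:
    """Return the spear-phishing indicators found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    findings = []

    # Check 1: display name belongs to a known contact, but the address domain is not theirs.
    display, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(display)
    if expected and _domain(addr) != expected:
        findings.append(
            f"sender name '{display}' matches a known contact but address domain is "
            f"'{_domain(addr)}', expected '{expected}'"
        )

    # Check 2: Reply-To quietly redirects replies to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To domain '{_domain(reply_to)}' differs from From domain '{_domain(addr)}'")

    # Check 3: link text that looks like a URL but whose host differs from the real href host.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for href, text in HREF_RE.findall(body):
        text = text.strip()
        if text.lower().startswith(("http://", "https://")) and _host(text) != _host(href):
            findings.append(f"link text shows host '{_host(text)}' but points at '{_host(href)}'")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze_email(raw))
```

These are heuristics, not proof: an attacker who has compromised the colleague's real mailbox passes check 1, and a message with no links passes check 3. They are cheap to run at the mail gateway and catch exactly the disguise the article describes.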

What does China do with the information?
The corporate secrets are worth a lot of money to Chinese business. Blueprints of advanced plants or machinery could help many Chinese industries, and so could data on corporate finances and policies. Energy companies, for example, can benefit from knowing what their foreign competitors are willing to bid for oil field sites. Chinese companies have already been sued for allegedly stealing DuPont’s proprietary method for making chemicals used in plastics and paints. More ominously, some of the information could be used to disrupt U.S. industry or infrastructure (see below). And while China is the main source of attacks, other countries also frequently hack U.S. sites, including Russia, North Korea, and Iran.

What is the U.S. doing to protect itself?
Congress refused to pass a comprehensive cybersecurity act last year because of opposition from business groups, which complained that new computer regulations would be costly and onerous. As a result, President Obama recently issued an executive order requiring Homeland Security to identify “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” Those operators will have to strengthen their defenses by placing multiple layers of protection around their most sensitive systems. Right now, some companies rely on a single perimeter firewall, and once that is breached, everything behind it is exposed. “The dirty little secret in these control systems is once you get through the perimeter, they have no security at all,” said Dale Peterson of security company Digital Bond. Hackers “can do anything they want.”
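The difference between a single perimeter firewall and layered protection can be made concrete by asking, for each policy, what an attacker who has taken the first host behind the firewall can pivot to. The following is an added example, not code from the article or from Digital Bond; the plant assets and both flow policies are hypothetical and constructed for illustration.

```python
from collections import deque

# Hypothetical hosts in a small plant network.
ASSETS = {"internet", "web-dmz", "app-server", "historian", "eng-workstation", "plc"}

# A policy is the set of (src, dst) flows the firewalls permit.
# Single perimeter firewall: one rule at the edge, and everything inside may talk to everything.
FLAT_POLICY = {("internet", "web-dmz")} | {
    (a, b) for a in ASSETS - {"internet"} for b in ASSETS - {"internet"} if a != b
}

# Layered policy: every hop must be explicitly allowed, and only the engineering
# workstation is permitted to reach the PLC.
SEGMENTED_POLICY = {
    ("internet", "web-dmz"),
    ("web-dmz", "app-server"),
    ("app-server", "historian"),
    ("eng-workstation", "historian"),
    ("eng-workstation", "plc"),
}


def reachable_from(compromised: str, policy: set[tuple[str, str]]) -> set[str]:
    """Hosts an attacker can pivot to from `compromised`, assuming (as Peterson's quote
    implies) that any host that can be reached can also be taken over and used as the next hop."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for s, d in policy:
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen - {compromised}


def exposure_report(policy: set[tuple[str, str]], compromised: str = "web-dmz") -> dict[str, bool]:
    """Map each other asset to whether it is exposed once `compromised` falls."""
    reached = reachable_from(compromised, policy)
    return {a: a in reached for a in sorted(ASSETS - {compromised})}


if __name__ == "__main__":
    print("flat:     ", exposure_report(FLAT_POLICY))
    print("segmented:", exposure_report(SEGMENTED_POLICY))
```

With the flat policy the DMZ web host reaches the PLC in one hop; with the segmented policy the same compromise stops at the historian. The model is deliberately pessimistic about the hosts themselves (no authentication once a flow is allowed), which is exactly the condition Peterson describes, so the firewall policy is the only control doing any work.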

A worst-case scenario
Derailed trains. Air traffic control systems suddenly shut down with thousands of planes in the air. Exploding chemical plants and gas pipelines. Blackouts over large parts of the country, lasting weeks or even months. These are some of the apocalyptic events cybersecurity experts fear—hacks that could kill people and sow widespread panic. But what might be even more damaging, the experts say, is a coordinated attack on multiple banks in which hackers alter—not wipe—much of the financial data stored on their computers. With balances, debts, and other data changed, no transaction would be trustworthy. Nobody’s bank account or mortgage statement could be deemed accurate. “It would be impossible to roll that back,” said Dmitri Alperovitch of the computer security company CrowdStrike. “You could wreak absolute havoc on the world’s financial system for years.” Leon Panetta, the outgoing defense secretary, warns that hackers are now testing the defenses of banks, utilities, and government agencies, and figuring out how to launch a paralyzing attack. “This is a pre-9/11 moment,” Panetta recently told business executives in New York. “The attackers are plotting.”
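The integrity attack Alperovitch describes works because altered records look exactly like genuine ones. The standard countermeasure is a tamper-evident ledger: each record carries a keyed hash over its own contents and the previous record's hash, with the key held outside the database, so a silent change anywhere breaks the chain from that point on and the last trustworthy state can be recovered. The following is an added example, not code from the article or from CrowdStrike; the key, the transactions and the tampering are constructed for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical integrity key; in practice it lives in an HSM or signing service, not in the database,
# so an attacker who can rewrite rows cannot also recompute valid tags.
LEDGER_KEY = b"example-key-not-for-production"
GENESIS = b"\x00" * 32

# Constructed sample transactions.
SAMPLE_TXS = [
    {"id": 1, "account": "A-100", "delta": 5000},
    {"id": 2, "account": "A-100", "delta": -1200},
    {"id": 3, "account": "B-200", "delta": 300},
]


def _entry_tag(prev_tag: bytes, tx: dict) -> bytes:
    """HMAC over the canonical JSON of this record plus the previous record's tag."""
    payload = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LEDGER_KEY, prev_tag + payload, hashlib.sha256).digest()


def build_ledger(transactions: list[dict]) -> list[dict]:
    """Append-only log where every record is chained to its predecessor."""
    ledger, prev = [], GENESIS
    for tx in transactions:
        tag = _entry_tag(prev, tx)
        ledger.append({"tx": dict(tx), "tag": tag.hex()})  # copy so callers' dicts stay untouched
        prev = tag
    return ledger


def verify_ledger(ledger: list[dict]):
    """Index of the first record whose chain tag fails to verify, or None if the whole chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        expected = _entry_tag(prev, rec["tx"])
        if not hmac.compare_digest(expected.hex(), rec["tag"]):
            return i
        prev = expected
    return None


def trusted_balances(ledger: list[dict]) -> dict[str, int]:
    """Balances recomputed only from the verified prefix of the chain."""
    bad = verify_ledger(ledger)
    end = len(ledger) if bad is None else bad
    balances: dict[str, int] = {}
    for rec in ledger[:end]:
        tx = rec["tx"]
        balances[tx["account"]] = balances.get(tx["account"], 0) + tx["delta"]
    return balances


def tamper_demo():
    """Alter (not wipe) one debit in place and show where the chain breaks."""
    ledger = build_ledger(SAMPLE_TXS)
    assert verify_ledger(ledger) is None
    ledger[1]["tx"]["delta"] = -12          # attacker quietly shrinks a 1200 debit to 12
    return verify_ledger(ledger), trusted_balances(ledger)


if __name__ == "__main__":
    print(tamper_demo())
```

Because the tag of record 2 covers both its contents and the tag of record 1, changing a single field invalidates record 2 and every record after it; without the key the attacker cannot re-chain the tail. The balances computed from the intact prefix are the point to roll back to, which is what an unchained table of balances cannot offer.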

- As seen in The Week