The anti-virus company McAfee has released a white paper analyzing hacking attempts against five multinational corporations in the energy sector. While little information was released on the target companies, the primary culprit is clear. The report traces all of the hacking attempts to servers in the Chinese province of Shandong and to offices in Beijing, where hackers are using Chinese-produced software to obtain trade secrets.
A study released Feb. 10 by McAfee, an anti-virus company, describes an organized hacking effort originating, from all indications, in China and specifically targeting five multinational corporations (MNCs) involved in the energy sector. The operation, which McAfee dubbed "Night Dragon," fits well within Chinese intelligence-gathering methods and capabilities. While trying to counter commercial espionage by foreign businesses, China is actively engaged in its own commercial espionage activities. These activities traditionally have been carried out using China's "mosaic" intelligence system, which plants low-level agents inside companies to steal trade secrets, but this effort has been significantly expanded over the past two decades to include cyber-capabilities. McAfee will not identify the targeted MNCs because some are clients. (Some of the hacking may have been conducted against ExxonMobil, ConocoPhillips and Marathon Oil, which admitted to The Christian Science Monitor in January 2010 that they had been targeted, along with some 30 other companies.) All of the companies in the study, going as far back as 2007, had their computer networks penetrated by such measures as exploiting security holes in Microsoft operating systems and misconfigured web servers, stealing and cracking passwords, and installing backdoors and remote administration tools. In the process, hackers were able to obtain gigabytes of sensitive information, including bidding documents, notes on oil and natural gas field operations, and data on project financing and industrial control systems. All of the programs were used for information extraction (cyber-espionage) rather than cyber-sabotage. However, if they accessed data on SCADA industrial-control systems, hackers could use the data for cyber-sabotage, exploiting it in a fashion similar to the Stuxnet computer worm.
While McAfee is not absolutely sure who the hackers are — according to a disclaimer in the study, it "has no direct evidence to name the originators of these attacks but rather has provided circumstantial evidence" — all available evidence points to China. First, all of the hacking tools were designed in China and are readily available on Chinese hacking sites, including Hookmsgina and WinlogonHack. Though sophisticated and clandestine enough to avoid detection for a few years, the hackers did not take steps to cover their tracks. Apparently, Beijing believed there was enough separation between the act and its sponsor to ensure plausible deniability, and there was no need to be completely covert. Second, the Internet Protocol addresses were all traced back to Beijing addresses and the hacking activity occurred between 9 a.m. and 5 p.m. Beijing time. This suggests an organization employing professionals and not amateur or freelance hackers. Third, the hackers rented servers owned by a man named Song Zhiyue in Heze, Shandong province. (While all of this points to an organized effort based in China, there is an outside chance it could be a very sophisticated false-flag operation.) As technology has developed, Chinese intelligence services have found that cyber-espionage can be a significant force-multiplier when applied to traditional mosaic intelligence-gathering. The People's Liberation Army Military Intelligence Department's Seventh Bureau, which is responsible for cyber-intelligence, historically has been stationed in Shandong province, where it employs large numbers of hackers to access adversary systems. The fact that the servers traced in the McAfee study were run through that province is likely not coincidental — the hacking against Google was also traced to Shandong. 
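The second piece of evidence above, that the activity clustered between 9 a.m. and 5 p.m. Beijing time, is a working-hours analysis that any incident responder can reproduce from their own logs. The following Python script is an added example, not code from McAfee or from the report; the log lines are constructed (documentation IP addresses, invented file paths), and the choice of "Asia/Shanghai" as the candidate operator time zone is an assumption the analyst supplies. It converts each event's UTC timestamp into that zone and reports, per source IP, how much of the activity falls on weekdays inside the business-hours window, plus an hour-of-day histogram.

```python
"""Working-hours profiling of intrusion activity in a candidate time zone.

Added example (not from the McAfee report). Log lines below are constructed:
UTC timestamp, source IP (RFC 5737 documentation ranges), event description.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
except ImportError:  # Python < 3.9: only the fixed-offset fallback is available
    ZoneInfo = None  # type: ignore[assignment]

# Constructed sample log (2010-03-01 is a Monday, 2010-03-06 a Saturday).
SAMPLE_LOG = """\
2010-03-01T01:05:12Z 203.0.113.7 rdp_login user=admin
2010-03-01T03:40:51Z 203.0.113.7 file_read path=/shares/bids/Q1.xlsx
2010-03-01T06:12:09Z 203.0.113.7 file_read path=/shares/ops/field_notes.doc
2010-03-01T08:55:30Z 203.0.113.7 rdp_logout user=admin
2010-03-02T02:20:03Z 203.0.113.7 rdp_login user=admin
2010-03-02T04:48:17Z 203.0.113.7 file_read path=/shares/finance/project.pdf
2010-03-02T08:30:44Z 203.0.113.7 rdp_logout user=admin
2010-03-06T14:10:00Z 198.51.100.23 rdp_login user=jsmith
"""


def resolve_tz(name: str, fallback_offset_hours: int = 8):
    """Resolve an IANA zone name; if tzdata is unavailable, fall back to a
    fixed offset (assumption: +8 matches China Standard Time, which has no DST)."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except Exception:  # ZoneInfoNotFoundError or missing tzdata
            pass
    return timezone(timedelta(hours=fallback_offset_hours), name=f"UTC+{fallback_offset_hours}")


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split '<ISO-8601 UTC ts> <ip> <event...>' into (aware datetime, ip, event)."""
    ts, ip, event = line.split(" ", 2)
    # 'Z' suffix is only accepted by fromisoformat on 3.11+, so normalise it.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if when.tzinfo is None:  # defensive: treat naive timestamps as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when, ip, event


def local_activity_profile(log_text: str, tz_name: str = "Asia/Shanghai",
                           start_hour: int = 9, end_hour: int = 17) -> dict[str, dict]:
    """Per source IP: event count, events inside [start_hour, end_hour) local
    time on a weekday, the resulting fraction, and an hour-of-day histogram."""
    tz = resolve_tz(tz_name)
    events: Counter = Counter()
    in_hours: Counter = Counter()
    weekdays: Counter = Counter()
    histogram: dict[str, Counter] = {}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, _event = parse_line(line)
        local = when.astimezone(tz)
        events[ip] += 1
        is_weekday = local.weekday() < 5          # Monday..Friday
        in_window = start_hour <= local.hour < end_hour
        if is_weekday:
            weekdays[ip] += 1
        if is_weekday and in_window:
            in_hours[ip] += 1
        histogram.setdefault(ip, Counter())[local.hour] += 1

    return {
        ip: {
            "events": n,
            "in_hours": in_hours[ip],
            "weekday": weekdays[ip],
            "business_hours_fraction": in_hours[ip] / n,
            "hour_histogram": dict(sorted(histogram[ip].items())),
        }
        for ip, n in events.items()
    }


if __name__ == "__main__":
    for ip, p in local_activity_profile(SAMPLE_LOG).items():
        print(f"{ip}: {p['events']} events, {p['business_hours_fraction']:.0%} in "
              f"weekday 09-17 local; hours={p['hour_histogram']}")
```

A high business-hours fraction in one zone and a low one in others is exactly the kind of circumstantial signal the report relies on: it suggests a salaried workforce rather than hobbyists, but, as the article itself notes about false-flag operations, scheduling can be faked, so it should be weighed alongside infrastructure and tooling evidence rather than on its own.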
While China remains deeply concerned about Chinese-born foreign nationals spying on its own corporations, it also appears to be consistently and successfully hacking into the computer systems of foreign corporations. Such cyber-espionage will continue to be detected, which for Beijing is not necessarily an issue.