Strong Evidence Points to China as Cyberhack Source
Only five nations would be capable of sponsoring a massive cyber-espionage
campaign that infiltrated governments, international organizations, and
high-tech companies, persisted over years, and stole billions of dollars’ worth
of intellectual property—like the operation unveiled by security firm McAfee.
The United States and the U.K. can be removed from the
equation because they don’t spy on each other. Iran and Russia are capable, but
the evidence doesn’t suggest they were involved. Taking into account past
campaigns of monumental hacking, and considering the Asian focus in the recent
attack, there’s only one country left, according to James Lewis, director of the
Technology and Public Policy Program at the Center for Strategic and
International Studies, in a Twitter post.
The onslaught has been termed Operation Shady RAT (referring to one of the
items of software used in the attack, a “Remote Administration Tool”), and bears
a striking resemblance to similar campaigns that have been traced back to China
and, many experts believe, actors sponsored by the Chinese
Atlanta-based Dell SecureWorks has also traced the attacks. They
pinpoint them to two major Chinese cities: Shanghai and
According to McAfee, hackers stole petabytes (thousands of
terabytes) of information, including industry-relevant secrets from a sweeping
variety of targets since 2006: classified state secrets from governments, design
schematics and source code from technology companies, and exploration plans from
natural resources companies.
McAfee won’t say whether they have evidence
that the attacks originated in China, but experts don’t see much room for
The Work of a State
In its report, security firm McAfee said the large-scale cyber-espionage
operation was conducted not by a group of independent hackers but a “state
actor.” This is due to the “sophistication, target list, or type of information”
targeted, McAfee spokesperson Joris Evers told The Epoch Times in a telephone
“It’s not typical stuff that a cybercriminal could go after or
turn into money,” he said. “That’s why we think it was a nation-sponsored
A number of important indicators implicate China.
Of the 72 compromised
parties from 14 countries, Chinese entities were entirely missing from the hit
list of hacks. Also, most of the targets in the operation are of definite
interest to the Chinese regime, including Taiwan and the U.S.’s defense
“All the signs point to China,” Lewis, the cybersecurity
expert, said to Vanity Fair. “Who else spies on Taiwan?”
A China expert
quoted in the Nelson Report, a newsletter sent to Washington insiders, also
believed China was the source of the attacks. “Only such a police state is
capable of a cyber-act of war of that scale and scope,” he said.
Targets All Over the World
The Epoch Times looked at over a dozen of the hacking incidents and, through
targeted news searches, traced them to business deals and political events
around the time they occurred.
A pattern emerges of friendly meetings,
deal announcements, or cooperative efforts between China and a variety of
groups, closely followed, or in some cases preceded, by a hacking intrusion.
Snooping on the targets in all of these cases would potentially have netted the
Chinese regime high-tech blueprints, top-secret documents, and other pieces of
insider information invaluable in political or business discussions, in some
cases of very high financial value.
The Pohang Iron and Steel Company
(POSCO), based in Pohang, South Korea, is the third largest steel maker in the
world. In July 2006, POSCO initiated a takeover of a large mill in China’s
Jiangsu Province, and in November, POSCO developed a “new efficient steel.”
McAfee says that Korean Steel Company was hacked in July 2006—the same month as the
takeover negotiations. The intrusion lasted beyond
McAfee documents an
intrusion into ASEAN’s secretariat in October 2006. On Oct. 30–31 China held a
“commemorative summit” celebrating the 15th anniversary of the establishment of
relations between ASEAN and China. Between August and September 2006, ASEAN held
two more summits involving China.
An intrusion into the U.S. Department
of Energy Labs (DOE) began in July 2006. In April 2006, the Chinese Academy of
Sciences announced a collaborative project with an American university to
develop detectors for a DOE particle accelerator.
Encroachments into the
networks of Northern and Southern California county governments took
place in June 2007, August 2007, and December 2007. In May 2007, Gov.
Schwarzenegger announced with much fanfare that several Californian companies
had signed contracts with Chinese businesses worth $3 billion.
The International Olympic Committee (IOC) was infiltrated in November 2007. In
August 2007, IOC representatives met with Beijing officials over the next year’s
Beijing Summer Games. Hacks also took place against national Olympic Committees
in Asia and the West and the World Anti-Doping Agency in the prelude to and
after the 2008 Beijing Olympics.
The systems of a Danish satellite
telecommunications company were penetrated in August 2008 and September 2010. In
June 2008, Thrane & Thrane, Denmark’s only manufacturer of satellite
communication equipment, showed “excellent performance under harsh conditions”
in the effort to rescue survivors of the May 2008 earthquake in Sichuan, as
stated by the Chinese regime’s overseas mouthpiece China Daily.
The United Nations was hacked in September 2008. The U.N. Security Council’s
elections during the 63rd General Assembly were held in October 2008.
In February 2009, a bus crashed near Las Vegas, killing seven Chinese tourists;
the Clark County Medical Examiner’s Office in Nevada handled the bodies, while
the Chinese regime expressed interest in the case. A Nevada County government
was hacked in April of 2009.
So was a “U.S. Solar Power Company” in
September 2009, November 2009, and December 2010, according to McAfee. In August
2009, First Solar, a U.S. company, announced plans to build the world’s largest
solar plant in China. In November 2010, its “cutting edge” photovoltaic
technology was used during the Shanghai Expo.
According to experts and McAfee’s documents, the current round of hacking
uses the same techniques as previous operations traced back to China.
These include GhostNet, which
targeted diplomatic posts, media organizations, and NGOs; Operation Aurora,
which successfully hacked Google; Byzantine Hades, which was run by the Chinese
military and targeted the U.S. government; and Night Dragon, which plundered
intellectual property from major oil and gas companies.
engineering and hacking techniques used were the same. And so were the tools,
which “are widely available on the Chinese Web forums,” McAfee said in a
previous report. They “tend to be used extensively by Chinese hacker groups.”
In previous massive hacking operations exposed by McAfee, researchers
have fingered “attackers based in China” as the culprits, but have not gone so
far as to say the Chinese regime was behind the attacks.
In this case, McAfee refers to “a state actor” but declines to say whether that
actor is China or not. Evers, the spokesperson, would not say whether that was
due to a deficit of evidence. McAfee has an office in China.
SecureWorks was less reserved, noting in its forensics, “Most of the Chinese
destination IPs belong to large ISPs [Internet Service Providers], making
further attribution of the hacking activity difficult or impossible without the
cooperation of the PRC government.”