Return to Winter: Russia, China, and the New Cold War Against America

Finally, hackers are also targeting defense partners and suppliers. Lockheed Martin has identified China as the main suspect in what the company called a “sophisticated” attack on its systems. In December 2006, a major cyber attack forced the Naval War College in Rhode Island—where much military strategy against China is developed—to take all its computer systems offline. One professor at the school told his students that the Chinese had brought down the system.[45] Some hackers target defense firms, seeking to gain information on weapons systems; others target tech firms to steal valuable source code that powers software applications—the firms’ bread and butter.[46]

In addition to the damage these attacks do to U.S. firms, the perpetrators use everything they obtain for their own purposes—that is, not only to weaken the United States but also to strengthen themselves. In an earlier time, aggressor nations helped themselves to the raw materials and energy stores of vulnerable nations. Today, our adversaries are helping themselves to our innovation.

The Mandiant Report and China’s War on the U.S. Media

One calls himself UglyGorilla. He once kept a blog about his job as a People’s Liberation Army hacker, in which he “lamented his low pay, long hours, and instant ramen meals.”[47] Another goes by the moniker DOTA and appears to be a Harry Potter fan, frequently setting account-security questions such as “Who is your favorite teacher?” and “Who is your best childhood friend?” to the values “Harry” and “Potter” and creating accounts such as [email protected]. They sound like high school geeks, but they are at the forefront of a cyber-hacking effort of unprecedented scale and effectiveness.

Even doubters began to understand the reach and determination of the Chinese cyber-warfare effort with the stunning news in January 2013 that the New York Times had been extensively hacked over several months the year before. Chinese hackers infiltrated the paper’s computer systems, stealing passwords for reporters and other employees by installing malware (malicious software designed to disrupt computer operations or gain access to systems) that provided entry to computers on the Times network. The hackers eventually gained access to the personal computers of 53 Times employees.[48]

What were they after? As it turns out, the attacks coincided almost to the day with the paper’s extensive investigative report on the family wealth of former Prime Minister Wen Jiabao, which totaled more than several billion dollars raised from a host of businesses, from real estate to rubber manufacture to Ping An, one of the world’s largest financial-services firms.[49] The Chinese government warned the Times that there would be consequences for its investigation, and soon enough, the paper discovered what those consequences were. The hackers broke into the email accounts of the paper’s Shanghai bureau chief, David Barboza, the lead reporter on the Wen story, as well as the account of Jim Yardley, the paper’s South Asia bureau chief. The Times claimed that the hackers did not obtain any crucial information, however.

To track the invaders and understand what was happening, the Times hired a computer-security consulting firm, Mandiant, which has been doing big business of late. The firm now serves 30 percent of the Fortune 500 firms and saw an amazing 76 percent increase in revenue in 2012. That’s no accident. Mandiant is sweeping up clients victimized by Beijing’s nonstop assault on private- and public-sector computer servers.

The Mandiant investigators weren’t sure how the hackers broke into the Times system to install the malware, but their best guess was that they used some variation of a “spear-phishing” attack. Spear-phishing involves sending emails to employees that contain malicious links or attached files, often in the guise of useful information. The most sophisticated phish attacks can appear to come from someone in the recipient’s address book, even a close colleague. Once the recipient clicks on the link or attachment, the hackers can install the malware, which often takes the form of “remote access tools,” or RATs, which can pilfer oceans of data, from passwords to document files, and send them back to the hackers’ Web servers.[50]

Shockingly, the Times attack was only the tip of the iceberg. As Mandiant made clear in a more comprehensive report, Chinese hackers targeted and penetrated just about every institution of American life. The firm documented attacks on 141 targets in the U.S. and around the world that occurred over six years—and “those are only the ones we could easily identify,” said Kevin Mandia, founder and chief executive of the firm.

The targets ranged from the U.S. military and government to defense-industry firms, energy and communications infrastructure, think tanks, law firms, embassies, media companies—not only the Times but also Bloomberg, the Washington Post, and others—and manufacturing concerns. What’s more, Mandiant traced the origins of most of these attacks: They came from a Shanghai office tower belonging to Chinese military intelligence and were predominantly the work of a unit of the People’s Liberation Army known as Unit 61398.

Mandiant’s 60-page report tracked the behavior of the most sophisticated groups in this unit, known as Comment Crew and Shanghai Group. Intelligence officials believe that both groups, along with other sophisticated Chinese hackers, have state sponsorship and are run from inside the Chinese intelligence apparatus. The Mandiant report made the Chinese connection official, despite Beijing’s denials. “It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence,” the Chinese Defense Ministry said in a statement—but Mandiant has the digital goods on the attackers.[51]

Comment Crew even broke into the systems of Telvent (now Schneider Electric), an information-technology and industrial-control firm that designs software for the remote management of power grids for gas-pipeline and power companies. The software controls access to valves, switches, and security systems. Telvent has remote access to more than 60 percent of oil and gas pipelines in North America—and it keeps detailed blueprints of most. Comment Crew stole the project files.

“This is terrifying because—forget about the country—if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent,” said Dale Peterson, head of Digital Bond, a security firm that specializes in industrial-control computers. “It’s the holy grail.”[52]

The Mandiant report was a landmark moment in the ongoing cyber war with China. As a result, soon after the Times broke the hacking story, many hackers in Unit 61398 went silent and removed their spying tools from the servers of the organizations they had infiltrated. Some of the group’s most prolific and colorful hackers—not just UglyGorilla and DOTA, but others with names such as SuperHard—disappeared. Within a few months, though, Unit 61398 was operating at 60 to 70 percent of its original capacity, re-inserting many spying tools with minor alterations to the code while working from different servers.

Clearly, neither the Mandiant report nor the U.S. government’s approach of “naming and shaming” is sufficient to stop China’s cyber attacks. Something else would be needed. As Dennis Blair, President Obama’s former director of national intelligence, put it: “Jawboning alone won’t work. Something has to change China’s calculus.”[53]

Skeptics might ask, if the Chinese military, through its cyber hackers, can gain access to such critical U.S. information and infrastructure systems, then why haven’t they tried to take them down? And since they haven’t, how much is there to worry about? Perhaps these are merely exercises. Others say the attacks are purely about obtaining information. In the media examples, for instance, the Chinese wanted to learn what U.S. reporters knew about the inner workings of their government. Besides, even if the Chinese launched a major cyber attack that brought down, say, the U.S. banking system, they would be hurting only themselves—as prime owners of American debt, they are deeply invested in the U.S. economy. Sabotaging it would make no sense.

All of that sounds reasonable but assumes that there aren’t other uses to such attacks and such access—blackmail, for instance, on the far end of the spectrum, or just coercive pressure on the less dramatic end. The U.S. is engaged in a number of diplomatic and potential military disputes with China involving its conflicts with our allies over islands in the South and East China Seas. We have a half-century-old impasse over Taiwan. And then there is the lingering North Korean situation. What if China were to use what it learned through cyber attacks as leverage against us in these matters?

“Would an American president respond with full military force if he knew that the Chinese would retaliate by turning out all the lights on the Eastern Seaboard?” Fred Kaplan asks.[54] Scoffing at these scenarios is foolhardy.

Corporate Sabotage, Hacking, and Spying

In 2010, the U.S. Navy received shipment of 59,000 microchips from China for installation in a wide range of American defense systems. The chips turned out to be counterfeits. The Navy discarded them, but the episode made American officials wonder.

What if, in the future, they didn’t catch the mistake—if it was in fact a mistake? What if, with increased sophistication, the Chinese could sneak purposefully defective chips into its shipments? “Instead of crappy Chinese fakes being put into Navy weapons systems,” Adam Rawnsley wrote in Wired, “the chips could have been hacked, able to shut off a missile in the event of war or lie around just waiting to malfunction.”[55]

Regardless of what really happened in 2010, the Chinese are expert at a whole range of tools involved in cyber sabotage. They excel, for instance, at “backdoor” hacking—stealing data through the use of compromised computer parts. A “back door” is an embedded piece of computer code that makes it possible to hack into whatever processes the code controls. Such codes are notoriously difficult to remove.[56] Backdoors can be added to code or installed in a computer’s physical machinery. Hardware-encoded backdoors are more threatening than software-encoded ones, because they can’t be removed or detected by anti-virus software or reformatting. They can override any part of the software in the computer. Extraordinarily difficult to detect, they’re built with “open-source” tools, making it much harder to identify the perpetrator.[57]

It’s a problem that isn’t going away, because the U.S. is no longer the sole global manufacturer of computer chips and has begun buying foreign-sourced chips. China manufactures a great deal of the material used in the U.S. for computers and digital transmissions. China’s opaque manufacturing sectors, with links to the military and to the Communist Party, control some of these processes and are suspected of inserting a range of mechanisms into materials in order to monitor, interrupt, or sabotage U.S. networks.

In May 2012, Cambridge University researchers declared that Chinese hardware manufacturers were inserting backdoors into computer chips used in Pentagon weapons as well as in nuclear power plants and public transportation. A researcher, Sergei Skorobogatov, found the backdoor in a computer chip from Microsemi, a Chinese hardware maker. The U.S. government uses the Microsemi chip for civilian and military applications, including software that operates Boeing 787s and surveillance drones.

Skorobogatov described how he had found the backdoor and its “key,” both inserted by the manufacturer: “If you use this key, you can disable the chip or reprogram it at will, even if locked by the user with their own key,” he said. “In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. . . . The scale and range of possible attacks has huge implications for [U.S.] national security and public infrastructure.”[58]

The incident was far from isolated. In October 2012, the U.S. House Permanent Select Committee on Intelligence recommended that U.S. companies avoid hardware made by Chinese telecom giants Huawei and ZTE, saying that its use constitutes a risk to national security. Huawei and ZTE manufacture network hardware for telecommunications systems. The House report criticized both firms for not being forthcoming about their relationship with the Chinese government or how they conducted their operations in the United States.[59]

Backdoors allowing remote access have been found on ZTE devices, and the FBI is investigating the firm for stealing American intellectual property and selling it to Iran.[60] But in the end, Huawei may be the more dangerous actor. The firm’s founder, Ren Zhengfei, served in the People’s Liberation Army engineering corps in the 1960s. Some American executives believe that Huawei has stolen designs from Cisco; the two companies settled a lawsuit in 2004. In the U.S., after all, telecom companies have assisted with espionage. It’s perfectly reasonable to worry that in China, where boundary lines between corporations and government are much fuzzier, such firms might be engaging in the same practices.[61]

Huawei officials even showed off their ability to hack into American telecom systems at a technology and intelligence conference in Dubai. They claimed that they did this only to eliminate “malicious data” and protect their networks, but the demonstration raised questions about what other uses the company may find for these capabilities.[62]

In short, China has become notorious for intellectual-property theft. By one estimate, cyber attacks of Chinese origin tripled in the third quarter of 2012 over the previous three years. There seems to be a direct correlation between the increased attacks and China’s ambition to develop leading high-tech industries and compete against American businesses with low-cost products.[63] It mirrors Chinese military hacking, similarly motivated by the desire to improve their technologies by stealing U.S. secrets. China is well positioned here, since, as Richard Clarke notes, “China is very familiar with [America’s] routers. Most of them are made by the U.S. firm Cisco, but made in China.”[64]
