Chinese Cyberwarfare, Explained

So…just how screwed are we?

Thu Feb. 21, 2013 6:01 AM EST


On Monday, an American cybersecurity firm called Mandiant released a report accusing the Chinese government of systematically hacking into American computer networks and targeting state secrets, weapons programs, businesses, and even the nation's gas pipelines. The New York Times vetted the story and concluded that a growing body of evidence "leaves little doubt" that these attacks are originating from a secret Chinese army base. Adam Segal, senior fellow for China studies at the Council on Foreign Relations (an organization that, in the past, has also been targeted by hackers that appeared to be China-based), tells Mother Jones that this "raises the pressure on the increasing drum beat on the US to do something." 

So just how freaked out do you need to be? Here's everything you need to know: 

How do cyberattacks and cyberwarfare work? A cyberattack is what happens when a hacker penetrates computers or networks for the purpose of maliciously exploiting systems and information. This can lead to identity theft, viruses, theft of intellectual property, or full-on system infiltration (i.e., the hacker can watch your every move). Cyberwarfare is what happens when countries are the ones employing those hackers, often with the goal of stealing state secrets and/or causing damage. 

The scheme that Chinese hackers employ to gain footholds on victims' computers is known in computer-speak as spear phishing, according to Mandiant, and it's a scam that's been around for years. The sabotage begins when a victim receives an innocuous work-related email about a meeting or a project from what appears to be a colleague's email address. If the target takes the bait, he or she will click on a hyperlink or download an attachment from the message. In some cases, suspicious recipients have replied to phishing emails asking whether the file was authentic; the Chinese hackers' answer: "It's legit." When the target downloads the files, he or she unwittingly installs remote-access software (sometimes referred to as a "backdoor") that allows the hacker to assume control of the victim's computer.

With a few lines of code, the hacker can install other backdoors and programs, upload and download files, capture screenshots of the user’s desktop, record keystrokes and passwords, and shut down the system. The sleuthing can last months or even years, and confidential and top-secret files can be easily transported from the network into the hacker's hands.  Here's a video showing an attack in progress: 
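The lure described above, seen from the defender's side: a small triage check that flags the warning signs of such a message (an added example, not code from the article or from Mandiant). The organisation's domain, the colleague's name and the sample message are all constructed for illustration.

```python
# Added example, not from the article or from Mandiant: triage one message for the
# spear-phishing pattern described above. Domain, names and sample are constructed.
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"   # assumed domain of the targeted organisation
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".rar", ".js", ".lnk")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def triage(raw_message: str) -> list:
    """Return the warning signs found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name and domain != INTERNAL_DOMAIN:      # colleague's name, outside address
        findings.append(f"sender '{name}' uses external address {addr}")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.lower() != addr.lower():  # replies routed elsewhere
        findings.append(f"Reply-To {reply} differs from From {addr}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {fname}")   # typical dropper types
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            text = part.get_payload(decode=True).decode(charset, "replace")
            for url in URL_RE.findall(text):
                host = url.split("/")[2].lower()
                if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
                    findings.append(f"link to external host {host}")
    return findings


def sample_message() -> str:
    """Constructed lure: a 'meeting' mail from a lookalike colleague address."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@example-corp.co>"      # lookalike domain
    m["Reply-To"] = "jane.doe.files@mail.example.net"
    m["Subject"] = "Agenda for Thursday's project meeting"
    m.set_content("Hi, the agenda is attached, or see http://docs.example.net/agenda")
    m.add_attachment(b"not really an archive", maintype="application",
                     subtype="octet-stream", filename="agenda.zip")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(sample_message()):
        print("WARNING:", finding)
```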

So what is this mysterious Unit 61398? Unit 61398 (or "61398部队" for the Mandarin speakers among you) is believed to be a top-secret unit of the Chinese government that "engages in harmful 'Computer Network Operations,'" according to the Mandiant report. It's located in a 12-story facility in Shanghai, and could have thousands of employees, most of whom are required to speak English, demonstrate computer security skills, and exhibit "team spirit." Richard Bejtlich, the chief security officer at Mandiant, tells Mother Jones that the unit built new headquarters in 2007. Mandiant claims to have known about the unit for seven years, but it's unclear exactly how long it has been around. D.B. Grady, a national security journalist and author, makes the case that "concerns over Unit 61398—a perfectly unnerving name—are no more worrisome than Chinese spies recruiting American agents to steal folders from locked filing cabinets." He adds, "If the US government were really alarmed, we would be threatening to go to war. Instead, we're threatening to give a lot of money to government contractors."

Nevertheless, here are some infographics showing just how effective Unit 61398 is at getting on your computer, and staying there: 

Who is the Chinese government hacking? The short answer: Your business, your water supply, your defense, your newspapers, and probably more. The longer answer: Since 2006, China's espionage division has stolen data from at least 115 American businesses—and that's only the hacking that Mandiant directly observed. The company believes that number represents only a small fraction of China's overall hacking activity. Not surprisingly, Chinese spies were most interested in hacking national-security-related industries such as aerospace, energy, scientific research, and information technology. Here's a chart showing the most-targeted industries (it only includes attacks Mandiant witnessed, and includes some that occurred outside the United States):

(Chart: Mandiant)

But even if you work for an alfalfa farm in Wyoming, hacking could still affect you: According to the New York Times, the hackers are interested in US critical infrastructure—electric grids, oil pipelines and water systems—and are attempting to unlock US military secrets by targeting defense contractors and weapons programs (more on that later). Chinese hackers are also taking on media giants that produce journalism critical of China: the Times' computers were compromised recently after a high-profile investigation revealed that members of Chinese Prime Minister Wen Jiabao's family had accumulated massive wealth from state contracts, and the Washington Post, Bloomberg News and the Wall Street Journal have also all been targeted. (Mother Jones liability note: China is great! We love China!)

Why is China hacking the United States? Segal, the Council on Foreign Relations expert, explains:

The Chinese want to move up the value chain. They want to move from "made in" to "innovated in China." So part of it is stealing industrial secrets and helping Chinese companies. There's [also] political and military espionage—having a better sense of what the US government and US opinion leaders and other people think about China and try to influence that, and wanting to steal US military secrets. It's also a kind of deterrent. [It] sends a message to the US that the US homeland is vulnerable and if there was going to be a regional conflict that escalated, the US should know that the Chinese have a way of reaching out and touching us.

Another explanation? Chinese hackers just really wanted to access their social-media accounts, many of which are blocked on the mainland. Mandiant was able to trace some of the hackers' identities because the "easiest way for them to log into Facebook and Twitter [was] directly from their attack infrastructure." And as our colleague Josh Harkinson noted, at least one hacker appears to be "a fan of American and British pop culture"—he used Harry Potter references for his passwords. 

So…just how screwed are we? Both private US companies and government infrastructure are pretty bad at stopping hackers from beating down the door. Most private companies "aren't in a position to defend themselves, and if you devote any length of time to break into one of these guys, you're going to find a way in," says Mandiant's Bejtlich.

When it comes to government, the forecast isn't much better: President Obama says that the "cyberthreat is one of the most serious economic and national security challenges we face as a nation." Between 2007 and 2009, the head of the Pentagon's Cyber Crime Center confirmed 102 instances in which hackers had infiltrated the networks of government agencies, military contractors, or other entities connected to the Department of Defense, according to a 2010 Forbes report. In 2007, the 10 largest defense contractors, including Lockheed Martin, Northrop Grumman, Raytheon, and Boeing, all suffered security breaches that traced back to China. CFR's Segal says that even though cyberattacks aren't new, "on the defense side, we haven't had too much success" defending against them.

But experts don't necessarily say that means the United States is screwed. Segal says that US-China relations would have to "already be very, very bad or very, very close to military conflict anyway for the Chinese to consider a cyberattack." He adds that "there is some vulnerability to the power grid and industrial sector, but it's not a major threat right now. The major threat is espionage and stealing secrets."

"The way cybersecurity works is the way security works in the real world," Bejtlich says. "It's based on fast detection and response. It's hard to stop someone from breaking into your house, but you can call the police and kick them out." He adds that "defense contractors also learn from their experiences, and the ones who are making the news more tend to do the best job of protecting information that I've seen." 

Grady makes the case that many of the cybersecurity concerns are overblown, and are instead simply a good way for the defense industry to squeeze more money out of taxpayers. "This isn't some kind of new horror. Cyberattacks will become worrisome when someone figures out how to use a copy of Linux to blow up something," he tells Mother Jones. "The motives of defense contractors are pretty obvious, aren't they?" he adds. "The war on terror is all but over, but cybersecurity could mean anything and everything. Where there's fear, there's a lot of money to be made."

What is the Obama administration doing? Last week, Obama issued an executive order on cybersecurity with the aim of protecting US critical infrastructure from hackers, despite pushback from conservatives and big business. The order requests that companies participate in a voluntary information-sharing program so the government can help them stop attacks. "It's not clear that the executive order is going to make it better," Segal says. According to Bejtlich, the administration "is doing as much as it can with the order, but now the focus needs to shift to the House and the Senate."

Who else is China attacking? Wait, are we attacking anyone? Foreign Affairs has compiled a chart showing the number of cyberattacks, and by whom, from 2001 to 2011:

(Chart: Foreign Affairs; Sam Pepple / Sample Cartography)


UPDATE 1, Saturday, February : Hackers use Mandiant cybersecurity report to lure victims

SC Magazine reports that hackers (of unconfirmed origin) are now using phishing emails that claim to include the Mandiant cybersecurity report, in order to gain access to victims. The phishing emails are reportedly targeting Japanese companies and Chinese journalists. Here's a screenshot of one of the fake emails, released by Symantec:

And here's a tweet from Malware Lab claiming that some of the victims may be Chinese journalists: