“Love your Enemies, for they tell you your Faults.” Benjamin Franklin wrote that.
“The supreme art of war is to subdue the enemy without fighting.” The Chinese philosopher Sun Tzu wrote that.
Both come to mind as the world is waking up a newly disclosed body of evidence from the Internet security firm Mandiant, publicly illustrating, in the starkest terms yet, how wide, deep and pervasive computer hacking attacks from China have become. As reported on the front page of today’s New York Times, numerous attacks on American, Canadian and British companies, dating as far back as 2006, have been carried out by a single unit of the China’s People’s Liberation Army. Mandiant, a firm based in Alexandria, Va., has identified it as Unit 61398, operating out of a single building just walking distance from the point in outer Shanghai where the Huangpu and Yangtze Rivers meet.
The company maintains that the unit has compromised the networks of at least 141 companies or organizations, and probably more than that, spending an average of 356 days perusing their networks. In one case, the attackers had unfettered access to a target’s computers and networks for a grand total of four years and 10 months.
Who do they attack? None of the companies are named. But, if you think back, you can remember some names that have disclosed attacks blamed on China, that might fit the bill: Google and Intel have over the years complained in public of attacks carried out by China. The Times says the army unit was the one responsible for the attacks carried out in 2011 against RSA, the security unit of the technology company EMC, which were described at the time as “extremely sophisticated.”
More recently, a series of attacks against media organizations have been attributed to China: The New York Times, The Wall Street Journal (which, like this website, is owned by News Corp.), Bloomberg News, the Washington Post and the Associated Press are among them.
Other targeted industries include information technology, defense and aerospace, energy, transportation, satellites and communications, navigation, chemicals, health care and mining, to name a few.
What do the attackers take? Here’s a list taken directly from Mandiant’s report:
- product development and use, including information on test results, system designs, product manuals, parts lists, and simulation technologies;
- manufacturing procedures, such as descriptions of proprietary processes, standards, and waste management processes;
- business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures, and acquisitions;
- policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel;
- emails of high-ranking employees; and user credentials and network architecture information.
Most of the time, the victim company doesn’t even know that its information has been stolen until it is far too late to do anything about it.
Who gets the information in the end? It’s unclear, exactly, and so Mandiant engages in educated conjecture and looks at the available evidence. In one case in 2008, a targeted company suffered an intrusion lasting two and a half years, during which emails and attachments of the CEO and general counsel were stolen. During the same time period, news reports showed that a Chinese company had managed to negotiate a significant increase in the price of a certain commodity component with an unnamed victim company. It may be a coincidence, Mandiant concedes, but then again, it may not.
How do they attack? Usually by sending innocent-looking attachments in email messages. An employee at the target company opens it, triggering software embedded within it that gives attackers remote access to that employee’s machine, which then serves as a beachhead for more attacks. You can see a short video showing some of the attacks actually taking place in the video below.
Certainly, suspicions about China and its intentions, capabilities and actions in this area have pervaded for months. Knowledge about all this has probably circulated within the classified community for years, and no doubt plays a part in the concern among lawmakers and U.S. federal government agencies about the growth of the Chinese networking company Huawei.
Mandiant points to another: Unit 61398, it says, carried out a series of attacks against a unit of a Canadian company called Schneider Electric. The incident was first reported by security blogger Brian Krebs, and was carried out when the unit was an independent company called Telvent. What does the company make? Remote access tools, basically software that lets you control one computer from another computer far away.
The part that should scare you is what kinds of computers this software is intended to control: They’re known generally as SCADA systems, or supervisory control and data acquisition systems. They’re the stripped-down machines that sit between large industrial machinery like generators or pumps, or any other kind of big, automated equipment, and regular computers.
In a series of letters to customers in September of last year, Telvent disclosed that attackers traced to China had installed malicious software on its network, and had stolen files related to a key product called OASyS SCADA, which is designed to connect older IT assets to certain “smart grid” systems running on electrical power networks.
Attacks on SCADA systems can be very effective, in part because the machines involved are older and have tended to be less well-secured. How effective? Remember Stuxnet? The malware attack carried out by American and Israeli intelligence agencies against the Iranian nuclear research program? In that attack, nuclear centrifuges were caused to spin out of control, and ultimately explode. That was an attack against SCADA systems. We already know how easily attacks like it might be carried out here.
Stealing intellectual property and trying to gain an edge in business negotiations is one thing. Penetrating the systems that run critical infrastructure is rather more serious, bordering on sabotage. Now that the government officially considers cyberspace a theater of warfare, similar to land, sea, and sky, this is starting to look serious.