The Chinese hacking tools and internal documents that came to light this week show not only the scope of the Chinese government’s effort to expand computer penetration through its network of private contractors, but also the weaknesses of that contractor system.

The newly leaked documents show the extent to which China has ignored or sidestepped U.S. efforts to limit its extensive hacking activities for more than a decade. Not only has it built its own cyber intelligence units, but it has also developed a network of nominally independent firms that operate as hackers on the state’s behalf.
Last weekend, FBI Director Christopher Wray said in Munich that hacking operations from China were now targeting the United States on an “unprecedented scale.” At a recent congressional hearing, Wray said that China’s hacking program was “bigger than all the major countries combined.”
“In fact, if you had all of the FBI’s cyber agents and intelligence analysts focusing on the Chinese threat, China would still outnumber the FBI in hacking by 50 to 1,” he said.
U.S. officials say China quickly built up that numerical advantage by contracting with companies like Anxun, also known as I-Soon. Someone stole Anxun’s documents and hacking tools and posted them online more than a week ago.
The documents show that Anxun’s wide-ranging activities involved targets in South Korea, Taiwan, Hong Kong, Malaysia and India.
But the documents also show that Anxun was in financial trouble, and that it turned to ransomware attacks for revenue after the Chinese government cut its funding.
U.S. officials say this points to a serious weakness in the Chinese system. China’s economic problems and rampant corruption often mean that funds meant for contractors are misappropriated. Short of money, contractors have stepped up their illegal activities, selling hacking services and running ransomware, which has made them targets for retaliation and exposed other problems.
The U.S. government and private cybersecurity firms have long tracked Chinese espionage and malware threats, and experts say these activities aimed at stealing information have become almost the norm. But even more troubling are Chinese cyberhacking operations that threaten critical infrastructure.

(U.S. officials say China uses a network of contractors to run a computer infiltration campaign, but economic problems and rampant corruption have weakened the campaign.)
The intrusions, attributed to a Chinese hacking group dubbed “Volt Typhoon,” infiltrated critical infrastructure in the United States and have raised alarms in the U.S. government. Unlike the Anxun operations, these intrusions largely avoided custom malware and instead used stolen credentials and the networks’ own administrative tools to gain covert, hard-to-detect access to critical networks.
Intelligence officials believe the intrusions were designed to send a message that China can disrupt U.S. power, water or communications at any time. Some of the implants were found in infrastructure near U.S. military bases that depend on civilian utilities to keep running, especially bases that would be involved in a quick response to a Chinese attack on Taiwan.
But while China has devoted resources to the Volt Typhoon program, much of the conventional malware work has continued. China has used its own intelligence agencies, as well as contractors associated with them, to expand its espionage activities.
Anxun was primarily in direct contact with China’s Ministry of Public Security, which has traditionally been concerned with domestic political threats rather than international espionage. But the leaked documents also show that Anxun had ties to the Ministry of State Security, which collects intelligence both inside and outside China.
Jon Condra, a threat intelligence analyst at the security firm Recorded Future, said Anxun was also linked to Chinese state-sponsored cyber threat groups.
“This is the most significant data breach associated with a company suspected of providing cyber espionage and targeted intrusion services to the Chinese security services,” Condra said. “The leaked material suggests that Anxun was likely working as a private contractor for Chinese intelligence.”
U.S. efforts to curb Chinese hacking operations date back to the Obama administration, when People’s Liberation Army Unit 61398 was revealed to be behind intrusions into many U.S. corporate networks designed to steal trade secrets for Chinese competitors. The U.S. indicted a number of PLA officers in connection with the intrusions, and their pictures were posted on the Justice Department’s “Most Wanted” list, which angered China. But none of them was ever brought to trial.
Since then, the U.S. has also discovered that one of the most audacious thefts of government data was carried out by China: the theft of more than 22 million personal background-check records from computers at the U.S. Office of Personnel Management. The hackers went undetected for more than a year, and the information they gathered gave them insight into what people inside the U.S. government did for a living, and what financial, health or relationship problems they had. As a result, the CIA had to withdraw officers who had been scheduled to be posted to China.
The incident led to a 2015 agreement between President Xi Jinping and President Obama aimed at curbing hacking, announced with great fanfare in the White House Rose Garden.
But less than two years after the agreement was announced, China was already building a network of hacking contractors, an arrangement that lets its security agencies plausibly deny involvement in the intrusions.
Wray said in an interview last year that China’s resources for espionage had grown so much that it no longer had to “pick and choose” its targets much.
“They want everything,” he said.