10 June 2015

Dusting for Beijing’s Digital Fingerprints

BY ELIAS GROLL

Washington says China is behind the biggest hack of U.S. government servers in history. Proving the case will be much harder.

American officials are still trying to calculate the damage from a massive hack of the Office of Personnel Management that resulted in the loss of the personal data of millions of federal workers. It’s the second time in a year that the OPM has been attacked by hackers. And it’s the second time in a year that U.S. officials are pointing the finger squarely at China.

Anonymous officials speaking to the New York Times and Washington Post said they believed the attack was launched from China, though those two reports were marked by an important distinction: the Post said that U.S. officials believed the attack was state-sponsored; the Times said it was unclear whether the breach had been orchestrated at the behest of Chinese authorities.

Beijing reacted furiously to those accusations and said the United States was acting recklessly by so quickly blaming the attack on China. “We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source,” Foreign Ministry spokesman Hong Lei told reporters in Beijing. “It’s irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation.”

It’s possible that the United States has conducted such an investigation and has amassed the necessary evidence to conclude that the hackers that breached the OPM were members of the Chinese government or based in China. But that’s information that the United States isn’t releasing. When asked what evidence the United States has that the breach was executed by Chinese state hackers, Mark Stroh, a spokesman for the National Security Council, declined to comment.

The White House’s silence highlights a broader challenge in the new era of cyberwarfare and espionage: Hackers have become extraordinarily talented at masking their identities online, and companies and governments now face a generation of programmers adept at routing an attack through myriad servers online and making it seem like an attack that has its origins in France is in fact coming from Russia. That, in turn, means that corporations and governments under siege by cyber-criminals and state-sponsored hackers frequently have no idea who is actually attacking them.

Given time, resources, intelligence, and expertise, it’s usually possible to establish with at least some measure of certainty who was likely behind a given attack. Still, the anonymity offered by digital tools is part of the so-called “attribution problem” that is increasingly challenging government and private sector cybersecurity personnel. It’s a problem that also has deep political ramifications: When no one really knows — and can’t definitively prove — responsibility for a hack, politicians are left only with accusations, finger-pointing, and subsequent diplomatic scandals on their hands.

That’s the exact sequence of events currently playing out as Washington and Beijing trade diplomatic barbs about the veracity of the White House’s claims about China’s responsibility.

There’s already considerable bad blood between the two world powers: Last year, the U.S. Justice Department indicted five members of Unit 61398, a specialized hacking unit of the Chinese military, and accused them of conducting corporate espionage to help Chinese firms beat out their American rivals. According to the indictment, the Chinese hackers stole sensitive business information and other data from five large U.S. companies and one labor union.

Speaking Thursday night at a cocktail event in Washington hosted by the public relations firm Brunswick Group, Michael Morell, the former deputy director of the CIA, downplayed the notion that China, or any other foreign government, was responsible for the massive data breach.

“I actually think what happened at OPM, it’s more likely it was a criminal group than it was actually a government,” said Morell, who also served as the acting director of the CIA. “I can think of only one reason the Chinese government is interested in that data, I can think of a whole bunch of reasons why a criminal group is interested in that data.”

Morell did not specify the incentive Beijing might have in obtaining the data, but he went on to emphasize how rapidly criminal hacking is growing around the world. “Criminal groups now generate more income via cybermeans than are generated from the illicit drug trade,” he said. “It’s a remarkable statistic.”

According to Bob Shaker, a malware specialist at Symantec, an IT cybersecurity company, a fertile black market has sprung up for the sale of data illicitly obtained from databases containing personal information. Depending on the data, such material can sell from 10 cents per entry all the way up to $30 to $40 per entry, he said. After being sold, information from such databases can be used to open false loans or submit false medical claims.

But even if America’s onetime top spy doesn’t see any real motive for Chinese hackers to raid U.S. personnel databases, other analysts see a clear reason for Beijing to carry out such operations. “They’re running a campaign to collect as much information about Americans as possible for counterintelligence purposes,” said Dmitri Alperovitch, the chief technology officer of CrowdStrike, a cybersecurity firm.

Alperovitch believes that hacking personnel databases like those at OPM — which, among other things, help carry out background checks for the U.S. government — is allowing China to assemble large amounts of information about federal workers that it can use, for example, to spot U.S. spies.

Let’s say a U.S. businessman applies for a visa. Alperovitch believes that his name could be inputted into a Chinese database that has access to stolen U.S. personnel data to see whether he has perhaps ever applied for a security clearance or worked for a U.S. intelligence agency. It’s a sophisticated, 21st century way for China to catch spies.

“We are starting to see a trend here. Hacker groups that were solely compromising American companies with the purpose of stealing intellectual property are starting to launch attacks with the purpose of collecting personally identifiable information instead,” Jaime Blasco, the vice president and chief scientist of AlienVault, another security firm, wrote in an email. “Information about federal workers, including those with security clearances, can be really valuable from an intelligence point of view.”

The OPM breach comes on the heels of a series of well-publicized and reportedly state-sponsored attacks on U.S. corporations and the government, perhaps most notably the attack on Sony Pictures over its release of The Interview, a film that depicted the assassination of North Korea’s supreme leader. The U.S. government has been adamant that the attack was carried out by North Korean hackers, but the public evidence pointing toward Pyongyang’s responsibility is largely circumstantial — though extremely compelling. Alperovitch’s firm, for example, has identified typos in the code used to attack Sony that also appear in North Korean attacks on South Korean banks and media outlets in 2013.

These are the kinds of coincidences that don’t just happen, and they are why Alperovitch speaks of what he calls the “attribution myth.” “We do attribution every day in the private sector,” he said. “The people who talk about the attribution problem say that because they’ve never done it.”

Attribution, Alperovitch argues, is possible, but it takes time, persistent effort, and talented sleuths.

But the nature of the cyber-playing field means that even the most compelling case to determine state-sponsorship often remains only circumstantial, leaving countries such as China in the catbird seat. Perhaps the U.S. government has some damning piece of evidence to implicate Beijing in the OPM breach that it isn’t releasing to preserve its intelligence methods. But Beijing’s response is obvious: “Perhaps.”

FP staff writer John Hudson contributed reporting to this article.