9 March 2020

CIA Hackers Accused Of 11-Year Attack In New Chinese Cyber Report: This Is What’s Behind It

Zak Doffman

Chinese security company Qihoo 360 has taken the security world somewhat by surprise, with published claims that it has exposed an eleven-year campaign by “CIA hacking group (APT-C-39),” which, it says, targeted a range of Chinese industries, including aviation, oil and gas and tech, as well as several government agencies.

“It is worth noting,” the report says, “that the attacked information technology sectors of civil aviation by the CIA are not only in China, but also involves hundreds of commercial airlines [in other] nation states.”

This is a report heavy on speculation and inferences from already public data, and lacking in detailed attribution. What’s more interesting is that the company has elected to do this now in the public domain. We can now likely expect further Chinese exposure of alleged U.S. exploits, the potential for individuals to be identified, and a further shift of this cyber tit-for-tat into the public domain.

China, alongside Russia and (to a lesser extent) Iran and North Korea, has been framed by the U.S. government as the primary cyber threat globally. Legal action has been taken against multiple Chinese nationals, charged with cyber crimes and cyber espionage on U.S. soil. We also have the backdrop of the ongoing standoff with China over tech and AI, with Huawei and China’s AI unicorns front and center.
With that in mind, the Qihoo 360 report appears to be China’s equivalent of the naming and shaming campaigns against its own state-sponsored cyber operations. Chinese state-controlled media was the first to cover the report, citing “numerous evidence” that the hackers were affiliated with CIA. “The CIA,” it says, “backed the hacking group which mainly targeted system developers of China's aerospace and scientific research institutions... Hundreds of overseas airlines also fell victim.”

As to why there was a specific focus on the airline industry, the researchers claim CIA may be tracking “the real-time global flight status, passenger information, trade freight and other related information,” asking “what unexpected things will CIA do if it has such confidential and important information? Get important figures’ travel itinerary, and then pose political threats, or military suppression?”

Central to the report is “Vault 7,” the data dump of alleged CIA cyber weapons published on WikiLeaks. This data dump exposed multiple exploits against multiple platforms, and for CIA and its operations was a damaging exposure. There is no detailed attribution in the report, with the researchers saying “as it involves national security, we will only disclose part of the intelligence data held by Qihoo 360.”

The report links Vault 7, and through it the hacking group, to the CIA via Joshua Adam Schulte, who is standing trial for the document leak.

The researchers also claim that exploit fingerprints link back to known CIA cyber weapons, which they in turn link to APT-C-39. They also claim consistency between what they say they’ve found in the wild and what was referenced in the Vault 7 documents. But, then again, one of the core evidential points listed in the report is the stretch of an argument that “the compilation time of the captured [cyber weapon] samples is in line with North American business working hours.”
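The “business working hours” inference is a standard but weak attribution heuristic: an analyst reads the link-time stamp in each Windows executable’s COFF header and asks which time zone makes the most samples land inside a nine-to-five working day. The Python script below is an added illustration, not code from the Qihoo 360 report or from this article, and it uses constructed data throughout: the six timestamps, the minimal PE header stubs, and the hand-picked candidate offsets are all assumptions. It shows why the heuristic is a stretch on its own: the same six samples fit two different time zones equally well.

```python
import struct
from datetime import datetime, timezone, timedelta

# Constructed sample: six UTC link times, all inside a US-East (UTC-4, summer) working day.
SAMPLE_STAMPS_UTC = [
    datetime(2019, 10, 15, 13, 30, tzinfo=timezone.utc),  # Tuesday
    datetime(2019, 10, 15, 18, 5, tzinfo=timezone.utc),   # Tuesday
    datetime(2019, 10, 16, 15, 20, tzinfo=timezone.utc),  # Wednesday
    datetime(2019, 10, 17, 20, 45, tzinfo=timezone.utc),  # Thursday
    datetime(2019, 10, 18, 14, 10, tzinfo=timezone.utc),  # Friday
    datetime(2019, 10, 21, 17, 0, tzinfo=timezone.utc),   # Monday
]

# Hypothetical candidate zones as fixed UTC offsets (DST folded in by hand; labels are illustrative).
CANDIDATE_OFFSETS = {
    "UTC-4 (US East, summer)": -4,
    "UTC-3 (Sao Paulo / Buenos Aires)": -3,
    "UTC+1 (London, summer)": 1,
    "UTC+3 (Moscow)": 3,
    "UTC+8 (Beijing)": 8,
}


def make_pe_stub(ts: int) -> bytes:
    """Build a minimal constructed MZ/PE header carrying the given TimeDateStamp.

    This is sample data for the parser below, not a loadable binary.
    """
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))      # DOS header up to e_lfanew
    hdr += struct.pack("<I", e_lfanew)                # e_lfanew at offset 0x3C
    # PE signature, then COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    hdr += b"PE\0\0" + struct.pack("<HHI", 0x8664, 0, ts)
    return bytes(hdr)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # 4 bytes after signature + Machine + NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def working_hours_fraction(stamps, offset_hours: int, start: int = 9, end: int = 18) -> float:
    """Fraction of stamps that fall Mon-Fri between start and end (exclusive) in the given offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for dt in stamps:
        local = dt.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(stamps)


def fit_by_zone(stamps, offsets=CANDIDATE_OFFSETS) -> dict:
    """Score every candidate zone; the analyst's 'business hours' claim is the best of these."""
    return {label: working_hours_fraction(stamps, off) for label, off in offsets.items()}


def best_fits(stamps, offsets=CANDIDATE_OFFSETS) -> list:
    """All zones tied for the highest score; more than one entry means the data cannot discriminate."""
    scores = fit_by_zone(stamps, offsets)
    top = max(scores.values())
    return [label for label, s in scores.items() if s == top]


def roundtrip_ok() -> bool:
    """Check that the parser recovers the constructed stamps from the constructed headers."""
    blobs = [make_pe_stub(int(d.timestamp())) for d in SAMPLE_STAMPS_UTC]
    return [pe_timestamp(b) for b in blobs] == SAMPLE_STAMPS_UTC


if __name__ == "__main__":
    assert roundtrip_ok()
    for label, score in fit_by_zone(SAMPLE_STAMPS_UTC).items():
        print(f"{label:34s} {score:.2f}")
    print("best fit(s):", best_fits(SAMPLE_STAMPS_UTC))
```

On this constructed set the US-East and South-American offsets score identically, so the timestamps alone cannot separate them, and the field is written by the linker at build time and can be altered or zeroed, so even a clean single fit is weak evidence unless it is corroborated by other artefacts.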

The exploit tools listed in the report have been linked to U.S. intel operations before, including Fluxwire, Grasshopper and WISTFULTOLL. That is not at issue. But the claims as to the structured campaigns and their underpinning objectives, as well as the claims around APT-C-39, all require further data to substantiate.

So what can we make of this report? Suggesting the CIA and sister U.S. agencies are conducting long-term cyber operations against China, just as China is doing against the U.S., is not a major claim. Drawing inferences between open source data and those campaigns is interesting but non-attributed. The case against APT-C-39 is not made by this report and the data provided.

What’s most interesting is what happens next. This is part of the ongoing cyber and high-tech standoff between the U.S. and China. It is a reminder, from China to the world, that the U.S. is in its mind as guilty as China of cyber crimes. It will almost certainly be followed by further reports and intelligence designed to do the same.

For Beijing, the public outing of Chinese nationals and major companies, accused by the U.S. of espionage and IP theft, has been one-sided. This may be the beginning of an attempt to even the scales.
