US zeroes in on China's hacker army

China’s hacking culture is a complex mosaic of shifting motivations, employers and allegiances.

One man accused of being a hacker for the Chinese military, Wang Dong, better known as UglyGorilla, wrote in a social media profile that he did not “have much ambition” but wanted “to wander the world with a sword, an idiot.” Another, Sun Kailiang, also known as Jack Sun, grew up in wealthy Pei County in eastern China, the home of a peasant who founded the ancient Han dynasty and was idolised by Mao.

They and three others were indicted by the United States Justice Department this week, charged with being part of a Chinese military unit that has hacked the computers of prominent American companies to steal commercial secrets, presumably for the benefit of Chinese companies. Much about them remains murky. But Chinese websites, as well as interviews with cybersecurity experts and former hackers inside and outside China, reveal some common traits among those and other hackers, and show that China’s hacking culture is a complex mosaic of shifting motivations, employers and allegiances.

Many hackers working directly for the Chinese government are men in their 20s and 30s who have been trained at universities run by the People’s Liberation Army and are employed by the state in myriad ways. Those working directly for the military usually follow a 9-to-5 weekday schedule and are not well paid, experts and former hackers said. Some military and government employees moonlight as mercenaries and do more hacking on their own time, selling their skills to state-owned and private companies. Some belong to the same online social networking groups. “There are many types of relationships,” said Adam Segal, a China and cybersecurity scholar at the Council on Foreign Relations in New York. “Some PLA hackers offer their services under contract to state-owned enterprises. For some critical technologies, it is possible that PLA hackers are tasked with attacks on specific foreign companies.”

The Obama administration makes a distinction between hacking to protect national security, which it calls fair play, and hacking to obtain trade secrets that would give an edge to corporations, which it says is illegal. China and other nations accuse the United States of being the biggest perpetrator of both kinds of espionage. In what may be Chinese retaliation for the indictments, a state agency announced plans on Thursday for tighter checks on Internet companies that do business in China. The State Internet Information Office said the government would establish new procedures to assess potential security problems with Internet technology and with services used by sectors “related to national security and the public interest,” reported Xinhua, the state-run news agency.

In the indictments, unsealed on Monday, the United States accused Wang, Sun and three others of working in the Chinese Army’s Unit 61398, which a report last year by Mandiant, a cybersecurity company in Alexandria, Virginia, said operated out of a 12-story white tower on the outskirts of Shanghai. That unit is now the most infamous of China’s suspected hacking groups, and the Western cybersecurity industry variously calls it the Comment Crew, the Shanghai Group and APT1. Some members are active on Chinese social media. Wang, Sun and another of the men indicted, Wen Xinyu, are part of a group on QQ, a social networking and messaging tool, that calls itself “Poor Folks Fed by Public Funds,” according to an Internet search.

Espionage activity

The group, which has 24 members, also includes Mei Qiang, a hacking suspect named in the Mandiant report whose alias is SuperHard. Another member, Xu Yaoling, has the same name as someone from the PLA University of Science and Technology, a military institution in Nanjing, who has written papers on hacking and cybersecurity. Wang posted messages on an official Chinese military forum in 2004 under the alias Green Field. He called himself a “military enthusiast” and asked in one thread, “Does our military have the capabilities to fight against American troops?” His forum profile listed an English name, Jack Wang, and an email address; messages sent this week to that address went unanswered. He has been known to leave a signature, “ug,” on malware he has created.

The Comment Crew is not the only big player in China, where hacking is as common in the corporate and criminal worlds as in the government. It is even promoted at trade shows, in classrooms and on Internet forums. Western cybersecurity experts usually focus on hackers with state ties. FireEye, a cybersecurity company in Milpitas, California, that bought Mandiant in January, is tracking at least 25 “active Chinese-based threat groups,” of which 22 support the state in some way, said Darien Kindlund, the company’s manager of threat intelligence. At least five appear to be tied directly to one or more military groups, Kindlund said, adding that this was a conservative estimate.

Joe Stewart, a cybersecurity expert at Dell SecureWorks, said that as of last year, the Comment Crew and a unit he called the Beijing Group were using “the lion’s share” of 25,000 suspicious online domains he had been tracking. The Beijing Group, he said, used a dedicated block of IP addresses that could be traced to the Chinese capital and to the network of China Unicom, one of the three biggest state-owned Internet telecommunications companies.

“There’s espionage activity coming out of that,” Stewart said, though he added that he had seen no evidence of the Beijing Group’s working with China Unicom or any other state entity. A man who answered a China Unicom spokesman’s cellphone declined to comment.

The targets pursued by the Comment Crew and the Beijing Group overlap — both go after foreign corporations and government agencies, for example — but the Beijing unit also takes aim at “activist types,” Stewart said, including ethnic Tibetan and Uighur exile groups. The two units are responsible for creating most of the world’s 300 known families of malware, he added.

Western cybersecurity experts saw a surge of online espionage attacks on corporations starting in late 2006. Before that, attacks had been aimed mostly at government agencies or contractors. The experts said much of the initial wave of corporate espionage was traced to China, and specifically to the Comment Crew. About a year later, the Beijing Group appeared on the scene.

A smaller unit, the Kunming Group, whose attacks have been traced to IP addresses in Kunming, the capital of Yunnan Province, seemed focused on targets in Vietnam, Stewart said. It deployed malware and so-called spear phishing attacks that tried to entice victims to click on messages and links in Vietnamese.

It is unclear exactly what the Kunming Group sought to achieve, but tensions between China and Vietnam have been rising in recent years over territorial disputes in the South China Sea. China moved an oil rig near Vietnam this month, an action Vietnam has protested. Vietnam is also working with foreign oil companies to drill and explore in that sea.

Though the Obama administration has focused on exposing corporate espionage, hackers suspected of working for the Chinese government have breached a wide range of foreign government agencies, cybersecurity experts say.

For example, FireEye said it had observed spying attacks on Taiwanese government agencies and on a professor in India who held pro-Tibet views. The company called the attackers the Shiqiang Gang. A mainland Chinese group also carried out attacks on Japanese government agencies and companies last September by putting commands on Japanese news media websites that would infect users.

Kindlund, the FireEye executive, said people in his industry looked at a variety of factors to determine whether a hacker was a state employee or private contractor. One is the hacker’s security methods: Military hackers are less sloppy. Another is the victims: A hacker who jumps among wildly divergent victims, he said, is likely to be a contractor. In recent months, FireEye observed a hacker who took aim at foreign defense and aerospace companies, then hacked an online entertainment company. It appeared the hacker was a private contractor, Kindlund said.

There is no proven method of getting a Chinese hacking unit to back down. In early 2013, American officials hoped that the release of the Mandiant report and loud criticism of Chinese cyberespionage by the Obama administration would silence the Comment Crew. The unit went dormant but resurfaced within five months, Kindlund said. Now, its attacks have returned to pre-2013 levels.

“They’re using similar tactics but launching attacks from different infrastructure,” Kindlund said. “The tools are only slightly modified. Over all, most of the changes are very minor.”