Analysis: Should government spies target foreign firms?

By JOSEPH FITSANAKIS | intelNews.org
Last month, the government of the United States indicted five officers of the Chinese People’s Liberation Army with conspiracy to commit computer fraud, economic espionage, and theft of trade secrets, among other charges. In indicting the five PLA officers, the US Department of Justice went to great pains to ensure that it did not accuse the suspects of engaging in cyberespionage in defense of China’s national security. What sparked the indictments was that the accused hackers allegedly employed intelligence resources belonging to the Chinese state in order to give a competitive advantage to Chinese companies vying for international contracts against American firms. In the words of US Attorney General Eric Holder, the operational difference between American and Chinese cyberespionage, as revealed in the case against the five PLA officers, is that “we do not collect intelligence to provide a competitive advantage to US companies, or US commercial sectors”, whereas China engages in the practice “for no reason other than to advantage state-owned companies and other interests in China”. I recently authored a working paper that was published by the Cyberdefense and Cybersecurity Chair of France’s Ecole Spéciale Militaire de Saint-Cyr, in which I argued that the American distinction between public and private spheres of economic activity is not shared by the PLA. The Chinese see both state and corporate cyberespionage targets as fair game and as an essential means of competing globally with the United States and other adversaries. In the paper, I argue that Beijing sees the demarcation between state and private economic activity as a conceptual model deliberately devised by the US to disadvantage China’s intelligence-collection ability.


Western companies to suffer backlash in China-US espionage spat

By IAN ALLEN | intelNews.org
China’s response to America’s allegations of cyberespionage will probably not be directed against the United States government, but at Western technology companies, according to business insiders. On Monday, the United States Department of Justice identified five members of the Chinese People’s Liberation Army as directly responsible for a series of cyberespionage operations targeting American firms. Since then, sources in the business community have said that American companies operating in China were “caught off guard” by the Justice Department’s charges, and that they were “given no advanced notice” by US government officials. On the one hand, business insiders claim that Chinese cyberespionage against Western firms is so aggressive that many in the corporate community were broadly supportive of Washington’s move. But, on the other hand, some industry analysts have told the Reuters news agency that, although Beijing’s response to Washington’s allegations will not be “immediate or obvious”, Western technology firms should prepare to face a lot more difficulties in doing business in China. Specifically, some business observers expect the Chinese government to respond to America’s cyberespionage allegations by “precluding foreign companies from certain sectors” of its economy. Beijing might even use the controversy to justify a “turn to internal suppliers” of technological products and services, say experts. The news agency reports that American hardware and software suppliers have already seen their sales in China drop as a result of the revelations by American intelligence defector Edward Snowden. The current clash over cyberespionage between America and China is likely to have a further negative effect on American business activities all over Southeast Asia. The ongoing dispute between the two countries is likely to have an effect in Europe as well, says The Financial Times.
The London-based paper reports that Washington’s recent indictment has “struck a chord in German industry”, which is also concerned about the perceived theft of intellectual property by Chinese hackers.

The mysterious Chinese unit behind the cyberespionage charges

By JOSEPH FITSANAKIS | intelNews.org
On Monday, the United States government leveled for the first time charges against a group of identified Chinese military officers, allegedly for stealing American trade secrets through cyberespionage. The individuals named in the indictment are all members of a mysterious unit within the Chinese People’s Liberation Army (PLA) command structure, known as Unit 61398. It is estimated that the unit has targeted at least 1,000 private or public companies and organizations in the past 12 years. Western cybersecurity experts often refer to the group as “APT1”, which stands for “Advanced Persistent Threat 1”, or “Byzantine Candor”. It is believed to operate under the Second Bureau of the PLA’s General Staff Department, which is responsible for collecting foreign military intelligence. Many China military observers argue that Unit 61398 is staffed by several thousand operatives, who can be broadly categorized into two groups: one consisting of computer programmers and network operations experts, and the other consisting of English-language specialists, with the most talented members of the Unit combining both skills. Computer forensics experts have traced the Unit’s online activities to several large computer networks operating out of Shanghai’s Pudong New Area district, a heavily built-up neighborhood in China’s largest city, which serves as a symbol of the country’s rapid industrialization and urbanization. Among other things, Unit 61398 is generally accused of being behind Operation SHADY RAT, one of history’s most extensive known cyberespionage campaigns, which targeted nearly 100 companies, governments and international organizations between 2006 and 2011. The operation is believed to be just one of numerous schemes devised by Unit 61398 in its effort to acquire trade secrets from nearly every country in the world during the past decade, say its detractors.
American sources claim that the PLA Unit spends most of its time attacking private, rather than government-run, networks and servers. As the US Attorney General, Eric Holder, told reporters on Monday, Unit 61398 conducts hacking “for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States”. But The Washington Post points out that the recent revelations by US intelligence defector Edward Snowden arguably make it “easier for China to dismiss” Washington’s charges, since they point to

German magazine reveals more information on elite NSA spy unit

By JOSEPH FITSANAKIS | intelNews.org
Last June, we reported on the existence of an elite cyberattack unit within the United States National Security Agency (NSA), which operates under the Agency’s Office of Tailored Access Operations. Veteran NSA watcher Matthew M. Aid, who made the initial revelation, said at the time that the Office, known at NSA simply as TAO, maintains a substantial “hacker army” that works in close cooperation with the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI). Now German newsmagazine Der Spiegel says it viewed internal documents that confirm the existence of TAO as the NSA’s elite operational unit. The publication describes TAO as “something like a squad of plumbers that can be called in when normal access to a target is blocked”. It adds that TAO operatives are routinely detailed to a host of American intelligence agencies to help conduct intelligence operations ranging from traditional espionage to counterterrorism and cyberwarfare. Furthermore, TAO’s personnel, who are allegedly far younger than the average NSA officer, are experts in exploiting the technical deficiencies of the information-technology industry. They have therefore been able to compromise communications hardware and software produced by some of the world’s biggest IT companies and service providers, including Huawei, Cisco and Microsoft. The Spiegel article claims that TAO was established in 1997, several years before the Internet became a prominent engine of economic and cultural activity around the world. Its personnel, which initially consisted of a few select technical experts, were housed at the NSA headquarters in Fort George Meade, Maryland, but “in a separate wing, set apart from the rest of the agency”. Notably, Der Spiegel cites a paper produced by a former TAO unit head, which states that the program has produced “some of the most significant intelligence our country has ever seen” and urges its continued growth.

China ‘hacked European government computers’ prior to G20 summit

By IAN ALLEN | intelNews.org
A group of hackers from China managed to compromise computer networks belonging to the foreign ministries of several European governments prior to last September’s G20 Summit, according to a private computer security firm. The Summit, which took place in St. Petersburg, Russia, on September 5 and 6 of this year, brought together the heads of state of 20 major economies, including the United States and many European Union countries. The meeting agenda was dominated by discussions concerning the response of the international community to the chemical attacks in Ghouta, Syria. According to the Reuters news agency, the hackers managed to infiltrate carefully targeted computer networks by sending emails containing infected attachments to employees of foreign ministries. The attached files bore titles such as “US_military_options_in_Syria”, which appeared designed to bear reference to the upcoming G20 Summit. The hacking revelations were made by FireEye, Inc., a California-based security firm, which says it has proof the hackers came from China. The firm says its confidence on the matter stems from “a variety of technical evidence”, such as the language used on the control server used by the hackers, as well as the types of machines that were used to test the virus before it was deployed. FireEye said its experts were able to keep tabs on the “inner workings” of the primary computer server that the hackers used to monitor the compromised computer networks. However, shortly before the Summit began, the hackers migrated to another server, at which point the FireEye team lost contact with them.

News you may have missed #857 (hacking edition)

By IAN ALLEN | intelNews.org
►►UK spies hacked Belgian phone company using fake LinkedIn page. British spies hacked into the routers and networks of the Belgian telecommunications company Belgacom by tricking its telecom engineers into clicking on malicious LinkedIn and Slashdot pages, according to documents released by NSA whistleblower Edward Snowden. The primary aim, reports the German newsmagazine Der Spiegel, which obtained the documents, was to compromise the GRX router system that BICS controlled, in order to intercept mobile phone traffic that was transmitted by the router.
►►Indonesian hackers behind attack on Australian spy service website. Indonesian hackers are believed to have brought down the website of the Australian Secret Intelligence Service, Australia’s leading spy agency. The page was not working on Monday afternoon after hackers launched a “denial of service” attack. A “404 not found” message typically appears when a website crashes under a “denial of service” attack. The cyber attack is reportedly a response to revelations that Australia had been spying on its closest neighbor through its Jakarta embassy.
►►Hamas blasts alleged Mossad website. Hamas officials released a warning about a website called Holol (“solutions”), claiming it is a ruse set up by Israel’s Mossad intelligence agency to recruit Gazans as informants. The website’s “Employment” page states, “due to our connections with the Israeli Civil Administration, we can help you bypass the bureaucratic tape and procedural processes which prevent you from leaving Gaza”. The site also offers Israeli medical assistance, “due to connections with the Ministry of Health and the Israeli Civil Administration”. Palestinians interested in contacting the website’s officials are asked to provide their full name, telephone number, email, topic of inquiry, and an explanation of why they are asking for help. Last month, Lebanese group Hezbollah accused the Mossad of being behind a website seeking information on Hezbollah’s intelligence wing.

Secretive US cyber unit has been spying on China for 15 years

By JOSEPH FITSANAKIS | intelNews.org
A secretive cyberattack unit within the United States National Security Agency (NSA) has been engaged in protracted offensive cyberespionage operations against China for nearly 15 years. The revelation, made this week by veteran NSA watcher Matthew M. Aid, appears to confirm recent allegations made by Chinese government officials that Beijing’s secrets come under regular attack by US government-sponsored hackers. It also agrees with claims made by several intelligence observers, including this blog, that America’s cyber-security posture is not purely defensive. According to Aid’s article, published this past Monday in Foreign Policy, China’s allegations that it has been the target of sustained cyberespionage attacks by the US “are essentially correct”. Citing “a number of highly confidential sources”, Aid alleges that the NSA maintains a substantial “hacker army”. These ‘cyberwarriors’ allegedly operate under the NSA’s Office of Tailored Access Operations, known inside NSA simply as TAO. Its personnel are said to have successfully penetrated the Chinese government’s telecommunications networks and servers since the late 1990s, generating “some of the best and most reliable intelligence information” gained by Washington. It does so through computer network exploitation (CNE) techniques, such as surreptitious hacking, password exploitation, and even by compromising Chinese network security technicians. Aid alleges that TAO works closely with the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI), through a small “clandestine intelligence gathering unit”. The latter employs CIA and FBI operatives who perform what are known as “off-net operations”, a term that refers to physical break-ins of Chinese and other foreign diplomatic facilities, in order to compromise the security of computer hardware.

News you may have missed #842 (world reaction to Snowden leak)

By IAN ALLEN | intelNews.org
►►Chinese media focus on Snowden leaks. The front pages of Chinese state media were covered Thursday with the allegations of ex-CIA employee Edward Snowden, who says the US government has been hacking computers in China for years. Speaking to media in Hong Kong, where he is currently staying, Snowden said the US has been hacking computers in Hong Kong and mainland China since 2009. He said targets include public officials, businesses and the Chinese University of Hong Kong. Those claims by Snowden were the top story on most of China’s major news portals on Thursday.
►►Switzerland furious about Snowden’s charge that CIA spies on Swiss banks. One of the many lurid details in The Guardian’s remarkable interview with NSA whistleblower Edward Snowden was his account of what initially prompted him to leak: namely a CIA tour in Switzerland, where CIA officers recruited Swiss banking officials. The Snowden disclosure could not come at a worse time for the Swiss government, which is trying to convince parliament to back its emergency plan that would allow Swiss banks to turn over data on tax evaders to the US government.
►►Is Russia considering giving asylum to Snowden? Asked if the 29-year-old could claim asylum from Russia, a spokesman for President Vladimir Putin told the newspaper Kommersant: “If such a request is received, it will be considered”. Any attempt by the Kremlin to give refuge to Mr Snowden, amid calls for his prosecution under the US Espionage Act, is likely to infuriate the White House and provoke a major diplomatic standoff.

News you may have missed #838 (analysis edition)

By IAN ALLEN | intelNews.org
►►Delisle spy case barely caused ripples between Canada and Russia. The arrest of Jeffrey Delisle, a Canadian naval officer spying for Russia, did little to discourage Canada from welcoming that country’s defense chief to a Newfoundland meeting of Arctic nations last year. The visit underscored the puzzling lengths to which the Canadian government went to carry on a business-as-usual relationship with the one-time Cold War adversary. Most other planned military contacts between the two nations last year —including participation in the anti-terrorism exercise Operation Vigilant Eagle— also remained curiously normal.
►►Don’t believe the hype on Chinese cyberespionage. Within a day of each other, The Washington Post published a shocking list of US defense programs whose designs have reportedly been stolen by Chinese cyberattacks, and ABC news said the plans for Australia’s spy headquarters were also stolen by Chinese hackers. It makes China sound like a secret-sucking cyber espionage machine, but is that really the case? The knee-jerk interpretation to this disclosure (and others) is that China is a powerhouse of cyber espionage capable of stealing whatever secrets they want and that the US is powerless to stop them. This seems very unlikely.
►►US Predator drone program quietly shifted from CIA to DoD. The White House has quietly shifted lead responsibility for its controversial armed drone program from the CIA to the Defense Department. In a landmark speech last week at National Defense University in Washington, US President Barack Obama offered some clues into the status of the program, opaquely signaling it will now primarily be conducted by the United States military.

Sophisticated cyberespionage operation focused on high-profile targets

By JOSEPH FITSANAKIS | intelNews.org
After Stuxnet and Flame, two computer programs believed to have made cyberespionage history, another super-sophisticated malware has been uncovered, this time targeting classified computer systems of diplomatic missions, energy and nuclear groups. The existence of the malware was publicly announced by the Russia-based multinational computer security firm Kaspersky Lab, which said its researchers had identified it as part of a cyberespionage operation called Rocra, short for Red October in Russian. The company’s report, published on Monday on Securelist, a computer security portal run by Kaspersky Lab, said that the malware has been active for at least six years. During that time, it spread slowly but steadily through infected emails sent to carefully targeted and vetted computer users. The purpose of the virus, which Kaspersky Lab said rivals Flame in complexity, is to extract “geopolitical data which can be used by nation states”. Most of the nearly 300 computers that have so far been found to be infected belong to government installations, diplomatic missions, research organizations, trade groups, as well as nuclear, energy and aerospace agencies and companies. Interestingly, the majority of these targets appear to be located in Eastern Europe and former Soviet republics in Central Asia. On infected computers located in North America and Western Europe, the Rocra virus specifically targeted Acid Cryptofiler, an encryption program originally developed by the French military, which enjoys widespread use by European Union institutions, as well as by executive organs belonging to the North Atlantic Treaty Organization.

Did US spies hack French government computers using Facebook?

By JOSEPH FITSANAKIS | intelNews.org
A sophisticated computer virus discovered at the center of the French government’s secure computer network was planted there by the United States, according to unnamed sources inside France’s intelligence community. Paris-based magazine L’Express, France’s version of Time magazine, says in its current issue that the alleged American cyberattack took place shortly before last April’s Presidential elections in France. It resulted in the infection of the entire computer system in the Palais de l’Élysée, which is the official residence of the President of France. The French magazine cites unnamed sources inside the French Network and Information Security Agency (ANSSI), which is responsible for cybersecurity throughout France. The sources claim that the snooping virus allowed its handlers to gain access to the computers of most senior French Presidential aides and advisers during the final weeks of the administration of French President Nicolas Sarkozy, including his Chief of Staff, Xavier Musca. The article claims that the virus used source code nearly identical to that of Flame, a super-sophisticated version of Stuxnet, the virus unleashed a few years ago against the computer infrastructure of the Iranian nuclear energy program. Many cybersecurity analysts believe that the US and Israel were instrumental in designing both Stuxnet and Flame. IntelNews understands that the alleged virus was initially directed at employees of the Palais de l’Élysée through Facebook. The targets were allegedly befriended by fake Facebook profile accounts handled by the team that operated the virus. The targets were then sent phishing emails that contained links to phony copies of the login page for the Palais de l’Élysée intranet website.

News you may have missed #771

By IAN ALLEN | intelNews.org
►►Analysis: Ex FBI official says foreign spies biggest online threat. Former FBI executive assistant director Shawn Henry has warned that the biggest threat online comes not from terrorists or hackers, but from foreign intelligence organizations looking to steal intellectual property. “The threat from computer attack is the most significant threat we face as a society, other than a weapon of mass destruction”, he said in his opening keynote at the Black Hat 2012 conference in Las Vegas. “Everything we do —R&D, intellectual property, and corporate strategies— is stored or transmitted electronically. The DNA of companies is available to bad guys”.
►►Taiwanese officials jailed for espionage. Two Taiwanese former officials have been sent to prison by the Taiwan High Court for leaking state secrets to China. Presidential Office official Wang Ren-bing was jailed for two years after being found guilty of passing confidential information about President Ma Ying-jeou’s May 2008 inauguration to Chinese intelligence operatives. Chen Pin-jen, a former aide of Chinese Nationalist Party (KMT) Legislator Liao Kuo-tung, was sentenced to eight months in prison for delivering the confidential information Wang gave him to China. The two were arrested in 2009.
►►Germany charges suspected Syrian spy. A spokeswoman for federal prosecutors in Germany said Sunday that they have filed charges against suspected Syrian spy Akram O., one of two men arrested on suspicion of having spied on Syrian opposition activists in Germany for several years. The two were arrested in February during a sting operation involving over 70 German counterintelligence operatives, who searched the suspects’ apartments. The spokeswoman said she could not give further details before an official confirmation is issued that the suspect and the defense team have received the indictment.

News you may have missed #770

By TIMOTHY W. COLEMAN | intelNews.org
►►Kaspersky Lab is ‘thwarting US cyber spies’. According to an article in Wired magazine, Eugene Kaspersky, the CEO of Russia-based Kaspersky Lab, has been working to support Russian allies in the Kremlin and the FSB. Kaspersky’s firm first discovered the cyber attack weapon known as Stuxnet. As the profile piece notes, “Kaspersky’s rise is particularly notable —and to some, downright troubling— given his KGB-sponsored training, his tenure as a Soviet intelligence officer, his alliance with Vladimir Putin’s regime, and his deep and ongoing relationship with Russia’s Federal Security Service, or FSB”.
►►Al-Shabaab executes alleged CIA and MI6 assets. Somalia’s largest and most deadly armed Islamist group, al-Shabaab, announced that it had captured and executed at least three informants who were allegedly passing intelligence to the CIA and to MI6. The Associated Press reported that al-Shabaab’s official Twitter feed stated that the individuals, who were summarily interrogated and then executed by firing squad, “were part of a wide network of spies deployed by the British and American intelligence agencies”.
►►Australian intelligence briefed on Canadian spy. The espionage case against accused Canadian spy, former Sub-Lieutenant Jeffrey Paul Delisle, continues to garner intrigue. As was previously reported on this blog, Delisle, a former navy intelligence officer, is accused of spying for Russia. But a report in The National Post states that representatives of Canada’s intelligence service briefed members of Australia’s intelligence services on Delisle’s case and that information exchanges appear to be ongoing. The particulars of Australia’s involvement in the case are explained here.

Situation Report: Hacker convention brings out top NSA spy

By TIMOTHY W. COLEMAN | intelNews.org
In less than a week, the 20th annual DefCon hackers’ convention will take place in Las Vegas, Nevada. The yearly gathering brings out the good, the bad and the script kiddies alike. Computer security practitioners, cyber-criminals, grey and white hat hackers, law enforcement, and members of both the US intelligence community as well as, probably, foreign government representatives will be on hand to listen to presentations, see novel techniques, and view new and innovative methods for cyber intrusion. DefCon has become a Mecca of sorts for those interested in groundbreaking developments and nefarious possibilities within the computer security and cyber realm. As organizers of the event explain in their call for presentations, “DefCon is all about thinking up cool and new ways to approach everything from the most complex modern technology to hacking grandma’s toaster [...] what attack exploits, defensive techniques, or unique research have you been working on”. The focus is often two-fold: “how to break it”, followed by a segment on “how to fix it”. “Spot the Fed” is an ongoing and widely popular contest at the convention. The task of regular attendees is to properly identify plain-clothed members of law enforcement or the intelligence community. As DefCon explains, “if you see some shady MIB (Men in Black) earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, point him out”.

News you may have missed #763

By IAN ALLEN | intelNews.org
►►Taiwan ex-colonel nabbed for spying for China. Cheng Lin-feng, a retired Lieutenant Colonel in the Taiwanese army, and civilian Tsai Teng-han were taken in by Taiwanese police last week on suspicion of spying for China. Cheng was allegedly recruited by Chinese intelligence when he travelled to the mainland to do business, Taiwan’s Ministry of National Defense said in a statement, adding that he had been under investigation ever since a tip-off in 2009. A court spokesman said that details of the case will be withheld until the investigation is completed.
►►Russian law brands foreign-funded NGOs ‘foreign agents’. Russia’s Lower House of Parliament has approved a bill that brands non-governmental organizations receiving funding from abroad as “foreign agents”, a law that activists fear the Kremlin will use to target critics. The bill is almost certain to be approved by the Upper House before being signed into law by President Vladimir Putin, who last year accused the US State Department of funding protests against him. The bill is seen by many analysts as setting up a legal infrastructure for a crackdown on the opposition. Meanwhile, official statistics show that wiretapping in the Russian Federation has nearly doubled over the past five years. The main driver of the rise, analysts say, is the myriad of Russia’s rival security services spying on each other.
►►Turkish hackers release names of police informants. Members of Turkey’s Marxist cyberactivist group RedHack have dumped online a 75-megabyte text file with thousands of emails from Turkish police informants. The group said it released the information in retaliation against ultra-nationalist hackers who have been threatening opposition academics and journalists. RedHack, which has been using ‘defacement hacking’ to promote a Marxist political agenda since its founding, in 1997, is included on the Turkish government’s list of terrorist organizations. In March of this year, RedHack stole data from the Turkish police’s network, forcing the police to shut down all its servers.
