Protecting its image: Chinese military allegedly behind hacks on major US newspapers

A new Shanghai-based hacker unit with ties to the People's Liberation Army (PLA) in China has been identified, according to a report from security company CrowdStrike. The New York Times writes that the group is codenamed "Putter Panda" due to its penchant for preying upon golf-playing conference attendees. The organization is believed to have been operational since at least 2007, targeting American, European, and Japanese companies involved with the satellite, aerospace, and communication industries. CrowdStrike also writes that Putter Panda has been conducting intelligence-gathering operations on government sectors in the US. The hackers used innocuous-seeming emails containing job postings, PDF invitations to conferences, and even a yoga studio brochure to lure victims into downloading custom malware.

The US Department of Homeland Security and FBI provided a list of IP addresses used by alleged Chinese military hackers to American internet service providers (ISPs) earlier in February, and not-so-subtly encouraged the ISPs to block them, The Wall Street Journal reported today. Based on The Journal's report, the IP addresses that were on the list handed to ISPs were ones linked to the "Comment Crew," an alleged Chinese military hacking outfit that was described in a widely-publicized February report from cybersecurity firm Mandiant. As it turns out, Mandiant actually alerted the US government to its findings a week before it went public with them on February 18th. According to The Journal, the DHS and the FBI then released a memo listing the Comment Crew's suspected IP addresses. DHS officials then sent a follow-up email to ISPs telling them to "institute actions" based on the memo.

The Journal cites US officials as saying the goal of giving the IP addresses to the ISPs was to let these companies know that traffic coming over their networks could be actually attacking other US companies. At least some ISPs appear to have followed the urging of DHS, because The Journal reports that shortly after the DHS / FBI memo was released, there was a noticeable drop in observed attacks and infiltrations by the Comment Crew. But that also appears to have been short-lived, as the number of attacks quickly rebounded, and The Journal's sources in the US government say that it was because the Comment Crew wised up and changed their IPs.

It's no secret that major US companies have been victims of a growing number of hacks from overseas in recent years, allegedly by attackers looking to steal corporate information and intellectual property, such as patented software. The Department of Defense and US diplomats have also accused China's government and military of being behind some of these attacks. Now, a new report by a group of influential former government officials and private executives says that if intellectual property theft continues at future levels, Congress should consider passing laws allowing US companies to "counterattack" against such hackers, whoever they may be.

After a relative lull in activity, it looks as though the Chinese hacking group uncovered in a February security report has resumed its attacks on US targets. According to new information that security firm Mandiant submitted to The New York Times, attacks against identical, but unspecified, targets have been gradually increasing over the past two months, now sitting at 60 to 70 percent of their previous strength. Obama administration officials say that the issue will continue to be revisited until it can convince the Chinese leadership that "there is a real cost to this kind of activity."

In recent months, President Obama’s national security advisor Tom Donilon has talked tough about Chinese cyberattacks on US businesses and infrastructure targets, saying that "the international community cannot afford to tolerate such activity from any country." The resumption of attacks is expected to figure heavily in Donilon’s upcoming visit to China, notes The Times.

Yesterday a Pentagon report laid the blame for some of the recent hacking attacks in the United States at the feet of the Chinese government and military, and now a group of four US senators have proposed legislation aimed at hurting those the benefit from such actions. The Deter Cyber Theft Act was proposed by Carl Levin (D-MI), John McCain (R-AZ), Jay Rockefeller (D-WV), and Tom Coburn (R-OK), and is designed to address what NSA head General Keith Alexander has called "the greatest transfer of wealth in history" — theft of intellectual property in cyber-related crime.

If it were to become law, the Act would require the Director of National Intelligence (DNI) to put together an annual report listing what foreign countries are engaging in economic or industrial cyber-espionage in the US, including a watch list of those considered the most egregious offenders. The report would include what information had been targeted by these attacks, what had been stolen, what materials were created using that stolen information, and what foreign companies — including government entities — benefitted. It would also list what steps the DNI and other federal agencies had taken to combat the attacks.

China's Ministry of Defense has steadfastly denied any role in the hacking attacks, and while the US has been looking at more aggressive tactics to deal with future problems they've mostly been couched in the context of dealing with hackers that happen to be within China's borders. However gentle the language may be, the statements made in the new report are much more clear: pinning some of the blame directly on China's government and military.

After years of accusations over Chinese government-sponsored hacks of American companies and agencies, the US government looks to be taking a more agressive stance. The Wall Street Journal reports that the Obama administration is looking into an array of options to send a message to China and proactively defend against future attacks.

Current officials and others who have recently left the government inform the paper that the administration is considering using the Justice Department to prosecute individuals connected to the hacks. While it's unlikely that China would release its citizens for US prosecution, the indictments could limit where suspects could travel out of fear of being released into US custody. Other options include placing sanctions on Chinese companies said to be involved in the attacks, or placing visa restrictions on suspected hackers, like researchers working for the Chinese military. The administration is also said to be considering a formal complaint to the World Trade Organization. Lastly, the US could consider offensive or defensive countermeasures against the cyberattacks.

The United States and China will form working groups that focus in on two of today's most pressing issues: cybersecurity and climate change. That's according to US Secretary of State John Kerry, who outlined the plans during a visit to Beijing. The collaboration on cybersecurity is particularly notable; both countries have traded barbs and accusations of cyber espionage in recent months. It's unclear what (if anything) will come as a result of the joint effort, but the working group's formation suggests both sides are eager to quell months of rising tension and public squabbling.

Both countries are also promising to work together on a "more focused and urgent" response to climate change concerns. "The United States of America and the People's Republic of China recognize that the increasing dangers presented by climate change," reads a joint statement announcing the second working group. "Forceful, nationally appropriate action by the United States and China – including large-scale cooperative action – is more critical than ever," it says. Each acknowledges climate change as a crisis, but the US and China often disagree on the best way of tackling the issue — China insists developing nations shouldn't need to invest the same resources as larger carbon emitters. Set to begin immediately, the global warming-focused group will work to discover new ways in which which the US and China can "advance cooperation on technology, research, conservation, and alternative and renewable energy." Findings will be presented at this summer's Strategic and Economic Dialogue (S&ED).

China has come out in strong opposition to a new US law that restricts government purchases of Chinese technology, saying the measure threatens to harm economic relations between the two countries. The provision, passed Thursday as part of a larger US spending bill, requires NASA, the Department of Justice, and the Commerce Department to consult with federal law enforcement before procuring Chinese IT systems. The law purportedly aims to mitigate the risk of cyber-espionage, but as Reuters reports, Chinese authorities say it could have drastic consequences.

The latest US appropriations bill, signed into law just this week, includes a provision that is likely to further raise tensions between the country and China. The provision requires the Department of Justice, Department of Commerce, NASA, and the NSF to perform a formal assessment of risk of cyber-espionage before purchasing computer systems and other IT equipment. There is a clause in the bill that states that the assessment must specifically analyze — with the assistance of the FBI — any "such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized" by the People's Republic of China to determine if the purchase is "in the national interest of the United States." Stewart A. Baker first wrote about the provision on his blog yesterday, and Reuters published a report on the restriction earlier today.

The provision comes shortly after a spate of attacks against US media outlets and government agencies. A report from security agency Mandiant traced those incidents to a building in Shanghai housing the People's Liberation Army Unit 61398, which is involved in cyber-espionage — a claim the Chinese government has denied.

One of China's most elite and prestigious research universities appears to have a working relationship with the military unit that's said to be behind recent cyber-espionage attacks on US companies and government agencies. Reuters has discovered at least three research papers on cyber warfare co-authored by professors at Shanghai Jiao Tong University and members of PLA Unit 61398. Last month, a report from computer security agency Mandiant implicated that the military unit was responsible for hacks like those that compromised media outlets like The New York Times and The Washington Post — a claim that the Chinese government has denied.

Evidence of a tie between such an influential university and a military unit involved with cyber-espionage operations is notable, though there is nothing yet that suggests university faculty worked together with PLA employees involved in espionage operations. The Unit 61398 members who co-authors papers with professors were all researchers, according to Reuters. Experts tell Reuters that the three papers suggesting a link between the PLA and the university appear to be related to keeping computer networks secure, not breaking into them. They add, however, that detailing defenses can help create plans of attack. Reuters was unable to obtain comment from either the PLA or Shanghai Jiao Tong University.

China has signalled it is willing to open a "constructive dialogue" to help stem the wave of cyberattacks allegedly coming from within its borders. Speaking to the Associated Press, a foreign ministry spokesperson condemned the recent attacks, adding that "cyberspace needs rules and cooperation, not wars. China is willing to have constructive dialogue and cooperation with the global community, including the United States."

Today's statement appears to be in direct response to strong comments from US government officials yesterday that called for a crackdown on cyberattacks originating from China. White House national security adviser Tom Donilon said that China "should take serious steps to investigate and put a stop to these activities," and asked the country to "engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace."

China's Defense Ministry today revealed new details about alleged cyberattacks on its websites, claiming that the US was responsible for nearly two-thirds of the 144,000 security breaches the ministry saw each month last year. The Chinese government accused the US of frequently hacking into state websites last week, but today's announcement marks the first time that China has disclosed details on the breadth of the alleged attacks.

"The Defense Ministry and China Military Online websites have faced a serious threat from hacking attacks since they were established, and the number of hacks has risen steadily in recent years," said Geng Yansheng, a Defense Ministry spokesman. "According to the IP addresses, the Defense Ministry and China Military Online websites were, in 2012, hacked on average from overseas 144,000 times a month, of which attacks from the U.S. accounted for 62.9 percent."

Following yesterday’s explosive New York Times report implicating the Chinese military in a string of international cyber attacks, the country is once again denying it had any involvement, calling security company Mandiant’s investigation "scientifically flawed." Reuters reports that a response on the country’s Ministry of Defense website directly refutes Mandiant’s claims, saying that, "the report, in only relying on linking IP address to reach a conclusion the hacking attacks originated from China, lacks technical proof."

The country has consistently denied any official involvement in the attacks, but the newest response takes a more relativistic stance, saying that the US is also engaged in its fair share of hacking attacks against China, "but we don’t use this as a reason to criticize the United States." It also questions where to draw the line between "hacking" and "everyday gathering of online (information)," although presumably months of spear phishing attacks, password cracking, and installing malware on the other party's systems would fall under the former.

The location of the "overwhelming percentage" of Chinese cyberattacks on US corporations and government agencies is believed to have been found, and it’s a People’s Liberation Army base in Shanghai, reports The New York Times. According to a 60-page study from computer security agency Mandiant, the hacking group, referred to as "Comment Crew," could not be placed inside the 12-story office tower, the home of PLA Unit 61398, but there is no other explanation how so many of the attacks could have come from such a small geographical area. The alternative, says Mandiant, is that "a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission."

In the past weeks, major media outlets like The Washington Post, Wall Street Journal, and The New York Times have been hacked. The latter reported that it believed the Chinese military was involved in the four-month-long attack on its systems; a charge that China staunchly denied. According to The Times, representatives of the Chinese embassy in Washington denied the charge again on Monday, insisting that the Chinese government does not engage in illegal computer hacking. Obama administration officials are quoted as saying that they plan to tell the Chinese leadership that the "volume and sophistication" of the attacks threaten the relationship between the two countries.

There have been an unusually high number of hacks this week, and today The Washington Post confirmed yesterday's reports that it was also the target of what the publication suspects is Chinese hackers. The Post joins The Wall Street Journal and The New York Times, which all appear to have been hacked to monitor their coverage of China. However, the Post reports that the extent of its attack, which may have begun as early as 2008 or 2009, was "unusual."

In an official statement, the Post confirmed reports from Krebs on Security that the publication had indeed been hacked. Anonymous sources speaking to the Post provided further information, and said that the hack targeted the publication's main server and several other computers. It's not clear what information was taken, but the Post reports that administrative passwords were likely compromised, giving hackers access to a number of company systems during the attack. However, the Post denies allegations from Krebs that the company turned over one of its servers to the NSA and Department of Defense for analysis, saying "that would be an unusual step for a news organization that traditionally has carefully guarded the security of its e-mail and other information from government intrusion."

It was revealed this week that several high-profile US newspapers suffered attacks from hackers, and now information is coming to light that indicates The Washington Post may have been yet another victim. Krebs on Security reports that a former Post information technology employee was part of a group that responded to a security breach the paper suffered that had ramifications throughout 2012. According to the report, servers and desktops at the Post had been compromised with software that allowed the attackers access to the network and the machines themselves. The Post newsroom and other operations were all reportedly compromised.

Usernames and passwords were reportedly transmitted back to the perpetrators of the attack, with signs at the time indicating that Chinese hackers were to blame in this instance as well. One of the servers from the Post is said to have been taken by individuals from the National Security Agency and Defense Department for analysis at one point. When contacted by Krebs on Security, the Post declined to comment.

The relationship between Google and China has grown increasingly contentious, and in a new book former CEO Eric Schmidt reportedly has some harsh words for the country. The Wall Street Journal reports that it has seen preliminary galleys of The New Digital Age, written by Schmidt and Google Ideas director Jared Cohen. In the book, the pair reportedly call China "the world's most active and enthusiastic filterer of information" — something Google has had to deal with firsthand in recent years. The book also states that China operates "sophisticated and prolific" hacking campaigns targeting foreign companies. Concerns about the latter have been a particular point of focus this week, with both The New York Times and The Wall Street Journal reporting that they had recently been infiltrated by hacking attacks; both targets said they traced their attackers to China.

The concerns are raised in the context of global competition; the book warns that with an increasing dependence on digital communication and commerce, the Chinese government's alleged willingness to participate in cyber attacks could give the country economic and political advantages. "The disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States as a distinct disadvantage," the book reportedly reads, with Schmidt and Cohen warning that the US will not be able to take advantage of the same tactics due to the US legal system and "sense of fair play."

Yesterday the New York Times revealed that it had suffered attacks at the hands of what it claimed were hackers from China, and today the Wall Street Journal has joined the group of victims. The Journal is reporting that its computers had been compromised by Chinese hackers, apparently to monitor the paper's coverage of China itself. The timeframe or length of these specific attacks weren't detailed, but Paula Keve — chief spokesperson for WSJ parent company Dow Jones & Co. — said in a statement that a network overhaul had recently been completed in order to enhance security. That said, the infiltration is an "ongoing issue," but Keve stressed that the company is continuing to work with authorities and security experts in order "to protect our customers, employees, journalists and sources."

The Beijing bureau of the WSJ is one of the ways in which the hackers are said to have been able to gain access to the publication's systems. "Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China, and are not an attempt to gain commercial advantage or to misappropriate customer information," Keve said. The Federal Bureau of Investigation has been investigating both the Times and Journal incidents, considering them both part of a national-security case against the US.

China is staunchly denying a report from The New York Times that suggests its military colluded with hackers to launch a four-month cyber attack against the US newspaper. Foreign Ministry spokesman Hong Lei took a harsh tone in responding to the NYT's accusations. "The competent Chinese authorities have already issued a clear response to the groundless accusations made by The New York Times," he told reporters earlier today. "To arbitrarily assert and to conclude without hard evidence that China participated in such hacking attacks is totally irresponsible. The intrusion, which has been described as consistent with other hacks supposedly led by the Chinese military, targeted a journalist responsible for authoring a report analyzing the family wealth of prime minister Wen Jiabao.

Additionally, security firm Symantec isn't pleased with the Times for implying that its antivirus software was an unreliable, essentially useless defense against the hackers. In a statement released today, the company emphasized that it's critical for major media corporations like The New York Times to harness "the full capability" of its security offerings. "Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats," the statement reads, concluding again that "anti-virus software alone is not enough." The Times report says Symantec's software caught just one instance of malware on its systems when in fact 45 pieces of software would later be discovered.