Showing posts labeled FireEye.

Tuesday, June 25, 2019

Chinese Aggressions

Chinese Hackers Conduct Mass-Scale Espionage Attack On Global Cellular Networks
By Zak Doffman

An Israeli-U.S. cybersecurity firm released a new report on Monday evening, claiming that Chinese hackers had compromised the systems of at least ten cellular carriers around the world to steal metadata related to specific users. 
None of the affected carriers or targeted individuals have been named.
Cybereason claimed that the sophistication and scale of the attack, which it has dubbed Operation Soft Cell, bear the hallmarks of a nation-state operation and that the individual targets—military officials and dissidents—tie to China. 
All of which points to the Chinese government as the culprit. 
The affected carriers were in Europe, Africa, the Middle East and Asia. 
None were thought to be in the United States.
"The advanced, persistent attack targeting telecommunications providers," the company said, "has been active since at least 2017... The Chinese were attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more."
The attack was described in the report as a "game of cat and mouse between the Chinese and the defenders." 
As soon as "the compromise [of] critical assets, such as database servers, billing servers, and the active directory" was detected, "the Chinese stopped the attack," only to resume later.
The implications of China "infiltrating into the deepest segments of providers’ network, including some isolated from the internet," enabling hackers to "compromise critical assets and steal communications data of specific individuals in various countries" are extremely significant. 
It suggests almost open access for intelligence harvesting.
Cybereason also pointed out that "even though the attacks targeted specific individuals, any entity that possesses the power to take over the networks of telecommunications providers can potentially leverage its unlawful access and control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation."
According to the Wall Street Journal, "Cybereason Chief Executive Lior Div gave a weekend, in-person briefing about the hack to more than two dozen other global carriers. For the firms already affected, the response has been disbelief and anger, Mr. Div said. 'We never heard of this kind of mass-scale espionage ability to track any person across different countries'."
The nature of the data harvested in the attack is of real value to intelligence agencies, which analyze the metadata for patterns. 
Even if the call or messaging content is not retrieved, analysis of who talks to whom, when, how often, for how long and from where is a rich seam to be mined. 
In essence, every piece of metadata collected by the networks from registered smartphones was potentially vulnerable. 
And once the network's core was compromised, the attackers were effectively operating as insiders.
In the U.S. and U.K., when national intelligence agencies "hoover up" such data or campaign for additional collection legislation to enable them to do so, there is inevitably a privacy backlash. 
And this collection campaign has gone beyond anything a national agency would campaign for. 
The WSJ reported that "Operation Soft Cell gave Chinese hackers access to the carriers’ entire active directory, an exposure of hundreds of millions of users... [with] the hackers creating high-privileged accounts that allowed them to roam through the telecoms’ systems, appearing as if they were legitimate employees."
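The technique the WSJ quote describes, new high-privileged accounts created so that the intruders pass as employees, is one a defender can watch for in the domain controllers' Security log. What follows is an added example written for this page, not code from Cybereason, the WSJ or Forbes. It uses the standard Windows Security event IDs (4720 user account created; 4728, 4732 and 4756 member added to a global, local or universal group) and assumes the events have been exported in the simplified one-line form shown; the account names, timestamps and log lines are constructed.

```python
"""Flag accounts that were created and then added to a privileged AD group
within a short window (high), or added to a privileged group at all (medium).
Added example for this page; event IDs are the standard Windows Security IDs,
the log format and sample lines are constructed."""
from datetime import datetime, timedelta
import re

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Administrators", "Schema Admins"}

# Constructed, simplified rendering of Security log events, one per line.
SAMPLE_LOG = """\
2019-06-20T02:14:07Z EventID=4720 Subject=CORP\\helpdesk-jdoe Target=CORP\\svc-backup2
2019-06-20T02:15:31Z EventID=4728 Subject=CORP\\helpdesk-jdoe Target=CORP\\svc-backup2 Group=Domain Admins
2019-06-20T09:02:10Z EventID=4720 Subject=CORP\\hr-provisioner Target=CORP\\new.hire
2019-06-20T09:03:00Z EventID=4728 Subject=CORP\\hr-provisioner Target=CORP\\new.hire Group=Sales
2019-06-22T11:40:00Z EventID=4732 Subject=CORP\\admin-okane Target=CORP\\okane-adm Group=Administrators
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) Subject=(?P<subject>\S+) "
    r"Target=(?P<target>\S+)(?: Group=(?P<group>.+))?$"
)


def parse(log_text):
    """Parse the constructed one-line format into event dicts; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["eid"] = int(ev["eid"])
        events.append(ev)
    return events


def find_suspicious_privileged_accounts(events, window=timedelta(hours=24)):
    """Correlate 4720 (creation) with a later privileged-group add (4728/4732/4756).

    A privileged-group add is always reported (medium); if the target account
    was created within `window` before the add, the finding is escalated to
    high, the pattern of an intruder minting their own admin identity.
    """
    created = {}   # account -> (creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] == 4720:
            created[ev["target"]] = (ev["ts"], ev["subject"])
        elif ev["eid"] in (4728, 4732, 4756) and ev["group"] in PRIVILEGED_GROUPS:
            finding = {"account": ev["target"], "group": ev["group"],
                       "by": ev["subject"], "at": ev["ts"], "severity": "medium"}
            if ev["target"] in created and ev["ts"] - created[ev["target"]][0] <= window:
                finding["severity"] = "high"
                finding["created_by"] = created[ev["target"]][1]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_privileged_accounts(parse(SAMPLE_LOG)):
        print(f["severity"].upper(), f["account"], "->", f["group"], "by", f["by"], "at", f["at"])
```

On the constructed sample, `svc-backup2` (created and put in Domain Admins ninety seconds later by a helpdesk account) is reported as high and `okane-adm` (added to Administrators with no recent creation event) as medium; the `new.hire` account joins a non-privileged group and is ignored. The creating subject is kept in the finding because a helpdesk or service identity creating domain admins is itself the second signal worth chasing.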
Cybereason pointed towards China's APT10—Advanced Persistent Threat 10—as the likely hackers behind this attack. 
The group is known for long-term, persistent campaigns that harvest information much as an intelligence agency would. 
And this campaign is thought to have been running for as long as seven years. 
Coincidentally, NASA, one of the previous targets of APT10, confirmed in recent days that it had also been hacked, a compromise which again bears nation-state hallmarks.
"Cybereason said it couldn't be ruled out that a non-Chinese actor mirrored the attacks to appear as if it were APT10," reported the WSJ, "as part of a misdirection. But the servers, domains and internet-protocol addresses came from China, Hong Kong or Taiwan... All the indications are directed to China."
FireEye and CrowdStrike, the cybersecurity firms that have painted the most complete profile of APT10, told Wired that "they couldn't confirm Cybereason's findings, but that they have seen broad targeting of cellular providers, both for tracking individuals and for bypassing two-factor authentication, intercepting the SMS messages sent to phones as a one-time passcode."
Two hackers allegedly linked to APT10 were indicted on federal charges in the U.S. last year.
The fact that a Chinese state hacking outfit has targeted cellphone metadata will clearly be tied to the ongoing U.S. campaign against Chinese telecoms equipment manufacturers in general, and Huawei in particular. 
The argument will now run that this is exactly the kind of vulnerability that becomes exposed if the Chinese government uses its influence over domestic companies to pull intelligence from overseas.
"We’ve concluded with a high level of certainty," Cybereason claimed on issuing its report, "that the threat actor is affiliated with China and is state-sponsored. The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor operating on behalf of the Chinese Ministry of State Security."

Monday, February 18, 2019

Chinese and Iranian Hackers Renew Their Attacks on U.S. Companies

By Nicole Perlroth

Geoffrey Berman, the United States attorney for the Southern District of New York, discussing the charges last year against nine Iranians accused of hacking into the systems of hundreds of companies and academic institutions.

SAN FRANCISCO — Businesses and government agencies in the United States have been targeted in aggressive attacks by Iranian and Chinese hackers who security experts believe have been energized by President Trump’s withdrawal from the Iran nuclear deal last year and his trade conflicts with China.
Recent Iranian attacks on American banks, businesses and government agencies have been more extensive than previously reported.
Dozens of corporations and multiple United States agencies have been hit, according to seven people briefed on the episodes who were not authorized to discuss them publicly.
The attacks, attributed to Iran by analysts at the National Security Agency and the private security firm FireEye, prompted an emergency order by the Department of Homeland Security during the government shutdown last month.
The Iranian attacks coincide with a renewed Chinese offensive geared toward stealing trade and military secrets from American military contractors and technology companies, according to nine intelligence officials, private security researchers and lawyers familiar with the attacks who discussed them on the condition of anonymity because of confidentiality agreements.
A summary of an intelligence briefing read to The New York Times said that Boeing, General Electric Aviation and T-Mobile were among the recent targets of Chinese industrial-espionage efforts. 
The companies all declined to discuss the threats, and it is not clear if any of the hacks were successful.
Chinese cyberespionage cooled four years ago after Barack Obama and Xi Jinping reached a deal to stop hacks meant to steal trade secrets.
But the 2015 agreement appears to have been unofficially canceled amid the continuing trade tension between the United States and China, the intelligence officials and private security researchers said. Chinese hacks have returned to earlier levels, although they are now stealthier and more sophisticated.
“Cyber is one of the ways adversaries can attack us and retaliate in effective and nasty ways that are well below the threshold of an armed attack or laws of war,” said Joel Brenner, a former leader of United States counterintelligence under the director of national intelligence.
Federal agencies and private companies are back to where they were five years ago: battling increasingly sophisticated, government-affiliated hackers from China and Iran — in addition to fighting constant efforts out of Russia — who hope to steal trade and military secrets and sow mayhem. 
And it appears the hackers substantially improved their skills during the lull.
Russia is still considered America’s foremost hacking adversary. 
In addition to meddling widely and spreading disinformation during United States elections, Russian hackers are believed to have launched attacks on nuclear plants, the electrical grid and other targets.
Threats from China and Iran never stopped entirely, but Iranian hackers became much less active after the nuclear deal was signed in 2015. 
And for about 18 months, intelligence officials concluded, Beijing backed off its 10-year online effort to steal trade secrets.
But Chinese hackers have resumed carrying out commercially motivated attacks, security researchers and data-protection lawyers said. 
A priority for the hackers, researchers said, is supporting Beijing’s five-year economic plan, which is meant to make China a leader in artificial intelligence and other cutting-edge technologies.
“Some of the recent intelligence collection has been for military purposes or preparing for some future cyber conflict, but a lot of the recent theft is driven by the demands of the five-year plan and other technology strategies,” said Adam Segal, the director of the cyberspace program at the Council on Foreign Relations. 
“They always intended on coming back.”
Officials at the Chinese embassy in Washington did not respond to a request for comment.
Mr. Segal and other experts on Chinese security said attacks that once would have been conducted by hackers in China’s People’s Liberation Army are now being run by China’s Ministry of State Security.
These hackers are better at covering their tracks. 
Rather than going at targets directly, they have used a side door of sorts by breaking into the networks of the targets’ suppliers. 
They have also avoided using malware commonly attributed to China, relying instead on encrypting traffic, erasing server logs and other obfuscation tactics.

Two Chinese nationals suspected of participating in an extensive hacking campaign to steal data from American companies.

“The fingerprint of Chinese operations today is much different,” said Priscilla Moriuchi, who once ran the National Security Agency’s East Asia and Pacific cyber threats division. 
Her duties there included determining whether Beijing was abiding by the 2015 agreement’s terms. “These groups care about attribution. They don’t want to get caught.”
It is difficult to quantify the number of industrial-espionage attacks, in part because they have been designed mostly to steal strategic trade secrets, not the kind of personal information about customers and employees that companies must disclose. 
Only Airbus has acknowledged in recent weeks that Chinese hackers had penetrated its databases.
Many of the attacks by the Chinese Ministry of State Security have been against strategic targets like internet service providers with access to hundreds of thousands, if not millions, of corporate and government networks.
Last week, Ms. Moriuchi, who is now a threat director at the cybersecurity firm Recorded Future, released a report on a yearlong, stealth campaign by the Chinese to hack internet service providers in Western Europe and the United States and their customers.
The lone hacking target to publicly confront the Chinese was Visma, a Norwegian provider of cloud-based business software and services with 850,000 customers. 
The goal of the attack on Visma was to gain broad access to its customers’ intellectual property, strategic plans and emails, including those of an American law firm that handles intellectual property matters for clients in the automotive, biomedical, pharmaceutical and tech sectors, according to Recorded Future.
The Visma attack was harder to trace than earlier incidents, which typically started with so-called spearphishing emails meant to steal personal credentials. 
This assault began with stolen credentials for a third-party software service, Citrix. 
And instead of using malware easily traced to China, the attackers used malware available on the so-called Dark Web that could have come from anywhere. 
They also used the online storage service Dropbox to move stolen emails and files.
Federal agencies are also trying to fend off new Iranian espionage campaigns.
After the Trump administration pulled out of the nuclear deal, Kirstjen Nielsen, the homeland security secretary, testified before Congress that her agency was “anticipating it’s a possibility” that Iran would resort to hacking attacks.

Stuart Davis, a director at a subsidiary of the security firm FireEye, which has attributed a recent wave of cyberattacks to Iranian hackers.

The Iranian attacks, which hit more than a half-dozen federal agencies last month, still caught the department off guard. 
Security researchers said the hacks, which exploited weaknesses in the domain name system that underpins the internet, were continuing and were more damaging and widespread than agency officials had acknowledged.
Iranian hackers began their latest wave of attacks in Persian Gulf states last year. 
Since then, they have expanded to 80 targets — including internet service providers, telecommunications companies and government agencies — in 12 European countries and the United States, according to researchers at FireEye, which first reported the attacks last month.
The current hacks are harder to catch than previous Iranian attacks. 
Instead of hitting victims directly, FireEye researchers said, Iranian hackers have been tampering with the Domain Name System, the internet's address book: by altering the records that domain name registrars and registries hold for a victim's domain, they redirected the victim's web and email traffic through servers they controlled. 
Once they had intercepted a target's traffic, they harvested and used login credentials to gain access to their victims’ emails. (Domain name registrars hold the keys to hundreds, perhaps thousands, of companies’ websites.)
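The defensive counterpart to the record tampering described above is to keep an authoritative baseline of your own DNS records and compare what resolvers actually return against it. The following is an added example written for this page, not code from FireEye, the NYT or this blog. The baseline, the "observed" answers and the organisation's netblock are constructed; in practice the observed values would come from live resolution (for instance with dnspython) from more than one vantage point, since a hijack may be served only to some resolvers.

```python
"""Compare observed DNS answers with an expected baseline and flag the changes
a registrar/registry hijack produces. Added example for this page; all record
data and the netblock below are constructed."""
import ipaddress

# Constructed: the records the organisation expects for its own names.
BASELINE = {
    "example-corp.test": {
        "A": {"198.51.100.10"},
        "NS": {"ns1.example-corp.test.", "ns2.example-corp.test."},
        "MX": {"10 mail.example-corp.test."},
    },
    "mail.example-corp.test": {"A": {"198.51.100.25"}},
}

# Constructed: netblocks the organisation actually owns. An A record pointing
# anywhere else is the core signal, even when the baseline itself has drifted.
OWN_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed: what a resolver returned. The mail host now resolves to an
# address outside the organisation, the shape of a proxying hijack.
OBSERVED = {
    "example-corp.test": {
        "A": {"198.51.100.10"},
        "NS": {"ns1.example-corp.test.", "ns2.example-corp.test."},
        "MX": {"10 mail.example-corp.test."},
    },
    "mail.example-corp.test": {"A": {"203.0.113.7"}},
}


def check_zone(baseline, observed, own_netblocks=OWN_NETBLOCKS):
    """Return (name, rtype, reason, expected, got) tuples for every anomaly."""
    findings = []
    for name, expected in baseline.items():
        got = observed.get(name, {})
        # Any difference from the baseline, per record type.
        for rtype, exp_set in expected.items():
            got_set = set(got.get(rtype, ()))
            if got_set != exp_set:
                findings.append((name, rtype, "changed", sorted(exp_set), sorted(got_set)))
        # Independently: an A record outside the organisation's own address space.
        for ip in got.get("A", ()):
            if not any(ipaddress.ip_address(ip) in net for net in own_netblocks):
                findings.append((name, "A", "outside-own-netblocks",
                                 sorted(expected.get("A", ())), [ip]))
    # Names answered that were never in the baseline, e.g. an attacker-added host.
    for name in observed:
        if name not in baseline:
            findings.append((name, "*", "unexpected-name", [], sorted(observed[name])))
    return findings


def severity(finding):
    """NS changes move the whole zone and off-net A records are the hijack
    itself, so both are high; other drift is medium until a human looks."""
    _, rtype, reason, _, _ = finding
    if reason == "outside-own-netblocks" or (reason == "changed" and rtype == "NS"):
        return "high"
    return "medium"


if __name__ == "__main__":
    for f in check_zone(BASELINE, OBSERVED):
        print(severity(f).upper(), *f)
```

On the constructed data the mail host produces two findings, a baseline change (medium) and an A record outside the owned netblock (high); an unchanged zone produces none. Because the campaign FireEye described made the redirect invisible to users by obtaining valid TLS certificates for the hijacked names, monitoring certificate-transparency logs for unexpected issuances is the natural companion to this check, along with registrar locks and multi-factor authentication on registrar accounts.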
“They’re taking whole mailboxes of data,” said Benjamin Read, a senior manager of cyberespionage analysis at FireEye. 
Mr. Read said Iranian hackers had targeted police forces, intelligence agencies and foreign ministries, indicating a classic, state-backed espionage campaign rather than a criminal, profit-seeking motive.
There is a long history of Iranian attacks against the United States, and episodes from five years back or longer are just now being made public.
On Wednesday, the Justice Department announced an indictment against a former Air Force intelligence specialist, Monica Witt, on charges of helping Iran with an online espionage campaign. Four members of Iran’s Islamic Revolutionary Guard Corps were also charged with “computer intrusions and aggravated identity theft” directed at members of the United States intelligence community.
Also last week, the Treasury said it was putting sanctions on two Iranian companies, New Horizon Organization and Net Peygard Samavat Company, and several people linked to them. 
Treasury officials said New Horizon set up annual conferences where Iran could recruit and collect intelligence from foreign attendees.
Ms. Witt attended one of the conferences, the indictment says. 
Net Peygard used information she provided to begin a campaign in 2014 to track the online activities of United States government and military personnel, Treasury officials said.
Representatives for Iran’s Mission to the United Nations did not respond to requests for comment.
The recent Iranian attacks have unnerved American officials. 
But after issuing the emergency order about the ones last month, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has largely played them down.
An official with the cybersecurity agency said there was a belief that no information had been stolen and that the attacks had not “materially impacted” operations. 
But Mr. Read of FireEye and others said there had been a noticeable escalation in Iran’s digital espionage.
“If you tell the Iranians you’re going to walk out on the agreement and do everything you can to undermine their government,” said Mr. Brenner, the former counterintelligence official, “you can’t be surprised if they attack our government networks.”

Thursday, July 19, 2018

The Japan-China rivalry is playing out in Cambodia's election

  • Japan's support of Cambodia's general election is a strategic maneuver to counter Chinese influence in the developing state.
  • Tokyo's actions are a direct backing for Hun Sen's authoritarian regime.
  • Japanese Prime Minister Shinzo Abe may ultimately need to decide between maintaining economic power in Cambodia or upholding democratic standards.
By Nyshka Chandran

July 8, 2018: An election poster with images of Heng Samrin, Honorary President of the Cambodian People's Party, and Prime Minister Hun Sen, in Siem Reap.

Cambodia's general election on July 29 has become a proxy theater for competition between China and Japan as the two vie for influence in the Southeast Asian state.
China, the world's second-largest economy and Phnom Penh's largest foreign investor and economic benefactor, has donated $20 million in polling booths, laptops, computers and other equipment to the National Election Committee, the agency that supervises elections, according to the Associated Press. Tokyo, also one of Cambodia's top donors, has provided over 10,000 ballot boxes worth $7.5 million, Reuters reported.
Those contributions aren't surprising since both Asian heavyweights hold historically deep ties with the frontier economy. 
But Tokyo, concerned about Beijing's rising influence across Southeast Asia, is likely acting with strategy in mind.
"Japan’s economic footprint is starting to be dwarfed by the scale of Chinese investment in the country, through Belt and Road projects, and Chinese political influence," said Champa Patel, head of the Asia-Pacific program at London-based policy institute Chatham House. 
For Japanese Prime Minister Shinzo Abe, "maintaining relations with Cambodia will be to act as a counterweight to Chinese influence in the country and the wider region," she continued.
Chinese dictator Xi Jinping's administration has offered Cambodian Prime Minister Hun Sen's government billions in development assistance and loans through bilateral frameworks and the continent-spanning infrastructure program known as Belt and Road.
That, in turn, has produced a flood of Chinese commercial ventures in the country, including economic zones, casinos and industrial parks.
Beijing's economic leverage is also believed to have translated into political clout: During a 2016 ASEAN meeting, Phnom Penh was acting as an agent of China when it blocked mention of an international court ruling that rejected Beijing's territorial claims in the South China Sea in the group's official communique.
Meanwhile, security-research firm FireEye announced last week that it found evidence of a Chinese hacking team infiltrating computer systems belonging to Cambodia's election commission, opposition leaders and media. 
It wasn't immediately clear if any data was breached, but FireEye said the episode likely provided the Chinese government with visibility into Cambodia's election and government operations.
Amid those developments, Japan is looking to ramp up its presence in the developing state — the two nations signed a grant and loan agreement totaling over $90 million in April.
"Japan's foreign policy does seek to counter China's influence in Cambodia," said Paul Chambers, lecturer and special advisor on international affairs at Thailand's Naresuan University: "Japan, under Abe, wants to show Cambodia that trade and investment matter more for it than human rights — a consideration which has been of prime focus among Western countries."
Japan's support of the July 29 election translates to direct backing for Hun Sen's authoritarian regime.
The vote has been called a democratic sham amid the absence of the country's main opposition faction, the Cambodia National Rescue Party, which was dissolved by the Supreme Court on government orders late last year. 
Because that party is unable to participate, Hun Sen and his ruling Cambodian People’s Party are likely to emerge victorious.
Hun Sen, a former Khmer Rouge commander, is the world’s longest-serving premier. 
His 33-year rule has been marked by numerous allegations of corruption, politically motivated prosecutions and crackdowns on civil liberties.
The United States and the European Union have suspended funding to the National Election Committee, which is meant to be independent, but is widely believed to be controlled by the ruling party. 
The United Nations, meanwhile, has warned that the election won't be "genuine" and urged Phnom Penh to lift a ban on the CNRP, which is advising Cambodians to boycott the vote.
According to CNRP Deputy President Mu Sochua, Tokyo should withdraw its cooperation: "Cambodia needs to move forward, and it can only do so with democracy ... that's why we continue to explain to Japan that the only chance to help Cambodia is to side with democracy."
The CNRP has tried reaching out to Beijing to explain its argument, but so far has been unsuccessful, Sochua told CNBC over the phone.
"To support Hun Sen is to support dictatorship and with dictatorship, no government can protect their investments," she said, adding that "Hun Sen will keep giving more concessions to Chinese companies, so if Japan wants to protect its investments, it should stay on the side of democracy."
In recent public comments, Japanese officials have urged Phnom Penh to hold free and fair elections, but didn't touch on the government's human rights violations. 
Japan's embassy in Cambodia told CNBC that Tokyo's assistance was aimed at enhancing the credibility of the electoral process.
"Although Japan supports the technical and logistical aspects of the electoral process, they are not, at least in their own view, necessarily endorsing the legitimacy of the election itself," echoed Deth Sok Udom, a political science professor at Phnom Penh's Zaman University.
Ultimately, Abe may find he has to choose between maintaining economic power in Cambodia or upholding democratic standards.
"I suspect that Japan would opt for the first strategy," Chambers said.

Monday, April 24, 2017

Chinese Aggressions

China Hacked South Korea Over Missile Defense
By Jonathan Cheng in Seoul and Josh Chin in Beijing

This 2015 handout photo from the U.S. Department of Defense shows a Terminal High Altitude Area Defense interceptor being test-launched on Wake Island in the Pacific Ocean. 
Chinese state-backed hackers have recently targeted South Korean entities involved in deploying a U.S. missile-defense system, despite Beijing’s denial of retaliation against Seoul over the issue.
In recent weeks, two cyberespionage groups that FireEye Inc. has linked to Beijing’s military and intelligence agencies have launched a variety of attacks against South Korea’s government, military, defense companies and a big conglomerate, John Hultquist, director of cyberespionage analysis at the firm, said in an interview.
The California-based firm, which counts South Korean agencies as clients, including one that oversees internet security, wouldn’t name the targets.
While FireEye and other cybersecurity experts say Chinese hackers have long targeted South Korea, they note a rise in the number and intensity of attacks in the weeks since South Korea said it would deploy Terminal High-Altitude Area Defense, or Thaad, a sophisticated missile-defense system aimed at defending South Korea from a North Korean missile threat.
China opposes Thaad, saying its radar system can reach deep into its own territory and compromise its security. South Korea and the U.S. say Thaad is purely defensive. 
The first components of the system arrived in South Korea last month and have been a key issue in the current presidential campaign there.
One of the two hacker groups, which FireEye dubbed Tonto Team, is tied to China’s military and based out of the northeastern Chinese city of Shenyang, where North Korean hackers are also known to be active, said Mr. Hultquist, a former senior U.S. intelligence analyst. 
FireEye believes the other, known as APT10, is linked to other Chinese military or intelligence units.
China’s Ministry of Defense said this week Beijing has consistently opposed hacking, and that the People’s Liberation Army “has never supported any hacking activity.” 
China has said it is itself a major hacking victim but has declined to offer specifics.
The two hacking groups gained access to their targets’ systems through web-based intrusions and by inducing people to open weaponized email attachments or visit compromised websites, Mr. Hultquist said. 
He declined to offer more specific details.

HACK ATTACKS
Recent cyberattacks attributed to Chinese state-backed groups.
  • Since February: Spear-phishing* and watering-hole** attacks were conducted against South Korean government, military and commercial targets connected to a U.S. missile-defense system.
  • February, March: Attendees of a board meeting at the National Foreign Trade Council were targeted with malware through the U.S. lobby group’s website.
  • Since 2016: Mining, technology, engineering and other companies in Japan, Europe and North America were intruded on through third-party IT service providers.
  • 2014-2015: Hackers penetrated a network of the U.S. Office of Personnel Management to steal records on millions of government employees and contractors.
  • 2011-2012: South Korean targets, including government, media, military and think tanks, were hit with spear-phishing attacks.
  • *Spear-phishing: sending fraudulent emails made to look as if they come from a trusted party in order to trick a target into downloading malicious software.
  • **Watering hole: a strategy in which the attacker guesses or observes which websites a targeted group often uses and infects them with malware in order to infect the group’s network.
  • Sources: FireEye, Trend Micro, Fidelis, PricewaterhouseCoopers and BAE Systems, WSJ reporting

Mr. Hultquist added that an operational-security error by one of the groups gave FireEye’s analysts new information about that group’s origins.
South Korea’s Ministry of Foreign Affairs said last month that its website was targeted in a denial-of-service attack—one in which a flood of hacker-directed computers cripples a website—that originated in China.
A spokesman said that “prompt defensive measures” ensured that the attacks weren’t effective, adding that it was maintaining an “emergency service system” to repel Chinese hackers.
The ministry this week declined to comment further, to say which cybersecurity firm it had employed, or to say whether it thought the attacks were related to Thaad.
Another cybersecurity company, Russia’s Kaspersky Lab ZAO, said it observed a new wave of attacks on South Korean targets using malicious software that appeared to have been developed by Chinese speakers starting in February.
The attackers used so-called spear-phishing emails armed with malware hidden in documents related to national security, aerospace and other topics of strategic interest, said Park Seong-su, a senior global researcher for Kaspersky. 
The company typically declines to attribute cyberattacks and said it couldn’t say if the recent ones were related to Thaad.
The two hacking groups with ties to Beijing have been joined by other so-called hacktivists—patriotic Chinese hackers acting independently of the government and using names like the “Panda Intelligence Bureau” and the “Denounce Lotte Group,” Mr. Hultquist said.
South Korea’s Lotte Group has become a particular focus of Chinese ire after the conglomerate approved a land swap this year that allowed the government to deploy a Thaad battery on a company golf course.
Last month, just after the land swap was approved, a Lotte duty-free shopping website was crippled by a denial-of-service attack, said a company spokeswoman, who added that its Chinese website had been disrupted with a virus in February. 
She declined to comment on its source.
China’s Ministry of Foreign Affairs didn’t respond to questions about the website attacks. 
The ministry has previously addressed Lotte’s recent troubles in China by saying that the country welcomes foreign companies as long as they abide by Chinese law.
The U.S. has also accused Chinese state-backed hacking groups of breaking into government and commercial networks, though cybersecurity firms say such activity has dropped since the two nations struck a cybersecurity deal in 2015.
The two Chinese hacking groups named by FireEye are suspected of previous cyberattacks.
FireEye linked Tonto Team to an earlier state-backed Chinese hacking campaign, identified by Tokyo-based cybersecurity firm Trend Micro Inc. in 2012, which focused on South Korea’s government, media and military. 
Trend Micro declined to comment.
Two cybersecurity reports this month accused APT10 of launching a spate of recent attacks around the globe, including on a prominent U.S. trade lobbying group. 
One of those reports, jointly published by PricewaterhouseCoopers LLP and British weapons maker BAE Systems, said the Chinese hacker collective has recently grown more sophisticated, using custom-designed malware and accessing its targets’ systems by first hacking into trusted third-party IT service providers.
Because of the new scrutiny from that report, FireEye said in a recent blog post that APT10 was likely to lay low, though in the longer run, it added, “we believe they will return to their large-scale operations, potentially employing new tactics, techniques and procedures.”