
Tuesday, October 9, 2018

Europe raises flags on China’s rampant cyber espionage

By LAURENS CERULUS 

The EU is gearing up to confront China on alarming levels of Beijing-linked cyber espionage on European industry.
The European Commission’s department for industry is drafting a document that would sum up Europe’s worries on the issue, two sources briefed on the plan told POLITICO, and could still come up with new measures to defend European trade secrets during this mandate, which ends in May next year.
The European Commission Thursday met a group of national government experts, foreign affairs officials and industry lobbyists to go over a study by PricewaterhouseCoopers and the Commission department that is likely to lead to EU action in coming months.
The study, an executive summary of which was obtained by POLITICO, offers a peek into “public and private sector concerns about the increasing risks associated with cyber-theft of trade secrets in Europe.”
In the manufacturing sector, it said, industrial espionage and cybertheft of trade secrets constitute up to 94 percent of all cyberattacks. 
The summary cites estimates that Chinese cyber espionage is costing Europe up to €60 billion in economic growth — a figure that would rise as European companies digitize their services.

PwC will finalize the report later this month, it said at Thursday’s meeting, after which the Commission would release it and work on its own follow-up.
The Commission’s initiative comes as Bloomberg Businessweek on Thursday published an extensive investigation into how manufacturing subcontractors in China implanted chips as tiny as a grain of rice in parts of servers that make their way onto the global market and into the server centers of cloud services giant Amazon Web Services, Apple and other tech firms.
The microchips would give Chinese actors access to data touching the servers.
Previous reports have consistently pointed fingers at Beijing as the world’s most active government on cyber espionage. 
A 2013 study by Mandiant raised flags across the world and governments have sought to strike deals with China to stop the practice.
The U.S. struck a deal with China in 2015. 
But intelligence officials have complained that Chinese counterparts have failed to abide by the terms of the agreement. 
On Wednesday, the Department of Homeland Security warned industry that the Beijing-linked “Cloudhopper” hacking group is again launching a widespread campaign on technology service providers to hack and steal industrial secrets.
The PwC study recommends that the European Union, as well as member countries, engage in talks similar to the U.S.-China dialogue. 
It also says that the EU could broaden its requirement to report cyber incidents to companies outside of critical infrastructure sectors. 
It adds that 60 percent of respondents that agree with the need for notifications said that such a notification system should be made mandatory across the EU.
Compared to national governments in and beyond Europe, the EU has in the past been cautious about wading into the debate. 
It lacks an intelligence agency, and is still struggling with the question of whether and how it can attribute cyberattacks to third countries — a naming-and-shaming power that is currently the purview of member countries and not Brussels.
European industry is getting increasingly anxious about the issue, however.
The PwC study says people working in industrial sectors in Italy, France, Germany and the Netherlands are most concerned about cyber espionage. 
Germany is most affected, the study says, as 17 percent of companies reported the theft of sensitive data between 2015 and 2017.
Europe’s largest business lobby BusinessEurope released a statement Thursday in which it asks the EU to come up with a “strategy to deter hostile actors” like China. 
“Diplomatic action or economic retaliation could be considered,” the group says, adding that “the EU could seek to cooperate with the United States, Japan and other OECD economies to apply political pressure.”

Monday, April 23, 2018

China Cyberspies Mined Japan Firms for North Korea Secrets

  • Lure related to defense industry suggests possible motive
  • Hackers left text in malware mocking security researchers
By David Tweed

Chinese hackers have targeted Japanese defense companies, possibly to get information on Tokyo’s policy toward resolving the North Korean nuclear impasse, according to cybersecurity firm FireEye Inc.
The attacks are suspected to come from a group known as APT10, a Chinese espionage group that FireEye has been tracking since 2009. 
One of the lures used in a “spear-phishing” email attack was a defense lecture given by former head of UNESCO, Koichiro Matsuura.
Two attacks took place between September and October 2017.
“Lure content related to the defense industry suggests that a possible motive behind the intrusion attempt is gaining insider information on policy prescription to resolve the North Korean nuclear issue,” said Bryce Boland, chief technology officer for the Asia-Pacific region at FireEye.
China’s Ministry of Foreign Affairs didn’t respond to a faxed request for comment Friday. 
The suspected attacks coincided with a dramatic escalation in tensions over North Korea’s nuclear weapons program as Kim Jong Un tested a hydrogen bomb and U.S. President Donald Trump threatened to “totally destroy” the country. 
The U.S. and Japan have been coordinating their diplomatic and military pressure campaigns against the country, and neighboring China is anxious to avoid a clash on its border.
Tensions have eased since the two Koreas started talking ahead of the Winter Olympics and Trump granted an unprecedented meeting with the North Korean leader.
Earlier this month, the foreign ministers of China and Japan agreed to work closely to push the regime to surrender its nuclear weapons program, although Japanese officials continue to express skepticism about Kim’s willingness to make a deal.

Multiple Attacks
The latest cyberattacks mirror other recent hacks with geopolitical overtones investigated by FireEye. Among the most recent was a wave of incursions on mainly U.S. engineering and defense companies linked to the South China Sea, where China’s claims for more than 80 percent of the water clash with five other nations.
In 2016, the website of Taiwan’s Democratic Progressive Party was attacked months after the party won elections, securing its leader Tsai Ing-wen the presidency.
“We believe APT10 is primarily tasked with collecting critical information in response to shifts in regional geopolitics and frequently targets organizations with long research and development cycles,” Boland said, citing firms in construction and engineering, aerospace and military, telecommunications and high-tech industries.
In an unusual development, the hackers inserted lines of text in the malware associated with the Japanese attacks mocking the security researchers. 
Such gems included, “I’m here waiting for u,” “POWERED BY APT632185, NORTH KOREA,” and “According to the analysis report, some Japanese analysts have always been portrayed as a bit of joke.”
Also under attack since November 2017 have been Japanese healthcare companies. 
“China’s new push on pharmaceutical innovation as a national priority, along with rising cancer rates, will likely drive future espionage operations against the healthcare industry,” Boland said.
Mandiant, a unit of FireEye, alleged in 2013 that China’s military might have been behind a group that had hacked at least 141 companies worldwide since 2006. 
The U.S. issued indictments against five military officials who were purported to be members of that group.

Saturday, December 24, 2016

FBI probes FDIC hack linked to China's military

Reuters

FBI investigating 2010 FDIC hack.

The FBI is investigating how Chinese hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China's military, people with knowledge of the matter said.
The security breach, in which hackers gained access to dozens of computers including the workstation for former FDIC Chairwoman Sheila Bair, has also been the target of a probe by a congressional committee.
The FDIC is one of three federal agencies that regulate commercial banks in the United States.
It oversees confidential plans for how big banks would handle bankruptcy and has access to records on millions of individual American deposits.
Last month, the banking regulator allowed congressional staff to view internal communications between senior FDIC officials related to the hacking, two people who took part in the review said.
In the exchanges, the officials referred to the attacks as having been carried out by Chinese military-sponsored hackers.
The staff was not allowed to keep copies of the exchanges, which did not explain why the FDIC officials believe the Chinese military was behind the breach.
Reuters was not able to review those records, and could not determine how long the FBI probe has been open, though it was described as still active. 
A third person with knowledge of the matter confirmed the FBI had opened a probe.
FDIC spokeswoman Barbara Hagenbaugh declined to comment on the previously unreported FBI investigation, or the hack's sponsorship by the Chinese military, but said the regulator took "immediate steps" to root out the hackers when it became aware of the security breach.
After FDIC staff discovered the hack in 2010, it persisted into the next years, with staff working at least through 2012 to verify the hackers were expunged, according to a 2013 internal probe conducted by the FDIC's inspector general, an internal watchdog.
The intrusion is part of a series of cybersecurity lapses at the FDIC in recent years that continued even after the hack suspected to be linked to Beijing. This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.
An annual report by the regulator said there were 159 incidents of unauthorized computer access during fiscal year 2015, according to a redacted copy obtained by Reuters under a Freedom of Information Act request.
Rather than major breaches by hackers, however, these incidents included security lapses such as employees copying sensitive data to thumb drives and leaving the agency.
Twenty of the incidents were confirmed data breaches, according to an FDIC document provided to Reuters by the U.S. House of Representatives Committee on Science, Space and Technology.
That represents a higher number than was previously reported by the regulator under reporting guidelines for major incidents.
Throughout the lapses, the FDIC has said it is stiffening information security standards, including a ban on thumb drives and more coordination with the Department of Homeland Security to prevent hacks.
"We are continuing to take steps to enhance our cybersecurity program," Hagenbaugh said.
An audit by the FDIC's inspector general in November found the FDIC was failing to do "vulnerability scanning" in an important part of its network, a standard technique used to detect hackers. 
The audit stated the FDIC was working to address the shortfall.
The FBI declined to comment on its investigation.
When asked about China's possible role in the 2010 hack, Chinese Foreign Ministry spokeswoman Hua Chunying said: "If you have no definitive proof, then it is very hard for you to judge where the attacks really come from."
Washington has accused Beijing of hacking government offices before, including the theft of background check records from the Office of Personnel Management.
It was not clear whether the FBI probe of the FDIC hack would result in any action against China or whether the issue would be taken up by President Donald Trump, who has vowed to confront China on trade issues.
The Obama administration has struggled to develop a clear strategy for responding to cyber attacks, due to the difficulty of identifying hackers and fears of escalation.
The White House had no comment on the FDIC hack.
Trump's transition team did not respond to a request for comment.
Last year, Barack Obama and Xi Jinping reached an agreement to avoid economic cyber espionage on one another.

'Advanced persistent threat'
A July report by the House Science Committee said hackers linked to China's government gained deep access to FDIC computers starting in 2010. 
The probe at that point was unaware the hack was tied to China's military.
The committee, chaired by Texas Republican Lamar Smith, has continued to press the FDIC. Lawmakers accused FDIC employees of covering up the hack to protect the job of Chairman Martin Gruenberg, who was nominated for his post in 2011.
An FDIC review last month found no evidence Gruenberg's pending confirmation influenced handling of the breach.
In September, FDIC officials told the committee it could not share some documents because the FBI was investigating the breaches, two committee aides told Reuters.
FDIC staff realized in October 2010 that sophisticated intruders lurked within the agency's network, according to the FDIC inspector general's 2013 probe.
Staff at the regulator learned the computer of the FDIC's then-chairwoman, Bair, was breached by what they called an "advanced persistent threat."
Top FDIC officials were not briefed on the matter until August 2011, a month after Bair left the agency, according to the 2013 investigation.
Bair declined to comment when reached by Reuters this week.
Reuters was unable to determine when the hackers were expunged from the FDIC network.
The regulator hired Mandiant, a firm specializing in probing Chinese military hackers, to investigate, executing a contract in January 2013.
Mandiant was purchased in 2014 by FireEye, which did not immediately respond to a request for comment.