This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.guardian.co.uk/technology/2013/feb/19/china-hacker-attacks-west

The article has changed 5 times. There is an RSS feed of changes available.

Version 1

China 'aiding hacker attacks on west'

The Chinese government is directly aiding thousands of computer attacks against western companies and defence groups by top-level hackers based in Shanghai, according to a new study which warns that they have stolen vast amounts of data from their targets.

Mandiant, a security company which has been investigating attacks against western organisations for more than six years, says in a report (PDF) that the attacks come from a 12-storey building belonging to the People's Liberation Army (PLA) General Staff's Department, also known as Unit 61398, in Shanghai.

The discovery will further raise the temperature in the intergovernmental cyberwars, which have heated up in recent years as the US, Israel, Iran, China and UK have all used computer subterfuge to undermine rival state or terrorist organisations. One security expert warned that companies in high-profile fields should assume that they will be targeted and hacked and build systems that will fence sensitive data off from each other. "We need to concentrate less on building castles and assuming they'll be impervious, and more on building better dungeons so that when people get in they can't get anything else," said Rik Ferguson, global vice-president of security research at rival company Trend Micro.

Mandiant says that Unit 61398 could house "hundreds or thousands" of people and has military-grade high-speed fibre-optic connections from China Mobile, the world's largest telecoms carrier. "The nature of Unit 61398's work is considered by China to be a state secret; however, we believe it engages in harmful computer network operations," Mandiant said in the report. It said it has been operating since 2006, and is one of the most prolific hacking groups "in terms of quantity of information stolen", which it put at hundreds of terabytes, enough for thousands of 3D designs and blueprints.

"APT1", as Mandiant calls it, is only one of 20 groups that Mandiant says has carried out scores of hacking attacks against businesses and organisations in the west to surreptitiously steal copious amounts of data without the owners' knowledge. The companies affected all work in industries viewed as "strategic" by the Chinese government.

A typical attack would leave software that hid its presence from the user or administrator and silently siphoned data to a remote server elsewhere on the internet at the instruction of a separate "command and control" (C&C) computer. By analysing the hidden software, the pattern of connections and links from the C&C server, the team at Mandiant said it was confident of the source of the threat.

Mandiant said: "It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively."

A Chinese foreign ministry spokesman denied the government was behind the attacks, saying on Tuesday: "Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable. Arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue."

But Ferguson told the Guardian: "This is a pretty compelling report, with evidence collected over a prolonged period of time. It points very strongly to marked Chinese involvement." Mandiant, based in Alexandria, Virginia in the US, investigated the New York Times break-in and suggested it had come from Chinese sources.

President Obama is already beefing up US cybersecurity, introducing an executive order in his state of the union speech earlier in February which would let the government work with the private sector to fend off hacking. But that will take until February 2014 to have a final version ready for implementation.

The revelation comes just days after the New York Times, Wall Street Journal and Washington Post, as well as the social networks Facebook and Twitter, said that they had been subjected to "highly sophisticated" hacks which in some cases were focused on correspondents writing about China and its government.

Separate investigations by the computer company Dell working with news company Bloomberg tracked down another alleged hacker, Zhang Changhe, who had written a number of papers on PC hacking and who works at the PLA's "Information Engineering University" in Zhengzhou, in Henan province in north-central China.

The allegations will raise the temperature in an ongoing "cyberwar" between the west and China, which has been steadily rising since the Pentagon and MI6 uncovered "Titan Rain", a scheme that tried to siphon data from the Pentagon and the House of Commons in 2006, which one security expert said at the time dated back at least to 2004.

Ferguson suggested that western governments are also carrying out attacks against Chinese targets, "but that's not a culture which would open up about being hit. I would be surprised and disappointed if most western nations don't have a cybersecurity force."

The Stuxnet virus which hit Iran's uranium reprocessing plant in 2010 is believed to have been written jointly by the US and Israel, while Iranian sources are believed to have hacked companies which issue email security certificates so that they could crack secure connections used by Iranian dissidents on Google's Gmail system. China is also reckoned to have been behind the hacking of Google's email servers in that country in late 2009, which files from Wikileaks suggested was government-inspired.

Version 2 (about 1 hour later)

China 'aiding hacker attacks on west'

The Chinese army has launched hundreds of cyber-attacks against western companies and defence groups from a nondescript office building in Shanghai, according to a new report that warns hackers have stolen vast amounts of data from their targets.

Mandiant, a security company that has been investigating attacks against western organisations for over six years, said in a report (PDF) the attacks came from a 12-storey building belonging to the People's Liberation Army (PLA) general staff's department, also known as Unit 61398.

Mandiant said it believed a hacking network named the Comment Crew or the Shanghai Group was based inside the compound, in a rundown residential neighbourhood. Although the report fails to directly place the hackers inside the building, it argues there is no other logical reason why so many attacks have emanated from such a small area.

"It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively," said the report.

The discovery will further raise the temperature in the intergovernmental cyberwars, which have heated up in recent years as the US, Israel, Iran, China and UK have all used computer subterfuge to undermine rival state or terrorist organisations. One security expert warned that companies in high-profile fields should assume they will be targeted and hacked, and build systems that will fence sensitive data off from each other.

Rik Ferguson, global vice-president of security research at the data security company Trend Micro, said: "We need to concentrate less on building castles and assuming they will be imper[meable], and more on building better dungeons so that when people get in they can't get anything else."

Mandiant says Unit 61398 could house "hundreds or thousands" of people and has military-grade, high-speed fibre-optic connections from China Mobile, the world's largest telecoms carrier. "The nature of Unit 61398's work is considered by China to be a state secret; however, we believe it engages in harmful computer network operations," Mandiant said in the report.

It said Unit 61398 had been operating since 2006, and was one of the most prolific hacking groups "in terms of quantity of information stolen". This it estimated at hundreds of terabytes, enough for thousands of 3D designs and blueprints.

"APT1", as Mandiant calls it, is only one of 20 groups Mandiant says has carried out scores of hacking attacks against businesses and organisations in the west, including companies that work in strategic industries such as US power and water infrastructure.

A typical attack would leave software that hid its presence from the user or administrator and silently siphoned data to a remote server elsewhere on the internet at the instruction of a separate "command and control" (C&C) computer. By analysing the hidden software, the pattern of connections and links from the C&C server, the team at Mandiant said it was confident of the source of the threat.

A Chinese foreign ministry spokesman denied the government was behind the attacks, saying: "Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable. Arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue."

But Ferguson told the Guardian: "This is a pretty compelling report, with evidence collected over a prolonged period of time. It points very strongly to marked Chinese involvement."

Mandiant, based in Alexandria, Virginia, in the US, investigated the New York Times break-in, for which it suggested Chinese sources could be to blame.

President Obama is already beefing up US security, introducing an executive order in his State of the Union speech earlier in February that would let the government work with the private sector to fend off hacking. But that will take until February 2014 to have a final version ready for implementation.

The revelation comes just days after the New York Times, Wall Street Journal and Washington Post, as well as the social networks Facebook and Twitter, said they had been subjected to "highly sophisticated" hacks that in some cases focused on correspondents writing about China and its government.

Separate investigations by the computer company Dell, working with the news company Bloomberg, tracked down another alleged hacker, Zhang Changhe, who had written a number of papers on PC hacking. Zhang works at the PLA's "information engineering university" in Zhengzhou, in Henan province, in north-central China.

The allegations will raise the temperature in the continuing "cyberwar" between the west and China, which has been steadily rising since the Pentagon and MI6 uncovered Titan Rain, a scheme that tried to siphon data from the Pentagon and the House of Commons in 2006, and which one security expert said at the time dated back at least to 2004.

Ferguson suggested that western governments were also carrying out attacks against Chinese targets, "but that's not a culture which would open up about being hit. I would be surprised and disappointed if most western nations don't have a cybersecurity force."

The Stuxnet virus, which hit Iran's uranium reprocessing plant in 2010, is believed to have been written jointly by the US and Israel, while Iranian sources are believed to have hacked companies that issue email security certificates so that they can crack secure connections used by Iranian dissidents on Google's Gmail system. China is also reckoned to have been behind the hacking of Google's email servers in that country in late 2009, in an operation files from Wikileaks suggested was inspired by the Beijing government.
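The attack pattern the article describes, a hidden implant that quietly calls out to a command-and-control server, is most often caught on the defender's side by looking at the regularity of those outbound connections rather than at the implant itself. The following is an added example, not code from the Guardian article or from Mandiant's report: a small Python beaconing detector run over constructed proxy log lines (the client addresses, host names, timestamps and byte counts are all invented). It groups connections by client and destination and flags pairs whose inter-connection intervals and request sizes barely vary, which is what a scheduled check-in looks like next to a person browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic), one connection per line:
#   <ISO timestamp> <client_ip> <destination_host> <bytes_out>
# Client 10.1.4.22 talks to "updates.example-cdn.test" every five minutes with
# near-identical request sizes; client 10.1.4.23 browses a news site irregularly.
SAMPLE_LOG = """\
2013-02-18T09:00:00 10.1.4.22 updates.example-cdn.test 412
2013-02-18T09:00:05 10.1.4.22 intranet.example.test 1200
2013-02-18T09:05:00 10.1.4.22 updates.example-cdn.test 415
2013-02-18T09:07:31 10.1.4.22 news.example.test 7300
2013-02-18T09:10:01 10.1.4.22 updates.example-cdn.test 410
2013-02-18T09:15:00 10.1.4.22 updates.example-cdn.test 418
2013-02-18T09:20:00 10.1.4.22 updates.example-cdn.test 411
2013-02-18T09:01:10 10.1.4.23 news.example.test 5100
2013-02-18T09:09:44 10.1.4.23 news.example.test 6200
2013-02-18T09:31:02 10.1.4.23 news.example.test 4800
2013-02-18T09:33:15 10.1.4.23 news.example.test 9000
2013-02-18T09:48:50 10.1.4.23 news.example.test 5300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log text into (timestamp, client, destination, bytes_out) tuples.

    Malformed lines are skipped rather than aborting the whole run, since a
    detector that dies on one odd line is easy to blind."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def beacon_scores(events, min_connections=4):
    """Per (client, destination) pair with enough connections, return
    (mean gap in seconds, coefficient of variation of the gaps,
     relative spread of bytes_out).

    A low coefficient of variation means the connections are evenly
    spaced; a low size spread means every request looks the same."""
    by_pair = defaultdict(list)
    for ts, client, dest, nbytes in events:
        by_pair[(client, dest)].append((ts, nbytes))

    scores = {}
    for pair, items in by_pair.items():
        if len(items) < min_connections:
            continue  # too few samples to say anything about periodicity
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        sizes = [n for _, n in items]
        mean_gap = mean(gaps)
        cv = pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        size_spread = (max(sizes) - min(sizes)) / mean(sizes)
        scores[pair] = (mean_gap, cv, size_spread)
    return scores


def find_beacons(events, max_cv=0.1, max_size_spread=0.2, min_connections=4):
    """Return the (client, destination) pairs whose timing and sizes are
    regular enough to warrant a look. Thresholds are illustrative."""
    return sorted(
        pair
        for pair, (_, cv, spread) in beacon_scores(events, min_connections).items()
        if cv <= max_cv and spread <= max_size_spread
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for pair, (gap, cv, spread) in sorted(beacon_scores(evts).items()):
        print(f"{pair[0]} -> {pair[1]}: mean gap {gap:.0f}s, cv {cv:.3f}, size spread {spread:.2f}")
    print("suspected beacons:", find_beacons(evts))
```

The thresholds are a starting point, not a verdict: legitimate software updaters and monitoring agents also check in on a fixed schedule, so a hit is a reason to compare the destination against an allow-list and pull the endpoint's process list, not an alert on its own. The byte-count check is there because a stalled implant waiting for tasking tends to send the same small request every time, which separates it from a user refreshing a page at roughly regular intervals.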
A timeline of government-sponsored hacking attacks (identical in both versions)

2004 suspected: Chinese group in Shanghai begins probing US companies and military targets.

2005: "Titan Rain" pulls data from the Pentagon's systems, and a specialist says of a December 2005 attack on the House of Commons computer system that "The degree of sophistication was extremely high. They were very clever programmers."

2007: Estonia's government and other internet services are knocked offline by a coordinated attack from more than a million computers around the world, reckoned to have been run by a group acting at the urging of the Russian government. Nobody is ever arrested over the attack.

2008: Russia's government is suspected of carrying out a cyberattack to knock out government and other websites inside Georgia, with which it is fighting a border skirmish over the territory of Ossetia.

December 2009: Google's email systems in China are hacked by a group which tries to identify and take over the accounts of Chinese dissidents. Google withdraws its search engine from the Chinese mainland in protest at the actions. Wikileaks cables suggest that the Chinese government was aware of the hacking.

2010: The Flame virus begins silently infecting computers in Iran. It incorporates cutting-edge cryptography breakthroughs which would require world-class experts to write. That is then used to infect Windows PCs via the Windows Update mechanism, which normally creates a cryptographically secure link to Microsoft. Instead, Flame installs software that watches every keystroke and frame on the PC. Analysts say that only a "wealthy" nation state could have written the virus, which breaks new ground in encryption.

The Stuxnet worm is discovered to have been affecting systems inside Iran's uranium reprocessing establishment, passing from Windows PCs to the industrial systems which control centrifuges that separate out heavier uranium. The worm makes the centrifuges spin out of control, while suggesting on their control panel that they are operating normally, and so breaks them. Iran denies that the attack has affected its project. The US and Israel are later fingered as being behind the code.

September 2011: a new virus that silently captures data from transactions in Middle Eastern online banking is unleashed. The principal targets use Lebanese banks. It is not identified until August 2012, when Russian security company Kaspersky discovers the name "Gauss" embedded inside it. The company says the malware is "nation state-sponsored", probably by a western state seeking to trace transactions by specific targets.

2012: About 30,000 Windows PCs at Saudi Aramco, the world's most valuable company, are rendered unusable after a virus called "Shamoon" wipes and corrupts data and the part of the hard drive needed to "bootstrap" the machine when it is turned on. In the US, Secretary of Defense Leon Panetta described Shamoon as "one of the most destructive viruses ever" and suggested it could be used to launch an attack as destructive as the 9/11 attacks of 2001.