Tag Archives: cyberwar China

How to Create Panic? China’s Typhoons

Leave a reply

Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in 2024 in pursuit of sensitive information…The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing’s massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.

In Salt Typhoon, the actors linked to China burrowed into America’s broadband networks. In this type of intrusion, bad actors aim to establish a foothold within the infrastructure of cable and broadband providers that would allow them to access data stored by telecommunications companies or launch a damaging cyberattack…Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet, according to people familiar with the matter. Microsoft is investigating the intrusion and what sensitive information may have been accessed, people familiar with the matter said.

China has made a practice of gaining access to internet-service providers around the world. But if hackers gained access to service providers’ core routers, it would leave them in a powerful position to steal information, redirect internet traffic, install malicious software or pivot to new attacks.

In September 2024, U.S. officials said they had disrupted a network of more than 200,000 routers, cameras and other internet-connected consumer devices that served as an entry point into U.S. networks for a China-based hacking group called Flax Typhoon. And in January 2024, federal officials disrupted Volt Typhoon, yet another China-linked campaign that has sought to quietly infiltrate a swath of U.S. critical infrastructure. “The cyber threat posed by the Chinese government is massive,” said Christopher Wray, the Federal Bureau of Investigation’s director, speaking earlier this year at a security conference in Germany. “China’s hacking program is larger than that of every other major nation, combined.”

U.S. security officials allege that Beijing has tried and at times succeeded in burrowing deep into U.S. critical infrastructure networks ranging from water-treatment systems to airports and oil and gas pipelines. Top Biden administration officials have issued public warnings over the past year that China’s actions could threaten American lives and are intended to cause societal panic. The hackers could also disrupt the U.S.’s ability to mobilize support for Taiwan in the event that Chinese leader Xi Jinping orders his military to invade the island….

Excerpts from Sarah Krouse et al., China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack, WSJ, Sept. 26, 2024

Delete America: China’s Document 79

Leave a reply

A 2022 Chinese government directive aims to get US technology out of China—an effort some refer to as “Delete A,” for Delete America.  Document 79 was so sensitive that high-ranking officials and executives were only shown the order and weren’t allowed to make copies… It requires state-owned companies in finance, energy and other sectors to replace foreign software in their IT systems by 2027. 

American tech giants had long thrived in China as they hot-wired the country’s meteoric industrial rise with computers, operating systems and software. Chinese leaders want to sever that relationship, driven by a push for self-sufficiency and concerns over the country’s long-term security…Document 79, named for the numbering on the paper, targets companies that provide software—enabling daily business operations from basic office tools to supply-chain management. The likes of  Microsoft  and Oracle are losing ground in China

Excerpts from Liza Lin, China Intensifies Push to ‘Delete America’ From Its Technology, Mar. 7, 2024

Cars as a National Security Risk: Tesla v. BYD

Leave a reply

In February 2024, President Biden ordered the Commerce Department to open an investigation into foreign-made software in cars, citing Chinese technology as a potential national-security risk. Chinese efforts to dominate the global auto industry posed clear security risks to the U.S. “Connected vehicles from China could collect sensitive data about our citizens and our infrastructure and send this data back to the People’s Republic of China,” Biden said in a statement. “These vehicles could be remotely accessed or disabled.”

The Biden administration has been trying to reduce the U.S. auto industry’s reliance on China, including using tax credits to boost electric-vehicle sales and pushing automakers away from Chinese suppliers. China became the world’s biggest auto exporter, shipping an estimated 5.26 million domestically made vehicles overseas, according to the China Passenger Car Association. Part of that growth came in the electric-vehicle market, where the country sold more than one million China-made EVs overseas.

Tesla Chief Executive Elon Musk has said Chinese car companies have already had much success outside of China and that they are now the “most competitive” globally.  “If there are not trade barriers established, they will pretty much demolish most other car companies in the world,” Musk said during Tesla’s earnings call in January 2024.

The Chinese government has also raised national-security concerns about Western-designed cars sold to its own citizens, saying they could be used for gathering data and information. In 2021, China restricted the use of Tesla vehicles by military staff and employees of key state-owned companies, saying the car’s cameras record images constantly and obtain data, including when, how and where the vehicles are used.

Excerpts from Gareth Vipers, Chinese Automakers Pose U.S. National-Security Threat, Biden Says, WSJ, Feb. 29, 2024

Sinophobia or Rational Paranoia: the Cranes

Leave a reply

The Biden administration plans to invest billions in 2024 in the domestic manufacturing of cargo cranes, seeking to counter fears that the prevalent use of China-built cranes with advanced software at many U.S. ports poses a potential national-security risk. The move is part of a set of actions taken by the administration that is intended to improve maritime cybersecurity….Administration officials said more than $20 billion would be invested in port security, including domestic cargo-crane production, over the next five years. The money, tapped from the $1 trillion bipartisan infrastructure bill passed in 2021, would support a U.S. subsidiary of  Mitsui, a Japanese company, to produce the cranes, which officials said would be the first time in 30 years that they would be built domestically.

Cranes at some ports used by the U.S. military were flagged as surveillance threats. Officials also raised the concern that the software on the cranes could be manipulated by China to impede American shipping or, worse, temporarily disrupt the operation of the crane.  “By design these cranes may be controlled, serviced and programmed from remote locations,” said Rear Adm. John Vann, who leads the Coast Guard cyber command, during a press briefing….

The U.S. military has been concerned about the cranes for years and has made efforts to skirt ports with the China-made cranes as best as possible, according to the senior U.S. military commander who oversees the military’s logistics operations.The Chinese can track the origin, destination and other data of the U.S. military’s containerized materiel to determine exactly where the military is shipping it, Cranes made by China-based ZPMC contain sensors that can register and track the origin and destination of containers…

China’s military doctrine gives priority to targeting “systems that move enemy troops,” including harbors and airports, Craig Singleton, a senior fellow at the Foundation for Defense of Democracies, a Washington think tank, said during congressional testimony in February 2023…“Increasingly, the Chinese are not merely seeking access to our networks; they are pre-emptively positioning to compromise and control them,” Singleton said in his testimony. “As a result, China is poised to impede the mobilization of American military forces, foment a state of disarray, and redirect national attention and resources in both war and short-of-war scenarios.”

Excerpts from Dustin Volz, U.S. to Invest Billions to Replace China-Made Cranes at Nation’s Ports, WSJ, Feb. 21, 2024

The Under-Our-Noses Nasty Wars

Leave a reply

Christopher Wray warned in February 2023 that Beijing’s efforts to covertly plant offensive malware inside U.S. critical infrastructure networks is now at “a scale greater than we’d seen before,” an issue he has deemed a defining national security threat. Citing Volt Typhoon, the name given to the Chinese hacking network that was revealed in 2023 to be lying dormant inside U.S. critical infrastructure, Wray said Beijing-backed actors were pre-positioning malware that could be triggered at any moment to disrupt U.S. critical infrastructure. Officials have grown particularly alarmed at Beijing’s interest in infiltrating U.S. critical infrastructure networks, planting malware inside U.S. computer systems responsible for everything from safe drinking water to aviation traffic so it could detonate, at a moment’s notice, damaging cyberattacks during a conflict.

The Netherlands’ spy agencies said in February 2024 that Chinese hackers had used malware to gain access to a Dutch military network in 2023. The agency, considered to have one of Europe’s top cyber capabilities, said it made the rare disclosure to show the scale of the threat and reduce the stigma of being targeted so allied governments can better pool knowledge.

A report released in February 2024 by agencies including the FBI, the Cybersecurity and Infrastructure Agency and the National Security Agency said Volt Typhoon hackers had maintained access in some U.S. networks for five or more years, and while it targeted only U.S. infrastructure directly, the infiltration was likely to have affected “Five Eyes” allies…

Excerpts from  Joe Parkinson, BI Director Says China Cyberattacks on U.S. Infrastructure Now at Unprecedented Scale, WSJ, Feb. 19, 2024

Invisible CyberAttack: Volt Typhoon

Leave a reply

Cybersecurity agencies in the U.S., the U.K., Canada, Australia and New Zealand—an intelligence-sharing group of countries known as the Five Eyes—said a Chinese state-sponsored actor is employing a tactic known as “living off the land,” which involves using built-in network administration tools to gain access to systems. The activity blends in with normal Windows system activities, allowing the actor to evade detection. The campaign is impacting communications, manufacturing, transportation, maritime and other sectors in parts of the U.S. and Guam, the American territory that hosts major military installations in the Pacific, according to a blog post from Microsoft, publisher of the Windows operating system. The tech giant said the Chinese actor, known as Volt Typhoon, is pursuing capabilities that could disrupt communication infrastructure between the U.S. and Asia in a future crisis.

China has consistently denied carrying out cyberattacks and has accused the U.S. of being the biggest culprit of such efforts…By gaining access to a system through the “living off the land” approach—and maintaining that access while remaining undetected—hackers can glean intelligence about how the system operates. It could also give them the ability to disrupt the system later with no warning—though the intent could just be information gathering…

Excerpts from Mike Cherney and Austin Ramzy, Hack Hurts Bid for Beijing Reset, WSJ, May 26, 2023

Cyberwar: government hackers

Leave a reply

The mysterious hacking group that supplied a critical component of the WannaCry “ransomware” software attack that spread across the globe in mid-May 2017 has been releasing alleged National Security Agency secrets for the past eight months.  Former intelligence officials now fear that the hackers, who go by the name Shadow Brokers, are taking a new tack: exposing the identities of the NSA’s computer-hacking team. That potentially could subject these government experts to charges when traveling abroad.

The Shadow Brokers on April 14, 2017 posted on a Russian computer file-sharing site what they said were NSA files containing previously unknown attack tools and details of an alleged NSA hack affecting Middle Eastern and Panamanian financial institutions.

But something went largely unnoticed outside the intelligence community. Buried in the files’ “metadata”—a hidden area that typically lists a file’s creators and editors—were four names. It isn’t clear whether the names were published intentionally or whether the files were doctored. At least one person named in the metadata worked for the NSA, a person familiar with the matter said.  Additionally, the hacking group in April, 2017 sent several public tweets that seemingly threatened to expose the activities of a fifth person, former NSA employee Jake Williams, who had written a blog post speculating the group has ties to Russia… Security experts who have examined the documents believe they contain legitimate information, including code that can be used in hacks, as well as the names of the files’ creators and editors.

Because nation-state hackers might run afoul of other countries’ laws while discharging their duties, they could, if identified, face charges when outside their country. So, to keep their own people safe, governments for decades have abided by a “gentleman’s agreement” that allows government-backed hackers to operate in anonymity, former intelligence officials say….

Some former intelligence officials suggested the U.S. prompted the outing of state-sponsored hackers when it indicted five Chinese military hackers by name in 2014, and more recently brought charges against two officers with Russia’s Federal Security Service over a 2014 Yahoo Inc. breach.  By exposing cyberagents, the Shadow Brokers appear to be taking a page from the U.S. playbook, said Mr. Williams, who worked for the NSA’s Tailored Access Operations hacking group until 2013. An NSA spokesman said the agency doesn’t comment about “most individuals’ possible current, past or future employment with the agency.”  “We’ve fired first,” Mr. Williams said, referring to the U.S. charging the alleged Chinese hackers by name. “This is us taking flak.”…

The documents revealed jealously guarded tactics and techniques the NSA uses to access computer systems…For example, the files include source code for software designed to give its creators remote access to hacked machines, and to evade detection from antivirus software. If the code was created by the NSA, it now gives security professionals a digital fingerprint they can use to track the NSA’s activities prior to the leak.

That could prove disruptive to NSA activities, forcing the agency to consider pulling its software from others’ networks and taking other steps to erase its tracks. And while the information could help companies determine whether they have been hacked by the NSA, it could also be used to create more malicious software. The Shadow Brokers tools, for example, are now being used to install malicious software such as WannaCry on corporate networks.

Mr. Williams initially thought the Shadow Brokers had access only to a limited set of NSA tools. His assessment changed after three tweets directed at him April 9, 2017 included terms suggesting the group had “a lot of operational data or at least operational insight” into his work at the NSA, he said.  The tweets, which are public, are cryptic. They express displeasure over an article Mr. Williams wrote attempting to link the Shadow Brokers to Russia. They also mention apparent software code names, including “OddJob” and “Windows BITS persistence.”…..OddJob is a reference to software released by the Shadow Brokers five days after the tweets. “Windows BITS persistence” is a term whose meaning isn’t publicly known.

Excerpts from In Modern Cyber War, the Spies Can Become Targets, Too, Wall Street Journal, May 25, 2017