Many experts believe that the Chinese government is responsible for an ongoing campaign of cyber espionage that targets US government agencies and private defense contractors.
The US government and the cyber security community are debating China’s role in an ongoing campaign of cyber attacks. It is widely believed that cyber attacks began as early as 2003 and have targeted US government agencies and private defense contractors. The goal of these attacks has been to steal intellectual property and sensitive government information.
Selected Attacks
In particular, a sampling of the targets of these attacks include the US Army Information Systems Engineering Command at Fort Huachuca, Arizona; the Defense Information Systems Agency in Arlington, Virginia; and the Naval Ocean Systems Center and the United States Army Space and Strategic Defense installation in Huntsville, Alabama (source).
In addition, in July 2006, around the time of the North Korean missile tests, the US Department of State suffered ‘large-scale’ intrusions of its unclassified computer network. These intrusions appeared to have targeted the Bureau of East Asian and Pacific Affairs and were believed to have originated in China.
The US government was not the only target of this type of electronic espionage. According to MessageLabs, an email security software vendor, on January 2, 2006, an attack exploiting the Windows Metafile (WMF) vulnerability targeted the British Parliament (source). These attacks, too, were traced back to servers in China (source).
Methods of Attack
In many instances, these attacks were carried out through the use of zero-day exploits, which are released prior to or on the same day as the vendor patch. Many of the recent Microsoft Office zero-day exploits appear to have been created in China and were used in targeted attacks on private companies (source). In some cases, these exploits install trojan horses onto the targeted computers and siphon off sensitive data. Many of these trojans ship data to servers hosted in China (source).
Is China Responsible?
LURHQ, a security management firm, analyzed one of the trojans used in this suspected espionage campaign. Once installed, the Myfip.B trojan steals .pdf, .doc, AutoCAD documents, CirCAD documents, and Access database files (source). These types of documents can hold much of a company’s intellectual property or a government agency’s sensitive information. According to Joe Stewart, senior security researcher at LURHQ, all the IP addresses associated with the attack, from the originating mail hosts that initiated the attack to the servers where the stolen documents were uploaded, are hosted in China (source).
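As an added defender-side example (not from the article or from LURHQ's analysis), the script below scans constructed outbound proxy log lines for the document types the Myfip.B write-up lists being posted to external hosts, so that a run of such uploads to one destination stands out. The log format, the internal host-naming convention, and the .dwg/.mdb extensions for the AutoCAD and Access formats are assumptions; CirCAD is left out because the page gives no extension for it.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Document types the article says Myfip.B collects. .dwg (AutoCAD) and
# .mdb (Access) are assumed on-disk formats; CirCAD is omitted because
# the page gives no file extension for it.
TARGET_EXT = (".pdf", ".doc", ".dwg", ".mdb")

# Constructed sample lines: "<epoch> <src_ip> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
1152000001 10.1.4.22 GET http://intranet.example.local/news.html 512
1152000002 10.1.4.22 POST http://203.0.113.7/up.php?f=budget.doc 48213
1152000003 10.1.4.22 POST http://203.0.113.7/up.php?f=specs.pdf 130444
1152000004 10.1.4.23 GET http://www.example.org/sheet.dwg 0
1152000005 10.1.4.22 POST http://203.0.113.7/up.php?f=plant.dwg 991022
1152000006 10.1.4.31 POST http://files.example.local/share?f=memo.doc 2048
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")

def is_internal(host):
    # Assumed corporate convention: .local names and 10/8 are inside.
    return host.endswith(".local") or host.startswith("10.")

def find_document_exfil(log_text, min_docs=2):
    """Return {external_host: [doc names]} for hosts that received at least
    min_docs outbound POSTs carrying Myfip.B-style document types."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _src, method, url, sent = m.groups()
        if method != "POST" or int(sent) == 0:
            continue  # only outbound transfers with a body matter here
        parts = urlsplit(url)
        if is_internal(parts.hostname or ""):
            continue
        # The filename may be a query value or the last path segment.
        names = [v for vals in parse_qs(parts.query).values() for v in vals]
        names.append(parts.path.rsplit("/", 1)[-1])
        for name in names:
            if name.lower().endswith(TARGET_EXT):
                uploads[parts.hostname].append(name)
                break
    return {h: docs for h, docs in uploads.items() if len(docs) >= min_docs}

if __name__ == "__main__":
    for host, docs in find_document_exfil(SAMPLE_LOG).items():
        print(f"possible document exfiltration to {host}: {docs}")
```

Feeding real proxy logs into the same function is mainly a matter of adjusting LINE_RE and is_internal to the local format and address plan.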
Based on the above and other evidence, many security experts concluded that the Chinese People’s Liberation Army (PLA; Group Profile) is responsible for this campaign of attacks. According to Alan Paller, the director of the SANS Institute, “these attacks come from someone with intense discipline. No other organization could do this if they were not a military organization” (source). Paller further pointed out that the attackers “were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?” (source).
Other security experts point out that while the available evidence is convincing, it does not prove that the Chinese government is responsible for the attacks. One US government official said, “Is this an orchestrated campaign by PRC or just a bunch of disconnected hackers? We just can’t say at this point” (source). Even if these attacks were routed through China, it is possible that hackers not affiliated with the Chinese government hijacked vulnerable computers located in China to stage these attacks.
Conclusions
While identifying the source of these attacks is important, it is even more important for both government agencies and private companies to take cyber security seriously. Had the State Department not received an “F” for its 2005 computer security report card, the attack against its computer network might not have been so damaging. The private and public sectors must embrace a defense-in-depth strategy: the creation of multiple layers of defense that monitor not only the perimeter of the network but internal network operations as well, so that no single security failure can do serious damage on its own.