Alaska News

Meet Zhang. He hacks for Beijing.

HONG KONG — These days, any conversation about hacking and cyber warfare inevitably has to turn to China.

The People's Republic is, by just about any measure, home to the world's most relentless, prolific and successful hackers in the world. More cyber-attack traffic comes from China than any other country: over 40 percent of the world total in the last quarter of 2012, according to a new report by Akamai Technologies (Disclosure: Paul Sagan, Akamai's executive vice chairman, is one of GlobalPost's investors).

And when it comes to spying, China's preponderance is even more striking. Verizon estimates that 96 percent of all cyber-espionage intrusions in 2012 had Chinese hackers behind them, possibly making them "the most active source of national and industrial espionage in the world today." Their alleged targets have ranged from Coca Cola and Google to journalists, human-rights lawyers, air-traffic control systems and the Pentagon.

To many, hackers are a nuisance who clutter their inboxes with poorly crafted spam, but to the US economy, according to Greg Autry of the Coalition for a Prosperous America, it's a $400 billion problem. The crisis is so great that the White House has begun speaking out publicly against the attacks.

When chairman of the US Joint Chiefs of Staff Martin Dempsey visited Beijing in April, he discussed the matter with Fang Fenghui, chairman of the People's Liberation Army General Staff. While Fang denied that China was hacking the US, he stressed the gravity of the issue by saying that cyber-attacks could have consequences "no less serious than a nuclear bomb."

In early May, the Pentagon upped the tension, explicitly accusing the Chinese government of cyber espionage targeting US government computers. "China is using its computer network exploitation capability to support intelligence collection against the US diplomatic, economic and defense industrial base sectors," a Pentagon report noted.

Chinese officials have long maintained that Beijing has no connection to cyber-espionage, despite mounting evidence to the contrary. Moreover, they argue — with some justice — that they are also victims of cyber-assault.

ADVERTISEMENT

But who are the hackers behind this threat? Are they quasi-anarchist mobs like Anonymous? Organized crime rings? Or just tech-savvy kids with too much free time?

The answer, according to several anti-malware researchers consulted for this article, is none of the above.

While many details remain unknown, security experts are convinced that China's most persistent, diligent hackers are inextricably connected to the military and government. And though Beijing denies they exist, the hackers' sloppiness — or indifference — has allowed researchers to uncover some of their individual names and identities.

A spate of new reports and discoveries by cyber security firms paint a strikingly detailed composite portrait of some of the individuals behind these attacks.

Here's a guide.

How many are there?

Estimates of the number of state-sponsored hackers in China range from hundreds to thousands, given the volume of sustained attacks and the amount of support staff that would be needed to maintain servers and technical infrastructure.

Joe Stewart, director of malware research at Dell SecureWorks, tracks tens of thousands of websites that have been taken over by Chinese hackers. These websites are used by hackers to communicate with machines infected with their malware.

How sophisticated are they?

"Not very," says Stewart. Compared to mafia hackers in Russia and the Ukraine, Chinese hackers tend to use simpler techniques, he says, and make less of an effort to cover their tracks.

Their primary tactic for penetrating systems is phishing — sending targets malware-filled emails that pretend to be from a trusted colleague or partner. Though simple, it's undeniably effective. According to the latest Verizon report, this trick is used in 95 percent of state-sponsored espionage attacks. Chinese actors have become particularly ingenious at crafting plausible-sounding emails and attachments. In fact, after Mandiant released its report tying hackers in Shanghai to the People's Liberation Army, a fake copy of the report was filled with malware and sent to Japanese reporters.

"Their tools and techniques are not sophisticated but they are very persistent when it comes to targets," says Cyb3rsleuth, an India-based anti-malware researcher. "[Chinese hackers] are focused. They are best in the business when it comes to hacking."

What's their goal?

Unlike Russian criminal syndicates, Chinese groups are not so interested in your credit-card numbers or PayPal password. Their target is information: weapon designs, chemical formulas, product blueprints, negotiating strategies, private emails. They feed this information not only to the military or government, but also to Chinese firms that might profit from it. This, in addition to sheer scale, is what makes China's hackers different. While all governments spy, China's is unique for the degree to which it systemically raids private companies for industrial advantage.

The other main goal is security and intimidation. Chinese hackers have been found to target law firms, media organizations, and human-rights groups that deal with "sensitive" issues like Tibet, Taiwan and political dissidents.

What sort of life is it?

Those who track them say that for China's most active groups, hacking is less a secret hobby than a 9-to-5 desk job. The servers used to host malware switch on around 7:00 or 8:00 in the morning, Beijing time, and turn off around 6:00 p.m. During China's two major holiday weeks, Stewart says, the hacking activity typically ceases.

ADVERTISEMENT

Like any American office drones, they also have their complaints.

One hacker named Wang whose blog was uncovered by the Los Angeles Times wrote about a litany of grievances. The office was located in one of "the most remote areas of the city." His boss wanted him to improve his English, but forbade him from reading foreign media. His manager hovered over his shoulder early in the mornings. "Fate has made me feel that I am imprisoned," he wrote. "I want to escape."

And like any white-collar worker, of course, he also slacked off. One day, Wang wrote that he "didn't do much" and went for a swim in the afternoon. "As far as work goes, if you master it to a degree, as long as you don't get on the wrong side of the boss, it's okay."

Who are they?

Perhaps the best authority on this subject is the India-based intelligence researcher who goes by the pseudonym Cyb3rsleuth. While the American firms who track Chinese hackers usually stop at the point of identifying individuals, Cyb3rsleuth goes the extra step in tracking them on social media sites and Internet forums in order to gain a clearer picture of who these hackers are.

To date, he has tracked some 10 individual Chinese hackers, and he shared his insights with Global Post last week.

The one he discovered the most about is Zhang Changhe, 33, whom Cyb3rsleuth describes as an "assistant professor" at the People's Liberation Army Information Engineering University. Zhang is married with a child, and Cyb3rsleuth has pictures from his blog on QQ, a popular chat site in China.

The images show a man posing with a woman at a pagoda and visiting a pebble beach. In addition to work related to hacking, Zhang also has side businesses selling mobile phones offline and offering to (illicitly) boost businesses' Facebook "likes" and Twitter followers. Zhang describes himself as a Buddhist, and kept a blog where he reflected on how he had broken the precepts of his faith, confessing that he "continuously and shamelessly stole" in the previous year, according to a translation by Bloomberg.

ADVERTISEMENT

Connections to academia are a common theme among the exposed hackers. Cyb3sleuth found that another of his targets, named Mei Quang, had co-authored two academic papers in 2007 and 2008 about hacking techniques. Wang, the hacker whose blog the LA Times exposed, also authored academic papers while a student at the PLA Information Engineering University — that is, when he wasn't watching NBA games or pining for a girlfriend.

The increasing exposure of Chinese hackers may bring unwanted publicity (Cyb3rsleuth says that several hackers have taken down their profiles after he featured them on his blog), but it's unclear if there are any real consequences.

"I am pretty sure my blog is being watched by China," he says. "I keep getting attachments from unknown people."

How do they get into hacking?

Some are drawn by patriotism, others by job listingsand still others by college recruitment. After Mandiant published its February report claiming to expose the PLA's Shanghai-based cyber-hacking Unit 61398, Chinese netizens found a recruiting ad for the group posted at Zhejiang University's website. It read:

"The graduate school has received notice that unit 61398 of China's People's Liberation Army (located in Pudong district, Shanghai) seeks to recruit 2003-class computer science graduate students. Students who sign the service contract will receive a 5,000 yuan per year national defence scholarship. After graduation, students will work in the same field within the PLA."

Who are they targeting?

Well, you could say that just about any company, think tank, university, government agency or non-governmental organization with valuable intellectual property is a potential target.

More precisely, Adam Meyers, director of intelligence at digital security company CrowdStrike, says that different China-based groups have different targets. The group he calls SamuraiPanda infiltrates banking, aerospace, and chemical companies based in other Asian countries. The AnchorPanda group aims for maritime targets close to the PLA Navy's South Sea Fleet, and for American or European companies with valuable maritime technology. NumberedPanda goes after time-sensitive intelligence, such as information on Japan's Fukushima cleanup operations.

In its most recent report on threats, Dell SecureWorks found that an American defense contractor and energy company were attacked, along with a major university involved in military research. The amount of data lost is unknown.

What can be done?

Private companies can do plenty to boost their defenses, but when it comes to deterring Chinese hackers entirely, Joe Stewart says, "I'm not optimistic." As long as America's companies have more advanced technology, there will be someone — whether government-sponsored or privately hired — who will try to steal it.

But that doesn't mean hacking targets are helpless; they just need to get savvier. In a recent report, Stewart underscored how important for hacking victims to speak out: "As an Internet community, we must make a collaborative effort to share information with their colleagues as a collective measure against attacks," he wrote. "If we don't, then we will surely see continued success by these highly organized and motivated APT [i.e. Chinese espionage] hacker groups."

ADVERTISEMENT