US hackers believed to have stolen substantial sensitive info: analysts
Using cyberspace weapons, a hacking organization affiliated with the US Central Intelligence Agency (CIA) has been attacking Chinese organizations for over a decade, including the aerospace sector, scientific research institutions, internet companies, the oil industry and government agencies, a report from a Chinese security company revealed on Tuesday.
Cybersecurity experts believe it's the first time that detailed evidence of US attacks against China has been disclosed extensively, which proves that the US is the real hacking empire. They are worried that US hackers may have stolen large amounts of sensitive data from China and suggested the Chinese government file a case against the CIA and relevant hackers.
A reputed "white hat" hacker told the Global Times Tuesday on condition of anonymity that, through big data analysis, the Chinese company compared the characteristics, targets and malicious code of a large number of cyberattack cases with the information leaked in "Vault7," the set of cyber weapons disclosed by WikiLeaks in 2017, which has high credibility.
Evidence points to CIA
By tracking and analyzing the leaked "Vault7," Chinese tech giant 360 Security Technology had discovered a series of attacks against China's aerospace, scientific research institutions, petroleum industry and large-scale internet companies by a hacking organization affiliated with the CIA.
Extensive evidence shows that the hacking group, APT-C-39, belongs to the CIA. The hacking was traced back to 2008, mainly targeting organizations in Beijing, Guangdong and Zhejiang provinces, the company said in a statement sent to the Global Times on Tuesday.
The tech company found that the CIA backed the hacking group, which mainly targeted system developers at China's aerospace and scientific research institutions, which provide aviation services such as flight control systems, freight information and passenger information services. Hundreds of overseas airlines have also fallen victim to the hacking group.
"By comparing the attacking samples in the network of victims with the CIA's exclusive cyber weapon Vault7, we found the proprietary technical details in them coincided or were exactly the same," 360 Security Technology told the Global Times in an exclusive interview.
Reports showed that these cyber weapons were developed by the CIA's research and development team for years and cost millions of dollars. Only those CIA personnel who have undergone strict scrutiny and management can use them, the technology company said.
"Based on targeted victims, we found CIA has breached these targets or may have acquired substantial confidential information on both domestic and international aviation," the company said.
Joshua Adam Schulte, a former CIA employee (Photo from blogs.360.cn)
360 Security Technology was able to identify the CIA and Vault7 thanks to Joshua Adam Schulte, a former CIA employee. Schulte was born in 1988 in Texas, worked as an intern at the NSA and joined the CIA in 2010. He was in charge of technology intelligence at the CIA's National Clandestine Service.
As a core member in developing CIA's many hacking tools and cyberspace weapons, Schulte participated in the development of Vault7. In 2016, Schulte used his administrator rights and backdoors to copy the Vault7 program and gave it to Wikileaks, which published related data in 2017 on its website.
Schulte was arrested and charged in 2018 by the US Department of Justice, and was prosecuted on February 4.
Schulte and these events provided evidence to 360 Security Technology, and Vault7, whose existence was confirmed by US prosecutors, became the breakthrough that confirmed APT-C-39 was affiliated with the CIA.
According to 360 Security Technology's research, APT-C-39 used many exclusive CIA cyber weapons like Fluxwire and Grasshopper against Chinese targets.
After comparing related code samples and behavior fingerprints, 360 Security Technology was able to confirm that these cyber weapons were the ones described in the Vault7 program.
A cybersecurity industry forum held in Beijing on December 9, 2019. Photo: CNS photo
360 Security Technology has monitored multiple Vault7 attacks on Chinese targets since 2010 through Vault7's Fluxwire backdoors. The monitoring results showed that APT-C-39 has been upgrading the cyber weapon and has frequently attacked Chinese targets since 2010.
360 Security Technology also found connections between some APT-C-39 cyber weapons and the NSA. In a cyberattack on a major Chinese internet company in 2011, APT-C-39 used WISTFULTOOL, an NSA attack plugin that was leaked in 2014.
According to alleged CIA documents released by Wikileaks, NSA supported the CIA in developing cyber weapons, which is additional proof that APT-C-39 is related to US intelligence agencies.
The compilation times of the attack samples are consistent with US Eastern Time, and the pattern of the group's frequent activity indicated that it had been operating from the US state of Virginia, where the CIA is located.
All of this evidence points to the conclusion that APT-C-39 is a US intelligence organization.
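The compile-time argument above rests on a standard attribution heuristic: read the build timestamp that the compiler leaves in each Windows executable, then check which time zone makes those timestamps fall on weekday working hours. The following Python is an added illustration of that analysis and is not code from 360 Security Technology or from the report; the PE headers and timestamps it analyzes are constructed inline for demonstration, the candidate zones use fixed UTC offsets (daylight-saving shifts are ignored), and the 09:00 to 18:00 working-hour window is an assumed parameter.

```python
"""Working-hours heuristic over PE compile timestamps (constructed example)."""
import struct
from datetime import datetime, timedelta, timezone


def parse_pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, pe_offset + 8)
    return timestamp


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header carrying the given TimeDateStamp (test data only)."""
    dos_header = bytearray(64)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew -> right after DOS header
    coff_header = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x102)
    return bytes(dos_header) + b"PE\0\0" + coff_header


# Assumed candidate zones as fixed offsets (no DST handling).
CANDIDATE_OFFSETS = {
    "US Eastern (UTC-5)": -5,
    "UTC": 0,
    "Moscow (UTC+3)": 3,
    "China (UTC+8)": 8,
}


def business_hours_score(timestamps, utc_offset_hours, start=9, end=18):
    """Fraction of timestamps that land on a weekday within [start, end) local time."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)


def rank_timezones(timestamps):
    """Candidate zones sorted by how well they explain the timestamps as office hours."""
    scores = {name: business_hours_score(timestamps, off)
              for name, off in CANDIDATE_OFFSETS.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample set: eight build times on weekdays in March 2016, given in UTC.
_UTC = timezone.utc
SAMPLE_TIMESTAMPS = [int(datetime(2016, 3, d, h, tzinfo=_UTC).timestamp())
                     for d, h in [(1, 13), (2, 14), (3, 15), (7, 16),
                                  (8, 18), (9, 19), (10, 20), (11, 22)]]
SAMPLE_BLOBS = [build_fake_pe(ts) for ts in SAMPLE_TIMESTAMPS]


def analyze_samples(blobs):
    """Parse each sample's compile time and rank the candidate zones."""
    return rank_timezones([parse_pe_timestamp(b) for b in blobs])


if __name__ == "__main__":
    for name, score in analyze_samples(SAMPLE_BLOBS):
        print(f"{name:20s} {score:.3f}")
```

On the constructed set, the UTC-5 hypothesis explains 7 of 8 builds as weekday office hours while UTC+8 explains none. In practice a single timestamp proves nothing, since build times can be forged or the field zeroed; the heuristic is only meaningful over many samples and alongside the code and infrastructure overlaps the report also cites.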
Foreign countries usually launch cyberattacks on government agencies, aerospace companies and other institutions by sending bulk "phishing" emails, which can contain exploit code and viruses. Once clicked, they may infect the organization's internal network and gain access to sensitive information, the "white hat" hacker said.
Using cyber weapons, the CIA could turn any device into a surveillance one, including Windows computers, Mac, Linux, iPhone, Android, video game consoles, routers and smart TVs. The CIA has even been able to hack cars, trucks and planes, Deng Huan, director of the security research institute at internet security firm Baimaohui in Beijing, told the Global Times Tuesday.
"The US has been claiming it is the victim of cyberattacks but evidence shows it has always been a habitual criminal," said Qin An, head of the Beijing-based Institute of China Cyberspace Strategy.
Qin called on the Chinese government to file a case against the CIA and relevant hackers.
Having attacked China for such a long time, the US takes the mindset of a world leader and assumes it can control cyberspace through hegemonic behavior, which should be despised by the world, Qin said.
During the continuous attacks over the years, those US hackers may have stolen large amounts of sensitive data and released huge amounts of malware onto the computer systems of Chinese institutes.
White-hat hackers work on attacking the Cyber Mimic Defense system on May 11. Photo: Courtesy to the Qiangwang International Elite Challenge
Frequent hacking source
Facts have shown that the US has been a frequent source of hacking.
In June 2019, the US called off a military strike against Iran but conducted cyberattacks instead, targeting multiple Iranian computer systems, the New York Times reported in June.
Former CIA director Mike Pompeo had boasted to an audience in April 2019 that CIA especially trains employees to "lie, cheat and steal."
The US has been trying to stigmatize China and curb China's influence in cyberspace by advocating the "China threat theory," which it has frequently invoked when trying to besiege Huawei and block Chinese technology, experts noted.
Huawei has accused the US government of attempting to break into its information systems and of using unscrupulous means to disrupt its business, the company said in a statement in September 2019.
Wu Qian, spokesperson of China's Ministry of National Defense, at a regular press conference held on Friday, said that it has been proven time and again that the US has been conducting large-scale, organized and indiscriminate cyber theft and surveillance activities against foreign governments, businesses and individuals. It is a real "hacking empire."
Wu's statement came after the US Department of Justice announced in February an indictment against four members of the Chinese People's Liberation Army on allegations of hacking Equifax, a credit reporting agency, and "stealing" private information of nearly 150 million US residents in 2017.
The world knows that the US side has an infamous record on cyber security issues. From WikiLeaks and Snowden revelations to the recent Crypto AG incident, the US has never been able to offer a proper explanation to the world, Wu said.
China's National Computer Network Emergency Response Technical Team (CNCERT) released an annual report in June 2019, suggesting that most of the cyberattacks targeting Chinese networks in 2018 were conducted by the US.