Cyber-attacks upon American computer networks, and the theft of massive amounts of information by means of cyber-espionage — both against private industry and against the U.S. government itself — are very much in the news of late, and the People’s Republic of China (PRC) is increasingly being fingered as the culprit.
Since the mid-2000s, Western cyber-security experts have been reporting a dramatic rise in cyber-attacks apparently originating in China, a phenomenon that has come to be known in such circles as the “advanced persistent threat” (APT). The office of the U.S. government’s National Counterintelligence Executive recently reported that “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.” China hardly has a monopoly on modern cyber-espionage against Western targets, but Chinese hackers are acquiring an unequaled notoriety for activity that ranges from garden-variety industrial espionage, to attacks on U.S. defense contractors and government entities, to intimidation and message-control games such as the cyber-attacks on the New York Times after it ran an embarrassing exposé of apparent corruption in the family of then-Chinese premier Wen Jiabao.
Because of the ease with which cyber-attackers can conceal their points of origin, however, it has always been difficult to “prove” what has nonetheless seemed ever more clear to cyber-security experts for several years — namely, that the Chinese government is itself responsible for much of the APT, directly orchestrating such attacks itself, enlisting cyber-“privateers” to invade Western networks on its behalf, or (more likely) doing both of these things. Officials in Beijing strenuously deny any such involvement, and have lately been trying to turn the rhetorical tables by playing to modern China’s well-nursed sense of historical victimization by alleging that a blameless China is in fact the innocent target of malevolent Western cyber-campaigns.
In the past couple of years, however, notwithstanding the difficulty of attributing the origin of attacks undertaken in cyberspace, cracks have been appearing in Beijing’s wall of denial. In 2011, the security company McAfee released a report detailing the results of its own efforts to trace a series of cyber assaults back to a command-and-control server in China, in a campaign that McAfee’s experts dubbed “Operation Shady RAT” (the “RAT” being the remote-access tool the intruders used).
Perhaps the most interesting thing about the Shady RAT episode is the window it seemed to provide into likely PRC state sponsorship of APT attacks. The McAfee team decorously declined to point fingers publicly in this regard, but having gained access to the attackers’ command-and-control server, the McAfee experts downloaded and published its logs of Shady RAT’s targets going back to mid-2006. The list is illuminating, for in addition to containing a good many of just the sort of potentially lucrative industrial espionage targets one would expect a freelance, organized-crime, or corporate cyber-spy to pursue, Shady RAT’s target list included a range of non-remunerative political targets of the sort only really likely to be attractive to the PRC regime itself.
Among these political targets, in the period leading up to the 2008 Summer Olympics in Beijing, were the International Olympic Committee, various Western and Asian national Olympic committees, and the World Anti-Doping Agency. China believed the Olympics were an event of inestimable propaganda and political importance, and the leadership treated the Games as a sort of debutante ball to mark China’s emergence as a great power after long years of “humiliation” by Western imperialists. It invested enormous energy in trying to ensure that China outshone the rest of the world there.
Also targeted by Shady RAT during the period covered by the records McAfee’s experts downloaded were various political non-profit organizations that the Chinese regime dislikes, including one Western outfit devoted to promoting democracy around the world, a U.S. national security think tank, a second U.S. think tank, a major U.S. news organization, the United Nations itself, the Secretariat of the Association of Southeast Asian Nations (ASEAN), twelve U.S. government agencies, some U.S. state and local governments, some U.S. defense contractors, and government agencies in both India and Canada. (Shady RAT apparently never targeted anybody in China, by the way.)
Beijing’s mask of denial slipped further that same year when a Chinese news documentary about the PRC’s military, broadcast on a government-run television channel, aired a clip appearing to show a technician actually launching a cyber-attack on a U.S.-based web address belonging to the Falun Gong spiritual group, which PRC authorities detest and have fiercely persecuted since 1999. After Western reporters called attention to the cyber-attack braggadocio in the mere six seconds of “B-roll” footage in the documentary, it was quickly removed from the Chinese Internet. The episode, however, provided yet another data point suggesting that the longstanding talk in PRC military and strategic journals about the imperative of preparing for what is termed “informationized” warfare is no longer just talk.
Earlier this year another important watershed occurred: the first instance of cyber-security experts being willing publicly to identify the PRC regime itself as the point of origin for key components of the APT. Last month, the security company Mandiant released a report publicly identifying the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s 3rd Department, a military outfit awkwardly known by its Military Unit Cover Designator, Unit 61398, as probably having been the originator of a series of APT assaults on at least 141 organizations across multiple industries. In fairness, Mandiant apparently only traced the attacks to the Shanghai neighborhood where Unit 61398 is based, but this is generally believed to be a distinction without much of a difference. (As The Economist recently put it, it is unlikely that a well-funded group of professional cyber-attackers is based in the noodle joints that surround Unit 61398’s PLA-controlled high-rise building.)
Mandiant’s report is thus very significant, for it has explicitly injected into the public discourse on cyber conflict what security experts have privately emphasized for years: that our massive data losses to the usually anonymous Chinese entities of the APT are in significant part thefts orchestrated by the CCP regime itself, apparently as part of a broad economic, political, and indeed strategic policy devoted to the PRC’s advancement vis-à-vis the West in general and the United States in particular. Such state sponsorship is not news to policy-community insiders, but the PRC’s cyber-strategy is now a subject of open discourse for the first time, and Mandiant’s report has indeed made something of a splash in the media.