As coronavirus tore through Europe in March and April, so did hackers acting on behalf of the Chinese government. Looking to make the most of organisations scrambling to respond to the health crisis, criminals working for China attacked private companies, research institutions, and governments across the world.
State-sponsored actors working on behalf of the Chinese government and its security services have tried to “profit from the crisis” and steal information that could be beneficial to the country, a senior Western security source says. These include attacks on a major social care company in the UK.
Hackers working for the group known as Advanced Persistent Threat 41 (ATP41) compromised a major private provider of social care services in the UK and in the process disrupted its systems, a cybersecurity expert with knowledge of China’s actions says. The attack took place in March as the UK was hurtling towards the most serious weeks of its Covid-19 outbreak.
On another occasion, state-sponsored hackers from a different Chinese group are thought to have targeted two technical companies, one in the UK and one in the US, that handle anonymised patient data. The attackers conducted reconnaissance on the firms but, the source says, there is no evidence they were actually compromised. They add that during April and May Chinese cyber actors based in Wuhan, where Covid-19 first emerged, targeted a number of European governments and their systems.
While specific details of the attacks are not publicly known, efforts by China to compromise the systems of European governments has been confirmed by other security researchers.
The new details paint a picture of widespread and indiscriminate Chinese cyber activity during the pandemic. The latest developments follow US government officials indicting two alleged Chinese-backed hackers on July 21 for conducting a decade of global cyberattacks designed to “rob, replicate and replace” multiple companies, from Australia to Sweden. These attacks included one against an unnamed UK artificial intelligence and cancer research company in April.
“Whilst the rest of the world prioritised protecting their citizens from coronavirus, China has prioritised standing up its hacking teams to profit from the crisis and enhance its espionage capabilities,” a senior Western security source says. They say the “vast scale” of China’s hacking operation isn’t widely understood and multiple Advanced Persistent Threat groups, or APTs, with links to the country’s Ministry of State Security, are working to access confidential information. APTs are hacking groups that conduct continuous and sophisticated attacks. They can lurk inside networks for months or years at a time and use previously unknown vulnerabilities.
The source claims there are “significantly more” hacking groups working across China’s 23 regions than many people know about. These groups work to a number of ends, including undermining the democratic process in Taiwan and elsewhere, the source says.
The claims are the latest in a series of state-sponsored hacking attempts said to have taken place during the pandemic. Last week, officials in the UK, US and Canada publicly shamed Cozy Bear, a group of hackers formally known as ATP29 and believed to be linked to the Russian state, with trying to steal information relating to the development of coronavirus vaccines. Earlier in July, the FBI pointed its finger at China. It singled out the nation as “working to compromise” American healthcare organisations, pharma companies and universities that are conducting research into the virus.
The result is increasingly strained tensions between China and the West. The ban on Huawei’s 5G technology in the UK, human rights abuses against Uighur Muslims and Hong Kong’s National Security Law have all sparked criticism of China’s domestic and foreign activities. “It's perfectly clear that we're moving out of the era of engagement policy with China, where the emphasis was on cooperation, predominantly, to now a situation where I think the rise of China is being viewed a bit more critically,” says Veerle Nouwens, a research fellow at the Royal United Services Institute, who focuses on policy issues related to China.
“China presents both opportunities for cooperation but some serious challenges as well,” she adds. In the last five years, president Xi Jinping has set ambitious goals for China to become a superpower in artificial intelligence, quantum computing and the common rules that underpin how key technologies, such as 5G, work.
Despite being publicly criticised for alleged hacking – by governments, law enforcement and private security firms – China has consistently denied the claims made against it. At the time of writing, the Chinese Embassy in the UK had not responded to a request for comment for this story. However, following the publication of this article a spokesperson for the embassy said: “The Chinese government is a staunch defender of cybersecurity. We firmly oppose and fight all forms of cyber attacks and cyber crimes.” They added that those investigating cyberattacks should present evidence and “groundless speculations must stop”.
After this week’s US indictment, China’s ambassador to the UK tweeted to refute claims of data being stolen. “Such accusations constitute disrespect for Chinese scientists & their achievements; they could also undermine international cooperation on R&D,” Liu Xiaoming said. “The world must strongly oppose and reject such groundless claims.” Other denials have been similarly strong. In 2018 it said the US should “respect the truth” and “stop deliberately slandering China”.
But China’s hacking activities aren’t new. Over the last decade high-profile hacks have been routinely attributed to groups working on behalf of the Chinese government, with law enforcement agencies in the US issuing warrants for those it believes to be guilty. Targets included military and technology secrets and personal data – four Chinese hackers are alleged to have stolen 143 million people’s data from credit reporting agency Equifax in 2017.
“They are a massive country that does more hacking than anyone else,” says Ben Read, a senior manager of cyber-espionage analysis at Mandiant Threat Intelligence, which is owned by security firm FireEye. Earlier this month, the FBI said it was opening a new China-related counterintelligence case every ten hours, adding that half of its current counterintelligence cases are against the country. The FBI also said that it was now “more likely than not” that American adults have had their data stolen by China.
During the pandemic Read has seen Chinese-backed hackers focus their efforts towards Covid-related information. “We have seen some targeting of healthcare organisations,” Read says. “The most active [group] we have seen are APT41,” he adds. “They continue to do stuff that is financially motivated and what looks traditional espionage targeting.” Read confirms the company has uncovered Chinese-backed hacking attempts on EU governments and institutions over the last six months. In June, the European Commission called out China for attacking hospitals. China denied this by saying cyberattacks relating to the pandemic should be “unequivocally condemned by all”.
“In EU countries it has been spear-phishing with your normal sort of attachments,” Read says. Spear-phishing attacks involve hackers trying to trick people into providing login details to sensitive systems or downloading files that contain malware. They are targeted at individuals, leveraging lures that make them look genuine – for instance, an email may be spoofed to look like it has come from your boss. Successful spear-phishing can help hackers get a foothold in a network from which they can move around and collect data.
Across Europe, Mandiant has spotted Chinese hackers attempting to access presidential administrations and ministries of foreign affairs – the aim may have been to access diplomatic intelligence but since the attacks didn’t compromise their targets it is impossible to be certain. Read says he can’t name countries or specific governments that have been targeted due to client confidentiality. Mandiant’s parent company, FireEye, is expected to publish further analysis of Covid-19 espionage attempts against the UK – from China and elsewhere – in the coming days.
There have been parallels with the tactics of the alleged Russian-backed hackers who were trying to steal coronavirus vaccine information. Those working on behalf of China appear to have been quick to take advantage of vulnerabilities in hardware and software. “In some cases, those vulnerabilities were newly announced, meaning that many users would not have installed patches to correct the vulnerability,” the US Department of Justice said on July 21 as it indicted two Chinese nationals – Li Xiaoyu (李啸宇) and Ddon Jiazhi (董家志) – for stealing data and making millions in personal profit.
There are two ways countries often conduct cyber operations, explains Lotem Finkelsteen, the global manager of threat intelligence at security firm Check Point. During the pandemic, Check Point has publicly linked two separate cyberattacks to China. It says the country used spear-phishing emails that pretended to be from Mongolia’s government and attempted to trick public sector groups into opening malware-laden attachments that claimed to contain details about Covid-19’s spread. The second alleged a Chinese-based hacking group was carrying out espionage against governments across the Asia-Pacific region.
“One way is you can use your own agencies to maintain these kinds of attacks,” Finkelsteen says. “The other way is to use proxy units, meaning outsourcing the attack to some private actors and usually it is done to detach yourself from an attack.” China is believed to do a mixture of both. The People’s Liberation Army Strategic Support Force is “at the forefront of Beijing’s efforts to achieve information dominance,” a report presented to US congress in 2019 stated. The Support Force is not the only group involved though. Past analysis has included government and military hackers alongside “contractors, patriotic hackers, and even criminal elements”.
What has recently been emerging, as highlighted by the senior Western security source, is the prevalence of hackers being linked to local Ministry of State Security, or MSS, offices. The MSS can be considered a blend of the US Central Intelligence Agency (CIA) and Federal Bureau of Investigation (FBI). The two Chinese nationals indicted by the US this week have been linked to the Guangdong Province division of the MSS; two other Chinese intelligence officers working for the Jiangsu Province branch of the MSS were indicted by the US in October 2018 for stealing aviation and tech data.
“We can find techniques that they use,” Finkelsteen says. “Due to the common techniques we see, we tend to believe they share knowledge, if they share knowledge there is some network to do that.” Mandiant’s Read adds that he has seen Chinese groups sharing hacking tools, including shared malware libraries and similar pieces of code across different attacks. “There are some groups that are very regionally focused,” he says. “There's a group that goes really hard at Central Asia and Mongolia.”
Details of Chinese-backed hacking culture were exposed in December 2018 when the US and UK government publicly named the hacking group APT10 – also known as Stone Panda – for stealing “hundreds of gigabytes of sensitive data” from 45 different people. The attacks included theft of information from Nasa. Those working for ATP10 were closely associated with the Tianjin province arm of the MSS led standard nine-to-five lives. They “worked in an office environment and typically engaged in hacking operations during working hours in China,” the US indictment for two men said. The hackers indicted this week worked in an uninspiring office block in Guangdong province.
Countries opposing state-backed hacking from China have a difficult time combatting it – many, including the UK and US, have their own offensive cyber divisions and very little is known about how they operate. “Most of this isn’t governed by treaties,” says Dapo Akande, a professor of public international law at the University of Oxford. “The rules really are not necessarily specific to cyber operations and cyber activities”. Akande has led a group of 120 international lawyers in stating that hacking attempts on medical facilities during the pandemic should be treated as international crimes.
Many of the claims made appear to fly the face of agreements made between the UK, US and China in 2015. A mutual UK-China statement says both countries agreed to not conduct or support “cyber-enabled theft of intellectual property, trade secrets or confidential business information”. The agreement added there should be “mutual respect and understanding” between the countries.
Cyberattacks can be prosecuted under existing international laws, Akande says. There may not be a need for new international laws governing what can and can’t be hacked. Existing rules around states not interfering in the internal affairs of other countries, the prohibition of the use of force, and human rights aspects, such as the right to health and the right to life, can cover state-backed hacking, Akande adds.
In the last three years there has been an increase in public naming and shaming of hackers believed to be working for China. Politicians in the UK and US hope that if they try to humiliate the countries that attack them, it may disrupt their future hacking efforts. In reality, named hackers, whether in China or Russia, are unlikely to travel internationally and risk arrest. The statements may also serve another purpose: to set out what is considered unacceptable.
“These statements indicate quite a lot of collaboration across governments and cybersecurity agencies,” Akande says. He adds that when multiple countries can agree to what incorrect espionage behaviour is, it will become easier to tackle nations that break the rules.“Countries are very keen to avoid the idea that cyberspace is an ungoverned space. They want to make it clear that law applies here as well.”
Updated July 24, 2020 19:00 BST: A statement from the Chinese Embassy in the UK has been added
Matt Burgess is WIRED's deputy digital editor. He tweets from @mattburgess1
This article was originally published by WIRED UK
