A Chinese Hacker’s Identity Unmasked

China and the United States have traded accusations of hacking following reports that The New York Times, Wall Street Journal and Washington Post were all infiltrated by allegedly Chinese intruders. Google’s Eric Schmidt blasts China for waging undeclared cyber war in a forthcoming book, while —perhaps relieved to find one of his newspapers hacked, rather than hacking—has taken to Twitter to highlight alleged attacks. But conclusively tracing any intrusion back to its source is usually impossible, allowing all parties some measure of plausible deniability.

In one case that has unfolded over the past two years, however, a trail of reused email addresses and aliases led to the business website and personal QQ and Kaixin accounts of a teacher at the P.L.A.’s Information Engineering University. At Bloomberg Businessweek, Dune Lawrence and Michael Riley describe and build on researchers Joe Stewart’s and Cyb3rsleuth’s investigations of suspected hacker Zhang Changhe.

Computer attacks from China occasionally cause a flurry of headlines, as did last month’s hack on the New York Times (NYT). An earlier wave of media attention crested in 2010, when Google (GOOG) and Intel (INTC) announced they’d been hacked. But these reports don’t convey the unrelenting nature of the attacks. It’s not a matter of isolated incidents; it’s a continuous invasion.

[…] Investigators at dozens of commercial security companies suspect many if not most of those either are military or take their orders from some of China’s many intelligence or surveillance organizations. In general, they say the attacks are too organized and the scope too vast to be the work of freelancers. Secret diplomatic cables published by WikiLeaks connected the well-publicized hack of Google to Politburo officials, and the U.S. government has long had classified intelligence tracing some of the attacks to the People’s Liberation Army (PLA), according to former intelligence officials. None of that evidence is public, however, and China’s authorities have for years denied any involvement.

Up to now, private-sector researchers such as Stewart have had scant success putting faces to the hacks. There have been faint clues left behind—aliases used in domain registrations, old online profiles, or posts on discussion boards that give the odd glimpse of hackers at work—but rarely an identity. Occasionally, though, hackers mess up. Recently, one hacker’s mistakes led a reporter right to his door.
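The attribution technique sketched in the two passages above (reused email addresses and aliases in domain registrations and online profiles, pivoted across records until they converge on one person) can be shown mechanically. The following is an added example, not code from the Businessweek article or from Stewart’s or Cyb3rsleuth’s investigations; every domain, address and handle in it is a constructed placeholder, and the privacy-proxy address is a made-up stand-in for the registrar-substituted contacts a real investigation has to exclude, since linking on those would merge every privacy-protected domain into one false cluster.

```python
"""Identifier pivoting over constructed domain-registration and profile records.

Added example for illustration only; not the researchers' code. All data
below is constructed: the domains, emails and handles are placeholders.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed stand-in for registrar privacy-proxy contacts. These are shared by
# unrelated registrants, so they must never be used as a pivot.
PRIVACY_PROXY_EMAILS = {"proxy@privacy-registrar.invalid"}

# Constructed WHOIS-style records: domain, registrant email, registrant alias.
WHOIS_RECORDS = [
    {"domain": "c2-one.test",   "email": "opsalias@mail.invalid", "alias": "alias_a"},
    {"domain": "c2-two.test",   "email": "opsalias@mail.invalid", "alias": "alias_b"},
    {"domain": "c2-three.test", "email": "second@mail.invalid",   "alias": "alias_b"},
    {"domain": "shop.test",     "email": "proxy@privacy-registrar.invalid", "alias": "alias_q"},
    {"domain": "blog.test",     "email": "proxy@privacy-registrar.invalid", "alias": "alias_r"},
]

# Constructed online-profile records: platform, handle, email shown on the profile.
PROFILE_RECORDS = [
    {"platform": "forum",  "handle": "alias_b",    "email": "second@mail.invalid"},
    {"platform": "social", "handle": "realname_c", "email": "second@mail.invalid"},
]


class UnionFind:
    """Disjoint-set forest: every identifier starts alone; shared identifiers merge sets."""

    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def build_clusters(whois: list[dict], profiles: list[dict]) -> list[set[str]]:
    """Link every identifier that co-occurs in a record; return the connected sets.

    Node names are typed ("email:", "alias:", "domain:", "profile:") so that an
    alias and a domain with the same spelling are never confused.
    """
    uf = UnionFind()
    for rec in whois:
        nodes = [f"domain:{rec['domain']}", f"alias:{rec['alias']}"]
        if rec["email"] not in PRIVACY_PROXY_EMAILS:
            nodes.append(f"email:{rec['email']}")
        for node in nodes[1:]:
            uf.union(nodes[0], node)
    for prof in profiles:
        # A profile handle that matches a registrant alias is the pivot from
        # infrastructure records to a person-facing account.
        nodes = [
            f"profile:{prof['platform']}/{prof['handle']}",
            f"alias:{prof['handle']}",
        ]
        if prof["email"] not in PRIVACY_PROXY_EMAILS:
            nodes.append(f"email:{prof['email']}")
        for node in nodes[1:]:
            uf.union(nodes[0], node)
    clusters: dict[str, set[str]] = defaultdict(set)
    for node in list(uf.parent):
        clusters[uf.find(node)].add(node)
    return list(clusters.values())


def cluster_of(identifier: str, clusters: list[set[str]]) -> set[str]:
    """Return the set of identifiers connected to `identifier` (empty if unknown)."""
    for cluster in clusters:
        if identifier in cluster:
            return cluster
    return set()


if __name__ == "__main__":
    found = build_clusters(WHOIS_RECORDS, PROFILE_RECORDS)
    for cluster in found:
        print(sorted(cluster))
```

Run as-is, the three `c2-*.test` domains, both registrant addresses and the two profiles land in one cluster, while the two privacy-proxied domains stay apart from it and from each other. The exclusion list is the part worth carrying into real work: a proxy contact, a registrar default address or a throwaway mailbox reused by many unrelated registrants will otherwise fuse everything it touches, and the resulting "attribution" is an artifact of the data, not evidence.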

[…] Outing one person involved in the teams won’t stop computer intrusions from China. Zhang’s a cog in a much larger machine and, given how large China’s operations have become, finding more Zhangs may get easier. Show enough of this evidence, Stewart figures, and eventually the Chinese government can’t deny its role. “It might take several more years of piling on reports like that to make that weight of evidence so strong that it’s laughable, and they say, ‘Oh, it was us,’ ” says Stewart. “I don’t know that they’ll stop, but I would like to make it a lot harder for them to get away with it.”

Meek confessions from China do seem a long way off for now, as Adam Segal of the Council on Foreign Relations wrote shortly after the Times hacking was revealed:

Several commentaries and an article in the People’s Daily all suggest that Beijing is not reacting to the public announcements with anything approaching shame. In fact, they all portray the claims as part of an effort to discredit China and distract from the offensive actions the United States is taking in cyberspace. The People’s Daily notes that while the United States is portraying itself as the “patron saint of the free Internet” it has plans to expand U.S. Cyber Command fivefold. He Hui, deputy director at the Communication University of China, argues that the claims about Chinese hacking are getting tiresome and in fact serve three alternate purposes: they raise suspicion about China’s rise in the United States and the rest of the world; help raise defense budgets, especially for cyber weapons; and justify protectionist trade measures against Chinese firms that are beginning to challenge the big American companies.

Other recent news may do little to dispel these views. The New York Times reported early this month, for example, that a secret legal review had authorized pre-emptive strikes in response to “credible evidence of a major digital attack looming from abroad”. From David E. Sanger and Thom Shanker:

One senior American official said that officials quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief.

[…] “While this is all described in neutral terms — what are we going to do about cyberattacks — the underlying question is, ‘What are we going to do about China?’ ” said Richard Falkenrath, a senior fellow at the Council on Foreign Relations. “There’s a lot of signaling going on between the two countries on this subject.”

China is not alone in its wariness of U.S. policy. At The New Republic, Thomas Rid argued that the Obama administration’s “lousy” record on cyber security includes neglecting defensive in favor of offensive capabilities.

Indeed, the Obama administration has been so intent on responding to the cyber threat with martial aggression that it hasn’t paused to consider the true nature of the threat. And that has led to two crucial mistakes: first, failing to realize (or choosing to ignore) that offensive capabilities in cyber security don’t translate easily into defensive capabilities. And second, failing to realize (or choosing to ignore) that it is far more urgent for the United States to concentrate on developing the latter, rather than the former.

[…] So amid all the activity, little has been done to address the country’s major vulnerabilities. The software that controls America’s most critical infrastructure—from pipeline valves to elevators to sluices, trains, and the electricity grid—is often highly insecure by design, as the work of groups like Digital Bond illustrates. Worse, these systems are often connected to the internet for maintenance reasons, which means they are always vulnerable to attack. Shodan, a search engine dubbed the Google for hackers, has already made these networked devices searchable. Recently a group of computer scientists at the Freie Universität in Berlin began to develop their own crawlers to geo-locate these vulnerable devices and display them on a map. Although the data are still incomplete and anonymized, parts of America’s most vulnerable infrastructure are now visible for anyone to see.

Defending these areas ought to be the government’s top priority, not the creation of a larger Cyber Command capable of going on the offense. Yet the White House has hardly complained that the piece of legislation that would have made some progress towards that goal, the Act of 2012, has stalled indefinitely in the Senate.

On Tuesday, however, the Associated Press reported that fear of “America […] losing cyber war to China” might help drive legislation through an otherwise gridlocked Congress:

Declaring that America is losing an aggressive cyber-espionage campaign waged from China, administration officials and lawmakers on Wednesday agreed to push legislation that would make it easier for the government and industry to share information about who is getting hacked and what to do about it.

They say this new partnership, codified by law and buoyed by President ’s new executive order, is critical to keeping countries like China, Russia and even Iran from rummaging in American computer networks and targeting proprietary data they can use to wreak havoc or compete against U.S. businesses.

[…] “Until acts, President Obama will be fighting to defend this country with one hand tied behind his back,” said Senate Majority Leader Harry Reid, D-Nev., who promised Wednesday to advance a bipartisan proposal “as soon as possible.”

The threat from China has already proven lucrative for some in the private sector. Previously at Businessweek, Brad Stone and Michael Riley profiled security firm Mandiant, enlisted by both The New York Times and The Washington Post to exorcise suspected Chinese intrusions. The company’s $100 million business has been built in large part on the threat of attacks from China.

In one large central control room, dubbed the Bridge, a dozen security analysts peer quietly at their computer monitors, looking for anomalous activity on the computer networks of Mandiant’s hundreds of corporate clients around the world. A large computer display on the wall shows an image of the earth, seen from space, that highlights inbound and outbound network activity in each country. Mandiant monitors the entire planet, yet a printout taped to the desk of one analyst suggests that these days, the company has a more specific focus. “To accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless,” reads an excerpt from a recent Chinese government statement. Jennifer Ayers, who manages the Redwood City facility, removes the printout and folds it in half. “We’re not supposed to editorialize,” she says.

[…] For the first few years, [Mandia’s] company remained small and relatively unknown outside computer security circles. But it was in the right place at the right time. In 2011, as anxieties about attacks by China spread, the company raised $70 million from venture capital firm Kleiner Perkins Caufield & Byers and the investment arm of JPMorgan Chase (JPM). […]

See also a ChinaFile conversation on recent hackings between CDT founder Xiao Qiang, Orville Schell, James Fallows, Bill Bishop and others, and more on hacking and cyber security via CDT.