And they're coming to an inbox near you.
By Melissa Chan
Melissa Chan is a national and foreign affairs reporter. She was a broadcast correspondent for Al Jazeera, where she reported everywhere from China to Cuba. As a John S. Knight Journalism Fellow at Stanford, she worked on media innovation and entrepreneurship. She is a collaborator with the Global Reporting Centre and a term member of the Council on Foreign Relations.
The New York Times’ announcement in January that Chinese hackers had compromised its computers, stolen employee passwords, and wormed around its network for four months made for a chilling read for those of us concerned about press safety and digital security. But the paper’s latest installment, based on a report released by computer security firm Mandiant, lays out even more spectacular and serious possibilities: that China’s military has stolen information from companies "involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks."
An alarmed American public may wonder whether it’s time to push the panic button, but in many respects, this is old news to those in the digital security industry. Chinese hackers have been tracked and traced before. Experts with a dismal view assume everything’s hacked, until proven otherwise.
"There’s a saying in the security industry," says Eva Galperin of the Electronic Frontier Foundation, an Internet advocacy group. "Everybody is ‘owned’ all the time. These attacks are constant."
Mandiant’s report is the result of years spent tracking a Shanghai-based hacking team dubbed the "Comment Crew," also known as APT1. The company’s investigators even managed to pinpoint the hackers’ work space: a Shanghai building owned by Unit 61398 of the People’s Liberation Army. Mandiant says it has observed some 140 attacks by Comment Crew since 2006.
While the corporate and governmental attacks described by Mandiant and the attacks against New York Times reporters are separate cases executed by different hacking groups, the digital trail leads back to the same location: China.
Galperin has the solution. "If organizations are concerned about security, and they want to know what the one thing is that they can do — they can teach their users not to click on these links or open these attachments," she says.
The problem is, Chinese hackers are getting dangerously good at tricking users into clicking on what are known as "phishing emails" — messages with links or attachments that seem innocuous, but actually dump spyware on recipients’ computers. One of the secrets? Language skills. Over the course of my five years in China, hackers targeting foreign correspondents became more advanced, upgrading from early phishing attempts using haphazard "Chinglish" to more convincing and polished English.
In one case in 2012, an email appeared to have come from organizers of the Boao Forum, a China-run meeting modeled after Switzerland’s World Economic Forum. The English text, grammatically perfect, was copied and pasted from legitimate emails sent by Ogilvy, the international PR firm. It made for a much more convincing phishing attempt than the ones from the days when we would receive one-liners that read: "China’s environmental topic. The latest news."
Mandiant’s report observes the same developing sophistication: "They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China — before beginning the cycle again. They employ good English — with acceptable slang — in their socially engineered emails."
Opening the Boao attachment would have shown a sign-up sheet for journalists interested in attending the event. The actual payload would run in the background, installing a rare "Trojan" that would send information stolen from the computer to a server located in Chongqing, China. The recipient would never have known he or she had been compromised.
Some phishing emails were bespoke. To my knowledge, I was the only recipient in August 2011 of an email that took advantage of the CVE-2010-3333 vulnerability, a flaw in Microsoft Word’s codebase. The message, in Chinese, concerned a July 2011 high-speed rail crash in the city of Wenzhou, a story I had covered and complemented with prolific live-tweeting. The message discussed comments from press freedom organization Reporters Without Borders concerning media access to the crash site. The hackers would have had to know I understood Chinese and would have put in some time to research recent stories I’d worked on. A few other journalists received custom phishing attempts during this period, each email message different but all taking advantage of the same exploit.
Mandiant’s report underscores how difficult it is these days to spot a hacker. "The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel — and uses these accounts to send the emails."
The irony in this brave new world of the digital frontier is that we need to return to old technologies. If you want to check an attachment’s safety, pick up the phone and call the sender. Even writing back with email might not work. Mandiant describes how in one instance, the hacker responded to a query by confirming the attachment ("It’s legit," the email read). Email back … and you may well start chatting with the very person who is trying to deceive you.
Keeping an eye out for suspicious file extensions no longer works, either. The primitive days of mysterious and suspicious .exe, .rar, and .zip attachments have been replaced by attachments with reassuring but false file formats. The hackers from Unit 61398 "even went to the trouble of turning the executable’s icon to an Adobe symbol to complete the ruse," Mandiant notes.
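A practical counter to the icon-and-extension ruse just described, added here as an example and not part of the article: a small Python check that classifies an attachment by its leading bytes rather than by its name or icon, so a Windows executable renamed to look like a PDF is still recognised as an executable, and bait double extensions such as "report.pdf.exe" are caught as well. The signature table holds well-known public constants; the sample attachments are constructed, not real captures.

```python
import os
# Public file signatures ("magic bytes"); Windows executables begin with "MZ".
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe-executable",                       # .exe / .scr / .dll
    b"PK\x03\x04": "zip",                         # .zip, and Office .docx/.xlsx
    b"Rar!\x1a\x07": "rar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc / .xls
}
# Content type each extension is expected to carry.
EXPECTED = {
    ".pdf": {"pdf"}, ".rar": {"rar"}, ".zip": {"zip"}, ".docx": {"zip"},
    ".xlsx": {"zip"}, ".doc": {"ole2"}, ".xls": {"ole2"},
    ".exe": {"pe-executable"}, ".scr": {"pe-executable"},
}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if nothing matches."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say; the icon is never
    consulted. Flags executables behind document names, content/extension
    mismatches, and bait double extensions such as 'report.pdf.exe'."""
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]            # second-to-last extension, if any
    content = sniff(data)
    reasons = []
    if inner in EXPECTED and inner != ext:
        reasons.append(f"double extension {inner}{ext}")
    if content == "pe-executable" and ext not in (".exe", ".scr"):
        reasons.append(f"executable content behind '{ext or 'none'}' extension")
    elif ext in EXPECTED and content != "unknown" and content not in EXPECTED[ext]:
        reasons.append(f"content is {content} but name claims {ext}")
    return {"filename": filename, "content": content,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample attachments (not real captures) mirroring the ruse above.
SAMPLES = {
    "signup_sheet.pdf": b"MZ\x90\x00" + b"\x00" * 60,      # PE bytes, PDF name
    "agenda.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",        # genuine PDF header
    "crash_report.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # double extension
    "attendees.docx": b"PK\x03\x04" + b"\x00" * 26,        # benign Office file
}
```

Run `check_attachment` over each entry of `SAMPLES` to see the two disguised executables flagged and the two genuine documents pass; a real gateway would apply the same content check to every attachment regardless of how reassuring its name looks.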
Mandiant’s report, titled "APT1," refers to "advanced persistent threats" — hacker groups of an institutional, well-resourced nature. Those who’ve followed APTs know they’re nothing new.
A 2009 investigation by Infowar Monitor, a team of technologists at the University of Toronto and the SecDev Group, a Canadian consultancy, revealed an advanced cyber-spying operation called GhostNet. Researchers traced GhostNet’s command-and-control center back to China. Hackers had infiltrated computers across 103 countries, from embassies to the offices of the Dalai Lama. In its report, Infowar Monitor declared GhostNet "capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras." The hackers used polished phishing emails to gain entry to those systems.
What is different now is that the scope and targets of APTs, bleeding beyond governmental espionage to commercial groups and even to individual reporters, reveal a messier, more complex, and more dangerous hacker universe in which individuals and institutional players fight with different political, economic, and social agendas.
Even the most advanced technology companies have been hit. In this one month alone, Twitter, Facebook, and Apple all announced their systems had been penetrated by hackers. Bloomberg’s latest report says they belong to an Eastern European criminal group. Chinese hackers, while not the sole culprits, pose a bigger geostrategic threat: The same group of hackers targeting a Fortune 500 company may well go after the State Department or a lone activist the next day.
That pattern will likely continue because of one compelling fact: It’s affordable. Frank Smyth is founder of Global Journalist Security, an organization working to equip reporters with complete security training, including a digital component. "No one should be surprised, because it doesn’t take that much infrastructure. If you have a team of people in a room, you can create a lot of havoc," he says. "That’s much cheaper than building a tank or a jet fighter."