Chinese hackers were able to worm their way into “dozens of victim companies, universities and government entities” around the world for years to steal an invaluable amount of information, everything from secrets about submarines to genetic sequencing, according to charges unsealed Friday by the U.S. Department of Justice. How’d they manage all that?
The hacks described in the indictment are not the same as the more recent Microsoft breach, which the White House also pinned on Chinese hackers today. Rather, four Chinese nationals were named for their purported roles in numerous hacks from 2011 to 2018 — acts the White House said were “in stark contrast to [China’s] commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage.”
According to the U.S., the hacks started, as many do, via spear-phishing campaigns, in which hackers impersonate a trustworthy person or organization in an email to their target. Even if the email appeared to come from someone unfamiliar, the hackers had backstopped fake, virtual identities online with public profiles and websites.
RELATED: U.S. Formally Accuses China of Hacking Microsoft (NYTimes)
If the target doesn’t spot the fake, they might click on a link in the email, which would download malicious files directly or lead them to another forgery: a familiar-looking website that’s actually a perfect, fake duplicate. The charging documents skip over this next step, but it’s likely the purpose there is to trick the target into entering login information to the fake site, which exposes it to the hacker.
From that “toe hold,” the hackers would move “laterally,” as the former head of the NSA’s elite hacking unit would likely put it, using the account they’ve newly accessed to try and trick others in the organization into giving up greater and greater network access, and greater opportunities to install their malware.
RELATED: Head of NSA’s Elite Hacking Unit: How We Hack (ABC News)
The hackers employed a handful of malware programs hosted at newly registered domains, the DOJ says — one accessed by using the password “goodperson,” which was a repeated password for the group.
To hide some of the data they exfiltrated, the DOJ said the hackers used a technique called steganography, which is the “concealment of a file within another file.” In this case, the indictment says information was hidden in photographs of a koala bear and one of then-president Donald Trump. The Trump photo held “hydroacoustic and marine research data.” (Code and Dagger previously reported how a GE engineer allegedly used the method to hide stolen information about turbine engines in a photograph of a sunset.)
RELATED: Engineer Allegedly Hid Stolen Files in Sunset Photo (Code and Dagger)
The hackers used common online file programs to store their malware and the exfiltrated files, the indictment says. In an attempt to cover their tracks, the hackers used TOR, or The Onion Router, which anonymizes I.P. addresses and which has been hailed by privacy advocates.
Despite their efforts, the indictment unsealed today reveals that investigators were able to track the hackers’ operations with a granular amount of detail — from the exact day they were alleged to have installed specific pieces of malware on victims’ systems over nearly eight years of activity. It also tracked the careers of the individual purported hackers, down to the awards one won for their online exploits.
The Chinese government has not yet responded to the hacking allegations, according to Reuters. But the news service noted that the country has pushed back on similar allegations in the past, claiming that it is a victim of cyberattacks and opposes them.
[Do you have a tip or question for Code and Dagger? Send it along at CodeAndDagger@protonmail.com. Also, consider contributing to Code and Dagger on Patreon at Patreon.com/CodeAndDagger.]