How Chinese hackers steal U.S. secrets

Cyber spies have already stolen hundreds of billions of dollars in corporate secrets from plans for military hardware to paint formulas, but the security firm Mandiant warns that hackers could do even greater damage. Bob Orr reports.

To steal the designs for America's advanced weapons systems, as Chinese hackers are alleged to have done by in a confidential report prepared for the Pentagon, you don't necessarily have to break into classified Department of Defense systems. 

Many of America's military secrets can be stolen by exploiting the networks over which unclassified information is shared by military contractors and subcontractors. While these contractors, like the government, have improved their cyber-security over the past decade, many still do not have systems in place to quickly discover whether a hacker in Beijing, or elsewhere, is harvesting information off the computer of a staffer in Virginia, according to cyber-security experts interviewed for this story.

On Monday, the Washington Post reported that Chinese hackers are believed to have stolen the designs for "more than two dozen major weapons systems," potentially weakening the U.S. military advantage over China. While we don't know precisely how the information was accessed, cyber-security experts say it did not necessarily come from the Department of Defense itself.  

"I just don't think that's necessary," said Richard Bejtlich, the Chief Security Officer for cyber-security company Mandiant. "You can get what you need from the contractors."

While no computer networks are impenetrable, federal agencies like the FBI, DOD and NSA devote significant resources to guard their computer networks, and also have in place rules to protect sensitive data. Many of the contractors who build parts for U.S. weapons systems, however, do not have that level of resources. That makes them more vulnerable to attacks from hackers in China and elsewhere, who often use sophisticated "spear phishing" attacks to infiltrate a system and harvest data. By piecing together stolen information from various contractors, hackers can recreate U.S. systems even if they don't have the entire design in one place.

James E. Harris Jr., a senior specialist for cyber-security at Obsidian and former FBI cyber-division official, said that while "we may protect a final design," important aspects of it go to vendors for fabrication. Those vendors may order parts from another supplier or subcontractor, potentially exposing sensitive information to a network with a lower level of security than the contractor itself. "Nobody produces anything from soup to nuts," he said.

While spear-phishing attacks involve email, they are far more sophisticated than the clumsy, implausible email appeals you've most likely gotten from an alleged Nigerian prince or other scammer. A hacker may spoof or break into the email of a friend or colleague - they might use Facebook to figure out your connections - and send along a link or attachment that downloads malware onto your computer; when you click it installs malware can then record your keystrokes, turn on your camera, and go through your windows registry for sensitive information. These emails are often well-written and believable: The National Association of Manufacturers recently received an email ostensibly from a Bloomberg reporter with a link to an Excel spreadsheet relevant to a story. The email had actually come from Chinese hackers seeking proprietary information.

Indeed, U.S. weapons systems are just one of the many targets of hackers, who are equally (if not more) interested in industrial secrets and intellectual property. And the Chinese government is far from the only game in town: There are organized criminal gangs, other state actors and other autonomous groups constantly trying to break into systems. Christopher Ling, executive vice president at Booz Allen Hamilton focusing on military intelligence and cyber-security, said that Russia and Israel are among the countries (along with the United States) that have excelled in the "cat and mouse" game of cyber-warfare, though he added that there is now a black market for sophisticated malware that allows less sophisticated nations to mount serious attacks. And the threat isn't just to military and industrial secrets: Some hackers are also interested in terrorism, with the Department of Homeland Security reporting 198 attacks on critical U.S. infrastructure in fiscal year 2012.

But China is "the most active and prolific" state player in the hacking game, according to Ling. "It is a national focus agenda item for the Chinese to be active in this way," he said. "It's not a small group of people who just decided they want to do this on their own accord." While the United States was reticent to specifically accuse China of hacking until relatively recently, the Office of the National Counterintelligence Executive said in 2011 that U.S. firms and cyber-security specialists had reported "an onslaught" of network intrusions from China, and in March President Obama's national security advisor, Tom Donilon, warned of "cyber intrusions emanating from China on an unprecedented scale." 

According to Bejtlich - whose company, Mandiant, made international headlines when it released a detailed report on China's cyber-espionage efforts in February - Chinese hackers take a decentralized approach to stealing U.S. secrets. Mandiant tracks 20 different hacking groups, which range in size from dozens of hackers to thousands. The groups may have specialties or receive specific instructions on what to target from China's Ministry of State Secrecy, but they can be in competition with each other. "We have seen cases where they are six or seven independently operating groups inside a single target," said Bejtlich.