It contained a link to access a shared document relating to a project the staffer was working on. Once clicked, they were asked for their login details, which they provided — just one of dozens of times a day they had to type them out.
The moment the staffer pressed Enter, a notification was triggered on the other side of the world. A cascading series of actions then kicked into gear, which would eventually compromise the staffer’s entire computer network and expose huge quantities of sensitive documents and information.
Sensitive cables from that network were released by Area 1 — a cybersecurity firm founded by former US National Security Agency employees — including communications that revealed deep concerns within the EU about the Trump administration’s negotiations with China, Russian relations with Western Europe and Iran’s nuclear program.
In a statement Friday, China’s Ministry of Foreign Affairs reacted forcefully to what it described as “groundless accusations,” saying the US had “fabricated facts out of thin air” and “seriously violated the basic norms of international relations and severely harmed bilateral cooperation.”
US President Barack Obama and Chinese President Xi Jinping stood side by side, facing a gaggle of reporters in the White House’s Rose Garden.
It was September 2015. After months of escalating tensions and accusations, the two leaders announced that they had reached a “common understanding” on cyber espionage and security.
“We’ve agreed that neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage,” Obama said.
Xi added that both governments would “not be engaged in or knowingly support online theft of intellectual properties,” and would “establish a high-level joint dialogue mechanism on the fight against cybercrimes and related issues.”
The announcement was seen as a major diplomatic win for Obama, coming after escalating tensions between the US and China over cyber espionage.
Nevertheless, while the Obama-Xi deal was limited and full of compromises, it still served as a much-needed reset just as tensions were threatening to boil over.
A report this year from the US government’s National Counterintelligence and Security Center said that China “continues to use cyber espionage to support its strategic development goals — science and technology advancement, military modernization, and economic policy objectives.”
“The Intelligence Community and private sector security experts continue to identify ongoing Chinese cyber activity, although at lower volumes than existed before (the 2015 deal),” it added.
On Thursday, the US Department of Justice indicted two Chinese nationals — Zhu Hua and Zhang Shilong — it said were members of a hacking group operating in China known within the cybersecurity community as Advanced Persistent Threat 10 (APT10). Contrary to the original rosy assessments of the deal, the DOJ claims that Zhu and Zhang began their operations in 2014 and continued through 2018.
“The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information,” Deputy Attorney General Rod Rosenstein said. “This is outright cheating and theft, and it gives China an unfair advantage at the expense of law-abiding businesses and countries that follow the international rules in return for the privilege of participating in the global economic system.”
Back to normal
As tensions rise once again — amid an ongoing US-China trade war and a diplomatic tussle over the detention of Huawei CFO Meng Wanzhou — the broad outlines of Beijing’s capabilities and motivations are fairly well known. What remains unclear are Washington’s.
In the statement Friday, China’s Ministry of Foreign Affairs said it was an “open secret that relevant US government agencies have long engaged in large-scale and organized cyber theft and surveillance against foreign governments, companies and individuals.”
“The ‘cyber theft’ accusations against China by the US are purely groundless counter-charges and can deceive no one but itself. China will never accept such charges,” the statement added.
China has long insisted it is also a victim of cyber attacks, but it does not usually go public about incidents like the US does. Nor do Chinese companies routinely reveal breaches or accuse other countries of carrying out campaigns against them.
The US vociferously objects to any allegation it carries out cyber attacks for commercial or trade purposes, as China has been accused of doing.
What is undeniable is that the US has an advanced cyber operation carrying out traditional espionage, defensive and even offensive actions. Many observers suggested at the time of the Obama-Xi deal that it was confined to commercial issues precisely because the White House did not want to limit its own intelligence-gathering capabilities.
And while the targets of Washington’s cyber warriors may be different to Beijing’s, their techniques are likely to be similar — especially when it comes to intelligence gathering.
Both the Area 1 report and the latest DOJ indictments show that for well-resourced hackers like those working for state-sponsored groups, cyber espionage can sometimes be absurdly simple.
While the campaign described in the recent DOJ indictments is more sophisticated, the method used to break into the European Union communication network relied far more on human engineering — and human sloppiness — than ultra-sophisticated software.
In both cases the potential for damage, and the amount of information the attackers were able to acquire, was huge.
Area 1 documented a coordinated phishing campaign against dozens of government agencies, think tanks, NGOs and trades unions. Phishing, the report’s authors said, remains the number one way for attackers to breach a network, used in nine out of 10 incidents.
It is also one of the hardest tactics to guard against, relying more on human engineering rather than coding. In a phishing attack, a target receives an email which appears to be trustworthy, encouraging them to click on a link or open a file.
The genius of a well-run phishing campaign is how the attackers can work their way up an organization. Rather than going straight after the ultimate target — such as an employee with access to sensitive data, who may be more on guard — the hackers look for the weak links. Once they have compromised one account, even if it provides no information, it can be used to launch new phishing attacks from directly within the company’s network.
Few people who work within a big corporate network question links and attachments sent from a trusted colleague. Even if employees are suspicious, if their colleague’s account is thoroughly compromised the attacker will have access to emails and instant messages they can use to make their phishing attack as realistic-looking as possible.
“Very little about cyber attacks is cutting-edge computer science,” wrote the authors of the Area 1 report. “Cyber actors continually use their imagination to find the weakest links in the digital chain, breaching their intended targets through open side doors instead of breaking the locks down on the front door.”
Increasingly, those side doors don’t even belong to the targeted company. According to the DOJ release, APT10 targeted managed service providers (MSPs), “companies that remotely manage the information technology infrastructure of businesses and governments around the world.”
Once the hackers had broken into an MSP, they were able to access the data of numerous companies and government bureaus at once. In once instance, the hackers “obtained unauthorized access to the computers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP and certain … clients involved in banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining.”
How to stop such attacks remains unclear. State-sponsored groups have potentially unlimited resources — not only unknown computer exploits which cannot be guarded against, but also the time and patience to constantly probe companies and government entities for weaknesses.
“Because the cybersecurity doom narrative has become so embellished, we’ve lost our nerve to take action to prevent future damages,” the Area 1 report said. “Our democracy remains susceptible to cybersecurity attacks; our computing infrastructure is permeated with deep vulnerabilities; major corporations entrusted with the safeguarding of information continue to be compromised; and we as individuals have adopted a laissez-faire attitude towards the whole thing.”