A coalition of cyber security companies said Tuesday that a Chinese cyber-espionage syndicate is responsible for planting malicious software (malware) on computers owned by Western government agencies, private companies and human rights groups over the past six years, including the high-profile 2010 Aurora attack on Google.
The Axiom hacking group is believed to have ties to the Chinese government and be the most sophisticated cyber-espionage operation emanating from China, the coalition, which includes tech giants Microsoft and Cisco, said in a report.
“This is a great example of the capabilities of a well-funded adversary,” said Morgan Marquis-Boire, a senior researcher at the University of Toronto’s Citizen Lab, who worked at Google during the Aurora attack. “You see what is clearly a very professional group of people who are changing their tools, using sophisticated attacks, and being highly successful against a range of targets.”
The report comes as Secretary of State John Kerry and President Barack Obama prepare for successive visits to China over the next fortnight. It is expected they will broach the burgeoning cyber conflict between the U.S. and China. In recent years, the Obama Administration has made a point of calling out China on its alleged cyber spying, which includes the theft of U.S. trade secrets as well as a crackdown on political dissidents and journalists within the country, with Axiom playing a role.
U.S.-China tension was touched off in part by the Aurora attack, in which hackers who were believed to be based in China infiltrated Gmail servers to target Chinese dissidents. Google pointed the finger directly at the Chinese government, a claim that is supported by Tuesday's report. Beijing has denied all such accusations.
A spokesman for the Chinese embassy in Washington, Geng Shuang, said in an email Tuesday that while he had not read the coalition’s report, “judging from past experience, [these kinds] of reports or allegations are usually fictitious.”
He also pointed to the National Security Agency’s extensive surveillance of both U.S. citizens and foreign governments – China included – as revealed by former intelligence contractor Edward Snowden in a series of leaks. "The Chinese government has done whatever it can to combat such activities,” Geng said. “And China is a victim of these kinds of attacks, according to the Snowden revelations.”
Novetta, a Virginia-based cyber-security firm, spearheads the U.S. coalition, which includes several companies that do contract work for both private industry and U.S. intelligence agencies. The coalition launched the project, called the “Coordinated Malware Eradication” program, after Microsoft called in January for private companies to join resources to better detect and combat malware threats. As competitors, the firms had been previously reluctant to collaborate.
The coalition found that over the past six years Axiom’s “Hikit” malware, which opens a backdoor through which the hackers can probe compromised systems, has infected government agencies, human rights NGOs, media outlets, cloud computing companies, U.S. universities and think tanks. Axiom’s hackers have distinguished themselves by remaining remarkably well disguised, the report said. That, in part, is why they have operated “unfettered” for so long.
“Normally the process would be to set up infrastructure on the Internet somewhere and leverage that,” said Andre Ludwig, the senior technical director for Novetta. “These guys will know who you are, who you’re friends with, who you talk with,” and compromise one of those channels.
Whereas an organization’s security team would normally be tipped off by an unusual interaction with a server in Pakistan, for instance, it is less likely to be alarmed by contact with a friend's infected computer.
“It’s not your typical cybercrime drive-by attacks,” Ludwig said. “They’re definitely playing the long game.”
Researchers say they have no way of knowing how much information has been compromised, but they have inferred that Axiom's targets seem to reflect China’s shifting global priorities. They suggested that Beijing is interested in pilfering trade secrets from U.S. tech companies and government agencies to wean China off American technology and software – a priority underlined in Beijing’s latest Five Year Plan of 2011 – as its rivalry with the U.S. heats up.
In its report, the cyber-security coalition said that stealing this technology from Western companies, especially those based in China, would be the “fastest” way to further their goals. “If you have a big enough scope of visibility, you can start to see these narratives emerge,” said Ludwig.
Security analysts said the Novetta-led coalition demonstrated how private security firms could better share intelligence with the rest of the industry, pooling their expertise against adversaries who employ the full range of cutting-edge cyber-espionage tactics. Most significantly, the researchers have created so-called signatures, which allow companies to detect known malware, and shared them with the cyber security industry instead of keeping them secret.
But while coordination between these companies is improving, experts say protecting U.S. assets against foreign hackers is not a war that can ever be won.
“I would expect this activity will never stop,” said Ludwig. “As security gets better and better at mitigating these tactics, the actors will evolve as well. So it’s very much a cat-and-mouse game. It always has been.”