For years, China seemed to operate at the quieter end of the state-sponsored hacking spectrum. While Russia and North Korea carried out hack-and-leak operations, launched massively disruptive cyberattacks, and blurred the line between cybercriminals and intelligence agencies, China quietly focused on more traditional—if prolific—espionage and intellectual property theft. But a collective message today from dozens of countries calls out a shift in China’s online behavior—and how its primary cyber-intelligence agency’s trail of chaos increasingly rivals that of the Kim Regime or the Kremlin.
On Monday, the White House joined the UK government, the EU, NATO, and governments from Japan to Norway in announcements that spotlighted a string of Chinese hacking operations, and the US Department of Justice separately indicted four Chinese hackers, three of whom are believed to be officers of China’s Ministry of State Security or MSS. The White House statement casts blame specifically on China’s MSS for a mass-hacking campaign that used a vulnerability in Microsoft’s Exchange Server software to compromise thousands of organizations around the world. It also rebukes China’s MSS for partnering with contract organizations that engaged in for-profit cybercrime, turning a blind eye to or even condoning extracurricular activities like infecting victims with ransomware, using victim machines for cryptocurrency mining, and financial theft. “The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” the statement reads.
That long list of digital sins represents a significant shift in Chinese hackers’ modus operandi, much of which China watchers say can be traced back to the country’s 2015 reorganization of its cyber operations. That’s when it transferred much of the control from the People’s Liberation Army to the MSS, a state security service that has over time become more aggressive both in its hacking ambitions and in its willingness to outsource to criminals.
“They go bigger. The number of hacks went down but the scale went up,” says Adam Segal, the director of the Digital and Cyberspace Policy program at the Council on Foreign Relations, who has long focused on China’s hacking activities. That’s in no small part because the non-government hackers that the MSS works with don’t necessarily obey the norms of state-sponsored hacking. “There does seem to be kind of greater tolerance of irresponsibility,” Segal says.
The MSS has always preferred using intermediaries, front companies, and contractors to its own hands-on operations, says Priscilla Moriuchi, a non-resident Fellow at Harvard’s Belfer Center for Science and International Affairs. “This model in both HUMINT and cyber operations allows the MSS to maintain plausible deniability and create networks of recruited individuals & organizations that can bear the brunt of the blame when caught,” says Moriuchi, using the term HUMINT to mean the human, non-cyber side of spying operations. “These organizations can be quickly burned and new ones established as necessary.”
While those contractors offer the Chinese government a layer of deniability and efficiency, though, they also lead to less control of operators, and less assurance that the hackers won’t use their privileges to enrich themselves on the side—or the MSS officers who dole out the contracts. “In light of this model, it is not surprising to me at all that MSS-attributed cyber operations groups are also conducting cybercrime,” Moriuchi adds.
The White House statement as a whole points to a broad, messy and in some cases unrelated collection of Chinese hacking activity. It was accompanied by a separate indictment of four MSS-affiliated hackers, three of whom were MSS officers, all accused of a broad range of intrusions targeting industries around the world from health care to aviation.
But more unusual than the data theft outlined in that indictment was the mass-hacking called out in Monday’s announcement, in which a group known as Hafnium—now linked by the White House to China’s MSS—broke into no fewer than 30,000 Exchange Servers around the world. The hackers also left behind so-called “web shells,” allowing them to regain access to those servers at will but also introducing the risk that other hackers might discover those backdoors and exploit them for their own purposes. That element of the hacking campaign was “untargeted, reckless, and extremely dangerous,” wrote former Crowdstrike CTO and founder of Silverado Policy Accelerator Dmitri Alperovitch, along with researcher Ian Ward, in a March blog post. At least one ransomware group appeared to try to piggyback off of Hafnium’s campaign soon after it was exposed.
There’s no clear evidence that the MSS’s Hafnium hackers themselves deployed ransomware or cryptocurrency mining software on any of those tens of thousands of networks, according to Ben Read, the director of cyber-espionage analysis at incident response and threat intelligence firm Mandiant. Instead, the White House’s criticism of China’s government for blurring cybercrime and cyberspying seems to be related to other, years-long hacking campaigns that more clearly crossed that line. In September of last year, for instance, the DOJ indicted five Chinese men who worked for an MSS contractor known as Chengdu 404 Network Technology—known in the cybersecurity industry by the name Barium before they were identified—all of whom stand accused of hacking dozens of companies around the world in a collection of operations that seemed to liberally mix espionage with for-profit cybercrime.
The Russian hackers who breached SolarWinds IT management software to compromise a slew of United States government agencies and businesses are back in the limelight. Microsoft said on Thursday that the same “Nobelium” spy group has built out an aggressive phishing campaign since January of this year and ramped it up significantly this week, targeting roughly 3,000 individuals at more than 150 organizations in 24 countries.
The revelation caused a stir, highlighting as it did Russia’s ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.
“I don’t think it’s an escalation, I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred and I don’t think they’re likely to be deterred.”
Russia’s latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia’s SVR foreign intelligence agency, could send out specially crafted spearphishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.
While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft corporate vice president for customer security and trust Tom Burt wrote in a blog post on Thursday that the company views the activity as “sophisticated,” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week’s targeting.
“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.
But the tactics in this latest phishing campaign also reflect Nobelium’s general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It’s a spy agency; this is what it does as a matter of course.
“If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”
As Microsoft points out, there’s also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.
“NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years.”
Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it’s likely that Nobelium still haunts at least some of the systems it compromised during that effort.
“I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”
Which is just the reality of digital espionage. It doesn’t stop and start based on public shaming. Nobelium’s activity is certainly unwelcome, but it doesn’t in itself portend some great escalation.
Hacking didn’t need to be confined to some tactic on the periphery of war: Cyberattacks could themselves be a weapon of war. It was perhaps that definition of cyberwar that President Bill Clinton had in mind in 2001 when he warned in a speech that “today, our critical systems, from power structures to air traffic control, are connected and run by computers” and that “someone can sit at the same computer, hack into a computer system, and potentially paralyze a company, a city, or a government.”
Since then, that definition for cyberwar has been honed into one that was perhaps most clearly laid out in the 2010 book Cyber War, cowritten by Richard Clarke, a national security advisor to Presidents Bush, Clinton, and Bush, and Robert Knake, who would later serve as a cybersecurity advisor to President Obama. Clarke and Knake defined cyberwar as “actions by a nation-state to penetrate another nation’s computers or networks for the purpose of causing damage or disruption.” Put more simply, that definition roughly encompasses the same things we’ve always identified as “acts of war,” only now carried out by digital means. But as the world was learning by the time Clarke and Knake wrote that definition, digital attacks have the potential to reach out beyond mere computers to have real, physical consequences.
The first major historical event that could credibly fit Clarke and Knake’s definition—what some have dubbed “Web War I”—had arrived just a few years earlier. It hit one of the world’s most wired countries: Estonia.
In the spring of 2007, an unprecedented series of so-called distributed denial of service, or DDoS, attacks slammed more than a hundred Estonian websites, taking down the country’s online banking, digital news media, government sites, and practically anything else that had a web presence. The attacks were a response to the Estonian government’s decision to move a Soviet-era statue out of a central location in the capital city of Tallinn, angering the country’s Russian-speaking minority and triggering protests on the city’s streets and the web.
As the sustained cyberattacks wore on for weeks, however, it became clear that they were no mere cyberriots: The attacks were coming from botnets—collections of PCs around the world hijacked with malware—that belonged to organized Russian cybercriminal groups. Some of the attacks’ sources even overlapped with earlier DDoS attacks that had a clear political focus, including attacks that hit the website of Garry Kasparov, the Russian chess champion and opposition political leader. Today security analysts widely believe that the attacks were condoned by the Kremlin, if not actively coordinated by its leaders.
By the next year, that Russian government link to politically motivated cyberattacks was becoming more apparent. Another, very similar series of DDoS attacks struck dozens of websites in another Russian neighbor, Georgia. This time they accompanied an actual physical invasion—a Russian intervention to “protect” Russia-friendly separatists within Georgia’s borders—complete with tanks rolling toward the Georgian capital and a Russian fleet blockading the country’s coastline on the Black Sea. In some cases, digital attacks would hit web targets associated with specific towns just ahead of military forces’ arrival, another suggestion of coordination.
The 2008 Georgian war was perhaps the first real hybrid war in which conventional military and hacker forces were combined. But given Georgia’s low rate of internet adoption—about 7 percent of Georgians used the internet at the time—and Russia’s relatively simplistic cyberattacks, which merely tore down and defaced websites, it stands as more of a historic harbinger of cyberwar than the real thing.
The world’s conception of cyberwar changed forever in 2010. It started when VirusBlokAda, a security firm in Belarus, found a mysterious piece of malware that crashed the computers running its antivirus software. By September of that year, the security research community had come to the shocking conclusion that the specimen of malware, dubbed Stuxnet, was in fact the most sophisticated piece of code ever engineered for a cyberattack, and that it was specifically designed to destroy the centrifuges used in Iran’s nuclear enrichment facilities. (That detective work is best captured in Kim Zetter’s definitive book Countdown to Zero Day.) It would be nearly two more years before The New York Times confirmed that Stuxnet was a creation of the NSA and Israeli intelligence, intended to hamstring Iran’s attempts to build a nuclear bomb.
Over the course of 2009 and 2010, Stuxnet had destroyed more than a thousand of the six-and-a-half-foot-tall aluminum centrifuges installed in Iran’s underground nuclear enrichment facility in Natanz, throwing the facility into confusion and chaos. After spreading through the Iranians’ network, it had injected commands into the so-called programmable logic controllers, or PLCs, that governed the centrifuges, speeding them up or manipulating the pressure inside them until they tore themselves apart. Stuxnet would come to be recognized as the first cyberattack ever designed to directly damage physical equipment, and an act of cyberwar that has yet to be replicated in its virtuosic destructive effects. It would also serve as the starting pistol shot for the global cyber arms race that followed.
Iran soon entered that arms race, this time as aggressor rather than target. In August of 2012, the Saudi Arabian firm Saudi Aramco, one of the world’s largest oil producers, was hit with a piece of malware known as Shamoon that wiped 35,000 of the company’s computers—about three-quarters of them—leaving its operations essentially paralyzed. On the screens of the crippled machines, the malware left an image of a burning American flag. A group calling itself “Cutting Sword of Justice” claimed credit for the attack as an activist statement, but cybersecurity analysts quickly suspected that Iran was ultimately responsible, and had used the Saudis as a proxy target in retaliation for Stuxnet.