China military

It would be even more surprising if the PLA did not resort to cyberspying

As the inventor of information warfare, the US should not be at all surprised that other nations - including China - are following suit

PUBLISHED : Sunday, 03 March, 2013, 12:00am
UPDATED : Sunday, 03 March, 2013, 2:13am

An investigative report released recently by Mandiant, a US IT security firm, predictably sparked controversy by pinning the blame for a series of cyberattacks on US companies on Shanghai-based Unit 61398 of the People's Liberation Army.

Some critics, such as the Post's popular columnist Alex Lo, have expressed incredulity that such professional cyberwarriors would leave the kind of digital fingerprints that will allow them to be traced back to Shanghai. And isn't it hypocritical for the US to get worked up about these attacks when they have been invading and attacking others for years? Lo also points out that Mandiant's report was not peer-reviewed. Let's deal with these points one by one.

In fact, PLA hackers did successfully cover their tracks in many cases. The report by Mandiant details how hackers successfully destroyed evidence of their crimes, routinely deleting archives of files which they compressed before downloading them from compromised computers. Thus it was often impossible to tell what they had stolen.

But a large group of hackers cannot hide industrial-scale hacking indefinitely. They spoofed their IP addresses and covered their tracks, but hacking and computer security is an evolving cat-and-mouse game in which it's inevitable that both sides will make mistakes.

The initial advantage is with the attackers, as the internet favours anonymity - and the rise of mobile computing and premature software releases constantly creates new attack opportunities. Governments and commercial security policies usually lag behind.

Unit 61398 has fluent English speakers who write phishing e-mails to unsuspecting targets with virus-loaded attachments. China's pool of such talent is much larger than America's supply of Mandarin speakers.

But web servers and FTP servers record internet traffic in log files, and spoofed IP addresses can be detected in a number of ways. Once the attackers slip up, leaving clues to their identity, computer security experts can begin to observe the group, recording their activities.

Investigators are aided by the fact that in any large organisation, there are always careless, cocky individuals, like the hacker in this case with the moniker "ugly gorilla" who proudly signed his malware with this name, and also used it to register for webmail accounts used to send bogus phishing e-mails.

It was only by observing unit 61398 and collecting supporting evidence over several years that Mandiant was able to draw firm conclusions. Despite intensive efforts by mainland authorities to scrub the Chinese internet of all traces of PLA unit 61398, Mandiant was able to find references to 61398 in several places, including an ad for a company installing flooring for offices with sensitive electronic equipment, listing unit 61398 as a customer.

PLA hackers are not stupid; after all, they have been getting away with this for at least five years. They have certainly destroyed lots of evidence and escaped time and time again by covering their tracks. It has taken that long to build up a convincing case.

Although not peer-reviewed in the academic sense, Mandiant builds on existing research by academic and commercial computer security researchers. "Shadows in the Cloud", a 2010 report on Chinese hacking of foreign governments and Tibetan exiles compiled by the quasi-academic Information Warfare Monitor group in Canada, correlates with the Mandiant report.

Other studies note the tendency of a hacker group to leave comments in the HTML of webpages on sites they had infiltrated, leading to their nickname "the comment crew" in information security circles.

Mandiant's contribution has been to pinpoint the group's location and find corroborating evidence linking PLA unit 61398 to this location and a series of hacking cases.

Although convincing in its technical analysis, the report contains errors that suggest Mandiant knows more about IT security than they do about China. For example, they were unable to translate Chinese handwriting on a crucial document, and they listed the northern province of Hebei as a "district of Shanghai".

The People's Liberation Army began life as a guerilla force of the Chinese Communist Party, fighting an asymmetrical war against a better funded and equipped enemy.

As the civil war drew to a close, the Nationalist KMT forces continued to receive vast amounts of US arms and other support, yet the PLA still won, due in large part to superior intelligence from its own agents planted within the KMT.

The KMT is still holding out on Taiwan, with the support of the US, and the PLA is still the armed wing of the Chinese Communist Party, which sees the US as interfering in an unfinished civil war.

It seems to view all US companies as legitimate targets, and the strengthening of the Chinese economy and the PLA-Party-State as one and the same in its attempt to challenge US hegemony.

Cyberwarfare is a method of shifting the balance of military power in its favour, and it would be surprising if the mainland did not maximise its use in the way which Mandiant has described. The US invented cyberwarfare, the internet, and the software and hardware tools which are now being used against it.

Only now is the US beginning to get its comeuppance.

Stephen Thompson is a Hong Kong-based journalist and IT consultant.