Recently leaked Chinese hacking tools demonstrate how extensively the Chinese government uses its network of contractors to extend the reach of its computer intrusion campaigns, and how fragile that emerging arrangement is.
The new revelations highlight the extent to which China has ignored or evaded U.S. efforts to curb its large-scale hacking operations for more than a decade. Instead, China has built up the cyber operations of its intelligence agencies and a web of nominally independent companies to do that work.
Last weekend, FBI Director Christopher A. Wray said in Munich that hacking operations from China were directed at the United States on a “scale never seen before.” At a recent congressional hearing, Wray said that China's hacking program is larger than that of “all the major countries combined.”
“In fact, even if we assembled all of the FBI's cyber agents and intelligence analysts to focus solely on the Chinese threat, Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1,” he said.
U.S. officials said China quickly built up that numerical advantage through contracts with companies like I-Soon, whose internal documents and hacking tools were stolen and posted online last week.
According to the documents, I-Soon's wide-ranging operations included targets in South Korea, Taiwan, Hong Kong, Malaysia and India.
But the documents also show that I-Soon was in financial trouble and used ransomware attacks to raise money when the Chinese government cut funding.
U.S. officials say this points to a serious weakness in the Chinese system. China's economic problems and rampant corruption often siphon off funds meant for contractors. Because the contractors are strapped for cash, they have turned to criminal sidelines such as ransomware, which makes them targets for retaliation and exposes the rest of the operation.
The U.S. government and private cybersecurity companies have tracked Chinese espionage and data-theft malware for years, and dealing with it has become almost routine, experts say. Far more worrying are the Chinese intrusions that threaten critical infrastructure.
Those intrusions, attributed to the Chinese group tracked as “Volt Typhoon,” set off alarms throughout the U.S. government. Unlike the tooling in the I-Soon leak, these operations largely avoid malware and instead rely on stolen credentials and the targeted networks' own legitimate tools to gain and keep covert access to sensitive systems.
Intelligence officials believe the intrusions were intended to send a message that China could disrupt power and water supplies or communications at any time. Some of the activity was detected on civilian networks serving U.S. military bases, particularly bases that would be involved in a rapid response to an attack on Taiwan.
But while China is pouring resources into the Volt Typhoon effort, it also continues to work on more mundane malware, using its intelligence agencies and their associated contractors to expand its espionage operations.
I-Soon's most direct ties are to China's Ministry of Public Security, which has traditionally focused on domestic political threats rather than international espionage. But the documents also show links to the Ministry of State Security, which collects intelligence both inside and outside China.
Jon Condra, a threat intelligence analyst at the security firm Recorded Future, said I-Soon was also connected to Chinese state-sponsored cyber threat activity.
“This represents the most significant data breach involving a company suspected of providing cyber espionage and targeted intrusion services to Chinese security agencies,” Condra said. “Leaked materials indicate that I-Soon is likely a private contractor working on behalf of Chinese intelligence services.”
U.S. efforts to curb Chinese hacking date back to the Obama administration, when it became clear that the People's Liberation Army's Unit 61398 was infiltrating large swaths of U.S. industry to steal secrets for Chinese competitors. To China's outrage, PLA officers were indicted in the United States and their photos appeared on Justice Department “wanted” posters. No one was ever brought to trial.
China then carried out the most audacious theft of U.S. government data to date, stealing more than 22 million security clearance files from the Office of Personnel Management. The hackers went undetected for more than a year, and the information they gathered gave Beijing a deep understanding of who was working on what inside the U.S. government, along with the financial, health and relationship problems those people faced. In the end, the CIA was forced to withdraw personnel who had been scheduled to be posted to China.
The result was a 2015 agreement between President Xi Jinping and President Barack Obama aimed at curbing hacking, announced to great fanfare in the White House Rose Garden.
But within two years, China had begun building its network of hacking contractors, a tactic that gave its security agencies a degree of deniability.
Mr. Wray said in an interview last year that China has expanded its espionage resources so much that it no longer needs to be “picky and picky” about its targets.
“They're targeting everything,” he said.