Despite what the US alleges against China, would any government spy agency be so stupid as to combine extortion for profit with spy activities?
The US Justice Department’s indictment of two alleged Chinese hackers, Li Xiaoyu and Dong Jiazhi, provides an extraordinarily wide-ranging list of companies and activities said to have been targeted by the hackers around the world.
The two are charged with offences including conspiracy to damage computers, conspiracy to commit theft of trade secrets, conspiracy to commit wire fraud and aggravated identity theft.
Unsealing the charges, US Assistant Attorney General John C. Demers fuelled a Chinese spy conspiracy story, saying that the two hackers had worked with the Chinese Ministry of State Security (MSS), including the Guangdong State Security Department (GSSD), to engage in a sweeping global computer intrusion campaign.
But the victims are not all security related entities, defence contractors or sensitive operations.
Far from it. A Swedish gaming company is said to have had 169 gigabytes of data concerning codes for its products, keys and certificates, user names and passwords stolen. Another gaming company, this time Lithuanian, had 38 gigabytes of data concerning programming data, Java files and encoding files stolen. And a third from California, together with a subsidiary of a Japanese company, had the source code for one of their games stolen.
It seems that the Chinese are excessively interested in the games we play.
Other non-defence related targets include a US educational software company, a US medical device company, a Californian pharmaceutical company researching treatment for a common chronic disease, and biotech and other firms researching Covid-19 vaccines, treatments and testing technologies.
Two Australian companies, a defence contractor and a solar energy engineering concern, were allegedly hacked. The hackers are accused of stealing 320 gigabytes of documents from the defence contractor, including source code for products and technical manuals. The solar energy company is said to have had its network compromised.
The indictment says the defendants stole hundreds of millions of dollars’ worth of trade secrets and at least once returned to a victim from which they had stolen valuable source code to attempt extortion.
But the indictment claims the hackers, Li and Dong, did not just hack for themselves. “While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest [my emphasis] to the PRC Government’s Ministry of State Security…”
Information might be of interest to the Chinese government, but does that mean that a Chinese intelligence agency was actually involved in the crime?
We are continually told that we are being targeted by sophisticated foreign “state-based” hackers. When making such statements Prime Minister Scott Morrison has not publicly named the state, leaving others to identify the culprit (read China) for him.
But if it’s a sophisticated operation, why is it possible to track it back? Surely a sophisticated operation would be hard to track?
Take this Li and Dong operation as a case study. Would any government spy agency be so stupid as to combine extortion for profit with spy activities? Not as a matter of policy you would think. Payment gives any counter-hacking agency another avenue to track and find the criminals. (But then again CIA operations in South East Asia in the sixties were the prime conduit for criminal drug-running operations.)
Maybe the Chinese aren’t so sophisticated after all: they’ve foolishly employed run-of-the-mill cyber criminals Li and Dong as cyber espionage agents.
Or could it be that like so many cyber criminals, Li and Dong cast their net everywhere and anywhere?
By classifying the operation as a spying conspiracy, the US authorities have of course lessened the chances of any Chinese co-operation in prosecuting the case and improved Li and Dong’s chances of acquittal.
There are a number of other questions raised by the indictment. Most striking is that these activities are said to have been running since 2009.
How long have the agencies known about the hacking? Why did they take so long to take action? Were they incompetent? And why are so many of these companies so vulnerable?
Some insight into this comes from a CIA taskforce internal investigation into the 2016 theft of top-secret computer hacking tools from no less than the CIA itself.
The Washington Post reported on 16 June that the tools were stolen from the CIA as a result of a workplace culture in which the agency’s elite computer hacking researchers “prioritized building cyber weapons at the expense of securing their own systems.”
The breach — allegedly committed by a CIA employee — was discovered a year after it happened, when the information was published by WikiLeaks in March 2017. Security procedures were “woefully lax” within the special unit that designed and built the tools, the taskforce report said. Without the WikiLeaks disclosure, the CIA might never have known the tools had been stolen, according to the report. “Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the taskforce concluded.
If the CIA’s elite computer hacking unit cannot secure its own work, is it any surprise that companies around the world fail to secure their secrets?
One further point. The media has made much of the claim that Li and Dong hacked into operations researching Covid-19. No doubt there is a race around the world to be the first to come up with an effective vaccine, but hopefully those doing the research are freely exchanging as much useful information as they can. And hopefully all companies or government research establishments that come up with a vaccine or treatment will make it freely available as a generic product with little or no proprietary charges.