Chinese hacking tools made public in recent days illustrate the extent to which Beijing has expanded the scope of its cyber infiltration campaigns by using a network of contractors, as well as the vulnerabilities of that emerging system.
The new revelations underscore the extent to which China has ignored or evaded American efforts for more than a decade to curb its extensive hacking operations. Instead, China has built up the cyber operations of its intelligence services and developed a web of independent companies to do the job.
Last weekend in Munich, Christopher A. Wray, director of the FBI, said that hacking operations from China were now directed against the United States on “a larger scale than we had seen before.” And at a recent congressional hearing, Wray said China's hacking program was larger than that of “all major nations combined.”
“In fact, if you took every single FBI cyber agent and intelligence analyst and focused them exclusively on the China threat, China hackers would still outnumber FBI cyber personnel by at least 50 to one,” he said.
U.S. officials said China had quickly built up that numerical advantage through contracts with companies like I-Soon, whose documents and hacking tools were stolen and placed online last week.
The documents showed that I-Soon's extensive activities involved targets in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere.
But the documents also showed that I-Soon was having financial difficulties and that it used ransomware attacks to raise money when the Chinese government cut funding.
U.S. officials say this shows a critical weakness in the Chinese system. China's economic problems and rampant corruption often mean that money intended for contractors is diverted. Short of cash, contractors have stepped up their illegal activity, hacking for hire and ransomware, making them targets for retaliation and exposing other problems.
The U.S. government and private cybersecurity companies have long tracked Chinese espionage and malware threats aimed at stealing information, which have become almost routine, experts say. Much more worrying, however, have been Chinese cyber-hacking efforts that threaten critical infrastructure.
The intrusions, called Volt Typhoon after the name of a Chinese hacking network that has penetrated critical infrastructure, set off alarms throughout the U.S. government. Unlike the I-Soon hacks, those operations have avoided using malware and instead used stolen credentials to stealthily access critical networks.
Intelligence officials believe the intrusions were intended to send a message: that at any moment China could disrupt electricity and water supplies, or communications. Some of the operations have been detected near U.S. military bases that rely on civilian infrastructure, especially bases that would be involved in any rapid response to an attack on Taiwan.
But even as China poured resources into the Volt Typhoon effort, its work on more routine malware efforts has continued. China used its intelligence services and contractors linked to them to expand its espionage activity.
I-Soon is most directly linked to China's Ministry of Public Security, which has traditionally focused on domestic political threats, not international espionage. But the documents also show it has ties to the Ministry of State Security, which collects intelligence both inside and outside China.
Jon Condra, a threat intelligence analyst at Recorded Future, a security firm, said I-Soon had also been linked to Chinese state-sponsored cyber threats.
“This represents the largest data breach involving a company suspected of providing cyber espionage and targeted intrusion services to Chinese security services,” Condra said. “Leaked material indicates that I-Soon is likely a private contractor operating on behalf of Chinese intelligence services.”
The United States' effort to curb Chinese hacking dates back to the Obama administration, when it was revealed that Unit 61398 of the People's Liberation Army, the Chinese military, was behind intrusions into a wide swath of American industry, seeking to steal secrets for Chinese competitors. To China's outrage, PLA officers were indicted in the United States and their photographs appeared on the Justice Department's wanted posters. None have ever been tried.
China then carried out one of the most audacious thefts of U.S. government data: it stole more than 22 million security clearance files from the Office of Personnel Management. Its hackers went undetected for more than a year, and the information they obtained gave them a deep understanding of who worked on what within the U.S. government and what financial, health or relationship problems those people faced. In the end, the CIA had to withdraw officers who had been planning to enter China.
The result was a 2015 agreement between President Xi Jinping and President Barack Obama aimed at curbing computer hacking, announced with fanfare in the White House Rose Garden.
But within two years, China had begun developing a network of hacking contractors, a tactic that gave its security agencies some deniability.
In an interview last year, Wray said China had increased its espionage resources so much that it no longer had to “cherry-pick” its targets much.
“They're chasing everything,” he said.