Are US and Chinese Cyber Intrusions So Different?


At the Shangri-La Dialogue in Singapore in June of this year, Defense Secretary Chuck Hagel voiced concern about “the growing threat of cyber intrusions, some of which appear to be tied to the Chinese government and military.” Indeed, earlier this year the long-suspected role of the People’s Liberation Army in cyber espionage was documented in detail by Mandiant, a U.S. security firm. Intrusions using the same tactics now appear to be aimed at the defense and aerospace industries. Similarly, the Chinese hackers who breached the New York Times computer network last year appear to be mounting new intrusions with updated malware. Asked about its connection to the attack on the Times, the Ministry of National Defense replied that accusing “the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless.”

The issue is whether such accusations of Chinese cyber intrusions, which Beijing considers unsubstantiated, are disingenuous because of charges the United States also has conducted cyber activities of its own, such as Stuxnet. President Barack Obama recently dampened European indignation over revelations alleging U.S. spying, based on leaks by Edward Snowden, saying “all nations . . . collect intelligence on each other.” Given that espionage has existed as long as the nation-state, are U.S. and Chinese cyber intrusions really all that different? The Coordinator for Cyber Issues at the State Department has indicated that there is a distinction when cyber intrusions access information for commercial purposes, adding “that’s something that the [United States] doesn’t do.”

What the U.S. has undertaken in this area started when President Barack Obama, continuing a program begun under President George W. Bush, ordered the Stuxnet attack on Iran under the program code-named Olympic Games. This advanced persistent threat was discovered in June 2010; it spread through Windows computers by exploiting several previously unknown zero-day vulnerabilities and targeted the Siemens industrial control systems used in Iran’s nuclear program. Stuxnet manipulates the frequency converter drives that set centrifuge motor speed, driving them outside their normal operating range in order to damage the centrifuges. It likely put 25 percent of the centrifuges at Natanz out of action in the second half of 2009. The Iranian Minister of Defense Ahmad Vahidi called the incident computer terrorism by dominant powers. This cutting-edge Stuxnet malware was subsequently connected in some fashion with three discoveries:

—The Flame virus, discovered in May 2012, had infiltrated thousands of computers in Iran and neighboring countries, logging keystrokes, sifting through emails and text messages, capturing screenshots, and recording audio from the microphone. Infected computers also scanned and queried nearby Bluetooth devices to build social profiles of their owners. The virus takes up 20 megabytes, making it roughly 20 times larger than Stuxnet, and uses a command-and-control network of 50 to 80 domains registered around the world to serve both built-in and downloadable modules. Flame also shares portions of its code with Stuxnet; for instance, both exploit the same Windows print spooler vulnerability.

—The Gauss virus, named after the mathematician whose name appears on its main module, was found in 2012 on some 2,500 computers, largely in Lebanon. It stole credentials for email, instant messaging, social networking accounts and online banking. Its focus on Lebanese banking customers suggested U.S. espionage aimed at the finances of the Syrian regime and Hezbollah. Kaspersky Lab, which discovered Gauss, reported that it appeared to be written by the same programmers who created Flame, since both are written in C++ and share code and other features.

—The Duqu virus, so named because its keylogger stores collected data in files with names beginning with DQ, such as DQx.tmp, was detected in 2011 harvesting data from computers in Hungary and Iran. Commonalities in the drivers suggest that Duqu and Stuxnet were built on the same platform. However, given that cybercriminals often sell platforms that generate malware, similarities in code base do not necessarily indicate that two programs came from the same operation.
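The Stuxnet paragraph above describes the attack mechanism, forcing the frequency converter drives that set centrifuge speed outside their normal range. As an added example that is not part of this article, the Python below shows the kind of check a plant operator could run over a historian's log of drive setpoints: it flags any commanded frequency outside the normal operating band and any abrupt jump between consecutive samples. The 807 to 1210 Hz band and the 1410 Hz and 2 Hz excursion values follow Symantec's public Stuxnet analysis; the drive names, thresholds and telemetry are constructed for the example.

```python
"""Flag out-of-band or abrupt frequency setpoints in drive telemetry.

Added example, not code from the article. The operating band follows
public Stuxnet analyses; the telemetry below is constructed, not captured.
"""
from dataclasses import dataclass

NORMAL_BAND_HZ = (807.0, 1210.0)   # assumed normal operating band (Symantec's figures)
MAX_STEP_HZ = 50.0                 # assumed largest legitimate change between samples


@dataclass
class Setpoint:
    t: int        # seconds since start of the (constructed) timeline
    drive: str    # constructed drive identifier
    hz: float     # commanded output frequency


@dataclass
class Alert:
    t: int
    drive: str
    kind: str     # "out_of_band" or "abrupt_change"
    hz: float


def analyze(setpoints, band=NORMAL_BAND_HZ, max_step=MAX_STEP_HZ):
    """Return alerts for setpoints that leave the band or jump too far at once.

    Samples are processed in time order, with the previous setpoint tracked
    per drive so that a large change on one drive is not masked by another.
    """
    lo, hi = band
    alerts = []
    last = {}  # drive -> previous Setpoint
    for sp in sorted(setpoints, key=lambda s: (s.t, s.drive)):
        if not lo <= sp.hz <= hi:
            alerts.append(Alert(sp.t, sp.drive, "out_of_band", sp.hz))
        prev = last.get(sp.drive)
        if prev is not None and abs(sp.hz - prev.hz) > max_step:
            alerts.append(Alert(sp.t, sp.drive, "abrupt_change", sp.hz))
        last[sp.drive] = sp
    return alerts


# Constructed telemetry: drive-A runs steadily near 1064 Hz, then receives the
# kind of excursion Stuxnet induced (far above the band, then near standstill)
# before returning to normal; drive-B stays within the band throughout.
SAMPLE = [
    Setpoint(0, "drive-A", 1064.0),
    Setpoint(60, "drive-A", 1066.0),
    Setpoint(120, "drive-A", 1410.0),
    Setpoint(180, "drive-A", 2.0),
    Setpoint(240, "drive-A", 1064.0),
    Setpoint(0, "drive-B", 1064.0),
    Setpoint(60, "drive-B", 1065.0),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(f"t={a.t:>4}s {a.drive} {a.kind:<14} hz={a.hz}")
```

One caveat a practitioner would want: a check like this is only as good as the telemetry feeding it. Stuxnet's PLC-level code concealed its modifications and presented operators with normal-looking process values, so the setpoints must be read from a source the compromised controller cannot forge, such as the drives themselves or an independent sensor, rather than from the HMI that the malware was designed to deceive.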
