Chinese cyber crime: More crooks than patriots

May 19, 2013 3:22 pm

Chinese cyber crime: More crooks than patriots

By Kathrin Hille

The biggest threat is posed by online criminals the state is ill-equipped to police, says Kathrin Hille

On a muggy spring night five years ago in the southern Chinese city of Shenzhen, six young men were slowly getting drunk. “We’d all had a few beers when someone first mentioned Foxconn,” one of them recalls. “But we immediately saw that it was a great idea.” The plan was to hack into the computer systems of the giant Taiwanese contract manufacturer, which assembles many of the world’s best-selling electronic gadgets, such as Apple’s iPhones. This was no drunken whim. Four months later, the six hackers had breached Foxconn’s email system, according to three people with knowledge of the operation. Foxconn’s position at the heart of the global technology value chain made it an alluring target for potential blackmailers. The company’s 1.4m workers assemble products for the cream of the global technology industry including HP, Dell, Cisco, Acer, IBM, Microsoft and Sony.

And yet, the story of the attack against Foxconn reveals that it is wrong to think of China as a well-oiled, centrally-controlled cyber attack machine. Instead, the case casts a light on the more complex world of opportunistic criminal hackers. Governments and companies must design their defences to resist not only state-sponsored attacks but also threats from half a dozen young men looking to make a quick buck by extorting a multinational. In the Foxconn case, the hackers were out of their depth.

Western governments are still levelling many of their fiercest criticisms against Beijing itself, accusing China of sponsoring aggressive, highly co-ordinated and long-running cyber espionage campaigns against the rest of the world, often in pursuit of corporate and military secrets.

The US this year pledged to get tough on countries believed to sponsor online attacks. Washington’s new cyber strategy came on the heels of a report by Mandiant, a US internet security company, which named a Shanghai-based unit of the Chinese military as the perpetrator of a six-year campaign of attacksagainst 141 companies and other institutions in the US and elsewhere.

By contrast, the beer drinkers from Shenzhen were hardly acting under instruction from senior policy makers in Beijing. They simply believed the Taiwanese company’s fight with a Chinese challenger offered an enticing business opportunity.

When the hackers broke into Foxconn’s emails in the summer of 2008, the company was in a bitter dispute with BYD, a Shenzhen-based battery maker in which Warren Buffett, the billionaire investor, was to buy a 10 per cent stake for US$230m in September the same year.

BYD, which now also makes electric cars, has been struggling recently. Net earnings dropped 94 per cent to Rmb81.4m ($13.2m). But in 2008, the company was expanding so quickly that Foxconn viewed it as a threat. BYD was competing directly with it for the market in handset components. Since 2003, the Taiwanese company has accused its Chinese rival of stealing its intellectual property. BYD denies the charge.

“There is always money to be made when two companies compete that fiercely,” says one Chinese hacker. He added that the plan was to blackmail Foxconn by threatening to make public some of its internal information or selling it to BYD. The hackers focused on the emails of Terry Gou, Foxconn’s founder and chief executive.

The intruders found correspondence in which Mr Gou lobbied top Communist party leaders to move against Wang Chuanfu, founder and chief executive of BYD. “Terry Gou complained that [in the investigation of the IP theft allegations], the authorities were only looking at BYD middle management but argued that Wang Chuanfu was the mastermind,” says one person who saw the email.

The mail included a letter to Jia Qinglin, then a member of the party’s Standing Committee and the most senior politician in charge of Taiwanese affairs. That was when it dawned on the hackers that their find was bigger than they could handle.

“This kind of thing, in China, when it involves national leaders, you better don’t touch it,” says a person close to the hacking group. He adds that as one of China’s largest investors, exporters and employers, Foxconn had “immense clout” with the leadership, and messing with Mr Gou could be dangerous. “They abandoned the plan to extract money from Foxconn,” he says.

The person said the group was reluctant to back down because it had invested considerable time on the attack. The men subsequently tried to interest BYD in internal emails from Foxconn, but that failed as well. According to one person familiar with the exchange, the BYD contact feared a trap set by Foxconn. BYD and Foxconn declined to comment.

The Foxconn case is part of a broader trend. Wan Tao, a former hacker who is now one of China’s foremost internet security experts, says that hacking has become one of the most important instruments in corporate disputes – not just across borders but also among domestic companies, where competition can often be even fiercer.

Experts also believe that most mainstream attacks centre around corporate espionage. “From 2007, the use of Trojans to control computers, steal information and commercial secrets has taken off,” says Du Yuejin, deputy chief engineer at CNCERT, China’s national network emergency response body.

While an attempt – probably led by foreign governments – to hobble Iran’s nuclear programme with the Stuxnet worm has gained widespread media attention, Mr Du argues that the greatest concentration of cyber activity still lurks in the realm of cyber crime and cyber espionage.

Late last year, shockwaves ran through China’s industrial sector when the media reported that Sany, the heavy machinery maker which bought Putzmeister, the German pumpmaker, a few months earlier, had hired hackers to spy on its smaller rival Zoomlion. Sany and Zoomlion declined to comment.

Police in Hunan, the province where Sany was headquartered, confirmed to local media last November that they had arrested three Sany executives in connection with the case. The police declined to give an update.

“Some assessments seek to create the impression that China conducts cyber espionage in a highly organised way with a tight command structure, but that is just not true,” says an official at a US industry association.

He says the military unit portrayed by Mandiant as a spider at the centre of a giant web is just one actor in a thriving but chaotic Chinese hacking ecosystem with many different private and state actors. “One key driver is a set of national policies that call for innovation and the development and acquisition of new technologies. This means there is an incentive for every company and every government institution to get their hands on IP, whatever it takes.”

That means that the cases involving Foxconn and Sany/Zoomlion are just the tip of the iceberg in a booming underground cyber economy in China that thrives on stealing real assets such as money from bank accounts and the virtual assets traded by online gamers. They also hijack internet services and sell tools for such attacks. “We estimate that the overall damage to the Chinese economy exceeded Rmb5.36bn, affecting 110.8m Chinese users and 1.1m websites in 2011,” say Gu Lion from TrendMicro and Zhuge Jianwei and Duan Haixin from Tsinghua University, writing in a paper delivered at a University of California workshop last year.

. . .

The main driver of the illicit cyber business is an enormous “talent pool”. China saw the emergence of its first hackers in the late 1990s shortly after the country linked to the world wide web.

Early hackers focused on attacking foreign websites in times of rising tension, such as when the US bombed the Chinese embassy in Belgrade in 1999. Some foreign analysts have focused on the potential of those “patriotic hackers” as a freelance talent reserve for the Chinese military to recruit in its cyber war operations.

However, people in Chinese hacking circles believe those are a tiny minority. Most of these veterans went into the internet security business. Some have set up their own enterprises. The security expert Wan Tao, who also goes by the name Eagle Wan, started off in those early days as a “patriotic hacker”. Others now work for Chinese internet companies such as Qihoo 360 and Tencent.

But the majority of China’s latest generation of hackers operate on their own, much like the group that targeted Foxconn. They offer services to whoever is willing to pay.

“There are many business opportunities for us these days,” says one of the six men involved in that operation. “A while ago there was strong demand for assistance with intelligence in the white goods sector. Now ecommerce works well.”

He claims his business still focuses on domestic markets rather than the cross-border attacks that have captured headlines. Foxconn does not count as a foreign investor because Taiwan is part of China, he argues, parroting the government line.

While China may have one of the world’s most formidable hacking forces in terms of numbers, the country is far behind the US and other western markets when it comes to tracking and fighting cyber crime. In the US the growing tide of network attacks has spawned an industry focused on protection against such threats but that has not been mirrored in China.

The country has no equivalent of Mandiant yet. China’s leading internet security firms such as Kingsoft, Qihoo 360, Inspur, Topsec or Venustech have little or no ambition in investing in forensics, the capability that supports long-term, in-depth analysis of the origin, structure and technical detail of past attacks that is being built by firms such as Symantec or TrendMicro. “Our internet security sector is light years behind the US, partly because there is very little awareness of the problems yet and companies are not willing to pay for such services,” says Tony Yuan, head of Netentsec, a Beijing security company.

That problem is mirrored by a lack of understanding, co-ordination and transparency on the part of the government. A vast array of different Communist party, government and military institutions and semi-official bodies all have roles in managing information security.

But the office in charge of day-to-day information security matters under the State Council, China’s cabinet, was disbanded in 2008. This caused government bodies to compete with each other without a consistent, system for oversight and enforcement.

For Chinese experts, therefore, foreign complaints about hacking attacks originating in their country are far down the priority list. “Those who accuse the Chinese government of cyber attacks lack sincerity,” says Liu Deliang, a cyber law expert from Beijing Normal University. “Cyber crime is the main problem and we should close ranks to fight it.”

Additional reporting by Zhao Tianqi

. . .

A plea for greater international co-operation

China has complained that the rise of cyber warfare between countries is undermining international communication channels vital for an emergency response in the event of network attacks.

The remarks by Du Yuejin, deputy chief engineer of the National Computer Network Emergency Response Team of China, highlight the increasingly politicised climate around cyber security as the US has pledged a tougher response to network attacks and espionage originating in China.

“We people from the CERT [computer emergency response team] community are often confused as to how to co-operate on dealing with incidents – the governments are getting involved more and more but the policy is unclear,” Mr Du told the Financial Times.

He is in a crucial position because national CERT bodies are normally the institutions through which different countries exchange information about network attacks.

When a hacking attack paralysed a number of South Korean broadcasters and banks in March, the authorities in Seoul told the media they had traced the attack to a Chinese IP address, although they corrected themselves a day later to say there had been a mistake.

“This wouldn’t have happened in the past,” Mr Du said. He added that China, Japan and South Korea had a good record in dealing with incidents despite historical and political problems triggering frequent network attacks. “Before, we would notify each other first, try to share information and help each other to handle incidents,” he said.

Mr Du blamed the changes on governments’ growing wariness since the detection in 2010 of Stuxnet, a worm which is believed to have been launched by the US and Israel against Iran’s nuclear programme.

“Since the cyber attack against Iran, namely the Stuxnet incident, governments don’t trust each other as much as before, and trust among CERTs has been damaged too,” he said. “The dispute and misunderstandings among countries will give cyber attackers and terrorists new opportunities.”