Connect to share and comment

After two decades of relative peace, security experts caution that internet warfare is all but imminent. GlobalPost examines the skirmishes, defenses, and the "calamitous" threat that a small group of hackers could pose to American cities.


Meet Zhang. He hacks for Beijing.

Hacking may be a threat "akin to a nuclear bomb." But the Chinese behind most attacks see it as a dull office job.

target is information: weapon designs, chemical formulas, product blueprints, negotiating strategies, private emails. They feed this information not only to the military or government, but also to Chinese firms that might profit from it. This, in addition to sheer scale, is what makes China’s hackers different. While all governments spy, China’s is unique for the degree to which it systemically raids private companies for industrial advantage.

The other main goal is security and intimidation. Chinese hackers have been found to target law firms, media organizations, and human-rights groups that deal with “sensitive” issues like Tibet, Taiwan and political dissidents.

What sort of life is it?

Those who track them say that for China’s most active groups, hacking is less a secret hobby than a 9-to-5 desk job. The servers used to host malware switch on around 7:00 or 8:00 in the morning, Beijing time, and turn off around 6:00 p.m. During China’s two major holiday weeks, Stewart says, the hacking activity typically ceases.

Like any American office drones, they also have their complaints.

One hacker named Wang whose blog was uncovered by the Los Angeles Times wrote about a litany of grievances. The office was located in one of “the most remote areas of the city.” His boss wanted him to improve his English, but forbade him from reading foreign media. His manager hovered over his shoulder early in the mornings. “Fate has made me feel that I am imprisoned,” he wrote. “I want to escape.” 

And like any white-collar worker, of course, he also slacked off. One day, Wang wrote that he “didn’t do much” and went for a swim in the afternoon. “As far as work goes, if you master it to a degree, as long as you don't get on the wrong side of the boss, it's okay.”

Who are they? 

Perhaps the best authority on this subject is the India-based intelligence researcher who goes by the pseudonym Cyb3rsleuth. While the American firms who track Chinese hackers usually stop at the point of identifying individuals, Cyb3rsleuth goes the extra step in tracking them on social media sites and Internet forums in order to gain a clearer picture of who these hackers are.

To date, he has tracked some 10 individual Chinese hackers, and he shared his insights with Global Post last week.

The one he discovered the most about is Zhang Changhe, 33, whom Cyb3rsleuth describes as an “assistant professor” at the People’s Liberation Army Information Engineering University. Zhang is married with a child, and Cyb3rsleuth has pictures from his blog on QQ, a popular chat site in China.

The images show a man posing with a woman at a pagoda and visiting a pebble beach. In addition to work related to hacking, Zhang also has side businesses selling mobile phones offline and offering to (illicitly) boost businesses' Facebook “likes” and Twitter followers. Zhang describes himself as a Buddhist, and kept a blog where he reflected on how he had broken the precepts of his faith, confessing that he “continuously and shamelessly stole” in the previous year, according to a translation by Bloomberg. 

Connections to academia are a common theme among the exposed hackers. Cyb3sleuth found that another of his targets, named Mei Quang, had co-authored two academic papers in 2007 and 2008 about hacking techniques. Wang, the hacker whose blog the LA Times exposed, also authored academic papers while a student at the PLA Information Engineering University — that is, when he wasn’t watching NBA games or pining for a girlfriend. 

The increasing exposure of Chinese hackers may bring unwanted publicity (Cyb3rsleuth says that several hackers have taken down their profiles after he featured them on his blog), but it’s unclear if there are any real consequences.  

“I am pretty sure my blog is being watched by China,” he says. “I keep getting attachments from unknown people.”  

How do they get into hacking?

Some are drawn by patriotism, others by job listingsand still others by college recruitment. After Mandiant published its February report claiming to expose the PLA’s Shanghai-based cyber-hacking Unit 61398, Chinese netizens found a recruiting ad for the group posted at Zhejiang University’s website. It read:

"The graduate school has received notice that unit 61398 of China's People's Liberation Army (located in Pudong district, Shanghai) seeks to recruit 2003-class computer science graduate students. Students who sign the service contract will receive a 5,000 yuan per year national defence scholarship. After graduation, students will work in the same field within the PLA."

Who are they targeting? 

Well, you could say that just about any company, think tank, university, government agency or non-governmental organization with valuable intellectual property is a potential target. 

More precisely, Adam Meyers, director of intelligence at digital security company CrowdStrike, says that different China-based groups have different targets. The group he calls SamuraiPanda infiltrates banking, aerospace, and chemical companies based in other Asian countries. The AnchorPanda group aims for maritime targets close to the PLA Navy’s South Sea Fleet, and for American or European companies with valuable maritime technology. NumberedPanda goes after time-sensitive intelligence, such as information on Japan’s Fukushima cleanup operations. 

In its most recent report on threats, Dell SecureWorks found that an American defense contractor and energy company were attacked, along with a major university involved in military research. The amount of data lost is unknown.

What can be done? 

Private companies can do plenty to boost their defenses, but when it comes to deterring Chinese hackers entirely, Joe Stewart says, “I’m not optimistic.” As long as America’s companies have more advanced technology, there will be someone — whether government-sponsored or privately hired — who will try to steal it. 

But that doesn’t mean hacking targets are helpless; they just need to get savvier. In a recent report, Stewart underscored how important for hacking victims to speak out: “As an Internet community, we must make a collaborative effort to share information with their colleagues as a collective measure against attacks,” he wrote. “If we don’t, then we will surely see continued success by these highly organized and motivated APT [i.e. Chinese espionage] hacker groups.”