Last week, SkyEye, Qihoo 360’s threat intelligence service, released a report entitled OceanLotus. The report describes the working of an APT (Advanced Persistent Threat) group engaged for at least three years in cyber espionage against Chinese targets, including ocean affairs agencies, the departments in charge of China’s territorial waters, research institutes, and aviation, aeronautics, and shipping companies. Over 90 percent of the infections were in China, most in Beijing and Tianjin. According to SkyEye, the sophistication of OceanLotus suggests that it is a nation-state backed group, though it does not name the country. The report does identify the locations of the IP addresses and command and control servers used in the attacks: Bahamas, United States, Ukraine, Nigeria, Israel and others.
Qihoo clearly is co-opting the language and techniques of the APT reports done by Mandiant, CrowdStrike, and other U.S. cybersecurity companies. The structure of Qihoo’s report is very familiar to anyone who has read an English-language report, though it seems like they missed an opportunity to come up with a name in the vein of Putter Panda or Volatile Cedar that implies the nation-state behind the attacks (Elegant Eagle?). The attempt to match the reports of the U.S. companies may be based on marketing and business needs, but it is also, in the minds of some Chinese analysts, a necessary step in the cybersecurity competition with the United States.
A rather elaborate, flowery article in an unexpected source, Gansu Peasant Daily (甘肃农民报; this could be a reprint from another source, though I have yet to find the original), describes the importance of APT reports to China. The article notes that before OceanLotus, China had never had an APT report that was "up to par." As a result, U.S. companies, and the United States government, could use the reports to go on the offensive:
As long as they have an APT attack report they can read off, even if they’re playing at being hoodlums, they’re doing it rationally and in accord with the law. China has been locked in a closet with grievances it can’t speak out against, with no choice but to swallow them down, suffering in silence.
Now, with OceanLotus, China does not have to be so passive. In fact, it can now push back. The article continues:
From now on, China can pop out this report, confidently face other nations and say: “Look! We’ve been attacked for three years. You always say that we’re conducting attacks. Let’s take this outside and talk it out!”
The Chinese foreign ministry wasted no time in using the report. In the June 2 press conference, Foreign Ministry Spokesperson Hua Chunying responded to a question about OceanLotus by saying that "If what has been reported is true, it proves once again that China is the victim of hacker attacks."
It is easy to write this report off as propaganda, but that would be a mistake. Instead, the United States government and U.S. cybersecurity firms should actively respond to the report. It is an opportunity to engage Beijing and Chinese cybersecurity companies in questions about what standards for public attribution of cyber attacks should be met. It could perhaps begin a process of developing shared terminology, metrics, and understandings that the APT groups in both countries could be defined by and held to account.