Sometimes It’s Not China (Though This Is Probably Not the Week To Be Saying It)

This week we’ve had a rash of reporting that suggests the links between the state and Chinese hackers.

Smoking Cursor: First reported in the Epoch Times, and then picked up by the Washington Post and others, a report on CCTV 7 about cyberwar appears to show the PLA conducting an attack on a website connected to the Falun Gong. The attack probably happened several years ago, and there is something funny about the big “attack” button seen in the video (removed from CCTV but available on YouTube) which suggests that maybe it isn’t real. But, despite years of denials from Chinese officials, it maybe as close to a “smoking cursor” as we get, at least in the open source material.

DoD Report on Chinese Military: Not a lot new in the Pentagon’s annual report on the Chinese military in regard to cyber operations, but it does note that the techniques used in exfiltration are similar to those that would be used to “conduct computer network attacks.” This is an important point that drives home how hard it is to figure out intentions in cyberspace. When it sees someone in its network, how does the Pentagon decide what they are there for? How much time do you need to distinguish snooping from the launching of an attack? Certainly makes it harder to have any discussion with China about the rules of cyberwar.

Byzantine Hades: The Washington Times says it has seen a number of leaked cables that trace attacks—code named Byzantine Hades and first reported in Reuters—on the U.S. government and private sector back to the Chinese military in Chengdu. It also has another cable that linked another spying operation to the hacker group Javaphile.

So here we have more data points of varying credibility on the role of the Chinese state in cyberattacks, all suggesting that the United States needs a strategy for dealing with China in cyberspace. But there is one other report that reminds us, despite all of the above, that attribution is still difficult. India’s National Technical Research Organisation (NTRO) has been investigating a series of sophisticated attacks on the ministry of finance and the foreign secretary. China is often blamed in the Indian press for hacking. In the code, the NTRO discovered Chinese characters, which they removed but the malware continued operating. “Obviously this was a red herring meant to mislead us,” said one Indian official. The report goes on to suggest that “an ally in the West” could also be behind that attacks. France, UK, Germany, the U.S.? Last month there was a report that Italian intelligence was targeting the Indian embassy in Moscow.

Sometimes it’s not China, though lots of times it is.