Americans are used to thinking of China and Russia as like-minded cyber aggressors toward the United States, but a new report suggests that Chinese hackers might see Vladimir Putin‘s military as a ripe target, too.
Spearphishing attacks steal sensitive information from people’s computers by getting them to click virus-laden links, download infected files, and otherwise unknowingly open their electronic doors to malware.
“China represents great cover for anyone that wants to launch an attack anywhere in the world.”
Proofpoint researchers detected spearphishing emails that used infected Microsoft Word documents and zipped archive files, all of which deployed a remote access trojan called PlugX. The entity that deploys PlugX, which Proofpoint called TA459, is “believed to operate out of China.”
“While the current campaign from this attacker has been active for a couple of months,” the researchers wrote, “there is evidence of activity by this attacker as far back as 2013.”
One of the clues pointing to a Chinese origin is the code that implanted the trojan into the Word documents. Proofpoint said that the script used to build the infected document “appears to have been created with a Chinese language pack version of WinRAR,” the popular archive-unzipping tool.
Despite this and other evidence, however, it is virtually impossible to prove even that the attacks originated in China. This is because hackers outside China frequently use the country’s porous computer networks as staging areas for their operations.
Jeffrey Carr, a cybersecurity expert who founded the security consulting firm Taia Global, said that it would be “incredibly easy” for moderately skilled hackers to “mimic all of the different indicators of compromise that might go into claiming attribution to China.”
“I’ve spoken with Ukrainian hackers that sometimes will use China as a base to attack Russia,” Carr told the Daily Dot, “simply because it’s such good
cover. China represents great cover for anyone that wants to launch an attack anywhere in the world.”
At press time, Proofpoint did not respond to a request for comment about the reliability of the Chinese signatures in the code.
The group’s report did not link the attacks to the Chinese government, and Carr said that it was extremely unlikely that Beijing was involved. Spearphishing is a crude technique that falls far below the level of China’s technical capabilities, he said.
“Whenever you discover something, especially something that’s using a very low-level means of compromise like spearphishing,” Carr said, “to me it just makes more sense to look at it as a non-government-affiliated hacker or group of hackers that’s involved.”
Whoever led the attack was laser-focused on critical Russian infrastructure—an unusual motive for the average cybercriminal.
“A detailed examination of this operation reveals an adversary who demonstrates a keen interest in Russian telecom and military sectors.”
“A detailed examination of this operation reveals an adversary who demonstrates a keen interest in Russian telecom and military sectors, indicative of an actor with geopolitical motives,” Proofpoint said in its report. “The attacker also invests time to research the locale and current events relevant to their targets and then leverages this in their targeting tactics.”
Most of what Americans know about Chinese hacking comes from their attacks on American servers and systems. U.S. officials have privately concluded that Beijing either supported or conducted the attack on the Office of Personnel Management that resulted in the theft of more than 22 million government employee records.
The Obama administration is drafting economic sanctions on Chinese citizens and businesses in retaliation for the OPM hack and other incidents of cyber theft. But the Treasury Department is not expected to levy those sanctions prior to Chinese President Xi Jinping’s visit to the U.S. next week.
Chinese hackers’ apparent interest in Russian military secrets is at odds with the Chinese government’s economic focus in selecting U.S. targets. Beijing has mostly focused on stealing American businesses’ intellectual property to fuel its growing economy, whereas Russia is the nation that traditionally focuses on military and political cyberattacks.
Update 3:28pm CT, Sept. 18: Proofpoint sent the Daily Dot the following statement from Kevin Epstein, its vice president of threat operations.
“Actor attribution is always tricky, but our research shows significant use of Chinese-language tools and the command-and-control goes back to host sites in Chinese-influenced areas. That said, there’s always the possibility that some other group entirely is deliberately trying to implicate the Chinese.”
Illustration by Max Fleishman