Analysis: Chinese cyberattacks on experts

Published: March 6, 2008 at 1:25 AM
By SHAUN WATERMAN, UPI Homeland and National Security Editor

Defense-related think tanks and contractors, as well as the Pentagon and other U.S. agencies, were the target of repeated computer network intrusions last year apparently originating in China, the Department of Defense said this week.

In its annual report to lawmakers on China's military power, the department said the intrusions "appeared to originate in" China but added, "It is unclear if these intrusions were conducted by, or with the endorsement of" the Chinese government or military.

The report gave few details, but one China expert who works in the private sector told United Press International that in the last 18 months, China scholars who have close links to the U.S. government have been the repeated targets of sophisticated hacking attempts, using malicious software packages called Trojan horses hidden in e-mail attachments.

"Almost every think tank in Washington has dealt with this," said the expert, who did not want to be named because of the ongoing investigations into the intrusions. "I personally have received more than two dozen" such e-mails, which arrive purportedly sent by other China-watchers.

"They would spoof the addresses to make it look like the e-mail was coming from someone I knew and give the attachment a name … designed to catch my attention," said the expert.

The e-mails varied in sophistication. "The vast majority are fairly primitive," said the expert, "littered with 'Chinglish' misspellings" or other obvious errors. But one purporting to come from a U.S. Air Force e-mail account was "very legitimate looking," said the expert, adding, "I would have opened the attachment, but fortunately it was on a subject I wasn't interested in."

If the attachment is opened, the Trojan horse software hidden inside is designed to bury itself deep in the computer's operating system and begin covertly exporting data from the target's calendar, contacts and e-mail folders to an Internet address in China, the expert said.

"This was a comprehensive intelligence-gathering effort by the Chinese, aimed at (China-watchers) with one foot in the government," said the expert. "People who likely have unclassified but still sensitive material on their computers."

At the RAND Corp., a think tank with historic links to the U.S. Air Force, the expert said, the infections were buried so deep that the FBI physically removed some computer hardware.

A statement from RAND Chief Information Officer Woody Stoeger confirmed that the think tank "has faced periodic attacks on our computer systems as have many organizations across the nation."

Stoeger added RAND was "vigilant in guarding against (such) attacks" but declined to comment in any more detail about their nature or where they might have originated from.

Because of the geographically dispersed nature of the Internet and the ability of hackers to launch attacks and intrusion efforts from "slave" computers they have secretly taken control of, attribution has been highlighted as one of the biggest problems for U.S. military planners developing cyberwar strategies.

Nonetheless, defense officials said the language used in the report was the most direct used so far by the administration and had been carefully chosen.

The language in the report had been "coordinated through a multiagency process" involving the National Security Council, the director of national intelligence and the State Department, Pentagon Asian affairs spokesman Maj. Stewart Upton told UPI. He called it "the strongest language yet from the (Department of Defense) about these intrusions."

"While we're not able to definitively label them as the work of the (People's Liberation Army, as the Chinese military calls itself) or the Chinese government, the techniques that are used, the way these intrusions are conducted are certainly very consistent with what you would need if you were going to actually carry out cyberwarfare," Deputy Assistant Secretary of Defense for East Asia David Sedney said Monday at a briefing for reporters.

He added that the intrusions "are certainly the kinds of things that espionage agencies would do," adding that developing cyberwar capacities like the ability to employ Trojan horse software was "consistent with a lot of writings we see from Chinese military and Chinese military theorists."

Sedney said the report was careful to distinguish between intrusions to copy and remove data, "which we know have been happening," and actual attacks to destroy or alter data, "which are things that can happen and can use the (same cyberwar) techniques" and capabilities.

He said the process was different from someone breaking into a house and stealing the furniture. "It's more like if someone went into your house and took a picture and left what was there, but then they went off … with the image of it."

"Large amounts of data have been taken out in these intrusions," he said. "That doesn't mean that that data has been destroyed, but it could have been. It doesn't mean it's been altered, but it could have been."

Some military officials say it is this last possibility -- that U.S. government data could be corrupted or altered without the knowledge of officials entrusted with it -- that troubles them the most about potential cyberconflicts.

© 2008 United Press International, Inc. All Rights Reserved.