U.S. network hacking traced to China, Iran
SAN FRANCISCO — Businesses and government agencies in the United States have been targeted in aggressive attacks by Iranian and Chinese hackers who security experts believe have been energized by President Donald Trump’s withdrawal from the Iran nuclear deal last year and his trade conflicts with China.
Recent Iranian attacks on American banks, businesses and government agencies have been more extensive than previously reported. Dozens of corporations and multiple U.S. agencies have been hit, according to seven people briefed on the episodes who were not authorized to discuss them publicly.
The attacks, attributed to Iran by analysts at the National Security Agency and the private security firm FireEye, prompted an emergency order by the Department of Homeland Security during the government shutdown last month.
‘Unofficially’ canceled
The Iranian attacks coincide with a renewed Chinese offensive geared toward stealing trade and military secrets from U.S. military contractors and technology companies, according to nine intelligence officials, private security researchers and lawyers familiar with the attacks who discussed them on the condition of anonymity because of confidentiality agreements.
A summary of an intelligence briefing read to the New York Times said that Boeing, General Electric Aviation and T-Mobile were among the recent targets of Chinese industrial-espionage efforts. The companies all declined to discuss the threats, and it is not clear if any of the hacks were successful. Chinese cyberespionage cooled four years ago after President Barack Obama and President Xi Jinping of China reached a landmark deal to stop hacks meant to steal trade secrets.
But the 2015 agreement appears to have been unofficially canceled amid the continuing trade tension between the United States and China, the intelligence officials and private security researchers said. Chinese hacks have returned to earlier levels, although they are now stealthier and more sophisticated.
“Cyber is one of the ways adversaries can attack us and retaliate in effective and nasty ways that are well below the threshold of an armed attack or laws of war,” said Joel Brenner, a former leader of U.S. counterintelligence under the director of national intelligence.
Federal agencies and private companies are back to where they were five years ago: battling increasingly sophisticated, government-affiliated hackers from China and Iran who hope to steal trade and military secrets and sow mayhem. And it appears the hackers substantially improved their skills during the lull.
Threats from China and Iran never stopped entirely, but Iranian hackers became much less active after the nuclear deal was signed in 2015. And for about 18 months, intelligence officials concluded, Beijing backed off its 10-year online effort to steal trade secrets.
But Chinese hackers have resumed carrying out commercially motivated attacks, security researchers and data-protection lawyers said.
A priority for the hackers, researchers said, is supporting Beijing’s five-year economic plan, which is meant to make China a leader in artificial intelligence and other cutting-edge technologies.
“Some of the recent intelligence collection has been for military purposes or preparing for some future cyber conflict, but a lot of the recent theft is driven by the demands of the five-year plan and other technology strategies,” said Adam Segal, director of the cyberspace program at the Council on Foreign Relations. “They always intended on coming back.”
Officials at the Chinese Embassy in Washington did not respond to a request for comment.
More careful efforts
Segal and other Chinese security experts said attacks that once would have been conducted by hackers in China’s People’s Liberation Army are now being run by China’s Ministry of State Security.
These hackers are better at covering their tracks. Rather than going at targets directly, they have used a side door of sorts by breaking into the networks of the targets’ suppliers. They have also avoided using malware commonly attributed to China, relying instead on encrypting traffic, erasing server logs and other obfuscation tactics.
The Iranian attacks, which hit more than a halfdozen federal agencies last month, still caught the department off guard.
Instead of hitting victims directly, FireEye researchers said, Iranian hackers have been going after the internet’s core routing system, intercepting traffic between so-called domain name registrars.
Once they intercepted their target’s customer web traffic, they used stolen login credentials to gain access to their victims’ emails.
“They’re taking whole mailboxes of data,” said Benjamin Read, a senior manager of cyberespionage analysis at FireEye.