The Mercury News

China sharpens hacking tools, resources

- By Nicole Perlroth, Kate Conger and Paul Mozur

SAN FRANCISCO >> China’s state-sponsored hackers have drastically changed how they operate over the last three years, substituting selectivity for what had been a scattershot approach to their targets and showing a new determination by Beijing to push its surveillance state beyond its borders.

The government has poured considerable resources into the change, which is part of a reorganization of the national People’s Liberation Army that President Xi Jinping initiated in 2016, security researchers and intelligence officials said.

China’s hackers have since built up a new arsenal of techniques, such as elaborate hacks of iPhone and Android software, pushing them beyond email attacks and the other, more basic tactics that they had previously employed.

The primary targets for these more sophisticated attacks: China’s ethnic minorities and their diaspora in other countries, the researchers said. In several instances, hackers targeted the cellphones of a minority known as Uighurs, whose home region, Xinjiang, has been the site of a vast build-out of surveillance tech in recent years.

“The Chinese use their best tools against their own people first because that is who they’re most afraid of,” said James A. Lewis, a former U.S. government official who writes on cybersecurity and espionage for the Center for Strategic Studies in Washington. “Then they turn those tools on foreign targets.”

China’s willingness to extend the reach of its surveillance and censorship was on display after an executive for the National Basketball Association’s Houston Rockets tweeted support for protesters in Hong Kong this month. The response from China was swift, threatening a range of business relationships the NBA had forged in the country.

In August, Facebook and Twitter said they had taken down a large network of Chinese bots that was spreading disinformation around the protests. And in recent weeks, a security firm traced a monthslong attack on Hong Kong media companies to Chinese hackers. Security experts say Chinese hackers are very likely targeting protesters’ phones, but they have yet to publish any evidence.

Some security researchers said the improved abilities of the Chinese hackers had put them on a par with elite Russian cyberunits. And the attacks on cellphones of Uighurs offered a rare glimpse of how some of China’s most advanced hacking tools are now being used to silence or punish critics.

Google researchers who tracked the attacks against iPhones said details about the software flaws that the hackers had preyed on would have been worth tens of millions of dollars on black market sites where information about software vulnerabilities is sold.

On the streets in Xinjiang, huge numbers of high-end surveillance cameras run facial recognition software to identify and track people. Specially designed apps have been used to screen Uighurs’ phones, monitor their communications and register their whereabouts.

Gaining access to the phones of Uighurs who have fled China, a diaspora that has grown as many have been locked away at home, would be a logical extension of those total surveillance efforts. Such communities in other countries have long been a concern to Beijing, and many in Xinjiang have been sent to camps because relatives traveled or live abroad.

Chinese police have also made less sophisticated efforts to control Uighurs who have fled, using the chat app WeChat to entice them to return home or to threaten their families.

China’s Ministry of Foreign Affairs did not respond to a request for comment. China has denied past claims that it conducts cyberespionage, adding that it, too, is often a target.

Security researchers recently discovered that the Chinese used National Security Agency hacking tools after apparently discovering an NSA cyberattack on their own systems. And several weeks ago, a Chinese security firm, Qianxin, published an analysis tying the CIA to a hack of China’s aviation industry.

Breaking into iPhones has long been considered the Holy Grail of cyberespionage.

“If you can get inside an iPhone, you have yourself a spy phone,” said John Hultquist, director of intelligence analysis at FireEye, a cybersecurity firm.

The FBI couldn’t do it without help during a showdown with Apple in 2016. The bureau paid more than $1 million to an anonymous third party to hack an iPhone used by a gunman involved in the killing of 14 people in San Bernardino, California.

Google researchers said they had discovered that iPhone vulnerabilities were being exploited to infect visitors to a set of websites. Although Google did not release the names of the targets, Apple said they had been found on about a dozen websites focused on Uighurs.

“You can hit a high school student from Japan who is visiting the site to write a research report, but you are also going to hit Uighurs who have family members back in China and are supporting the cause,” said Steven Adair, president and founder of the security firm Volexity in Virginia.

The technology news site TechCrunch first reported the Uighur connection. A software update from Apple fixed the flaw.

In recent weeks, security researchers at Volexity uncovered Chinese hacking campaigns that exploited vulnerabilities in Google’s Android software as well. Volexity found that several websites that focused on Uighur issues had been infected with Android malware. It traced the attacks to two Chinese hacking groups.

Because the hacks targeted Android and iPhone users, even though Uighurs in Xinjiang don’t commonly use iPhones, Adair said he believed that they had been aimed in part at Uighurs living abroad.

“China is expanding their digital surveillance outside their borders,” he said. “It seems like it really is going after the diaspora.”

Another group of researchers, at the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto, recently uncovered an overlapping effort, using some of the same code discovered by Google and Volexity. It attacked the iPhones and Android phones of Tibetans until as recently as May.

Using WhatsApp messages, Chinese hackers posing as New York Times reporters and representatives of Amnesty International and other organizations targeted the private office of the Dalai Lama, members of the Tibetan parliament and Tibetan nongovernmental organizations, among others.

Lobsang Gyatso, the secretary of TibCERT, an organization that works with Tibetan organizations on cybersecurity threats, said the recent attacks were a notable escalation from previous Chinese surveillance attempts.

Photo: GILLES SABRIE — THE NEW YORK TIMES. Chinese hackers have secretly monitored the cellphones of Uighurs and Tibetans around the globe, security researchers say as they warn that foreigners could be next.