Return to

August 25, 2011
Notes from the Pentagon

Chinese computer hackers, some linked to the military, engaged in an aggressive international campaign of electronic espionage through the Internet from 2003 through at least 2009, according to documents obtained by Inside the Ring.

The electronic spying campaign targeted large amounts of data and information from U.S. government and private sector networks, as well as from the French and German governments, other states and international organizations.a The documents, labeled “secret,” provide some of the first details to be made public on Chinese cyberspying and reveal a U.S. government program to monitor and halt the activity that was code-named “Byzantine Hades.”

A State Department cable dated April 2, 2009, states that Byzantine Hades activity appeared linked to the Chinese military in Chengdu. The cable was a department Diplomatic Security Bureau report that discussed the findings of Canadian security researchers, who dubbed the worldwide Chinese intrusions “GhostNet.”

The researchers identified four Internet domains that “were involved in Byzantine Hades intrusion activity in 2006,” the cable says.

“Subsequent analysis of registration information also leads to a tenuous connection between these hostile domains and the People’s Liberation Army [PLA] Chengdu Military Region First Technical Reconnaissance Bureau [TRB].”

The disclosure is the first official U.S. government report linking global computer hacking to China's military.

According to the cable, a Chengdu hacker named Chen Xingpeng was linked to the PLA Technical Reconnaissance Bureau, which also is called the Military Unit Cover Designator 78006.

The cable says there was no official link between Byzantine Hades spying and the PLA reconnaissance bureau, but noted “much of the intrusion activity traced to Chengdu is similar in tactics, techniques, and procedures to BH activity attributed to other PLA [Technical Reconnaissance Bureaus].”

The link between Mr. Chen and the Chinese military “further emphasizes the idea that this clandestine ‘cyber-spying’ network may in fact be a state-sponsored intelligence-gathering operation,” the cable says.

The documents were first disclosed by the Reuters news agency.

Further signs of China’s Byzantine Hades activities surfaced in the past two weeks in a report by the McAfee computer security firm, which dubbed unidentified computer intrusions in more than 71 networks “Shady Rat.”

The McAfee report did not name China in the computer attacks, but other experts said all indications pointed to Beijing’s involvement and methods similar to those used in the government’s Byzantine Hades intelligence.

A Nov. 5, 2008, State Department cable disclosing international talks in Berlin on cyber-espionage also provide new details of Byzantine Hades computer strikes.

Byzantine Hades is “a cover term for a series of related computer network intrusions with a believed nexus to China, [that] has affected U.S. and foreign governments as well as cleared defense contractors since at least 2003,” the cable states.

German intelligence officials, according to the cable, said “these efforts are conducted for the purpose of espionage and present a significant threat to German interests.”

“Targets cover a broad range of [German government] activities including the military, the economy, science and technology, commercial interests, diplomatic efforts, and research and development,” the cable says, further quoting the officials as saying the “espionage-focused activity” increases before negotiations between German and Chinese officials.

State Department diplomatic security officials said Chinese electronic “infiltrations” generally are carried out through the use of “socially engineered email messages crafted to appear authentic and specifically targeted to individuals of interest.”

“These messages normally contain an attachment or embedded link which is used to deliver malicious software (malware) onto the victim computer,” the cable said.

Chinese spies often use software variants of older malware because “they remain effective and are not generally detected by the majority of anti-virus solutions currently used,” the cable says, noting “a clear increase in the scope and sophistication of these activities over time.”

Like the Germans, French intelligence also reported that they had observed “nearly identical” cyber-espionage emanating from China that breached computers of high-level French officials.

“The French claimed to have been victims of specific technical monitoring facilitated through computer network operations,” the cable said. “The representatives indicated that believed Chinese actors had gained access to the computers of several high-level French officials, activating microphones and Web cameras for the purpose of eavesdropping.” The cable concludes its section on Byzantine Hades by noting that the problems appear “global” and had affected numerous nations. In January, then-Defense Secretary Robert M. Gates sought to engage China's military in talks on Chinese cyber-activities but was rebuffed. China’s government routinely denies it engages in any cyberspying or cyberwarfare activity.

A third cable from December 2008 also discusses likely Chinese cyber-attacks on computers at the International Monetary Fund and World Bank in November 2008. It states that reports at the time indicated China was seeking “sensitive … information” about the two financial institutions.

The December cable says “Byzantine Hades, a series of related computer-network intrusions with a believed nexus to the PRC, has affected U.S. and foreign government systems as well as those systems belonging to international organizations, such as human rights organizations.”

A fourth cable from March 2009 says that a part of the Chinese spying operation code-named Byzantine Anchor had identified a key spy as Chinese hacker Yinan Peng, leader of a hacker group called Javaphile, that computer security experts say is suspected of carrying out the recent major hacking against Google and other U.S. corporations.

According to the cable, “an email message originating from a known [Byzantine Anchor] IP address was sent to Javaphile’s leader.” The cable says the same IP has been identified in incidents affecting the Pentagon and Department of State.

Byzantine Anchor hackers “since late 2003 … have targeted and compromised [U.S. government] and cleared defense contractor computer networks in attempts to conduct computer network exploitation (CNE),” this cable says.

“Numerous sensitive reports have identified an apparent relationship between the Chinese hacker group Javaphile and [Byzantine Anchor] intrusion activity based on overlapping characteristics,” the cable says.

In addition to Internet Protocol addresses that linked Byzantine Anchor to Javaphile, both hacking activities employ an identical customized “command and control tool” called eRACS, it states.

According to the cable, Chinese hackers on July 30, 2008, used a pirated computer inside the Pentagon to download and install the eRACS tool. A week later, State Department networks also were compromised by attacks emanating from the same malicious IP address as the Pentagon attack. “Though the Intelligence Community has long suspected affiliation between the Javaphile hacker organization and [Byzantine Anchor], the recent discovery of Peng’s receipt of correspondence from a known hostile IP presents a more significant basis for this hypothesis,” the fourth cable states.

David Letterman on Monday poked fun at the al Qaeda terrorist who posted a death threat on a website calling for an assassin to cut out the comedian’s tongue.

On CBS’ “Late Night,” Mr. Letterman cracked wise about the threat, disclosed in this space last week, telling viewers and his live audience that they were his “human shield” against the threat.

The comedian used the incident to take on his rival, Jay Leno. “State Department authorities are looking into this,” Mr. Letterman quipped. “They’re not taking this lightly. There’s an electronic trail there … but everybody knows it’s Leno.”

Mr. Letterman then read a list of “Top Ten Thoughts That Went Through My Mind After Hearing the Threat.” They included: “Someone wants to silence me? Get in line,” and “Nothing says summer fun like a death threat.”

The list included: “Some people get Emmy nominations; some people get death threats,” and “And here I thought nobody watched the show.”

Return to