It's hard to exaggerate the importance of the detailed report published Tuesday by the security company Mandiant, first reported by The New York Times, directly connecting hundreds of cyber-attacks against corporations and organizations in the United States to Unit 61398 of China's People's Liberation Army. The unit is in charge of the Chinese superpower's attacks on computer systems worldwide, and this is the first time that a clear connection has been made between a cyber-attack and a sovereign government. Dr. Thomas Rid of King's College London, a leading researcher on cyber-warfare, said that "the intelligence publicly provided in the Mandiant report may be good enough for the White House to increase its political pressure on China, but at the same time the intelligence is not good enough for China to stop denying they engage in cyber espionage. The problem is that in foreign computer espionage cases, intelligence is not the same as evidence. This is unlikely to change and the Mandiant report is as good as it gets."
So far, only three American companies whose computer networks were hacked by Unit 61398 have been named – soft-drinks giant Coca-Cola, the security corporation RSA, and Lockheed Martin, the largest manufacturer of combat aircraft in the Western world. But according to the report, at least 140 companies and organizations have been attacked by the Chinese since 2006, including some that control critical energy and water infrastructure.
In recent years, a number of cyber-attacks have gained publicity, including the attack on computer networks and websites in Georgia when it was at war with Russia in 2008 and similar attacks on the Baltic states, also rivals of Russia. In both cases, the source of these attacks was allegedly organized crime groups in the former Soviet Union, none of which can be directly connected to the Kremlin.
The most famous cyber campaign to date has been the viruses directed at Iran's nuclear program, Flame, Gauss and above all Stuxnet, which were reported to have been the result of a joint U.S.-Israeli operation, though no one has so far been able to prove a link to either of the governments credited with creating and planting them. The same is true of the cyber-attack which paralyzed the computers of the Saudi oil giant Aramco last year and has been blamed by U.S. officials on Iran.
Most of the cyber-attacks reported in the news have been private initiatives, such as that of the Saudi hacker who posted the credit card details of thousands of Israeli citizens on the web last year, and the "ops" carried out by the hacker collective Anonymous, which last week posted the details of 600,000 users of the email service of the Israeli website Walla!. Anonymous' latest prank, on Monday, was hacking into Burger King's Twitter account and spreading the false story that the fast-food chain had been bought by McDonald's.
Cyber-attacks have been described by military theorists as "asymmetrical warfare," a term usually applied to military campaigns between nation-states and terror organizations, but they now seem to have become an integral weapon (albeit a secret one) in the official arsenal of organized armies. Despite the sophistication of Unit 61398 chronicled in the Mandiant report, it seems that the Chinese electronic warriors made a cardinal mistake by using their personal Facebook and Twitter accounts to launch some of their attacks, allowing analysts to connect them to the Shanghai neighborhood where the unit's base is situated.
One can only hope that in future, when cyber operations are analyzed, they won't be connected to IP addresses in Virginia and slightly north of Tel-Aviv.
The Mandiant report also challenges the Obama Administration at a time when a team of lawyers is preparing a legal framework for cyber-warfare, which will determine when an electronic attack constitutes an act of war. These guidelines will decide in which cases the U.S. will regard itself as under attack and will affect the ways it deploys cyber-strikes itself. According to media reports, President Barack Obama gave explicit orders to the CIA to use cyber-weapons against Iran's nuclear program on condition that civilian systems, specifically hospitals, would not be affected. It would be interesting to know what limits the Israeli government has set for the IDF Intelligence Branch's electronic intelligence Unit 8200.
Cyber warfare can be roughly divided into three categories of attack. The most prevalent is DDoS (Distributed Denial of Service), in which websites and internet servers are bombarded with immense quantities of traffic that can force them offline. Many Israeli government websites have been the target of DDoS attacks – usually this has caused at most short offline periods and very little damage, if any.
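The flooding described above is usually first noticed on the receiving end as an abnormal request rate from particular sources. The following is an added example, not code from the article or from Mandiant: a sliding-window counter that reads web-server access log lines (the sample lines, addresses, timestamps, threshold and window are all constructed) and reports any source address that exceeds a request budget within the window.

```python
"""Sliding-window request-rate check over web-server access log lines.

Added example, not from the article. The log lines below are constructed
(documentation-range IP addresses, invented timestamps) and the threshold
and window size are arbitrary illustrative values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client address, identity, user, [timestamp], "request"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

# Constructed sample: one address sends five requests within two seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.2 - - [19/Feb/2013:10:00:00 +0000] "GET /news HTTP/1.1" 200 9120
203.0.113.7 - - [19/Feb/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [19/Feb/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [19/Feb/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [19/Feb/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.2 - - [19/Feb/2013:10:00:05 +0000] "GET /sport HTTP/1.1" 200 8800
203.0.113.7 - - [19/Feb/2013:10:00:30 +0000] "GET / HTTP/1.1" 200 512
"""


def parse_line(line):
    """Return (client_ip, timestamp, request) for one log line, or None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, ts_text, request = match.groups()
    ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, request


def find_floods(log_text, threshold=5, window_seconds=10):
    """Report each source whose request count within any window of
    `window_seconds` reaches `threshold`. Lines are assumed to be in
    time order. Returns a list of (ip, timestamp_of_trigger, count),
    one entry per flagged address."""
    windows = defaultdict(deque)   # ip -> timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue            # skip malformed lines rather than crash
        ip, ts, _ = parsed
        window = windows[ip]
        window.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append((ip, ts, len(window)))
    return alerts


if __name__ == "__main__":
    for ip, ts, count in find_floods(SAMPLE_LOG):
        print(f"{ip}: {count} requests within window, triggered at {ts}")
```

A per-source counter like this catches a single noisy client but says nothing about a genuinely distributed flood in which thousands of addresses each stay under the threshold; for that, the same window logic has to be applied to the aggregate rate, or per path, and compared against a baseline for the site.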
A more sophisticated attack is hacking into the databases of large companies and organizations, in many cases through "phishing" – craftily disguised emails sent to employees of a targeted organization containing malware, or links to other websites, which enable the attacker to penetrate the organization's computer system. This can also be done by planting innocuous-looking links in websites, for example in readers' comments. So far it seems that most of Unit 61398's efforts were focused on phishing. Information gathered from these penetrations can serve a wide range of needs. Anonymous uses it to cause public embarrassment to organizations that the anarchist hackers oppose. But the Chinese have not sought to publicize their finds. The information they stole seems to serve espionage purposes: financial, industrial and military. (In the case of Coca-Cola, information was sought during a period when the corporation was trying to take over a Chinese soft-drinks company, and in the past there were attempts to obtain the computer codes of Lockheed Martin's stealth fighter, the F-35.)
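The "craftily disguised" links the paragraph describes often share a few static tells: the text shown to the reader names one site while the link itself goes elsewhere, the link points at a bare IP address, or it uses plain http. The following is an added example, not code from the article or from any vendor: a small inspector for the links in an HTML email body. The email, the domain names and the "last two labels" rule used to compare hosts are all constructed for illustration.

```python
"""Static checks on links in an HTML e-mail body.

Added example, not from the article. The message below is constructed,
as are the domain names in it; the registrable-domain comparison is a
deliberately crude "last two labels" rule, not a public-suffix lookup.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message: one lookalike host, one bare IP,
# and one legitimate https link to the brand being imitated.
SAMPLE_EMAIL = """\
<html><body>
<p>Your account needs attention. Please sign in at
<a href="http://www.examplebank.com.login-verify.example/">www.examplebank.com</a>
within 24 hours.</p>
<p>Or use the <a href="http://203.0.113.9/login">secure portal</a>.</p>
<p>Our <a href="https://www.examplebank.com/help">help centre</a> is open daily.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased host named by a URL or a bare domain, or None."""
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname


def looks_like_domain(text):
    """Crude test for anchor text that presents itself as a site name."""
    return "." in text and " " not in text


def registrable(host):
    """Constructed rule: treat the last two labels as the 'brand'."""
    return ".".join(host.split(".")[-2:])


def inspect_links(html_body):
    """Return [(href, text, [reasons])] for every suspicious link."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = []
        host = host_of(href)
        if host is None:
            reasons.append("no host in href")
        else:
            try:
                ipaddress.ip_address(host)
                reasons.append("href host is a bare IP address")
            except ValueError:
                pass
            if urlparse(href).scheme == "http":
                reasons.append("plain http link")
            if looks_like_domain(text):
                shown = host_of(text)
                if shown and registrable(shown) != registrable(host):
                    reasons.append(f"text shows {shown} but href goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in inspect_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Checks of this kind are cheap to run at the mail gateway, but they only see the link as delivered: a short-lived redirect or a link that is benign at delivery time and later repointed will pass them, which is why gateways combine static inspection with time-of-click resolution.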
But the greatest concern of governments around the world is the third category – the planting of computer viruses and "logic bombs" in the computer systems that control large factories and critical infrastructure networks (supervisory control and data acquisition – SCADA). The Stuxnet virus planted in Iran's uranium enrichment project was such an attack. The possibility that hackers have planted electronic time-bombs in the software operating electricity and water infrastructure, which can be activated one day from afar paralyzing entire countries, is what keeps security experts up at night. The Mandiant report doesn't provide a conclusive answer as to whether the Chinese have planted such bombs but Unit 61398 certainly seems to have penetrated these infrastructures.
American computer security expert Dale Peterson published last week a detailed analysis explaining the relatively simple process of developing and planting malware designed to sabotage SCADA systems. The main difficulty, he writes, is maintaining secret control of the hidden bomb over years, in order to operate it when the time comes. If the Chinese had indeed succeeded in carrying out such an operation, would that constitute a declaration of war?
Follow me on Twitter @AnshelPfeffer