Chinese cyberspies targeted US experts on Mideast
WASHINGTON — Middle East experts at major U.S. think tanks were hacked by Chinese cyberspies in recent weeks as events in Iraq began to escalate, according to a cybersecurity firm that works with the institutions.
The group behind the breaches, called "Deep Panda" by security researchers, appears to be affiliated with the Chinese government, said Dmitri Alperovitch, chief technology officer of the firm CrowdStrike. The company, which works with a number of think tanks on a pro bono basis, declined to name which ones have been breached.
Alperovitch said the firm noticed a "radical" shift in Deep Panda's focus on June 18, the same day witnesses reported that Sunni extremists had seized Iraq's largest oil refinery. The Chinese group has typically focused on senior individuals at think tanks who follow Asia, said Alperovitch. But last month, it suddenly began targeting people with ties to Iraq and Middle East issues.
This latest breach follows a pattern identified by experts of Chinese cyberspies targeting major Washington institutions, including think tanks and law firms. It's rarely clear why Chinese cyberspies hack specific American targets, but experts say there are a few clues to why Deep Panda may have been interested in Middle East experts at think tanks.
China's need for natural resources has skyrocketed along with its economic profile, and the country has increasingly turned to the Middle East to fuel its energy needs. China surpassed the United States as the world's largest net importer of petroleum and other liquid fuels last September, according to the U.S. Energy Information Administration. In Iraq, China is a major oil investor.
"It wouldn't be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq," writes Alperovitch in a post on his company's blog.
Experts say that breaking into organizations like think tanks can give adversaries access to sensitive communications about international strategy — and potentially allow them to use compromised email accounts to get at other targets. A phishing message coming from a trusted acquaintance at a prominent think tank that asks a user to download an attachment is more likely to succeed than a seemingly random email.
"If you can go after these indirect targets that have some of the information, or you can see who they are communicating with, you build up a lot of intelligence," explains Benjamin Johnson, a former National Security Agency employee who now works at the cybersecurity firm Bit9.
The troubling implication of this is that pretty much everyone is a target, he said. "If you have a relationship with anyone who has something valuable in terms of information, you yourself are a target because it might be easier for them to go after you than the target directly," Johnson explains.
"It's similar to when companies are trying to do a merger, and an adversary might go after their law firm or accounting firm where a lot of information might be stored," he added.
Chinese interest in U.S. think tanks is part of a larger information gathering strategy aimed at understanding how Washington works. Chinese officials often assume that think tanks and news outlets are being influenced by the U.S. government the way their Chinese counterparts are by Beijing, experts say.
"The Chinese think that American think tanks are like Chinese think tanks," said James Lewis at the Center for Strategic and International Studies, which has been hacked before. In the midst of the most recent campaign, CSIS staff received an email warning them of phishing attacks, he said.
Alperovitch says the digital signatures of the group behind the attack, Deep Panda, indicate it is affiliated with the Chinese government. "We have attribution details leading us to believe it is operating out of China and traditionally goes after things of interest to Chinese state-owned enterprises and foreign relations information relevant to the Chinese government."
But despite the rise in attacks on think tanks, Richard Bejtlich, chief security strategist at FireEye and a nonresident senior fellow at the Brookings Institution, says he hasn't seen a lot of major changes in how think tanks respond to security breaches — partially because of the very significant price tag associated with a professional cybersecurity force.
Even after increased awareness of the issue among organizations following widely publicized breaches in recent years, many nonprofit think tanks do not have the resources to fend off cyberattacks, according to experts.
Deep Panda's cyberattacks are notable for their extreme stealth, according to Alperovitch. "The group leverages existing tools on the system and very rarely brings in malicious tools that might be noticed by administrators of that network." Instead, the hackers set up scripts that use existing Windows tools to operate malicious programs that run only in memory — making them almost impossible to detect using traditional forensic methods.
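The "existing Windows tools" pattern Alperovitch describes leaves little on disk, but the process-creation events that endpoint logging records still show a built-in script host being handed code inline. The following detection sketch is an added example, not code from CrowdStrike or from the article: it scans a constructed, simplified log format (one `Key=value` record per line) and flags script hosts launched with indicators of in-memory execution. The field names and indicator list are assumptions chosen for the example.

```python
import re

# Built-in Windows binaries that execute script or code handed to them on the command
# line, so no malicious file needs to be written to disk (assumed list for this example).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line features that point to code supplied inline or pulled straight into
# memory, instead of a script file an administrator could find on disk.
INDICATORS = [
    (re.compile(r"(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"), "encoded-command"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "invoke-expression"),
    (re.compile(r"(?i)downloadstring|invoke-webrequest|net\.webclient"), "download-cradle"),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), "hidden-window"),
    (re.compile(r"(?i)\b(javascript|vbscript):"), "inline-script-uri"),
]

def parse_event(line):
    """Parse a simplified 'Key=value Key="quoted value"' process-creation record."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def assess(event):
    """Return the indicator labels hit by one event; [] means nothing to flag."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return []
    cmd = event.get("CommandLine", "")
    return [label for pat, label in INDICATORS if pat.search(cmd)]

def scan(lines):
    """Return (image, labels) for every flagged event in a batch of log lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        labels = assess(ev)
        if labels:
            hits.append((ev["Image"].rsplit("\\", 1)[-1].lower(), labels))
    return hits

# Constructed sample events; the encoded payload is a meaningless placeholder.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe -File C:\Scripts\backup.ps1"',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\taskeng.exe CommandLine="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"',
    r'Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="mshta.exe javascript:placeholder()"',
    r'Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe',
]
```

Running `scan(SAMPLE_LOG)` flags the second and third records and leaves the scheduled backup script and the non-script-host process alone; in practice the parent process (here a task scheduler host) is a useful second signal to correlate.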
"These are well-funded, motivated teams that are doing whatever they can to get all this information," he said.
The Washington Post contacted a number of think tanks in Washington regarding the breaches; most declined to comment directly on whether they had been hacked.
"The council's IT architecture is a priority, and we continue to do all we can to reduce our vulnerability," a Council on Foreign Relations spokesman told the Post in a statement. "We will not comment on reports of specific incidents."
"Brookings takes security extremely seriously, and we constantly monitor the evolving technology landscape to ensure our systems are as secure as possible," Helen Mohrmann, the Brookings Institution's chief information officer, said in a statement.
A Cato Institute employee who asked to remain anonymous, because he was not authorized to speak on the record, acknowledged the organization was probably being targeted but had not yet identified any breaches. "We have been beefing up security because we are aware of the interest in think tanks and are always mindful of the possibility," he said.
In May, the U.S. government indicted five Chinese military employees on charges related to commercial cyberspying — accusing them of stealing trade secrets and strategic business intelligence from leading steel, nuclear plant and solar power firms.
The Chinese government denied the allegations, calling them "based on fabricated facts" and has consistently disputed that it is engaging in the type of cyber-espionage campaigns that security researchers have identified.