CIA/ US government

China's largest cyber-security vendor has published today a report accusing the CIA of hacking Chinese companies and government agencies for more than 11 years.

The report, authored by Qihoo 360, claims the CIA hacked targets in China's aviation industry, scientific research institutions, petroleum industry, Internet companies, and government agencies.

CIA hacking operations took place between September 2008 and June 2019, and most of the targets were located in Beijing, Guangdong, and Zhejiang, Qihoo researchers said.

Image: Qihoo 360

Qihoo claims that a large part of the CIA's hacking efforts focused on the civil aviation industry, both in China and in other countries.

The Chinese security firm claims the purpose of this campaign was "long-term and targeted intelligence-gathering" to track "real-time global flight status, passenger information, trade freight, and other related information."

Also: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)



Report based on Vault 7 leaks

Qihoo says it linked the attacks to the CIA based on the malware used in the intrusions -- namely Fluxwire [1, 2, 3] and Grasshopper [1, 2].

Both malware strains came to light in early 2017 when Wikileaks published the Vault 7 dump, a collection of documentation files detailing the CIA's arsenal of cyber-weapons.

WikiLeaks claimed it received the files from a CIA insider and whistleblower, later identified as Joshua Schultz -- currently under trial in the US.

Weeks after the WikiLeaks Vault 7 revelations, Symantec confirmed that Fluxwire was the Corentry malware that they had been tracking for years.

"Qihoo 360 analysis found that the technical details of most of the samples are consistent with the ones in the Vault 7 document, such as control commands, compile PDB paths, encryption schemes," the Chinese researchers said -- echoing the findings of the Symantec report.

The Chinese researchers also claim they found Fluxwire versions deployed in the wild long before the Vault 7 leaks became public, with detection times matching the now-public Fluxwire changelog.

Image: Qihoo 360

Furthermore, Qihoo researchers also claim that the malware's compilation times are consistent with US timezones. Ironically, this is a common technique that US investigators have used to link malware samples back to Chinese hackers many times in the past.

Image: Qihoo 360

Qihoo 360 takes the Schulte case as opportunity to link cyber-activity to the CIA. Not much new info, except that aviation systems in CHN were targeted.



Big letdown: Attribution is almost exlusively based on Vault7 leak, and compilation timestamps:Did devs ignore CIA guidelines? https://t.co/EvbMODJfmn — Timo Steffens (@Timo_Steffens) March 3, 2020

The Qihoo report does not bring anything new to the table. Most of the information in the Qihoo report was already public knowledge that was shared and confirmed from different sources more than three years ago.

The only new information included in the Qihoo report is the specific targets that have allegedly been hacked by the CIA in China, information that was not previously known before today's Qihoo blog post.

Third Chinese vendor to call out the CIA

In its report, Qihoo referenced CIA hacking operations under the codename of APT-C-39. In reports published by other cyber-security vendors, CIA hacking operations are also tracked as Longhorn (Symantec designation) and Lamberts (Kaspersky designation).

Qihoo 360 now becomes the second Chinese security vendor to publicly blame the CIA for hacks inside China in the past six months.

In late September 2019, cyber-security firm Qi An Xin also published a similar report blaming the CIA for hacks against Chinese aviation targets between 2012 and 2017.

Rising researchers did not directly link the group to any particular country, but they nicknamed the hackers "Rattlesnake" after a snake inhabiting the southeastern parts of the United States and some parts of Mexico -- in a form of wink-nod attribution.

Calling out for retribution

But the Qihoo 360 report might also play a bigger role in the grand scheme of things and signal a change in how the Beijing government deals with the US and its offensive hacking operations.

Shortly after the report went live, news outlets known for being a mouthpiece for the Chinese regime have begun calling for "swift action" against "US institutions, including the CIA, its hacking group and personnel involved in the cyber-attacks."

"Legal and all other possible channels should be considered to remedy the damages the US attacks have imposed on Chinese institutions and the public," wrote today Global Times China.

This call for legal action against the US and CIA officers didn't come out of the blue but looks like the first steps towards retribution.

Last month, the US charged four Chinese military officers for the Equifax hack. Prior to that, the US Department of Justice frequently charged members of Chinese hacking groups, such as:

Three Chinese hackers believed to be part of a Chinese state-sponsored hacking group known as APT3

Two Chinese nationals believed to be part of the APT10 hacking group

A hacker believed to be implicated in the Anthem and OPM hacks

10 hackers (including Chinese intelligence officers) for hacks against a large number of US and European companies

The US' legal strategy for dealing with Chinese hackers has often been criticized by US-based security researchers who used to work for the NSA and other US agencies involved in overseas hacking operations -- and who now work in the private sector.

On many occasions, former NSA hackers have publicly expressed their fear that China will eventually reciprocate against the US with its own set of indictments.

Speaking at security conferences and various government panels, FBI and DOJ officials have responded that they only charged the Chinese hackers who engaged in cyber-crime and the theft of intellectual property, arguing that these actions fall outside the accepted norms of cyber-espionage, usually not the subject of any legal actions.

The Qihoo 360 report, along with the Kaspersky and Symantec reports, did not present any evidence that the CIA had broken the norms of cyber-espionage, which means Beijing might have a hard time charging any CIA officers without looking petty.

On the Qihoo 360 report:

I am much more disappointed than worried. My 8-ball says that Beijing pushed Qihoo to put their name on the line without giving them anything in return.

The result: A lackluster report that reads more like detention homework than enthusiastic research — Stefan Soesanto (@iiyonite) March 4, 2020

Updated at 5:15pm ET to add the last paragraphs on retribution.