Sunday, March 12, 2017

How China's Night Dragon cyber army has infiltrated every corner of Britain:

How China's Night Dragon cyber army has infiltrated every corner of Britain: Forget Edward Snowden... a chilling new book by the BBC's top security expert lays bare the biggest internet hack in history


  • Whistleblower Shawn Carpenter uncovered Chinese cyber-espionage ring
  • Special units of the People's Liberation Army stole secrets from the West
  • Code-named Titan Rain, it is the biggest cyber espionage hack in history
  • Elite group of hackers plundered secrets from 141 companies in the West

Back in May 2004, Shawn Carpenter, a computer intrusion expert at Sandia National Laboratories – which work on the USA's nuclear weapons programme – began investigating a cyber security breach.
He had seen similar attacks on defence giant Lockheed Martin, which controls Sandia. Whoever was behind them was good – grabbing what they wanted in moments and always leaving a backdoor open so they could return.
Carpenter used a technique called 'back-hacking' to pursue the attackers online, all the way through Hong Kong, Taiwan and South Korea where they stashed their stolen files to their source – Guangdong in southern China.
Scroll down for video  
Titan Rain - the biggest cyber espionage campaign in history - allowed China to plunder priceless military and commercial secrets from the West
Titan Rain - the biggest cyber espionage campaign in history - allowed China to plunder priceless military and commercial secrets from the West
Carpenter installed code on the hackers' machine which sent an email every time they were active. Two weeks later, he had 23,000 messages. This was much more than one individual. It was a huge team working all hours.
Carpenter had uncovered Titan Rain – the biggest cyber espionage campaign in history, and part of a programme which allowed China to plunder priceless military and commercial secrets from the West.
Special units of the People's Liberation Army stole secrets ranging from America's stealth bomber blueprints and Coca-Cola's business strategy to British Government briefings and BP geological reports.
Titan Rain's reach was vast. Terabytes of data on the B-2 Spirit stealth bomber and the F-35 Joint Strike Fighter had been stolen from companies including BAE. 
There were at least 500 significant intrusions into the US military. The blueprints for planes, space-based lasers, missile navigation and nuclear submarines had all been stolen. One American said there was not a defence contractor that had not been penetrated.
And it was not just America. An email arrived in the London inbox of a Foreign Office diplomat in October 2003 purporting to come from a Tibetan group campaigning for autonomy from China. An attachment hid a malicious Trojan horse virus that allowed access to parts of the Foreign Office network.
Special units of the People's Liberation Army stole military and commercial secrets from the West
Special units of the People's Liberation Army stole military and commercial secrets from the West
Never revealed before, this was the first serious known intrusion into British Government systems. Officials won't name who they think was responsible, but the email came from Beijing.
The more analysts began to look, the more they found. Britain's cyber security watchdog at the time, the National Infrastructure Security Co-ordination Centre (NISCC), warned in June 2005 that the Government and nearly 300 critical businesses – in defence, telecoms and national security – had been hit. But the Foreign Office forbade it from mentioning China for fear of the diplomatic impact.
At the same time a vast Chinese company – which the US had kept out for fear of espionage – was entering into the heart of Britain's technological infrastructure. Fears that it could be a secret information gateway to Beijing led to a secret centre being set up in Oxfordshire to make sure our network remains secure.
Old-school espionage involved breaking into an office to steal files, but modern spying has adapted. The first step is emailing someone at the target organisation, perhaps posing as a colleague, and tricking them into downloading an attachment that allows hackers into the system.
One specialist will search for likely targets, another remotely copies and removes files to an anonymous electronic 'safe house'. Information is then retrieved by spies in Shanghai, Moscow, Tel Aviv or even Cheltenham, home to GCHQ.
The beauty is that this can be done from the other side of the world – and if you are lucky, no one will ever know you were there.
The most notorious group of cyber-spies was code-named APT1 – investigators found evidence of them in the systems of 141 companies in the English-speaking world.
Once inside, APT1 hackers stayed for an average of 356 days – and in one case roamed for a remarkable four years and ten months.
A new drug or aircraft engine costing millions in research can be siphoned off in a few moments.
Western experts started talking about heavily protected Chinese research institutes and the companies linked to them suddenly making huge leaps forward. US experts point out that China achieved the advanced skill of making a submarine move quietly far faster than the US or Russia.

The most notorious group of cyber-spies was code-named APT1 – investigators found evidence of them in the systems of 141 companies in the English-speaking world
The Chinese J-20 stealth aircraft arrived around a decade after Chinese hackers compromised a US research facility. And when Coca-Cola was negotiating the multi-billion-dollar purchase of a Chinese company, the APT1 group is believed to have got hold of its negotiating strategy. The bid failed.
A different campaign by a group called Night Dragon targeted BP, Shell and Exxon in search of highly valuable geological data about gas and oil prospects – gold-dust to resource-hungry China.
The language was apocalyptic: 'The greatest transfer of wealth in history' is how Keith Alexander, then-director of America's National Security Agency, described cyber espionage in 2012. Others feared as much as a trillion dollars worth of damage. But by following the data trail left by APT1, investigators tracked them to a door in a down- at-heel part of Shanghai that housed Unit 61398 of the People's Liberation Army. Inside, hundreds worked in a 130,000 sq ft building.
One blog posting by a 25-year-old hacker described a world of long hours, low pay and boredom. He wore a uniform but lived in a dorm and had little time for anything other than work or surfing the internet. 'I want to escape,' he wrote.
GCHQ and the NSA spied on the spies, remotely switching on the webcam of an attacker's computer to see them at work. In 2014, the US Department of Justice took the unprecedented step of charging five members of PLA 61398 with hacking. The FBI issued 'Cyber's Most Wanted' posters featuring photos of the hackers, including one who used the pseudonym UglyGorilla. In a deliberately provocative move, two were pictured in PLA uniform.
Meanwhile, Western companies rarely admit they have been breached. Such an admission would hit the share price straight away, while the actual cost in terms of intellectual property theft may not become apparent for years. By then, directors will almost certainly have moved on, their bonuses intact. But the final cost can be immense.
In 2004, a British employee of the Canadian telecoms giant Nortel became curious about a senior executive downloading documents connected with his work. When he emailed to offer help, the executive replied tersely: 'I don't know what you are talking about.'
Keith Alexander, the then-director of America's National Security Agency, said it was 'the greatest transfer of wealth in history'
Keith Alexander, the then-director of America's National Security Agency, said it was 'the greatest transfer of wealth in history'
Nortel alerted security expert Brian Shields, who found hackers had used the accounts of seven executives in Canada to send more than 1,500 documents to China over the previous six months – with evidence of theft going back to 2000. Shields was already aware of the threat – Nortel had been trying to get into the Chinese market since the 1990s when concerns became immediately apparent. One executive suspected his faxes were being monitored. Others had their luggage searched and laptops examined.
Shields was also part of the Network Security Information Exchange, bringing together governments and the private sector. Lockheed Martin, Boeing, Cisco and British Telecom met the FBI, CIA, NSA and Britain's Centre for the Protection of National Infrastructure (CPNI) in Washington every other month.
Their discussions are classified, but there's little doubt they were dominated by the emergence of a large-scale, sophisticated Chinese threat. Shields reported back to his superiors that the Chinese were stealing everything: research and development, pricing and sales plans, customer information. At the time, Nortel was losing contracts to a new Chinese company, Huawei, which consistently bid 30 per cent less to do the same work.
It is impossible to blame cyber espionage for Nortel's decline and Huawei's rise – the company has come from nowhere to being perhaps the largest telecoms equipment company in the world, doing everything from selling smartphones to laying fibre-optic cables in the ocean.
Shields does not believe Huawei itself was hacking Nortel – he thinks the Chinese state was responsible. Yet the result was the same – Nortel began to fall apart. Shields lost his job to cost-cutting, but not before drafting a 15-page letter to the chief executive: 'I am certain the Chinese are inside Nortel's network,' he wrote. 'They have free rein to take whatever they want and have for a long time… unfair Chinese competition is running this company out of existence.'
It was too late. In January 2009, Nortel – which employed 90,000 worldwide and once made up a third of the value of the Toronto Stock Exchange – filed for bankruptcy.
In Britain, spies faced a new headache within months of the rogue Tibetan email to the Foreign Office in 2003. Huawei was signing a major deal to work with BT and there was confusion in Westminster about what to do. Some warned of the dangers, but it was only after the deal was signed that concerns –reported in this newspaper – grew that China could use Huawei to spy on communications, or hit a 'kill switch' to turn them off completely.
On the third floor of a nondescript office in a business park in Banbury, Oxfordshire, two thick doors costing £30,000 each reveal that it is secured to 'List X' standard – and cleared to contain classified information.
The first door takes you into a room reminiscent of most offices. Behind an everyday reception are a few cubicles where people tap quietly on laptops. But electronic equipment must be stored in lockers, passes swiped, and a PIN entered in order to go through the second door. This inner sanctum is Top Secret: and no one from China is allowed to enter unescorted.
Canadian telecoms giant Nortel contracts to a new Chinese company, Huawei (pictured), which consistently bid 30 per cent less to do the same work
Canadian telecoms giant Nortel contracts to a new Chinese company, Huawei (pictured), which consistently bid 30 per cent less to do the same work
The Cyber Security Evaluation Centre – or The Cell – is paid for by Huawei and is the front line in a global debate over computer security which pits China against America, with Britain in the middle. Fear of espionage has kept Huawei out of America's telecoms infrastructure. This is the place where Britain tries to ensure it has not made a mistake by letting it in.
The inner sanctum is where the telecoms kit Huawei plans to install in Britain is tested: its code analysed and hardware – mobile phone base stations and the like – taken apart, photographed and weighed in a search for modifications.
Further inside, there is a locked steel cage, monitored by CCTV, holding a single computer terminal. This is the company's most precious asset, the source code that runs its equipment. A one-way diode means the encrypted code can flow into the computer to be examined, but not out. A two-man rule operates, so a Chinese employee of the company has one half of the password to decrypt the material, a security-cleared Briton has the other.
Pictures from the CCTV are beamed to Shenzhen, home of Huawei's headquarters, a vast campus in a place that has gone from small border town to a metropolis of 15 million people in a generation.
Its network control centre looks like mission control at Nasa. Dozens of operators watch screens which display the flow of much of the world's communications. Nowhere is the sense more clear that Huawei is everywhere.
'When you walk around the Huawei campus, you are staring into China's future,' wrote one US diplomat. A visiting Western executive had a different thought: 'We're screwed.'
Huawei has always denied espionage and points out that being caught spying would be commercial suicide. The same would apply to hitting a kill switch.
Yet a document called the National Risk Register outlines what could happen to Britain if it did. A section, called 'transition to war', relates to the possibility of China shutting Britain down by switching off all Huawei kit (and it would not necessarily need the connivance of the company to do so). This could take down as much as half the British network for days.
Two years ago, Britain's Intelligence and Security Committee's report on Huawei was overshadowed by Edward Snowden's revelations about Western spying, which has dominated the debate over cyber spying ever since.
In the past few days, however, Washington revealed that the personal records of four million government employees had been stolen. The source of the cyber espionage, they suggested, was China.
  • Intercept: The Secret History of Computers and Spies by Gordon Corera is published by Weidenfeld & Nicolson on June 25, priced £20. 
  • Offer price £16 (20 per cent discount) until June 28, 2015. Order at www.mailbookshop.co.uk – p&p is free on orders over £12.