China's spies come in from the cold,
how the MSS hacked the world
By Angus Grigg and Nick McKenzie
A group of Chinese government officials had arrived over the weekend to inspect one of Australia's largest security firms.
But rather than simply admiring the artwork and taking in a Powerpoint presentation, they detoured into the firm's data centre, a highly secure room which holds sensitive information about clients, including senior officials and business leaders, and which conducts remote monitoring of dozens of landmark sites around Australia.
Recent indictments filed in US courts show the increasing sophistication of China's operations in exploiting human and technological openings to gather intelligence from other countries. Pixhall / Alamy Stock Photo
According to one Securecorp insider, the government delegation was in the data room for at least half an hour.
"I thought they were mining the data," the insider told AFR Weekend.
More than two years has passed since that incident and the Shanghai-based China Security Co was allowed to complete its $158 million takeover of Securecorp with only the mildest of concerns raised in the Victorian upper house.
But the insider was still sufficiently worried about the incident to have recently contacted AFR Weekend to express his concerns about the visit and the likelihood it was not benign. If mining data did occur, as the insider believes, it could have hoovered up much of the firm's pre-takeover information, including data that may not have survived beyond the corporate transition.
'Protected to the highest standards'
There are also worries Securecorp's ultimate Chinese owner could exploit its ringside seat in Australia. It has 96 CCTV cameras in Melbourne's CBD and security operations at everything from Westfield shopping centres to Glencore mines and the MCG. In addition, there is Securecorp's boast of being a "trusted partner in the defence industry" and its $11.5 million contract with the Australian Electoral Commission, which runs until September next year.
In a statement, Securecorp said it was not unusual for it to have visitors in its control room and these always required approval, while adding the "security of clients' data and information is of the utmost importance".
"Our information systems are protected to the highest standards using both IT and operational controls which are maintained and tested. This was the case before our sale, and remains the case today," the company said.
The worry for the insider, however, was that like all companies that operate on the mainland, China Security Co and its owners are beholden to the Communist Party for their survival and prosperity, in an environment where Beijing is continually seeking to use whatever leverage it can to expand and upgrade its intelligence-gathering capabilities.
Recent indictments filed in US courts show the increasing sophistication of these operations and how they usually involve exploiting both human and technological openings.
These pursuits have usually been led by the Ministry of State Security and, in 2010, foreign intelligence services began to recognise the agency as the leading edge in China's campaign to rapidly upgrade its economy through the theft of intellectual property.
Australia has largely stayed silent on what one intelligence official called "a constant, significant effort to steal our intellectual property" by China. BeeBright
Raid on Rio Tinto
It was the MSS, for example, that led the smash-and-grab raid on Rio Tinto's Shanghai office in 2010 according to state-media reports, seizing laptops and hard drives, and at the same time arresting the company's head of iron-ore trading, Stern Hu, for corruption.
It then used the seized equipment to infiltrate Rio's computer networks in Singapore and Perth to such a degree the networks needed to be taken offline, the ABC's 4 Corners program reported in 2010.
Like the Australian Secret Intelligence Service (ASIS), which is charged with aiding "national economic wellbeing", the MSS has taken the lead in advancing China's economic development.
But the difference, as argued by security officials, is that Australia and its allies focus on traditional intelligence gathering, while the MSS is charged with stealing commercial secrets to speed up China's development.
A former director of the National Security Agency, Keith Alexander, has described the Chinese cyber campaign as the "greatest transfer of wealth in history". Bill Hinton Photography
In more recent years, this harvesting of intellectual property has been done under the guise of antitrust or regulatory investigations, according to a former Australian official who now advises companies operating in China.
Known as the "dawn raid" phenomenon, it involves Chinese authorities using raids on foreign companies to access computer systems and harvest available data.
"Some companies now have a policy of keeping no significant IP in China and ensuring their computers aren't connected to servers which hold meaningful data," the former official said.
Compromised data
Another senior national security official says other companies operate on the assumption that any data held in China will be compromised.
"These companies decide what is really important information and they work to secure that," he said. Other company data is then treated as if it is, or will be, compromised.
Several large Australian mining companies provide their executives with laptops and phones they use only while in China.
These behaviours reflect the new normal in China. It's an operating environment that also throws light on previous investments in Australia by Chinese companies.
For instance, the 2016 acquisition of Securecorp was not subject to approval by the Foreign Investment Review Board as it was valued at less than $261 million. That threshold remains today, but since that time, awareness of IP theft and data hacking has exploded. The head of FIRB, David Irvine, has said he will have a much greater focus on "data protection" in foreign acquisitions.
As The Australian Financial Review has revealed, the MSS has overseen a surge in cyber attacks on Australian companies over the past year in breach of an agreement between Canberra and Beijing to not steal each others' commercial secrets.
In addition, internet traffic heading for Australia was diverted via the mainland over a six-day period last year, in what some experts believe was an attempt to steal data.
The American approach
Australia has largely stayed silent on what one intelligence official called a "constant, significant effort to steal our intellectual property", due to fears of sabotaging the $116 billion trade relationship with Beijing.
In contrast, the US – which is far less dependant on Chinese trade and has much more leverage over Beijing than Australia – has been far less restrained.
A former director of the National Security Agency, Keith Alexander, has described the Chinese cyber campaign as the "greatest transfer of wealth in history".
The current assistant Attorney-General for National Security, John Demers, said the theft of intellectual property was "part of an overall economic policy of developing China at American expense".
"We cannot tolerate a nation stealing our firepower and the fruits of our brainpower. We will not tolerate a nation that reaps what it does not sow," he said on October 10.
Mr Demmers' words followed the US Justice Department charging MSS operatives and members of their team with attempting to steal sophisticated engine technology for civilian aircraft.
The indictment, a rare example of the US seeking to prosecute Chinese operatives for their behaviour, gave an insight into how the MSS operates.
Insight into methods
Over three indictments, officers from the Federal Bureau of Investigation revealed some of the methods used by the MSS.
The indictments showed how the MSS pushed much of its operational responsibilities down to a provincial level, in a similar manner to how the Communist Party does with most government functions.
In this case it was the Province of Jiangsu, outside Shanghai, that was charged with stealing proprietary technology for a "turbofan engine used in commercial jetliners".
Geography was the main determinant. Given the French/US joint venture had a factory in the province, the Jiangsu State Security Department (JSSD), a regional branch of the MSS, was tasked with the job.
According to the indictment, the operation was carried out by two MSS agents, a division director and section chief. They had six hackers at their disposal, who went by names like "Cobain", "Leanov", "Fangshou" (Defence) and "Le Ma" (Happy Mum).
But most worrying for any foreign enterprises operating in China was that the MSS relied heavily on local employees of the French and US company to install malware, used for cyber intrusions and to provide information.
These staff were effectively recruited by the MSS and would have had little choice but to co-operate.
Seizing on mainland mistake
The indictments also reveal while the MSS was careful in its communications outside China, it took few precautions on the mainland.
This was clearly a mistake and the US was able to access text messages, which now form part of the criminal case against the group.
Analysts believe the MSS has been active in this area for much of the past decade, but has been overshadowed by a cyber unit within the People's Liberation Army.
Known as Unit 61398, it was famously outed by security consultant Mandiant in 2014 as the primary group seeking to harvest commercial secrets from multinational companies.
But since Chinese President Xi Jinping restructured the military in 2015, the PLA is believed to have largely retreated from the gathering of commercial secrets.
"The PLA was noisy and kept getting caught," said Peter Mattis, a former counter-intelligence analyst at the CIA.
"Its efforts to steal commercial secrets were also becoming a distraction from its main role in seeking military intelligence."
Huge scale of state-sponsored hacking
That has cleared the field for the MSS, which has been linked by cyber-security firm CrowdStrike to the actors called "advanced persistent threats", as they they work over months or years, adapt to defences and often strike the same victim multiple times.
One of the most active Chinese state-sponsored adversaries has been dubbed "APT10" or "Stone Panda".
It is among 44 named actors out of China, identified by CrowdStrike, compared to 31 from Russia and five from North Korea.
While there are hundreds more that have not been named, as they have not been detected or are not sufficiently active, the list shows the scale of Beijing's state-sponsored hacking effort. When combined with evidence from the indictments, the picture is one of sophisticated technology combining with insiders to harvest some of the world's most valuable intellectual property.
Worryingly for authorities, the indictments deal with tactics that are at least five years old. Since then, officials say, China's willingness to adhere to anti-industrial espionage pacts has declined as its technological capability has improved.
No comments:
Post a Comment
Comments always welcome!