Written by Sean Lyngaas
China is increasingly tolerant of criminal hackers on its soil if they are willing to hack on behalf of the Chinese government, a senior U.S. Justice Department official has alleged.
Recent U.S. indictments of accused Chinese hackers indicate that the country “has become a safe haven for cybercriminals as long as they’re also doing work on behalf of the state,” John Demers, the assistant attorney general for national security, alleged in an interview for CyberTalks, the annual summit produced by Scoop News Group. “That’s very worrisome…because now you’ve got a country that’s giving free rein to criminal hackers.”
It’s an accusation that U.S. government officials and security researchers have frequently leveled against Russia, as well. The blend, though, of criminal and state-sponsored activity in China will make it even more difficult for U.S. companies to defend themselves, Demers said.
A spokesperson for the Chinese Embassy in Washington, D.C., called the allegations “groundless,” adding: “China is a staunch guardian of cyber security and one of the biggest victims of hacking.”
Two U.S. indictments unsealed in September charged five Chinese nationals with conducting computer intrusions for personal profit, but also with hacking students in Taiwan and Hong Kong, actions traditionally associated with state-sponsored activity. One of the men charged allegedly claimed protection from the Ministry of State Security, China’s civilian intelligence agency. That is “similar to what we saw the Russians doing with hackers in the past, that kind of a bargain that they’ll make with these criminal hackers,” Demers said.
While Russia’s cybercriminal underground gets more public attention, there are also forums in China where malicious hackers trade tools and tips. One of the most notable schemes saw Chinese hackers allegedly defraud Facebook users of $4 million by installing malicious software on computers and buying up Facebook advertisements. Facebook said the perpetrators did not appear to have any affiliation with the Chinese state.
The U.S. indictments were revealed about a year after security company FireEye exposed the alleged Chinese state-backed espionage group known as APT41. The FireEye report helped lift the veil on Chinese hackers’ alleged moonlighting, suggesting where espionage might end, and where self-enrichment seemed to begin. U.S. prosecutors invoked the APT41 label in the recent indictment.
Demers also said that Chinese espionage campaigns have been using front companies to try to cover their tracks, a tactic that Iranian hackers also have allegedly used. Three of the men who were recently indicted worked for what was ostensibly a China-based cybersecurity company called Chengdu 404 Network Technology. But behind public statements that they provided security testing for companies, Chengdu 404 employees were allegedly hacking government networks in India and Vietnam using “commercial penetration testing tools,” according to the indictment.
“Attribution is hard and nation-states and obviously criminal hackers will try to make it harder. But it’s still very doable,” Demers said.