China is publicly blaming US intelligence agencies for a late July cyber attack on the Wuhan Earthquake Monitoring Center, claiming that they left evidence behind in the form of unique and complex malware.
A senior engineer for China’s National Computer Virus Emergency Response Center (CVERC) said that the attackers planted malware backdoors in systems that gather seismic intensity data. Beyond an apparent attempt to identify underground structures, the spokesperson claimed that the attackers might have been creating a pathway for future cyber attacks intended to “fuel social panic.” This comes just weeks after anonymous US officials accused hackers backed by Chinese intelligence of installing malware “kill switches” in the utility systems that support military bases.
Cyber war of words ramps up as US intelligence agencies blamed for Wuhan attack
It has become common for Western governments and leading cybersecurity firms to link hackers working with Chinese intelligence agencies to data breaches. China generally makes statements of denial and vague allusions to US-based hackers doing the same thing, but it is much less common for it to link foreign state-backed actors to specific cyber attacks.
That appears to be changing as tensions ratchet up over Taiwan and other territory and trade issues. The attribution of the Wuhan cyber attack was followed by an announcement from Chinese authorities that a “highly secretive global reconnaissance system” run by US intelligence agencies would be exposed. This was accompanied by claims that the US has launched attacks on critical infrastructure in violation of international law.
This follows a late July report published in the New York Times, which cited a number of anonymous US officials in claiming that China has planted malware throughout military systems that is intended to disable them in the event of a direct military conflict between the two countries. The officials said that the US has been hunting down and removing this malware for over a year now, but that it is likely that the hackers still have access to utility systems and that any Taiwan conflict might be accompanied by stateside outages.
Du Zhenhua, a senior CVERC engineer, said that the cyber attack in Wuhan could have damaged a regional earthquake monitoring system and that general panic might have been caused by false reports or by failure to detect an actual seismic event. Neither CVERC nor Chinese officials commented on whether the US intelligence agencies actually attempted to cause damage during the attack or interfered with recorded data.
There is little real international law or formal agreement on cyber espionage, and it is an open secret that nearly all nations do it to each other (and in some cases to allies, or in spite of pledges and pacts). The general attitude has been to do little more than make denouncements in the media in the interest of not escalating to real-world military conflict over relatively minor cyber attacks, but nations have been forced to rethink their boundaries with the increasing instances of attacks on critical infrastructure. Given that it could not demonstrate actual damage to the earthquake monitoring systems, China’s claim of violation of international law is spurious.
This is also likely the reason for CVERC tacking on speculation about the US intelligence agencies fishing for information on potential underground military facilities. Seismic data can be used for a variety of purposes, including detecting weapons systems or nuclear tests.
Hacking programs threaten to escalate from spying to exchanges of cyber attacks
China’s foreign ministry has promoted its upcoming report on US intelligence agencies as “objective and professional,” and called US accusations of cyber attacks a “smear campaign.” Security and antivirus companies 360 Total Security and Antiy Labs appear to be involved in the report.
Open accusations of this nature from China are relatively rare, but not entirely unheard of. In May of this year, CVERC published a report accusing the US of being an “empire of hacking,” but provided little in the way of new information and mostly reiterated material from the 2017 “Vault 7” leaks published by Wikipedia. In September 2022, the Chinese government made a more direct accusation of an NSA cyber attack on Northwestern Polytechnical University. However, the US has designated it as a military university involved in warfare research and thus a legitimate target of espionage for intelligence agencies.
Accusations made by the likes of Microsoft and Crowdstrike on the US side are usually accompanied by at least some sort of collection of evidence that points to established state-backed actors. China claims that it has the sort of custom malware that is used as an identifier in these cases, but has yet to present it for more general scrutiny by cybersecurity professionals.