A joint report from China’s National Computer Virus Emergency Response Centre (CVERC) and cybersecurity firm 360 accuses the US Central Intelligence Agency (CIA) of aggressively hacking China and other countries with advanced cyber weapons, with the goal of fomenting “color revolutions” to install more friendly governments.
The claims come not long after document leaks by a US airman indicated that US intelligence is spying on the internal communications of its allies, including South Korea and Ukraine. The report claims that Chinese researchers have captured an assortment of trojans and malware used by the CIA and that the agency makes use of botnets and zero-days to attack targets around the world.
China claims to have captured CIA cyber weapons
The report claims that the CIA has built a global network of these cyber weapons since 2015, fielding “zombie botnets” and planting “stepping stones” for attacks around the world. The primary goal is what it calls “peaceful evolution” or the formation and support of popular revolutions aimed at regime change in target countries, a charge that is often levied at the US by rivals such as China and Russia.
In terms of specifics, the report points to a tool called “Riot” meant to keep anti-government forces in communication when the internet is not available or is heavily monitored. It calls this a “variable WiFi” tool, presumably some sort of localized mesh network, though there appears to be little to no other public information about this tool to shed more light on the claims. The report also claims that the CIA has tools for monitoring internet communications on foreign soil during rallies and parades, and that it provides encrypted network communication services to protesters in Middle East nations.
Much of the information about offensive cyber weapons seems to be based on previous material released by Wikileaks in 2017. The “Vault 7” files consisted of leaked internal CIA documents spanning from 2013 to 2016, provided to Wikileaks by a software engineer for the agency’s developer network. The files documented classified CIA tools used for compromising the firmware password protection of Apple devices, obfuscation of agency malware to conceal the source, attacks used to compromise Windows systems and specific web browsers, and a tool called “Weeping Angel” capable of putting certain early smart TV models into a false power-off mode in which cameras and microphones can continue to operate, among numerous other items.
The report also alleges that the CIA has been involved in the attempted overthrow of at least 50 governments, though this appears to be a claim that spans the entire history of the agency rather than a recent development. China and other world governments that are hostile to the US have been known to make the claim of covert involvement by the US and its intelligence partners in color revolutions, using the agency’s documented history of involvement in foreign coups and election meddling in its earliest years as a basis of authenticity.
CVERC claims reflect reports on China’s own advanced persistent threat groups
The CVERC report sounds much like the regular threat analysis updates that come from cybersecurity firms like Mandiant and CrowdStrike, and may be a direct response to these bulletins. China is thought to field dozens of APT groups that use similar cyber weapons and engage in a variety of missions around the world, and recent warnings have indicated that these teams are developing an assortment of new capabilities (including direct targeting of satellites in a bid for space and communications superiority).
For a long time there has been a conspicuous absence of Western APT groups from the lists maintained by these security firms. Western nations do not really deny using similar cyber weapons against their rivals (and on occasion their allies, as leaks have revealed), but draw a distinction in that they claim not to engage in the assortment of illegal activities against civilian targets that the documented APT groups partake in. There are odd occasions of a US-linked APT group being mentioned by security firms, however, such as Symantec’s description of the “Longhorn” team observed to be using the techniques outlined in the Vault 7 documents in at least 16 countries. Russia-based Kaspersky also appears to be less shy about naming and shaming teams thought to be affiliated with Western governments, such as the NSA-linked “Equation” group thought to be active since at least 2001.
This is also not the first time China has accused the CIA of large-scale hacking. In 2020 there was a very similar incident in which the Chinese Foreign Ministry and domestic security firm Qihoo claimed that the CIA had been deploying cyber weapons indiscriminately in the country for 11 years and had targeted airlines, internet service providers and gas companies among others.