Discussion of state-sponsored advanced persistent threat (APT) groups tends to focus on Russia, North Korea, Iran, and above all China. FireEye currently lists 10 APT groups as being attributed to China, far more than any other country. Though there have been public examples of the United States engaging in cyber action against other countries, the country is generally left out of the discussion of APT groups. China may be looking to change that, showing a new willingness to “name and shame” US cyber incursions by publicly accusing the Central Intelligence Agency (CIA) of 11 years of cyber espionage.
The accusation is based on prior publicly known information and has little to offer in the way of hard evidence, but is noteworthy as a relatively rare public rebuke of American state-sponsored hackers and for naming an alleged CIA APT group.
America’s alleged cyber espionage
The accusation comes in the form of a report published by Qihoo 360, a Chinese security company whose antivirus and antimalware products are widely used in the country. The report claims that the CIA has targeted a variety of industries that are commonly hit by nation-state hackers: civil aviation, academic research institutions, the petroleum industry, information technology, and government agencies.
The primary source for these cyber espionage claims appears to be the Vault 7 documents that were leaked in 2017. The report names the accused leaker, Joshua Adam Schulte, as a developer of cyber weapons used against China. Schulte was recently convicted of false statements and contempt of court in the US, but the jury was deadlocked on the more serious charges of leaking information. Schulte worked as a systems engineer for the NSA from 2010 to 2016, and the Vault 7 documents that he allegedly provided to Wikileaks mostly dealt with the agency’s programs for clandestinely compromising various pieces of consumer electronics such as smart devices and vehicles.
The wording of the Qihoo 360 accusation is somewhat confusing. The report cites a specific hacking tool called Vault 7 as “the core cyber weapon” used to attack Chinese companies. This would be a new development; Vault 7 is the name given to the entirety of the document collection, which contained information about a number of different hacking tools but was not the name of any specific tool.
The report then goes on to name and describe the alleged CIA-backed hacking group APT-C-39. There is no previous reference to a group by this name; for several years APT 39 has been used to refer to a cyber espionage group backed by Iran.
Qihoo 360 does not cite any hard evidence for these claims. The primary evidence they provide is a claim that the company compared technical measures such as “control commands, compile pdb paths, (and) encryption schemes” in tools named in the Vault 7 documents (such as Fluxwire and Grasshopper) to “the pattern usually found in standardized attack organizations.” However, as Qihoo 360 appears to have invented APT-C-39 out of whole cloth, there is no verifiable data for anyone else to compare.
How substantial is this report?
The entirety of the report thus basically boils down to “trust us, we ran the numbers and it checks out” on the part of Qihoo 360. It may be an issue with translation, but iffy details (such as referring to “Vault 7” as a specific tool that Schulte developed) make the report sound like rambling nonsense at times.
The details are not really the noteworthy part, however. It is quite possible that this report was primarily intended for a low-information audience that does not really follow cybersecurity and may have only heard names like Schulte’s and Vault 7 in passing. What is noteworthy here is the public accusation of cyber espionage by a United States APT group.
The report’s core contention, that the US government is engaging in cyber espionage targeted at China, is probably not incorrect. It claims some pretty astounding capabilities, the ability to track individual flight passengers in real time and the compromise of “all private business information” among them, but nothing that would be out of reach on at least a more modest scale.
However, there is nothing in this report that can be independently substantiated – one has to take Qihoo 360’s word that not only did this cyber espionage occur, but that APT-C-39 is even a real thing.
It is widely believed that nation states, particularly the US and China, engage in covert cyber espionage against each other all the time. The norms of these engagements have largely been to keep them under wraps and not make direct accusations, however. This announcement from Qihoo may actually be a notification from Beijing that China is escalating to publicly naming US actions; the big question is whether or not those actions actually took place.