A series of cyberattacks against Western think tanks and nongovernmental organizations appear to be attempts by the Chinese government to gain insight on the military strategies of Western governments, according U.S. cybersecurity firm CrowdStrike.
In a blog post published Wednesday, CrowdStrike said it observed Chinese hackers trying to break into the servers of six different Western organizations in October and November, marking an uptick in cyberattacks originating from China in recent months.
CrowdStrike researcher Adam Kozy writes that in the recent attacks, the “adversaries specifically targeted the communications of foreign personnel involved in Chinese economic policy research and the Chinese economy, as well as users with noted expertise in defense, international finance, U.S.-Sino relations, cyber governance, and democratic elections.”
CrowdStrike Vice President of Intelligence Adam Meyers told CyberScoop that, given the information the attackers appeared to be after, the efforts were likely coordinated by Beijing. A mix of both U.S. and European-based organizations were targeted, said Meyers.
“Based on the information they’re collecting, it’s certainly information that would be of value to the [Peoples’ Republic of China] leadership and the [Peoples’ Liberation Army] leadership,” said Meyers.
CrowdStrike says that the attackers searched for terms such as “china”, “cyber”, “japan”, “korea”, “chinese” and “eager lion” after they had compromised a network. Eager Lion is an annual military exercise the U.S. holds in Jordan with several other allies. Meyers said the appears of these terms suggests the hackers were likely looking for information on how the U.S. coordinates with other governments’ militaries.
“Understanding how does the U.S. integrates and interacts with other militaries in a joint operation capacity is something that you can derive from Eager Lion,” Meyers said. He added that the way in which the attacks were propagated is characteristic of past Chinese cyber espionage operations.
“The tools, the techniques, the infrastructure that they use are consistent with Chinese adversaries that we track and associate with the nation state,” Meyers said. “It’s reflective of someone that’s doing this professionally versus someone that’s doing this as kind of an enthusiast or patriotic hacker.”
Meyers said the consistency and timing of these attempts supported his conclusion of nation-state hacking.
In one particular intrusion attempt, the attackers were repeatedly denied access to a single think tanks’ server for four days in a row. The suspected target stored valuable data about an “ongoing research project.” After continued failure, the attackers finally “signed out and a separate host began conducting a low-volume [distributed denial-of-service] attack on the think tank’s website,” a CrowdStrike blog post reads.
The report noted that the use of a DDoS attack is atypical for an espionage operation, and in this case it seemed to have come out of frustration.
“It looked to them like they were having some degree of success but got cut off. As this was going on, to the operator I think this became frustrating. It seemed like it could have been a retaliatory or retributive attack – that they wanted to disrupt this organization’s website because they were frustrated that they couldn’t get what they needed,” Meyers explained.
Meyers drew a link between the information the hackers sought and recent military exercises China has been conducting in the disputed South China Sea. The country’s air force has been flying military aircraft over the sea and near Taiwan, a state over which the PRC claims sovereignty and previously threatened to take by force should it declare independence.
“In the event that the Chinese did try to take the island of Taiwan by force, if there was to be a response, it would likely involve the U.S. and Japan,” Meyers said.