‘Byzantine Hades’ shows China’s cyber chops

Cyber espionage attacks from China are nothing new, but public awareness of the attacks is growing.

A report by news service Reuters published last week warned that Chinese spies, affiliated with the People’s Liberation Army, are stealing massive amounts of data from the systems of Western governments. Information about the nearly decade-long series of attacks, dubbed “Byzantine Hades,” appeared in the U.S. State Department memos leaked by Wikileaks last year. A November 2008 memo pointed to the most recent series of attacks, a subset of the operation referred to as “Byzantine Candor,” as targeted operations against the U.S. government using social engineering and malicious attachments and links in e-mail messages.

“BC actors typically gain access with the use of highly targeted socially engineered e-mail messages, which fool recipients into inadvertently compromising their systems,” the memo stated. “The intruders then install malware such as customized keystroke-logging software and command-and-control (C&C) utilities onto the compromised systems and exfiltrate massive amounts of sensitive data from the networks.”

Attacks on government agencies and U.S. companies emanating from China are not new. In 2010, Google blamed China for a series of attacks that compromised the U.S. search giant and other companies. While initial reports said that nearly three dozen companies were breached, one intelligence official told Reuters that thousands of companies were targeted by the operation, dubbed Aurora by security firm McAfee.

While the Reuters report argues that China is leading the cyber espionage race, the United States capabilities are largely unknown, says Tim Belcher, chief technology officer for security firm NetWitness.

“To think that we don’t have mature state capabilities, is naive,” Belcher says. “I think where the difference is that most of the rest of the world don’t make the distinction between commercial and government targets. They don’t look at Google as a private company; they look at Google as an extension of the U.S.”

The memos say that attacker linked with the People Liberation Army use compromised systems at Internet service providers from which to launch their attacks. A consensus of U.S. and German intelligence officials indicated that the majority of attacks using so-called spearphishing tactics, using tailored e-mails sent to a single person to increase the chance of compromise.

Over the course of a year, more than 500 targeted attacks hit a variety of German organizations and agencies, according to the November 2008 memo citing the German Federal Office for the Protection of the Constitution. Like targeted attacks against U.S. agencies and non-governmental organizations, the source of the e-mails appeared to be trusted parties and contained information of interest to the recipient, the memo states.

“I think it is certainly escalating,” Belcher says. “Part of it could be that we are detecting more of it. It is dramatically underestimated in terms of how many companies around the world have problems like this — it is now more (have been attacked), then not.”