Ensconced in a single room, their laundry hung out to dry next to the window-sill behind their spartan desks, the young men might have been college students, preparing for an exam. In some senses, they were. Tan Dailin—‘Wicked Rose’ to his online friends—had dropped out of the Sichuan University of Science and Engineering; most of those in the room were fellow students. That modest workspace in Sichuan’s Zigong, though, was also the improbable incubator for what researchers Ken Dunham and Jim Melnick have called a “significant global threat”, its members waging an unprecedented campaign of blackmail, spying and sabotage.
Last month, researchers at Boston-based Recorded Future revealed that a cyber-espionage ring it calls RedEcho had targeted Indian power infrastructure as the crisis along the Line of Actual Control began to escalate in the summer of 2020. Following these revelations, fresh concerns emerged about cyber-espionage targeting Indian vaccine research and production.
The government has said it detected the power-sector attacks in November 2020 and succeeded in ensuring no actual damage was caused. There are good reasons to fear, though, that similar intrusions have hurt India in the past—and better-than-even odds they will do so again.
The researchers determined that this summer’s cyber-attacks used technologies first created by APT41, a group that emerged from the efforts of the Zigong hackers who got together in 2006. Indictments filed by the United States Federal Bureau of Investigation help explain how the group grew—and why its successors still flourish.
What is Chengdu404?
From their one-room tenement, the hacker network in Zigong graduated to the antiseptic, blue-and-white offices of a company that called itself Chengdu404. The cyber-security company claimed to specialise in providing network security tools, data analytics and mobile phone forensics. Its star product, called SonarX, allowed its clients to harvest and analyse gargantuan amounts of open-source data, from sources like social media posts.
The élite team that would come to be known as APT41—among them, Jiang ‘Blackfox’ Lizhi, Qian ‘Squall’ Chuan, Fu ‘StandNY’ Qiang, as well as independent hackers like Zhang Haoran and Tan ‘Wicked Rose’ Dailin—in fact spent much of their time creating tools that would let them steal information from computers across the world. In some cases, APT41 demanded ransoms to return the data; in others, they sold their digital treasure to customers.
The hackers intruded into the computer systems of more than 100 companies in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam. In one case, they hacked a non-profit organisation dedicated to combating global poverty.
Working with Malaysian nationals Wong Ong Hua and Ling Yang Ching, APT41 also targeted the video game industry in the United States, France, Japan, Singapore, and South Korea. In addition to stealing items that could be resold to gamers, like points and powers, these networks engaged in what has become known as ‘cryptojacking’—using compromised systems to mine cryptocurrencies like Bitcoin.
Like many of its counterparts, Chengdu404 advertised that it worked with “public security, military and military enterprises”. Chengdu404’s website also proclaimed that the company was driven by “patriotic spirit”.
Exactly what that meant is clear from a conversation between Blackfox and a hired hacker, which took place in 2012. The project he’d been handed, the hacker said, involved doing things that might attract the attention of China’s national police; if that happened, he couldn’t even “get out of Sichuan”. The answer, Blackfox replied, was not to “touch domestic stuff anymore”. Chengdu404, he went on, had excellent ties to China’s intelligence services, which would provide protection except in the unlikely event “something very big happens”.
The company’s success, Blackfox explained, “was the classic example of maintaining low-key”.
FBI investigators determined that APT41 “compromised foreign government computer networks in India and Vietnam, and targeted, but did not compromise, government computer networks in the United Kingdom”. There are no ongoing criminal proceedings in India relating to this attack, though; its specific target has never been revealed.
What is China doing about the FBI charges?
Perhaps unsurprisingly, Beijing has shown no interest in acting on the FBI’s indictments; China flatly denies it supports hackers. In addition to APT41, there are now multiple networks conducting similar operations: Tonto Team, Icefog, KeyBoy, Tick and, of course, RedEcho.
Ever since the rise of organised human societies, leaders have attempted to steal each other’s secrets; sabotage, blackmail and subversion aren’t exactly unfamiliar to intelligence services, either. In this sense, the cyber world is no different from the real world. As the world has grown increasingly networked, cyber-espionage—mining the computers of adversaries for technology and information—has become increasingly attractive.
So, too, have forms of cyber-warfare, ranging from low-grade strikes intended merely to signal the ability to cause greater harm, to the outright destruction of critical infrastructure, like the Stuxnet attack on Iranian nuclear centrifuges in 2010.
“Ascending states”, the scholar Magnus Hjortdal has noted, “have much to gain from an offensive and aggressive cyber-capability”. “The Chinese cyber deterrence is a strategically intelligent solution that is quite cheap, compared to a full-scale conventional military”.
The United States also runs large-scale cyber-operations against both allies and adversaries. In 2011 alone, documents leaked by National Security Agency defector Edward Snowden revealed, it carried out 231 offensive operations, targeting China, Iran, North Korea and Russia. The scale of United States capabilities is known to have expanded significantly since. Indeed, even as evidence mounts of China’s state-sponsored hacking, Beijing has complained of increasing targeting by its adversaries—likely with good reason.
Large investments are being made by several key states in expanding their cyber-operations capabilities. North Korea, today, is estimated to run a state-funded network of up to 6,000 full-time hackers, hand-picked for training at premier institutions like the Kim Il-Sung University, Kim Chaek University of Technology, and the Command Automation University.
North Korean hackers were discovered to have been stealing Indian nuclear secrets in 2019. Those hackers targeted laptops held by former Bhabha Atomic Research Centre chief Anil Kakodkar and former Atomic Energy Regulatory Board head SA Bhardwaj. The North Korean team conducted digital surveillance which determined only these two laptops had access to both the internet and to highly-guarded internal systems. They used a plausible scientific paper to hide the sophisticated D-Track malware, developed exclusively by the Lazarus ring.
The Chinese plans
Expert Zi Yang has reported that China plans to set up at least four world-class cybersecurity institutions to meet its growing offensive and defensive needs. “While recruiting normally happens at college-freshmen lecture halls or hacking competitions”, Zi wrote, “some institutions including Xidian University have expanded their scouting network to secondary schools in search of promising candidates”.
India isn’t innocent in these arts. Last year, internet safety firm Trend Micro identified multiple attacks on military and government targets in China, Pakistan, Nepal and Bangladesh by an Indian hacking network it called Sidewinder, which phished for targets’ login credentials. The RedEcho report claims Sidewinder targeted the Chinese government and military entities as tensions escalated in Ladakh—mirroring that country’s cyber-espionage efforts.
The vulnerabilities of computer networks aren’t exactly news. In 1994, teenage music student Richard ‘Datastream Cowboy’ Pryce successfully broke into hundreds of computers, including those at the United States’ Griffiss Air Force Base, the National Aeronautics and Space Administration and the Korean Atomic Research Institute. In 1998, two California schoolchildren succeeded in penetrating United States Department of Defence computer networks.
Even though New Delhi has sought to expand both its defensive and offensive capabilities over the years, progress has been patchy. Few private-sector corporations, and even fewer government bodies, have been willing to make the expensive investments in technology and employee awareness needed to secure themselves. Large swathes of the country’s technology talent, moreover, end up overseas, as a result of an anaemic ecosystem for sustaining their work at home. There’s also a shortage of the language specialists and analysts needed to make sense of data gathered through cyber-espionage operations.
Last week’s revelations on India’s power-sector vulnerabilities, though, should be a wake-up call. Greater partnership between India’s private sector and the government on building the capacities needed will be critical.