Chinese Hackers Stole Diplomatic Cables, Report Says. Here’s How They Did It
Chinese hackers have reportedly compromised a network used by European Union countries to relay diplomatic messages, allowing the intruders to spy on sensitive correspondence about everything from foreign policy to trade to weapons. The intrusion into the EU network, known as COREU, was part of a coordinated cyber-espionage campaign that also breached more than 100 organizations, including the United Nations, various ministries of foreign affairs, labor unions, and think tanks, according to Area 1, a cybersecurity firm based in Redwood City, Calif.
In a report published on Wednesday, Area 1 said hackers infiltrated computer systems belonging to the Ministry of Foreign Affairs of Cyprus, and then used that foothold to gain access to the COREU network which they looted for classified messages of other countries. The spies swiped thousands of diplomatic cables relating to subjects such as nuclear proliferation, arms control, human rights, regional diplomatic talks, and other international matters.
“The Council Secretariat is aware of allegations regarding a potential leak of sensitive information and is actively investigating the issue,” a spokesperson at the press office for the European Council told Fortune in an email. The spokesperson said the office “does not comment on allegations nor on matters relating to operational security,” and added that the council “takes the security of its facilities, including its IT systems, extremely seriously.”
In the stolen cables, whose contents were reported by the New York Times, European diplomats fret about matters like President Trump’s conduct towards China and, in one case, describe a meeting between Trump and Russian President Vladimir Putin as “successful (at least for Putin).”
The United Nations and the AFL-CIO were separately pillaged as part of the same espionage campaign that targeted COREU, Area 1 said in its report. The authors pointed to logs of activity on affected computers and other technical details to make the case these organizations had fallen victim to a single ongoing spy operation.
Farhan Haq, deputy spokesperson for the Secretary-General of the UN, said the organization “has no information” about the alleged breach. “When cyberattacks and attempted intrusions occur they are generally only reported internally, and for most incidents the United Nations does not have sufficient information to conclusively attribute such attacks,” he said.
Josh Goldstein, communications director for the AFL-CIO, said the union was “aware of a previous breach in security protocols.” But he downplayed the situation, insisting that “we were able to fix the vulnerability that was used and verify that no data was compromised.” Officials from Cyprus declined to comment.
The statements jar against information contained in the Area 1 report, which purports to show evidence of data copied and lifted from internal networks.
Oren Falkowitz, Area 1’s CEO and cofounder, told Fortune that his team, aided by its global network of sensors, detected the intrusion into the European diplomatic cable network in late November. The team then investigated the breach and traced its perpetrators’ activity to a string of breaches dating as far back as April 2015.
A former National Security Agency and U.S. Cyber Command officer, Falkowitz said he alerted United States authorities, including the Federal Bureau of Investigation, about his team’s findings on Dec. 10.
Falkowitz and his team said they have attributed the breaches to China’s Strategic Support Force, a hacker unit of the People’s Liberation Army. He said the attackers’ technology and tradecraft, some of which is detailed in the report, matched Beijing’s style.
“Our attribution of this campaign is based on extensive technical analysis and over a decade of experience countering Chinese cyber operations,” said Blake Darche, chief security officer and cofounder of Area 1, who formerly worked at the U.S. National Security Agency.
Press officers for the Chinese embassy in Washington, D.C., did not respond to emails seeking comment.
The attacks all followed the same template.
Each used standard phishing methods to steal the login credentials of network administrators and senior staff of the affected organizations, Falkowitz said. The hackers then probed the victims’ machines, moved laterally across their networks, and implanted a malicious software program called PlugX, a remote access trojan that gives them a persistent backdoor.
While on the machines, the hackers were able to explore file directories, log keystrokes, capture screenshots, and grab reams of data. In the COREU breach, Area 1 said the intruders stole communications pertaining to European Council working parties and committee reports on the EU’s relations with Asia and other regions, as well as documents concerning security and military technologies.
In the AFL-CIO breach, the looters got their hands on documents from top officers of the union, including legal counsels, Area 1 said. They also nabbed backups of password files which at least one staffer stored using 1Password, a popular password management application.
The hackers then “zipped” the stolen files to compress them, added password protection, and disguised the resulting archives with innocuous-sounding names, like “infos.txt.” Sometimes the attackers would break these archives into smaller pieces, presumably to sneak the data off the network while raising fewer flags.
The hackers exfiltrated the data by uploading it to public cloud services, such as Google Drive. The spies attempted to erase their tracks, but Area 1 said it was able to observe and map out their activity. The company has shared technical indicators associated with the breaches in its report so that other organizations can check whether they were similarly targeted.
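The staging pattern described above (a password-protected archive renamed to something like “infos.txt” and sometimes split into pieces) leaves traits a defender can look for on disk before the upload happens: a file whose bytes say ZIP while its name says text, a ZIP whose local header carries the encryption flag, and fragment names of the “.001”/“.z01” kind. The scanner below is an added example written for this article, not code from Area 1 or from the report; the only name taken from the article is “infos.txt”, and the other sample file names and contents are constructed here for illustration.

```python
"""Triage scanner for disguised, password-protected and split archives.

Added example, not from the Area 1 report or the Fortune article. The
sample files are constructed inline; apart from "infos.txt" (named in the
article) every file name and payload here is an assumption for illustration.
"""
import io
import re
import struct
import zipfile

ZIP_LOCAL_MAGIC = b"PK\x03\x04"   # signature of a ZIP local file header
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: entry is encrypted
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".gz", ".tar")
# Common multi-volume naming: foo.zip.001, foo.z01, foo.part1 (assumed patterns)
SPLIT_NAME_RE = re.compile(r"\.(z\d{2}|part\d+|\d{3})$", re.IGNORECASE)


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' bit in the first local file header.

    Python's zipfile cannot write password-protected archives, so the flag
    is patched in by hand to simulate one; the payload is not really
    encrypted. Offset 6 is the 2-byte general-purpose flag field.
    """
    data = bytearray(zip_bytes)
    if data[:4] != ZIP_LOCAL_MAGIC:
        raise ValueError("not a ZIP local file header")
    flags = struct.unpack_from("<H", data, 6)[0] | FLAG_ENCRYPTED
    struct.pack_into("<H", data, 6, flags)
    return bytes(data)


def classify(name, data):
    """Return the list of suspicious traits found for one file (empty if none)."""
    findings = []
    lower = name.lower()
    if data.startswith(ZIP_LOCAL_MAGIC):
        # Magic bytes say ZIP; a name without an archive extension is a disguise.
        if not lower.endswith(ARCHIVE_EXTS):
            findings.append("zip_with_non_archive_name")
        if len(data) >= 8:
            flags = struct.unpack_from("<H", data, 6)[0]
            if flags & FLAG_ENCRYPTED:
                findings.append("password_protected_zip")
    # Later fragments of a split archive carry no magic at all, so the name
    # pattern is the only on-disk hint for them.
    if SPLIT_NAME_RE.search(lower):
        findings.append("split_archive_fragment")
    return findings


def scan(files):
    """Return {name: findings} for every file in {name: bytes} with a finding."""
    report = {}
    for name, data in files.items():
        findings = classify(name, data)
        if findings:
            report[name] = findings
    return report


# Constructed sample directory: one benign archive, one disguised and
# "encrypted" archive named as in the article, one split fragment, one text file.
SAMPLES = {
    "report.zip": make_zip({"notes.txt": b"quarterly notes"}),
    "infos.txt": mark_encrypted(make_zip({"cables.docx": b"sample payload"})),
    "infos.txt.001": b"\x00" * 32,
    "readme.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {', '.join(findings)}")
```

A scan like this only flags candidates for a human to look at; a legitimately encrypted archive with a misleading name is not proof of exfiltration. Pairing it with upload telemetry for consumer cloud storage, which the article names as the exfiltration channel, narrows the false positives considerably.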
The hackers continued to have access to the COREU network as recently as last week, Falkowitz said.
The strategic goals of the recent wave of cyberattacks are not clear, in part because they appear directed at such a broad range of entities, including think tanks, unions, and government ministries. Falkowitz points to stolen files related to the proposed Trans-Pacific Partnership to speculate that China was in part seeking intelligence about global trade negotiations, a sensitive topic for the Trump Administration and a key instrument of geopolitical power.
The hacking may also have been spurred by general opportunism. According to Adam Segal, a cybersecurity expert at the Council on Foreign Relations, China regards cyberspace as incredibly important for achieving three goals: economic growth, controlling information, and military advantage. In this context, the hackers may have been seeking to monitor their targets in hopes of gathering any useful information rather than to obtain specific trade files.
If Area 1’s attribution is correct, the attacks underscore Chinese hackers’ success in rummaging through cyberspace, and also how poorly their targets have fared in deflecting them. This failure to defend can be chalked up in part to the complexity of guarding networks, especially those at bureaucratic and multi-pronged institutions like the European Union.
“IT security remains a nightmare within the EU, not only because of the technical challenge of harmonizing 28 IT security systems, but also because of the incentive countries have to leak confidential documents to non-EU allies,” said Federica Bicchi, a professor at the London School of Economics, who has published a history of the COREU network.
The failure to rebuff this latest round of hacks is also notable given China’s prior track record. In 2012, U.S. lawmakers decried “a furious wave of cyberespionage” aimed at think tanks, and warned that sensitive academic and diplomatic data was being stolen.
Meanwhile, U.S. discussions with China on the cyber front have regressed since former President Obama and Chinese President Xi Jinping reached a bilateral agreement in 2015. That pact reportedly led to a downturn in hacking incidents from China, but only a temporary one.
Past cyberattacks by China have triggered retaliatory measures by the U.S., including sanctions and the filing of criminal charges against individual hackers. It’s unclear, however, whether the incidents directed at the EU and the AFL-CIO will prompt similar measures by the U.S. or by European governments.
According to Segal, many of the organizations described in the Area 1 report, including governments and think tanks, would be considered fair game under the norms of spycraft, and other countries conduct similar operations. It is only when China’s hackers seek to plunder companies for economic gain that the U.S. has reacted in a forceful public fashion, he added.
China’s success at breaching COREU, the UN, the AFL-CIO, and the other organizations nonetheless raises questions about whether anything can be done to stop such cyberattacks. According to Falkowitz, any response must begin by recognizing that the attacks are not particularly sophisticated. Rather, he says, they rely on a cookie-cutter approach that involves repeatedly probing the target with phishing emails until someone clicks on a booby-trapped link to let the hackers in.
Cyberattacks are more like “cogs in an assembly line” than they are “individual snowflakes,” Falkowitz said. “From a technical perspective, it’s rather boring, to be honest, but the impact is super, super high.”