Computer hackers linked to the Chinese government used two Chinese telecom companies and the Baidu search engine to mount mass data disruption attacks on American websites involved in circumventing Beijing’s censors.
According to a confidential FBI Flash alert sent to U.S. companies on Thursday, investigators determined with high confidence that since the middle of March Internet traffic entering China was used in a data-denial attack against two websites involved in defeating Chinese-based web censorship. The traffic was "manipulated to create cyber attacks directed at U.S.-based websites," the notice said.
"Analysis by the U.S. government indicated that Internet traffic which originated outside China, was intercepted and modified to make unsuspecting users send repeated requests to U.S.-based websites," the report said.
"The malicious activity occurred on China’s backbone Internet infrastructure, and temporarily disrupted all operations on the U.S.-based websites," the notice said.
Investigators analyzing the attacks discovered that malicious software was injected into the web browsers of unsuspecting computer users "as traffic transited China Unicom or China Telecom networks and at the same points in these routes that censor traffic for the Chinese government."
China Unicom and China Telecom are both state-owned telecommunications companies under control of the Chinese Ministry of Information Industry.
The involvement of the two companies is an indication of Chinese government involvement in the hacking technique known as a "man-in-the-middle" cyber attack, the FBI said.
"The location of the [man-in-the-middle] system on backbone networks operating censorship equipment indicates that the [man-in-the-middle] attack could not have occurred without some level of cooperation by the administrators of these systems," the FBI said.
The diversion of Internet traffic was part of a sophisticated but common method of cyber attack known as a Distributed Denial of Service (DDoS) strike—the use of networked, hijacked computers to flood websites with data requests that overwhelm the sites and disrupt or shut down their operations.
The alert did not identify the U.S. websites hit in the cyber attack.
However, the Wall Street Journal reported March 29 that a software company involved in helping Chinese users evade Beijing’s censorship was attacked in a DDoS attack linked to China. The San Francisco-based coding website called GitHub, Inc. was targeted and security analysts said the company was picked because of its involvement in circumventing Chinese web censors.
Security analysts identified the Chinese search engine involved in the attacks, that began March 26, as Baidu, a key part of the effort to direct mass digital strikes at two GitHub-hosted web pages. GitHub was facilitating access to Internet pages blocked by the Chinese government, including one operated by Greatfire.org, and the New York Times’ Chinese language website.
Baidu, considered to be a Chinese version of Google, is widely used by some of China’s several hundred million Internet users. The company denied involvement in the DDoS attacks in March, the Journal reported.
According to the FBI alert, the March DDoS attacks involved what cyber security experts call a "man in the middle" attack where hackers inject malicious software in the form of a doctored Javascript—software used to control web browsers—into large numbers of computer users’ web browsers.
The malware allowed the cyber attackers to take control of large numbers of computers for the DDoS attacks.
Man-in-the-middle attacks allow remote hackers to interrupt and exploit communications between computer servers and clients—the basic communication exchange used on the Internet for such activities as sending email or viewing websites.
According to the FBI alert, the hackers in the March attack targeted computer users who browsed Chinese websites and then randomly hijacked a percentage of legitimate software requests before those communications could reach the Chinese server. The hackers then returned a malicious Javascript to the user.
"The malicious Javascript would direct the unsuspecting user’s browsers to make repeated requests to targeted U.S.-based websites," the FBI said.
An FBI spokeswoman declined to comment on the alert.
The FBI urged American companies and computer users to use sophisticated security measures, such as transport layer security and other public key encryption, to protect traffic that passes through unsecure networks, like those in China.
The security techniques also should be updated to ensure that the most recent, secure versions are used.
Additional mitigation efforts can be obtained by American companies from the FBI’s Cywatch program at cywatch@ic.fbi.gov. The FBI also urged anyone affected by the attacks to contact one of the FBI’s field offices.
Disclosure of the Chinese government hacking comes as the Pentagon this week released a new cyber strategy.
A report on the strategy identified China as among four adversaries that have invested significantly in cyber warfare capabilities that "target the U.S. homeland and damage U.S. interests."
"Russia and China have developed advanced cyber capabilities and strategies," the report said.
"China steals intellectual property from global businesses to benefit Chinese companies and undercut U.S. competitiveness."
Defense Secretary Ash Carter said during a speech in California on April 23 that the cyber threat from nations like China and Russia "is increasing in severity and sophistication."
In Beijing, Chinese Defense Ministry spokesman Sr. Col. Geng Yansheng, criticized the new Pentagon strategy’s reference to the Chinese cyber threat.
"We are firmly opposed to the groundless accusations against China made in the report," Geng said. "China has been gravely threatened by hacker attacks and is firmly opposed to all kinds of hacking activities in the cyber space."
"We are opposed to cyber warfare in any form and cyber arms race, and we hope the cyber space will not be turned into another battlefield," he added. "We urge the U.S., which has strong cyber capabilities, to play an exemplary role and do more for enhancing cyber security, promoting common security and mutual trust in cyber space, rather than seeking absolute security for itself."