Chinese-government linked hackers are using American computer services companies in conducting cyber attacks against private company networks, according to cyber security analysts.
A detailed computer forensic investigation by a major U.S. security firm revealed that three recent cyber attacks were carried out by two Chinese hacker groups known as Deep Panda and Wekby. Both groups appear linked to each other and are part of a Chinese-government run cyber espionage campaign.
The Department of Homeland Security stated in an internal report that cyber espionage targeting the bulk collection of personal data from government and private networks included nine attacks over the past year.
A report on the investigation by the security firm reveals the Chinese groups conducted the attacks using seven computer-hosting companies to target a U.S. air carrier, a European telecommunications company, and a European energy firm.
A copy of the report was obtained by the Washington Free Beacon. The security firm asked not to be named.
The report provides some of the first details on how shadowy Chinese hacking groups conduct their operations while working to thwart U.S. intelligence and law enforcement agencies from tracking their activities.
"It’s like playing whack-a-mole," said an executive at one the companies who voiced frustration at the difficulties of blocking Internet Protocol (IP) addresses used covertly by Chinese hackers on U.S.-hosted domains.
The executive, who spoke on condition of anonymity over concerns of being targeted in a cyber attack, said the problem is not new and has been going on for years. "They are using very, very sophisticated methods," the company official said of the hackers.
Chinese hackers also are suspected in the hack of the Office of Personnel Management that compromised the records of 22.1 million people. The key indicator in the OPM hacking that links the cyber attack to China is the use of Sakula malware, a tool used to penetrate networks and steal large amounts of data.
The use of American computer service companies is part of efforts by sophisticated hackers to cover their tracks and thwart what is called "attribution"—evidence identifying the source of an attack.
Adm. Mike Rogers, commander of the U.S. Cyber Command, said in a speech last month that hackers are taking steps to deceive intelligence agencies. Rogers said identifying hackers is "a bit of a cat and mouse game."
"As you generate and gain more insights on what actors are doing, you watch them try to change what they do in a way to obfuscate how they do it," he said. One tactic is to form new partnerships with other hackers, Rogers noted.
In the recent hacking report, the Chinese also successfully re-used IP addresses that had been blocked years ago after authorities identified them as a source of hacking.
In some cases, the Chinese hackers use Americans as cutouts to set up the domains.
The FBI’s computer crime units frequently contact the companies to cut off the services once the Chinese hackers’ activities are uncovered.
The problem of misusing hosting services is so widespread that many companies now dedicate an entire email account to the problem.
Several of the companies involved in illicit Chinese hacking networks that were contacted referred questions to a dedicated "abuse@…" email address.
The report said forensic analysis "showed that these Chinese actors utilized common infrastructure hosted inside the U.S."
The Chinese hacker infrastructure stretched from China’s southeastern Guangdong Province and implicated service providers Sharktech, Psychz Networks, WebNX/GorillaServers Inc., Quadranet, PEG TECH, Colocrossing.com, and Enzu.
The activities in the cyber strike against the European telecommunication firm were tracked back to Guangdong Province, and a domain known as "discountbok.com" that was hosted by Quadranet/ Shenzhen Yi Yun Network Technology Co. Ltd. The IP address was identified by the company CrowdStrike as a user of the Sakula malware that is a key tool of the Deep Panda hacking group.
The hackers were using a Chinanet network in Guangdong. Chinanet is the main Internet services in China controlled by the state-run China Telecom Corp.
An IP address hosted by PEG TECH was traced to a Chinese hacker identified as "jiangdayou."
"Further research on this actor shows that he is likely based out of Guangdong," the report said.
Another domain, foundationssl.com, is registered to Li ning in Guangzhou Shi, Guangdong province.
And a domain identified as gicp.net, that was used to host several subdomains linked to Deep Panda hackers was registered to a Lin jianliang in Guangdong.
The gicp.net address was found to be hosted by Sharktech, based in Las Vegas.
In several major Chinese cyber attacks described as strategic web compromises, investigators traced the attackers to an IP address owned by China Mobile Communications Corp., operated by Guangdong Mobile Communication Co. Ltd.
The European energy company was hit with the cyber attack that came from the discountbok.com location connected to WeHostWebsites.com, located in Baoan, Shenzen City, Guangdong, and a related provider in Denver.
The cyber attack against the energy firm involved three IP addresses hosted by the company Psychz Networks, located in Los Angeles. The addresses were identified in the past as sources of Deep Panda cyber attacks.
A spokesman for Psychz Networks confirmed the reported IP address was the company’s but said, "we won’t be able to discuss any possible active investigations of our clients."
The cyber attack on the U.S. air carrier was traced to Chinese hackers using IP addresses owned by GorillaServers Inc. and another service at the same address in Los Angeles known as WebNX.
GorrillaServers did not respond to emails seeking comment.
Two IP addresses in the air carrier attack were associated in the past with Deep Panda attacks.
Another two addresses in the airline attack were hosted by Quadranet in Shenzhen and Los Angeles, and also were used by Deep Panda in the past. Quadranet is identified in the report as a subsidiary or partner of the networking company ColoCrossing Inc.
A Quadranet spokesman did not respond to emails seeking comment.
Another company that appears to have be of Chinese origin and to have a U.S. subsidiary is PEG TECH, which investigators say was linked to the air carrier cyber attack. PEG TECH has a San Jose address.
PEG TECH-hosted addresses were also identified in the cyber attack uncovered last year against the U.S. health care provider Anthem. Health care records of some 80 million people were compromised in the Anthem hack.
A PEG TECH spokesman could not be reached for comment.
The European energy company hacking attack was also traced to IPs owned by a hosting service called Enzu, a Nevada-based company. CrowdStrike has tied IP addresses used by Deep Panda to Enzu.
An Enzu spokesman did not respond to emails seeking comment.
FBI spokeswoman Carol Cratty declined to comment on the problem.
"We’re not going to comment on attribution of any purported cyber incidents," said DHS spokesman S.Y. Lee.