Security Analysts Confirm Links Between Beijing Spy Agency and Security Firm

Boyusec carries out intel collection, cyber reconnaissance for MSS

China computer
Getty Images
June 6, 2017

A Chinese cyber security firm carried out a global campaign of cyber espionage and reconnaissance for the Ministry of State Security, Beijing's main civilian spy service, according to security researchers.

The company known as Boyusec, located in Guangzhou near Hong Kong, was traced to large-scale MSS cyber operations to steal corporate and government secrets, and to conduct cyber reconnaissance—preparing foreign networks for cyber attacks in a future conflict.

The company was first exposed as an MSS front by the Washington Free Beacon in November.

Following that report, an anonymous security group or researcher, identified only as "intrusiontruth," reported May 9 that Boyusec is an MSS contractor and two of its officials, Wu Yingzhuo and Dong Hao were linked to Chinese intelligence cyber operations.

Then on May 17, the security firm Recorded Future confirmed that Boyusec is linked to MSS components.

"We believe that they were doing intelligence collection and reconnaissance work since at least 2010," Samantha Dionne, a threat analyst with Recorded Future said in an interview.

"They've targeted a really broad range of companies and government departments," she added, including those in defense industries, telecommunications, advanced technology, and government departments in the United States, Canada, Europe, and Hong Kong.

"They've been conducting a number of operations every year," Dionne said.

Investigations into the MSS cyber operations by both intrusiontruth and Recorded Future were launched after the Free Beacon revealed that the Pentagon had linked Boyusec to the MSS.

An NSA document disclosed by NBC in 2015 revealed that the MSS is one of three main hacking intelligence organizations. The agency identified six known MSS cyber units and 22 suspected MSS hacker groups, along with 28 known or suspected cyber units linked to the People's Liberation Army (PLA) Technical Department known as 3PLA. Together the two agencies were linked to 700 cyber attacks in the United States as of 2015, according to NSA.

According to the Pentagon's annual report on the Chinese military, the MSS is "the main civilian secret intelligence/counterintelligence service."

The spy service is mainly a human intelligence gathering service but in recent years has been very active in conducting cyber attacks to support the Communist government.

"The missions of the MSS are: to protect China’s national security; secure political and social stability; implement the 'National Security Law' and related laws and regulations; protect state secrets; counterintelligence; and investigate organizations or people inside China who personally carry out or direct, support, or aid other people in harming China’s national security," the report said.

Intrusiontruth discovered that Wu and Dong were both shareholders in Boyusec through conducting domain name history searches. The group discovered that the shareholders had been hard coded into some of the malware used in the cyber attacks.

Recorded Future, which uses machine learning for its research, was able to confirm the linkages. The company has alerted the federal government to the discovery but received no feedback, Dionne said.

The company's report on Boyusec identifies two MSS components that are working with Boyusec.   One is the China Information Technology Security Evaluation Center, known as CNITISEC, and an MSS regional office, Guangdong Information Technology Evaluation Center, known as Guangdong ITSEC.

"We have high confidence that it is connected to the MSS specifically," Dionne said of Boyusec.

Security researchers have dubbed Boyusec "APT3"—for advanced persistent threat based on the companies, tools, and tactics used in the cyber attacks.

"We see this as significant because it's the first APT or group that the public sector at least has been able to link explicitly to the Ministry of State Security," Dionne said.

"There have been a lot of reports in the past focused on the PLA, the Chinese military, because attribution there has been a bit more straightforward."

The Justice Department indicted several PLA hackers two years ago.

However, no MSS hackers have faced the same legal action despite intelligence linking the spy service to numerous cyber attacks.

For example, the massive theft of 22 million records on federal workers from the Office of Personnel Management has not been linked by the government to a particular Chinese cyber attacker.

Initial reports indicated the PLA was behind the cyber attack that included the theft of extremely sensitive information used by OPM for background checks on intelligence, security, and law enforcement personnel. Later reports linked the attack to the MSS.

Despite stealing valuable intelligence on nearly the entire federal workforce, data useful in both human spying and cyber spying operations, China has faced no punitive action by the U.S. government.

Chinese cyber intrusions and theft of sensitive data have been massive.

National Security Agency documents made public by renegade contractor Edward Snowden said Chinese cyber attacks have caused serious damage to U.S. national security.

One NSA report said China obtained radar design information on advanced jet fighters along with engine schematics as part of the theft of some 50 many terabytes of stolen data—the equivalent digital information contained in five Library of Congress holdings.

During the 2010s, Chinese hackers have conducted at least 30,000 cyber attacks, including more than 500 "significant intrusions" into Pentagon systems. NSA estimated the damage caused by intrusions cost more than $100 million to rebuild secure networks.

Among the military data stolen were Pacific Command air refueling schedules, Transportation Command logistics data, Air Force officer records, and Navy nuclear submarine and anti-aircraft missile designs.

Dionne said companies and governments need to reevaluate past cyber intrusions that may be linked to the Boyusec hackers.

"We recommend that they reexamine suspected APT3 intrusions in order to reevaluate the risk and the loss associated with the intrusions now that they know that this is the Chinese civilian human intelligence service, and not just any old hacker group," she said.

The new information signals "a whole different level of risk," Dionne added.

The key indicators for the MSS attacks using Boyusec include three hacking tools, including PlugX, Scanbox, and Derusbi.

A cyber security specialist who spoke on condition of anonymity because of the nature of his work said the disclosure about the MSS operations were a good first step.

"The identification is useful in so far as it helps the case that attacks from domains purchased by those gentleman should be attributed to China at the very least," the analyst said. "However, we need better analysis in the public domain."

Published under: China , Cyber Security , PLA