Building hiding China’s secrets uncovered
The outside of the "Guangdong Province International Affairs Centre" in the Chinese city of Guangzhou isn't much to look at, but what's going on inside has terrified governments around the world, including our own.
The US Department of Justice is alleging the building and research centre purporting to operate in one of China's biggest cities is really harbouring intelligence officers who are directing and assisting hackers conducting cyber attacks against organisations and individuals in other countries.
It's where an unnamed Ministry of State Security (MSS) officer allegedly helped Li Xiaoyu, 34, break into the emails of a Burmese human rights group, providing him with "zero-day" malware that exploits vulnerabilities unknown to security researchers or the software developer.
Other information obtained by Li's alleged hacks, which targeted dozens of companies, as well as human rights activists, anti-China protesters, and Chinese dissidents over more than 10 years, was also allegedly funnelled back to the MSS officer.
The building allegedly hiding MSS operations looks entirely innocuous from the outside, and the hackers it allegedly supported did a similarly good job of avoiding attention.
Attacks frequently involved techniques like hiding malicious files inside the hidden folder that holds files sent to the Recycle Bin until they're deleted, meaning genuine network users were unlikely to come across them.
They also made good use of a publicly available, tiny, and easily disguised piece of malware known as the China Chopper web shell.
China Chopper provides remote access to a Windows or Linux server and is only around four kilobytes in size.
The hackers would allegedly give the China Chopper shell an innocuous name and hide it on the victim's server, as well as using credential-stealing software to take legitimate employees' login details.
When they found data they liked, they would compress it all into a single file (Roshal Archive Compressed files, or .RAR), and then change the file extension to make it look like something else.
Changing a .RAR to a .jpg could fool anyone who managed to stumble across it in the hidden Recycle Bin folder into thinking it was simply a deleted image and not a compressed trove of company secrets and data.
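As an added illustration (not from the article or the indictment), a defender-side check for the extension trick described above: it walks a folder such as a Recycle Bin and flags files whose leading bytes carry a RAR signature but whose extension claims an image or text file. The folder name, sample files and their contents are constructed here for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Leading bytes of RAR archives: the RAR4 and RAR5 signatures.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Extensions under which a RAR archive would not normally be found.
NON_ARCHIVE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".log", ".tmp"}


def is_rar(path: Path) -> bool:
    """Return True if the file starts with a RAR signature (content, not name)."""
    try:
        with path.open("rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    return any(head.startswith(sig) for sig in RAR_SIGNATURES)


def find_masqueraded_rars(root: Path) -> List[Path]:
    """Walk root (e.g. a Recycle Bin folder) and list RAR files whose extension disguises them."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in NON_ARCHIVE_EXTS and is_rar(p):
                hits.append(p)
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one disguised RAR, one genuine JPEG, one honestly named RAR."""
    (root / "holiday.jpg").write_bytes(RAR_SIGNATURES[1] + b"\x00" * 32)   # RAR5 renamed to .jpg
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # real JPEG header
    (root / "backup.rar").write_bytes(RAR_SIGNATURES[0] + b"\x00" * 32)    # RAR4, not disguised


def demo() -> List[str]:
    """Run the check over a constructed Recycle Bin folder and return the flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "$RECYCLE.BIN"   # hypothetical folder name for the sample
        root.mkdir()
        build_sample_tree(root)
        return [p.name for p in find_masqueraded_rars(root)]


if __name__ == "__main__":
    print(demo())  # ['holiday.jpg']
```

The check relies on file content rather than the name, so renaming alone does not defeat it; pointing it at real Recycle Bin folders is a cheap hunt for the pattern the indictment describes.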
Li has been charged alongside Dong Jiazhi, 33, for allegedly participating in a decade-long conspiracy to hack computer networks around the world, including in Australia.
It's unlikely they'll face any jail time, however, as they are believed to still be in China.
The US and China don't have an extradition treaty but they do have a strained diplomatic relationship that will make neither that enthusiastic about helping the other.
Li and Dong allegedly stole secrets from private companies and funnelled the information to Chinese intelligence, as well as using it to extort the victims for their own personal gain, all from their "PRC government-provided safe-haven in China".
While the recently unsealed indictment of the pair reveals stolen secrets being used to extort victims into coughing up cryptocurrency, the real cause for concern is the involvement of Chinese intelligence.
"China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being 'on call' to work for the benefit of the state, here to feed the Chinese Communist party's insatiable hunger for American and other non-Chinese companies' hard-earned intellectual property, including COVID-19 research," the US assistant attorney general for national security John C. Demers said.
The US has identified 25 victims across more than 10 countries, including Australia, where two organisations were targeted in less than a year.
An unnamed "Australian defence contractor" had 320 gigabytes of data, including source codes, schematics and manuals stolen between April and June of last year.
It appears the hackers managed to access the Confluence cloud network being used by the company.
Confluence is one of several products offered by local tech success story Atlassian.
Atlassian sells software to businesses and provides them with security updates and customer support, but companies have the option of "self-managing": providing their own server hosts and managing the data kept there, which includes effectively securing it from outside attackers.
The hackers also allegedly targeted an "Australian solar energy engineering concern" in January but it appears that while the network was compromised and spied on, no data was taken.
Last month, Prime Minister Scott Morrison told Australians what the cybersecurity community had been trying to tell them for years: the country is under attack from "cyber actors".
The government announcement was spurred by a warning from spy agencies to prepare for more attacks in the future.
Originally published as Building hiding China's secrets uncovered