[The primary targets for these more sophisticated attacks: China’s ethnic minorities and their diaspora in other countries, the researchers said. In several instances, hackers targeted the cellphones of a minority known as Uighurs, whose home region, Xinjiang, has been the site of a vast build-out of surveillance tech in recent years.]
By
Nicole Perlroth, Kate Conger and Paul Mozur
 |
|
Uighur
teenagers on their phones in Kashgar in China’s Xinjiang region. Chinese
hackers
have secretly monitored the cellphones of Uighurs and Tibetans
around
the globe. Credit Gilles Sabrié for The New York Times
|
SAN
FRANCISCO — China’s
state-sponsored hackers have drastically changed how they operate over the last
three years, substituting selectivity for what had been a scattershot approach
to their targets and showing a new determination by Beijing to push its
surveillance state beyond its borders.
The government has poured considerable
resources into the change, which is part of a reorganization of the national
People’s Liberation Army that President Xi Jinping initiated in 2016, security
researchers and intelligence officials said.
China’s hackers have since built up a new
arsenal of techniques, such as elaborate hacks of iPhone and Android software,
pushing them beyond email attacks and the other, more basic tactics that they
had previously employed.
The primary targets for these more
sophisticated attacks: China’s ethnic minorities and their diaspora in other
countries, the researchers said. In several instances, hackers targeted the
cellphones of a minority known as Uighurs, whose home region, Xinjiang, has
been the site of a vast build-out of surveillance tech in recent years.
“The Chinese use their best tools against
their own people first because that is who they’re most afraid of,” said James
A. Lewis, a former United States government official who writes on
cybersecurity and espionage for the Center for Strategic Studies in Washington.
“Then they turn those tools on foreign targets.”
China’s willingness to extend the reach of
its surveillance and censorship was on display after an executive for the
National Basketball Association’s Houston Rockets tweeted support for
protesters in Hong Kong this month. The response from China was swift,
threatening a range of business relationships the N.B.A. had forged in the
country.
In August, Facebook and Twitter said they had
taken down a large network of Chinese bots that was spreading disinformation
around the protests. And in recent weeks, a security firm traced a monthslong
attack on Hong Kong media companies to Chinese hackers. Security experts say
Chinese hackers are very likely targeting protesters’ phones, but they have yet
to publish any evidence.
Some security researchers said the improved
abilities of the Chinese hackers had put them on a par with elite Russian
cyberunits. And the attacks on cellphones of Uighurs offered a rare glimpse of
how some of China’s most advanced hacking tools are now being used to silence
or punish critics.
Google researchers who tracked the attacks
against iPhones said details about the software flaws that the hackers had
preyed on would have been worth tens of millions of dollars on black market
sites where information about software vulnerabilities is sold.
On the streets in Xinjiang, huge numbers of
high-end surveillance cameras run facial recognition software to identify and
track people. Specially designed apps have been used to screen Uighurs’ phones,
monitor their communications and register their whereabouts.
Gaining access to the phones of Uighurs who
have fled China — a diaspora that has grown as many have been locked away at
home — would be a logical extension of those total surveillance efforts. Such
communities in other countries have long been a concern to Beijing, and many in
Xinjiang have been sent to camps because relatives traveled or live abroad.
The Chinese police have also made less
sophisticated efforts to control Uighurs who have fled, using the chat app
WeChat to entice them to return home or to threaten their families.
China’s Ministry of Foreign Affairs did not
respond to a request for comment. China has denied past claims that it conducts
cyberespionage, adding that it, too, is often a target.
Security researchers recently discovered that
the Chinese used National Security Agency hacking tools after apparently
discovering an N.S.A. cyberattack on their own systems. And several weeks ago,
a Chinese security firm, Qianxin, published an analysis tying the Central
Intelligence Agency to a hack of China’s aviation industry.
Breaking into iPhones has long been
considered the Holy Grail of cyberespionage. “If you can get inside an iPhone,
you have yourself a spy phone,” said John Hultquist, director of intelligence
analysis at FireEye, a cybersecurity firm.
The F.B.I. couldn’t do it without help during
a showdown with Apple in 2016. The bureau paid more than $1 million to an
anonymous third party to hack an iPhone used by a gunman involved in the
killing of 14 people in San Bernardino, Calif.
Google researchers said they had discovered
that iPhone vulnerabilities were being exploited to infect visitors to a set of
websites. Although Google did not release the names of the targets, Apple said
they had been found on about a dozen websites focused on Uighurs.
“You can hit a high school student from Japan
who is visiting the site to write a research report, but you are also going to
hit Uighurs who have family members back in China and are supporting the
cause,” said Steven Adair, the president and founder of the security firm
Volexity in Virginia.
The technology news site TechCrunch first
reported the Uighur connection. A software update from Apple fixed the flaw.
In recent weeks, security researchers at
Volexity uncovered Chinese hacking campaigns that exploited vulnerabilities in
Google’s Android software as well. Volexity found that several websites that
focused on Uighur issues had been infected with Android malware. It traced the
attacks to two Chinese hacking groups.
Because the hacks targeted Android and iPhone
users — even though Uighurs in Xinjiang don’t commonly use iPhones — Mr. Adair
said he believed that they had been aimed in part at Uighurs living abroad.
“China is expanding their digital
surveillance outside their borders,” he said. “It seems like it really is going
after the diaspora.”
Another group of researchers, at the Citizen
Lab at the Munk School of Global Affairs & Public Policy at the University
of Toronto, recently uncovered an overlapping effort, using some of the same
code discovered by Google and Volexity. It attacked the iPhones and Android
phones of Tibetans until as recently as May.
Using WhatsApp messages, Chinese hackers
posing as New York Times reporters and representatives of Amnesty International
and other organizations targeted the private office of the Dalai Lama, members
of the Tibetan Parliament and Tibetan nongovernmental organizations, among
others.
Lobsang Gyatso, the secretary of TibCERT, an
organization that works with Tibetan organizations on cybersecurity threats,
said in an interview that the recent attacks were a notable escalation from
previous Chinese surveillance attempts.
For a decade, Chinese hackers blasted
Tibetans with emails containing malicious attachments, Mr. Lobsang said. If
they hacked one person’s computer, they hit everyone in the victim’s address
books, casting as wide a net as possible. But in the last three years, Mr.
Lobsang said, there has been a big shift.
“The recent targeting was something we
haven’t seen in the community before,” he said. “It was a huge shift in
resources. They were targeting mobile phones, and there was a lot more
reconnaissance involved. They had private phone numbers of individuals, even
those that were not online. They knew who they were, where their offices were
located, what they did.”
Adam Meyers, the vice president of
intelligence at CrowdStrike, said these operations were notably more
sophisticated than five years ago, when security firms discovered that Chinese
hackers were targeting the phones of Hong Kong protesters in the so-called
Umbrella Revolution.
At the time, Chinese hackers could break only
into phones that had been “jailbroken,” or altered in some way to allow the
installation of apps not vetted by Apple’s official store. The recent attacks
against the Uighurs broke into up-to-date iPhones without tipping off the
owner.
“In terms of how the Chinese rank threats,
the highest threats are domestic,” Mr. Lewis said. “The No. 1 threat, as the
Chinese see it, is the loss of information control on their own population. But
the United States is firmly No. 2.”
Chinese hackers have also used their improved
skills to attack the computer networks of foreign governments and companies.
They have targeted internet and telecommunications companies and have broken
into the computer networks of foreign tech, chemical, manufacturing and mining
companies. Airbus recently said China had hacked it through a supplier.
In 2016, Mr. Xi consolidated several army
hacking divisions under a new Strategic Support Force, similar to the United
States’ Cyber Command, and moved much of the country’s foreign hacking
operation from the army to the more advanced Ministry of State Security,
China’s main spy agency.
The restructuring coincided with a lull in
Chinese cyberattacks after a 2015 agreement between Mr. Xi and President Barack
Obama to cease cyberespionage operations for commercial gain.
“The deal gave the Chinese the time and space
to focus on professionalizing their cyberespionage capabilities,” Mr. Lewis
said. “We didn’t expect that.”
Chinese officials also cracked down on
moonlighting in moneymaking schemes by its state-sponsored hackers — a
“corruption” issue that Mr. Xi concluded had sometimes compromised the hackers’
identities and tools, according to security researchers.
While China was revamping its operations,
security experts said, it was also clamping down on security research in order
to keep advanced hacking methods in house. The Chinese police recently said
they planned to enforce national laws against unauthorized vulnerability
disclosure, and Chinese researchers were recently banned from competing in
Western hacking conferences.
“They are circling the wagons,” Mr. Hultquist
of FireEye said. “They’ve recognized that they could use these resources to aid
their offensive and defensive cyberoperations.”
Nicole Perlroth and Kate Conger reported from
San Francisco, and Paul Mozur from Shanghai.
