On February 4, the U.S. publishing and media company News Corp announced that it was hit with “persistent cyberattack activity.”
The hackers targeted News Corp businesses including The Wall Street Journal, the New York Post and the company’s U.K. news operation, The Wall Street Journal reported, citing an email sent to staff. The hackers gained access to journalists’ email accounts and Google Docs.
Journalists affected by the hack noted the attackers were interested in topics including “issues of importance to Beijing such as Taiwan and China’s Uyghur ethnic group,” the Journal reported. News Corp hired cybersecurity firm Mandiant to help investigate, and Mandiant reported a Chinese connection.
“Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China’s interests,” the Journal quoted David Wong, vice president of incident response at Mandiant, as saying.
On February 7, a Journal reporter asked China’s Foreign Ministry spokesman about Mandiant’s assessment that “the incursion was likely meant to gather intelligence to benefit China’s interest.”
“With regard to what you mentioned about cyberattack, China firmly opposes and combats all forms of cyberattacks. It will never encourage, support or condone cyberattacks. This position has been consistent and clear.”
That is misleading.
Beijing’s exact role in the News Corp attack is unclear. But the Chinese government has been linked to a great deal of malign activity online.
U.S. intelligence and law enforcement concluded that Chinese “state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets.”
A July 2021 report by the U.S. Cybersecurity and Infrastructure Security Agency and others outlined the expansive tactics, techniques and procedures Chinese state-sponsored actors allegedly use to “aggressively target” the United States and its allies.
The report said these cyber operations, whose targets include government industrial assets, semiconductor firms, universities and medical institutions, support China’s long-term goals concerning economic and military development.
However, the July 2021 report did not provide technical details on how the actors that carried out the cyber attacks were linked to the Chinese state.
That report corresponded with the unprecedented decision by the United States, the European Union and others to call out China for a March 2021 cyberattack on Microsoft Exchange email server software and other ransomware attacks.
Microsoft linked that attack to a state-sponsored threat actor called Hafnium. It said Hafnium “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”
In its 2021 Microsoft Digital Defense Report, Microsoft noted that the U.S. government and its allies had attributed, “with a high level of confidence,” the attacks targeting Microsoft "to cyber actors affiliated with China’s civilian intelligence agency, the Ministry of State Security.”
However, Microsoft noted that the statement by the U.S. government and its allies linking the attack to China was “slim on technical details.”
Mandiant, which rose to prominence after documenting the role of the Chinese People’s Liberation Army (PLA) in cyberattacks, has tracked Chinese and other advanced persistent threat (APT) actors for more than a decade. The firm identified more than two dozen APT actors linked to China.
As Polygraph.info and others have reported, Mandiant suspects China-sponsored APT actors UNC2630 and UNC2717 played a role in the Pulse Secure attacks, which targeted “defense, government, and financial organizations around the world.”
The Pulse Secure hacking campaign included the hacking of the Metropolitan Water District of Southern California and the telecommunications company Verizon.
In May 2021, Mandiant said it was tracking 16 malware families it believed were “affiliated with the Chinese government.” Mandiant noted the “compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives as outlined in China’s 14th Five Year Plan.”
Beijing has denied it was behind the Pulse Secure attacks.
The U.S. cybersecurity firm CrowdStrike said in its 2021 Global Threat Report that Chinese adversaries are “one of the most prolific state-sponsored cyber actors on the planet.”
In October 2021, CrowdStrike reported on intrusions targeting the global telecommunications sector called LightBasin.
A senior CrowdStrike official told Reuters the Chinese state had not been implicated in the LightBasin intrusions, but said they bore the hallmarks of previous Chinese government attacks.
A 2013 Mandiant report provided substantial evidence linking the Chinese state to malign cyber activity. It outlined the activities of APT1, calling it “one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen.”
Mandiant concluded that APT1 was “likely government-sponsored,” in part due to its ability to “wage such a long-running and extensive cyber espionage campaign.”
It also found that APT1 shared the same mission, capabilities, resources and physical location as the PLA’s Unit 61398, which operates in Shanghai’s Pudong New Area.
Mandiant reported that Unit 61398 was staffed by hundreds, if not thousands, of people, and that state-owned China Telecom provided Unit 61398 with “special fiber optic communications infrastructure … in the name of national defense.”
California-based cybersecurity firm FireEye, which acquired Mandiant in 2013, has also identified several APT actors linked to the Chinese state.
As Polygraph.info has reported, those China-linked APT actors include APT40, four of whose alleged members were charged in a July 19, 2021, U.S. Justice Department indictment with conducting a global computer intrusion campaign.
Another malicious actor, APT31, was accused in several high-profile attacks, including a 2018 breach of the Norwegian government’s technology network and a December 2020 attack on the Finnish parliament’s information systems.
In 2018, the United Kingdom took the unprecedented step of calling out “elements of the Chinese government” for conducting malign cyber activities.
The United Kingdom accused a group called APT10 of acting “on behalf of the Chinese Ministry of State Security to carry out a malicious cyber campaign targeting intellectual property and sensitive commercial data in Europe, Asia and the US.”
The United Kingdom said APT10 “was almost certainly responsible” for Operation Cloud Hopper, in which hackers infiltrated the networks of key industries and government agencies globally to gain access to sensitive information.