The Government Security Communications Bureau (GCSB) has announced that Chinese hackers were responsible for cyber intrusions against New Zealand managed service providers (MSPs), the telecommunications firms responsible for providing phone, email and internet services and data banking to individual, public agency and corporate consumers. This is surprising only because it confirms what private security analysts and partner intelligence services have been claiming for some time: that the Chinese are engaged in a global campaign of cyber theft of commercial secrets and intellectual property. They do so as part of a strategy to become the world’s dominant information and telecommunications player within 50 years, and they do so by using ostensibly private firms as cover for hacking activities directed by the Chinese Ministry of State Security (MSS).
The GCSB announcement coincided with the indictment by the US Justice Department of two Chinese nationals who have been identified as belonging to the Advanced Persistent Threat (APT)-10 Group of MSS hackers operating under the cover of a Chinese-registered firm, Tianjin Huaying Haitai Science and Technology Development Company Ltd. (Huaying Haitai). Huaying Haitai claims to provide network security construction and product development services but has only two registered shareholders, one manager and no web presence (the domain name huayinghaitai.com is registered to the firm but cannot be found online, which is particularly odd for an internet security provider). The US has publicly identified Huaying Haitai as the corporate front for APT-10, and the GCSB has confirmed that APT-10 was responsible for the New Zealand-targeted cyber intrusions it has detected since early 2017.
The UK simultaneously announced that Chinese hackers had conducted a decade-long campaign of cyber-theft against British commercial entities, while the US identified 75 US-based targets as well as others in 12 other countries (excluding New Zealand). The GCSB announcement is therefore part of a coordinated effort by Western governments to identify Chinese-based cyber-theft campaigns, and follows on similar Australian revelations announced during the 2018 APEC summit a month ago.
The APT-10 cyber-hacking campaign violates the terms of a 2016 APEC agreement signed by China (and New Zealand) committing member states to not use cyber hacking in order to engage in commercial espionage or intellectual property theft. It violates similar pacts signed with the US and UK in 2015. This means that China is deliberately violating international agreements for commercial gain. It also makes all Chinese-based telecommunications suspect, both in terms of their purported use of so-called digital backdoors built into their products that can be used by Chinese intelligence as well as their duplicitous corporate behaviour when it comes to proprietary information. In effect, Chinese telecommunications are seen as bad corporate actors as well as intelligence fronts by Western countries. This has led to firms such as ZTE and Huawei being excluded from critical infrastructure projects and 5G network upgrades in a number of countries, including, most recently, New Zealand.
The GCSB announcement refers to Chinese hacking in pursuit of cyber theft of sensitive commercial and intellectual property. It does not mention specific targets or refer to cyber-espionage per se. Yet the two overlap because of the nature of the targets and the means by which they are attacked. APT-10 hacking attacks are aimed at Managed Services Providers (MSPs) who store data for individuals, public agencies and firms. These include large multinational email, internet and phone service providers as well as smaller cloud-based data storage firms.
If APT-10 and other hackers can penetrate the security defenses of MSPs they can potentially bulk collect, then data mine whatever is digitally stored in the targeted archives. Although the primary interest is commercial in nature, the overlapping nature of data networks, especially in a small country like New Zealand, potentially gives APT-10 and similar hacking groups access to non-commercial political, diplomatic and military networks.
For example, a home computer or private phone that has been compromised by a cyber hack on an internet service provider (ISP) can become, via the exchange of information between personal and work devices, an unwitting entry point to work networks in the private and public sectors that are not connected to the individual’s ISP. This raises the possibility of incidental or secondary data collection by hackers, which in the case of state-organized outfits like APT-10 may be of as much utility as are the commercial data being targeted in the first instance.
The dilemma posed by the GCSB's announcement is two-fold. First, will the government follow the GCSB lead and denounce the behaviour or will it downplay the severity of the international norms violations and intrusion on sovereignty that the APT-10 hacking campaign represents? If it does, it sets up a possible diplomatic confrontation with the PRC. If it does not, it exposes a rift between the GCSB and the government when it comes to Chinese misbehaviour.
Neither scenario is welcome but one thing is certain: no response will stop Chinese cyber hacking because it is part of a long-term strategy aimed at achieving global information and telecommunications dominance within fifty years. But one response will certainly encourage it.
- An earlier version of this essay appears on the Radio New Zealand website, December 21, 2018 (https://www.radionz.co.nz/news/on-the-inside/378835/cyber-hacking-comes-to-aotearoa).