China syndrome

Germany is target of sustained cyberattacks from China

Published 10 April 2009

The German government is constantly the target of hackers seeking to insert spy programs into its computer systems; the attacks are becoming more and more sophisticated

China’s sustained, pervasive, and sophisticated cyber attacks are not limited to U.S. government and commercial networks. Yes, back in the summer of 2007 Chinese prime minister Wen Jiabao told German Chancellor Angela Merkel, during her visit to China, that his government would take “determined” and “forceful” measures to prevent hacker attacks. There were, and are, three problems with the Chinese leader’s announcement: first, Wen’s concession was not entirely voluntary. Shortly before Merkel’s trip, Spiegel had reported on massive hacker attacks on the German government, which German intelligence officials had traced to servers in various Chinese provinces. Second, most of the cyber attacks from China are not the work of free-lancing hackers, but rather the work of Chinese government operatives. Third, Chinese attacks with malicious software on German computer networks have increased since Wen’s speech.

Spiegel’s John Goetz and Marcel Rosenbach write that the German government is a favorite target of hackers. “We discover attempted attacks on the federal government’s computers on a daily basis,” says Burkhard Even, the head of the counterintelligence division at the Cologne-based Federal Office for the Protection of the Constitution (BfV), Germany’s domestic intelligence agency. Suspicions continue to center on China in a conspicuously large number of cases, such as the suspected cyber-espionage network known as Ghostnet, which was detected by Canadian and British experts and revealed at the end of March. Ghostnet programs had infected at least 1,295 computers in 103 countries. “The Canadian scientists have corroborated our information,” says Even.

Each year, special virus scanners detect about 600 attempts to insert sophisticated spy software into the two central Internet interfaces of IVBB, a computer network that links the computers at the German Chancellery with government ministries in Bonn and Berlin. These and other attempts are evidence of a relentless barrage of increasingly sophisticated cyber attacks, many of which go undetected.

These e-mail messages typically carry attachments that serve as door-openers for spies, allowing the infected computers to be controlled from afar and malicious programs to be loaded onto the machines. They are now being sent to selected addressees and tailored to specific areas of responsibility. Mid-level bureaucrats are often the targets. An employee at the Federal Ministry of the Interior recently received an e-mail apparently sent by another employee in his department. The message was an almost perfect forgery, with a spy program hidden in the attachment. E-mail addresses at the World Health Organization and European Union have also been used to mimic trustworthy senders.

Clues about the hackers can be gleaned from the technical characteristics of an attack, as well as the identities of the target and the subject matter. The aim of the attacks leading up to the chancellor’s trip to China, for example, was to ferret out information about issues Merkel wanted to discuss with representatives of the People’s Republic.

German intelligence also detected a noticeable increase in cyber attacks before meetings between Merkel and the Dalai Lama. The hackers appear to be particularly interested in the Tibet issue. In January 2008 various German officials received an e-mail with an attached document titled: “Analysis of Chinese Government Policy Toward Tibet.” The sender was supposedly a Tibetan organization in the United States. A malicious program was hidden in the analysis.

Hans Elmar Remberg, the deputy head of German domestic intelligence, told Germany’s WDR television network that his agents had determined the attacks were coming “from Chinese sources,” and that he assumed “that government employees, or at least people working on behalf of the government” were behind the attempted espionage. The experts who analyzed Ghostnet also traced most of the hackers’ control servers to China. They added, however, that conclusive proof of Chinese government involvement was lacking. It is difficult to identify culprits on the Internet, because even control servers can be hijacked and operated remotely.

It is clear that the Chinese intelligence agencies and military have engaged in cyber espionage since the late 1990s. China is also home to a community of skilled and patriotic hackers who have staged what amount to campaigns on foreign Internet sites for years. Because China regulates its Internet so strictly — it controls access more than almost any other nation in the world — one can assume the government has at least tolerated hacker activity for a long time.

Perhaps coincidentally, only three days after Ghostnet made headlines, Premier Wen announced that he too had fallen victim to an audacious case of cyber espionage. Attackers from Taiwan, he said, had hacked into a Chinese State Council computer containing drafts of Wen’s government report, the South China Morning Post reported Wednesday. The premier was “beside himself” over the incident, the paper wrote.