A coalition of security researchers has identified a Chinese cyberespionage group that appears to be the most sophisticated of any publicly known Chinese hacker unit and targets not only U.S. and Western government agencies but also dissidents inside and outside China.
News of the state-sponsored hacker group dubbed Axiom comes a week before Secretary of State John F. Kerry and two weeks before President Obama are due to arrive in Beijing for a series of high-level talks, including on the issue of cybersecurity.
In a report to be issued Tuesday, the researchers said Axiom is going after intelligence benefiting Chinese domestic and international policies — an across-the-waterfront approach that combines commercial cyberespionage, foreign intelligence and counterintelligence with the monitoring of dissidents.
Axiom’s work, the FBI said in an industry alert this month, is more sophisticated than that of Unit 61398, a People’s Liberation Army hacker unit that was highlighted in a report last year. Five of the unit’s members were indicted this year by a U.S. grand jury. The researchers concur with the FBI’s conclusion, noting that, unlike Unit 61398, Axiom is focused on spying on dissidents as well as on industrial espionage and theft of intellectual property.
“Axiom’s activities appear to be supported by a nation state to steal trade secrets and to target dissidents, pro-democracy organizations and governments,” said Peter LaMontagne, chief executive of Novetta Solutions, a Northern Virginia cybersecurity firm that heads the coalition. “These are the most sophisticated cyberespionage tactics we’ve seen out of China.”
Chinese Embassy spokesman Geng Shuang said in an e-mail that “judging from past experience, these kinds of reports or allegations are usually fictitious.” He repeated Beijing’s position that Chinese law prohibits cybercrime and that the government “has done whatever it can to combat such activities.”
Senior Obama administration officials have over the past year and a half publicly called on China to halt its practice of stealing U.S. commercial secrets to benefit its own industries. China, especially in the wake of disclosures last year of widespread U.S. government surveillance by former National Security Agency contractor Edward Snowden, has pushed back, arguing that it is the United States that needs reining in.
Geng said in his e-mail: “China is a victim of these kinds of attacks, according to the Snowden revelations.” Following the PLA indictments in May, Beijing pulled out of bilateral talks aimed at easing tensions in cyberspace.
In recent weeks, the research consortium has detected Axiom malicious software on at least 43,000 computers around the world belonging to law enforcement and other government agencies, journalists, telecommunication and energy firms, and human rights and pro-democracy groups.
The coalition said there also are indications that Axiom may be behind a high-profile cyberattack on Google, announced in 2010, which compromised the tech giant’s source code and targeted Chinese dissidents using Gmail.
At least one Chinese-language computer in the United States was targeted, the report said, without specifying to whom the computer belonged.
Novetta senior technical director Andre Ludwig also said Axiom is seeking to hack personnel management agencies to obtain the personal data of people who have access to classified information that it can use for future targeting.
Axiom has been active for at least six years and employs techniques that set it apart from other hacker groups, the researchers said. For one thing, it is highly skilled at blending its malware’s communications into legitimate network traffic, so that a company or agency analyst studying traffic logs cannot pick it out, Ludwig said.
The malware, called Hikit, can create multiple points of presence — what Ludwig called “breadcrumbs” inside the network to help Axiom move around and steal data, all without arousing suspicion.
Axiom also appears to have a “maintenance cycle” in which it periodically switches out malware, Ludwig said. “They have an advanced playbook,” he said.
Unlike the security firm Mandiant, which reported on Unit 61398, the researchers were unable to identify the locations in China where Axiom operates from or identify its members. Axiom’s members, Ludwig said, are better at covering their tracks than those of Unit 61398. They did not, for example, keep e-mail accounts or have an online presence that could be traced back to them.
Mark Stokes, an expert on the Chinese military, said it was “not surprising” to find that Unit 61398 was not as sophisticated as Axiom. That unit is part of the second bureau of the PLA’s Third Department, which is the rough equivalent of the NSA. “Cyber seems a really small part of second bureau’s broader mission, which is signals intelligence,” said Stokes, executive director of Project 2049 Institute, an Arlington think tank. “There are other parts of 3 PLA that reasonably could be expected to have a much more dedicated cyber mission.”
Some security experts said the report carries valuable remediation advice not often seen in such reports. The researchers created custom “signatures,” detection rules that match known characteristics of Axiom malware, so that organizations can check their own computers for it. This is the sort of data more traditionally exchanged in private intelligence-sharing groups, the experts said.
“This is the beginning of what will hopefully be a long line of industry-coordinated efforts to expose these threat groups, and to do so without having to use law enforcement, to help corporations and governments around the world combat” hackers, said Stephen Ward, senior director of iSight Partners, another coalition member. “This is a big first step.”
Other coalition members include Microsoft, Bit9, Cisco, FireEye, F-Secure, Symantec, Tenable, ThreatConnect, ThreatTrack Security, Volexity and threat researchers who did not wish to be identified.