CIA attacks Chinese aerospace organs for over a decade: cybersecurity firm
By Liu Caiyu
Global Times
Published March 3, 2020


Using cyberspace weapons, a hacking organization affiliated with the Central Intelligence Agency (CIA) has been attacking Chinese organizations for over a decade, including aerospace and scientific research institutions and the oil industry.

By tracking and analyzing the leaked "Vault7" cyber weapons disclosed by WikiLeaks in 2017, Chinese tech giant 360 Security Technology discovered a series of attacks against China's aerospace and scientific research institutions, petroleum industry and large internet companies by a hacking organization affiliated with the CIA.

Numerous pieces of evidence show that the hacking group, APT-C-39, belongs to the CIA. The attacks were traced back to 2008 and were found to have mainly targeted organizations in Beijing, as well as Guangdong and Zhejiang provinces.

The tech company found that the CIA-backed hacking group mainly targeted system developers at China's aerospace and scientific research institutions, which provide aviation services such as flight control systems, freight information and passenger information services. Hundreds of overseas airlines also fell victim to the hacking group.

360 Security Technology was able to attribute the attacks to the CIA and link them to Vault7 because of Joshua Adam Schulte, a former CIA employee.

Schulte was born in 1988 in Texas, worked as an intern at the NSA and joined the CIA in 2010. He was in charge of technology intelligence at the CIA's National Clandestine Service (NCS).

As a core member in developing CIA's many hacking tools and cyberspace weapons, Schulte participated in the development of Vault7.

In 2016, Schulte used his administrator rights and backdoors to copy the Vault7 program and gave it to WikiLeaks, which published the related data on its website in 2017.

Schulte was arrested and sued in 2018 by the US Department of Justice, and was prosecuted on February 4.

Schulte and these events provided evidence to 360 Security Technology, and Vault7, whose existence was confirmed by US prosecutors, became the breakthrough point for confirming that APT-C-39 was affiliated with the CIA.


According to 360 Security Technology's research, APT-C-39 used many exclusive CIA cyber weapons like Fluxwire and Grasshopper against Chinese targets.

After comparing related code samples and behavioral fingerprints, 360 Security Technology was able to confirm that these cyber weapons were the ones described in the Vault7 program.

The research also discovered that most APT-C-39 technical samples were identical to the ones described in the Vault7 files, including control commands, PDB compile paths and encryption schemes. These are the patterns of a standardized cyberattack organization, so this also serves as proof that APT-C-39 is a hacker organization under the CIA.

APT-C-39 was using these cyber weapons on Chinese targets before Vault7 was revealed by WikiLeaks in 2017. 360 Security Technology has monitored multiple Vault7 attacks on Chinese targets since 2010, which used Vault7's Fluxwire backdoors.

The monitored results showed APT-C-39 has been upgrading the cyber weapon and has been frequently attacking Chinese targets since 2010.

360 Security Technology also found connections between some APT-C-39 cyber weapons and the NSA.

In a cyberattack on a major Chinese internet company in 2011, APT-C-39 used WISTFULTOOL, an NSA attack plugin that was leaked in 2014.

According to alleged CIA documents released by WikiLeaks, the NSA supported the CIA in developing cyber weapons, which is additional proof that APT-C-39 is related to US intelligence agencies.

The compilation times of the attack samples are consistent with US Eastern Time, and the group's pattern of activity showed it had been operating from the US state of Virginia, where the CIA is located.

"The compilation time of malware is a common method in regular research and data analysis. Through the study of the compilation time of malware, we can detect the author's work schedule, to determine its approximate time zone location," the company said in a statement sent to the Global Times.
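The compile-time analysis the statement describes can be reproduced on the PE header field that carries it. The following is an added example written for this page, not 360 Security Technology's tooling: it reads the COFF `TimeDateStamp` from a PE image, builds an hour-of-day histogram under each candidate UTC offset, and ranks offsets by how many compiles land inside a 9-to-6 workday. All timestamps below are a constructed fixture generated at US Eastern standard time (UTC-5), and the PE header stubs are fixtures built only so the parser has something to read; the function and variable names are my own.

```python
"""Compile-timestamp analysis for time-zone attribution.

Added example; the sample data below is constructed and stands in for the
timestamps an analyst would pull from real malware samples.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature:
    # Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def build_pe_stub(timestamp: int) -> bytes:
    """Construct a minimal MZ/PE header carrying the given TimeDateStamp.

    Test fixture only: just enough structure for pe_compile_timestamp() to
    parse; it is not a runnable executable.
    """
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)  # i386, 1 section
    return bytes(dos_header) + b"PE\0\0" + coff


def hour_histogram(timestamps, utc_offset_hours: int) -> Counter:
    """Count compile events per local hour under a candidate UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(datetime.fromtimestamp(ts, tz).hour for ts in timestamps)


def working_hours_fraction(timestamps, utc_offset_hours: int, start=9, end=18) -> float:
    """Fraction of compiles inside [start, end) local time under the given offset."""
    hist = hour_histogram(timestamps, utc_offset_hours)
    inside = sum(count for hour, count in hist.items() if start <= hour < end)
    return inside / sum(hist.values())


def rank_utc_offsets(timestamps, candidates=range(-12, 15)):
    """Rank candidate UTC offsets, best fit first; ties go to the offset nearer UTC."""
    scored = [(off, working_hours_fraction(timestamps, off)) for off in candidates]
    return sorted(scored, key=lambda item: (-item[1], abs(item[0])))


def best_offset(timestamps) -> int:
    """The UTC offset that places the most compiles inside the workday."""
    return rank_utc_offsets(timestamps)[0][0]


# Constructed fixture: 45 compiles on weekdays in January 2012, at hours 9..17
# local time in UTC-5 (US Eastern standard time). Real samples are collected, not generated.
_EST = timezone(timedelta(hours=-5))
SAMPLE_TIMESTAMPS = [
    int(datetime(2012, 1, 9 + day, hour, 30, tzinfo=_EST).timestamp())
    for day in (0, 1, 2, 3, 4)  # Mon 9 Jan .. Fri 13 Jan
    for hour in range(9, 18)
]

# Round-trip the fixture through PE header stubs so the parser is exercised too.
PARSED_TIMESTAMPS = [pe_compile_timestamp(build_pe_stub(ts)) for ts in SAMPLE_TIMESTAMPS]


if __name__ == "__main__":
    for off, frac in rank_utc_offsets(PARSED_TIMESTAMPS)[:5]:
        print(f"UTC{off:+d}: {frac:.0%} of compiles inside 09:00-18:00")
    print("best fit: UTC%+d" % best_offset(PARSED_TIMESTAMPS))
```

Two caveats matter when reading such a result. The timestamp is writable data in the file, so an operator can zero it, randomize it or set it to a fixed value (reproducible-build toolchains do the latter deliberately), and a single sample proves nothing; the method only carries weight over a large set of samples collected across years, which is how the statement frames it. Daylight saving also shifts US Eastern between UTC-5 and UTC-4 over a year, so a real histogram tends to spread across two adjacent offsets rather than peaking cleanly on one.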

All of this evidence points to the conclusion that APT-C-39 is a US intelligence organization.