Are Chinese Hackers Targeting Canadian IP?

If they are, it's par for the course when it comes to Chinese cyber espionage.

May 21 2014, 4:55pm
Members of the Chinese People's Liberation Army march (2013). Image: Times Asi

The American government made headlines for accusing five Chinese hackers of stealing trade secrets, but the United States isn't the only country in North America falling victim to cyber attacks. Canada's intellectual property is also under assault, perhaps by the same group of hackers, or at least one that's adopted its tactics.

Motherboard obtained documents under an Access to Information Request that show Industry Canada—the government department housing its high value intellectual property—is a major target for hackers. Who those hackers are still remains ambiguous.

Those records show that in 2012 alone, Canadian officials logged five spear phishing attacks—the known weapon of choice for Chinese agents in the infamous Unit 61398. After requesting data on the cyber incidents involving the Canadian Intellectual Properties Office, Motherboard received documents titled “IT Security Cyber Incident Report[s]” which detailed the attacks, albeit with redactions.

“I am forwarding an email that I received this morning,” a Canadian government worker wrote in an August 2012 email to the IT security department. “At first I thought it came from your shop because I get notices frequently that my mailbox is full but when I went into the link it looked very suspicious. Don’t know how many others received this email hoax.” In 2011, suspected Chinese hackers made strikingly similar attacks on Defence Research and Development Canada using the same spear phishing tactics.

That year, CBC News reported that the hackers, posing as federal executives, sent emails to departmental staffers deceiving them into providing passwords for access to government networks. Much in the same vein, hackers masquerading as Canadian “IT Security” employees were responsible for the “email hoax” referred to in the August 2012 attack, in which they made requests to users for suspicious data.

The content of the “email hoax” isn’t available in the records and the incident description is completely redacted. The same report says the “Possible Phishing Attempt” affected 74 government clients.

In another report from July 2012, 275 government systems were said to be affected in a “Possible Phishing Attempt” with the “Operational” network zone targeted. Although the incident description is heavily redacted, a Canadian IT Security Officer refers to “a copy of [the] email” he put in his report, which is likely a similar phishing email example forwarded to him from targets.

All of the email redactions cite Section 16(2)(c) of the Access to Information Act, which stipulates that a government institution can refuse to disclose records if it shows the “vulnerability of particular buildings or other structures or systems, including computer or communication systems.”

At least three other spear phishing attempts were provided in these reports. One of the attacks in October 2012 involved Canada Post and an unnamed “Airline Company” in an "Email Phishing Campaign." Another incident report from November 2012 says "IT was advised of a Possible Phishing attempt," adding "Suspected email was entitled" with the title redacted. 

Chinese hackers are known to target valuable intellectual property they share with corporate entities back home. And American government and corporate entities report similar spear phishing attacks from the same Chinese hackers wanted in the US. 

Michel Juneau-Katsuya, a former CSIS intelligence officer and Asia-Pacific Chief, says the attacks have all the hallmarks of Chinese spies.

“It is their weapon of choice. It is their strategy of choice,” he said.

“They will try to bring the person who received the email to open the attachment. In the attachment there’s a designed malware to take control of the computer.”

After that, Juneau-Katsuya said, the hackers get remote access to the network and the computer becomes a “ghost” for the hackers from abroad, siphoning intel off of the government system.

“We know that specific unit, 61398, is extremely efficient in doing [phishing] worldwide,” he says.

While cyberattacks could come from various hostiles, Juneau-Katsuya says China is at the top of the list with its aggressive cyber espionage program. “We definitely know from a countermeasure point of view that the Chinese are by far the greatest threat we’re currently facing… So I wouldn’t be surprised [if these attacks] were from China.”

Ultimately, Juneau-Katsuya says Canada and its allies are in an “economic war, an open confrontation” with the Chinese.

“In just about every cybersecurity report on China-based cyber espionage, including our Ghostnet and Shadows in the Cloud reports, IP and economic intelligence is directly targeted,” said Professor Ron Deibert, a cybersecurity expert with the Citizen Lab.

He likens Chinese cyber espionage to a “splatter paint party.” The hackers, he says, are interested “in any intelligence they can derive from all sectors of society, and no country is immune.”

“As an advanced industrialized country with a major industrial and resource base, Canadian assets would be targeted,” he said.

When asked if the source of the recent hacking attacks was Chinese in origin, the Canadian government didn't deny it. Instead, Industry Canada spokesperson Stefanie Power says "as a general practice, for security reasons," they will not discuss details of any cyber incidents with the media.

"The Government of Canada is continuously working to enhance cyber security in Canada by identifying cyber threats and vulnerabilities, and by preparing for and responding to all kinds of cyber incidents to better protect Canada and Canadians," Power added.