September 20, 2020

Qihoo 360: CIA Hacking Group (APT-C-39) targets the key industries in China over the past 11 years


The Qihoo 360 security team recently released a research report stating that the United States Central Intelligence Agency (CIA) has been conducting cyber espionage activities in key industries in China since 2008.

This type of cyber espionage targets a number of key industries in China such as aviation organizations, scientific research institutions, petrochemicals, Internet technology companies and Chinese government agencies.

The security team traced this espionage back as far as 2008; it had been running for 11 years by 2019, and the activity has not stopped since.

WikiLeaks is an online media organization founded by Julian Paul Assange. In 2017, WikiLeaks disclosed 8,716 documents obtained from the CIA.

These files contain 156 confidential documents detailing the attack methods, targets, tools and corresponding technical specifications of the CIA hacker organization.

Qihoo 360 analyzed the leaked material and correlated it with the team’s research, and then found targeted attacks against the Chinese aviation industry, scientific research, and government agencies.

These attacks can be traced back to 2008 and lasted for 11 years (September 2008 to June 2019). The targets were distributed in Beijing, Guangdong, and Zhejiang.

All of the targeted attacks described above were attributed to APT-C-39, an advanced persistent threat group linked to the United States. APT-C-39 is a hacking group associated with the CIA and is used to carry out a variety of cyber espionage activities worldwide.

The CIA’s cyber espionage activities in China cover a wide range of sectors. Here, Qihoo 360 uses the Chinese civil aviation industry as an example to illustrate the security threat.

Because the matter relates to national security, the information disclosed here is only part of the intelligence data held by Qihoo 360; it covers China’s civil aviation industry and related scientific research institutions.

In the attacks against the Chinese aviation industry and scientific research institutions, Qihoo 360 found that the CIA mainly targeted the system developers in this field.

These developers are mainly engaged in civil aviation information technology-related tasks, such as flight control systems, cargo information systems, settlement and distribution, and passenger information systems.

It is worth noting that the CIA’s target is not just China’s civil aviation industry. The analysis also found that the attack targets commercial airlines in hundreds of countries and regions.

Qihoo 360 speculated that, over the past decade or more of infiltration attacks, the CIA may have obtained the most confidential business information in China and many other countries around the world.

It does not even rule out the possibility that the CIA can now track flight status, departure and passenger information, trade and freight information, and other related data around the world in real time.

Qihoo 360 stated that any discussion of the CIA’s key cyber arsenal must first introduce former CIA employee Joshua Adam Schulte.

The Qihoo 360 stated that when it comes to the CIA’s key cyber arsenal, it is necessary to first introduce former CIA employee Joshua Adam Schulte.

Joshua had an internship at the National Security Agency and later joined the CIA, mainly serving as the intelligence officer of the Central Intelligence Agency’s Scientific and Technical Intelligence Agency.

Joshua’s proficiency in the design and development of cyber weapons, combined with his knowledge of intelligence operations, made him a core developer of many of the CIA’s hacking tools.

In 2016, Joshua used his administrative rights to the core computer room and pre-planted backdoors to steal confidential files, which were then shared with WikiLeaks.

Joshua’s personal history and the stolen documents provided researchers with important clues, and multiple pieces of evidence suggest that APT-C-39 is directly linked to the CIA.

Joshua was charged by a U.S. court on a number of counts, including illegally obtaining state intelligence; he remains in custody and the court has yet to reach a verdict.

Qihoo 360 presents the main evidence of APT-C-39’s association with the CIA:

Evidence 1: APT-C-39 uses massive exclusive cyber weapons in the CIA’s Vault 7 project

APT-C-39 has used CIA-exclusive cyber weapons such as Fluxwire and Grasshopper to carry out cyber attacks against China.

By comparing relevant sample code, behavioral fingerprints, and other information, Qihoo 360 is confident that the cyber weapons used by the group are the ones described in the Vault 7 leaks.

Evidence 2: The technical details of most samples of the APT-C-39 are consistent with the ones described in the Vault 7 documents

Qihoo 360’s analysis found that the technical details of most of the samples are consistent with those in the Vault 7 documents, such as control commands, compiled PDB paths, and encryption schemes. Such patterns are typical of standardized attack organizations and are one of the methods used to classify them. The group is therefore believed to belong to the CIA-led national hacking group.

Evidence 3: Before the Vault 7 cyber weapon was disclosed by WikiLeaks, the APT-C-39 already used relevant cyber weapons against targets in China

Evidence 4: Some attack weapons used by the APT-C-39 are associated with the NSA

WISTFULTOLL is an attack plugin from the 2014 NSA leaks. In a 2011 attack against a large Internet company in China, the APT-C-39 group used the WISTFULTOLL plugin on the target. At the same time, the CIA confidential documents uncovered by WikiLeaks confirm that the NSA assisted the CIA in developing cyber weapons, which is further corroborating evidence of the association between APT-C-39 and U.S. intelligence agencies.

Evidence 5: The compilation times of APT-C-39’s weapons fall within U.S. time zones

The compilation times of the captured samples line up with North American business hours.

Malware compilation time is a common statistical method in APT group attribution. By studying the compilation times of malware, researchers can infer the developer’s work schedule and thus the approximate time zone in which they are located.
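As an added illustration of the compile-time technique just described (this is not Qihoo 360’s tooling, and the PE headers and build times below are constructed, not real samples), the following script reads the COFF `TimeDateStamp` from PE images and scores candidate UTC offsets by how many builds land inside a local workday:

```python
"""Compile-timestamp attribution: which UTC offset makes the builds look like
a normal workday? Added example; the PE blobs are constructed stub headers."""
import struct
from collections import Counter
from datetime import datetime, timezone, timedelta


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def build_stub_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-executable PE header carrying the given timestamp."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=I386, 1 section, timestamp, no symbols, no optional header, no flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def business_hour_fit(timestamps, offsets=range(-12, 15), start=9, end=18):
    """Score each UTC offset by the number of builds falling in [start, end)
    local time. Returns (best_offset, {offset: count}); ties go to the
    offset closest to UTC."""
    scores = {}
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        hours = [datetime.fromtimestamp(t, tz).hour for t in timestamps]
        scores[off] = sum(start <= h < end for h in hours)
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores


def weekday_histogram(timestamps, offset):
    """Count builds per local weekday name under the chosen offset."""
    tz = timezone(timedelta(hours=offset))
    return Counter(datetime.fromtimestamp(t, tz).strftime("%a") for t in timestamps)


def analyze(pe_blobs):
    """Extract timestamps from PE images and summarize the developer's schedule."""
    stamps = [pe_timestamp(b) for b in pe_blobs]
    best, scores = business_hour_fit(stamps)
    return {"best_offset": best, "in_hours": scores[best],
            "weekdays": weekday_histogram(stamps, best)}


# Constructed sample: six builds, UTC clock times chosen for illustration only.
_UTC = timezone.utc
SAMPLE_UTC_BUILDS = [
    datetime(2011, 3, 15, 14, 5, tzinfo=_UTC),
    datetime(2011, 3, 16, 16, 40, tzinfo=_UTC),
    datetime(2011, 3, 17, 18, 20, tzinfo=_UTC),
    datetime(2011, 3, 22, 19, 55, tzinfo=_UTC),
    datetime(2011, 3, 23, 21, 10, tzinfo=_UTC),
    datetime(2011, 3, 24, 22, 45, tzinfo=_UTC),
]
SAMPLE_PES = [build_stub_pe(int(d.timestamp())) for d in SAMPLE_UTC_BUILDS]

if __name__ == "__main__":
    result = analyze(SAMPLE_PES)
    print(f"best fit: UTC{result['best_offset']:+d}, "
          f"{result['in_hours']}/{len(SAMPLE_PES)} builds in 09-18 local")
    print("weekday spread:", dict(result["weekdays"]))
```

Two caveats a practitioner would weigh before treating the result as attribution: the `TimeDateStamp` is written by the linker and can be zeroed or forged by the author, and a single block of workday hours fits several adjacent offsets almost equally well, so the signal is only as strong as the number and spread of samples and should be combined with the other evidence (PDB paths, tooling overlap) rather than used alone.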

In summary, Qihoo 360 has every reason to believe that the APT-C-39 hacking group is associated with the United States and takes part in its cyber attack activities.