Chinese attacks 'Byzantine Candor' penetrated federal agencies, says leaked cable


Cyber espionage by Chinese military-linked hackers, part of a series of attacks code-named "Byzantine Candor," extracted at least 50 megabytes of email messages from a federal agency along with a complete list of that agency's user names and passwords, states a newly-available leaked State Department cable.

The cable is one of 251,287 made available to news organizations by Wikileaks, which is also publishing the cables even as it has struggled the past few days to stay online (this mirror site appears to be stable). For links to all the cables leaked so far pertaining to Chinese hacking, click here (our links go either to The New York Times or FierceGovernmentIT).  

According to the cable, which is labeled SECRET//NOFORN and is dated Nov. 3, 2008, Byzantine Candor has existed since late 2002. Its hackers have compromised multiple systems, including one U.S. commercial Internet service provider, in part through social engineering attacks, the cable states.

According to Air Force Office of Special Investigations findings referenced in the cable, hackers in Shanghai with ties to the Chinese military intelligence penetrated "at least three separate systems" at the U.S. ISP from which they were able to download the email, attachments, usernames and passwords from the unnamed federal agency during a period from April 2008 through Oct. 13, 2008.

Someone with presumably legitimate access to the ISP identified one of the compromised systems on August 14, 2008, when a Byzantine Candor hackers transferred a malicious file named "&" onto it.

Within the United States, the majority of Byzantine Candor targets have been Army systems, although other Defense Department services, as well as the departments of State and Energy and additional federal agencies have also been the subject of those attacks, the cable states.

A U.S. meeting with German domestic intelligence officials between Sept. 29 and Oct. 2, 2008 showed that Chinese hackers use the same attack techniques in Europe as well as the United States, according to the cable. Namely, a socially engineered email appearing to come from a trusted source about a specific topic relevant to the recipient but containing a malware attachment or embedded links to a hostile websites which then causes malicious software to be downloaded onto the recipient's computer.

A State Department SECRET//NOFORN cable from June 18, 2009 details what could be an example of an attempted Chinese social engineering attack. On June 1, during a period that coincided with climate change talks between the United States and China, the State Department's cyber threat analysis division detected an email addressed to five officials within the office of the special envoy for climate change that appeared to come from a National Journal columnist. Attached to the message was a .pdf file titled "China and Climate Change," which harbored malicious code with the Adobe (NASDAQ: ADBE) Collab getIcon() exploit.

The cables also shed more light on the Chinese crackdown on Google (NASDAQ: GOOG), which, if a source referenced in a May 18, 2009 CONFIDENTIAL cable is to be believed, stemmed in part from a member of China's Politburo Standing Committee Googling himself and disliking the results.

According to the source, the official--identified by the Times as Li Changchun--happened to find a link on (Google's now shuttered, officially-sanctioned Chinese language search engine) to, which accepts Chinese language searches and which also doesn't censor the results. The official (i.e., Li) "allegedly entered his own name and found results critical of him," the cable states, adding that he "reportedly believes [] is an 'illegal site.'"  

Another cable marked SECRET from early 2010 quotes a source fingering the Politburo Standing Committee as ultimately responsible for a spate of intrusions into Gmail accounts. The Times again identifies Li as the responsible official, although the newspaper says that the source quoted in the early 2010 cable has since said that Li indeed personally oversaw a campaign against Google's operations in China, but that the source "did know who directed the hacking attack."

A Nov. 7, 2006 CONFIDENTIAL cable also shows the Chinese government attempting to pressure a U.S. deputy chief of mission to get Google to reduce the resolution of sensitive government installations on Google Earth. The diplomat said "he would report the request to Washington, but noted that Google is a private company," the cable states.

For more:
- go to a table with links to copies of all the so far leaked cables pertaining to Chinese hacking

Related Articles:
Amazon backs off Wikileaks hosting while White House says 'structural reforms' are underway
Wikileaks fallout grinds onward
Leaked Wikileaks cables finger Chinese government for Google hack