A new report by the US National Security Agency (NSA), Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) reveals just how difficult, if not impossible, it is to fix cyber vulnerabilities caused by Chinese-supported intrusions.

It does not offer an alternative to current-day computing networks, and it does not treat cloud-based networks as any more secure than wired networks.

The bottom line is that the critical infrastructure, which includes key industries, business, government and military systems, remains hostage to Chinese hacking and represents a major national security danger to the US and its allies, far surpassing the Russian ransomware attacks that also have hit some infrastructure targets.

The report is titled “Chinese State-Sponsored Cyber Operations: Observed TTPs.” 

A key finding of the report is the massive intrusion of Microsoft Exchange servers, which Microsoft advertises as “efficient and secure.” The report makes clear this is not the case.

The Microsoft Exchange server supports Microsoft 365, which includes Microsoft products such as Office, Skype for Business, PowerPoint, Planner, some mobile apps and Outlook email. It is cloud-based.

On July 6, the US Defense Department canceled a US$10 billion master cloud contract with Microsoft under a program called JEDI (Joint Enterprise Defense Infrastructure). While all public reporting has pointed to a dispute between the government and Amazon, a competitor for the JEDI contract, by July the DOD would have been well aware of Chinese hacking and Microsoft’s vulnerabilities, as the NSA is run by the Defense Department.

TTPs is jargon for “tactics, techniques and procedures” and refers to the different ways China, and the hackers China hires, carry out attacks on “US and allied political, economic, military, educational and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property and personally identifiable information (PII).

“Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities and medical institutions. These cyber operations support China’s long-term economic and military development objectives.”

[Photo caption: The Microsoft Exchange servers were a target. Photo: AFP / Sebastian Kahnert / dpa]

China’s ability to respond

The report goes through a long list of ways Chinese-led hackers penetrate US and allied networks, including even tracking what the US and allied cybersecurity community is doing to protect networks in order to circumvent and blunt security efforts.

One of the top techniques is China’s ability to respond rapidly to any report of a new vulnerability. When such a vulnerability is revealed, often first in the technical literature and well before patches or other remedial steps can be taken to close the hole in a networked or stand-alone system, Chinese hackers mount a mass effort to exploit the still-unpatched vulnerability against top targets.

Much of this involves the theft of intellectual property, which includes national security-related new technology or products, commercial and business proprietary information and increasingly medical research data, such as information on new drugs, treatments and vaccines.

Some of the Communist Party elite have ownership of Chinese Pharma companies, largely through their children and grandchildren.

There is no official estimate on how much has actually been stolen from the United States. The author believes that a large part of the US research and development (R&D) budget has been compromised by China. 

One feature of research grants from organizations such as the US Defense Advanced Research Projects Agency (DARPA) is that most of the funds go to work that isn’t classified and where encryption and file protection are more the exception than the rule.

Anytime US universities or independent researchers carry out sensitive work, most of the time they do so on the margins of the public domain, making cyber protection very difficult if not impossible.

China, according to the report, is also using a variety of attack modes, including ransomware. Chinese-supported hackers use virtual private networks (VPNs) in much the same way “burner” phones are used, to hide their hacking operations.

[Photo caption: A VPN gateway. Photo: AFP / Maxim Tumanov / Sputnik]

No easy fix

A VPN is an encrypted network connection that hides the actual user and shields the user from discovery. By regularly changing VPNs, the Chinese hackers make it difficult for security agencies to trace the sources of the hacks.

The most important part of the report, however, is found in Appendix A: “Chinese State-Sponsored Cyber Actors’ Observed Procedures.” It goes into significant detail on at least 41 “procedures” used by Chinese hackers and offers suggestions on how to try to protect against such hacks.

Anyone who reads the full listing and goes over the “Defensive Tactics and Techniques” will immediately recognize that implementing any of them would take a cyber army of sophisticated experts and, in any event, might not work at all.

There is also an Appendix B in the report called “MITRE ATT&CK Framework,” otherwise known as the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK®) framework. The framework is “an open framework and knowledge base of adversary tactics and techniques based on real-world observations.”
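The framework lends itself to a simple defensive exercise that goes to the heart of the problem Appendix A raises: mapping the techniques a report catalogues against the detections an organization already has, to see where the gaps lie. The following Python script is an added example, not part of the original article or of the NSA report. The technique IDs are standard MITRE ATT&CK identifiers, but the list of observed techniques and the detection rules are constructed for illustration and are not taken from the report’s appendices. The script also handles the sub-technique edge case: a detection written for a parent technique (e.g. T1078) counts only as partial coverage of one of its sub-techniques (e.g. T1078.002).

```python
from collections import defaultdict

# Constructed sample: ATT&CK technique IDs of the kind a TTP report's
# appendix catalogues. Real ATT&CK IDs, but an illustrative list, not the
# report's own (hypothetical set of "observed" techniques).
OBSERVED_TECHNIQUES = {
    "T1190": "Exploit Public-Facing Application",
    "T1505.003": "Server Software Component: Web Shell",
    "T1078.002": "Valid Accounts: Domain Accounts",
    "T1090.003": "Proxy: Multi-hop Proxy",
    "T1486": "Data Encrypted for Impact",
    "T1566.001": "Phishing: Spearphishing Attachment",
}

# Constructed sample: detection rules a defender already runs, each tagged
# with the technique(s) it is meant to catch. Names are hypothetical.
DETECTIONS = [
    {"name": "Web server process spawning cmd/powershell", "techniques": ["T1505.003"]},
    {"name": "Mass file rename with unusual extensions", "techniques": ["T1486"]},
    {"name": "Mail gateway macro-attachment block", "techniques": ["T1566.001"]},
    {"name": "Anomalous logon from new geography", "techniques": ["T1078"]},
]


def parent_id(technique_id: str) -> str:
    """Return the parent technique of a sub-technique ID (T1078.002 -> T1078)."""
    return technique_id.split(".")[0]


def coverage_report(observed: dict, detections: list) -> dict:
    """Classify each observed technique as covered, partially covered, or a gap.

    covered  - at least one detection is tagged with exactly this ID
    partial  - a sub-technique whose parent has a detection but the
               sub-technique itself does not
    gaps     - no detection at all
    """
    exact = defaultdict(list)
    for det in detections:
        for tid in det["techniques"]:
            exact[tid].append(det["name"])

    covered, partial, gaps = {}, {}, []
    for tid in sorted(observed):
        if tid in exact:
            covered[tid] = exact[tid]
        elif "." in tid and parent_id(tid) in exact:
            partial[tid] = exact[parent_id(tid)]
        else:
            gaps.append(tid)

    pct = round(100.0 * len(covered) / len(observed), 1) if observed else 0.0
    return {"covered": covered, "partial": partial, "gaps": gaps, "coverage_pct": pct}


def format_report(observed: dict, report: dict) -> str:
    """Render the coverage report as plain text for a defender to read."""
    lines = [f"Exact coverage: {report['coverage_pct']}% of {len(observed)} observed techniques"]
    for tid, rules in report["covered"].items():
        lines.append(f"  COVERED  {tid:10} {observed[tid]}  <- {', '.join(rules)}")
    for tid, rules in report["partial"].items():
        lines.append(f"  PARTIAL  {tid:10} {observed[tid]}  <- parent only: {', '.join(rules)}")
    for tid in report["gaps"]:
        lines.append(f"  GAP      {tid:10} {observed[tid]}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = coverage_report(OBSERVED_TECHNIQUES, DETECTIONS)
    print(format_report(OBSERVED_TECHNIQUES, result))
```

Run on the constructed sample, the script reports 50% exact coverage, one partial (the domain-accounts sub-technique, caught only by a generic valid-accounts rule) and two outright gaps (exploitation of a public-facing application and multi-hop proxying). Replacing the two sample dictionaries with a real technique list and a real rule inventory turns this into the kind of prioritization a small team can act on without the “cyber army” the article refers to.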

Over the years the Pentagon has tried to put into operation comprehensive security measures for its computing assets, but has largely failed to consistently apply measures or even figure out how to authenticate how well security steps have been implemented.

One of the underlying problems is shifting personnel and support contractors. But there also are funding limitations, lack of skilled personnel, indifference and demands to keep networks running even if they are vulnerable because they are needed for urgent military requirements. 

One of the reasons the DOD saw the JEDI contract as critically important is that it would have consolidated many of the diverse networks into one cloud environment. Unfortunately, no one seems to have considered the vulnerability of a single cloud when it comes to surviving a national security disaster, and that was before the extent of Chinese hacks of Microsoft Exchange servers was known.

The US government needs to reconsider its entire approach to network security, but despite an exponential rise in cybercrime and cyber disruptions, the prospect for this happening remains low.