Chinese Hackers Are Getting Dangerously Good at English

And they're coming to an inbox near you.

The New York Times' announcement in January that Chinese hackers had compromised its computers, stolen employee passwords, and wormed around its network for four months made for a chilling read to those of us concerned about press safety and digital security. But the paper's latest installment, based on a report released by the computer security firm Mandiant, lays out an even more spectacular and serious possibility: that China's military has stolen information from companies "involved in the critical infrastructure of the United States -- its electrical power grid, gas lines and waterworks."

An alarmed American public may wonder whether it's time to push the panic button, but in many respects, this is old news to those in the digital security industry. Chinese hackers have been tracked and traced before. Experts with a dismal view assume everything's hacked, until proven otherwise.

"There's a saying in the security industry," says Eva Galperin of the Electronic Frontier Foundation, an Internet advocacy group. "Everybody is 'owned' all the time. These attacks are constant."

Mandiant's report is the result of years spent tracking a Shanghai-based hacking team dubbed the "Comment Crew," also known as APT1. The company's investigators even managed to pinpoint the hackers' work space: a Shanghai building owned by Unit 61398 of the People's Liberation Army. Mandiant says it has observed some 140 attacks by Comment Crew since 2006.

While the corporate and governmental attacks described by Mandiant and the attacks against New York Times reporters are separate cases executed by different hacking groups, the digital trail leads back to the same location: China.

Galperin has a straightforward prescription. "If organizations are concerned about security, and they want to know what the one thing is that they can do -- they can teach their users not to click on these links or open these attachments," she says.

The problem is, Chinese hackers are getting dangerously good at tricking users into clicking on what are known as "phishing emails" -- messages whose links or attachments look innocuous but, once opened, install spyware on the recipient's computer. One of the secrets? Language skills. Over the course of my five years in China, hackers targeting foreign correspondents became more advanced, upgrading from early phishing attempts in haphazard "Chinglish" to convincing, polished English.

In one case in 2012, an email appeared to have come from organizers of the Boao Forum, a China-run meeting modeled after Switzerland's World Economic Forum. The English text, grammatically perfect, was copied and pasted from legitimate emails sent by Ogilvy, the international PR firm. It made for a much more convincing phishing attempt from the days when we would receive one-liners that read: "China's environmental topic. The latest news."

Mandiant's report observes the same developing sophistication: "They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China -- before beginning the cycle again. They employ good English -- with acceptable slang -- in their socially engineered emails."

Opening the Boao attachment would have displayed a sign-up sheet for journalists interested in attending the event. The real payload ran in the background, installing a rare "Trojan" that sent information stolen from the computer to a server located in Chongqing, China. The recipient would never have known he or she had been compromised.

Some phishing emails were bespoke. To my knowledge, I was the only recipient in August 2011 of an email that took advantage of CVE-2010-3333, a stack buffer overflow in the way Microsoft Word parses RTF documents (the pFragments shape property), which Microsoft had patched in November 2010, nine months before the email arrived. The message, in Chinese, concerned a July 2011 high-speed rail crash in the city of Wenzhou, a story I had covered and complemented with prolific live-tweeting. The message discussed comments from press freedom organization Reporters Without Borders concerning media access to the crash site. The hackers would have had to know I understood Chinese and would have put in some time to research recent stories I'd worked on. A few other journalists received custom phishing attempts during this period, each email message different but all taking advantage of the same exploit.

Mandiant's report underscores how difficult it is these days to spot a hacker. "The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples' names -- names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel -- and uses these accounts to send the emails."

The irony in this brave new world of the digital frontier is that we need to return to old technologies. If you want to check an attachment's safety, pick up the phone and call the sender -- using a number from your own directory, not one printed in the email. Even writing back by email might not work. Mandiant describes how in one instance, the hacker responded to a query by confirming the attachment ("It's legit," the email read). Email back … and you may well start chatting with the very person who is trying to deceive you.
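The two habits Mandiant describes -- a familiar name on a freshly created webmail account, and a reply that goes straight back to the attacker -- can be checked mechanically before anyone picks up the phone. The example below is added here and is not code from the article or from Mandiant's report. It assumes things the original does not state: that the recipient's organization uses the domain example-news.com, keeps a directory of colleagues' real addresses, and treats free webmail providers as unverified. Both messages are constructed samples, not captures.

```python
"""Header triage for the impersonation pattern Mandiant describes.

Added example, not code from the article or from Mandiant's report.
Assumptions (not in the original): the recipient's organization uses the
domain example-news.com, keeps a directory of colleagues' real addresses,
and treats free webmail providers as unverified senders.
"""
import re
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

# Constructed sample: a colleague's name on a webmail account, with Reply-To
# routing any "is this legit?" query straight back to the sender.
SUSPECT_EML = b"""\
From: "Jane Doe (IT Department)" <jane.doe.it@gmail.com>
Reply-To: jane.doe.it@gmail.com
To: reporter@example-news.com
Subject: Boao Forum 2012 - media registration form
Content-Type: text/plain

Please complete the attached registration sheet and send it back by Friday.
"""

# Constructed sample: the same colleague writing from her real mailbox.
CLEAN_EML = b"""\
From: "Jane Doe" <jane.doe@example-news.com>
To: reporter@example-news.com
Subject: Lunch?
Content-Type: text/plain

Free at one?
"""

ORG_DOMAIN = "example-news.com"                                # assumed
KNOWN_COLLEAGUES = {"jane doe": "jane.doe@example-news.com"}   # assumed directory
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
                "163.com", "qq.com"}                           # illustrative list


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage_headers(raw: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing tripped."""
    msg = BytesParser().parsebytes(raw)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    # Strip a trailing role or department so "Jane Doe (IT Department)" still
    # matches the directory entry for Jane Doe.
    name = re.sub(r"\s*\(.*?\)\s*", " ", display).strip().lower()

    # A familiar name whose mailbox is not the one in the directory is exactly
    # the webmail-account trick Mandiant attributes to APT1.
    expected = KNOWN_COLLEAGUES.get(name)
    if expected and sender != expected:
        findings.append(f"display name '{display}' belongs to {expected}, "
                        f"but the message came from {sender}")

    if _domain(sender) in FREE_WEBMAIL:
        findings.append(f"sender domain {_domain(sender)} is free webmail, "
                        f"not {ORG_DOMAIN}")

    # A reply goes wherever Reply-To (or, failing that, From) points, which in
    # the case the article describes is the attacker's own mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = (reply_to or sender).lower()
    if _domain(reply_to) != ORG_DOMAIN:
        findings.append(f"a reply asking 'is this legit?' would go to {reply_to}, "
                        f"outside {ORG_DOMAIN}; confirm by phone via the directory")
    return findings


if __name__ == "__main__":
    for label, eml in (("suspect", SUSPECT_EML), ("clean", CLEAN_EML)):
        print(label, triage_headers(eml) or ["no findings"])
```

The directory lookup is the part that does the work: a sender domain check alone would pass a look-alike domain registered by the attacker, whereas comparing the display name against the address the directory actually holds for that person catches both webmail accounts and look-alikes.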

Keeping an eye out for suspicious file extensions no longer works, either. The primitive days of mysterious .exe, .rar, and .zip attachments have given way to executables dressed up as documents: a file named to look like a PDF, with an icon to match, whose contents are a program. (Windows hides known file extensions by default, so "form.pdf.exe" appears simply as "form.pdf".) The hackers from Unit 61398 "even went to the trouble of turning the executable's icon to an Adobe symbol to complete the ruse," Mandiant notes.
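Because the icon and the visible extension are both cosmetic, the only thing worth trusting is the file's content. The example below is added here and is not code from the article or from Mandiant's report; it looks at the first bytes of an attachment and compares them with what the name claims, flags the double-extension trick, and applies a heuristic of my own for the RTF pFragments construct that the CVE-2010-3333 email described earlier exploited. The attachments are constructed test data, not captured samples, and the pFragments length threshold is an assumption rather than a vendor signature.

```python
"""Judge an attachment by its bytes, not by its name or icon.

Added example, not code from the article or from Mandiant's report. The
attachments below are constructed test data, not captured samples. The
pFragments check is a heuristic of my own for the CVE-2010-3333 RTF pattern,
not a signature taken from any vendor.
"""
import re
from typing import List, Optional

# First bytes of common attachment formats and the kind they identify.
MAGIC = [
    (b"MZ", "exe"),                                 # PE executable (DOS stub)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                         # also .docx/.xlsx/.pptx
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls/.ppt
    (b"Rar!\x1a\x07", "rar"),
]

# Extensions under which each kind is legitimately seen. Word opens RTF named
# .doc, so an RTF inside a .doc is not by itself suspicious.
LEGIT_EXTENSIONS = {
    "exe": {"exe", "scr", "com"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "rtf": {"rtf", "doc"},
    "ole": {"doc", "xls", "ppt"},
    "rar": {"rar"},
}
DOCUMENT_LOOKALIKES = {"pdf", "doc", "docx", "xls", "jpg", "txt"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif"}

# CVE-2010-3333 is a stack buffer overflow in Word's handling of the RTF
# pFragments shape property. Legitimate values are tiny; exploit documents carry
# a long hex blob. The 64-byte threshold is an assumption for this example.
PFRAGMENTS = re.compile(rb"\{\\sn\s+pFragments\}\s*\{\\sv\s+[^}]{64,}", re.I)


def sniff(data: bytes) -> Optional[str]:
    """Identify the content type from its leading bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings for one attachment; an empty list means nothing tripped."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)

    # "registration.pdf.exe": Explorer hides the final extension by default.
    if len(parts) > 2 and parts[-2] in DOCUMENT_LOOKALIKES and ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension: '{filename}' is a .{ext} dressed as .{parts[-2]}")

    if kind is None:
        findings.append("unrecognised file header; do not trust the extension")
    elif ext not in LEGIT_EXTENSIONS[kind]:
        findings.append(f"content is {kind} but the name claims .{ext or '(none)'}")

    # The icon a user sees is a resource inside the file; the MZ header is not.
    if kind == "exe":
        findings.append("executable attachment regardless of icon")

    if kind == "rtf" and PFRAGMENTS.search(data):
        findings.append("RTF pFragments with oversized value (CVE-2010-3333 pattern)")
    return findings


# Constructed samples (not real captures).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50
RTF_EXPLOIT_SHAPE = (b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 1;4;"
                     + b"41" * 120 + b"}}}}")
CONSTRUCTED = [
    ("boao_media_registration.pdf", PE_STUB),          # renamed executable
    ("boao_media_registration.pdf.exe", PE_STUB),      # double extension
    ("wenzhou_rail_crash.doc", RTF_EXPLOIT_SHAPE),     # RTF in .doc clothing
    ("agenda.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),  # benign
]

if __name__ == "__main__":
    for name, blob in CONSTRUCTED:
        print(name, triage_attachment(name, blob) or ["clean"])
```

Two points worth keeping in mind when adapting this: a mail gateway should run the content check before any filename policy, since the filename is attacker-controlled, and an RTF with a .doc extension should be treated as what it is (RTF) and parsed accordingly, which is why the legitimate-extension table allows that pairing rather than flagging it.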

Mandiant's report, titled "APT1," refers to "advanced persistent threats" -- hacker groups of an institutional, well-resourced nature. Those who've followed APTs know they're nothing new.

A 2009 investigation by Infowar Monitor, a team of technologists at the University of Toronto and the SecDev Group, a Canadian consultancy, revealed an advanced cyber-spying operation called GhostNet. Researchers traced GhostNet's command-and-control center back to China. Hackers had infiltrated computers across 103 countries, from embassies to the offices of the Dalai Lama. In its report, Infowar Monitor declared GhostNet "capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras." The hackers used polished phishing emails to gain entry to those systems.

What's different now is that the scope and targets of APTs, bleeding beyond governmental espionage to commercial groups and even to individual reporters, point to a messier, more complex, and more dangerous hacker universe where individuals and institutional players fight with different political, economic, and social agendas.

Even the most advanced technology companies have been hit. In this one month alone, Twitter, Facebook, and Apple all announced their systems had been penetrated by hackers. Bloomberg's latest report says they belong to an Eastern European criminal group. Chinese hackers, while not the sole culprits, pose a bigger geostrategic threat: The same group of hackers targeting a Fortune 500 company may well go after the State Department or a lone activist the next day.

That pattern will likely continue because of one compelling fact: It's affordable. Frank Smyth is founder of Global Journalist Security, an organization working to equip reporters with complete security training, including a digital component. "No one should be surprised, because it doesn't take that much infrastructure. If you have a team of people in a room, you can create a lot of havoc," he says. "That's much cheaper than building a tank or a jet fighter."



Iran Can’t Agree to a Damn Thing

Let's face it: The Islamic Republic is just too dysfunctional to cut a nuclear deal.

During the chaotic days of Iran's Islamic revolution, Ayatollah Ruhollah Khomeini, the country's emerging "supreme leader," assured Iranians that their supposed oppressor, the United States, would not be able to put the hated shah back on his throne. "America can't do a damn thing against us," he inveighed, a winning line that became the uprising's unofficial slogan. It's a catchphrase Iran has deployed time and again since, most recently in a taunting billboard along the Iran-Iraq border and in a banner hung in front of a captured American drone (though hilariously, in the latter case, the hapless banner-makers mistranslated the phrase as "America Can Do No Wrong").

Khomeini's slogan was true enough at the time: There wasn't much U.S. President Jimmy Carter could do to intervene in one of the most stunning uprisings in history. But today, when it comes to Iran's endless nuclear impasse with the West, one might turn the phrase back on the Iranians: The problem, in a nutshell, is that Iran can't agree to a damn thing.

Indeed, the slow pace of nuclear negotiations with Iran is only the beginning of the reasons to be discouraged about a resolution of the standoff. More worrying is that political infighting in Tehran is so bad that Iran might not be able to bring itself to accept even a unilateral, unconditional U.S. surrender were one to be offered.

To be sure, eight months between negotiating sessions -- June 18-19, 2012 in Moscow, followed by the upcoming session slated for Feb. 26 in Almaty, Kazakhstan -- is bad news enough. U.N. Secretary-General Ban Ki-moon hit the nail on the head when he warned last week, "We should not give much more time to the Iranians, and we should not waste time. We have seen what happened with [North Korea]. It ended up that they [were] secretly, quietly, without any obligations, without any pressure, making progress" on nuclear weapons.

But the pace of talks is only the beginning of the problem. More important is the political meltdown among the Islamic Republic's leaders. Their problems should help put ours in perspective. Many Americans think Washington faces gridlock from hyperpartisan politics, though in fact Iran policy is an exception to that rule. Bills about Iran's nuclear program typically enjoy stunning levels of support -- 100 to 0 in the Senate in the December 2011 round of sanctions. In the November 2012 vote on another sanctions round, several senators were absent, so the vote was a cliffhanger 94 to 0.

By contrast, Iranian leaders fight about everything, even where vital national security interests are at stake. In many respects, a divided Iran is nothing new. The Islamic Republic has from its beginning been characterized by sharp internal divisions. And that has long influenced debate about policy toward the United States. For at least 20 years, the rule in Iran has been: Whoever is out of power wants talks with the United States, which they know would be popular, while whoever is in power moves haltingly if at all toward talks. Several times, those on the outs became the ins and then quickly shifted position on relations with Washington. When Mohammad Khatami was running for president in 1997, he was all in favor of talks with the Great Satan, but then once in power, he did little if anything and refused to speak clearly on the issue. And so too with President Mahmoud Ahmadinejad: When he was riding high, he only had disdain for the United States, but as he got into trouble at home, he called for talks with Washington.

But now, the situation is much worse than before. It used to be that once Khomeini's successor, Ayatollah Ali Khamenei, spoke, that ended the debate, but no longer. Khamenei neither enjoys the respect nor commands the power to stop the infighting. No matter how often or bluntly he rejects the idea of negotiations with the United States, other important officials -- most loudly and frequently, Ahmadinejad -- call for such talks.

Khamenei couches his call for obedience as a need for unity and vigilance in the face of the enemy. A typical speech on January 29 warned, "Today the world of Islam is faced with the plot of enemies... We should not fuel the fire of discord by arousing shallow and vulgar feelings. This will burn the fate of nations. It will completely destroy them. It will help the enemies of Islam." Consistent with his longstanding reluctance to publicly weigh in directly on political disputes, Khamenei has usually confined himself to elliptical criticisms, such as his warning in a Feb. 7 speech to Air Force commanders, "The improper conduct which is witnessed in certain areas from certain government officials -- they should end this." He concluded with another strong call for unity.

Admonished by the supreme leader to close ranks, Iranian leaders promptly put on a full display of their bitter enmity. The Majlis, Iran's legislature, called in for questioning Labor Minister Reza Shaikholislami, a close ally of Ahmadinejad. In response, the Iranian president went to the Majlis for the Feb. 3 debate and insisted on accusing Speaker Ali Larijani and his family (including his brother Sadegh Larijani, head of the judiciary) of corruption, playing a recording he claimed supported the charge. Ruled out of order, Ahmadinejad stormed out. The Majlis then voted Shaikholislami dismissed by a vote of 192 to 56; Ahmadinejad promptly added him to his official delegation leaving for Egypt. Five days after the Majlis brawl, 100 Ahmadinejad supporters pelted Ali Larijani with shoes, disrupting a speech he was trying to give in Qom.

Khamenei was clearly appalled that neither his public admonitions nor his reported firm private orders had been enough to stop the feuding. So he lit into the two sides in a Feb. 16 address, saying, "What is the reason behind impeaching a minister a few months before the end of the life of the government, for a reason that had nothing to do with that minister? ... The head of one branch of power [Ahmadinejad] accused the two other branches of power based on a charge that was not raised or proved in a court...Such acts are against the sharia as well as the law and ethics." Turning to the disputes about corruption, he added, "I expect the officials to enhance their friendship at this time that enemies have intensified their [hostile] behavior. Be together more than before. Control your wild sentiments." He warned that if they did not follow his counsel, there would be grave consequences.

Khamenei was ignored again. Two days after this speech, the Supreme Court -- largely controlled by Sadegh Larijani -- upheld four death sentences against close Ahmadinejad allies in a high-profile corruption case. Neither the president nor his equally conservative, hard-line opponents seem to fear Khamenei or much respect his authority anymore.

By their actions, Iranian leaders are giving the strong impression that they are so preoccupied by their internal differences that they cannot agree on, well, a damn thing. Disunity helps the enemy, Khamenei frequently says. But the world powers negotiating with Iran would be glad to see more unity in Tehran, because a more unified Iranian government would be better able to reach a deal and then implement it. That seems less and less likely. The time is rapidly approaching when the big powers, or at least the United States, need to set out a stark choice for Iran's leaders: Either accept a generous offer to resolve the nuclear impasse or be prepared for the consequences.