China’s largest cyber-security vendor has published today a report accusing the CIA of hacking Chinese companies and government agencies for more than 11 years.
The report, authored by Qihoo 360, claims the CIA hacked targets in China’s aviation industry, scientific research institutions, petroleum industry, Internet companies, and government agencies.
CIA hacking operations took place between September 2008 and June 2019, and most of the targets were located in Beijing, Guangdong, and Zhejiang, Qihoo researchers said.
Qihoo claims that a large part of the CIA’s hacking efforts focused on the civil aviation industry, both in China and in other countries.
The Chinese security firm claims the purpose of this campaign was “long-term and targeted intelligence-gathering” for the purpose of tracking “real-time global flight status, passenger information, trade freight and other related information.”
Report based on Vault 7 leaks
Both malware strains came to light in early 2017 when Wikileaks published the Vault 7 dump, a collection of documentation files detailing the CIA’s arsenal of cyber-weapons.
WikiLeaks claimed it received the files from a CIA insider and whistleblower, later identified as Joshua Schulte — currently on trial in the US.
Weeks after the WikiLeaks Vault 7 revelations, Symantec confirmed that Fluxwire was the Corentry malware that they had been tracking for years.
“Qihoo 360 analysis found that the technical details of most of the samples are consistent with the ones in the Vault 7 document, such as control commands, compile PDB paths, encryption schemes,” the Chinese researchers said — echoing the findings of the Symantec report.
The Chinese researchers also claim they found Fluxwire versions deployed in the wild long before the Vault 7 leaks became public, with detection times matching the now-public Fluxwire changelog.
Furthermore, Qihoo researchers also claim that the malware’s compilation times are consistent with US timezones. Ironically, this is a common technique that US investigators have used to link malware samples back to Chinese hackers many times in the past.
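The timezone reasoning above rests on a simple check: bucket each sample's build timestamp by hour of day under candidate UTC offsets and see which offset places most builds inside normal working hours. The script below is an added illustration, not code from the Qihoo report; the timestamps are constructed for the example, and the candidate offsets and 09:00-18:00 working window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: build timestamps (seconds since epoch) of the kind an
# analyst would read from the PE IMAGE_FILE_HEADER.TimeDateStamp field.
# Here they are synthesised as 14:00-21:00 UTC on five consecutive days,
# i.e. a 09:00-16:00 working day in UTC-5. Not values from the report.
_BASE = datetime(2015, 3, 10, tzinfo=timezone.utc)
SAMPLE_TIMESTAMPS = [
    int((_BASE + timedelta(days=d, hours=h)).timestamp())
    for d in range(5)
    for h in range(14, 22)
]

WORK_HOURS = range(9, 18)          # assumed local office hours, 09:00-17:59
CANDIDATE_OFFSETS = {"US Pacific": -8, "US Eastern": -5, "UTC": 0, "China": 8}


def clean(timestamps):
    """Drop zeroed stamps (a common sign of a stripped or forged header)."""
    return [ts for ts in timestamps if ts > 0]


def hour_histogram(timestamps, utc_offset_hours):
    """Count builds per local hour of day under the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(datetime.fromtimestamp(ts, tz).hour for ts in timestamps)


def work_hour_fraction(timestamps, utc_offset_hours):
    """Share of builds that fall inside WORK_HOURS in that offset."""
    stamps = clean(timestamps)
    if not stamps:
        return 0.0
    hist = hour_histogram(stamps, utc_offset_hours)
    return sum(hist[h] for h in WORK_HOURS) / len(stamps)


def best_fit_zone(timestamps, candidates=CANDIDATE_OFFSETS):
    """Return the candidate label whose offset best matches office hours."""
    scores = {name: work_hour_fraction(timestamps, off) for name, off in candidates.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    zone, scores = best_fit_zone(SAMPLE_TIMESTAMPS)
    for name, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name:<11} {score:.2f}")
    print("best fit:", zone)
```

A clean fit is weak evidence on its own: build timestamps are attacker-controlled and a small or zero-filled set says nothing, so the result only corroborates other artefacts such as PDB paths and command sets.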
The Qihoo report does not actually bring anything new to the table. Most of the information in the Qihoo report was already public knowledge that was shared and confirmed from different sources more than three years ago.
The only new information in the Qihoo report is the list of specific targets allegedly hacked by the CIA in China, which was not publicly known before today’s Qihoo blog post.
Third Chinese vendor to call out the CIA
In its report, Qihoo referenced CIA hacking operations under the codename of APT-C-39. In reports published by other cyber-security vendors, CIA hacking operations are also tracked as Longhorn (Symantec designation) and Lamberts (Kaspersky designation).
Qihoo 360 now becomes the second Chinese security vendor to publicly blame the CIA for hacks inside China in the past six months.
In late September 2019, cyber-security firm Qi An Xin also published a similar report blaming the CIA for hacks against Chinese aviation targets between 2012 and 2017.
Rising researchers did not directly link the group to any particular country, but they nicknamed the hackers “Rattlesnake” after a snake inhabiting the southeastern parts of the United States and some parts of Mexico — in a form of wink-nod attribution.