The Washington Post reported last week that the Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government, a move described as “an unprecedented step to defuse tensions with Washington at a time when the Obama administration has threatened economic sanctions.” While this is a welcome and encouraging development, it is not the first time Beijing has arrested Chinese hackers in response to pressure from the U.S. government.
Image: Democracynow.org.
The action reported by The Post and other media outlets came shortly before Chinese President Xi Jinping’s state visit to Washington late last month. The hackers arrested had reportedly been identified by U.S. officials as having stolen commercial secrets from U.S. firms to be sold or passed along to Chinese state-run companies.
Although The Post has described this action as unprecedented, U.S. government cybercrime investigators have had success convincing Chinese authorities to take such actions in at least one other case previously.
In a report (PDF) presented to Congress on Feb. 29, 2012, the Office of Inspector General for the National Aeronautics and Space Administration (NASA) noted that a lengthy investigation into the cyber theft of sensitive technical data from its systems culminated in the arrest of a Chinese national in China.
“As a result of an OIG investigation and lengthy international coordination efforts, a
Chinese national was detained in December 2010 by Chinese authorities for violations of
Chinese Administrative Law,” NASA Inspector General Paul K. Martin told a House oversight committee. “This case resulted in the first confirmed detention of a Chinese national for hacking activity targeting U.S. Government agencies. Seven NASA systems, many containing export-restricted technical data, were compromised by the Chinese national.”
Many readers probably would not consider NASA when they think about U.S. federal agencies fighting cybercrime, but in truth NASA investigators have been behind some of the more effective and cutting-edge cybercrime investigations of the past decade. As I noted in my book — Spam Nation: The Inside Story of Organized Cybercrime – From Global Epidemic to Your Front Door — NASA officials were deeply involved in the investigations into both McColo and 3FN, now-defunct Internet service providers that ultimately were unplugged from the Internet by their Internet peers after it became apparent how much cybercrime activity was emanating from these providers.
In one instance, NASA investigators traveled to Moscow to meet with Russian authorities in the planned arrest of Gugle (pronounced “Google”), a Russian man named Dmitry Nechvolod — one of the world’s top cybercriminals at the time and the co-founder of the Cutwail spam botnet code. Here’s a snippet from Spam Nation in which one of the cybercrime kingpins profiled in the book — a Russian man named Pavel Vrublevsky who employed Gugle to send spam and develop malicious software — actually warned his best henchman in advance that NASA investigators were coming.
“It was late 2010, and Vrublevsky had just called me and was excitedly relaying some intelligence that he’d gleaned from his network of law-enforcement contacts. He’d received word that cybercrime investigators with the U.S. National Aeronautics and Space Administration (NASA) were coming to Moscow to meet with Russian FSB agents. The NASA officials, who have guns and badges and just as much investigative authority as other U.S. law enforcement agencies, were coming to discuss cooperating with Russian authorities over an investigation into Nechvolod.”
“By that time, NASA investigators had connected the dots between Nechvolod and Gugle, and had been building a criminal case against him for allegedly infecting countless NASA computers with [his] malware.”
“The Americans came to Moscow trying to find the Cutwail owner, who goes by the nickname ‘Gugle,’” Vrublevsky told me excitedly and proudly in a phone interview, speaking of a man who was among the top spammers for [him]. “They got his nickname and even his real name correct, but they were never able to catch him. Honestly, I think someone warned him. You know, Brian, the corruption level in Russian law enforcement related to cybercrime is really quite high.”
The NASA OIG report referenced at the top of this story does not state whether the Chinese national arrested for allegedly hacking NASA systems ever stood trial to face the charges. NASA officials did not return calls seeking comment.
Whether this latest series of arrests is in fact a turning point in U.S.-Chinese cyber relations or just a ploy to delay sanctions promised by President Obama is anyone’s guess. As The Post notes, U.S. officials will likely be unconvinced unless those arrested are put on trial.
“Now, administration officials are watching to see if China will follow through with prosecutions,” wrote Ellen Nakashima and Adam Goldman. “A public trial is important not only because that would be consistent with established principles of criminal justice, but because it could discourage other would-be hackers and show that the arrests were not an empty gesture. Administration officials say they are not sure whether the arrests mark a deeper shift in China’s stance — or whether they were a short-term move to avoid getting hit by sanctions.”
According to the White House, at a recent state visit Presidents Xi and Obama agreed to work together to manage their nations’ differences on a number of topics, including cybersecurity. These highlights were taken verbatim from The White House’s own talking points on the subject:
“The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities. Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory. Both sides also agree to provide updates on the status and results of those investigations to the other side, as appropriate.”
“The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
“Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community. The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security, which addresses norms of behavior and other crucial issues for international security in cyberspace. The two sides also agree to create a senior experts group for further discussions on this topic.”
“The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues. China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue. The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States. This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side. As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests. Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.”