When President Xi hosted President Putin at the start of the Winter Olympics in February they declared that their countries' bond had "no limits". The Times

China Accused of Hacking Ukraine Days Before Russian Invasion


The Times
April 7, 2022


China staged a huge cyberattack on Ukraine’s military and nuclear facilities in the build-up to Russia’s invasion, according to intelligence memos obtained by The Times.

More than 600 websites belonging to the defence ministry in Kyiv and other institutions suffered thousands of hacking attempts, according to the memos headed “Chinese Attacks on Ukrainian Government, Medical & Education Networks”.

The campaign was co-ordinated by the Chinese government, a source at Ukraine’s security service, the SBU, said.

The source revealed that, in an apparent sign of complicity in the invasion, Chinese attacks started before the end of the Winter Olympics and peaked on February 23, the day before Russian troops and tanks crossed the border.

An SBU colonel said: “China showed they can block our sites at a key moment, but now we have more tools to protect ourselves. Our partners from the US, Britain and the European Union help us a lot.”

The SBU source said China’s attacks sought to infiltrate targets ranging from border defence forces to the national bank and railway authority. They were designed to steal data and explore ways to shut down or disrupt vital defence and civilian infrastructure.

Russian hackers also tried to cripple Ukraine’s computer networks and compromise government websites before invading, but the SBU source said that Chinese attacks could be distinguished by the trademark tools and methods of the cyberwarfare unit of the People’s Liberation Army.

Asked if Britain’s intelligence services were aware of the alleged Chinese hacks, a government spokesman told The Times: “The National Cyber Security Centre is investigating these allegations with our international partners.”

US intelligence sources indicated that the information about a Chinese cyberattack on Ukrainian government facilities before the Russian invasion was accurate. The Chinese embassy did not respond to a request for comment.

Beijing has refused to condemn President Putin for invading Ukraine. Analysts said that China could be punished with western sanctions if it was proven to be supporting the war.

When President Xi hosted Putin at the start of the Beijing Winter Olympics on February 4, the two men signed a joint statement declaring the bonds between the two countries had “no limits” and had “no ‘forbidden’ areas of co-operation”. Xi denied asking Putin to delay the invasion until after the Olympics.

Soon afterwards, the SBU source said, the Ukrainian government noticed a spike in computer network exploitation (CNE) attacks, which are typically used for reconnaissance and espionage.

The source said it had seen an “increase in activity against our country’s networks in mid-February with active CNE operations being conducted daily”. It peaked on February 23, the day before the invasion, with Russian and Chinese cyberattacks.

The SBU source shared with The Times a series of intelligence memos, thought to be prepared by another country, that lay out the scale and ambition of the hacking. They identified key military targets such as the Ukrainian National Security and Defence Council and the State Border Guard Service, as well as civilian services including the national bank and finance ministry. One memo laid out an attack on Ukraine’s nuclear infrastructure.

“Intrusions that are of particular concern include the CNE campaigns directed at the State Nuclear Regulatory Inspectorate, and the Ukrainian Investigation Website focused on Hazardous Waste,” the memo read. “This particular CNE attack by the Chinese cyberprogram included the launch of thousands of exploits with attempts pointed to at least 20 distinct vulnerabilities.”

The timing appears to confirm that Moscow had already informed Beijing of its invasion plans, cybersecurity experts said. “It sounds like they didn’t care that they were seen — they had an objective to get in and get what they needed as quickly as possible,” Tom Hegel, a senior threat researcher at SentinelOne, a US cybersecurity firm, said.

“It’s abnormal for a CNE-type effort, it stresses the importance of what they knew was coming.”

These incidents would explain a flurry of western diplomacy with Beijing over the past month as Russian bombs and artillery pounded Ukrainian cities, levelling Mariupol and killing thousands of people. Antony Blinken, the US secretary of state, called Wang Yi, his Chinese counterpart, on March 5 to urge Beijing to distance itself from the war.

US rhetoric then hardened, with President Biden warning China during a call with Xi on March 22 of “severe consequences” if it provided material support to Russia.

Yesterday European leaders held a summit with China for the first time in two years, urging Beijing to choose between its western trading partners or its geopolitical ally in the Kremlin. Ursula von der Leyen, president of the European Commission, relayed the bloc’s concerns about Ukraine to Xi.

Experts said there had been an increase in Ukraine’s ability to catalogue and defend itself from cyberattacks in recent months.

Steve Tsang, director of the Soas China Institute, said: “The number of people China has engaged in cyberoperations is enormous. A lot of them are part of the People’s Liberation Army, which is part of the [Chinese Communist] party.

“We all believe that they have a cyberforce that attacks states. They have been more engaged in getting information rather than shutting people down. If they’re working in Ukraine they’re working in support of Russians. The implications of this would be they are potentially subjected to sanctions.”

Sam Cranny-Evans, an intelligence and surveillance expert at the Royal United Services Institute, a think tank, said: “The attacks suggest a certain level of collusion between Russia and China, which may prompt revised assessments of the nature of the relations between Russia and China, and the willingness of the two nations to support each other in military operations. It may also raise questions about what other support Beijing will provide Russia’s operation in Ukraine, and the potential for this to prolong the conflict.

“At the capability level, it is interesting that the Russian security apparatus involved Chinese actors in this operation; they are typically quite capable and committed considerable resources to the intelligence operation in Ukraine in the lead-up to the conflict. The FSB for instance, had a staff of 200 personnel focused on gathering human intelligence in Ukraine, which included cyberattacks to gather information on the population.”

Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne, said: “Credit to the Ukrainian government, I don’t know what they’ve done with [their] computer emergency response team, but they are killing it. It’s very plausible that the US government is helping or that they have other companies on the ground — no one we know has owned up to that yet. There’s something going on there.”

SentinelOne told The Times it had identified a separate, smaller Chinese cyberattack against Ukraine on March 22. Hegel said “confidently” that he had been able to attribute the attack to a group linked to the Chinese military by examining “the command and control servers” that the hackers’ malware is connected with, as well as the technique used to deliver it into Ukrainian systems.

Analysts have been perplexed by the failure of hackers to dismantle the technology behind Ukraine’s infrastructure, particularly given that the power grid suffered a powerful attack in 2015 and that government websites were compromised in January, five weeks before the invasion began.

The answer lies, at least in part, in the West beefing up support for the country’s defences as US intelligence warned that an invasion was imminent. In October the US sent private Silicon Valley contractors and soldiers from Army Cyber Command to Ukraine to bolster the country’s cyberdefences. They were withdrawn in January as countries pulled diplomatic and military staff out of the country.

A spokesman for the SBU press office said it had not shared any official information with The Times and said that no investigation was under way.
