Chinese government operatives allegedly targeted South Africa’s defence and maritime research sectors as part of what the US claims was an international hacking campaign aimed at stealing trade secrets, including about the Ebola virus.

The Chinese embassy in South Africa, however, has pointed a finger back at the US, accusing it of being the most prolific hacker targeting China.

This leaves South Africa in the middle of high-level cyber espionage claims and counter-claims.

The US flagging China is in addition to it announcing last month that Russian government employees had targeted South Africa as part of two massive hacking campaigns that were aimed at disrupting energy companies and critical infrastructure.

DM168 earlier this month reported that the Federal Bureau of Investigation (FBI) had claimed the hacking would enable “the Russian government to disrupt and damage such systems, if it wished”.

The Russian embassy in SA did not respond to DM168 requests for comment.

US is a ‘hacking empire’

In July 2021, the office of public affairs in the US’s justice department alleged there was hacking “focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes”.

The US alleged South Africa’s maritime and defence sectors were targeted.

This week, the Chinese embassy in South Africa, in response to DM168 queries about America’s claims, turned the table on the US, pointing to it as its biggest cyberhacker.

“China is a staunch defender of cybersecurity and also a major victim of hacking. We stand firmly against and crack down on all forms of cyberattacks and crimes,” it said.

“We are opposed to politicising and stigmatising cybersecurity issues, which is not conducive to resolving hacking issues and will only weaken mutual trust between countries and affect normal cooperation in this sphere.”

The embassy then pointed to the US as being its biggest cyberattacker: “The US is the largest source of cyberattacks targeting China. Data show that in 2020, relevant Chinese institutions captured 42 million malicious program samples,” it said.

“Of those originating overseas, 53% are from the US. The US doesn’t even spare its allies in tapping and surveillance.”

The Chinese embassy listed several examples of alleged US hacking involving figures from other countries. “So who is the real Empire of Hacking?” it asked. “In the face of all the facts and data, anyone with an objective and impartial attitude should be able to come to the right conclusion.”

The US’s claims

In terms of its claims against Russia, the US alleged that hacking activities targeting about 135 countries, including South Africa, occurred from July 2012 to November 2017.

This roughly coincides with the period when the Chinese government is also alleged by the US to have targeted an array of countries (between 2011 and 2018).

In 2015, however, the US and China came to an agreement in relation to cybersecurity.

“The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors,” says a 2015 statement on the White House website.

So, if what the US is alleging about China is true, China broke the agreement. And the reverse is also true if the US hacked China.

In 2016, Wang Xiujun, China’s vice minister of cyberspace administration, referenced South Africa, saying: “We would like to encourage cooperation between Chinese and South African enterprises to push forward the digital development to benefit the people of both countries.”

FBI hunts alleged Chinese hackers

In the China hacking saga, the US’s justice department announced in July last year that the indictment against four accused — Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong — had been unsealed two months earlier. This made some of the documents in the case public.

The four suspects are wanted by the FBI.

“The object of the conspiracy,” the indictment alleged, “was to install malware and hacking tools on protected computers and to leverage such malware and tools to commit unauthorised computer intrusions, all with the goal of stealing information of value from foreign governments, universities, and companies on behalf of the [People’s Republic of China] and its instrumentalities.”

It was alleged that, in November 2017, those behind the campaign had installed malware on a system that a Malaysian political party operated. This was at a time when that party had a role in deciding about a Chinese state-owned enterprise’s bid on a rail contract in Malaysia.

The indictment explained how the hacking allegedly occurred. It said the Hainan Province’s ministry of state security (HSSD) was a provincial intelligence arm of China’s ministry of state security that was “primarily responsible for domestic counterintelligence, non-military foreign intelligence, and aspects of political and domestic security”.

Front company

The indictment alleged that, in 2011, the HSSD had created a front company, Hainan Xiandun Technology Development Co Ltd, described as “a fast-growing high-tech information security company”.

The US, however, believed that the alleged front company employed hackers “who sought to and did steal such data from companies and universities involved in virus and vaccine research of the Ebola virus and maritime research and development.

“Such trade secrets and confidential business included sensitive technologies used for submersibles and autonomous vehicles, speciality chemical formulas, and proprietary genetic-sequencing technology.”

The hackers, the indictment set out, were out to steal data from various governments with the aim of supporting China’s efforts to secure contracts in those targeted countries.

Target countries

“Hainan Xiandun employees, under the direction of HSSD intelligence officers, hacked or attempted to hack dozens of victims in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom, as well as others,” the indictment said.

It was alleged Xiaoyang, Qingmin and Yunmin directed the activities of the front company, as well as those of computer hackers, among them their co-accused, Shurong.

From December 2015 to January 2016, suspects used a specific email account to send spear-phishing emails — that is, emails targeted towards a specific individual, organisation or business that appear to be from a trusted source — “with embedded malware to multiple defence contractors and companies specialising in maritime research and development based in the United States, United Kingdom, South Africa and Austria”.

This was allegedly repeated between July and August 2016.

The US indictment did not name the targeted companies in South Africa.

It said those involved in the hacking “created online legends, such as fictitious online profiles for the spear-phishing email accounts” to make them look more legitimate.

“The conspirators also used doppelganger domain names, which were created to mimic or resemble the domains of legitimate companies, with the intent of tricking unwitting users into clicking on links, as well as hindering identification of intrusions by victim entities,” the indictment claims.

In one of the more bizarre acts, the accused in January 2018 allegedly “sent stolen trade secrets” to GitHub, a development platform and the world’s largest coding community. The secrets were apparently hidden in an image of a koala bear and in another of former US president Donald Trump.

SA is vulnerable

In both cases where the US alleges South Africa was targeted by hackers, the FBI has announced it is searching for suspects.

Three of the four accused in the case involving Russia — Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov — are wanted.

No South African entity has been named in either of the cases.

It is also not clear if South African entities were successfully hacked or simply targeted.

In November last year, DM168 reported on cyberattacks on government entities that had shown how vulnerable South Africa is to cybercriminals and ransomware assaults.

Among those that had been successfully targeted were Transnet and its division that operates South Africa’s biggest ports.

The identities of the hackers behind the attack were never publicly revealed. DM168

This story first appeared in our weekly Daily Maverick 168 newspaper which is available for R25 at Pick n Pay, Exclusive Books and airport bookstores. For your nearest stockist, please click here.