CIA allegedly has been hacking Chinese organizations since 2008


The CIA-linked hacking group APT-C-39 has been conducting cyberespionage attacks against Chinese organizations for the past 11 years, according to the Chinese security vendor Qihoo 360. The targets include aviation organizations, scientific research institutions, the petroleum industry, Internet companies, and government agencies, the firm says.

According to the report, these cyberattacks were carried out between September 2008 and June 2019, and most of the targets were located in Beijing, Guangdong, and Zhejiang.

"We speculate that in the past eleven years of infiltration attacks, CIA may have already grasped the most classified business information of China, even of many other countries in the world. It does not even rule out the possibility that now CIA is able to track down the real-time global flight status, passenger information, trade freight and other related information," Qihoo 360 said.

The claims made by the cybersecurity firm are based on the connection between the malware used in APT-C-39's hacking campaigns (namely the Fluxwire backdoor and the Grasshopper malware builder) and the "Vault 7" hacking tools developed by the CIA. The existence of these tools came to light in 2017, when the massive cyber weapon collection named "Vault 7" was published by the whistleblower website WikiLeaks, which received the archive from former CIA employee Joshua Adam Schulte. In 2016, Schulte, using his admin privileges, stole the classified Vault 7 documents and handed them to WikiLeaks. In 2018, he was arrested and prosecuted by the U.S. Department of Justice for the Vault 7 leaks.

“Joshua's personal experience and leaked materials provided us with important clues, and the fact that Vault 7 was developed by Joshua and the prosecution on the court all point to the conclusion that APT-C-39 is affiliated with CIA,” the Chinese firm claims.

The researchers also said that “technical details of most of the samples are consistent with the ones in the Vault 7 document, such as control commands, compile pdb paths, encryption schemes,” which they take as further evidence that the APT-C-39 group has ties to the CIA.

Additionally, the firm claims that the group used the Fluxwire backdoor from the Vault 7 toolset in attacks in China as early as 2010, long before the Vault 7 leak. APT-C-39 also allegedly used NSA-associated hacking tools, such as the WISTFULTOLL attack plugin, which was used in an attack against a large Internet company in China in 2011.

“At the same time, in the CIA confidential documents uncovered by WikiLeaks, it was confirmed that the NSA assisted the CIA in developing cyber weapons, which is also a side-by-side evidence of the association between the APT-C-39 and U.S. intelligence agencies,” Qihoo says.

“Taken together with the above technical analysis and digital evidence, we have every reason to believe that the APT-C-39 is affiliated with the United States and is involved in the attack spree by U.S. intelligence agencies. In particular, in the course of the investigation and analysis, Qihoo 360 data have shown that the cyber-weapons used by the organization and the cyber weapons described in the CIA Vault 7 project are almost identical. The CIA Vault 7 weapons show from the side that the United States has built the world's largest cyber weapons arsenal. It has not only brought a serious threat to global network security, but also demonstrates the APT organization's high technical capabilities and professional standards,” the firm concluded.