Pierluigi Paganini March 04, 2020

Chinese security firm Qihoo 360 revealed that the US CIA has hacked Chinese organizations in various sectors for the last 11 years.

Chinese security firm Qihoo 360 is accusing that the US Central Intelligence Agency (CIA) of having hacked Chinese organizations for the last 11 years. According to the firm, the US cyber spies are targeting various industry sectors and government agencies.

The Qihoo 360 experts claim that a CIA hacking unit tracked as APT-C-39 has hacked organizations in the aviation, scientific research, oil, technology industries, it also targeted government agencies.

“Qihoo 360 discovered and revealed cyber-attacks by the CIA hacking group (APT-C-39) which lasts for eleven years against China.” reads the report published by the security firm. “Several industry sectors have been targeted including aviation organizations, scientific research institutions, petroleum industry, Internet companies, and government agencies.”

The US-linked hackers targeted the Chinese organizations between September 2008 and June 2019.

The experts claim that US intelligence has stolen classified business information from organizations worldwide for more than a decade, including Chinese companies.

“In fact, long-term and targeted intelligence-gathering with careful strategic deployment and large amount of resource investment are common activities of CIA. We speculate that in the past eleven years of infiltration attacks, CIA may have already grasped the most classified business information of China, even of many other countries in the world,” reads the report published by Qihoo 360.

“It does not even rule out the possibility that now CIA is able to track down the real-time global flight status, passenger information, trade freight and other related information If the guess is true, what unexpected things will CIA do if it has such confidential and important information? Get important figures‘ travel itinerary, and then pose political threats, or military suppression?”

Qihoo 360 was able to link the CIA to the NSA agency, and it identified the CIA former agent Joshua Adam Schulte as a key individual in the CIA operations.

Experts noticed that some of the cyber weapons used by CIA agents belong to the arsenal of the NSA.

Schulte worked for the NSA for five months in 2010 as a systems engineer, after this experience, he joined the CIA as a software engineer and he left the CIA in November 2016. Schulte was identified a few days after WikiLeaks started leaking the precious dumps.

Schulte was arrested for possession of child pornography, he was charged on three counts of receipt, possession and transportation of child pornography in August 2017.

The man was released in September 2017, but in December he was arrested again for violating the conditions of his release.

In November 2018, Joshua Adam Schulte faced new charges included in a new indictment filed in Manhattan federal court, he was charged with the unlawful transmission and attempted unlawful transmission of national defense secrets from prison.

Qihoo 360 said that the former CIA agent served at the National Clandestine Service (NCS) as a Directorate of Sience and Technology (DS&T) Intelligence Officer.

The National Clandestine Service (NCS) or the Directorate of Operations (DO) serves as the clandestine arm of the Central Intelligence Agency (CIA) and the national authority for the coordination, de-confliction, and evaluation of clandestine operations across the Intelligence Community of the United States.

In 2016, Joshua stole the classified documents of Vault 7 and passed them to WikiLeaks, which published the precious dump on Wikileaks in 2017.

On February 4, 2020, at a public hearing in the federal court, the federal prosecutor confirmed that the man was responsible for “the single biggest leak of classified national defense information in the history of CIA.”

Qihoo 360 said that leaked materials they collected reveal that Vault 7 was developed by Joshua and that APT-C -39 a CIA-linked hacking unit.

The Chinese security firm also adds that the APT-C-39 hacking group employed several Vault 7 tools in its operations, including the Fluxwire backdoor, and the Grasshopper malware builder.

Qihoo 360 reported that technical details of most implants used by the APT-C-39 are consistent with the ones described in the Vault 7 dump. Experts added that APT-C-39 used relevant cyber weapons against targets in China before the leak of Vault 7 documents.

The Chinese researchers also discovered that the WISTFULTOOL data plugin was used in an attack against a large Internet company in China in 2011.

Summarizing the evidence collected by the Chinese security firm:

The related evidence is listed below:

• Evidence 1: APT-C-39 uses massive exclusive cyber weapons in the CIA’s Vault 7 project
• Evidence 2: The technical details of most samples of the APT-C-39 are consistent with the ones described in the Vault 7 documents
• Evidence 3: Before the Vault 7 cyber weapon was disclosed by WikiLeaks, the APT-C-39 already used relevant cyber weapons against targets in China
• Evidence 4: Some attack weapons used by the APT-C-39 are associated with the NSA
• Evidence 5: APT-C-39 group’s weapons compilation time is located in the U.S. time zone

Qihoo 360′ findings are consistent with the results of the analysis carried out by other cybersecurity firms, such as Kaspersky and Symantec, that tracked the CIA hacking unit as Lamberts and Longhorn, respectively.

Pierluigi Paganini

(SecurityAffairs – hacking, CIA)

[adrotate banner=”5″]

[adrotate banner=”13″]