China’s peak security agency has directed a surge in cyber attacks on Australian companies over the past year, breaching an agreement struck between Premier Li Keqiang and former prime minister Malcolm Turnbull not to steal each other’s commercial secrets.
A Fairfax Media/Nine News investigation has confirmed that China’s Ministry of State Security is responsible for what is known in cyber circles as "Operation Cloud Hopper", a wave of attacks detected by Australia and its partners in the Five Eyes intelligence sharing alliance.
A senior Australian government source described China’s activity as "a constant, significant effort to steal our intellectual property".
The cyber theft places intense pressure on the Morrison government to respond either via law enforcement, diplomatic channels or public advocacy, in order to uphold the cyber security pact signed between the two countries only last year.
The US Department of Justice has ramped up its investigation and prosecution of Chinese cyber hackers this year, and over the weekend US Vice-President Mike Pence again accused China of "intellectual property theft" as part of an escalating trade and strategic battle with Beijing.
The Australian Federal Police and Australian Security Intelligence Organisation have stepped up their co-operation to respond to the threat, according to a senior police source, although they are many months behind the US operation.
Without enforcement, there was no effective deterrence, one national security source said.
Other sources said the Australian Signals Directorate had detected attacks against several Western businesses, although the names of the affected firms have not been made public. The ASD works with the other Five Eyes countries – the US, Canada, Britain and New Zealand – on cyber security issues.
A spokesman for the federal government said Australia condemned the cyber-enabled theft of intellectual property for commercial gain from any country.
"The Coalition government has been active in strengthening Australia’s capability to detect and respond to cyber enabled threats and is committed to ensuring businesses and the Australian community are resilient to cyber-attacks," the spokesman said.
One major irritation, raised by several police and intelligence officials, was that Australian companies and universities failed to heed repeated warnings to harden their security against both criminals and attacks directed by nation states.
These state actors are called advanced persistent threats because they work over months or years, adapt to defences and often strike the same victim multiple times. One of the most active Chinese adversaries has been dubbed "APT10", while "Cloud Hopper" refers to the technique used by this group as they "hop" from cloud storage services into a company’s IT system.
In this case the Chinese hackers penetrated poorly secured IT service providers, to which Australian firms had outsourced their IT. The targets include cloud storage companies and helpdesk firms in North America and Asia. The initial penetration by the Cloud Hopper team allowed the hackers to enter the IT systems of Australian companies.
Adrian Nish, BAE Systems’ Head of Threat Intelligence, said the APT10/Cloud Hopper attacks had focussed on the mining, engineering and professional service companies.
"It is still active. We have evidence of [Cloud Hopper] again actively compromising managed service providers," he said.
The theft of intellectual property is part of China’s broader industrial policy to match the US’s technological edge by 2025. The theft can shorten the research and development process and potentially give Chinese companies a crucial market edge. They can also acquire sensitive information around pricing and corporate activity.
A national security official said the Turnbull-Li agreement had initially led to a significant reduction in cyber espionage from China. The US experienced a comparable drop-off in attacks after former President Barack Obama struck a similar agreement with Chinese President Xi Jinping in 2015.
A former senior Government official familiar with the cyber security agreement said: "The way these things usually go with the Chinese is they behave themselves for a while before they go back to being bad".
The attacks on Australian firms since the start of this year, including Cloud Hopper activity, showed the bilateral agreement was being ignored, according to officials.
Security officials and cyber experts, including Mike Sentonas a vice-president at US firm CrowdStrike, have linked the Cloud Hopper hackers to the Ministry of State Security.
"We noticed a significant increase in attacks in the first six months of this year. The activity is mainly from China and it's targeting all sectors," he said.
"There’s no doubt the gloves are off."
He said there had been a drop off in China’s global hacking operations after the Xi-Obama deal.
Dr Nish from BAE, who has published the most comprehensive report on Cloud Hopper, said he discovered that attacks on multiple clients appeared to be part of the same campaign of "espionage activity".
"It was clear it was a much bigger campaign," Dr Nish said.
BAE referred it to the UK’s National Cyber Security Centre, who referred it to their Australian counterparts at ASD. While Dr Nish declined to confirm the Cloud Hopper attack was directed by Chinese intelligence services, he said there was "no reason to doubt" those who claimed it was.
He said that while outsourcing IT functions was a sensible business decision, Australian firms needed to ask "tough questions" of managed service providers. Some providers offered cheaper IT services because they scrimped on their own security, effectively allowing a backdoor into their clients' IT systems.
In October, the US Department of Justice provided a case study on Chinese hacking within a 21-page indictment naming the MSS and accusing the MSS and its provincial counterparts of hacking an Australian domain name provider in order to access computer systems at aviation companies in the United States and Europe.
Under direction from the MSS, the hackers are accused of either creating fake domain names or redirecting existing domain names to malicious addresses.
The MSS is headquartered in Beijing but has extensive provincial operations and is regarded by western intelligence services as a sophisticated outfit able to combine human intelligence with the advanced cyber capabilities.
Previously, Unit 61398 of the People’s Liberation Army was viewed as the main vehicle for China’s efforts to steal commercial secrets after being named by cyber security firm Mandiant in 2014.
But since a reorganisation of China’s armed forces in 2015, the PLA cyber units are believed to have refocused on military and political intelligence, leaving commercial espionage to the MSS.
Nick McKenzie is an investigative reporter for The Age. He's won seven Walkley awards and covers politics, business, foreign affairs and defence, human rights issues, the criminal justice system and social affairs.
Angus Grigg writes on News specialising in Asia, World, Trade. Based in our Shanghai newsroom, Angus is a two-time Walkey Award winner with over 15 years experience as a journalist.