China Accuses U.S. of Hacking Major Encryption Firm, Stealing Sensitive Data


China’s National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) disclosed details of a sophisticated cyberattack against a major Chinese commercial cryptography provider.

The attack, attributed to U.S. intelligence agencies, resulted in significant data theft and demonstrates advanced persistent threat (APT) characteristics with highly targeted objectives focused on cryptographic assets.

Attack Vectors and Infiltration Methodology

The threat actors initially exploited an undisclosed vulnerability in the company’s customer relationship management (CRM) system to establish a foothold within the network infrastructure.

This entry point served as the initial compromise vector, allowing attackers to deploy a specialized Trojan for command and control operations.


The malware implementation bears technical similarities to tools previously linked to U.S. intelligence operations, particularly in its evasion techniques.

The attack methodology mirrors previous incidents documented by CNCERT, where attackers have utilized specialized backdoors and remote access Trojans to establish persistent access.

Similar to the TUTELAGE system documented in intelligence reports, the attackers implemented sophisticated lateral movement techniques to expand their network presence.

A notable aspect of this attack was the operational timing pattern, with peak activity occurring during U.S. working hours, providing temporal evidence supporting attribution.
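As an added illustration of the timing argument above (example code, not part of CNCERT's report), the script below bins constructed C2 beacon timestamps by local hour in two candidate time zones and reports what share of activity falls inside each zone's weekday working hours. Fixed UTC offsets are assumed for simplicity, so daylight-saving shifts are ignored.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of attacker beacon times in UTC (not real indicators).
SAMPLE_EVENTS_UTC = [
    "2024-03-04T14:05:00Z", "2024-03-04T15:40:00Z", "2024-03-04T18:12:00Z",
    "2024-03-04T20:30:00Z", "2024-03-05T13:55:00Z", "2024-03-05T16:20:00Z",
    "2024-03-05T19:45:00Z", "2024-03-05T21:10:00Z", "2024-03-06T02:15:00Z",
    "2024-03-06T14:00:00Z",
]

# Candidate operator time zones as fixed offsets (assumption: no DST handling).
CANDIDATE_ZONES = {"US Eastern (UTC-5)": -5, "China Standard (UTC+8)": 8}

WORK_START, WORK_END = 9, 18  # local 09:00-17:59 counts as working hours


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(ts: str, offset_hours: int) -> datetime:
    return parse_utc(ts).astimezone(timezone(timedelta(hours=offset_hours)))


def working_hours_ratio(events_utc, offset_hours: int) -> float:
    """Fraction of events on a weekday between WORK_START and WORK_END local time."""
    hits = sum(
        1 for ts in events_utc
        if (loc := to_local(ts, offset_hours)).weekday() < 5
        and WORK_START <= loc.hour < WORK_END
    )
    return hits / len(events_utc)


def hourly_histogram(events_utc, offset_hours: int) -> Counter:
    """Count events per local hour; a daytime cluster hints at an operator's schedule."""
    return Counter(to_local(ts, offset_hours).hour for ts in events_utc)


def compare_zones(events_utc, zones=CANDIDATE_ZONES) -> dict:
    """Working-hours share per candidate zone; the highest share is the temporal indicator."""
    return {name: round(working_hours_ratio(events_utc, off), 2) for name, off in zones.items()}


if __name__ == "__main__":
    for name, share in compare_zones(SAMPLE_EVENTS_UTC).items():
        print(f"{name}: {share:.0%} of activity in working hours")
```

Timing evidence of this kind is supporting, not conclusive: operators can schedule tooling to mimic another region's hours, so it should be weighed alongside tool signatures and infrastructure overlaps.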

Data Exfiltration Techniques and Impact Assessment

After establishing control, the threat actors executed a methodical data exfiltration operation utilizing advanced stealth techniques, including frequent IP switching and comprehensive log deletion to avoid detection.

The attackers targeted specific high-value assets within the organization’s infrastructure, methodically moving from the CRM to product management systems and ultimately to the code repository containing proprietary cryptographic implementations.

The impact was substantial, with approximately 950MB of sensitive data compromised, including details of over 600 users, 8,000 customer profiles, and 10,000 contract orders connected to government entities.

More critically, approximately 6.2GB of proprietary cryptographic research and development code was exfiltrated from the organization’s code management system.

This closely resembles techniques documented in the SIGINT ENABLING Project, where cryptographic assets are specifically targeted to undermine security standards.

Attribution Analysis and Strategic Implications

CNCERT’s technical analysis establishes attribution through multiple indicators, including tool signatures consistent with previously identified U.S. intelligence operations.

The attack demonstrates characteristics of state-sponsored cyber espionage, with a specific interest in cryptographic implementations and government-related contracts.

This incident follows a pattern of increasing cyber tensions between China and the U.S., with both countries recently accusing each other of conducting sophisticated cyberattacks against critical infrastructure.

The targeting of encryption technologies parallels previously documented efforts to compromise cryptographic standards, reminiscent of operations like those targeting the Dual_EC_DRBG algorithm.

CNCERT has shared technical indicators of compromise to help organizations worldwide detect and mitigate similar attacks, highlighting the global implications of these sophisticated cyber operations.
