"I don't have any secrets," Rose Tang says, defiantly. Ms. Tang survived the Tiananmen Square massacre as a 20-year-old college student, and she continues to be outspoken against the Chinese government. But she still found it unnerving when Google contacted her recently to say someone else had tried to access her Gmail account.
"It's psychological warfare," says Tang, who now lives in New York City, and blames elements within the Chinese government for attempting to hack her e-mail. "It's a very uneasy feeling, that you do not know if and when Big Brother is watching you and when and how he is going to punish you."
Cybersecurity has been a major focus during President Xi Jinping's visit this week to the US. Indeed, the Chinese government, military, and business entities have been the chief suspects in a string of recent hacks, including the massive Office of Personnel Management breach. On Friday at the White House, President Obama and President Xi jointly announced they've come to an agreement that neither country would intentionally back cyberespionage for the purpose of stealing trade secrets.
But even though China's suspected hacks on US businesses have received the most attention, many US-based organizations that focus on Chinese issues such as human rights also say they are under near constant digital assault. And while the attacks can be difficult to trace with certainty, they say all signs point to the Chinese government.
"There's always something, all the time,” Nathan Freitas explains. Mr. Freitas founded the Guardian Project, which creates secure mobile phone applications for journalists and activists working in high-risk situations – including many organizations focused on human rights in China.
The Guardian Project is under regular attack, according to Freitas – everything from “spear phishing” e-mails that purport to be from a legitimate source but contain malware to Distributed Denial of Service (DDoS) attacks that attempt to overload web servers with malicious traffic. Large DDoS attacks usually only happen around major events such as a software update, Freitas says. But the most damaging attacks come in phony e-mails.
These so-called “spear phishing” e-mails can be incredibly sophisticated, but they’re based on decades-old social engineering techniques. The goal is to get a target to trust an e-mail and its contents so they click on a link or open an attachment. Once they do, the e-mail installs software on the target system that can give hackers near total control. From there, an attacker can alter files, delete information or simply surveil passively.
The sheer volume of phishing e-mails received by many nongovernmental organizations that do work in China means that many are automated, according to Engin Kirda, director of Northeastern University’s Information Assurance Institute. He was part of a team of researchers that uncovered long-running spear-phishing attacks aimed at the World Uyghur Congress – a group that advocates self-determination for China’s Uyghur minority. The researchers examined more than 1,000 emails sent between 2009 and 2013.
Automated phishing e-mails go out to a range of targets the hackers are interested in, according to Mr. Kirda. Once someone accidentally clicks a link or opens an attachment, the malware connects back to a command and control server and starts populating a database. From there, it’s available whenever the attackers need it. With such easy automation and cheap storage, attackers have every incentive to compromise as many targets as possible.
"Collecting the information today is cheap, it's fast, you can come up with ways of storing it and looking at the data efficiently.... So I don't think it's a big issue for them," Kirda says. "They're more interested in just collecting it, because at some point it might be useful for them."
Spear phishing is an especially successful attacks method against NGOs, according to Freitas, because the nature of their work means that their leaders must be publicly visible and accessible.
As executive director of the NGO Human Rights in China, Sharon Hom is well acquainted with hacking attempts. "Spear phishing, targeted malware attacks delivered through social engineering vectors, DDoS attacks on our website – we have experienced all of them,” Ms. Hom says.
Still, she is especially concerned by attacks on developers like the Guardian Project. Organizations like hers rely on developers to provide them with secure, trusted software. If hackers compromise those apps, Hom says, it could have ripple effects well beyond a single target or group.
The increasing sophistication of the cyberattacks hitting her organization is also troubling, she said. It's part of what she describes as a broader crackdown on civil society organizations. Indeed, Mr. Xi’s National Security Commission recently proposed a law that experts say would severely hamper foreign and domestic NGOs and endanger human rights workers.
"I think it's important to put cyberattacks within the broader focus that, across the board right now, everyone is facing increased pressure and tighter controls," Hom explains.
At a policy speech in Seattle on Tuesday, Xi addressed criticisms over China’s alleged cyberattacks and the new NGO law head-on.
"The international community should, on the basis of mutual respect and mutual trust, work together to build a peaceful, secure, open, and cooperative cyberspace,” Xi told the crowd of businesspeople and dignitaries, after flatly denying US accusations that his government engages in commercial espionage.
Moments later, Xi said China “recognizes the positive role played by foreign nonprofit organizations."
It is difficult to trace cyberattacks on activists and NGOs directly to the Chinese government. "One of the biggest issues in this domain is that there is no scientific way of doing attack attribution," explains Kirda, the computer scientist at Northeastern University.
Still, circumstantial evidence is piling up. In June, the University of Toronto’s Citizen Lab published details of strikingly similar attacks against Tibetan NGOs and pro-democracy groups in Hong Kong. Security researchers at FireEye have also documented similar attacks aimed at both Taiwanese government officials and a Tibetan academic. And cyberattacks on Gmail accounts belonging to human-rights advocates in China, the US, and Europe helped prompt Google to pull Google.cn and stop censoring its search results in 2010.
Lhadon Tethong is trying to stem that tide. The organization she directs, Tibet Action Institute, runs digital security training for Tibetan communities in India and works to raise awareness about digital hygiene practices. The group’s “Detach from Attachments” campaign encourages Tibet activists not to open unexpected email attachments, and to use alternatives like Google Drive or Dropbox when possible.
It’s a message formed out of the Tibetan community’s decade of experience with targeted spear phishing attacks. But Ms. Tethong is convinced anyone can learn and apply these security practices.
“In the digital security world, there's a lot of gloom and doom and a lot of people who want to spin the story as, 'There's nothing you can do to protect yourself. If the hackers want to get at you, they'll find a way.'” Tethong says. “We reject that idea. There are a lot of really simple human behaviors and basic tactics that people can employ to make themselves safer online.”