By F. Michael Maloof
WASHINGTON – A major Chinese telecommunications company has been boasting how it was able to hack into U.S. and international telecommunications networks and intercept what it suggested was "malicious" data.
The claim was made at a conference held in Dubai in February by officials with the Chinese firm Huawei Technologies Co. Ltd., and left specialists who attended the seminar alarmed.
They told WND that's because while Huawei may consider the data "malicious," the act of intercepting and extracting data means the Chinese company also could steal sensitive information or even alter the function of computer systems where the company's products are installed.
Huawei, which is tied to the Chinese People's Liberation Army, displayed in a PowerPoint-type presentation that it had capabilities in "in-depth traffic analysis to enhance network control," which a WND source who attended the conference said meant that it could intercept data and collect it.
The event was the Intelligence Support Systems (ISS) World Middle East and African Law Enforcement, Intelligence and Homeland Security conference in the United Arab Emirates earlier this year.
There, sources report, Huawei readily admitted that it was undertaking such data interception and collection.
The ISS conference is an annual gathering of Middle East and African law enforcement, intelligence and homeland security telecom operators responsible for "lawful interception, electronic investigations and network intelligence gathering," according to the ISS agenda. A similar event is scheduled from March 4-6, 2013, also in Dubai.
In its presentation, Huawei said that it had this capability using a particular technology called Deep Packet Inspection, or DPI.
DPI is the key technology in high capacity data interception and mining, according to the WND source who asked not to be named but attended the Huawei briefing.
WND has obtained a copy of Huawei's DPI briefing.
While Huawei's presentation of its DPI capability was meant to show how it protected Huawei-equipped networks by detecting malicious code, sources said that the very same technology "can be very effectively used to conduct widespread industrial espionage and breach national telecommunications security."
Huawei reportedly has operations in some 140 countries and serves 45 of the world's 50 largest telecom operators. It is the second largest supplier of mobile telecommunications infrastructure equipment in the world after Ericsson. It also has a subsidiary in the United States, located in Herndon, Va.
The magnitude of its operations worldwide has alarmed national security specialists who say that Huawei's covert capability to remotely access communications technology sold to the United States and other Western countries could disable a country's telecommunications infrastructure before a military engagement.
The Chinese government through the company's "electronic backdoors" of telecommunications networks has the ability to exploit networks to steal technology and trade secrets or even to sabotage electronic devices, according to various sources.
With this capability, China would be in a position to sabotage critical U.S. weapons systems and sensitive cyber sites, all of which could include intelligence or systems used by defense contractors doing work on behalf of the Department of Defense or the U.S. intelligence community.
Experts say that DPI generally is a restricted technology because it is so pervasive. It operates at what experts call "line speeds" of up to multiples of 10 gigabytes per second and can "read" every packet in a data stream.
"Once you have access to every piece of data in a data stream," the WND source said, "you can do literally anything with it. You can copy it, you can restrict it, you can control it – all at line speed – without any degradation of the signal.
"The challenge really is dealing with the volume of traffic in high speed links but, with advanced software, folks managing DPI appliances in networks have the capability of using advanced techniques such as protocol identification to strip out the stuff they want," the source added. "When I say 'strip out,' in the Chinese sense, I mean intercept and copy."
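The "protocol identification" the source describes is the core of any DPI appliance, and it is the same technique network defenders use in intrusion-detection tooling. As an added example that is not part of the article or of Huawei's presentation, the Python below classifies a flow from its first payload bytes rather than its port number and pulls out the field a DPI system would index on (the TLS server name from the ClientHello SNI extension, or the HTTP Host header). The ClientHello builder, the sample flows and the hostnames are constructed for the demonstration; truncated records fail closed as "unknown" rather than crashing the classifier.

```python
import struct
from collections import Counter

# Added example, not from the article: a minimal DPI-style protocol
# classifier that looks into the first payload bytes of a flow, the way
# "protocol identification" in a DPI appliance does. Every packet below is
# constructed here for the demonstration.

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)                 # client_version + random
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _need(payload: bytes, pos: int, n: int) -> None:
    """Raise if fewer than n bytes remain, so truncated packets fail closed."""
    if pos + n > len(payload):
        raise ValueError("truncated")


def parse_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None if not one."""
    try:
        _need(payload, 0, 6)
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 9 + 2 + 32                       # record hdr, handshake hdr, version, random
        _need(payload, pos, 1)
        pos += 1 + payload[pos]                # session id
        _need(payload, pos, 2)
        pos += 2 + int.from_bytes(payload[pos:pos + 2], "big")   # cipher suites
        _need(payload, pos, 1)
        pos += 1 + payload[pos]                # compression methods
        _need(payload, pos, 2)
        end = pos + 2 + int.from_bytes(payload[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            _need(payload, pos, 4)
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                _need(payload, pos, 5)
                name_len = int.from_bytes(payload[pos + 3:pos + 5], "big")
                _need(payload, pos + 5, name_len)
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except ValueError:
        return None
    return None


def identify_protocol(payload: bytes) -> dict:
    """Classify one flow's first payload by content, not by port."""
    if payload.startswith(b"SSH-"):
        banner = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"proto": "ssh", "detail": banner}
    if payload.split(b" ", 1)[0] in HTTP_METHODS and b"\r\n" in payload:
        host = None
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii", "replace")
                break
        return {"proto": "http", "detail": host}
    sni = parse_sni(payload)
    if sni is not None:
        return {"proto": "tls", "detail": sni}
    return {"proto": "unknown", "detail": None}


# Constructed sample flows: one each of TLS, HTTP, SSH, and an opaque binary.
SAMPLE_PAYLOADS = [
    build_client_hello("mail.example.com"),
    b"GET /portal HTTP/1.1\r\nHost: intranet.example.com\r\nUser-Agent: x\r\n\r\n",
    b"SSH-2.0-ExampleSSH_1.0\r\n",
    b"\x00\x01\x02\x03",
]


def summarize(payloads) -> dict:
    """Count flows per identified protocol, as a DPI dashboard would."""
    return dict(Counter(identify_protocol(p)["proto"] for p in payloads))


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(identify_protocol(p))
    print(summarize(SAMPLE_PAYLOADS))
```

Only the handful of bytes needed for classification are parsed, which is why real DPI engines can keep up with line rate: the rest of the flow is forwarded, mirrored or dropped according to the label, and the label itself (here a hostname) is what gets logged. A defender who wants to know what a DPI-capable device on their network can see should assume it sees at least this much of every unencrypted flow and of every TLS handshake.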
Huawei's DPI presentation also referred to detecting and controlling "illegal applications" and referred to "VPNs" as an example.
VPNs are a traditional way that users can bypass content security measures and provide secure access to corporate and government networks.
The Huawei DPI presentation also referred to identifying and restricting URLs, or uniform resource locators, in which it can see and control everything that a computer user looks at online.
While the DPI brief referred to "porn, illegal, violent (sic) and gambling" as URLs that Huawei can block, the source said the company was "very clearly using that capability" for its own activities and, once the technology is deployed, these applications can be remotely accessed.
"So, a network that (Huawei) monitors potentially without the carrier's knowledge in South America, Malaysia, Indonesia, Saudi Arabia, Botswana or even Virginia can be remotely and surreptitiously monitored and potentially controlled," the source said.
Huawei also referred to the mundane term "traffic mirroring," which the source said is "plain and simple data interception."
Because Huawei is involved in mirroring, that is, in intercepting data, the source added that if the Chinese company can routinely do such mirroring remotely, then any network that contains Huawei equipment would by extension be capable of this activity.
In this regard, the source said he and his company were tasked with doing a major network assessment for a country's telecommunications system.
During that assessment, the source said, "undocumented administrator accounts" were inadvertently discovered in all of the Huawei core network routers.
When equipment is shipped, the source said, it comes with default passwords and these are usually changed to unique company standards.
As part of the source's "assessment procedure," the source checked and ran a non-standard routine to identify all of the user accounts, and that was "how we inadvertently discovered the second and undocumented administrator accounts and took 'screen shots' to record their existence."
When the team went back to examine the undocumented administrator accounts again, "they all mysteriously disappeared – with no trace in the router logs as to how it happened."
Rather than a "simple network security issue," the source said he and his security consultant team began to realize that "this was much more of a national security issue."
The source said that the undocumented administrator accounts had been "mysteriously erased, we suspected remotely, as nothing was showing in the router logs to indicate how it happened or that they ever existed in the first place."
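The source's ad hoc check can be made a repeatable control: enumerate every local account on a device, compare the list to the documented baseline, diff successive snapshots, and demand that each account change be explained by an audit-log entry. The Python below does that; it is an added example, not from the article, and its configuration syntax, account names, approved list and log lines are constructed, vendor-neutral samples rather than Huawei's actual CLI format or any real device output.

```python
import re

# Added example, not from the article: a configuration-audit routine of the
# kind the source describes. Config syntax, account names and log lines are
# constructed, vendor-neutral samples, not Huawei's real format.

APPROVED_ACCOUNTS = {"netops", "backup-admin"}   # documented accounts for this device

# Constructed snapshot taken during the assessment (an extra account is present).
SNAPSHOT_DAY1 = """\
sysname core-rtr-01
local-user netops privilege level 15
local-user backup-admin privilege level 15
local-user svc_maint privilege level 15
"""

# Constructed snapshot taken on the follow-up visit (the extra account is gone).
SNAPSHOT_DAY2 = """\
sysname core-rtr-01
local-user netops privilege level 15
local-user backup-admin privilege level 15
"""

# Constructed audit-log lines for the same device covering the interval.
# A legitimate account change would appear as an ACCOUNT event naming the user.
AUDIT_LOG = [
    "2012-06-01T02:11:05 core-rtr-01 CONFIG user=netops action=commit target=interface",
    "2012-06-01T09:40:12 core-rtr-01 LOGIN user=backup-admin src=10.0.0.5 result=ok",
]

ACCOUNT_RE = re.compile(r"^local-user\s+(\S+)\s+privilege\s+level\s+(\d+)\s*$", re.M)


def extract_accounts(config_text: str) -> dict:
    """Return {username: privilege level} for every local account in the config."""
    return {m.group(1): int(m.group(2)) for m in ACCOUNT_RE.finditer(config_text)}


def compare_to_baseline(accounts: dict, approved: set) -> dict:
    """Flag accounts that are not documented, and documented ones that are absent."""
    names = set(accounts)
    return {"undocumented": sorted(names - approved),
            "missing": sorted(approved - names)}


def account_changes(before: dict, after: dict) -> dict:
    """Diff two snapshots of the account table."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after))}


def unexplained_changes(changes: dict, log_lines: list) -> list:
    """Return account adds/removes that no ACCOUNT log event accounts for."""
    findings = []
    for kind in ("added", "removed"):
        for name in changes[kind]:
            explained = any(" ACCOUNT " in line and f"user={name}" in line
                            for line in log_lines)
            if not explained:
                findings.append(f"{kind}:{name}")
    return findings


def run_audit(before_cfg: str, after_cfg: str, approved: set, log_lines: list) -> dict:
    """Full audit: baseline comparison of each snapshot plus an explained-change check."""
    before, after = extract_accounts(before_cfg), extract_accounts(after_cfg)
    changes = account_changes(before, after)
    return {
        "baseline_before": compare_to_baseline(before, approved),
        "baseline_after": compare_to_baseline(after, approved),
        "changes": changes,
        "unexplained": unexplained_changes(changes, log_lines),
    }


if __name__ == "__main__":
    result = run_audit(SNAPSHOT_DAY1, SNAPSHOT_DAY2, APPROVED_ACCOUNTS, AUDIT_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed snapshots, the audit reports `svc_maint` as undocumented on day one and as an unexplained removal on day two, which is exactly the pattern the source describes: an account that exists, is then gone, and leaves nothing in the device's own logs. The important design choice is that the snapshots and the log copy are taken off-box, so that a device whose logs can be altered remotely cannot also erase the evidence of the comparison.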
He said that Huawei has special teams of Chinese engineers who fly in, often in chartered jets, when a network experiences "certain technical problems," and that the network equipment is never allowed to be examined or fixed locally.
The source said that such technology also could be used to intercept communications in intercontinental undersea cables deployed at 3,000 meters (9,843 feet) under the sea.
He said that Huawei Marine, which is rolling out thousands of miles of intercontinental communications cable beneath the seas, complete with deep-sea fiber optic boosters every 50 miles, can very easily conduct covert, DPI surveillance, entirely undetected.
"Embedding these capabilities in any network means…(that) they can then intercept and control those networks in any way they like," the source said. "I am so worried about Chinese cyber warfare threats, their abilities to monitor and remotely shut down international communications networks, including critical infrastructure networks in Western countries."
"Forget just looking for malicious code," he said. "They could just as easily identify encrypted missile launch commands, radar and defense communications, critical infrastructure command and control networks and while they may not be able to necessarily decrypt and control them, being able to block them in networks is almost as effective as a cyber-warfare strategy."
The source also was quick to point out that many critical infrastructure networks are not encrypted and operate openly.
As WND has previously reported, U.S. government agencies seem unprepared to confront the cyber war China apparently is planning against the U.S., even though U.S. government officials and members of Congress have known about this potential for at least four years.
Last March, a report prepared by the U.S. defense aerospace company Northrop Grumman Corp. for the congressional U.S.-China Economic and Security Review Commission warned that the Chinese military, through its large Chinese telecommunications firms, has created an avenue for state-sponsored and state-directed penetrations of supply chains for electronics supporting U.S. military, government and civilian industry.
"Successful penetration of a supply chain such as that for the telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety," the report said.
"Potential effects include providing an adversary with capabilities to gain covert access and monitoring of sensitive systems, to degrade a system's mission effectiveness, or to insert false information or instructions that could cause premature failure or complete remote control or destruction of the targeted system."
The report, titled "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage," said that many of the findings actually came from Chinese source materials including authoritative PLA publications.
The report specifically had singled out Huawei and ZTE Corp. as examples of high technology companies the Chinese government could use to enter remotely into telecommunications systems and computers linked to them to gain undetected access to sensitive data.
"Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to U.S. military operations in the event of a conflict," the congressional report said. "PLA analysts consistently identify logistics and C4ISR infrastructure as U.S. strategic centers of gravity suggesting that PLA commanders will almost certainly attempt to target these systems with both electronic countermeasure weapons and network attack and exploitation tools, likely in advance of actual combat to delay U.S. entry or degrade capabilities in a conflict."
The C4ISR infrastructure referred to in the congressional report is command, control, communications, intelligence, surveillance and reconnaissance.
Sources report that the giant telecommunications companies Huawei and ZTE would give the PLA such access.
The problem for the U.S. is that the effects of preemptive penetrations may not be readily detectable until after combat has begun.
"Even if circumstantial evidence points to China as the culprit," the report said, "no policy currently exists to easily determine appropriate response options to a large scale attack on U.S. military or civilian networks in which definitive attribution is lacking. Beijing, understanding this, may seek to exploit this gray area in U.S. policymaking and legal frameworks to create delays in U.S. command decision making."
The report also detailed the potential risks to the U.S. telecommunications supply chain in which hardware is exposed to innumerable points of possible tampering and must rely on rigorous and often expensive testing to ensure that the semiconductors being delivered are trustworthy and will perform properly.
Such components obtained from China through U.S. defense contractors, however, often are untested, raising the high prospect of compromising U.S. systems and being virtually undetectable as to the origin of the defect.
These developments strongly suggest that no policy exists on this growing problem of electronic backdoor espionage at the hands principally of the Chinese, sources say, even though the U.S. government has been aware of the issue for some time.
In 2013 defense budget legislation, a House Armed Services subcommittee recently introduced language to require a search of all U.S. nuclear weapons arsenals and infrastructure to remove products from such Chinese companies as Huawei and ZTE, which similarly is under Chinese PLA influence, that can introduce electronic backdoors or code for espionage or even sabotage.
Earlier this year Michael Gilmore, Pentagon director of Operational Test and Evaluation, said that the Defense Department's ability to halt cyber attacks, for example by using backup files and systems, proper audit logging and effective use of anti-virus tools and software, has declined, due primarily to budget cutbacks.
Word about Huawei's capabilities in the remote access of telecommunications systems almost anywhere in the world for purposes of espionage or even electronic sabotage comes on the heels of recent WND revelations that China also has been manufacturing counterfeit components that have made their way into sensitive U.S. weapons systems.
The problem of fake Chinese electronic components, which were installed by defense contractors without prior testing and are operating in U.S. military systems, is far more widespread than originally thought.
Fake electronic components from China have been discovered in thermal weapons sights delivered to the U.S. Army, on mission computers for the Missile Defense Agency's Terminal High Altitude Area Defense, or THAAD, missiles and on military aircraft, including several models of helicopters and the P-8A Poseidon, U.S. Senate investigators revealed.
Suspected fake electronic parts were found in the Forward Looking InfraRed, or FLIR, Systems being used on the Navy's SH-60-B, which were delivered by Raytheon, which alerted the Navy.
Senate investigators tracked some 1,800 cases of suspected counterfeit parts through the supply chain. They found that U.S. defense contractors had purchased many of the critical components from U.S. companies which in turn obtained them from Chinese firms but never subjected them to testing before handing them over to the U.S. military as part of their contract.
U.S. military aircraft affected by counterfeit parts include the SH-60B, AH-64 and CH-46 helicopters, as well as the C-17, C-27J and C-130J cargo aircraft and P-8A Poseidon aircraft.
In one case, the U.S. Air Force had reported that more than 84,000 counterfeit electronic parts had been purchased from Hong Dark which "entered the DOD supply chain and many of these parts have been installed on DOD aircraft," the Senate report said.
Senate investigators said that these counterfeit parts are driving up defense costs, in addition to compromising safety and national security.
And another report said the issue appears to be connected to "unvetted independent distributors who supply electronic parts for critical military applications."
F. Michael Maloof, staff writer for WND's G2Bulletin, is a former senior security policy analyst in the Office of the Secretary of Defense. He can be contacted at [email protected]