February 25, 2013 by SPIEGEL Staff
Companies like defense giant EADS or steelmaker ThyssenKrupp have become the targets of hacker attacks from China. The digital espionage is creating a problem for relations between Berlin and Beijing, but Chancellor Angela Merkel has shied away from taking firm action.
Very few companies in Europe are as strategically important as the European Aeronautic Defense and Space Company (EADS). It makes the Eurofighter jet, drones, spy satellites, and even the carrier rockets for French nuclear weapons.
Not surprisingly, the German government reacted with alarm last year when EADS managers reported that their company, which has its German administrative headquarters near Munich, was attacked by hackers. The EADS computer network contains secret design plans, aerodynamic calculations and cost estimates, as well as correspondence with the governments in Paris and Berlin. Gaining access to the documents would be like hitting the jackpot for a competitor or a foreign intelligence agency.
The company's digital firewalls have been exposed to attacks by hackers for years. But now company officials say there was "a more conspicuous" attack a few months ago, one that seemed so important to EADS managers that they chose to report it to the German government. Officially, EADS is only confirming there was a "standard attack," and insists that no harm was done.
The attack isn't just embarrassing for the company, which operates in an industry in which trust is very important. It also affects German foreign policy, because the attackers were apparently from a country that has reported spectacular growth rates for years: China.
During a visit to Guangzhou in February 2012, German Chancellor Angela Merkel praised China's success, saying it is something "that can be described as a classic win-win situation."
But the chancellor could be wrong.
For some time now, the relationship between China and the West seems to have been producing one winner and many losers. China is routinely the winner, while the losers are from Germany, France and the United States. They are global companies that are eviscerated by Chinese hackers and learn the painful lesson of how quickly sensitive information can end up in the Far East.
Berlin's Dilemma
The relentless digital attack plunges the German government into a political dilemma. No government can stand back while another country unscrupulously tries to steal its national secrets. It has to protect the core of the government and the know-how of the national economy, sometimes with severe methods, if the diplomatic approach proves ineffective. Berlin should threaten Beijing with serious consequences, like the ones the US government announced last week.
On the other hand, the German government doesn't want to mar relations with one of its most important international partners. China has become Germany's third-largest trading partner and, from Merkel's perspective, is now much more than a large market for German goods and supplier of inexpensive products. Berlin now views the leadership in Beijing as its most important non-Western political partner.
That may explain why Merkel is addressing the Chinese problem abstractly rather than directly. During the high-level government meetings last August, she reminded the Chinese of the importance of "abiding by international rules." When she sent a representative to Beijing in November to tell senior government officials that Germany condemned the cyber espionage, it was done informally and off the record. In the end, Merkel will accept the ongoing espionage attempts as a troublesome plague that Germany simply has to put up with.
When SPIEGEL first exposed the scope of the Chinese attacks five-and-a-half years ago, then-Prime Minister Wen Jiabao asserted that his government would "take decisive steps to prevent hacker attacks."
But the problem has only gotten worse since then.
1,100 Attacks in 2012
Last year, Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution, reported close to 1,100 digital attacks on the German government by foreign intelligence agencies. Most were directed against the Chancellery, the Foreign Ministry and the Economics Ministry. In most cases, the attacks consist of emails with attachments containing a Trojan horse. Security officials noticed that the attacks were especially severe in the run-up to the G-20 summit, targeting members of the German delegation and focusing on fiscal and energy policy. The Green Party has also been targeted before.
In mid-2012, hackers attacked ThyssenKrupp with previously unheard-of vehemence. The attempts to infiltrate the steel and defense group's corporate network were "massive" and of "a special quality," say company officials. Internally, the subject was treated as a top-secret issue. The hackers had apparently penetrated so deeply into the company's systems that executives felt it was necessary to notify authorities. ThyssenKrupp told SPIEGEL that the attack had occurred "locally in the United States," and that the company did not know whether and what the intruders may have copied. It did know, however, that the attacks were linked to Internet addresses in China.
Hackers have also apparently targeted pharmaceutical giant Bayer and IBM, although IBM isn't commenting on the alleged attacks. In late 2011, a German high-tech company, the global market leader in its industry, received a call from security officials, who said that they had received information from a friendly intelligence service indicating that large volumes of data had been transferred abroad.
The investigations showed that two packets of data were in fact transmitted in quick succession. The first was apparently a trial run, while the second one was a large packet containing a virtually complete set of company data: development and R&D files, as well as information about suppliers and customers. An external technology service provider had copied the data and apparently sold it to Chinese nationals.
Seventy Percent of German Companies Under Threat
"Seventy percent of all major German companies are threatened or affected" by cyber attacks, Stefan Kaller, the head of the department in charge of cyber security at the German Interior Ministry, said at the European Police Congress last week. The attacks have become so intense that the otherwise reserved German government is now openly discussing the culprits. "The overwhelming number of attacks on government agencies that are detected in Germany stem from Chinese sources," Kaller said at the meeting. But the Germans still lack definitive proof of who is behind the cyber attacks.
The hackers' tracks lead to three major Chinese cities: Beijing, Shanghai and Guangzhou. And from Germany's perspective, they point to a Unit 61398, which was identified in a report by the US cyber security company Mandiant last week.
In the dossier, which is apparently based on intelligence information, the Washington-based IT firm describes in detail how a unit of the Chinese People's Liberation Army has hacked into 141 companies worldwide since 2006. The trail, according to Mandiant, leads to an inconspicuous 12-story building in Beijing's Pudong district, home to the army's Unit 61398.
Mandiant claims that the elite unit operates at least 937 servers in 13 countries. One of the key Chinese nationals involved has worked under the code name "UglyGorilla" since 2004, while two other hackers use the names "SuperHard" and "Dota." According to Mandiant, the scope of the evidence leaves little doubt that soldiers with Unit 61398 are behind the hacker attacks. The White House, which was notified in advance, privately confirmed the report's conclusions, while the Chinese denied them. "The Chinese military has never supported any hacking activities," said spokesmen for China's Foreign and Defense Ministries, adding that China is in fact "one of the main victims of cyber attacks."
The dossier publicly emphasizes, for the first time, what has long been claimed in intelligence circles: that the power apparatus of the Chinese government is behind at least some of the attacks. Following the report's publication, European ambassadors in Beijing moved the accusations to the top of their agenda. The diplomats agreed that China has become too large and powerful for a single European Union country to tangle with it.
The US government has now defined the attacks as a key issue, and cyber security is now on the agenda of the Strategic Security Dialogue between Beijing and Washington. China's IT espionage is the biggest "transfer of wealth in history," says General Keith Alexander, head of the US military's Cyber Command. The companies that Mandiant claims were the targets of attacks include one with access to more than 60 percent of the oil and natural gas pipelines in North America. "A hacker in China can acquire source code from a software company in Virginia without leaving his or her desk," says US Attorney General Eric Holder.
Last summer, Holder launched a training program for 400 district attorneys to specifically investigate cyber attacks by foreign countries. And last week, Holder presented the government's plan to prevent the theft of intellectual property. Following the Mandiant report, there have been growing calls in the United States for tougher action, including such steps as entry bans for convicted hackers and laws to enhance the options available to companies to fight data theft under civil law. Referring to Beijing, James Lewis of the Center for Strategic and International Studies told the Wall Street Journal: "You've got to keep pushing on them."
Germany Like a Developing Country
Germany is a long way from increasing pressure on the Chinese. In fact, when it comes to cyberspace, Germany sometimes feels like a developing country. When companies like EADS are attacked, it is a question of coincidence as to whether the German government learns of the incidents. The draft of the country's new IT Security Law, which Interior Minister Hans-Peter Friedrich, a member of the conservative Christian Social Union (CSU), unveiled in early February, at least envisions a reporting requirement for companies that are attacked. But there is a strong chance that the ministries involved in the proposed legislation will destroy the draft before the German national election in September.
The government approved a national cyber security strategy two years ago, and Germany's new Cyber Defense Center has been staffed with a dozen officials since then, but it's little more than a government virus scanner. The center lacks authority and clear policies on how the government intends to handle threats originating from the Internet. The federal agencies are "not even capable of appreciably defending themselves against an attack," scoffs a senior executive in the defense industry.
The country's foreign intelligence agency, the BND, has the most experience with cyber attacks. The agency, based near Munich, is also involved in digital espionage and has used Trojans and so-called keyloggers in more than 3,000 cases. BND President Gerhard Schindler wants to combine previously scattered personnel into a single subsection, and the necessary new positions have already been approved. An official from the Chancellery will likely head the new group.
The BND wants its future capabilities to not only include infiltrating an outside computer system. It also intends to develop a sort of digital second-strike capability to shut down the server of a particularly aggressive attacker.
That would be the worst-case scenario.
REPORTED BY RALPH NEUKIRCH, JÖRG SCHMITT, GREGOR PETER SCHMITZ, HOLGER STARK, GERALD TRAUFETTER, BERNHARD ZAND.
Translated from the German by Christopher Sultan