A report produced by the US–China Economic and Security Review Commission suggests that malicious attacks on United States military computer systems increased by 20 per cent in 2008, a figure that is projected to grow by 60 per cent in 2009. Experts attributed much of the increase to attacks originating in China:
“A large body of both circumstantial and forensic evidence strongly indicates Chinese state involvement in such activities,” the commission said in its 367-page report to Congress.
“China’s peacetime computer exploitation efforts are primarily focused on intelligence collection against US targets and Chinese dissident groups abroad.”
“China is changing the way that espionage is being done,” said Carolyn Bartholomew, who chaired the commission.
The report offers an alarming, though perhaps premature, conclusion:
China is likely using its maturing computer network exploitation capability to support intelligence collection against the US Government and industry by conducting a long term, sophisticated, computer network exploitation campaign. The problem is characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks, and an ability to sustain activities inside targeted networks, sometimes over a period of months.
The attacks raise three main difficulties for investigators. First, although many of the attacks may have been traced to an IP address originating in China, there is often little if any direct evidence connecting an attack to a local state actor, as distinct from a private party or third country. Therefore, given the ease with which IP addresses can be spoofed or attacks redirected through vulnerable systems, pointing the finger at Chinese authorities may be premature. For example, the report notes that many attacks are traceable to ‘black hat’ hackers operating out of jurisdictions with a low enforcement risk (such as China), but concedes that ‘these relationships do not prove any government affiliation’. On the other hand, the scale and targets of attack (predominantly defense engineering data) suggest an operation ‘beyond the capabilities or profile of virtually all organized cybercriminal enterprises and is difficult at best without some type of state-sponsorship’. As to the scale of the operation, consider this passage (at 51):
China … has successfully exfiltrated at least 10 to 20 terabytes of data from US Government networks as of 2007, according to US Air Force estimates and that figure has possibly grown in the past two years, though no figure is publicly available
Second, not all attacks cause visible damage: passive information gathering or preparatory infiltration might go unnoticed for months, given the small amount of data being transferred. Many of the attacks exploit 0-day vulnerabilities in web browsers and common file viewers, typically uploading a rootkit or other malicious payload for use in subsequent data monitoring. Usually, this does not of itself grant an ability to disable the network, since the target is a user client rather than a server; however, it may give access to sensitive information that can later be used to disable the target network.
Finally, the report suggests that both public and private systems are being targeted, which makes it extremely difficult for government agencies to prevent and detect incidents. Targeted private companies are often defence contractors, with attackers using typical phishing methods of payload injection. Here is an example of an attack email sent to a US military contractor:
Date: Tue, 10 Dec 2008 06:58:13 -0700 (PDT)
From: John Doe
To: employee.name@companyname.com
Subject: 7th Annual U.S. Defense Conference

7th Annual U.S. Defense Conference
1-2 Jan 2009
Ronald Reagan Building and International Trade Center
Washington, DC

Download 2009 Conference Preliminary Program (PDF)
http://conferences.satellite-[redacted].net/events/MDA_Prelim_09.zip

Download 2009 Conference Registration Form (PDF)
http://conferences.satellite-[redacted].net/events/MDA09_reg_form.zip

Contact: John Doe
Contractor Information Systems
(703) 555-1234
john.doe@yahoo.com
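The lure above carries several tells a mail gateway or analyst can check mechanically: the sender uses a free webmail address while claiming to speak for a contractor, links described as PDFs actually point at .zip archives, and the Date header's day name does not match the calendar date (10 December 2008 was a Wednesday). The following Python script is an added example, not code from the post or from the commission's report; it re-creates the email as a constructed sample (with the placeholder host "satellite-example.net" standing in for the redacted domain) and runs those heuristics over it. The finding tags and the list of free-mail domains are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample modelled on the lure quoted in the post. The hostname
# "satellite-example.net" is a placeholder for the redacted domain.
SAMPLE_EMAIL = """\
Date: Tue, 10 Dec 2008 06:58:13 -0700 (PDT)
From: John Doe <john.doe@yahoo.com>
To: employee.name@companyname.com
Subject: 7th Annual U.S. Defense Conference

7th Annual U.S. Defense Conference
1-2 Jan 2009
Ronald Reagan Building and International Trade Center
Washington, DC

Download 2009 Conference Preliminary Program (PDF)
http://conferences.satellite-example.net/events/MDA_Prelim_09.zip

Download 2009 Conference Registration Form (PDF)
http://conferences.satellite-example.net/events/MDA09_reg_form.zip

Contact: John Doe
Contractor Information Systems
(703) 555-1234
john.doe@yahoo.com
"""

# Assumed lists; a real deployment would load these from policy.
FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "aol.com"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
URL_RE = re.compile(r"https?://\S+")
CLAIMED_FMT_RE = re.compile(r"\((pdf|doc|xls|ppt)\)", re.IGNORECASE)


def sender_domain(msg):
    """Lower-cased domain of the From: address, or '' if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def find_format_mismatches(text):
    """Return (claimed_format, url) pairs where a line promises e.g. '(PDF)'
    but the link within the next two lines ends in an archive extension."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = CLAIMED_FMT_RE.search(line)
        if not m:
            continue
        for follow in lines[i + 1:i + 3]:
            u = URL_RE.search(follow)
            if u:
                if urlparse(u.group(0)).path.lower().endswith(ARCHIVE_EXTS):
                    hits.append((m.group(1).upper(), u.group(0)))
                break
    return hits


def weekday_mismatch(date_header):
    """True when the day name in a Date: header disagrees with the calendar
    date it carries, a sign the header was assembled by hand or by a tool."""
    claimed = date_header.split(",", 1)[0].strip()[:3].title()
    if claimed not in DAY_NAMES:
        return False
    actual = parsedate_to_datetime(date_header)
    return DAY_NAMES[actual.weekday()] != claimed


def score_message(raw):
    """Run every heuristic over a raw RFC 822 message; return finding tags."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    domain = sender_domain(msg)
    findings = []
    if domain in FREE_MAIL_DOMAINS:
        findings.append("free-webmail-sender")
    if find_format_mismatches(body):
        findings.append("archive-labelled-as-document")
    if weekday_mismatch(msg.get("Date", "")):
        findings.append("date-weekday-mismatch")
    # Every link host is unrelated to the sender's own domain.
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    if hosts and domain and not any(
        h == domain or h.endswith("." + domain) for h in hosts
    ):
        findings.append("links-unrelated-to-sender")
    return findings


if __name__ == "__main__":
    for tag in score_message(SAMPLE_EMAIL):
        print(tag)
```

None of these checks proves malice on its own (legitimate conference mail is sometimes sent from personal accounts), but a message that trips all four at once is a reasonable candidate for quarantine and analyst review rather than delivery.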