Area 1, a California-based security company founded by ex-National Security Agency hackers, has come under fire for passing European diplomatic cables allegedly hacked by China on to the New York Times.
The story has confounded many cybersecurity professionals.
Area 1, founded in 2013, says COREU, the European Union’s diplomatic communication network, was compromised over a three-year period by “elite” Chinese hackers, with over 1,000 cables stolen.
It claims these were then, confusingly, posted onto an “open internet site” where they were presumably identified by Area 1’s team. It then passed a selection of the cables onto the New York Times. It is unclear if it notified European security authorities first.
Area 1: “It was China”
The move has left some observers stunned – and with plenty of questions. Area 1 attributed the hack to China, but offers no forensic evidence, with the NYT report merely saying that the techniques deployed by hackers “resembled” those of an “elite unit of China’s People’s Liberation Army”.
Yet few “elite” units would post exfiltrated data to an insecure public website.
Christiaan Beek, a senior principal engineer at McAfee, described Area 1’s passing on of the cables as “unbelievable, not acceptable and un-ethical”.
Others said they were “slightly staggered”.
It is unbelievable and imho not acceptable and un-ethical.
— Christiaan Beek (@ChristiaanBeek) December 19, 2018
The alleged breach of the EU communication network was reportedly discovered by Area 1 when they uncovered a phishing campaign targeting diplomats in Cyprus that had compromised the state’s national computer systems.
From here the threat actors had access to passwords that gave them full access to the EU’s entire database of diplomatic exchanges.
What the Cables Say
The cables published by the New York Times detail EU officials’ concerns over the direction the US administration has taken under President Trump on an array of policies.
One cable detailed a report on a discussion between EU officials and President Xi Jinping of China in which Xi is quoted as saying that Trump’s “bullying” of the city of Beijing was like a “no-rules freestyle boxing match.”
Another cable has diplomats describe the meeting between Russia’s Vladimir Putin and Trump as ‘successful’ for Putin. Further cables detail EU officials’ discussion about Crimea and warnings that it had turned into a ‘hot zone where nuclear warheads might have already been deployed’.
Blake Darche of Area 1 told the NYT that: “After over a decade of experience countering Chinese cyberoperations and extensive technical analysis, there is no doubt this campaign is connected to the Chinese government.”
Without forensic evidence, few can challenge the claim. Yet many questioned how and why the documents came to be posted to an open site, how Area 1 obtained them, and whether it had informed European security agencies before informing the New York Times.
So far, I count a CND failure (EU et al.), a CNO tradecraft failure (operators probably working on behalf of the PRC), a very dubious PR move by a network security firm (Area 1), and an equally dubious journalistic move by the NYT…and it’s just beginning…
— Bartholomew R Mallio (@bartmallio) December 19, 2018
Computer Business Review has contacted Area 1 for comment.
A spokesperson for the European Union General Secretariat told Computer Business Review: “The Council Secretariat is aware of allegations regarding a potential leak of sensitive information and is actively investigating the issue. The Council Secretariat does not comment on allegations nor on matters relating to operational security. The Council Secretariat takes the security of its facilities, including its IT systems, extremely seriously.”