Image 01 Image 03

China Using Hackers to Target U.S. Missile Defense in South Korea

China Using Hackers to Target U.S. Missile Defense in South Korea

China says THAAD will compromise its security.

I’ve chronicled China’s opposition to the Terminal High-Altitude Area Defense (THAAD), the U.S. missile-defense system in South Korea. The Chinese government has denied retaliating against the system, but one American cybersecurity firm told The Wall Street Journal that it found evidence that Beijing has used hackers to target THAAD.

The firm FireEye discovered that “two cyberespionage groups that the firm linked to Beijing’s military and intelligence agencies have launched a variety of attacks against South Korea’s government, military, defense companies and a big conglomerate.”

The Hackers

FireEye admitted that Chinese hackers often target South Korea, but their activity has grown since South Korea announced the deployment of THAAD. WSJ continued:

One of the two hacker groups, which FireEye dubbed Tonto Team, is tied to China’s military and based out of the northeastern Chinese city of Shenyang, where North Korean hackers are also known to be active, said Mr. [John] Hultquist, a former senior U.S. intelligence analyst. FireEye believes the other, known as APT10, may be linked to other Chinese military or intelligence units.

The two hacking groups with alleged ties to Beijing have been joined by other so-called hacktivists—patriotic Chinese hackers acting independently of the government and using names like the “Panda Intelligence Bureau” and the “Denounce Lotte Group,” Mr. Hultquist said.

South Korea’s Lotte Group has become a particular focus of Chinese ire after the conglomerate approved a land swap this year that allowed the government to deploy a Thaad battery on a company golf course.

Last month, just after the land swap was approved, a Lotte duty-free shopping website was crippled by a denial-of-service attack, said a company spokeswoman, who added that its Chinese website had been disrupted with a virus in February. She declined to comment on its source.

Hultquist explained to WSJ that the hackers use “web-based intrusions” in order to gain access into the systems. This means they lure “people to click on weaponized email attachments or compromised websites.” In other words, phishing.

Russia’s Kaspersky Lab ZAO also noticed more attacks on South Korea from hackers using malware “developed by Chinese speakers in February.” Park Seong-su, a senior global researcher with the company, said those the firm observed also used “spear-phishing emails armed with malware hidden in documents related to national security.”

South Korea Response

Last month, the South Korean Ministry of Foreign Affairs stated that hackers targeted its website “in a denial-of-service attack-one in which a flood of hacker-directed computers cripple a website-that originated in China.”

The spokesman said that officials took “prompt defensive measure” to make sure the attacks did not cause any harm. Officials have also started an “emergency service system” to fight off the Chinese hackers.

However, the government did not offer more details. The spokesman also did not name the firm the government used to track down the hackers or if the hackers meant to target THAAD.

Previous Attacks

But FireEye said that these hackers have performed other cyberattacks in the past. From WSJ:

FireEye linked Tonto Team to an earlier state-backed Chinese hacking campaign, identified by Tokyo-based cybersecurity firm Trend Micro Inc. in 2012, which focused on South Korea’s government, media and military. Trend Micro declined to comment.

Two cybersecurity reports this month accused APT10 of launching a spate of recent attacks around the globe, including on a prominent U.S. trade lobbying group. One of those reports, jointly published by PricewaterhouseCoopers LLP and British weapons maker BAE Systems, said the Chinese hacker collective has recently grown more sophisticated, using custom-designed malware and accessing its targets’ systems by first hacking into trusted third-party IT service providers.


President Donald Trump’s administration has pushed through the deployment of THAAD for national security reasons. The U.S. and South Korea insist that the system is for protection against North Korea, but China has objected to it. Experts said that China has concerns the countries will use the system “to spy on China’s activities, rather than monitor incoming missiles from North Korea” and it could “undermine its ability to respond to an attack on its own soil.” From WSJ:

In a statement posted on its website Friday, China’s Ministry of Foreign Affairs expressed “strong dissatisfaction” with and “firm opposition” to deploying the missile-defense system, saying the decision had been made without regard for the views of China and other countries in the region.

In the statement, China warned that Thaad would hinder denuclearization on the Korean peninsula and contribute to regional instability, and called on the U.S. and South Korea not to deploy.

Beijing has grown tired of North Korea’s dictator Kim Jong-un, but the country still enjoys the communist kingdom since officials can use it “to keep U.S. power in the region from expanding to its doorstep.”


Donations tax deductible
to the full extent allowed by law.


Close The Fed | April 21, 2017 at 1:41 pm

WHY doesn’t the DoD have it’s own network?

If China is doing this, then NKorea’s nuke’s are a bigger problem than we already thought. This means our defenses, even with the limited technology we have, are of even less use.

Regrettably, that makes dealing with the fatso more urgent.

What a mess. Bill Clinton sent a boy to do a man’s job when he sent Jimmy Carter to negotiate with the Norks.

    Kaitain in reply to Close The Fed. | April 21, 2017 at 2:14 pm

    They do have their own network. The system is built by Lockheed Martin and is designed only for SIPRNet and a few other secured networks. SIPRNet is mostly accessible in what’s called a SCIF (Secure Compartmentalized Information Facility). If you look at the Ballistic Missile Defense System (BMDS) designs, they are restricted to specific communications. I bet most if not all of those THAAD sites are set to passive mode until they detect a missile launch or get a alert which they switch to active.

      Tom Servo in reply to Kaitain. | April 21, 2017 at 4:29 pm

      That makes a lot of sense. The idea that anyone could use the Internet to just call up the THAAD system is ludicrous.

So we’re supposed to believe the DoD uses TCP/IP and what, HTTP protocols?