
Cyber Attacks Targeted Interests of Billionaire Chinese Dissident

Two Recent Alleged Cyber Attacks Have More to do with Politics Than Cybercrime

Two little-reported but alleged cyber attacks in recent weeks -- one against the Hudson Institute (a politically conservative think tank), and one against legal firm Clark Hill -- seem to revolve around China's campaign against dissident Guo Wengui (aka Miles Kwok), currently resident in New York and seeking political asylum. In both cases the finger has been pointed at China, and in both cases China has denied any involvement.

The first led to the sudden cancellation of a Hudson Institute event scheduled for October 4: A conversation with Guo Wengui. Hudson Institute said it had detected a cyber attack emanating from Shanghai a few days earlier. Hudson spokesman David Tell played down the effect of the DDoS attack, and blamed the event cancellation on poor planning: "The planning just got away from us and we feel bad," he told the Washington Free Beacon.

The second cyber attack apparently led to law firm Clark Hill withdrawing representation from Wengui, after earlier lodging Wengui's asylum claim. Clark Hill has merely confirmed that it no longer represents Wengui; but Wengui has claimed that it follows the law firm being targeted by Chinese hackers.

Wengui is a Chinese property billionaire wanted in China on corruption charges. In turn, he claims that the Chinese government is a kleptocracy. At a press conference Thursday, he produced what he claimed were 'top secret' Chinese government documents showing that China had sent secret agents into the United States. China claims they are forgeries.

In April, China issued an Interpol red notice on Wengui. These are not arrest warrants. Unlike the European Arrest Warrant (EAW) that has validity throughout the European Union (the UK was obligated to arrest Julian Assange in 2010 because of a Swedish EAW), no Interpol country is required to arrest the subject of a red notice -- it is merely a way of telling all Interpol countries that the subject is wanted in the issuing country.

Wengui's wealth has been estimated at $38 billion, earned through property and other investments. Many of his assets in China, where he is reportedly being investigated for at least 19 crimes ranging from kidnapping, fraud, and rape to money laundering, have been blocked by the government.

The whole debacle comes at an interesting point in US/Sino relations. The U.S. is seeking increased Chinese assistance against North Korea -- and there are some signs of mutual cooperation. U.S. Secretary of State Rex Tillerson was in Beijing between September 28 and October 1, meeting with senior Chinese officials. 

At this point, US Cyber Command was still delivering its DDoS attack against North Korea's military spy agency, the Reconnaissance General Bureau (RGB). At the time, the only way into North Korea was through the connection owned by China's China Unicom (Russia has since opened a second connection across the Friendship Bridge between the two countries). Technically, it would be possible for Cyber Command to use this channel without China's knowledge or cooperation. However, the possibility of footprints being left that could trace the attack back to Cyber Command makes it unlikely that it was done without China's knowledge.

Similarly, on the scheduled day of the Hudson Institute event with Wengui, a Chinese delegation was in Washington for a high-level law enforcement and cyber security dialogue between the U.S. and China. The alleged attack was raised by U.S. Attorney General Jeff Sessions during a meeting with China’s Public Security Minister Guo Shengkun, and China pledged to cooperate with an investigation. 

The meeting was part of a high-level communication channel established between Beijing and Washington following the meeting between President Trump and President Xi Jinping in April. While Trump is keen to get China's cooperation over North Korea, Xi Jinping is keen that nothing rocks the boat too seriously ahead of the 19th Party Congress later this month. Xi Jinping, while being a strict authoritarian, has been engaged in a long-running anti-corruption campaign in China -- although this is thought to be more about strengthening the party's control over the military than about improving civil rights.

On Saturday, the Chinese Ministry of Public Security issued a statement denying any involvement in cyberattacks against the Hudson Institute or Clark Hill. “The Chinese government would like to suggest that the US law enforcement authorities supply China with the detailed information, relevant clues and evidence, so that China could assist in the investigations to identify the real source of such hacking,” the ministry said, adding it would cooperate fully in any investigation.


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.