A group of cybercriminals has breached and mapped the global banking system, and in a series of attacks has so far stolen $81 million from the central bank of Bangladesh. Experts believe the attacks were done through a vulnerability in the SWIFT banking system, which connects 11,000 financial institutions around the world.
Investigations into the ongoing attacks are still underway, and related attacks on other banks are still being uncovered. Some experts are pinning the attack on hackers from North Korea, since the tools they used share similarities to the November 2014 hack of Sony Pictures Entertainment.
According to an insider with direct knowledge of the recent attacks, however, the culprit behind the digital bank robberies is much larger. The insider requested to remain anonymous due to security concerns, and was able to provide evidence to support his claims.
A screenshot provided to Epoch Times showing the security certificate of a Mexico-owned bank money transfer network being exfiltrated. Hackers can use the certificate to send communications through the company’s networks, which its recipients would automatically validate. (Epoch Times)
Chinese state hackers identified the initial vulnerability, and used it to infiltrate and infect the global financial system, according to the insider. When their contract ended with the Chinese regime last year, they sold the vulnerability to cybercrime groups on a private marketplace in the darknet in an attempt to thwart detection, he said. The darknet is an alternate internet that is only accessible using specialized software. While the darknet has legitimate uses, criminal groups buy, sell, and conspire on darknet forums.
The Chinese regime runs a large network of hackers under the General Staff Department, Third Department, of its military. These hackers carry out orders from the Chinese regime, and also often run additional operations or sell data on the side for personal financial gain. Epoch Times exposed this system in a previous investigative series.
The cybercrime groups who purchased the vulnerability are allegedly those carrying out the current attacks and illegal money transfers.
“The Chinese have already gained permanent access to the target financial networks and exfiltrated all the data they wanted for the contract for their sponsor,” the insider said. “Now they have this vulnerability they can continue to monetize, so now they’re selling it to criminal networks.”
Process of the Breach
The code used to exploit the vulnerability was pulled from multiple places, which could also mean researchers who only look at the breach from the surface may draw false conclusions. He said some of the code was developed in-house by the Chinese hackers, but they also purchased some of it from Russian universities.
The insider said the Chinese hackers didn’t sell the vulnerability to any specific cybercrime group either. “They’ll sell one bank to one group,” he said, and noted most of the hackers carrying out the current attacks are comparatively low-skilled. “They’re not coders,” he said. “They just know how to release packages and deploy them.”
The insider was able to provide forensic data and screenshots that support the claims. The insider was also able to provide a list of targeted banks, which he noted is growing, and which includes a long list of banks and financial systems that are connected to a compromised banking partner network—including several in the United States, Latin America, and Asia.
The Chinese state hackers started their attacks on the bank networks as early as 2006, according to the insider, and began uploading malware to the bank networks in 2013.
While the breach of SWIFT has been made public, he said, the Chinese hackers also breached a money transfer network which is run by a Mexico-owned bank based in New Jersey.
“Basically, Mexico’s critical infrastructure is owned by the same APT group,” he said, using “APT,” or “advanced persistent threat,” to refer to the Chinese state hackers. “They’re in everything down there,” the insider said, referring to the level of access the Chinese state hackers have gained over critical networks in Mexico.
A post on a cybercrime darknet forum offers access to Mexican government networks, stating the entry is “ideal for cyberspy.” (Screenshot was provided to Epoch Times by an insider)
A post on a cybercrime darknet forum offers access to more than 150,000,000 sensitive files from Mexican government networks, stating “information is complete country.” (Screenshot was provided to Epoch Times by an insider)
A post on a cybercrime darknet forum sells access to “all information” on Mexico, noting it contains a new method to breach networks, and includes “bigs company” in the financial sector. (Screenshot was provided to Epoch Times by an insider)
It wasn’t until around June 2015 that the Chinese state hackers sold the vulnerability to cybercrime organizations, and these organizations immediately used it to begin mapping, testing, and infecting banks and financial systems.
The insider said the hackers exploited a vulnerability in Apache Struts V2, a framework used to build web applications. It was vulnerable as early as 2006 and was patched in 2013. He also noted that after gaining access, the hackers have since traversed numerous additional financial networks they’re targeting.
While the Chinese state hackers sold access to the bank networks, the source noted the hackers had been mapping and infecting the global banking system over the last eight years.
When they decided to sell the vulnerability, they did not forfeit their access to the networks. By the time they sold it, the insider said, it had already served its purpose. In other words, the Chinese state hackers still have access to the networks—and not just to a few banks, but instead most of the global banking system.
The insider speculated that the Chinese state hackers are selling the original vulnerability both for profit, and to use the cybercriminal gang as a deliberate distraction from their higher-level breaches. He went on to

Read the full article here

The Chief Information Security Officer (CISO) for a firm that specializes in gaining intelligence on the criminal activities in the darkest corners of the Internet has revealed the existence of private marketplaces run by China’s cyberspies.
Ed Alexander is CISO for the California-based company DBI. In a phone interview, Alexander said these private marketplaces are where many of China’s state-sponsored hackers do their side work and sell stolen data to the highest bidders.
“Their primary allegiance is to China. Their secondary allegiance is to themselves,” said Ed Alexander, Chief Information Security Officer of DBI, in a phone interview.
DBI trains and manages darknet operatives-for-hire, who conduct human intelligence (HUMINT) operations on the Darknet, and Alexander oversees the world’s largest cyberHUMINT teams.
Contrary to reports saying China’s state-run hackers are clumsy and poorly skilled, Alexander said that in the 10 years since his deployment of cyberHUMINT operations, “these are the most sophisticated people I’ve seen.”
Even other nation-state hackers, such as those with the Syrian Electronic Army, he said, “[are] nowhere close to the sophistication of the Chinese.”
The Hidden Internet
There are two sides to the Internet. The part most of us use is called the “Clearnet” or the “Surface Net,” and includes all parts of the Internet that are searchable and readily accessible. The other part of the Internet is the “Deep Web,” which constitutes about 94 percent of the actual Internet and includes all the data that search engines can’t see.
Within the Deep Web, there are hidden websites that can only be accessed using specialized tools, such as the Tor (The Onion Router) Web browser. This part of the Internet is called the Darknet, and while it has several benign websites, it is also home to digital black markets such as the “Silk Road,” which sells illegal drugs and firearms.
The part of the Darknet that DBI deals with, however, is deeper still. It gathers intelligence from invite-only and private forums where the real cybercriminal underground conducts its business.
DBI’s approach is in sharp contrast to the new entrant Darknet intelligence start-ups, which only scrape data off the open darknet forums. DBI is the only company offering cyberHUMINT operatives-for-hire, and it is employed by Fortune 500 companies, law enforcement, military, and intelligence agencies worldwide.
Alexander compared the environment on the Darknet to that of a prison gang ecosystem. New people on the Darknet are not seen as being part of the gangs. “They’re just outsiders looking around,” he said, and are always oblivious to the discussions that go on among the organizations running the show.
He said in these communities, DBI sees discussions on which government and business networks are being targeted, which ones have already been breached, and which ones have their data being sold to the highest bidders.
China’s State Hackers
When it comes to the Chinese Darknet, the more public forums are typically used by the less experienced hackers. The marketplaces operated by the state hackers are much more difficult to access.
Alexander said these hackers have told his operatives they’re state sponsored. “They tell us they work for China,” Alexander said.
The Darknet marketplaces used by China’s state hackers use a three-step, invite-only process for access.
First, all would-be members need to be proposed by a known member to a site’s admins for approval. Second, they must be vouched for by at least five known and trusted darknet denizens of echelon status. Finally, every buyer needs to demonstrate they have at least $100,000 of bitcoin in a digital wallet, which the buyer proves they control. Only after passing the vetting process does a new member get access to shop and interact with other members.
Most of their clients are representatives from nation-states, and Alexander said there are buyers from a surprisingly large number of countries on their markets, including Russia and Iran.
He said the Chinese state hackers will sell to “any country that has enough money to pay them for their services—this is about money,” yet noted they strictly do not sell to representatives from terrorist organizations.
Stolen data sells for anywhere up to $75,000. Access to a business or government network goes for around $100,000. And if the client wants to hire them to breach a specific target, Alexander said they charge no less than $1 million.
The Chinese hackers run the market as their side business, Alexander said. While breaching networks for their day jobs under the Chinese regime, they’ll often steal additional data they can sell on the black market.
Chinese state hackers are often viewed as clumsy. During a segment on 60 Minutes in October 2014, FBI Director James Comey said “I liken them a bit to a drunk burglar. They’re kickin’ in the front door, knocking over the vase, while they’re walking out with your television set.”
Information from DBI shows a different picture. The Chinese state hackers breach networks under contract, steal what they were hired to steal, then take anything else they can sell on the side.
He also noted the hackers treat it like a business, saying “they’ll never resell the information.” It seems there is a kind of honor among these thieves.

Read the full article here

An insider in China has revealed to the Epoch Times that he helped build a database that is now being used to handle Americans’ personal information stolen in cyberattacks. 
The FBI revealed on June 4, 2015, that a cyberattack, allegedly from China, stole personal information on close to 21.5 million U.S. federal employees after breaking into the computer files of the Office of Personnel Management (OPM). Subsequent Chinese cyberattacks have also targeted personal data on Americans, including the February 2015 breach of Anthem that stole close to 80 million records.
Speculation began soon after on how the Chinese regime could use the data. A July 2015 report from the Congressional Research Service states “experts in and out of government” suspect the Chinese regime may be building a database on federal employees it could use for espionage.
With a database like this, the Chinese regime can have a systematic roadmap of Americans and their connections, and information it can use to blackmail government employees, recruit insiders as spies, and monitor people who speak out against its policies.
FBI Director James Comey said in a Sept. 10, 2015, hearing on cybersecurity, “There is a significant counterintelligence threat that’s associated” with a nation-state getting hold of the data.
According to the insider, the Chinese Communist Party (CCP) has built the database needed to make use of the massive trove of stolen data. He said that to create the spy database, the CCP brought in a small group of independent software developers from the United States, who worked alongside Chinese security branches to implement the system.
The source requested to have his name withheld, in fear of reprisal from the CCP. Other sources confirmed this man’s identity, and said that he would have access to the kind of information he gave the Epoch Times. In the past, he has provided the Epoch Times with significant information about confidential matters in China that has proven accurate.
(Illustration by Jens Almroth/Epoch Times)
The new system is part of a broader shift in the Chinese regime’s efforts in espionage and social control. With the database, the CCP is now keeping tabs on foreigners in much the same way it has kept tabs on its own citizens, their connections, and their political thoughts.
Chinese spy agencies finished building the system around July 2013. In March 2014, Chinese hackers originally tried, and failed, to breach OPM.
The source said one of the leading organizations involved in the project was the 61 Research Institute, which is one of four known research institutes under the Third Department of the General Staff Department—the branch of the People’s Liberation Army in charge of its military hackers.
The Epoch Times exposed in a previous investigation that the 61 Research Institute is one of the leading organizations behind the CCP’s state-run cyberattacks.
The organization is led by Wang Jianxin, a son of Wang Zheng, who helped establish the CCP’s signals intelligence operations under Mao Zedong.
While the 61 Research Institute’s role in the project ties it to global cyberespionage, the source said many other Chinese domestic security branches were also involved in building the system—including various branches of the police and about six branches of the secret police.
The functions of the spy system, and the departments involved, suggest it will be used not only as a database on foreigners, but also as a system to better monitor Chinese people. The source noted that one of its functions will be to gather information on individuals from all available sources in China, and outside China, that can be used for criminal trials.
“Our intelligence sources corroborate this information,” said Casey Fleming, CEO of BLACKOPS Partners Corporation, which provides cybersecurity intelligence, strategy, and risk reduction to some of the largest companies in the world.
“Our ongoing intelligence gathering shows indication that this database has been in process at least over the last three years—commanded at the highest levels of the Chinese government,” he said in a phone interview.
Big Data Espionage
According to the source, the software used for the database was originally a big data analytics program for smart city measurements, and the CCP altered it for its own uses.

Chinese hackers stole personal information on approximately 21.5 million Americans from the computer files of the U.S. government’s Office of Personnel Management. (Chinamil.com.cn)
What made the software attractive was its powerful functions for gathering information, and showing relationships between data. The source said it was also scalable—enough to hold credentials on every Chinese citizen, and to display everything from their personal data, to data on their family members, relations, and personal background.

The spy database displays data as nodes, which can be shown either by themselves or in relation to other data or events.
The system is capable of ingesting and sorting large amounts of data. The source noted the spy database is even better at this than some open source programs designed for the purpose.
A security service using the system could conduct deep data mining on personal files in the system, to show how individuals relate to one another, even over set timeframes.
The system can also be used to collect data on individuals. The source said it can gather information on people from Chinese security offices, from its own internal database, and from sources abroad, outside the Chinese firewall.
According to the source, getting personal data on foreigners—including Americans—is fairly easy. He said it’s often not necessary for the Chinese regime to use cyberattacks to steal sensitive information.
He said U.S. banks, for example, often hire many people from other countries, and many tech industries do the same. Many of these individuals can be given trusted positions within these companies, and he said it’s not uncommon for some of these individuals to take data out of the companies, and sell it.
It’s not difficult, he said, to create a fairly deep profile on a person using data stolen from just a handful of sources.
The Chinese spy system he helped build, he said, takes this information and organizes it in a form that departments of the Chinese regime can then use—whether it be for industrial espionage, or other purposes.
Fleming said that although the most visible Chinese cyberattacks feeding

Read the full article here