Chinese Hackers Target U.S. University With Government Ties

A prominent American university with ties to the Defense Department and intelligence agencies is the latest target of Chinese hackers.

Last week, the University of Virginia, located in Charlottesville, about a three-hour drive from Washington, D.C., announced that it had suffered an intrusion “originating from China” that led the school to shut down portions of its technology systems and required students and faculty to reset their passwords used for accessing email and other applications hosted on the school’s systems.

But unlike some China-based intrusions that attempt to steal personal information such as Social Security and financial account numbers from large numbers of people, this one targeted two university employees “whose work has a connection to China,” university spokesperson Anthony P. de Bruyn told The Daily Beast.

The attackers “accessed the email accounts” of the employees, he said, without specifying what information they may have stolen. Officials hired noted computer security firm Mandiant to investigate the breach in June, after the school learned from federal authorities that it had been hacked. Mandiant has extensive experience conducting forensic analysis of computer systems that have been overrun by Chinese hackers, some of whom it has linked to the Chinese military and the country’s intelligence apparatus.

De Bruyn didn’t name the employees or identify their positions. But the university has dozens of faculty members in its East Asia Center. And the school has connections to the Defense Department and U.S. intelligence agencies through the UVA Research Park, a 3.7 million-square-foot development whose tenants include big-name government contractors such as Booz Allen Hamilton, Leidos, and Northrop Grumman.

Some firms at the research park work for a large Defense Department installation in Charlottesville less than a mile away. It includes offices for the Defense Intelligence Agency, which is the Pentagon’s primary intelligence organization, as well as the National Ground Intelligence Center, or NGIC, which helps to assess the size and threat of foreign militaries. Companies also work with the university’s engineering school on research into “homeland and cyber security,” according to a university website.

A university spokesman didn’t answer questions about whether anyone working with the research park was affected by the breach.

But in late July, about six weeks after the university discovered that its China experts were being targeted, the Defense Department issued a warning about hackers “affiliated with a known foreign intelligence agency” who were going after academic institutions as well as government contractors.

“In the past three months, this APT actor has penetrated U.S. infrastructure, exfiltrated data, and compromised credentials,” according to the bulletin, a copy of which was obtained by The Daily Beast. The acronym APT is something of a euphemism. It stands for “advanced persistent threat” and is frequently used in government communications to refer to China. The document doesn’t specify what organizations were hit.

The bulletin was sent to government contractors and other organizations cleared to receive information about cyber attacks, which can include academic institutions. It contains technical details on how the hackers are penetrating systems and stealing information. The intruders obtained access credentials that would give them freedom to move around within and among different networks, the bulletin said.

Hackers frequently obtain those credentials by hacking someone’s email account. The intruders send legitimate looking messages to employees that trick them into installing malicious software on their computers, a technique known as spearphishing. That software can record information such as log-ins and passwords.

Chinese hackers aren’t the only ones to employ the technique. Security experts and U.S. officials say that recent intrusions into State Department and White House computers were also the result of spearphishing.

The bulletin warns recipients to take actions to defend both their classified and unclassified networks from the intruders.

Notably, the Defense Department bulletin was sent on the same day as an alert from the FBI that warned of hackers targeting “U.S. Government and commercial industries including aerospace, entertainment/media, healthcare, and telecommunications networks.” The intrusions “resulted in the theft of sensitive U.S. government and business information including bulk personally identifiable information” and “involved infrastructure that emanated from China,” according to the warning, a copy of which was obtained by The Daily Beast.

In a written statement issued late on August 14, the university said there was “no evidence that sensitive research material was accessed.” It’s not clear, however, if the university is aware of when the breach actually began and what may have been compromised before the school and its experts were alerted. The school confirmed the intrusion on June 11, after being notified by unnamed “federal authorities,” according to the statement.

A spokesperson for the FBI, which investigates domestic cyber breaches and has alerted companies and institutions that didn’t know they were hacked, declined to comment.

The university confirmed the China intrusion at a time of heightened anxiety in the U.S. government, as investigators were tracking the source of a massive hack against the Office of Personnel Management to intruders based in China.

In the wake of that breach, which saw the theft of more than 22 million current and government employees’ personal information, the FBI has been warning companies to be on the lookout for Chinese hackers.

Those alerts have been conveyed through private channels, such as bulletins and security warnings, but also publicly.

In July, the FBI’s top counterintelligence officials held a rare on-the-record session with reporters in which they blamed China for an aggressive campaign of stealing U.S. companies’ trade secrets and intellectual property.

The bureau said it’s investigating hundreds of such cases. China’s intelligence services are “as aggressive now as they’ve ever been,” said Assistant Director Randall Coleman, who runs the bureau’s counterintelligence division.

The Obama administration has determined that China was behind the personnel office hack. But officials have decided not to blame the country publicly in order both to avoid revealing sources and methods of intelligence gathering and to head off a diplomatic confrontation. Chinese President Xi Jingping is visiting Washington next month, and while officials have indicated that the White House will privately raise the issue of Chinese hacking, it’s not expected to be addressed by either country’s leaders publicly.

The University of Virginia waited more than two months to publicly identify China, which in and of itself was a rare move. Hacking victims are often reluctant to discuss who they suspect targeted them, lest it encourage more attacks or tip off their adversaries to detection techniques. In this case, the university waited to sound the alarm publicly so that its security experts could track the intruders.

“It was important that the hackers remain unaware of our action to investigate this event and protect against it. If the University had not taken this course of action, the situation could have worsened,” the school said in a statement.