Cybersecurity firm Area 1 defends pointing finger at China over European cables hack

The research has reignited a debate about attribution in infosec.
EU sanctions
European Union flags in front of the European Parliament in Brussels. (Getty Images)

Chinese military hackers have used a persistent phishing campaign to steal thousands of European diplomatic cables on sensitive topics ranging from counterterrorism to technology exports, cybersecurity researchers charged Wednesday.

The years-long operation targeted over 100 organizations, including the United Nations and the AFL-CIO, according to Area 1, a California-based cybersecurity company.

The China’s People’s Liberation Army (PLA) was behind the effort, Area 1 said. The company did not list detailed forensic evidence linking the hack to the PLA, drawing criticism from other researchers as to why an attribution was made. But Area 1 defended its work, telling CyberScoop it had plenty of evidence of China’s role in the breach.

A spokesperson for the Chinese embassy in Washington, D.C., did not respond to a request for comment on the allegations. European Union officials said Wednesday that they were investigating the breach.


In an interview with CyberScoop, Area 1 co-founder Blake Darché said the company had solid evidence to attribute the activity to Chinese operatives, some of which was only released privately to Area 1 customers.

“We looked at IP addresses used, domain names registered by the attacker, and we were able to traces those pieces of information to certain geographic locations in China,” said Darché, a former National Security Agency official.

Juan Andres Guerrero-Saade, a researcher at Alphabet’s Chronicle, criticized what he called Area 1’s “unequivocal and unnuanced attribution statement” blaming the PLA for the hacking.

But Darché argued that, in debates over attribution of cyber activity, outside observers will always call for more information that researchers don’t necessarily have to release.


“My customers have access to that information, I don’t have to publicize it,” he said.

The Area 1 report lays out the steps hackers took to gain access to victim networks, including the system that European Union officials use to communicate on foreign policy issues. After breaching the computer network of Cyprus’s Ministry of Foreign Affairs, the attackers used a command to reach a remote server that stored the diplomatic cables, according to the report.

The report describes Chinese government hacking as “technically unremarkable” and persistent rather than sophisticated. “Cyberattacks are more akin to an assembly line than to individual snowflakes,” says the report, which was first revealed in a story published Tuesday by The New York Times.

“This is a very cookie-cutter operation. Nothing is very customized here,” Darché told CyberScoop. “You don’t need custom tooling to cause a lot of damage.”

The attackers did use an implant known as PlugX to move through victim networks. That tool has been popular with Chinese hackers in recent years, though it is not exclusive to them, Darché said.


The New York Times story quotes from some of the 1,100 hacked cables Area 1 gave to the news outlet, leading some cybersecurity specialists to question why these revelations were being made in the press and not privately.

Darché said Area 1 notified victims of the hacking before publicly disclosing the campaign.

“As of very recently, we saw [the hackers] having access to that [EU network], which is why we took action to move people to start to address this problem,” Darché told CyberScoop.

Area 1, he added, gave The Times access to the hacked data in a “controlled environment” simply to provide context on the breach.


The research is a reminder of the scope and ambition of cyber-espionage campaigns, and comes amid mounting U.S. pressure on China for its alleged use of hacking to steal intellectual property.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts