Case Based in China Puts a Face on Persistent Hacking

Case Based in China Puts a Face on Persistent Hacking

SAN FRANCISCO — A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese

university — putting a face on the persistent espionage by Chinese hackers against foreign companies and groups.

The attacks were connected to an online alias, to be released on Friday by Trend Micro, a computer security firm with headquarters in Tokyo.

The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense.

Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have

recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.

“The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A. Lewis, a former diplomat and expert in computer security who is a director and senior fellow at the Center for Strategic and International Studies in Washington. “A private Chinese hacker may go after economic data but not a political organization.”

Neither the Chinese embassy in Washington nor the Chinese consulate in New York answered requests for comment.

The Trend Micro report describes systematic attacks on at least 233 personal computers. The victims include Indian military research organizations and shipping companies;

aerospace, energy and engineering companies in Japan; and at least 30 computer systems of Tibetan advocacy groups, according to both the report and interviews with experts connected to the research. The espionage has been going on for at least 10 months and is continuing, the report says.

In the report, the researchers detailed how they had traced the attacks to an e-mail address used to register one of the command-and-control servers that directed the attacks. They mapped that address to a QQ number — China’s equivalent of an online instant messaging screen name — and from there to an online alias.