By Justin Sherman
In 2012, a data theft incident began at the African Union (AU) Headquarters in Addis Ababa, Ethiopia, where information from the AU’s computer systems was allegedly transmitted to servers in China. This continued, at the same time every night, for five years, until it was discovered in January 2017. A year following, in January 2018, French paper Le Monde ran a story on it. That’s when the revelations went public.
The reason this has been cropping up today, amidst the U.S.’ intensifying technological confrontation with China, is that the bulk of the computer systems in the African Union Headquarters were supplied by Chinese telecommunications company Huawei and paid for by the Chinese government. When sensitive data was routed from AU servers back to servers located in Shanghai, it raised many suspicions about the Chinese government’s use of Huawei equipment to spy on foreign activity.
Amidst all of the ongoing controversy around Huawei, 5G, and national security, this incident has cropped back up in discussions about the extent to which the Chinese intelligence services do or could plant backdoors in Huawei systems for espionage purposes. If one is going to use this as reason to suspect Huawei, though, it’s worth better understanding this incident and to what extent this serves as reliable grounds for concern. In this blog, I therefore break down what happened, if there was evidence of backdoors in the Huawei systems used by the AU Headquarters, and what this means for the risks around Huawei and 5G.
On January 26, 2018, Le Monde reported that the headquarters of the African Union — where heads of state and ministers meet biannually to discuss the continent’s major issues — had been hacked. Yet this was not a one-time incident. Like many data breaches, it took the organization years to notice internally, as sensitive data was exfiltrated again and again.
The $200 million headquarters opened in 2012, funded entirely by the Chinese government. Not only had it been called “China’s gift to Africa,” but Xinhua, the state-run Chinese news agency, in fact said at the time that the complex “is not only a new landmark in Addis Ababa but also the latest landmark in the long friendship between China and Africa.” All seemed well.
Yet in January of 2017, a computer scientist at the African Union noticed that AU servers, from midnight to 2am, were sending large volumes of data from the organization to an outside location, Le Monde reported. According to this individual, the AU’s internal secrets were specifically routed to servers in Shanghai. And this data exfiltration wasn’t a one-off operation. It had been occurring every night, at the same time, from January 2012 through January 2017.
The period of time between internal discovery (January 2017) and public disclosure (January 2018) of the data exfiltration is also worth noting. For one, per Le Monde, this was needed time to address the issue: the African Union purchased new servers in the time since discovering the data exfiltration, and apparently refused Chinese government offers to configure them. Officials at the AU additionally bolstered the encryption of their communications. The type of data exfiltrated and/or the way in which the exfiltration occurred clearly indicated something serious to the African Union, such that it didn’t just stop at replacing the tech. Security experts swept the building and additionally discovered (and removed) bugs planted in desks and walls. (It was not specified to whom these bugs belonged, or if that was known, but the implication in the article seems to be linking this to the server spying.)
But the delay between discovery and public disclosure may also underscore some elements of the relationship between the African Union and the Chinese government. Mailyn Fidler, for instance, argued the fact that “the African Union kept the Chinese surveillance secret for a year after discovering it, suggest[s] that African leaders believed such information, if public, could have explosive consequences for their relationship with China.” And this appears to be a risk — after all, Le Monde’s source was not the African Union itself, but “several” unnamed “internal sources” in the organization that leaked this news to the paper.
Upon publication of the article, the Chinese government denied any such incident occurred. China’s ambassador to the African Union called the Le Monde story “ridiculous and preposterous.” Rather than the expose the truth, he said, this publication was intended to put pressure on the relationship between China and Africa. The new AU chairman, meanwhile (who had just taken the position at the beginning of 2018), denied knowledge of any such event. “I don’t think spying is the specialty of the Chinese. We have spies all over the place in this world. But I will not have been worried about being spied on in this building…I would only have wished that in Africa we had got our act together earlier on. We should have been able to build our own building.”
The information reported by Le Monde was shortly thereafter supplemented by other investigatory work. Financial Times reported its own confirmation of the hack a few days after the initial story broke. While the African Union as an organization declined to officially comment on the story, one African diplomat attending an AU summit told Financial Times that “this is not the sort of thing Africans will entertain and take lightly.” That’s when it got interesting.
Danielle Cave from the Australian Strategic Policy Institute highlighted in July 2018 that Huawei had supplied the bulk of the information and communications technology (ICT) in the AU headquarters: primarily, cloud computing infrastructure. As she quoted from Huawei’s website, “The [Huawei] solution deployed all computing and storage resources in the AU’s central data center where it seamlessly connects to the original IT system. Then, Huawei installed Wi-Fi hotspots and provided the industry’s first Thin Clients (TC) customized with Wi-Fi access.” ZTE had also provided some infrastructure, although not as much as Huawei, and Cave wrote that less public information existed on the ZTE-AU relationship.
Amidst recent controversy around the extent to which Huawei may be involved with, complicit in, or susceptible to having to comply with espionage operations run by the Chinese government, this event has reentered the limelight as possible reason for concern.
Was there evidence of backdoors in the Huawei systems?
First, a quick reminder of important distinctions here: backdoors aren’t normal security vulnerabilities. Backdoors don’t just require the existence of a security flaw, but they also require intent and exploitability. The former, intent, means that the vulnerability exists in the system deliberately; it’s actively placed there so a third party can bypass normal authorization mechanisms for accessing the system. The latter, exploitability, means that there isn’t just a vulnerability in the code that’s sitting there, waiting for somebody to find, but that the actor (a) knows about the vulnerability and (b) has the capability to make use of it.
Together, a deliberately placed vulnerability and the ability to exploit it constitute a backdoor. (If you need more on the differences between vulnerabilities, backdoors, and also bugdoors, read this article my colleague and I wrote on the three, and why conflating them can dangerously mess up one’s risk assessment of the Huawei 5G situation.)
With that distinction in mind — no, there is no evidence of backdoors here, at least publicly. How exactly the data exfiltration occurred remains unknown. Reporting from Le Monde did not provide specifics, and subsequent analyses of this event have remained speculative as to how exactly the hack occurred. Meanwhile, a spokesperson from Huawei recently told the BBC: “If there was a data leak from computers at the AU’s headquarters in Addis that went on for an extended period of time, these data leaks did not originate in technology supplied by Huawei to the AU. What Huawei supplied for the AU project included data centre facilities, but those facilities did not have any storage or data transfer functions.”
Even if one tries to bring in contemporary “evidence” of Huawei backdoors to explain the 2012 AU Headquarters incident, there still actually isn’t any evidence to be presented. The UK’s Huawei Cyber Security Evaluation Center (HCSEC) 2019 report found many vulnerabilities in Huawei systems; the code is full of security holes. But to the earlier point about the need for both intent and exploitability, evidence of vulnerabilities doesn’t equal evidence of backdoors. They’re two different things.
To recap from what my colleague and I wrote on vulnerabilities, backdoors, and bugdoors:
…there exists no public evidence to suggest the known vulnerabilities in Huawei equipment are there to enable backdoors. Of course, just because you haven’t found evidence of intent doesn’t mean there was no intent, or that there’s no evidence to be found. (Think Donald Rumsfeld’s unknown unknowns). But nobody has publicly found evidence of intent yet. Until such time that backdoor or bugdoor evidence is found, then, all we know is that Huawei systems have vulnerabilities.
The same can be said with respect to the data exfiltration from the African Union Headquarters: there exists no public evidence, in any subsequent reporting, to suggest there were in fact backdoors in the Huawei computer systems placed there by Chinese intelligence services.
Le Monde claimed in its original report that backdoors were placed in the Huawei computer systems (des portes numériques dérobées (« backdoors ») qui donnent un accès discret à l’intégralité des échanges et des productions internes de l’organisation). Yet it’s very difficult to distinguish vulnerabilities from backdoors or bugdoors just by looking at the code; human intelligence is often needed to provide evidence of intent. The Le Monde reporting gives no further evidence to this end. As far as I can tell, the claim about backdoors is likely based on allegations from the AU computer scientist — which, barring proof of intent, are likely speculative.
What does this mean for Huawei and 5G?
Despite the current lack of public evidence that backdoors exist in Huawei systems writ large — and the current lack of public evidence that backdoors existed in the African Union Headquarters’ systems — one could argue such evidence is out there. And, recalling unknown unknowns, there very well might be evidence to uncover.
Yet many have pointed out the possibility of no Huawei involvement in the data exfiltration whatsoever, beyond the fact that it supplied the equipment on/through which the incidents occurred. Charles Clancy, a former NSA researcher now at Virginia Tech, recently testified to Congress that “it is unclear that Huawei uniquely enabled this attack, as the People[’]s Liberation Army (PLA) could have put in place advanced persistent threat toolsets without vendor knowledge or cooperation.” It’s also possible the Huawei systems, as the recent UK HCSEC report underscored, were just filled with security vulnerabilities due to poor design — and were thus especially susceptible to being hacked.
As a general comment, we can of course expect multinational organizations to be targets for electronic espionage. Some find this a compelling reason to expect, reasonably, some degree of espionage on the part of the Chinese government. “When you let them build the whole system, of course they are listening in,” one western diplomat told Financial Times of the Chinese government building the AU headquarters. And this point may have held for multiple government intelligence services — for even in this situation, China wasn’t the only one allegedly tapping into communications. Citing documents released by Edward Snowden, Le Monde reported that the UK’s GCHQ had also spied (between 2009 and 2010) on communications from the African Union.
But this is why one’s judgment of whether the incident lends credence to claims of the Chinese government using Huawei to spy comes back to one’s perception of the African Union Headquarters hack in the first place, and one’s general view of the Chinese government.
Is this incident evidence of backdoors in Huawei systems? No. It is evidence of Huawei complicity or involvement in Chinese spying? No. Yet is it reason for suspicion? Perhaps. It depends on your broader calculus around 5G risks. But there’s also just the chance, alongside all this speculation about backdoors and bugdoors, that we’re dealing with the buggy code risk: Huawei code just has a lot of security holes, and Chinese intelligence services are simply exploiting them.
Justin Sherman is a rising senior at Duke University and a cybersecurity policy fellow at New America, where this blog post first appeared.