the mundane face of evil: Chinese state-sponsored hackers
February 14, 2013 4:38 PM

A new report, the National Intelligence Estimate, released by the US Office of the Director of National Intelligence "represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of [China-based] hacking over the past five years, including energy, finance, information technology, aerospace and automotive." One face of Chinese state-sponsored hackers profiled by Bloomberg Business Week is Zhang Changhe, an instructor at the People's Liberation Army Information Engineering University in Zhengzhou.

Zhang was uncovered by Joe Stewart, Director of Malware Research, Dell SecureWorks Counter Threat Unit Research Team in a February 2012 report titled The Sin Digoo Affair, looking at hacking from one China-based source. An India-based security consultant advanced on Stewart's research in blog posts Chinese Threat Actor Part 2, and Chinese Threat Actor Part 3 further developing the case against Zhang.

This is in line with public television coverage of hacking in China from the same institution as detailed by the Epoch Times in Slip-Up in Chinese Military TV Show Reveals More Than Intended.

Security expert Bruce Schneier does not believe that most of these Chinese hackers are connected to the Chinese military, "they're more like a non-state actor."
posted by gen (11 comments total) 10 users marked this as a favorite

Welcome to the Malware-Industrial Complex
- The U.S. government is developing new computer weapons and driving a black market in “zero-day” bugs. The result could be a more dangerous Web for everyone.
posted by gen at 5:11 PM on February 14, 2013

It should be noted that the Epoch Times, an organ of Falun Gong, has an axe to grind with the Chinese government. Bruce Schneier has had interesting things to say about U.S. politicians and media playing the ZOMG CHINESE HACKERS scare card to further pet agendas.

I often wonder if most of these alleged Chinese attacks have much depth to them. Every machine on the internet is being constantly bombarded by script kiddies. For example, from the last few days of my server logs:

Feb 15 01:47:28 hostname sshd[26919]: Failed password for root from port 45347 ssh2

A Chinese IP address. OMG CHINA IS TRYING TO HACK ME!

- - [13/Feb/2013:05:51:21 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&action HTTP/1.1" 404 344 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0"

Oh shit, Taiwan is attacking me too.

Feb 10 16:45:45 hostname sshd[4523]: Failed password for root from port 47305 ssh2

Et tu, Thailand?!

Feb 11 01:33:42 hostname sshd[6228]: Failed password for invalid user a from port 58493 ssh2

Athens University?!
posted by qxntpqbbbqxl at 7:21 PM on February 14, 2013 [4 favorites]
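The point of the log excerpts above is that single failed logins from any country are background noise, not evidence of a targeted campaign. The following is an added example (not code from the thread or from any of its posters) that parses sshd "Failed password" lines of the same shape, aggregates them per source address, and flags sources that look like automated password guessing. The log lines and the IP addresses in it are constructed (RFC 5737 documentation ranges), and the threshold of three attempts is an assumption you would tune for your own host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth-log lines in the same format as the thread's excerpts.
# The addresses are RFC 5737 documentation addresses, not real attacker sources.
SAMPLE_AUTH_LOG = """\
Feb 15 01:47:28 hostname sshd[26919]: Failed password for root from 203.0.113.5 port 45347 ssh2
Feb 15 01:47:31 hostname sshd[26921]: Failed password for root from 203.0.113.5 port 45351 ssh2
Feb 15 01:47:34 hostname sshd[26923]: Failed password for admin from 203.0.113.5 port 45355 ssh2
Feb 10 16:45:45 hostname sshd[4523]: Failed password for root from 198.51.100.7 port 47305 ssh2
Feb 11 01:33:42 hostname sshd[6228]: Failed password for invalid user a from 192.0.2.9 port 58493 ssh2
Feb 11 01:33:45 hostname sshd[6230]: Failed password for invalid user admin from 192.0.2.9 port 58497 ssh2
Feb 11 01:33:48 hostname sshd[6232]: Failed password for invalid user test from 192.0.2.9 port 58501 ssh2
Feb 11 01:33:51 hostname sshd[6234]: Failed password for invalid user oracle from 192.0.2.9 port 58505 ssh2
Feb 12 09:12:00 hostname sshd[7001]: Accepted publickey for deploy from 203.0.113.50 port 50010 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user a from ...", capturing user, source IP and port.
FAILED_LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(log_text):
    """Return one event dict per sshd failed-password line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.search(line)
        if m:
            events.append({"user": m["user"], "ip": m["ip"], "port": int(m["port"])})
    return events


def summarize_by_source(events):
    """Aggregate failed attempts per source IP, keeping the set of usernames tried."""
    attempts = Counter()
    users = defaultdict(set)
    for e in events:
        attempts[e["ip"]] += 1
        users[e["ip"]].add(e["user"])
    return {ip: {"attempts": n, "users": sorted(users[ip])} for ip, n in attempts.items()}


def flag_brute_force(summary, min_attempts=3):
    """Sources at or above the threshold are treated as automated guessing (assumed threshold)."""
    return sorted(ip for ip, s in summary.items() if s["attempts"] >= min_attempts)


if __name__ == "__main__":
    summary = summarize_by_source(parse_failed_logins(SAMPLE_AUTH_LOG))
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:16} attempts={s['attempts']:3} users={','.join(s['users'])}")
    print("likely automated guessing:", flag_brute_force(summary))
```

A source that cycles through root, admin, test and oracle within seconds is a scanner, wherever its address geolocates; the useful response is key-only authentication and rate limiting, not attribution.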

Am I the only person noting the upswing of news reporting about the evil cybercrime 31337 haxxorz that's been popping up w more frequency lately?
posted by xcasex at 10:00 PM on February 14, 2013

Epoch Times may have a bone to pick with Beijing, but it's not just anti-China news outlets or organizations saying that China is undertaking a huge cyber-espionage effort.

We're emphatically not talking random probing of your firewall. We are talking custom-written malware to exploit zero-day vulnerabilities in common programs. We are talking a huge amount of research to identify who to best target, and how to best trick that target into opening booby-trapped attachments or visiting compromised websites. Or substantial work to plant drive-by installs in commonly used and trusted websites.

Targets are tricked into installing malware that then downloads and installs additional programs to completely take remote control over his/her computer. Not only that, but those programs will escalate privileges and begin to probe the local network, slowly spreading within the target company/organization. We are talking months and months of silently exfiltrating data from compromised systems, including keyboard logs and pictures from the attached webcams, sending massive amounts of data to external command and control servers.

It is the command and control infrastructure from these types of operations that point towards China. Despite obfuscating tricks, the ultimate destination for this data is in China. There are several groups of attackers, all with different MOs - some of whom only connect to the C&C servers and do work from 8-5 Beijing time during the week - which seems rather odd if they are just some random script kiddies or "Patriotic Hackers."

And the reason that it's been covered a lot more in the news is because people are waking up to this happening, including the media. It's been going on for a long while, but it's been ramping up lately as well. Now finally everyone is taking it seriously, including the U.S. government. That makes news - particularly when those same news organizations suddenly realize that they are a target...
posted by gemmy at 10:10 PM on February 14, 2013 [4 favorites]
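The "8-5 Beijing time during the week" observation above is a timing heuristic that incident responders actually compute from C&C beacon timestamps. The following is an added example (not code from the thread or from any poster) that takes beacon times recorded in UTC, shifts them into several candidate time zones, and reports what fraction of activity falls inside a Monday-to-Friday 08:00-17:00 window in each. The beacon timestamps, the candidate zones and the working-hours window are all constructed assumptions; fixed UTC offsets are used instead of named zones so it runs without tz data.

```python
from datetime import datetime, timedelta, timezone

# Constructed beacon timestamps (UTC) from a hypothetical compromised host; not real data.
# Feb 18, 2013 is a Monday; Feb 23 is a Saturday.
BEACONS_UTC = [
    datetime(2013, 2, 18, 0, 30, tzinfo=timezone.utc),
    datetime(2013, 2, 18, 3, 15, tzinfo=timezone.utc),
    datetime(2013, 2, 18, 8, 40, tzinfo=timezone.utc),
    datetime(2013, 2, 19, 1, 5, tzinfo=timezone.utc),
    datetime(2013, 2, 19, 5, 50, tzinfo=timezone.utc),
    datetime(2013, 2, 20, 2, 20, tzinfo=timezone.utc),
    datetime(2013, 2, 21, 7, 30, tzinfo=timezone.utc),
    datetime(2013, 2, 22, 4, 0, tzinfo=timezone.utc),
    datetime(2013, 2, 22, 14, 0, tzinfo=timezone.utc),
    datetime(2013, 2, 23, 3, 0, tzinfo=timezone.utc),
]

# Candidate operator locations as fixed UTC offsets (assumed; no DST handling).
CANDIDATE_OFFSETS = {
    "UTC+8 (Beijing)": 8,
    "UTC (London, winter)": 0,
    "UTC-5 (US Eastern, winter)": -5,
}


def working_hours_fraction(beacons_utc, utc_offset_hours, start_hour=8, end_hour=17):
    """Fraction of beacons that land on a weekday between start_hour and end_hour local time."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    in_hours = 0
    for ts in beacons_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_hours += 1
    return in_hours / len(beacons_utc)


def local_hour_histogram(beacons_utc, utc_offset_hours):
    """Count of beacons per local hour of day, useful for eyeballing a 'workday' shape."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = [0] * 24
    for ts in beacons_utc:
        hist[ts.astimezone(tz).hour] += 1
    return hist


def rank_candidates(beacons_utc, candidates=CANDIDATE_OFFSETS):
    """Candidate zones ordered by how well the beacons fit a weekday 8-5 schedule there."""
    scored = [(name, working_hours_fraction(beacons_utc, off)) for name, off in candidates.items()]
    return sorted(scored, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for name, frac in rank_candidates(BEACONS_UTC):
        print(f"{name:28} {frac:.0%} of beacons in weekday 08:00-17:00")
    print("local-hour histogram at UTC+8:", local_hour_histogram(BEACONS_UTC, 8))
```

A strong fit to one zone's business hours is corroborating evidence, not proof: an operator can work odd hours or schedule implants to beacon on a timer, so this belongs alongside infrastructure, tooling and language artefacts rather than on its own.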

It's lucky the US gov isn't doing anything like this, otherwise I wouldn't be sure who has the mundane evil face.
posted by bystander at 11:01 PM on February 14, 2013 [1 favorite]

What's weird to me is not that attackers from China are doing this, it's a) that (some) are doing it so clumsily and broadly that they're getting detected, and b) their government seems to tolerate these clumsy and broad attacks that both have a diplomatic and an economic cost to China, as well as an opportunity cost (the ham-fisted, detected attacks cause potential targets to be more conscientious about security).
posted by zippy at 12:54 AM on February 15, 2013

The comment from gemmy is spot on about the nature of these attacks and why they need to be taken seriously. Spear attacks are quite different from roving scripts. They require someone with talent and patience to succeed.

Any statements about whether it is state-sponsored are mostly speculation though. China isn't going to be stupid enough to set up a Ministry of Hacking or leave a clear trace of this activity pointing to official sources. The only thing one can do is to remain vigilant.

An excellent article on ACM I read this week has a very good summary of the state of phishing attacks. While not directly addressing the threat mentioned here it does touch upon it and gives a good overview. I find particularly the psychological aspects interesting because if you can detect when someone is tapping into your greed, sense of urgency or asking you to trust a known connection it can help immensely to not be trapped.

Of course, the best protection may be to live a boring life where you are not responsible for any intellectual assets. :)
posted by dgran at 7:20 AM on February 15, 2013

Gemmy is right of course; there are unique and interesting angles to the Chinese hacking. My post above is mostly a reaction to the breathless hysteria that accompanies the way it's reported. Of course there are Chinese hackers playing at industrial and media espionage; this shouldn't really be a surprise to anybody. I'm sure our government is doing the same thing to anybody associated with Wikileaks, and then there's Stuxnet...
posted by qxntpqbbbqxl at 7:27 AM on February 15, 2013

An excellent article on ACM I read this week

...written by MetaFilter's own jasonhong.
posted by Riki tiki at 8:54 AM on February 15, 2013

Exposing One Of China’s Cyber Espionage Units
Report from American computer security company detailing long investigation into Chinese hacking group called here "APT1", the most prolific of at least 20 such groups. Leaves little or no doubt that APT1 is a unit of the Chinese army, active since 2006, primarily engaged in stealing data from US companies in strategic industries (PDF)
posted by the man of twists and turns at 5:40 AM on February 19, 2013

NY Times: China's Army Is Seen As Tied To Hacking Against US
An unusually detailed 60-page study, to be released Tuesday by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.

“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
posted by the man of twists and turns at 6:51 AM on February 19, 2013 [1 favorite]
