
Chinese hackers stole information from a variety of parties. Although the targets were rivals or enemies of the Chinese government, that government denies any involvement and says it is investigating the incident.  (Source: LIFE)

The attacks originated from the southwestern Chinese city of Chengdu.  (Source: CJ Report)
Report authors say Chinese government is cooperating to investigate the situation

Cybersecurity researchers at the University of Toronto's Munk School of Global Affairs claim to have discovered a massive campaign of cyberespionage carried out by members of China's underground hacking rings.  The campaign zeroed in on high profile targets in India, including Tibetan exiles and the Indian Defense Ministry.  

The attackers abused social networking, blogging and webmail services such as Twitter, Google Groups and Yahoo Mail as command-and-control infrastructure: compromised computers checked in with accounts on those services for instructions, which in turn pointed them at attack servers in China.  The authors of the study "Shadows in the Cloud" say that the underworld cybercriminals likely stole information to try to make a profit and may have passed information on to the Chinese government.
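As an added illustration, not part of the original article or of the report it describes: when a blog feed or mail group is used as a command channel, the compromised host has to poll the same URL on a timer, and that regularity is visible in a web-proxy log even though the destination is a reputable service. The script below groups proxy requests by (client, URL) and flags pairs whose inter-request gaps are too regular to be a person. The log format, hosts and URLs are constructed for the example; `find_beacons` and `parse_log` are this example's own names.

```python
"""Beacon detection over web-proxy logs (added example, not the report's code).

Scores each (client, url) pair by the coefficient of variation of the gaps
between consecutive requests. A machine polling a blog or mail-group for
instructions produces a low cv; a human browsing the same site does not.
All log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2010-03-01T09:00:02 10.0.0.17 GET http://blogspot.example/feeds/posts/default 200
2010-03-01T09:00:05 10.0.0.23 GET http://news.example/index.html 200
2010-03-01T09:05:01 10.0.0.17 GET http://blogspot.example/feeds/posts/default 200
2010-03-01T09:07:44 10.0.0.23 GET http://news.example/story/1 200
2010-03-01T09:10:03 10.0.0.17 GET http://blogspot.example/feeds/posts/default 200
2010-03-01T09:15:00 10.0.0.17 GET http://blogspot.example/feeds/posts/default 200
2010-03-01T09:18:30 10.0.0.23 GET http://news.example/story/2 200
2010-03-01T09:20:02 10.0.0.17 GET http://blogspot.example/feeds/posts/default 200
2010-03-01T09:25:01 10.0.0.17 GET http://blogspot.example/feeds/posts/default 200
2010-03-01T09:31:10 10.0.0.23 GET http://news.example/index.html 200
"""


def parse_log(text):
    """Yield (timestamp, client, url) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        yield datetime.fromisoformat(ts), client, url


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(client, url): (count, mean_gap_seconds, cv)} for regular pollers.

    cv = population stdev / mean of the gaps between consecutive requests.
    Pairs with fewer than min_requests hits are ignored so that two or three
    coincidental page loads cannot trigger an alert.
    """
    times = defaultdict(list)
    for ts, client, url in parse_log(text):
        times[(client, url)].append(ts)

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[key] = (len(stamps), avg, cv)
    return hits


if __name__ == "__main__":
    for (client, url), (n, avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {url}: {n} requests, every ~{avg:.0f}s (cv={cv:.3f})")
```

On the constructed log this flags 10.0.0.17, which fetches the same feed every five minutes with a few seconds of jitter, and ignores 10.0.0.23, whose browsing is irregular. Legitimate feed readers poll on timers too, so in practice the hit list is a triage queue to be joined against user-agent, process name on the endpoint, or the age and content of the account being polled, not an alert on its own.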

The information stolen from the Indian military includes secret assessments of the security situation in northeastern states bordering Tibet, Bangladesh and Myanmar, as well as insurgencies by Maoists.

On the surface, the Chinese government has pledged a thorough investigation in response to the incident.  Nart Villeneuve of the University of Toronto says, "We did not find any hard evidence that links these attacks to the Chinese government.  We've actually had very healthy co-operation with the Chinese computer emergency response team, who are actively working to understand what we've uncovered and have indicated they will work to deal with this ... It's been a very encouraging development."

A Chinese foreign ministry spokesperson stated, "[Chinese] policy is very clear. We resolutely oppose all internet crime, including hacking."

It seems more than mere coincidence, though, that the attacks targeted Tibet's government in exile and the Dalai Lama, whom China views as enemies.  Last year the Tibetans were hit by a much larger attack, which the University of Toronto researchers dubbed "GhostNet".  Munk School's Ron Deibert says, "The social media clouds of cyberspace we rely upon today have a dark, hidden core. There is a vast subterranean ecosystem to cyberspace within which criminal and espionage networks thrive."

University of Toronto researchers say that most antivirus programs are currently ineffective at preventing attacks that ride on social networks or email services, which were a major source of these compromises.  The researchers suggest stripping attachments from all external email and instead transferring files over a secure channel such as SFTP.
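As an added example, not from the article or from the researchers: the gateway half of that recommendation, written with Python's standard email library. A message whose sender is outside an assumed INTERNAL_DOMAINS set has every part marked Content-Disposition: attachment removed, and a plain-text notice naming the dropped files is appended so the recipient knows to collect them over the out-of-band channel. The domain set, the two messages and the function names (`strip_attachments`, `attachment_names`) are all this example's own.

```python
"""Strip attachments from external e-mail (added example, not the report's code).

A message from outside INTERNAL_DOMAINS loses every MIME part that carries
"Content-Disposition: attachment"; inline text and images survive. Internal
mail is returned untouched. Domains and messages are constructed.
"""
from email import message_from_string, policy
from email.message import MIMEPart
from email.utils import parseaddr

INTERNAL_DOMAINS = {"ministry.example"}  # assumed for the example

# Constructed external message with one Word attachment (body is dummy base64).
RAW_EXTERNAL = """\
From: "Conference Office" <office@conference.example>
To: desk@ministry.example
Subject: Agenda for next week
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached agenda.
--b1
Content-Type: application/msword; name="agenda.doc"
Content-Disposition: attachment; filename="agenda.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""
# Same message as if sent by a colleague inside the organisation.
RAW_INTERNAL = RAW_EXTERNAL.replace(
    'From: "Conference Office" <office@conference.example>',
    "From: colleague@ministry.example", 1)


def is_external(sender_header: str) -> bool:
    """True when the sender's domain is not one we operate ourselves."""
    _name, addr = parseaddr(sender_header)
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def _prune(part, stripped):
    """Recursively drop attachment parts; return False if nothing is left."""
    if not part.is_multipart():
        return True
    kept = []
    for sub in part.get_payload():
        if sub.get_content_disposition() == "attachment":
            stripped.append(sub.get_filename() or "(unnamed)")
        elif _prune(sub, stripped):
            kept.append(sub)
    part.set_payload(kept)
    return bool(kept)


def strip_attachments(raw: str):
    """Parse a raw message; return (message, names of stripped attachments)."""
    msg = message_from_string(raw, policy=policy.default)
    stripped = []
    if not is_external(str(msg.get("From", ""))):
        return msg, stripped            # internal mail passes untouched
    if msg.is_multipart():
        _prune(msg, stripped)
    if stripped:
        notice = MIMEPart()
        notice.set_content(
            "Attachments removed by the mail gateway: " + ", ".join(stripped)
            + "\nAsk the sender to deliver files over the SFTP drop instead.")
        msg.attach(notice)
    return msg, stripped


def attachment_names(msg):
    """Filenames of every part still marked as an attachment."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment"]


if __name__ == "__main__":
    cleaned, dropped = strip_attachments(RAW_EXTERNAL)
    print("stripped:", dropped)
    print(cleaned.as_string())
```

The example keys the decision on the From header for readability; a real gateway must not, because the From header is trivially forged and an attacker will happily claim to be a colleague. Make the external/internal decision on how the message arrived (inbound MX versus authenticated submission from your own users) rather than on anything inside the message.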

The recent attacks affect the U.S. too as the attackers stole private data from visa-seekers to the Indian embassy in Afghanistan and the Indian and Pakistani embassies in the United States.

According to the researchers, IP addresses used in part of the attacks were traced to Chongqing, a large city in southwest China, while addresses in the nearby city of Chengdu were used to control the Yahoo Mail accounts used in the attacks.  Graduates of the University of Electronic Science and Technology of China reportedly owned some of the servers used in the attacks and may have masterminded the entire scheme.

China has been rather friendly to India of late, trying to leverage the issue of global warming to align the South Asian nation against the U.S.  India and China are the world's most populous countries, each with over a billion people.  They are also fast becoming world powers in research and industry.  With that growth have come clashes, both with each other and with the world's current economic leader, the United States.  

China and India's relationship has been damaged by the Chinese occupation of Tibet, a province that borders India.  India and the U.S. have also taken issue with China's censorship policies and with the fact that China does little to stop hackers from attacking foreigners, and in some cases its own citizens.  Because so many of these attacks target political or economic rivals of the government, government involvement seems likely in at least some cases, even though there is no evidence that explicitly proves the government supports the intrusions.


RE: The Picture of the City
By dsx724 on 4/7/2010 9:29:36 AM , Rating: -1
Considering that 90% of Chinese computers are infested with malware, the attacks could have been launched from anywhere in the world. It's astounding they can pinpoint the victims and perpetrators so rapidly. Sounds like more warmongering.

RE: The Picture of the City
By Aloonatic on 4/7/2010 9:53:24 AM , Rating: 2
Apparently we know that the Chinese can make one of these attacks with only 45 minutes notice.

It's true, a Chinese taxi driver told me so.

RE: The Picture of the City
By Yeah on 4/7/2010 10:03:04 AM , Rating: 4
I am sorry but you're an idiot if you think the US 'white hat' community cannot determine where attacks are originating from. Not to mention if you get multiple ISPs to share information, it's even easier to locate where the 'attack' is coming from. Even if there IS malware installed on their PCs, it works both ways.

RE: The Picture of the City
By dsx724 on 4/7/10, Rating: -1
RE: The Picture of the City
By ekv on 4/8/2010 12:45:56 AM , Rating: 3
"unless you set up a trap"
Which, if you read the report [Shadows in the Cloud], is what they did.

How long have the Chinese been cultivating the capability for "independent" hackers to operate with impunity while being essentially proxies for the PRC? It took the team who wrote "Shadows..." a year to investigate. Their "fusion methodology" has been in development for nearly 10 years. They were able to exfiltrate stolen data -- which I find mind-boggling. Suggesting that they not only traced the attack back to origin but recovered stolen data (from multiple victims).

I respond simply because I remember, but I don't have the damn link handy right now, that recently a major DNS exploit was detected where, IIRC, a Google URL was redirected (from all of South America) to a server behind the GFW. Perhaps a coincidence. Or, perhaps another act of Chinese cyber-aggression.

RE: The Picture of the City
By dsx724 on 4/8/2010 12:02:00 PM , Rating: 2
If you read the report, any network engineer or serious hacker will discredit them almost immediately. Most of their "links" are assumptions and correlations they've made and not a raw reflection of the facts they collected. Their methodology is extremely flawed and provides only wishful thinking. If the fusion methodology took 10 years to develop, then they're inept because a junior network engineer can do what they did. They're simply trying to make a paper that will get them on the news (like DT) so that politicians can jump on it and cry foul. If you analyse their results, they manipulated the presentation of data to make it appear cohesive when the data is not. This is warmongering at its best. If all these news reports of Chinese government hackers are based on this report, then truth has fallen victim to the fallacy of the masses.

RE: The Picture of the City
By ekv on 4/8/2010 9:14:18 PM , Rating: 2
Are you making a living in the cyber-security field? [I do not consider IT or web-development to be cyber-security, nor should you]. No? Then why would I trust your word over somebody who is making a living in the field? Somebody who is doing the research, working with a team, making actionable intelligence based on that research, and satisfying consumer requests [... and still making a living]. Somebody, or somebodies, if you will, who just published a public research report that discusses their forensic techniques.

Your statement tells me you skimmed the report. Your statement says you share Obama's insanely irrational anti-America, anti- free market attitude, for whatever reason. I'm saying there is a pattern of behaviour from the PRC. It is not fear-mongering to make such a statement. It is a proven fact -- just ask Google [and ask them how much it cost business-wise]. A fact that you dismiss as "warmongering". Why would you say that? Do you work for Bing, and so you have a vested interest? I'm saying that the kind of cyberattacks on the US "is difficult at best without some type of state sponsorship." [cf. Report_16Oct2009.pdf]

You have given your opinion, however jejune. In reality, if you analyze their results, you would know
1) "... the technical analysis of exploits and malware samples alone only provides one crucial data set."(p.8)

2)"One of our objectives in this report was to explore the broader ecosystem of malware."(p.13)

3) "Mistakes on the part of the attackers allowed us to view the attackers' list of victims at four command and control locations."(p.26)

4) "Drawing these different scenarios and alternative explanations together, the most plausible explanation, and the one supported by the evidence, is that the Shadow network is based out of the PRC by one or more individuals with strong connections to the Chinese criminal underground."(p.40)

5) "As we document above, blog hosting sites, social networking forums and mail groups were turned into support structures and command and control systems for a malignant enterprise. The very same characteristics of those social networking and cloud platforms which make them so attractive to the legitimate user -- reliability, distribution, redundancy and so forth -- were what attracted our attackers to them in setting up their network." (p.44)

"If all these news reports of Chinese government hackers are based on this report..."
Your statement is simply a deliberately misleading fallacy. All news reports? There are a lot of reports. I collect them. Many different sources. The PRC has been implicated over and over....

For the man whose only tool is a hammer, the whole world looks like a nail.

RE: The Picture of the City
By dsx724 on 4/9/2010 12:17:27 AM , Rating: 1
I'm a network engineer by trade. I know most of the tricks in the networking stack as well as the programming tricks on the end systems. Network security, or "cyber security" as you like to call it, is fundamental to network engineering, so I am well-versed. If you want me to tear up Shadows in the Cloud and Tracking GhostNet, read below. I was born in China, lived there 'til I was 7 and was raised in the US. I have no vested interest in China other than to defuse these under-educated nationalist flame wars going on on both sides, even if it's one person at a time. I am also a conservative loving American although you may see that differently.

1) Greg Walton is and has been a China-policy basher since before 2000. He has a history in human rights before he became a security consultant and headed much of the evidence gathering in this report from the Dalai Lama's offices. This raises flags with regard to credibility.

2) The executive summary and Tracking GhostNet STATE that there is no evidence linking the PRC to the attacks. They state that they identified associations and not a single direct link to the actual attackers. The only circumstantial proof provided in the report is that one of the malware distributors is Chinese and a malware server is located in China. Both of these should be expected prerequisites and not exceptions to the rule.

3) The report suggests that the Triad which has significant presence in Chongqing is in bed with officials there but it fails to state that Chinese Leadership has been purging corrupt officials and even senior party members linked with the Triad especially in that city. They just arrested a thousand people including a few dozen officials and three billionaires linked with the Triads in 2009. Great connection, but it doesn't hold.

4) The report has very little in the way of relevant factual information regarding the attacks. Much of it is fluff and pretty pictures used to scare people over the seriousness of malware, botnets, hacking, and retaliatory techniques more than a decade old.

5) The infected computers from different offices had different malware that used different communication strategies, suggesting that the malware was simply targeting a Chinese audience. It can be pulled from any Chinese website via a browser exploit (from visiting Chinese websites) and is probably not from a direct or targeted network intrusion. The malware uses different action language, suggesting that this wasn't an organized effort but rather individual hackers. However, the person who wrote the report suggestively added that the action language is "similar" rather than noting its differences.

6) Contrary to the report, which suggests Shadow is a sophisticated botnet, it uses off-the-shelf components typical of malware found domestically in China. The hackers did not go out of their way to really hide the malware and shield it from attack. The fact that the malware beacons often suggests that this wasn't an organized trojan horse operation. This is radically different in scope from what the authors are hinting at.

7) If you look at the Malicious Documents and Command and Controls section, the last paragraph is a joke. If a piece of malware in 2009 doesn't exploit recent security risks, then wtf is the point? And of course there are rarely tools for recent exploits, because tools are for script kiddies.

8) The funny diagrams that supposedly link the command and control structures don't actually link them LOL.

9) The victim analysis section doesn't add up. They found 43 compromised computers with their DNS catchall but only have 7 IP addresses. That means they only found 7 computers and found the rest of the 36 documents on an open file server previously used. That means that the hacker never protected the server from open access to everything they ever hacked (seriously? that's a stretch). Also, judging by the number of targets in high-security settings, the hacker has a nearly perfect targeting technique, which conflicts with the earlier assessment of the nature of the malware and the botnet size. There would be thousands of documents full of junk and not just an open directory full of goodies.

At this point, I can reasonably conclude that this report is horseshit to grab the media's attention. I have yet to see a legitimate paper or report that actually provides factual evidence (granted this is hard without Chinese ISP assistance). Most of the stories are news agencies building up on each other to see who can come up with the most outlandish headline yet not be liable. It's a massive he-said-she-said. I hope you see that the only time one should pass judgment is when you know the facts, how it works, and can judge for yourself based on the data.

RE: The Picture of the City
By ekv on 4/10/2010 2:34:35 AM , Rating: 2
Ok, thank you for your analysis of "Shadows in the Cloud." While I don't necessarily agree with your conclusions I appreciate the time you spent.

I do agree that network security is fundamental to network engineering, from programming to protocols to the physical layer itself. However, I believe there is a slight nuance between network security and cyber-security. I would suggest that cyber-security takes human factors more into account. For example, political structures and initiatives. The PRC does have a formal information warfare strategy called 'Integrated Network Electronic Warfare' that consolidates the offensive mission for both computer network attack and EW under PLA General Staff Department's 4th Dept. (Electronic Countermeasures)"... (p.6, NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved Report_16Oct2009)

Upon reading and reflecting on your post a couple of times, I keep asking myself 'what are you looking for?' Perhaps it is a cultural difference in regards to what constitutes factual evidence. For example, if Google says they were hacked and then they pull out of China, what does that say? Google in general is not stupid. So to me it says Google has sufficient evidence to suspect government involvement. Evidence to the point of losing billions of dollars. Now, since I'm not a network engineer I don't ask them to show me the ISP data. So who do I trust? Trust is a term I'm sure you're familiar with 8) I know who I trust and I even know why. Even though I don't trust Google in general, I trust them in this specific instance. What I'm really curious about is, are you ignoring this on purpose? Is this an anomalous data point? What evidence would convince you that indeed a hack took place that was sponsored by the PRC?

Keep in mind that ... "[A]ttribution of cyber penetrations and malicious cyber activity is difficult, and even quite sensitive, because if one describes how attribution is achieved, it tells the intruder how to modify its operations and make them more effective." (p.2, Larry M. Wortzel, China's Approach to Cyber Operations)

For instance, your third point mentions a thousand people being arrested, but I cannot find any news articles on this event. In general, at this point, I'd have to trust you on that fact, but you haven't provided evidence or a link, etc. Do you see what I'm driving at?

RE: The Picture of the City
By dsx724 on 4/11/2010 12:16:42 PM , Rating: 2

Google pulled out of China not because of an external hack. There were internal IP theft issues. Chinese employees of Google were stealing the codebase for all of Google's products. Google didn't have much market share to lose but it did have a lot to lose in terms of IP and techniques. The only way to remedy this was to shut down all Chinese operations with regards to search. The hacking is just a justification to cover up what we all know about the disregard by Chinese people of IP. Money makes everything possible in China so any competitor can bribe said Google employees for a price to carry out a theft or open a vulnerability. Google deemed this risk or the number of occurrences too high to continue operations in China since the government is providing no assistance to prosecute those responsible.

My problem with Shadow is that it is a political piece and not a technical piece. Although clearly there is no link to the government of China, it does a lot in the way of attributing the attacks to the government. I am not a supporter of the government but lay blame where it is due. You can't blame the US government for the actions of the KKK.

Most of these points come from contextual information that is too significant to ignore. Unlike Shadows in the Cloud, I have no political goal in looking at the data and the circumstances surrounding this. Cleverly crafted information led to the Iraq War on an unfounded basis. I would hate our foreign policy to be based on stupid reports like these.

Copyright 2016 DailyTech LLC.