backtop


Print 26 comment(s) - last by dsx724.. on Apr 11 at 12:16 PM


Chinese hackers stole information from a variety of parties. While the attacks related to rivals or enemies of the government, the Chinese government claims not to have been involved and says its investigating the incident.  (Source: LIFE)

The attacks originated from the Southern China city of Chengdu.  (Source: CJ Report)
Report authors say Chinese government is cooperating to investigate the situation

Cybersecurity researchers at the University of Toronto's Munk School of Global Affairs claim to have discovered a massive campaign of cyberespionage carried out by members of China's underground hacking rings.  The campaign zeroed in on high profile targets in India, including Tibetan exiles and the Indian Defense Ministry.  

The attackers used attacks on social networking, blogging, and email services, such as Twitter, Google Groups, and Yahoo Mail to gain access to individual computers, forcing them to communicate with attack servers in China.  The authors of the study "Shadows in the Clouds" say that the underworld cybercriminals likely stole information to try to make a profit and may have passed information on to the Chinese government.

The information stolen from the Indian military includes secret assessments of the security situation in northeastern states bordering Tibet, Bangladesh and Myanmar, as well as insurgencies by Maoists.

On the surface, the Chinese government has pledged a thorough investigation in response to the incident.  Describes Nart Villeneuve at the University of Toronto, "We did not find any hard evidence that links these attacks to the Chinese government.  We've actually had very healthy co-operation with the Chinese computer emergency response team, who are actively working to understand what we've uncovered and have indicated they will work to deal with this ... It's been a very encouraging development."

A Chinese foreign ministry spokesperson stated, "[Chinese] policy is very clear. We resolutely oppose all internet crime, including hacking."

It seems more than mere coincidence, though, that the attacks targeted Tibet's government in exile and Dalai Lama, whom China views as enemies.  Last year the Tibetans were hit by a much larger attack, which the University of Toronto researchers dubbed "GhostNet".  Describes Munk School's Ron Diebert, "The social media clouds of cyberspace we rely upon today have a dark, hidden core, There is a vast subterranean ecosystem to cyberspace within which criminal and espionage networks thrive."

University of Toronto researchers say that most antivirus programs are currently ineffective in preventing attacks on social networks or email services, which were a major source of these compromises.  The researchers suggest stripping attachments from all external email and instead transferring files over a secure channel like SFTP.

The recent attacks affect the U.S. too as the attackers stole private data from visa-seekers to the Indian embassy in Afghanistan and the Indian and Pakistani embassies in the United States.

According to researchers, the IP's used in part of the attacks were traced to Chongqing, a large city in southwest China, while addresses in the nearby city of Chengdu were used to control Yahoo Mail accounts used in the attacks.  Graduates of the University of Electronic Science and Technology of China reportedly owned some of the servers used in the attacks and may have masterminded the entire scheme.

China has been rather friendly to India of late, trying to leverage the issue of global warming to align the south Asian nation against the U.S.  India and China are the world's most populous countries, each with over a billion people.  They also are fast becoming world superpowers in research and industry.  With that growth has come clashes, both between each other and between the world's current economic leader, the United States.  

China and India's relationship has been damaged by the Chinese occupation of Tibet, a small province that borders India.  India and the U.S. have also taken issue to China's censorship policies and with the fact that China does little to stop hackers from attacking foreigners, and in some cases its own citizens.  As many of these attacks target political or economic rivals of the government, there seems to be government involvement in some cases, even if there's no evidence to explicitly prove that the government is supporting the cyberintrusions.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: The Picture of the City
By dsx724 on 4/9/2010 12:17:27 AM , Rating: 1
I'm a network engineer by trade. I know most of the tricks in the networking stack as well as the programming tricks on the end systems. Network security or "cyber security" as you like to call it, is fundamental to network engineering so I am well-versed. If you want me to tear up Shadows in the Cloud and Tracking GhostNet, read below. I was born in China, lived there til I was 7 and raised in the US. I have no vested interest in China other than to defuse these under-educated nationalist flame wars going on in both sides even if its one person at a time. I am also a conservative loving American although you may see that differently.

1) Greg Walton is and has been a China-policy basher before 2000. He has a history in human rights before he became a security consultant and headed much of the evidence gathering in this report from Dalai Lama's offices. This raises flags with regards of credibility.

2) The executive summery and Tracking GhostNET STATES that it has no evidence linking the PRC to the attacks. It states that it identified associations and not a single direct link to the actual attackers. The only circumstantial proof provided in the report that one of the malware distributors is Chinese and a malware server is located in China. Both of these should be expected prerequisites and not exceptions to rule.

3) The report suggests that the Triad which has significant presence in Chongqing is in bed with officials there but it fails to state that Chinese Leadership has been purging corrupt officials and even senior party members linked with the Triad especially in that city. They just arrested a thousand people including a few dozen officials and three billionaires linked with the Triads in 2009. Great connection, but it doesn't hold.

4) The report has very little in the way of relevant factual information regarding the attacks. Much of it is fluff and pretty pictures used to scare people over the seriousness of malware, botnets, hacking, and retaliatory techniques more than a decade old.

5) The infected computers from different offices had different malwares that used different communication strategies suggesting that the malware was simply targeting a Chinese audience. They can be pulled from any Chinese website via a browser exploit (from visiting Chinese websites) and is probably not from a direct or targeted network intrusion. The malwares use different action language suggesting that this wasn't an organized effort but rather individual hackers. However, the person that wrote the report suggestively added the action language is "similar" rather than noting its difference.

6) Contrary to the report that suggests Shadow is a sophisticated botnet, it uses off the shelf components typical of malware found domestically in China. The hackers did not go out of their way to really hide the malware and shield it from attack. The fact that the malware beacons often suggest that this wasn't a organized trojan horse operation. This is radically different in scope than what the authors are hinting at.

7) If you look at Malicious Documents and Command and Controls section, the last paragraph is joke. If a piece of malware in 2009 doesn't exploit recent security risks, then wtf is the point? And of course there are rarely tools for recent exploits because tools are for script kiddies.

8) The funny diagrams that supposedly link the command and control structures don't actually link them LOL.

9) The victim analysis section doesn't add up. They found 43 compromised computers with their DNS catchall but only have 7 IP addresses. That means they only found 7 computers and found the rest of the 36 documents on an open file server previous used. That means that the hacker never protected the server from open access of everything they ever hacked(seriously? thats a stretch). Also judging by the number of targets in high security settings, the hacker has nearly perfect targeting technique which conflicts with the earlier assessment of the nature of the malware and the botnet size. There would be thousands of documents full of junk and not just an open directory full of goodies.

At this point, I can reasonably conclude that this report is horseshit to grab the media's attention. I have yet to see a legitimate paper or report that actually provides factual evidence (granted this is hard without Chinese ISP assistance). Most of the stories are news agencies building up on each other to see who can come up with the most outlandish headline yet not be liable. Its a massive he said she said. I hope you see that the only time one should pass judgement is when you know the facts, how it works, and can judge for yourself based on the data.


RE: The Picture of the City
By ekv on 4/10/2010 2:34:35 AM , Rating: 2
Ok, thank you for your analysis of "Shadows in the Cloud." While I don't necessarily agree with your conclusions I appreciate the time you spent.

I do agree that network security is fundamental to network engineering, from programming to protocols to the physical layer itself. However, I believe there is a slight nuance tween network security and cyber-security. I would suggest that cyber-security takes human factors more into account. For example, political structures and initiatives. The PRC does have a formal information warfare strategy called 'Integrated Network Electronic Warfare' that consolidates the offensive mission for both computer network attack and EW under PLA General Staff Department's 4th Dept. (Electronic Countermeasures)"... (p.6, NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved Report_16Oct2009)

Upon reading and reflecting on your post a couple times, I keep asking myself 'what are you looking for?' Perhaps it is a cultural difference in regards to what constitutes factual evidence. For example, if Google says they were hacked and then they pull out of China, what does that say? Google in general is not stupid. So to me it says Google has sufficient evidence to suspect government involvement. Evidence to the point of losing billions of dollars. Now, since I'm not a network engineer I don't ask them to show me the ISP data. So who do I trust? Trust is a term I'm sure you're familiar with 8) I know who I trust and I even know why. Even though I don't trust Google in general, I trust them in this specific instance. What I'm really curious about is, are you ignoring this on purpose? Is this an anomalous data point? what evidence would convince you that indeed a hack took place that was sponsored by the PRC?

Keep in mind that ... "[A]ttribution of cyber penetrations and malicious cyber activity is difficult, and even quite sensitive, because if one describes how attribution is achieved, it tells the intruder how to modify its operations and make them more effective." (p.2, Larry M. Wortzel, China's Approach to Cyber Operations)

For instance, you're 3rd point mentions a thousand people being arrested, but I cannot find any news articles on this event. In general, at this point, I'd have to trust you on that fact, but you haven't provided evidence or a link, etc. Do you see what I'm driving at?


RE: The Picture of the City
By dsx724 on 4/11/2010 12:16:42 PM , Rating: 2
Triad
http://www.atimes.com/atimes/China/KK18Ad01.html

Google pulled out of China not because of external hack. There were internal IP theft issues. Chinese employees of Google were stealing codebase for all of Google products. Google didn't have much market share to lose but it did have a lot to lose in terms of IP and techniques. The only way to remedy this was to shut down all Chinese operations with regards to search. The hacking is just a justification to cover up what we all know about the disregard by Chinese people of IP. Money makes everything possible in China so any competitor can bribe said Google employees for a price to carry out a theft or open a vulnerability. Google deemed this risk or the number of occurrences too high to continue operations in China since government is providing no assistance to prosecute those responsible.

My problem with Shadow is that it is a political piece and not a technical piece. Although clearly there is no link to the government of China, it does a lot in the way of attributing the attacks to the government. I am not a supporter of the government but lay blame where it is due. You can't blame the US government for the actions of the KKK.

Most of these points come from contextual information that are too significant to ignore. Unlike Shadow in the Cloud, I have no political goal in looking at the data and the circumstances surrounding this. Cleverly crafted information lead to the Iraq War on an unfound basis. I would hate our foreign policy to be based on stupid reports like these.


"So, I think the same thing of the music industry. They can't say that they're losing money, you know what I'm saying. They just probably don't have the same surplus that they had." -- Wu-Tang Clan founder RZA














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki