The First U.S.-China Cyberwar?

There’s growing coverage of China’s Internet ‘cyberwar’ against the U.S., which seems to have been going on for more than two years with neither side wanting to go public. The U.S. is calling the attacks Titan Rain, and as Bruce Schneier points out, the attackers are very well organized. This from AFP:

A systematic effort by hackers to penetrate US government and industry computer networks stems most likely from the Chinese military, the head of a leading security institute said. The attacks have been traced to the Chinese province of Guangdong, and the techniques used make it appear unlikely to come from any other source than the military, said Alan Paller, the director of the SANS Institute, an education and research organization focusing on cybersecurity. “These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization,” Paller said in a conference call to announce a new cybersecurity education program. In the attacks, Paller said, the perpetrators “were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?”

So what are they after? Paller says they’re after sensitive information, and may have gotten it, including military flight planning software from the Army’s Redstone Arsenal. Here’s a bit more detail about how these guys work, from a TIME story on Shawn Carpenter, the Sandia National Laboratories network security analyst who uncovered the attacks:

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes.

There’s more on Carpenter in his Wikipedia entry, and in coverage of his whistleblowing experience. There’s also an interesting piece by SearchSecurity’s Bill Brenner which looks at an August report by LURHQ dissecting the Myfip worm, which appears to have been used by Chinese hackers to ferret around and grab PDF files. The worm has been around since August 2004. Later variants looked for Word documents, AutoCAD drawings, templates, Microsoft Database files, etc.:

[Joe] Stewart [senior security researcher with Chicago-based security management firm LURHQ Corp] said his team was easily able to trace the source of Myfip and its variants. “They barely make any effort to cover their tracks,” he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the “document collector” hosts, is based there, mostly in the Tianjin province.
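The two descriptions above, the TIME account of the Titan Rain intrusions (bulk-zip documents, ship them out via way stations, leave a beacon, all inside 10 to 30 minutes) and LURHQ’s Myfip write-up (a worm that sweeps up PDF, Word, AutoCAD, template and Access files and mails them to collector hosts), describe the same detectable shape on an endpoint: many document reads, an archive created somewhere unusual, an outbound connection shortly after, and a persistence change. The script below is an added example written for this post, not code from TIME, LURHQ or the blog’s author. Everything in it is constructed for illustration: the `ts|host|kind|detail` event format, the host names, paths and IP addresses (203.0.113.0/24 is a documentation range), the extension lists, and the 20-document and 30-minute thresholds.

```python
"""Correlate endpoint events into a collect / stage / exfiltrate / persist alert.

Added example for this post, not code from TIME, LURHQ or the author. The
event format (ts|host|kind|detail), host names, paths, IP addresses and the
thresholds below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Document types the Myfip variants reportedly harvested: PDF, Word, AutoCAD,
# templates, Access databases. The exact extension list is an assumption.
DOC_EXTS = {".pdf", ".doc", ".dot", ".dwg", ".mdb"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
HIDDEN_DIRS = {"system volume information", "$recycle.bin", "recycler"}
WINDOW = timedelta(minutes=30)   # TIME: "an entire attack took 10 to 30 minutes"
MIN_DOCS = 20                    # assumed threshold for "as many files as possible"


def ext(path):
    """Lower-cased extension of the last path component, '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def hidden_path(path):
    """True if the file sits under a dot-directory or a system directory (assumed list)."""
    parts = path.replace("\\", "/").lower().split("/")[:-1]
    return any(p.startswith(".") or p in HIDDEN_DIRS for p in parts)


def is_external(ip):
    """RFC 1918 space counts as internal; anything else as external (assumption)."""
    return not (ip.startswith("10.") or ip.startswith("192.168.")
                or any(ip.startswith(f"172.{n}.") for n in range(16, 32)))


def parse(line):
    ts, host, kind, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}


def correlate(lines):
    """One alert per archive creation that has MIN_DOCS distinct document reads in the
    WINDOW before it and an external connection in the WINDOW after it, same host."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for ev in events:
            if ev["kind"] != "file_create" or ext(ev["detail"]) not in ARCHIVE_EXTS:
                continue
            t0 = ev["ts"]
            before = [e for e in events if t0 - WINDOW <= e["ts"] <= t0]
            after = [e for e in events if t0 <= e["ts"] <= t0 + WINDOW]
            docs = {e["detail"] for e in before
                    if e["kind"] == "file_read" and ext(e["detail"]) in DOC_EXTS}
            exfil = [e["detail"] for e in after
                     if e["kind"] == "net_connect" and is_external(e["detail"].split(":")[0])]
            persist = [e["detail"] for e in after if e["kind"] == "persist"]
            if len(docs) >= MIN_DOCS and exfil:
                alerts.append({
                    "host": host, "archive": ev["detail"], "docs": len(docs),
                    "hidden_stage": hidden_path(ev["detail"]),
                    "exfil_to": exfil, "persistence": persist,
                })
    return alerts


# Constructed sample telemetry, not real logs. ws-eng-01 shows the full pattern;
# ws-hr-02 zips two documents and sends them to an internal file server.
SAMPLE_EVENTS = (
    [f"2005-08-20T02:{i:02d}:00|ws-eng-01|file_read|C:\\Projects\\flight\\plan{i}.pdf"
     for i in range(25)]
    + ["2005-08-20T02:26:00|ws-eng-01|file_create|C:\\System Volume Information\\_restore\\d.zip",
       "2005-08-20T02:28:00|ws-eng-01|net_connect|203.0.113.7:443",
       "2005-08-20T02:29:00|ws-eng-01|persist|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32",
       "2005-08-20T03:00:00|ws-hr-02|file_read|C:\\HR\\policy.doc",
       "2005-08-20T03:01:00|ws-hr-02|file_read|C:\\HR\\handbook.pdf",
       "2005-08-20T03:02:00|ws-hr-02|file_create|C:\\HR\\bundle.zip",
       "2005-08-20T03:03:00|ws-hr-02|net_connect|10.0.0.5:445"]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample it raises one alert, for ws-eng-01, with `hidden_stage` set because the archive was dropped under `System Volume Information`, and stays quiet for the HR workstation. The point is the correlation, not any single signal: a zip file, an HTTPS connection or a new Run key is unremarkable on its own, and the TIME account makes clear the operators left little else behind, so the staged sequence within a short window is what a detection team has to key on.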

China, according to AFP, yesterday denied its military was involved in hacking:

“We have clear stipulations against hacking. No one can use the internet to engage in illegal activities,” foreign ministry spokesman Qin Gang told a regular briefing on Tuesday. “The Chinese police will deal with hacking and other activities disturbing social order in accordance with law.”

Doesn’t make a lot of sense as a denial. Is he saying no one is doing it? Or no one official? Or that it’s going on and the police will deal with it? Not the first time a Chinese spokesman has uttered something meaningless. But I guess so long as the U.S. doesn’t make any official, public complaint, this guerrilla war will remain unacknowledged by both sides. I guess the obvious lesson here is that security is not just about sleazeballs after your money, but about people after your PDF files too. And don’t think that because you’re not military you’re not affected. If you’re any kind of company you might have something that is valuable in the corporate and government espionage world.

14. December 2005 by jeremy
Categories: datawars, Malware, Phishing, Scams, Security | 4 comments

Comments (4)

  1. If the Chinese military is pursuing a covert cyberwar, it would be consistent with previous evidence:

    Peter Warshall wrote an essay on the subject in one of the final issues of the Whole Earth Review in 2002, under the headline “A Chinese View on Warfare in the Twenty-First Century”, drawn from a recent book by senior Chinese military officers published by the People’s Liberation Army. Warshall writes that the book includes “‘beyond-limits, combined warfare’ that developing countries could employ to compensate for their military inferiority vis-à-vis the United States during high tech war . . . the book gives insights into what warfare will become, and how . . . regards itself and the US.”

    The Whole Earth article is extremely provocative, and available online here:

    http://www.looksmarthowto.com/p/articles/mi_m0GER/is_2002_Fall/ai_93135759

    The complete book in .pdf form, Unrestricted Warfare (1999, Peoples Liberation Army Literature and Arts Publishing House, Beijing) is also available for download online at

    http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf

    Mike Liebhold
    Senior Researcher
    Institute for the Future
    http://www.iftf.org

  2. I saw the former chief strategist of Netscape at the SECTOR conference and he presented on the cyber war threat. I had worked with Kevin Coleman before, but his presentation really impacted me. His inventory of cyber weapons included DEWs, TEDs, and self-morphing/self-encrypting malicious code. We are in serious trouble. Hackers of the world should unite and hit any country that launches a cyber attack!

  3. For about a year now the former Chief Strategist of Netscape has been warning everyone through his articles that this was a huge threat, and he actually identified several strategies and tactics that, if used, would compromise the information infrastructure in the U.S. and globally. Why is it our intelligence services are just waking up to this threat? Why is it throughout history we ignore or dismiss the experts until it is too late! I just did a Google search (Kevin Coleman Cyber Attack) and found over 13,000 references. With that much intelligence we should be much further along in protecting and defending against cyber attacks than we are today!