CHINESE HACKING NETWORKS, THEIR METHODS AND COMBATING CHINESE HACKERS

WHO IS BEHIND CHINA'S INTERNET ATTACKS

Many security experts who study China believe the government is being fed information by a loose and shadowy network that includes the hacker community, organized crime and other parts of government, including security agencies and the People's Liberation Army (PLA). “The sheer amount of energy and resources the Chinese government has thrown at this is enormous,” says Lhadon Tethong, director of the Canada-based Tibet Action Institute. [Source: Paul Mooney, South China Morning Post, September 26, 2010]

Greg Walton, an independent cyber security researcher based in Britain, believes the attacks are the work of several groups of players. He points to Chongqing, where there is a concentration of internet espionage command and control centers, as an example. “Chongqing is interesting in that it's like a nexus of organized crime, the party, a big computer-hacking scene and all sorts of PLA installations,” he says. “It's a combination of many forces that do these attacks. It's not a secret that the data is ending up with the state. Any other explanation is improbable.”

Experts say the spying is highly organized and professional, with some hackers working in shifts, even making note of when targets are having lunch or taking breaks. It is also likely that many hackers are working independently and some targets are being compromised by more than one malware group, says Nart Villeneuve, a researcher at the Information Warfare Monitor (IWM), whose members include the Citizen Lab, Munk School of Global Affairs, the University of Toronto and the SecDev Group, a security consultancy based in Canada.

Walton says patriotic hackers are probably selling information to the government, providing it with “another layer of deniability”. Since 2009, IWM has published two reports on cyber-espionage networks: “Tracking GhostNet: Investigating a Cyber Espionage Network” and “Shadows in the Cloud: An investigation into cyber espionage 2.0.”

A Few Hacker Teams Do Most China-based Data Theft

In December 2011 AP reported: “As few as 12 different Chinese groups, largely backed or directed by the government there, commit the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts. [Source: Lolita Baldor, Associated Press, December 12, 2011]

Sketched out by analysts who have worked with U.S. companies and the government on computer intrusions, the details illuminate recent claims by American intelligence officials about the escalating cyber threat emanating from China. And the widening expanse of targets, coupled with the expensive and sensitive technologies they are losing, is putting increased pressure on the U.S. to take a much harder stand against the communist giant.

Cyberattacks originating in China have been a problem for years, but until a decade or so ago analysts said the probes focused mainly on the U.S. government — a generally acknowledged intelligence gathering activity similar to Americans and Russians spying on each other during the Cold War. But in the last 10 to 15 years, the attacks have gradually broadened to target defense companies, then other critical industries, including energy and finance.

GhostNet

GhostNet is the name investigators have given to a network of more than 1,200 compromised computers in 103 countries, including foreign affairs ministries, embassies, international organizations, news organizations and a computer in the headquarters of NATO. The network's command and control center appears to be on Hainan Island, home of the Lingshui signals intelligence facility and the Third Department of the PLA. [Source: Paul Mooney, South China Morning Post, September 26, 2010]

In September and October 2008, IWM investigated alleged cyber espionage on the computer systems in various offices related to the work of the Tibet government in exile and other Tibetan groups. These included the Office of His Holiness the Dalai Lama, in Dharamsala, India, organizations in the United States, Britain, France, Belgium and Switzerland, and the office of Drewla, an NGO which runs an online outreach project that uses young Chinese-speaking Tibetans to talk with people in the mainland about the situation in Tibet.

The GhostNet report said some 70 per cent of the control servers behind the attacks on Tibetan organizations were located on IP addresses assigned to the mainland. The team traced the attacks to hackers apparently in Chengdu, which is also the location of one of the PLA's technical reconnaissance bureaus charged with signals intelligence collection. Researchers said one hacker, who used the cyber name “lost33”, had attended the University of Electronic Science and Technology of China, which publishes manuals on hacking and offers courses on network attack and defense security.

The authors said an anomaly was detected when analyzing traffic from the offices of the Tibet government in exile: computers in Dharamsala were checking in with a command and control server situated in Chongqing, a city with a high concentration of gangs said to have ties to the government and which have extended their traditional criminal activities to include cyber crime.

While Walton admits no direct link to the central government has been detected, he does not seem to have any doubts about who is behind the attacks. “Some people shy away from saying it's the state,” he says, “but there's a growing body of evidence. My own feeling is that sooner or later someone will be able to prove it.”

Chinese Cyber Espionage Network

Canadian researchers have uncovered an internet spy network, based almost exclusively in China, that has hacked into computers owned by governments and private organizations in 103 countries. The findings follow a 10-month investigation by researchers from the Ottawa-based think tank SecDev Group and the Munk Center for International Studies at the University of Toronto. Once the hackers infiltrated the systems, they installed malware — software that sends and receives data. By doing this, they were able to gain control of the electronic mail server computers of the Dalai Lama’s organization, the group said. The researchers said the spy network, dubbed GhostNet, infiltrated at least 1,295 computers, many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York. “Significantly, close to 30 per cent of the infected computers can be considered high-value and include the ministries of foreign affairs in Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan,” the researchers said. Other compromised computers were discovered at embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan.

Time magazine’s Simon Elegant interviewed a group of hackers in Chengdu, Sichuan believed to be behind some of the attacks. The group, known as NCPH (Network Crack Program Hacker), is made up of members who don’t reveal their real names and instead go by online names like Firestarter, Floorsweeper and Plumber. Elegant met them in a Chengdu hotpot restaurant, where they downed large amounts of beer, and described them as “in their early 20s, rail thin with the prison pallor acquired from long nights spent hunched over monitors.”

NCPH was discovered at a military-sponsored hacking competition, with one member earning over $4,000 in prizes, and has made a name for itself producing hacking programs that can be downloaded free on the Internet. These programs, often referred to as Trojans, allow users to take over other computers and download information from them.

The PLA periodically holds hacking competitions with large cash prizes to discover new talent. Advertisements for the contests are run in local newspapers. Winners are given a month of intense training at provincial command posts, including simulated attacks, advice on designing hacking programs and network-infiltration strategies. A Pentagon military analyst told The Times of London, “These guys are very good.”

According to two reports by iDefense, a California-based Internet security firm, the Chengdu group “launched a barrage of attacks against multiple U.S. government agencies...The result of all this activity is that the NCPH group siphoned thousands — if not millions — of unclassified U.S. documents back to China.” The iDefense report concluded that NCPH was almost certainly receiving some support from the Chinese armed forces and that “more likely hundreds of these groups exist in China.”

Shadow Network and Privateering Model in China

The “Shadows in the Cloud” report, which Walton contributed to, points to the existence of a vibrant hacker community in the mainland “that has been tied to targeted attacks in the past and has been linked, through informal channels, to elements of the Chinese state, although the nature and extent of the connections remains unclear.” [Source: Paul Mooney, South China Morning Post, September 26, 2010]

The authors allude to a “privateering” model in which the government authorizes citizens to carry out attacks against “enemies of the state”. However, the report referred to research by Scott Henderson, author of “The Dark Visitor: Inside the World of Chinese Hackers”. Henderson wrote that there was disagreement about the exact relationship between hackers and the state, running from “authorize” to “tacit consent” to “tolerate.”

The most plausible explanation, the report said, and the one supported by the evidence, is that the Shadow Network is based in the mainland and run by one or more people with close ties to the country's criminal underworld. The report concluded: “As a result, information that is independently obtained by the Chinese hacker community is likely to find its way to elements within the Chinese state.”

Chinese Malware Attack Via E-Mail

On March 18, 2010, people on the mailing list of Human Rights in China (HRIC) received an e-mail that appeared to be from director Sharon Hom. The subject line, “Microsoft, Stool Pigeon for the Cops and FBI?”, convinced many recipients to take a look at the enclosed attachment. Within seconds the e-mail was flying around cyberspace, with thousands receiving it and passing it on to others. [Source: Paul Mooney, South China Morning Post, September 26, 2010]

But the e-mail was not from Hom. It was a “spear phishing” e-mail that lured recipients to visit a compromised website in Taiwan. Those who clicked on the link unknowingly loaded malware that allowed the attackers to take control of their computers from a server in Jiangsu province.

In a report on the HRIC attack, Villeneuve wrote that the malware spread via the e-mail was traced to a command and control center in Jiangsu. He said the nature of the compromised entities and the data stolen by the attackers indicated correlations with the mainland's strategic interests. But he concluded that “we were unable to determine any direct connection between these attackers and elements of the Chinese state”.

Fake e-mails also create confusion. A human-rights activist in Hong Kong tells of an e-mail sent out in her name revealing certain information known only to people she worked closely with. “This is their way of saying, ‘We know who you are and what you're doing,’ to make you feel scared,” she says. “Even if people know the e-mail is not from me, the damage is already done. The next time they'll ask if it's really from me.”

HRIC's Hom says: “This is seriously raising security issues for us. It makes every NGO, every journalist, every contact ask if they get an e-mail from me if it's real. As a small NGO we don't have the resources, technical expertise and capacity to guard ourselves against such high-level attacks. It makes it very difficult for us to do our work.”

Internet Impersonation and Social Engineering in China

In 2010, a foreign journalist was conducting a text conversation on Skype with Tsering Woeser, a Beijing-based Tibetan poet and commentator, when the journalist received an article over the internet service. When the suspicious reporter called Tsering Woeser to ask about the file, she was not even home. Someone had hijacked her account and started conversations with 30 of her Skype friends, several of them journalists. They even imitated the way the poet spoke. Some were tricked into downloading malware. This was the second hijacking of her Skype account in two years. [Source: Paul Mooney, South China Morning Post, September 26, 2010]

Most cyber attacks rely on a tactic known as “social engineering”, manipulating people to get them to provide computer access through trickery, rather than technical hacking. “At the root it's not technology,” Walton says. “The deeper the penetration, the more intelligence they can feed into a social engineering attack. If I look at your computer, I can draft e-mails that you will trust more and more.”

Robbie Barnett, director of the Modern Tibet Studies program at Columbia University, in the United States, says the attackers are getting increasingly sophisticated in their use of social engineering. They use the names of people you know, refer to an incident over the past 48 hours, often with a provocative subject, and may even have the actual sender's real e-mail address. He says no one can be 100 per cent safe, no matter what precautions are taken. “Eventually, they hit a bull's eye,” Barnett says, “They send you a letter from a Tibetan who's just written to you and could easily be sending something to you. Even if you've been careful for years, you could fall for it.”

Typically the target receives an e-mail appearing to be from an acquaintance. Often it mentions some sensational detail that lures the victim into opening a file or visiting a website that opens a backdoor, where malware can be planted.

Control is often maintained through the use of the Chinese Gh0st RAT (remote access tool). These trojans enable nearly unrestricted access to the infected system. The attacker can then carry out surveillance of the attacked computer, pilfer files and e-mails and send data to other computers, and use the infected computer as a platform to launch future attacks against computers around the world.
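Because Gh0st RAT has been reused so widely, its network framing is one of the few concrete artifacts a defender can look for on the wire. The detector below is an added example, not code from the article or from the GhostNet or Shadow Network reports. It relies on the widely documented Gh0st 3.6 wire format: a 5-byte ASCII flag (classically `Gh0st`), a little-endian 32-bit total packet length, a little-endian 32-bit uncompressed length, then a zlib stream. Many later variants keep this framing but rename the flag, so the check is structural and simply reports whatever flag it saw. The sample streams, including the `Xy9Qz` flag standing in for a renamed variant, are constructed here.

```python
"""Structural detection of Gh0st RAT style command-and-control packets.

Added example, not code from the original article or the reports it cites.
Assumes the Gh0st 3.6 framing: 5-byte flag, uint32 LE total length (header
included), uint32 LE uncompressed length, zlib body.
"""
import struct
import zlib
from typing import Optional

HEADER_FMT = "<5sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 13 bytes


def build_gh0st_packet(payload: bytes, flag: bytes = b"Gh0st") -> bytes:
    """Frame PAYLOAD the way a Gh0st client does; used here only to make samples."""
    body = zlib.compress(payload)
    return struct.pack(HEADER_FMT, flag, HEADER_LEN + len(body), len(payload)) + body


def parse_gh0st_packet(data: bytes) -> Optional[dict]:
    """Return framing details if DATA starts with a self-consistent Gh0st-style
    packet, otherwise None. Every check is on structure, not on the flag text."""
    if len(data) < HEADER_LEN:
        return None
    flag, total_len, plain_len = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    # Observed flags are printable ASCII; reject binary noise cheaply.
    if not all(0x21 <= b <= 0x7E for b in flag):
        return None
    # The declared length must fit the bytes we actually hold and leave room
    # for at least a zlib header.
    if total_len < HEADER_LEN + 2 or total_len > len(data):
        return None
    body = data[HEADER_LEN:total_len]
    if body[0] != 0x78:  # zlib CMF byte: deflate, 32K window (what Gh0st emits)
        return None
    try:
        plain = zlib.decompress(body)
    except zlib.error:
        return None
    if len(plain) != plain_len:
        return None
    return {"flag": flag.decode("ascii"), "total_len": total_len,
            "plain_len": plain_len, "plain": plain}


def find_gh0st_beacons(streams: list) -> list:
    """Scan the first bytes of captured TCP payloads; return (index, flag) for
    each one framed like a Gh0st packet."""
    hits = []
    for i, s in enumerate(streams):
        info = parse_gh0st_packet(s)
        if info:
            hits.append((i, info["flag"]))
    return hits


# Constructed samples standing in for the leading bytes of captured TCP streams.
SAMPLE_STREAMS = [
    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",              # ordinary web traffic
    build_gh0st_packet(b"LOGIN WIN-HOST-01 192.0.2.10"),             # classic flag
    build_gh0st_packet(b"LOGIN HOST-02 192.0.2.11", flag=b"Xy9Qz"),  # renamed-flag variant
    b"Gh0st" + b"\xff" * 20,                                         # flag only, bad framing
]

if __name__ == "__main__":
    for idx, flag in find_gh0st_beacons(SAMPLE_STREAMS):
        print(f"stream {idx}: Gh0st-style framing, flag={flag!r}")
```

The last sample shows why matching on the string `Gh0st` alone is a poor rule: the bytes are present, but the declared length is impossible, so it is rejected, while the renamed variant is still caught because its lengths and zlib body are consistent. Run this over the first 13+ bytes of each TCP stream from a capture rather than over whole sessions, since the flag only appears at packet boundaries.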

“It's all part of a trend that I've been watching for a decade,” says Walton, “pushing surveillance of the population from the network to the desktop...Everything you can do, they can do - it's like they're sitting in front of your computer. They can turn on the webcam, the microphone and access documents. Someone is staring back at you through your webcam. It's Orwellian.”

Disruption of Websites and Attacks on Google

While much of the activity seems focused on gathering intelligence and disruption of operations, in some cases the attacks are more dangerous. In July, the website of Chinese Human Rights Defenders was shut down several times by distributed denial of service (DDoS) attacks. In April, the Foreign Correspondents' Club of China was forced to take its website offline temporarily after being repeatedly hit by DDoS attacks. [Source: Paul Mooney, South China Morning Post, September 26, 2010]

In January, Google announced it had found “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property”. The attack was said to have targeted the Google e-mail accounts of Chinese human-rights activists.

Attacks on Foreign Journalists with Malware

Journalists have also become a target. In April 2010, Andrew Jacobs, Beijing correspondent for The New York Times, wrote an article detailing how his computer had been hacked and e-mails redirected to an unknown address. Jacobs said scores of foreign reporters in the mainland had experienced similar intrusions. [Source: Paul Mooney, South China Morning Post, September 26, 2010]

Last September, several foreign news bureaus in Beijing began receiving e-mails from “Pam”, who said she was an economics editor. The e-mails, which were in well-written English and included a list of genuine contact names, detailed a proposed reporting trip. However, when the attached PDF was opened it unleashed malware.

Walton and Villeneuve, who studied the virus, said in a report that the file appeared to be a legitimate document that had been stolen from a compromised computer, which was then modified to include malware and serve as a lure. While they said the malware could not be traced back to the central government, the recipients were Chinese news assistants, whose e-mail addresses were not widely known to the public, but were to the Ministry of Foreign Affairs.

Richard Baum, moderator of Chinapol, an online community of more than 900 China watchers, including journalists, lawyers and analysts, says the group has suffered “a certain amount of leakage” of membership lists and e-mail traffic. Members have also received phishing e-mails. Recently, an e-mail was sent to some members purporting to be the new member e-mail list, which had a malware attachment.

In the HRIC incident, a member of Chinapol sent the e-mail to all its members, some of whom in turn passed it on to their acquaintances. Walton says data was being sent back to a computer in Chongqing within 30 seconds of the malware being accepted.

What's troubling is that anti-virus software used by the general public is not always effective in catching these viruses. In the case of the HRIC attack, anti-virus coverage was very low, with only eight out of 42 anti-virus products detecting the file as malware, the investigation found. In the case of the news assistants who downloaded malware, only three of 41 anti-virus products used by VirusTotal, a service that analyses suspicious files and URLs, detected the malicious code embedded in the PDF file.

Effect of Internet Attacks

Tsering Woeser says her internet activities are constantly probed. In a recent incident, she received an e-card from dissident writer Yu Jie, which turned out to be a spear-phishing lure. She says that at least once a month a person pretending to be a Tibetan attempts to make contact with her online. [Source: Paul Mooney, South China Morning Post, September 26, 2010]

“It's caused a lot of problems for me,” says Tsering Woeser, who is often under police surveillance. “First, because of my situation, I can only contact my friends through Skype and e-mail, and now some Tibetan friends are afraid to contact me. I'm getting much less information than before. It's a huge interference...But what I worry about most is that the people who are in contact with me may get into trouble and I won't even know about it.”

Barnett also depends on sources to provide him with news from tightly controlled Tibetan areas. He says he, too, is now receiving far less information than in previous years. “The deterrent effect on people sending information is very effective,” he says. “This is having a massive effect on the limitation of outsiders finding out what's happening in China. A lot of it works by fear, intimidation and self-censorship. People are worried about interception.”

The culture of security in China, he says, means the government only has to go after a few people to have a deterrent effect. “You only have to pick up three people for passing on information and that will deter hundreds of thousands of others,” he says. “The system may now be more powerful than us.”

Combating Chinese Cyber Attacks

In the United States there are calls to appoint a “Cybersecurity National Adviser” with the power to disconnect the government and “critical” civilian networks from the Internet in case of national emergency - largely in response to China's perceived intentions and capabilities in cyberwarfare.

In January Secretary of State Hillary Clinton suggested the equivalent of an arms control agreement with China on the issue of network intrusions. Clinton also demanded that the Chinese government conduct a thorough review of the cyber-intrusions. [Source: Ethan Gutmann, World Affairs, May-June 2010]

Attacks are also lodged against Chinese sites. In November 2009, the China Daily reported that a Chinese defense ministry website set up in the summer of 2009 was hit by more than 230 million hacker attacks in its first month of operation, but only nine were successful.

Outwitting Chinese Cyber Attackers

Lhadon Tethong says security experts she's spoken to consider the cyber war “a lost game” but that she takes a different approach - trying to remain one step ahead of the mainland authorities. “We're looking at new technologies that haven't come out yet and how they can be used in Tibet,” she says. “The Chinese government can control your BlackBerry or laptop, but let's look beyond that, at iPads and Android technology [a mobile-phone operating system developed by Google]. You cannot stop it. The force is just too strong.” [Source: Paul Mooney, South China Morning Post, September 26, 2010]

“We worked with young and innovative technical experts and geeks from the beginning,” she says. “The optimistic part is that the advances in communications technology are happening so quickly that the Chinese bureaucracy can't keep up. Saying you can't do this or that because they're too good is just not true.”

She cites the microblogging service Twitter, which the authorities managed to block. Before that, Tibetan activists had found it a useful tool for getting their message across both within and outside the mainland. “You can block one site and another will pop up, and it won't take long before people find it,” she says. “You can try to control it but there's no way to stop it and I think they know that.”

How Chinese Hackers Are Identified

Lolita Baldor of Associated Press wrote: “The aggressive but stealthy attacks, which have stolen billions of dollars in intellectual property and data, often carry distinct signatures allowing U.S. officials to link them to certain hacker teams. Analysts say the U.S. often gives the attackers unique names or numbers, and at times can tell where the hackers are and even who they may be. [Source: Lolita Baldor, Associated Press, December 12, 2011]

Jon Ramsey, head of the counter threat unit at the Atlanta-based Dell SecureWorks, a computer security consulting company, told AP hackers in China have different digital fingerprints, often visible through the computer code they use, or the command and control computers that they use to move their malicious software.

U.S. government officials have been reluctant to tie the attacks directly back to the Chinese government, but analysts and officials quietly say they have tracked enough intrusions to specific locations to be confident they are linked to Beijing — either the government or the military. They add that they can sometimes glean who benefited from a particular stolen technology.

U.S. companies have reported intrusions into their computer networks that originated in China, but U.S. intelligence agencies cannot confirm who specifically is behind them. National Counterintelligence Executive Robert Bryant told Reuters: "To a certain degree that's determined by the sophistication of the attack. If it's a very sophisticated attack we basically assume that either a foreign intelligence service or a government sponsor is somewhere involved." [Source: Tabassum Zakaria, Reuters, November 3, 2011]

One of the analysts said investigations show that the dozen or so Chinese teams appear to get "taskings," or orders, to go after specific technologies or companies within a particular industry. At times, two or more of the teams appear to get the same shopping list and compete to be the first to get them or to pull off the greatest haul. [Baldor, Op. Cit]

Analysts and U.S. officials agree that a majority of the cyberattacks seeking intellectual property or other sensitive or classified data are done by China-based hackers. Many of the cyberattacks stealing credit card or financial information come from Eastern Europe or Russia.

Difficulty Combating Chinese Hackers

Lolita Baldor of Associated Press wrote: “It is largely impossible for the U.S. to prosecute hackers in China, since it requires reciprocal agreements between the two countries, and it is always difficult to provide ironclad proof that the hacking came from specific people. [Source: Lolita Baldor, Associated Press, December 12, 2011]

"Industry is already feeling that they are at war," said James Cartwright, a retired Marine general and former vice chairman of the Joint Chiefs of Staff. A recognized expert on cyber issues, Cartwright has come out strongly in favor of increased U.S. efforts to hold China and other countries accountable for the cyberattacks that come from within their borders.

"Right now we have the worst of worlds," said Cartwright. "If you want to attack me you can do it all you want, because I can't do anything about it. It's risk-free, and you're willing to take almost any risk to come after me." The U.S., he said, "needs to say, if you come after me, I'm going to find you, I'm going to do something about it. It will be proportional, but I'm going to do something ... and if you're hiding in a third country, I'm going to tell that country you're there. If they don't stop you from doing it, I'm going to come and get you."

Stepping Up Efforts to Combat Hackers

Cyber experts say companies are frustrated that the government isn't doing enough to pressure China to stop the attacks or go after hackers in that country. Much like during the Cold War with Russia, officials say the U.S. needs to make it clear that there will be repercussions for cyberattacks. [Source: Lolita Baldor, Associated Press, December 12, 2011]

The government "needs to do more to increase the risk," said Jon Ramsey, head of the counter threat unit at the Atlanta-based Dell SecureWorks, a computer security consulting company. "In the private sector we're always on defense. We can't do something about it, but someone has to. There is no deterrent not to attack the U.S."

For the first time, U.S. intelligence officials called out China and Russia last month, saying they are systematically stealing American high-tech data for their own economic gain. The unusually forceful public report seemed to signal a new, more vocal U.S. government campaign against the cyberattacks.

The next step, said Cartwright, must be a full-throated U.S. policy that makes it clear how the U.S. will deal with cyberattacks, including the attackers as well as the nations the attacks are routed through. Once an attack is detected, he said, the U.S. should first go through the State Department to ask the country to stop the attack. If the country refuses, he said, the U.S. will have the right to stop the computer server from sending the attack by whatever means possible while still avoiding any collateral damage.

Chinese Hacker Unmasked

In March 2012, the New York Times reported: A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese university — putting a face on the persistent espionage by Chinese hackers against foreign companies and groups. The attacks were connected to an online alias, according to a report to be released by Trend Micro, a computer security firm with headquarters in Tokyo. [Source: Nicole Perlroth, New York Times, March 29, 2012]

The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense. Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign. “The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A. Lewis, a former diplomat and expert in computer security who is a director and senior fellow at the Center for Strategic and International Studies in Washington. “A private Chinese hacker may go after economic data but not a political organization.”

The Trend Micro report describes systematic attacks on at least 233 personal computers. The victims include Indian military research organizations and shipping companies; aerospace, energy and engineering companies in Japan; and at least 30 computer systems of Tibetan advocacy groups, according to both the report and interviews with experts connected to the research. The espionage has been going on for at least 10 months and is continuing, the report says.

Tracking Down the Unmasked Chinese Hacker

Nicole Perlroth wrote in the New York Times: In the report, the researchers detailed how they had traced the attacks to an e-mail address used to register one of the command-and-control servers that directed the attacks. They mapped that address to a QQ number — China’s equivalent of an online instant messaging screen name — and from there to an online alias. [Source: Nicole Perlroth, New York Times, March 29, 2012]

The person who used the alias, “scuhkr” — the researchers said in an interview that it could be shorthand for Sichuan University hacker — wrote articles about hacking, which were posted to online hacking forums and, in one case, recruited students to a computer network and defense research program at Sichuan University’s Institute of Information Security in 2005, the report said.

The New York Times traced that alias to Mr. Gu. According to online records, Mr. Gu studied at Sichuan University from 2003 to 2006, when he wrote numerous articles about hacking under the names of “scuhkr” and Gu Kaiyuan. Those included a master’s thesis about computer attacks and prevention strategies. The Times connected Mr. Gu to Tencent first through an online university forum, which listed where students found jobs, and then through a call to Tencent.

Reached at Tencent and asked about the attacks, Mr. Gu said, “I have nothing to say.” Tencent, which is a privately managed and stock market-listed Internet company, did not respond to several later inquiries seeking comment.

Some security researchers suggest that the Chinese government may use people not affiliated with the government in hacking operations — what security professionals call a campaign. For example, earlier this year, Joe Stewart, a security expert at Dell SecureWorks, traced a campaign against the Vietnam government and oil exploration companies to an e-mail address that belonged to an Internet marketer in China.

”It suggested there may be a marketplace for freelance work — that this is not a 9-to-5 work environment,” Mr. Stewart said. “It’s a smart way to do business. If you are a country attacking a foreign government and you don’t want it tied back, it would make sense to outsource the work to actors who can collect the data for you.”

Methods Used by the Unmasked Chinese Hacker

Nicole Perlroth wrote in the New York Times: The attacks are technically similar to a spy operation known as the Shadow Network, which since 2009 has targeted the government of India and also pilfered a year’s worth of the Dalai Lama’s personal e-mails. Trend Micro’s researchers found that the command-and-control servers directing the Shadow Network attacks also directed the espionage in its report. [Source: Nicole Perlroth, New York Times, March 29, 2012]

The Shadow Network attacks were believed to be the work of hackers who studied in China’s Sichuan Province at the University of Electronic Science and Technology, another university in Chengdu, that also receives government financing for computer network defense research. The People’s Liberation Army has an online reconnaissance bureau in the city.

The campaign detailed in the Trend Micro report was first documented two weeks ago by Symantec, a security firm based in Mountain View, Calif. It called the operation “Luckycat,” after the login name of one of the other attackers, and issued its own report. But Trend Micro’s report provides far more details. The two firms were unaware that they were both studying the same operation.

Trend Micro’s researchers said they were first tipped off to the campaign three months ago when they received two malware samples from two separate computer attacks — one in Japan and another in Tibet — and found that they were both being directed from the same command-and-control servers. Over the next several months, they traced more than 90 different malware attacks back to those servers.

Each attack began, as is often the case, with an e-mail intended to lure victims into opening an attachment. Indian victims were sent an e-mail about India’s ballistic missile defense program. Tibetan advocates received e-mails about self-immolation or, in one case, a job opening at the Tibet Fund, a nonprofit based in New York City. After Japan’s earthquake and nuclear disaster, victims in Japan received an e-mail about radiation measurements.

Each e-mail contained an attachment that, when opened, automatically created a backdoor from the victim’s computer to the attackers’ servers. To do this, the hackers exploited security holes in Microsoft Office and Adobe software. Almost immediately, they uploaded a directory listing of the victim’s machine to their servers. If the files looked enticing, the hackers installed a remote-access tool, or RAT, which gave them real-time control of the target’s machine. As long as a victim’s computer was connected to the Internet, the attackers could record keystrokes and passwords, grab screenshots and even crawl from that machine to other computers in the victim’s network.
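The pivot that let Trend Micro tie a Japanese and a Tibetan attack together, and then some 90 more, was shared command-and-control infrastructure. The following is an added example, not Trend Micro’s own tooling: given constructed sample records (sample ids, lure descriptions and `.example` C2 hostnames are all made up), it groups samples that share any C2 server into one campaign cluster and lists the infrastructure a defender would block and watch.

```python
from collections import defaultdict

# Constructed records (not real indicators): one entry per malware sample,
# with the lure that delivered it and the C2 servers it beaconed to.
SAMPLES = [
    {"id": "sample-A", "lure": "radiation measurements (Japan)",
     "c2": ["c2-1.example", "c2-2.example"]},
    {"id": "sample-B", "lure": "self-immolation article (Tibet)",
     "c2": ["c2-2.example"]},
    {"id": "sample-C", "lure": "ballistic missile defense (India)",
     "c2": ["c2-1.example", "c2-3.example"]},
    {"id": "sample-D", "lure": "unrelated commodity malware",
     "c2": ["c2-9.example"]},
]


def cluster_by_c2(samples):
    """Group samples that share at least one C2 server (transitively).

    Uses a small union-find: the first sample seen for each C2 host is the
    anchor, and every later sample using that host is merged into its set.
    Returns clusters as lists of sample ids, largest first.
    """
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # C2 host -> first sample id that used it
    for s in samples:
        for host in s["c2"]:
            if host in first_seen:
                union(first_seen[host], s["id"])
            else:
                first_seen[host] = s["id"]

    clusters = defaultdict(list)
    for s in samples:
        clusters[find(s["id"])].append(s["id"])
    return sorted(clusters.values(), key=len, reverse=True)


def campaign_infrastructure(samples, cluster):
    """Distinct C2 hosts used by one cluster: the block/monitor list."""
    ids = set(cluster)
    return sorted({h for s in samples if s["id"] in ids for h in s["c2"]})
```

Two attacks with different lures and different victims end up in one cluster because each shares a server with a third, which is the kind of link that turns isolated incidents into a tracked campaign.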

Trend Micro’s researchers would not identify the names of the victims in the attacks detailed in its report, but said that they had alerted the victims, and that many were working to remediate their systems. A spokesman for India’s Defense Ministry, Sitanshu Kar, said he was not aware of the report or of the attacks it described. At the time the article was written, the campaign’s servers were still operating and compromised computers continued to leak information.

“This was not an individual attack that started and stopped,” said Nart Villeneuve, a researcher who helped lead Trend Micro’s efforts. “It’s a continuous campaign that has been going on for a long time. There are constant compromises going on all the time. These guys are busy and stay busy.”

Anonymous Hacks Chinese Websites

In April 2012 Al Jazeera reported: Messages by the international hacking group Anonymous went up on a number of Chinese government websites on Thursday to protest internet restrictions. On a Twitter account established in late March, Anonymous China listed the websites it said it had hacked over the last several days. They included government bureaus in several Chinese cities, including in Chengdu, a provincial capital in southwest China.

Some of the sites were still blocked on Thursday, with English-language messages shown on how to circumvent government restrictions. In a message left on one of the hacked Chinese sites, cdcbd.gov.cn, a home page for Chengdu's business district, the hackers expressed anger with the Chinese government for restrictions placed on the internet. "Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall," the message read. "So expect us because we do not forgive, never. What you are doing today to your Great People, tomorrow will be inflicted to you," one of the messages read.

Al Jazeera's Melissa Chan, reporting from Hong Kong, said that the attack was interesting because Anonymous had mostly previously stayed away from attacking Chinese websites. "This is just (Anonymous') second attack (on Chinese websites)," Chan said. "The first one a few months ago had been a corporate attack against a Chinese company and it had exposed corporate fraud. This time, of course, the message was more general about online censorship in China." [Source: Al Jazeera, April 2, 2012]

Chan also pointed out the attacks did not target national websites, but smaller sites for government bureaus and minor cities. "The other interesting thing is that the messages they left were left in English, so then that begs the question of whether they wanted to try to reach out to the Chinese public or not," Chan said. Some websites that Anonymous said it attacked were working Thursday, and government officials denied the sites were ever hacked.

Image Sources: Human Rights Watch

Text Sources: New York Times, Washington Post, Los Angeles Times, Times of London, National Geographic, The New Yorker, Time, Newsweek, Reuters, AP, Lonely Planet Guides, Compton’s Encyclopedia and various books and other publications.

Last updated May 2022