Nov 17 2007
Chinese hacker network
Diagram of the Chinese hacker network produced on I2 Notebook
Discussing network hierarchy is difficult at best and involves speculation on relationships that have not been defined by any known source. Preliminary evidence suggests the network operates on a peer-to-peer basis, without a centralized control mechanism. Experiments with various configurations of the net were unsuccessful in providing a clear-cut top-down structure. Searching through the individual web sites failed to turn up documentation showing a definitive command and control group. There were, however, hints that a rudimentary one might exist, or at least a deference to the older and larger organizations. These clues came from messages passed between the sites and from training conducted by the better-established organizations for their smaller downlinks. Despite these hints, all indications are that individual sites are maintained and run by separate entities, and the aggregate is best defined as a peer-to-peer network.
Diagram of Chinese hacker network hierarchy
Individual groups work in coordination with one another, but they do not act in response to orders from centralized leadership. During times of political conflict, when the alliance wanted to act in concert, they established the Chinese Emergency Conference Centers. But this was a cooperative and temporary collaboration. The individual sites should be viewed as independent cells within the larger organization. However, independence should not be confused with an absence of interaction. The various cells are in contact with one another and pass messages back and forth on a regular basis.
The Numbers Game
The number of people participating in these organizations is another subject that requires conjecture. This study provides only a very rough range of the numbers involved and should not in any way be construed as hard data. Of the 253 sites that were monitored, 90 were found to keep and post online records of the number of people registered with their organization. For example, below we see the number of members claimed by China Black Hawk Union circled in red on 14 May 2005:
The number of members claimed by China Black Hawk Union
China Black Hawk Union is one of the mid-sized groups in the Red Hacker Alliance, and its 14,358-member assertion should be examined closely. The group's leadership does not mention whether these members are currently active or whether a portion (maybe a large portion) simply registered and have minimal or no involvement in the group's activities. Revisiting the site on 1 September 2005 showed the membership increasing to well over 17,000:
The number of members claimed by China Black Hawk Union on 1 Sep 2005
Visiting each of the 90 sites that kept statistics and adding up the registered members gave a total of 1,197,769 participants. This is an extremely large number, one that called into question the credibility of the data. In January of 2006, the China Internet Network Information Center released a report that gave the number of Chinese citizens accessing the Internet at 111 million. That would mean that 1% of their online community was made up of hackers. Fortunately, the web sites had another online tool that provided a better understanding of the actual number of active members. This counter (shown below) gives the current number of people active on the site at a given time. If another person were to log on during this period, the counter would move up to 643, and if one of the members logged off, the counter would move down. On 1 May 2005, the site ICEHACK furnished their online numbers as 642 and an all-time high of online participants as 1,262. Their total claimed membership was 42,969:
By monitoring slightly more than 10% of the sites, at four different times throughout the day, over a one-week period, it was determined that on average a site had approximately 2% of its stated membership visiting the site. The monitoring example below shows the numbers given on 11 October 2005 at approximately 11:00 pm in China. The time approximation is based on the survey start time and the amount of time needed for the site to load (web sites in China are notoriously slow), to record the data from the selected site, and to move to the next site for collection. Note that the numbers recorded for this date and time were 1.6%, slightly lower than the week’s norm of 2%. To maintain a fair representation of the organization as a whole, sites were selected for monitoring from three categories: those that posted high, medium, and low memberships.
Does this mean that we discount 98% of the claims as exaggerations? No, it would be highly unreasonable to expect every member of the organization to be visiting any given site at the same time. Furthermore, the 2% that were noted at 11:00 pm would certainly be a different 2% depending on the time monitored. This does, however, give us a reasonable number to use as our minimum. The range therefore would be from a minimum of 24,000 to a maximum of around 1.2 million. Even at the minimum end of the scale, this is a large group capable of organizing a variety of activities damaging to governmental and civilian organizations around the globe. It is probable that during times of political strife, these numbers rise dramatically higher and move closer to the upper ranges. Keep in mind that the range of 24,000 to 1.2 million only includes the sites that kept statistics and that the survey is limited in scope. Only 90 out of the 250 sites provided data on online members. This would obviously make both the minimum and maximum figures substantially higher, perhaps even double the range provided.
The alliance is young, it is dynamic, and the numbers it can rally against a problem on any given occasion are enormous. Given the right set of political circumstances, these numbers could swell to over one million. Even though the quality of participants may be highly suspect, the central core of 24,000 regulars should be able to direct them with excellent results.
In discussing more speculative numbers, we can extend our minimum by taking the average time spent on the Internet by an individual and extending that over a conservative timeline. If we take the average time spent online by a Chinese user of approximately two and a half hours per day, and estimate that they may use one hour of that on the site where they are a member and the rest for surfing, news, virtual gaming, etc., the hacker web site would change over a new two percent of users eight times in the same number of hours. Eight hours is used as the normal amount of time a person would have in a day after work and sleep. Using the rotating population and doubling it for the lack of online statistics for 160 sites, we could be looking at a floating population of some 380,000 hackers that maintain some sort of consistent contact with the organization. Given the difficulty of determining exact numbers, this is very much in line with Taiwanese estimates of 300,000-plus mainland hackers.