Nov 17, 2007
Chinese hacker issues warning
Skytalk’s hack of Taiwanese web site

The evening of 18 March 2000 would see another wave of offensive attacks against the Taiwanese following the election of pro-independence presidential candidate Chen Shuibian. A hacker calling himself Sky Talk left the following message:
“Sky Talk here. I’m from Zhejiang, but I am working outside of the province. My monthly salary is 800 Renminbi (RMB). I’m not poor, and not rich. I wear warm clothes and eat well enough. I’m a normal person, one of the common herd, of no social standing at all. I didn’t even go to high school! Altering the pages of a few Taiwanese web sites was done completely out of rage! If you want to split up China, I think every Chinese person feels just like me when it comes to this attitude! You’re attacking our web sites in China, and last night there was even a ‘cute’ so-called ‘hacker’ who was interested in the HTTPD of my personal computer. Ha ha…his IP address was (address deleted). You can see that I don’t need to explain the intensity of your attack on me! Let me give a warning! I have stopped cracking Taiwanese host computers, but when I heard about your counterattacks and the destruction of several Chinese web sites, my patience has limits. Last night I entered your host computers for National Defense. I’d planned to do a deltree/y c:\, but then I thought that this might start a hacker war! Considering that this would benefit no one, I exited Telnet and closed the port, and may have closed port 80 at the same time (I’m terrible at this! : )) I’m putting up a gallery! I hope that you can leave this dispute behind!!”
Nov 17, 2007
The Beginning of China Eagle Union

In April of 2000, Wan Tao joined sina.com’s Naval and Merchant Ships Forum with the online name of China Eagle in response to a posting by a person named Bailing who called for the establishment of a China Eagle club. Between the 19th and 21st of May, he made postings about the delay tactics used by advocates of Taiwanese independence and organized the “Anti-Taiwanese Movement of China Eagle Union.” In September, he participated in China’s first network security hobbyist conference at the Dragon Spring Hotel in Beijing and gave a speech called “Building Hacker Culture with Chinese Characteristics,” which was said to have defined the goals and direction of the Chinese hacker culture. The Chinawill web site was redesigned in October of 2000, and the members of the China Eagle Union finally had “a home online.” In December, Wan Tao attended the “Network Era Patriotism Discussion” held in Nanjing.
China Eagle defacement of “Taiwan Independence Party” web site

Nov 17, 2007
UPDATE 1 Dec 2007: Developing…where are they now.

Javaphile Defacement of Taiwan’s Lite-On Corporation

The group Javaphile was established in September 2000 by two Chinese hackers going by the online names of Coolswallow and blhuang (Liang Huang). All members of the group were said to be students of Jiaotong University in Shanghai. The group was later joined by thomasyuan who specialized in Unix programming. Initially the group was merely for Java language enthusiasts as the name implies. This attracted few members, since the Java language had only just been introduced to the country. Coolswallow joined the Red Hacker Alliance following the 2001 collision between the US reconnaissance aircraft and the PRC fighter. Coolswallow and thomasyuan would later initiate a program to reorganize the group into a hacker web site. Some notoriety was gained by the group in 2002 for the defacement of Lite-On, a Taiwanese IT company.
Nov 17, 2007
黑客 or 红客?
The organization of Chinese hackers is often referred to as the Honker Union of China in most open-source reporting, including by the Chinese themselves. This report will instead refer to the organization as the “Red Hacker Alliance” because it is, in the author’s opinion, truer to the original Chinese. Hopefully, this will not cause confusion for those readers who are familiar with the subject matter and accustomed to seeing the organization referred to as the Honker Union of China. There are three main reasons for this shift away from the term Honker:
1) The term Honker has little or no meaning in the English language. It can refer to a person who honks a horn; a slang term for the nose; or a goose. None of these definitions apply. Furthermore, it fails to provide the average Western reader with the undertones contained in the Chinese characters.
Nov 17, 2007
From Nationalism to Commercialism
The headlines in most major papers that cover Chinese hackers paint them as ethereal beings, invisible, coming from nowhere, invading, attacking, and then returning to their void. Media reports are filled with “Chinese hackers” involvement in one type of exploit or another, speculations about government affiliation, and the types of online crimes they have committed. What they fail to provide is background on just who comprises this secretive organization. Certainly, these spirits from a land as unfathomable as China must be impossible to locate, much less study.
The reality turns out to be considerably less mysterious and much more mundane. Chinese hackers are incredibly easy to find and provide more information about themselves than anyone reading the news could imagine. The problem is not a lack of information but an overabundance of it. The Red Hacker Alliance is producing thousands of internal documents just waiting to be translated and studied. No special computer skills are required and you do not need the ability to detect and track an intruder over countless Internet connections or jumps between satellites. It doesn’t require a government clearance with access to classified documents. The information has been sitting in the open since the very founding of the organization and it is this very information we will use to examine their history, structure, exploits, political agenda, and possible government affiliations.
While not an unbroken historic timeline, we will trace the birth of Chinese hackers on the Internet from a purely nationalistic organization, to their current situation that is rapidly expanding into commercialization and criminal activity. Before looking directly at the history of the Chinese Red Hacker Alliance, it is perhaps vital that we have an understanding of China’s past and how it affects its population’s current psyche in order to get greater insight into why these groups are so much more nationalistic than their Western counterparts.
Nov 17, 2007

Meet Lion (true name Lin Yong), a Chinese hacker who, at the age of 22, established the Honker Union of China in 2000. At that time, he had only a little over one year of Internet experience. After leading his faction in many cyber conflicts, he would disband his organization in 2004. He was also responsible for coining the word “Honker” as a term to identify the group to Westerners. So, where is he today? Couldn’t find him on World of Warcraft like his buddy Goodwell but I did check out a few links on his old blog and it looks like he was still working at XSec (We are Red Hat) as late as December of 2006. Lion also used the online name of nop, which I believe stands for “no operation” in computer programmer-ese. In this screenshot (modified to fit better), we can see nop’s posts on the site:
Nov 16, 2007
The documentary below was posted on Youku (Chinese YouTube) in May of 2007. It is a CCTV 10 documentary that features Wan Tao, the leader of China Eagle, covering the history of the Red Hacker Alliance. The clip is 36 minutes long, so I’m not going to translate it but I did want to post it to show an example of what we can learn using open source information. All of the history that he talks about here is covered in my book but it is interesting to note how open they are about the subject. You can see just about all the defacements seen in the video at my Flickr site located on the left in the navigation buttons.
If you are just interested in seeing an honest to goodness famous Chinese hacker, Wan Tao begins speaking at 2 minutes 24 seconds into the video and then throughout. Warning, it loads really slow. One of the other reasons I don’t want to spend a lot of time translating.
Nov 12, 2007

Goodwell
The Green Army was founded by a Shanghai hacker going by the online name of Goodwell; it was reported to have had a membership of around 3,000 people from Shanghai, Beijing, and Shijiazhuang. The other four key members of the group went by the pseudonyms Rocky, Dspman (HeHe), Solo, and LittleFish. It also attracted others, considered to be part of China’s first generation hackers, the likes of Xie Zhaoxia, Brother Peng, PP (Peng Quan), Tian Xing (Cheng Weishan), IceWater (Huang Lei), and Little Rong. The group disbanded in 2000 and its rise and fall was described as “confusing” by insiders who consider it one of the enduring symbols of the Chinese hacker movement. The Green Army is said to have hacked “uncountable foreign web sites.” Indeed, many of China’s top hackers were past members of this group.
So, where is he now you ask? Apparently he is spending quite a bit of time playing World of Warcraft and doing a bang up job. In an interview with wow.duoban.com, Goodwell was congratulated for his world record breaking move from level 60 to 70 in under 24 hours. There were some details in the article about how he achieved this feat but it had a bunch of World of Warcraft stuff I don’t understand…but he did it…without hacking…he said. During the interview, which was conducted in September of 2007, he introduced himself as the founder of the Green Army Hacker Organization Goodwell (Real name Gong Wei).
Screen name: Silver Dragon
Real name: Goodwell (Gong Wei)
Occupation: Hunter
Faction: Tribe
Server: 7th Region? An Geluo
Guild: Green Base
Apparently, there were some problems when his guild (over 2,000 players) was located on the 5th Region server (Unsure of the translation for servers as regions) for moving up too quickly in ranking. So, they changed their name from the Chinese for Green Army Corps to the English word Greenbase. He just can’t seem to let go of the old days…and that should scare you WOW players.