Jan 17 2008

Why Jumper is the BEST!

This was posted by Jumper today, but obviously deserves a place other than just in the comments! Jumper, this is…no words…just floored:

This reminds me of some comments I have collected from blogs. I’m pretty sure these are all from the same Taiwanese person:

From theregister.co.uk:

There are at least 8 China Hacker Groups. We call them HuBei Jun (Jun for military troop), ShangHai Jun, Beijing/TienJing Jun, GuoDong Jun, FuJian Jun, SiChuan Jun, JianSu Jun, SiAnn Jun.

Through incident handling and investigation with law enforcement, we found some evidence to prove the China hackers (targeted attack / spear phishing) came from government (military, intelligence dept and public security).

We have inspected the tools, from the beginning trojaned e-mail, backdoor, and relay tools in the way stations. At first, using a Microsoft Word (*.doc) file with exploit, to drop backdoors or download spyware from other way stations. And the backdoor connects back to the way station, when the hacker comes from China (fixed IP or ADSL) to remote control victims.

What they want is to collect the contact list files (Outlook, MSN …) to build a huge database about relationships for future use. From the contact list, hackers can send a ‘well-made’ trojaned mail to the others in the contact list; then victims will trust the e-mail’s subject and fake e-mail source, open it and be compromised. And, periodically jump back to collect the latest documents in all file types. Even steal your mail account to have a copy of your mail boxes.

The official document shows the cyber operation was directly sponsored or supported by General Staff Department Sec. Four. And the evidence shows they:

(1) Organized: have principle, formal check-in/out time. In our domain name (used by backdoor) observations, they start to work at 0700 GMT+8 Round 1, 1150 Lunch, 1400 Round 2, 1730 Take a break, then, depending on group, have a night team, to hack foreign countries.

(2) The tools: not commonly seen on the public Internet. Some hacker groups use the same military produced/purchased hacking tools.

(3) The source IPs we sniffed from incident handling can be directly mapped to military regions of China.

The story is ongoing every day!

From Taosecurity:

Charlie Chen said…
Since 2003 Sept, we have found the first big scale intrusion event; the victim
is the National Police Agency, attacked by at least 2 groups of China hackers,
from HuBei and JianSu.

2003 Oct. Military Missile Plan Leakage.
2004 Jan. Executive Yuan 300+ PCs compromised.
2004 Apr. Fake Official Dept. E-mail with Trojan found.
2004 Sep. Ministry of Foreign Affairs and embassy compromised.
2004 Nov. DPP compromised.
2005 May. Big scale: Gov, High-Tech, on-line banking, Science Park (200+ companies compromised).
2005 Jul. Ministry of Foreign Affairs again.
2005 Sep. National Security Council compromised.
2005 Nov. Military Central Command compromised.
2006 Mar. Legislative Yuan, reporters compromised.
2007 Apr. Military Operation plan leakage due to USB data-collection backdoor.

There are at least 8 China Hacker Groups. We call them HuBei Jun (Jun for military troop),
ShangHai Jun, Beijing/TienJing Jun, GuoDong Jun, FuJian Jun, SiChuan Jun, JianSu Jun, SiAnn Jun.

What they want is to collect the contact list files (Outlook, MSN …) to build a huge database about relationships for future use.
From the contact list, hackers can send a ‘well-made’ trojaned mail to the others in the contact list; then victims
will trust the e-mail’s subject and fake e-mail source, open it and be compromised. And, periodically jump back to collect the latest
documents in all file types. Even steal your mail account to have a copy of your mail boxes.

(1) Organized: have principle, formal check-in/out time.
In our domain name (used by backdoor) observations, they start to work at 0700 GMT+8 Round 1, 1150 Lunch, 1400 Round 2, 1730 Take a break,
then, depending on group, have a night team, to hack foreign countries.

(2) The tools: not commonly seen on the public Internet.
Some hacker groups use the same military produced/purchased hacking tools.

(3) The source IPs we sniffed from incident handling can be directly mapped to military regions of China.

The story is ongoing every day!

From spyblog.org.uk:

Internet Espionage: The China Cyber Army

Since 2003 Sept, we have found the first big scale intrusion event; the victim
is the National Police Agency, attacked by at least 2 groups of China hackers,
from HuBei and JianSu.

2003 Oct. Taiwan Military Missile Plan Leakage.
2004 Jan. Executive Yuan 300+ PCs compromised.
2004 Apr. Fake Official Dept. E-mail with Trojan found.
2004 Sep. Ministry of Foreign Affairs and embassy compromised.
2004 Nov. DPP compromised.
2005 May. Big scale: Gov, High-Tech, on-line banking, Science Park (200+ companies compromised).
2005 Jul. Ministry of Foreign Affairs again.
2005 Sep. National Security Council compromised.
2005 Nov. Military Central Command compromised.
2006 Mar. Legislative Yuan, reporters compromised.
2007 Apr. Military Operation plan leakage due to USB data-collection backdoor.

There are at least 8 China Hacker Groups. We call them HuBei Jun (Jun for military troop),
ShangHai Jun, Beijing/TienJing Jun, GuoDong Jun, FuJian Jun, SiChuan Jun, JianSu Jun, SiAnn Jun.

Through incident handling and investigation with law enforcement,
we found some evidence to prove the China hackers (targeted attack / spear phishing)
came from government (military, intelligence dept and public security).

We have inspected the tools, from the beginning trojaned e-mail, backdoor, and relay tools in the way stations.
At first, using a Microsoft Word (*.doc) file with exploit, to drop backdoors or download spyware from other way stations.
And the backdoor connects back to the way station, when the hacker comes from China (fixed IP or ADSL) to remote control victims.

What they want is to collect the contact list files (Outlook, MSN …) to build a huge database about relationships for future use.
From the contact list, hackers can send a ‘well-made’ trojaned mail to the others in the contact list; then victims
will trust the e-mail’s subject and fake e-mail source, open it and be compromised. And, periodically jump back to collect the latest
documents in all file types. Even steal your mail account to have a copy of your mail boxes.

The official document shows the cyber operation was directly sponsored or supported by General Staff Department Sec. Four. And the evidence shows they:

(1) Organized: have principle, formal check-in/out time.
In our domain name (used by backdoor) observations, they start to work at 0700 GMT+8 Round 1, 1150 Lunch, 1400 Round 2, 1730 Take a break,
then, depending on group, have a night team, to hack foreign countries.

(2) The tools: not commonly seen on the public Internet.
Some hacker groups use the same military produced/purchased hacking tools.

(3) The source IPs we sniffed from incident handling can be directly mapped to military regions of China.

The story is ongoing every day!

Next time… we will announce who they are.

@ Charlie Chen – interesting, but you need much more than just an IP address apparently from a particular fixed IP or ADSL range allocation to prove official People’s Liberation Army involvement.

How do you tell that these are not “zombie” infected machines, controlled from somewhere else on the internet, by amateurs, by criminals or by other intelligence agencies?

Taking a break for lunch could simply be due to the infected PC going into power-saving standby mode when the ignorant user goes to lunch, unaware of what his PC is really doing in the background.

Why have Taiwanese government systems been so vulnerable, for such a long time?

Did you pass on the details of the email trojans etc. to the anti-virus and anti-spyware companies, so that the rest of the world might have some measure of protection against them, or are they still being kept secret?

From Time-blog.com:

Posted by Charlie Chen
September 9, 2007
Internet Espionage: The China Cyber Army

Since 2003 Sept, we have found the first big scale intrusion event; the victim
is the National Police Agency, attacked by at least 2 groups of China hackers,
from HuBei and JianSu.

2003 Oct. Taiwan Military Missile Plan Leakage.
2004 Jan. Executive Yuan 300+ PCs compromised.
2004 Apr. Fake Official Dept. E-mail with Trojan found.
2004 Sep. Ministry of Foreign Affairs and embassy compromised.
2004 Nov. DPP compromised.
2005 May. Big scale: Gov, High-Tech, on-line banking, Science Park (200+ companies compromised).
2005 Jul. Ministry of Foreign Affairs again.
2005 Sep. National Security Council compromised.
2005 Nov. Military Central Command compromised.
2006 Mar. Legislative Yuan, reporters compromised.
2007 Apr. Military Operation plan leakage due to USB data-collection backdoor.

Posted by Charlie Chen
September 10, 2007
There are at least 8 China Hacker Groups. We call them HuBei Jun (Jun for military troop),
ShangHai Jun, Beijing/TienJing Jun, GuoDong Jun, FuJian Jun, SiChuan Jun, JianSu Jun, SiAnn Jun.

What they want is to collect the contact list files (Outlook, MSN …) to build a huge database about relationships for future use. From the contact list, hackers can send a ‘well-made’ trojaned mail to the others in the contact list; then victims will trust the e-mail’s subject and fake e-mail source, open it and be compromised. And, periodically jump back to collect the latest documents in all file types. Even steal your mail account to have a copy of your mail boxes.

(1) Organized: have principle, formal check-in/out time.
In our domain name (used by backdoor) observations, they start to work at 0700 GMT+8 Round 1, 1150 Lunch, 1400 Round 2, 1730 Take a break, then, depending on group, have a night team, to hack foreign countries.

(2) The tools: not commonly seen on the public Internet.
Some hacker groups use the same military produced/purchased hacking tools.

(3) The source IPs we sniffed from incident handling can be directly mapped to military regions of China.

The story is ongoing every day!
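The "check-in/out time" observation above was made from domain-name lookups by the backdoor, and the spyblog reply objects that a backdoor on a fixed timer, on a PC that sleeps at lunch, could produce the same picture. The following is an added example, not code from Jumper or Charlie Chen: a Python script over constructed resolver log lines (placeholder C2 name) that buckets callbacks to the suspect domain by GMT+8 hour and then checks how regular the intervals between callbacks are, since a timer-driven beacon gives near-identical gaps while operator-paced sessions do not.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

C2_DOMAIN = "update.waystation.example"  # placeholder name, not a real indicator
LOCAL_TZ = timezone(timedelta(hours=8))  # GMT+8, the offset the post reports

# Constructed resolver log lines, format "<UTC timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2007-09-10T23:02:11Z 10.1.1.7 update.waystation.example
2007-09-10T23:31:45Z 10.1.1.7 update.waystation.example
2007-09-11T00:15:02Z 10.1.1.7 update.waystation.example
2007-09-11T01:40:19Z 10.1.1.7 update.waystation.example
2007-09-11T03:50:33Z 10.1.1.7 update.waystation.example
2007-09-11T04:00:00Z 10.1.1.7 www.news.example
2007-09-11T06:05:54Z 10.1.1.7 update.waystation.example
2007-09-11T07:22:08Z 10.1.1.7 update.waystation.example
2007-09-11T09:10:41Z 10.1.1.7 update.waystation.example
"""

def parse_log(text, domain):
    """Sorted UTC timestamps of queries for `domain`; other names are ignored."""
    times = []
    for line in text.splitlines():
        ts, _client, name = line.split()
        if name == domain:
            times.append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc))
    return sorted(times)

def hourly_profile(times, tz=LOCAL_TZ):
    """Callbacks per local hour; a lunch gap shows up as missing keys 12 and 13."""
    return Counter(t.astimezone(tz).hour for t in times)

def interval_cv(times):
    """Coefficient of variation of the gaps between callbacks: a timer-driven
    beacon gives roughly 0, while human-paced sessions vary widely."""
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return pstdev(gaps) / mean(gaps) if len(gaps) > 1 else 0.0

def classify(times, cv_threshold=0.3):
    return "operator-paced" if interval_cv(times) > cv_threshold else "fixed-interval beacon"

def fixed_beacon_times(n=8, every_minutes=30):
    """Constructed control: what a backdoor calling home on a fixed timer looks like."""
    start = datetime(2007, 9, 10, 23, 0, tzinfo=timezone.utc)
    return [start + timedelta(minutes=every_minutes * i) for i in range(n)]

if __name__ == "__main__":
    t = parse_log(SAMPLE_LOG, C2_DOMAIN)
    for hour, n in sorted(hourly_profile(t).items()):
        print(f"{hour:02d}:00 GMT+8 {'#' * n}")
    print(f"interval CV {interval_cv(t):.2f}: {classify(t)}; control: {classify(fixed_beacon_times())}")
```

Timing regularity only separates a scripted beacon from a person at a keyboard; it says nothing about who that person is or where the traffic was relayed from.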

4 Responses to “Why Jumper is the BEST!”

  1. jumper on 17 Jan 2008 at 11:13 pm

    I would very much like to talk to Charlie Chen. He never leaves any identifying details so that I can contact him though.

  2. Heike on 18 Jan 2008 at 7:04 am

    Jumper,

    This should help in your quest. Would love to get your thoughts.

    http://spaces.icgpartners.com/index2.asp?category=&eventdate=1/8/2008

  3. jumper on 18 Jan 2008 at 7:47 am

    This is grand. Thanks.

  4. [...] thread was first brought to my attention by Jumper who has been collecting postings from an individual in Taiwan named Charlie Chen [...]