Apr 21 2008

Anatomy of a Chinese hacker attack

Published by at 8:37 pm under Hacker Organization, US attacks

Even though a major attack did not occur on CNN, there were some lessons learned that we can take away from this event. So what did we learn? Here are some of the things I noted:

  1. We can reconstruct a bit of the social side of the attack
  2. There is some evidence about their method of organization for operational tactics
  3. Stockpile of ready-made software for novice attackers
  4. Possible reasons the attack was canceled

Social

The first thing we need to do is identify the reason behind the attack. What were the catalysts that led the Chinese hacker community to go after CNN? This would be my list:

  1. The CNN report on Chinese hackers is seen as unfair, and there are accusations that parts of the CNN interview were fabricated
  2. CNN makes remarks about the Tibet situation that angers the nation
  3. Anti-CNN’s call for protests provides timing for coordinated effort
  4. Beijing’s call for an apology from CNN may have been seen as tacit support for the attack. Or, at least that there would be no retribution if one did take place. This might be the most important factor of all.
  5. Reliving the glory days of the Sino-US cyber conflicts
  6. Making a name for themselves and building their own Chinese hacker cell. Many of China’s most famous hackers got their start during the early years of conflict with different nations.

Organization

With the decision made to launch an attack, they seem to have decided to use the website that cn_magistrate opened in 2007:

Domain Name: hacksa.cn
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns1.okidc.com
Name Server: ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

The website would be used as a central gathering point and for dissemination of information and organization. During this phase, they probably planned their basic attack formation and strategy. Using the QQ charts found on www.hacksa.com, I was able to make this very rough organizational chart:

(Yes, very rough and ugly chart. God I miss my I2 for making charts)

The QQ numbers listed six headquarters units (probably the more experienced hackers), 42 regular groups (actually 44, since he started with zero and may have accidentally listed group 32 twice), and one propaganda unit. For easy math, I took the number of headquarters units and evenly divided the regular units among them as best I could. You will note I put the two group 32s together and placed the leftover regular units into the final formation. The propaganda unit was made a separate organization, though some of the additional units may have belonged with it. Of course, cn_magistrate may have used a completely different configuration, but this is the one that made the most sense to me. The chart brings up several questions:

  1. The character 满 to the right of the groups means filled. Why did cn_magistrate skip the additional group 32 and group 33 when bringing the units up to full strength? Groups 37-42 seem logical if you are filling them in as recruits become available. Were the extra group 32 and group 33 special somehow?
  2. Only one of the headquarters units is shown to be full. Were they possibly having trouble getting skilled hackers to join the attack?
  3. How many people did it take to fill up the groups? We can guess that it was more than one, since a QQ number was assigned to each of the groups.
  4. What was the function of the propaganda unit? A possible answer is that it was to spread news if the attack turned out to be successful. It is useless to have a political attack if no one is aware it happened.

The next thing we can tell is the means they used to get recruits to participate in the attack. This was accomplished by posting requests on popular websites and probably through restricted registration areas. Here is a listing of just some of the websites the group posted to:

http://bbs.neteasy.cn/showthread.php?p=984976

http://www.coogo.net/bbs/showtopic-444648.aspx

http://www.ytjt.com.cn/bbs/redirect.php?tid=36644&goto=lastpost

http://www.ipark.cn/bbs/Post.asp?PostID=836336

http://blog.xuite.net/lemon_head/simple/16728332

http://tieba.baidu.com/f?kz=357748876

http://bbs.hackbase.com/viewthread.php?tid=3210548

http://tianya.com

The group used these sites to request compromised computers and, although I can’t locate the posting now, also funds. Was the donated money meant to be used to rent botnets?

Stockpile

The website http://playgood.ys168.com was used to stockpile scripted software that could be downloaded by recruits who had little technical ability.

End Game

Finally, the assault was called off and then the organization was disbanded. The big question: why?

  1. As stated, too many people were aware of the operation
  2. Unable to fill the units enough to be effective
  3. Just plain worried about the consequences
  4. Beijing sent out an order to shut it down

Please feel free to comment on other things we should have learned from this or where I totally botched this analysis.

2 Responses to “Anatomy of a Chinese hacker attack”

  1. Heike on 21 Apr 2008 at 9:14 pm

    Robert,

    Sorry, for some reason the spam filter picked on your comment. Glad you like the site design and we would be happy to have you come by anytime.

    Actually, I can’t take too much credit for the site design, wordpress does the heavy lifting.

  2. Barry Greene on 22 Apr 2008 at 8:57 pm

    On the guess that “Beijing sent out an order to shut it down,” did anyone see a press comment from officials in Beijing?