Jul 14 2008

Bruce Schneier: The Truth About Chinese Hackers

Bruce Schneier

Bruce Schneier is a well-known security and cryptography researcher.  He has a popular blog where he posted his recent article detailing “The Truth About Chinese Hackers”, which was written for Discovery Channel.

This article is not particularly insightful: it lumps all Chinese hackers into a single group of young, male, patriotic kids doing it for the babes and limos.

These hacker groups seem not to be working for the Chinese government. They don’t seem to be coordinated by the Chinese military.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living.

This is very short-sighted.  We should be honest here: neither Bruce Schneier nor Heike and I know with absolute certainty what Chinese hackers are doing, who is coordinating them, or who might be paying them.  Maybe the article shouldn’t be titled “The Truth About Chinese Hackers”, because Bruce doesn’t know what the truth is (Heike would have said that he couldn’t handle the truth either, but that’s not my style).

I think a lot of people assume that attributing activity to the PRC is based on nothing more than the source IP address.  After studying spear phishing attacks, custom malware attacks, and the types of data that have been exfiltrated from various NGO targets, it seems likely that some entity is coordinating the collection and exploitation of this information.  In my humble opinion, there may be more to this than WoW passwords.


11 Responses to “Bruce Schneier: The Truth About Chinese Hackers”

  1. Nils on 15 Jul 2008 at 11:11 am

    Whether or not people think “the Chinese government” (usually described as a monolithic entity in these discussions) is behind the attacks is a Rorschach test for people’s attitudes about the Chinese government: if you’re a Sinophobe, you posit that the government is behind the attacks; if you’re a Sinophile, you deny it. But neither opinion is based on actual evidence. Anyone who assumes that the Chinese government is behind the hacks does so on the basis of political prejudice — and nothing more. Then again, anyone who assumes that the Chinese government is NOT behind the hacks, is ALSO doing so on the basis of political prejudice — and nothing more. The only evidence-based conclusion one can reach is that we just don’t know. Anyone who you hear saying otherwise is full of it.

    The fact is that no one really knows whether or not (or, more accurately, how) the Chinese government is involved in the attacks. All people know for sure is that (1) there are shitloads of attacks coming from Chinese servers, some of which involve defacements of “anti-Chinese” sites, some of which are attempting to snoop Western government sites, and most of which are conducting cyberfraud of one sort or another; (2) there is a very large, very active, very public network of Chinese hackers who claim to be motivated by nationalist pride; (3) the Chinese government officially denies any involvement and condemns hacking as a crime.

    Nonetheless, on the basis of that thin knowledge base, “experts” expound all sorts of theories about Chinese government involvement in hacking or lack thereof — none of which are based on any concrete evidence. As I say, it’s prejudice, one way or another, and nothing more.

  2. jumper on 15 Jul 2008 at 12:16 pm

    @Nils -

    Very well stated.

  3. Heike on 15 Jul 2008 at 3:43 pm

    A lot of this talk goes back to circles of knowledge:

    1) What you know you know
    2) What you know you don’t know
    3) What you don’t know you don’t know

    Of course, we all pretty much live and breathe in circles one and two when trying to evaluate information. That third rung is too difficult for me.

    Unfortunately, the first two circles are also usually much smaller than number three and we can only try to reduce number three as we accumulate knowledge. Some people have the ability to make that leap to the unknown and frankly, I hate them for it. I still think it was crap they knew but refused to tell me! :)

    I would argue that we do have evidence of an NGO organization of Chinese hackers. Furthermore, the PRC has been very open about their creation of cyber forces, so we can probably take that as a given. Evidence exists that outside groups have used Chinese servers for bases/attacks/spam…i.e., the Russian Business Men. Many more knowns but you get the point. This is sort of circle one stuff.

    We can speculate about the nature of the relationship between these groups and who is responsible for what, but it is difficult to come to a consensus (hell, even with circle one stuff). Even though a lot of this is educated guessing, it at least begins to define what we know we don’t know. Circle two.

    The only problem I have is when circle two stuff gets all over my circle one stuff. Circle one has many more requirements than circle two and should be held to a higher standard. If you don’t provide that level of sourcing (argument for another day), then provide disclaimers and caveats.

    Circle three…Uh, Hmmm? A fish.

  4. Heike on 15 Jul 2008 at 4:01 pm

    Forgot to add that we might be a bit too quick to jump on Bruce here. There is a ton of info to support his claims about the character of “Chinese hackers.”

    Where I see a debate brewing and am just as guilty, is the definition of “Chinese hackers.” I prefer to define them as a civilian organization with many of the traits that Bruce described.

    The problem, as Jumper and Nils rightly point out, is that my definition is not universal. There is an argument a reasonable person could make that there is another group of “Chinese hackers” working for the gov/mil.

    So, can we find a way to talk about these groups separately?

  5. jumper on 15 Jul 2008 at 7:10 pm

    While I agree with you that there is a ton of info to support Bruce’s claims about the character of Chinese Hackers, I think it is wrong to make a broad generalization about them by lumping all of them into one group. Especially given the title of the article (The Truth About Chinese Hackers).

    I also agree that the problem we are having here might be that we are mislabeling Chinese hackers or misunderstanding the definition. There are a few ways to characterize “Chinese Hackers” (we won’t go into bored kids or unskilled script kiddies):

    1. Patriotically motivated hackers
    -Defacing websites perceived as anti-PRC or One China
    -Coordinating DDoS attacks on anti-PRC sites

    2. Money motivated hackers
    -Hacking game, bank, cc details
    -Redirecting donations to personal bank accounts
    -Malware oriented revenue (click through, rogue software)

    3. Government sponsored hackers
    -Although the PRC is open about having capabilities, there is no absolute proof that any compromise has been attributed directly to government sponsored hackers

    4. Government tolerated hackers
    -No absolute proof on this either
    -May or may not be providing intelligence to PRC

    OK. One and Two are obviously real. Three almost certainly exists but no outsiders know if they are actively engaging in exploitation and collection activities. Number four is a very common assumption. The line between three and four is vague and in my opinion should be distinguished by accepting compensation in return for intelligence and accepting direction or orders to collect intelligence (both would be three even if they are not formally engaged by the government of the PRC).

    I’m sure there is a lot to add to this but I’d like to hear what our readers think. Again – no outsiders know with certainty what is really going on so let’s not pretend that any of us do. I personally feel that the present situation with cyber attacks on NGOs and foreign governments at least suggest number four if not number three. I feel this way mostly because of the type of information that gets taken from victims and the type of malware that is used to compromise them.

    I hope that I have studied the situation carefully and objectively. I certainly hope that I am not a sinophobe (@Nils).

    I welcome any comments, suggestions or questions from readers.

  6. DNR on 23 Jul 2008 at 10:06 am

    I am an American, and I agree that the media seems to be presenting Chinese hackers in a bad light. I think that companies and governments are all too easy to blame IT/corporate policy problems on the Chinese hackers – back in my day it was the Russians, then it was the Middle East, and now it’s the Chinese.
    This is all a part of FUD – Fear, Uncertainty, and Despair. The governments want to dictate just how USA and China will be introduced to each other. The hacker propaganda only serves to make China look like an enemy, rather than a possible ally.
    If hackers are so smart – we should see this as an opportunity to make friendship across the digital divide, and disrupt this government policy of keeping people at war.

  7. Mao on 01 Aug 2008 at 7:19 am

    Anyone who believes in diplomacy contributing to beating the other guy has never finished in first place. Additionally, the media doesn’t know the right “sources” to provide anything clear on this issue. Even if they did, they are going to spin it so they can make better news stories.

    Individuals who have worked extensively with the Chinese or know their culture understand the robot mentality there. It’s definitely something average Americans are not cognizant of. Is it patriotism on their part? Yes. Are there young kids doing it for fame and coolness factor? Yes. Does the Chinese government have a CND and CNO division? Yes. Is the activity limited to just military and government data? Hell no. Are the Chinese the only threat in this regard? No.

    We are focused on the Chinese here but it really extends to the entire globe. All governments are interested in improving their countries’ GDP. It’s not all about military trade secrets and abilities. Improving the industrial might of a nation is far superior to just knowing what a potential adversary is capable of. If you want to argue that point, read about a war called WWII and what happened after Pearl Harbor was trashed. Adm. Yamamoto made a famous statement about the inevitable repercussions.

    Why just know what some can do when you can build a better product or countermeasure based on IP obtained from covert activities? I.E. – hacking, social engineering, open source collecting, placement of insiders (cough, cough, Wen Ho Lee), etc.

    Conversely, anyone who thinks the US doesn’t take part in these types of activities is about as sharp as a marble.

    Look, both sides are poking and probing each other in the digital sense. Independent Chinese hackers are involved and maybe the PRC is allowing it. It’s not like the US can extradite them if they know exactly who is doing it. If you guys in the US don’t like it, start your own counterattack. You are patriots too, right? Just make sure you launch the attacks from inside China.

  8. Heike on 03 Aug 2008 at 7:50 am

    Going to put aside your assessment that the Chinese have a robotic mentality (I don’t agree) and focus on the industrial argument.

    Here, I concur 100%. While we certainly want to protect government and military information systems, we have to remain cognizant that they exist to serve the citizens of their respective countries. If you are able to bypass those protections without resorting to a force-on-force confrontation, it creates a new paradigm.

    Why strike at the military when you can aim at the means of production? Not talking about shutting down power grids but using information as an advantage to out-maneuver your opponent. If I know Exxon’s negotiation proposal for oil exploration in a certain country, it makes my job easier to outbid them on that contract. Competition for resources has been/is going to be something we need to pay particular attention to in cyber security trends.

  9. AnteL0pe on 09 Aug 2008 at 8:24 am

    The reason the Chinese government is suspected is because of the level of coordination of the attacks. I previously worked inside DISA here in the US and the attacks on DoD networks coming from Chinese IP space were constant and coordinated. They ran the gamut from constant port scanning to spear phishing attacks to sophisticated vulnerability exploitation and firewall penetration.

    The ability to pull all of that off with the level of coordination that exists means that there is some sort of central organization of it all. The obvious organizing body would seem to be the government/military, but they aren’t the only possibility and I know of no “smoking gun” to prove it is the government.

  10. Heike on 09 Aug 2008 at 3:44 pm

    I’ve heard that expression “coordinated attacks” from a number of people but I’m still not quite sure what they mean. Would it be possible for you to explain?

    All of the other things like port scanning, spear phishing, vulnerability exploitation and firewall penetration also fit the profile of the civilian hacking group.

    I’m not trying to deny that the government is a possibility; I would find it odd if they weren’t testing us at the seams. I’ve just never been presented with any hard or cumulative data that points to government involvement.

  11. jumper on 10 Aug 2008 at 4:47 pm

    The important thing to remember here and the point of my post was, as AnteL0pe said, there is no smoking gun and because of that, we should try to remain objective about all of this. No outsiders can say with certainty what is going on except that in the case of .gov/.mil and dissident groups, the volume and sophistication of attacks is not seen elsewhere. This leads a lot of people to assume it is the PLA or state security but nobody knows with any degree of certainty. Even if attribution could be assigned to individuals within the PRC government or its proxy organizations, we still wouldn’t know if the individual was acting out of their own patriotic spirit or if they were doing it under the direction of the government.

    Whenever we talk about PRC government attribution, people always have two things to say:
    1. Geolocation of the IP address isn’t sufficient for attribution because the attacking host could be a compromised machine. We all know this. Nobody working on this subject would ever assume anything based only on network whois results.
    2. The US/UK/AU/EU is doing this also. Well, maybe they are. We at least know about the German trojan incident in Afghanistan. But we don’t know anything about western computer attacks on the PRC. If it is happening, the PRC government isn’t releasing information about it to the public media.

    Attribution is probably the top research question on a lot of people’s minds. Unless we get someone from the inside of the PRC government to admit it, all we can do is guess at this point.