Mar 21 2009

China more friend than foe, says white hat

Zhao Wei, CEO of Knownsec (aka icbm, formerly with Venustech and McAfee), gave a presentation at the recent CanSecWest security conference. The presentation was covered by yesterday. In it, Mr. Zhao asserts that all of the attacks coming from China are the result of its many compromised computers. Further, any country that wanted to launch a targeted attack on its adversaries could use China as a jumping-off point in order to hide its true origin.

Many people who haven’t been involved in studying targeted attacks would probably agree with this assessment. There is a lot of malicious traffic coming from China, and it tends to get noticed by organizations that don’t have any business in China. There is a lot of truth to icbm’s presentation, and it seems likely that Chinese hackers don’t control all of the Chinese bots.

However, the source IP address isn’t the only evidence we have to go on. In many cases, it is the type of information the attacker took from the compromised target that indicated their origin. There are a lot of similarities between attacks on Chinese dissident groups, defense, government and contractors that warrant a closer look. Commenters on articles like this usually note that the US, UK and EU are all doing this too. That may be the case, but there isn’t nearly as much press out there speculating about countries other than China (and Russia). Well, there is a small bit about Germany at least.

  1. Ana Cecilia on 21 Mar 2009 at 9:42 pm

    I understand now why the Juniper IDPs at the company I used to work for detected China as the source of 90% of attacks. I was wondering why Chinese hackers were so interested in a South American company?

  2. jumper on 22 Mar 2009 at 8:24 am

    Hello Ana, thanks for stopping by.

    For your organization, it may have been just like Zhao Wei presented. The malicious traffic is most likely due to bots, so there isn’t any specific interest in the targets that they scan. The bots are looking for exploitable vulnerabilities on ANY system, not yours specifically.

  3. zhao wei on 22 Mar 2009 at 11:40 pm

    Jumper is right, bots are just scanning randomly because we have a big malware problem in China now.

  4. CBRP1R8 on 23 Mar 2009 at 7:25 am

    I can agree with that, we’ve had multiple hits on both FTP and firewall ports getting hit with scheduled scans coming from Chinese IPs. But we also do business there, so it’s sometimes tough to know which one to look at and which not to hold suspect with legit traffic. Only good logs and internal tracking help to determine who’s a good guy and who’s a bad guy.

  5. Lotta on 24 Mar 2009 at 8:43 am

    I think this is probably true for a lot of the malicious traffic coming in to random businesses and home users in the world. The U.S. also looms large as a “source” of attacks, and that is based at least partially on the large numbers of compromised and internet-connected computers in both places.

    But the argument being pushed here rings ironically hollow for those of us who work at companies/organizations that are consistently targeted by Chinese hackers for the information contained on our servers. The attacks – including with very sophisticated social engineering techniques – are relentless and aggressive. Dismissing them as “just” a bunch of unknowing compromised computers really does a disservice to those of us who are trying to raise awareness regarding this issue among our partners and competitors alike.

  6. Heike on 24 Mar 2009 at 8:36 pm

    I agree with you that the argument is hollow.

    The reason I get frustrated with all of these assertions is that very few people provide their data.

    I understand OPSEC but without any foundation…so what?

    Yes, it could be other countries, other people…other planets.

    The reason I started this blog was to get away from theory. Show me what you know.

    However, to be fair…you need to show your hand too.

    Poker rules. :)