Archive for the 'Hacker History' Category

Jul 14 2008

Bruce Schneier: The Truth About Chinese Hackers

Bruce Schneier

Bruce Schneier is a well-known security and cryptography researcher.  He has a popular blog where he posted his recent article detailing “The Truth About Chinese Hackers”, which was written for Discovery Channel.

This article is not particularly insightful and sort of lumps all of the Chinese hackers into a single group of young, male patriotic kids doing it for the babes and limos.

These hacker groups seem not to be working for the Chinese government. They don’t seem to be coordinated by the Chinese military.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living.

This is very short-sighted.  We should be honest here: neither Bruce Schneier nor Heike and I know with absolute certainty what Chinese hackers are doing, who is coordinating them and who might be paying them.  Maybe the article shouldn’t be titled “The Truth About Chinese Hackers” because Bruce doesn’t know what the truth is (Heike would have said that he couldn’t handle the truth either, but that’s not my style).

I think a lot of people assume that activity attributed to the PRC is simply based on the IP address.  After studying spear phishing attacks, custom malware attacks and the types of data that have been exfiltrated from various NGO targets it seems likely that some entity is coordinating the collection and exploitation of this information.  In my humble opinion, there may be more to this than WoW passwords.


6 responses so far

Jul 13 2008

Chinese hacker Withered Rose returns

UPDATE: Dominic reminds me that some people might not be as Chinese hacker obsessed as myself and suggests I give some links as to why Withered Rose is important.  Whoops on my part! For some background on rose, read here and here.

As mentioned yesterday and updated today, Withered Rose (Tan Dailin) is back to his old haunts; both mghacker.com and ncph.net websites are up and running again. Just a couple of observations:

1) Rose has done some scrubbing of his personal blog mghacker.com. I had to go to the Wayback Machine to make sure, but you can tell a number of posts have been deleted for some reason by comparing the Wayback Machine copy to what is listed on the current blog’s archive. Rose has wiped out everything prior to March of 2007 and selectively edited the months still showing.

2) Not sure why, but at least four of the new posts on ncph.net are old posts from the mghacker.com blog:

a. 再现社会工程学 (“Social engineering revisited”)
Mghacker: 29 Mar 2007
Ncph: 31 May 2008

b. 3389密码的嗅探 (“Sniffing 3389 passwords”)
Mghacker: 29 Mar 2007
Ncph: 11 May 2008

c. Rainbow Table 分析 (“Rainbow Table analysis”)
Mghacker: 10 Apr 2007
Ncph: 11 May 2008

d. 获取cuteftp中的ssh密码 (“Obtaining the SSH password from CuteFTP”)
Mghacker: 16 May 2007
Ncph: 11 May 2008

3) Whois data shows the NCPH.net administrative contact as:

Administrative Contact:
ncph studio
ncph studio ()
si chuan li gong xue yuan
zigong, Sichuan, cn 643000
P: +86.13154663992 F: +86.13154663992

Sichuan Ligong Xueyuan is the Sichuan University of Science and Engineering. Rose founded NCPH while a student at the university. A Chinese hacker going by the name of Rodag, who was also a member of NCPH, lists the university as a contact on his blog.

The contact number, 86.13154663992, was noted by Jumper in an IRC log quoted in this earlier comment:

jumper on 08 Dec 2007 at 11:04 pm

In the second picture of Rose, he is using a tool called Metasploit on his computer. http://www.metasploit.com.

iDefense has a lot of stuff on NCPH and Rose. There are a couple of archived webcast videos about them on iDefense’s website. I did a bunch of searching and found this funny tidbit:

21:41 gila poyo
21:41 you computer is hack by chinese’s hack infall, shit!
21:41 from http://www.chinahonker.com my name is tan dailin
21:41 contact us with QQ 5372453 or
21:41 tel:86+0+13154663992
21:41 my blog :www.mghacker.com or http://www.ncph.net
21:41 ~~~~~~~~~~~~~~~~~~~~~~~~~shit! you are a pig !
21:41 i found this in some machine
21:41 haha
21:41 YOUR COMPUTER IS HACK

It is from an archived IRC log. There isn’t any more context to go off of, so I’m not sure who is who in this. Gila poyo is Malay, but I don’t know what it means.

My guess is that the two of them are old college buddies.

4) What does this random sampling of information mean? Not much. Just wanted people to be aware that Mr. Rose is back in business and on the internet.


4 responses so far

Apr 22 2008

Return of Poizon B0x?

Does anyone remember Poizon B0x from the “Sino-US Hacking War” years ago?

Some Chinese hacker group thinks Poizon B0x is coming back on a “China Killer” rampage in what they describe as a second round of the Sino-US hacking war.  Here is the gist of a board post from April 20, 2008:

Red Alert:  Beware of the United States hacker organization Poizon B0x coming in again.

No news organizations are reporting this but [rumors] are spreading around the Internet that a new round of the Sino-US hacking war [is coming... and] a May 1/Golden week special youth day counter-offensive [is planned], we hope for a lot of support in the counterattack!

The May 1st date mentioned above is highly significant as it coincides with the anniversary of the EP-3 incident in 2001 and the start of Chinese hacker counter-attacks:

American cracker group PoizonBOx has defaced at least a hundred Chinese websites since April 4 (2001). Chinese hackers are now vowing to retaliate with a planned week-long all-out crack attack on American websites and networks which will start on May 1 (2001).

At this point, it is difficult to tell if this is speculation or if it is based on some defacements attributed to Poizon B0x.  I can’t seem to find much else to corroborate this post, so I’m a bit skeptical about all of this.  I’ll monitor the board and report any news as it comes in.  Any offline comments or questions can go to jumper *at* thedarkvisitor *dot* com.


No responses yet

Apr 03 2008

More press for Heike

Published by jumper under Hacker History, Nationalism

This article is a bit short on news for TDV readers but it quotes Heike’s alter ego:

China cracks down on insider cyber hacking

If anyone has a link for the Newsweek article mentioned, please post it in a comment.


One response so far

Feb 18 2008

The Empress Dowager of Chinese Hackers…

darkangel1.JPG

That was my original title for this article but it has changed; now I consider her the Keyser Soze (The Usual Suspects) of Chinese hackers.  I have gone through so many websites trying to figure out her past and just who she is that it has become a blur.  She is light, she is dark, she is mean, she is sweet, she is 26, she isn’t nearly that old…etc.  It is as hard to get a handle on her as it is to figure out the correct spelling of Keyser Soze, if that is indeed how it is spelled.  Anyway, I decided to just let you know what is not in contention and cut out all the other noise:

She was a member of the Six Golden Flowers until they broke up.  The line underneath the picture at the top says:

“Don’t bring up the Six Golden Flowers with me again, I am developing on my own.”

flower31.JPG

Dark Angel’s Picture from The Six Golden Flowers

She goes by the names Dark Angel (黑暗天使) and Heihaitang (黑海棠).  As always with Chinese hackers, the meat to bone comes with the current website they run.  And, what she is doing now is using her reputation to sell hacker classes…just like every other Chinese hacker of any weight.

She offers 181 individual classes for about US $17 each (no deadline) and a year long structured course of 14 classes at US $170 (internal programs are free of charge).


One response so far

Feb 17 2008

The Six Golden Flowers…China’s Female Hackers

It is rare to find mention of the role women play in Chinese hacker society, so I was surprised to find a page dedicated to the “Six Golden Flowers.” The text written on the pictures gives a small history of their years in hacking but little else.

flower1.JPG

flower3.JPG

flower4.JPG

flower5.JPG

flower2.JPG

Digging a little further showed that in 2007, security media sources inside China named one of the members of the “Six Golden Flowers” as the most active and influential Chinese hacker in the country.

Another member of the group has received a great deal of press and even a video tribute…
Continue Reading »

2 responses so far

Feb 11 2008

Recent Articles

Chinese waging online spy war - theage.com.au

“I wouldn’t characterise the attempts as necessarily malicious, just routine espionage aimed at getting an advantage,” a Canberra-based intelligence source told The Sunday Age.

Interesting comment…

Combating Enemies Online: State-Sponsored and Terrorist Use of the Internet - The Hawaii Reporter

This is a good overview of cyber attacks in general.  It discusses the attacks on Estonia as well as Titan Rain.  The piece is well-cited and includes a lot of great links.


No responses yet

Jan 11 2008

2007 Summary of Chinese Hacker Activity

Saw this article and had some reservations about posting it for a couple of reasons.  1) The title is Chinese Cyberwarfare, which this most certainly is not.  You can classify them as cyber attacks, intrusions or whatever, but this does not even come close to cyberwarfare.  2) This paragraph:

China’s information warfare expertise likely stems from a group that refers to itself as the “Red Hackers Alliance.” The Alliance operates as a government- or party-backed organization that specializes in network security, software development and patriotic hacker training.

The Red Hacker Alliance does not operate as a government- or even party-backed organization. I will have an article published in Iosphere magazine in the next couple of months that refutes this entire idea.  Am I saying that the Chinese do not have a cyber militia or branch of the PLA that deals with hacking?  No, of course they do.  The US has a branch of the military dedicated to cyber operations too.  However, the Red Hacker Alliance is not a part of the government or the military. Will the alliance stay a civilian organization?  I don’t think so, but that is for another day.

Didn’t mean to come down so hard on the article; it really is a pretty good summary of some of the 2007 Chinese hacker attacks.  2007, Chinese hacker year in review.


No responses yet

Dec 28 2007

Top Chinese Hacker of the Day

Proficient Windows Registry + BIOS

flyingfox.JPG

I know this has been slow going but…well, the holidays you know.  In the spotlight today:

  1. Real Name: Zhang Xinghu (张兴虎)
  2. Online Name: Flyingfox
  3. Organization: www.54hack.org, www.yl.net.cn
  4. Age: Unknown
  5. Known Hacks:
  6. Summary: Founder of China Youth Hackers Alliance.  In 2004 was a technical security advisor for a police station. Author of Proficient Windows Registry + BIOS

Added to list of Top Chinese Hackers.


No responses yet

Dec 18 2007

China Breeding New Race Of Super Hackers!! I Kid You Not.

Well possibly…

What happens when two of China’s historic Trojan designers marry? Yes, guy and girl hacker.  My guess is the next generation of Uber Hackers is soon to be born. It was bound to happen eventually, so let me introduce the happy couple:

GLACIER (Groom)

  1. Real Name: Huang Xin (黄鑫)
  2. Online Name: Glacier (冰河)
  3. Organization: www.xfocus.org
  4. Age: 29 (In 2007)
  5. Known Hacks: Developed the Glacier Trojan, China’s most popular
  6. Summary: Graduated from Xi’an Electronic Sci-Tech University. Married to Chinese female hacker Wollf. In 2006, he was 28 years old and a resident of Guangxi. Godfather of the Chinese Trojan.

WOLLF (Bride)

  1. Real Name: Wang Juan (王娟)
  2. Online Name: Wollf
  3. Organization: Unknown
  4. Age: 27 (in 2007)
  5. Known Hacks: Developed the Wollf Trojan
  6. Summary: Born in Sichuan and has worked in a Hainan network company. The mother of Chinese Trojans.

Both added to Top Chinese Hackers


No responses yet

Dec 14 2007

Chinese Hacker Civil War

中国黑客内战

It is very likely that within the next 2-5 years, a major civil war will erupt between factions within the Chinese Red Hacker Alliance. I’m making this forecast (analysts love to use this term rather than “predict” because it is easier to fluff off when you are proven dead wrong) based on the following reasons:

  1. The organization has all but lost its nationalistic character and is rapidly shifting/shifted toward one based on profit motive. This has caused the movement to lose much of its cohesion and sense of unity. If there isn’t an event to rekindle their patriotic spirit, the group will splinter.
  2. Increased competition between different factions to earn money, attract recruits and sell products is at an all time high. Chinese hackers are reaching a saturation point in their marketing of Trojans, viruses and training courses. This will only add to the tensions already present. Chinese hackers have moved from a circular shaped structure to a pyramid; the scramble to reach the top will do nothing to alleviate these tensions.
  3. Internal hacking attacks and threats between different cells have been documented in my book and by the Chinese themselves. The year 2004 saw the first skirmishes in this war and the environment does not seem to have improved. Combine these elements with the youthful age of the alliance and it will cause some members to act in the extreme.

What brought on this sudden prediction? It has been something I have thought on and off again since the beginning of this research. The ideology that holds them together is too difficult to maintain during periods of inactivity. What do you do with young nationalists who have no war to fight, no motherland to defend? They either get bored and move on…or start to eat their own.

A posting on Janker’s website titled “Chinese hackers, what is going on?” makes the observation that, “recently there has been turmoil inside the Chinese hacker security circle.” He cites numerous examples of Chinese hackers attacking each other and is exasperated at the state of the alliance. These examples go from December of 2004 to June of 2005. One commenter, going by the name of Kerberos, actually used the term “civil war” to describe the situation. Another website even called it the “Hacker Warring States,” a reference to the Chinese Warring States period.

So why did I wait to have my own thoughts reflected in the Chinese Hacker community before making this prediction (sorry, forecast)? I personally think it is wrong to apply “Blue” thinking to explain a “Red” paradigm. What appears logical to us does not always fit neatly into different cultures. Western societies use linear logic while Eastern cultures often apply circular. The dialectic thought process is not always clear or easy to decipher. Fine, I just don’t get ‘em.


3 responses so far

Dec 12 2007

The Lonely Swordsman

孤独剑客

(Lonely Swordsman)

Janker Wiki on Hackbase

Thanks to the propensity of every organization to have their own wiki, I have finally been able to nail down the two founders of the “Ultra Right-Wing Chinese Hackers Opposed to Japan Alliance”. Yep, a mouthful. The group was established in the year 2000 and played a significant role in both the Sino-Japanese (2000) and Sino-US (2001) cyber conflicts. Here is a little on the group from my book provided by Chu Tianbi:

The year 2000 would bring both highs and lows for the Red Hacker Alliance. From late January to mid-February, a group calling themselves the “Ultra Right-Wing Chinese Hackers Opposed to Japan Alliance” claimed to have attacked some 30 Japanese web sites “belonging to the ministries, the prime minister, parliament, and the state planning agency.” This was in retaliation for what the hackers perceived as a denial of the Nanjing Massacre following the loss of a Japanese court case by Azuma Shiro. Azuma Shiro was a Japanese soldier who maintained a diary during WWII that recounted Japanese atrocities in Nanjing. The diary was published and his former superior immediately sued Shiro for libel. Shiro lost the case and subsequent appeals in 1998 and 2000. Their web site, located at Http://www.bsptt.gx.cn/public/badboy/hack/, posted an open letter to the Japanese government that stated:

“Let it be known that the objective of this alliance is to carry out savage attacks on the small number of Japanese mad-dogs on the net. The alliance is comprised completely of fervent patriotic Chinese net-worms.”

The site provided over 300 Japanese government URLs, the e-mail addresses of over 100 Japanese representatives, and dozens of the most effective hacker attack tools. Furthermore, the site explained how to use these tools to attack Japanese web sites. In an online interview with Computer Journal, a hacker calling himself “ROOT,” admitted that the paralysis of the web sites for the prime minister’s office, the Bureau of Statistics, and the Bureau of Science and Technology were his doing. ROOT complained that the attacks on Japanese web sites occurred because of dissatisfaction with the Japanese government’s far right denial of the historical facts of the Nanjing Massacre:

“I did absolutely everything by myself. The payback for little Japan didn’t require anyone else. I think I’ve done what anyone should have done as a Chinese person, and anyone else would have done this. I hope they connect what I’ve done with what happened in Osaka, giving a warning to the Japanese devils.”

Continue Reading »

One response so far

Dec 03 2007

Javaphile, Buddhism, and…The Public Security Bureau?

This hunt for Coolswallow of Javaphile begins, right here at our website…

mysitemeter.JPG

On the 1st and 2nd of this month, the site started receiving a lot of traffic from the Shanghai Jiaotong University bulletin board. A poster going by the online name ericool linked to an article (UPDATE: ericool has removed the link) previously posted here about Javaphile. Ericool said that the information I got about Javaphile was taken from his old website (he is absolutely correct), and since all that info came from Coolswallow’s blog…that means that Ericool is in fact…Coolswallow. A much earlier posting by Ericool in 2002 leaves little room for doubt (note the moniker circled in red at the bottom of the post):

javaphilepostasericool.JPG

The reason I have been following Coolswallow is that he was fairly active during the US and Chinese cyber conflict that occurred over the collision between a US EP-3 reconnaissance aircraft and a Chinese fighter. One of the characteristics that makes Coolswallow stand out from the normal Chinese hacker is his scholarly work on Buddhism. It is a theme that has repeated itself throughout his writings and will be the primary cause for some speculation later in this search.

Started running some searches on ericool and found him linked to the Beasts of Burden Society, which is composed of graduate students from Jiaotong University. The society has been putting on a wide variety of academic seminars on various topics for the last two years.

(Image Removed upon request)

For their 2nd anniversary, the lecture was titled “Hacker in a nutshell” and was given by Peng Yinan (彭一楠). According to the press release, Peng Yinan is a security information consultant for the Shanghai Public Security Bureau and a senior hacker. Furthermore, he uses Vajracchedika-Sutra Buddhism to explain the characteristics of hackers. Hmm, suspicious… Here is one of the fliers for the lecture that took place at the Chen Ruiqiu building on the 31st of October, 2007:

coolswallow.JPG


Continue Reading »

4 responses so far

Nov 29 2007

The Return of Goodwell (龚蔚)

CAUTION: I usually do not link directly to hacker websites for one reason: I don’t want people getting something nasty uploaded to their machines. This is that “don’t try this at home” warning. I am going to link directly to Goodwell’s blog, but I still do not suggest you follow it unless you are sure you know what you are doing.

Reported several days ago about Goodwell’s online gaming in World of Warcraft and figured that might be the end of it. However, got a visit on the website from isbase.net and decided to see what was up:

greenarmylogo.JPG

Logo for the Green Army Corps

The site’s BBS has a large number of participants; the screenshot below does not even capture the full membership. Only copied out the two columns that show the TOPICS and the number of POSTS to give you an idea of the size:

greentopicsposts.JPG

Scrolled down the BBS a little farther and there was a blog listed for…drum roll…

Continue Reading »

No responses yet

Nov 17 2007

Evolution of the Red Hacker Alliance

Published by Heike under Hacker History

Timeline Chart

timeline.JPG

Based on available data, it is the author’s opinion that the Red Hacker Alliance first came into existence in 1998. This was the year that ethnic riots in Jakarta, Indonesia served as a catalyst to bring together existing independent hacker elements and fuse them into a cohesive unit under the banner of nationalism. During this time period, previously independent web sites actively formed connecting links with each other and coordinated attacks against Indonesian government web sites to protest the brutal treatment of ethnic Chinese. Sharp Winner’s comments related to the event demonstrate that this is the earliest appearance of the concept and term Red Hacker:

“A group of patriotic youth active on the net engaged in attacks on Indonesian government web sites, under the alias ‘China Redhackers.’ This patriotic action received a great deal of reporting and praise in the domestic and overseas media. The name China Redhackers began here.”

Chu Tianbi’s historical account claims that it was the 1999 US bombing of the Chinese Embassy in Yugoslavia that created the alliance, and that this was when their first web site appeared: Continue Reading »

No responses yet