Archive for the 'Hacker Organization' Category

Jul 02 2009

New leader of the Red Hacker Alliance?

During the Olympic Games, a secret organization was formed by a Chinese hacker named Wang Zi to protect Olympic websites against foreign hackers, and while they won’t say so, reprisals were probably taken against offenders.

This article, from the People’s Daily, details Wang Zi’s efforts to bring back the patriotic spirit of the Red Hacker Alliance.

“The Tao that can be described in words is not the true Tao. The Name that can be named is not the true Name,” – the first two sentences of Tao Te Ching are the slogan of hong ke that appear on the new union’s new homepage.

After the Olympics, Wang Zi’s group retired from the web for a short time, and then on the first day of this year, the group made a bold new announcement.

The blurb on their newly-launched website reads, “Hong ke culture is back. We will hold and transmit hong ke spirit focusing on justice, pioneering and love for the motherland.”

Lin Lin, the leader of Evil Octal (another Chinese hacker organization), disputes Wang Zi’s claim to the title of new leader:

“Lion is the spiritual leader of the hong ke union,” Lin Lin, a leader of hacker group Eviloctal Security Team, told the Global Times. “And without him, no hong ke organization can be regarded as a reorganization of the original.”

The article goes to great lengths to distance the organization from any suggestion that it is government-sanctioned:

Wang Zi says his union is a purely non-governmental organization. They could not register the union’s name with the Ministry of Industry and Information Technology until they deleted “Zhongguo” (China) from it.


Apr 24 2009

Hackers: the China Syndrome by Mara Hvistendahl

Best hobby in the world.

It was absolutely my privilege to spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers. She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.”  I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl



Apr 02 2009

Hunting the GhostNet Hacker

UPDATE: James Tay from Citizen Lab left us a comment. That’s right, part of the support team for the Ghostnet Report. God, we really should have cleaned up the place. Thanks for taking the time to stop by, James! (Originally I stated he was a contributing author; James has clarified.)

UPDATE2: Lost33 is now in contact with us and we are trying to get his side of the story.  He has requested we mask his QQ number now that he is in contact and we have complied.  (Never do late night updates.  A commenter pointed out that the original wording for this update sounded like we were holding his QQ hostage unless he spoke with us.  That certainly wasn’t my meaning but that is definitely what it sounded like.  Just wanted to explain the reason for the sudden masking of his contact number.)

First, hats off to the researchers at IWM.  They did great work on the GhostNet project and we owe them a debt of gratitude for sharing it with us.

The Hunt

One aspect skipped over in the GhostNet report was the e-mails associated with the websites, losttemp33@hotmail.com and opanpan@gmail.com. For the last two days, Jumper and I have been tracking them down to see where they would take us.

Comparing the Whois returns for two of the websites involved, macfeeresponse.com and scratchindian.com, yields startlingly similar results:

[Image: ghostnetwhoiscompare, side-by-side Whois results for macfeeresponse.com and scratchindian.com]

We conclude that this is the same person using different e-mail addresses or associates working together.  The domains are registered on the same server and are too close in content to be considered a random coincidence.
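The same comparison can be done programmatically. The following is an added example, not code from the original post: it parses two Whois records and reports which registration fields agree. The record text is constructed with placeholder values for the two domains named above, not their real registration data.

```python
import re
from typing import Dict, List

# Constructed WHOIS excerpts for the two domains named in the post. Every field
# value below is a placeholder invented for this example, not the real record.
WHOIS_A = """\
Domain Name: macfeeresponse.com
Registrant Organization: PLACEHOLDER-ORG
Registrant City: Chengdu
Registrant State/Province: Sichuan
Registrant Email: first-contact@example.invalid
Name Server: ns1.placeholder-host.invalid
Name Server: ns2.placeholder-host.invalid
Creation Date: 2008-01-01
"""

WHOIS_B = """\
Domain Name: scratchindian.com
Registrant Organization: PLACEHOLDER-ORG
Registrant City: Chengdu
Registrant State/Province: Sichuan
Registrant Email: second-contact@example.invalid
Name Server: ns1.placeholder-host.invalid
Name Server: ns2.placeholder-host.invalid
Creation Date: 2008-01-03
"""

# Fields whose agreement points to common control. The e-mail field is left out
# on purpose: the post's point is that the same actor used different addresses.
PIVOT_FIELDS = ("Registrant Organization", "Registrant City",
                "Registrant State/Province", "Name Server")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key: value' lines into a dict; repeated keys (name servers) accumulate."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1), []).append(m.group(2).lower())
    return record


def shared_fields(a: Dict[str, List[str]], b: Dict[str, List[str]],
                  fields=PIVOT_FIELDS) -> Dict[str, List[str]]:
    """Return the pivot fields whose value sets are identical in both records."""
    return {f: sorted(a[f]) for f in fields
            if f in a and f in b and sorted(a[f]) == sorted(b[f])}


def likely_same_registrant(a, b, threshold: int = 3) -> bool:
    """Flag the pair when at least `threshold` pivot fields agree."""
    return len(shared_fields(a, b)) >= threshold
```

Agreement on organization, location and name servers across two domains with different contact e-mails is the pattern the post describes; the threshold is a judgment call, not a rule.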

The Opanpan e-mail went nowhere, so we concentrated on losttemp33. A simple Google search for the e-mail address led us to the website for Programmers United Development Net:

[Image: ghostnetPUDN, the Programmers United Development Net search result]

Clicking on the link leads to three programs losttemp33 provided for download.

Next we were able to locate a post from 2005 on Windows hacking:

[Image: ghostnetfirstemail, the 2005 post on Windows hacking]

Notice that the author of this post uses the signature Lost33 in the upper left-hand corner.  Using the signature Lost33 and the Chinese characters for hacker (黑客), we were able to find an individual who was associated with Xfocus, Isbase and even seems to have studied under Glacier.  More importantly, we found a blog under the same name.

[Image: ghostnetmopprofile, Lost33’s blog profile]

This blog stopped getting updates in 2006 but provided us with a couple more clues to keep searching. The first red box shows the date of birth as 24 July 1982 and place of current residence as Chengdu City, Sichuan. It is important to recall that all of the Whois results for GhostNet-associated websites showed Chengdu, Sichuan as the city and province for the organization. The second red box at the bottom is Lost33’s personal motto, “The bored soldier swaying on an empty battlefield.”

We kept searching but it seemed like we had hit a brick wall; Lost33 vanished from the internet in 2006. That was when we decided that a person might change their user id but never their motto. Can’t abandon your motto.

Plugged in “The bored soldier,” and bingo…The Bored Soldier’s blog space:

[Image: ghostnetbannerheader, The Bored Soldier’s blog header]

Lost33 now blogs under the name Damnfootman:

[Image: ghostnetdamnfootman, the Damnfootman blog]

Why are we sure this is the same person as Lost33?  Well, they not only share the same motto but birth date and place of residence as well:

[Image: ghostnetprofile, the Damnfootman profile showing motto, birth date and residence]

Blog bits of interest

  • He has a link on the website to the Chinese hacker forum for Eviloctal and our dear friend Sunwear.

We have left a couple of posts on Lost33’s blog and are waiting to see if he will respond:

[Image: ghostnetpost, our note left on Lost33’s blog]

The note asks Lost33 if he would be willing to discuss the GhostNet matter with us.

There were two QQ numbers associated with the opanpan and lost33 email addresses.  We attempted to contact both of them but were rejected.

Summary

While we are aware that there are other lost33 websites out there, such as myspace/lost33, these do not meet the profile of our hacker. It would be a very unusual set of circumstances that would lead to such a bizarre set of coincidences coming together as we have here:

  • The Ghostnet websites list Chengdu, Sichuan under organization and the pseudonym losttemp33 as the contact e-mail address.
  • The e-mail address losttemp33@hotmail.com has been posted on at least two websites dealing with computer programming. The post on hacking Windows shows that the person also uses the alias lost33 as an alternative to the full e-mail address.
  • An individual using the lost33 signature has posted on several Chinese hacker forums including Xfocus and Isbase (the Green Army). He may even have been a student under Glacier.
  • The first lost33 website shows a birth date of 24 July 1982 and current address as Chengdu, Sichuan. The website motto is, “The bored soldier sways on the empty battlefield.”
  • The second “bored soldier” website is clearly owned by the same person as the first lost33 website. The owners were born on the same date; both live in Chengdu, Sichuan and use the same motto. The new website has links to known hacker websites (Xfocus, NSfocus and Eviloctal), links to hacker programs, and demonstrates an education in technology (University of Electronic Science and Technology of China).

Obviously the weakest link in the analysis is the jump between losttemp33 and lost33 but we feel the weight of the evidence shows a connection. We do not conclusively claim this person is involved but we think further inquiry is needed.

<edit> – A few readers have asked for the QQ number that was redacted. Since lost33 doesn’t seem to be using that QQ number anymore, here is the original screenshot:

[Image: lost33’s QQ, the original screenshot]


Feb 24 2009

The “Crab Group” virus dissemination family

According to Kingsoft Anti-Virus, the “Crab Group” is one of China’s top-5 virus dissemination families and responsible for the recent infection of around 30 million computers.

Kingsoft’s 2008 Year-End report reveals that within hacker circles, the majority of money is earned by establishing viral dissemination chains.  While a virus author may earn a salary of one million yuan a year (approx USD 150,000), it was possible for a viral dissemination group to earn ten million yuan (approx USD 1.5 million) yearly.

The Crab Group had gained access to an unidentified trusted server in Guangdong, uploading viruses and trojans to popular websites. The group had been using the “Cat Ringworm” virus, a.k.a. Charging Bull, as their primary dissemination tool and infected around 30 million computers.

For background on the Chinese hacker virus industry chain read here, here, and here.


Feb 23 2009

Wendell Minnick and Defense News

Published by Heike under Hacker Organization

First, even though Mr. Minnick was kind enough to mention me in this report, he did all of the heavy lifting and investigation. My VERY limited contribution to his work was simply commenting on things he uncovered. The equivalent of one person watching someone else work and telling them your opinion of their labor.

Defense News
02/23/09
Chinese IT Firm Accused of Links to Cyberwarfare
By WENDELL MINNICK

TAIPEI — In the past 10 years, Beijing-based Venus Info Tech has become the dominant provider of information technology (IT) network security to the Chinese intelligence and military community.

It also has been accused of providing hacker services that help the Chinese government penetrate foreign government computer networks. Sources also accuse Venus of helping Beijing build the “great firewall of China,” by developing software to monitor and control the domestic Internet.

Finally, Venus has operating agreements with Microsoft and other non-Chinese firms, which Western observers say may help Beijing find vulnerabilities in other governments’ networks.

The firm “is heavily party affiliated and the company personnel go through party indoctrination because they handle state secrets,” said Scott Henderson, author of the book, “The Dark Visitor — Inside the World of Chinese Hackers.”
“I would be very worried about U.S. companies working with this type of organization; [it] gives them too much access.” Venus officials declined requests for an interview.

Continue reading on the Venus story by Wendell Minnick…

UPDATED: My apologies to Mr. Minnick, I didn’t notice he had this story up on his personal blog so I have deleted the full story and left the teaser.  The rest of the story is continued on his blog.  Please click over there.


Feb 15 2009

Charging Bull and Chinese Vampire

[Image: bullvampire]

What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.

Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.” It probably got the name from appearing around the same time as the Chinese New Year, the Year of the Ox. Let’s face it, “Charging Ox” does not sound cool.

In June of 08, we told you about Chinese Vampire and later the next month about the big controversy surrounding the original author.


Jan 31 2009

1 million registered Chinese hackers

Published by Heike under Hacker Organization

It is hard to believe that a man is telling the truth when you know that you would lie if you were in his place.

-H. L. Mencken

The Chinese hacker website Hackbase has been running a promotion during the holidays trying to bring their number of registered members up to one million. On 30 January, they announced the achievement of that goal.

The lucky one millionth customer registered under the name Vpn88 and got prizes worth nearly 3,000 yuan.

  1. A Hackbase Diamond Membership for one year, valued at 988 yuan
  2. A set of seven Hackbase special training classes valued at 1,800 yuan
  3. A 4G thumbdrive valued at 80 yuan
  4. An honorary Hackbase forum medal
  5. 1,000 in Hackbase forum money (?)

I’m a skeptic by nature but there may be some truth to this claim. Hackbase has been around for six years and gets a lot of traffic.

[Image: hackbasestats2, Hackbase traffic statistics]

You might even call them a “player.”

[Image: hackbasestats, Hackbase site statistics]


Dec 19 2008

How much money does a Chinese hacker gang make?

[Image: yuan]

Introduction: Rambling thoughts

There is an old military expression that says, “Amateurs study strategy; professionals study logistics.” Logistics is the ability to drive the train, to make sure that the troops have the capability to accomplish the strategy. What are the logistics behind a Chinese hacker attack?

1) Computers

2) Personnel

3) Transportation (Access to the internet)

4) Knowledge

5) Malware (Trojans, Viruses….etc)

6) Programs (Scanners, Dictionary attack tools…etc)

7) Money

8) More?

There is also a formula for threat assessment:

1) Intent: Without the intent to do harm, the threat assessment is considered minimal. Friends and allies are considered extremely low-level threats even if they have the capability to cause great destruction. Capability without intent lowers the risk factor considerably.

Clearly, Chinese hackers have demonstrated intent in the form of nationalism and monetary gain. CHECK

2) Capability: Does an adversary have the means to carry out the threat? While the enemy may wish to do you great harm, without capability it means little.

With a number of governments scrambling to secure and/or repair their information systems, there is little doubt Chinese hackers have the capability. CHECK

3) Motivation:  The determination to carry out and sustain the attack.

Motivation started in the form of nationalism but quickly turned to cash. Either way, the motivation to continue and sustain attacks is still present and shows no sign of decreasing. CHECK

So, what binds these rambling thoughts? Money, money, money! Without the financing to support their logistics, operations come to a standstill. Pull out logistics and you lose capability, leaving only intent.

Final random thought: A reporter once asked Willy Sutton, a bank robber, why he robbed banks.

“Because that’s where the money is”

-Willy Sutton, Bank Robber

And Now, back to your regularly scheduled program:

From Chinanews.com, the Wuxi court has found a gang of six Chinese hackers guilty of running phony websites designed to steal the passwords of online gamers. In less than half a year, the crew had earned over one million yuan (USD 146,000).

In July of 2007, the defendant, Mr. Ma, learned of a method to hijack domain name servers in order to steal account names and passwords from online gamers. He then asked his co-conspirator, Mr. Peng, to write the hijacking program.

In August and September of last year, Mr. Ma brought four other members into the gang and together they developed a scheme to get rich. In order to carry out the crime, the group invested 22,000 yuan (USD 3,200) in a computer, server and room rental.

Peng’s program was used to capture the domain name servers in ten provinces and cities such as Jiangsu Province, Liaoning Province, Shanghai, Chongqing…etc. After a user registered for the website, they would automatically be redirected to the gang’s forged website.

The gang members were sentenced from 1-4 years for the crime.


Dec 17 2008

Chinese hackers utilize amateur hacking groups for low-level espionage operations

iDefense 2009 Cyber Threats and Trends via Earthtimes:

Additionally, cyber warfare has become a reality in today’s political climate, and several regions are seeing a rise in politically and financially motivated activities. According to VeriSign iDefense, Russian hackers are the most effective group when it comes to cyber fraud, while Chinese hackers utilize amateur hacking groups for low-level espionage operations.


Dec 11 2008

Chinese hackers targeting French Embassy websites around the world

Chinese hackers are targeting French Embassy websites all around the world to protest President Nicolas Sarkozy’s visit with the Dalai Lama.

According to hack4.com, featured in a CNN documentary on Chinese hackers, the following French Embassy websites were successfully defaced:

French Embassy in the United States: http://www.ambafrance-us.org/
French Embassy in the United Kingdom: http://www.ambafrance-uk.org/
French Embassy in China: http://www.ambafrance-cn.org/ (latest news: already back to normal) (Repaired)
French Embassy in Canada: http://www.ambafrance-ca.org/

Visiting all of the above websites shows that either they were not defaced or have been repaired since the attack. Hack4.com points out that the following websites have not been hit, suggesting they are future targets:

French Embassy in Japan: http://www.ambafrance-jp.org/
French Embassy in Iceland: http://www.ambafrance-is.org/

Hack4.com gives this screenshot of the reported hacked website(s) (Deleted):

UPDATE: Better screenshots of the defaced French Embassy websites from 7747.net:

[Image: frenchembassy2, the defaced French Embassy websites]

(Sorry guys, just updated to Wordpress 2.7 and having a few problems. Can’t seem to get the screenshot to enlarge when you click on it. The three defaced websites are the US, UK and Canada.)

UPDATE: Once again, Eastwood has set me straight. Linked the image through the Chinese hacker website and now you should be able to pull up the graphic.
