Archive for the 'Tibet' Category

Jul 14 2008

Bruce Schneier: The Truth About Chinese Hackers

Bruce Schneier

Bruce Schneier is a well-known security and cryptography researcher.  He has a popular blog where he posted his recent article detailing “The Truth About Chinese Hackers”, which was written for Discovery Channel.

This article is not particularly insightful and sort of lumps all of the Chinese hackers into a single group of young, male patriotic kids doing it for the babes and limos.

These hacker groups seem not to be working for the Chinese government. They don’t seem to be coordinated by the Chinese military.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living.

This is very short-sighted. We should be honest here: neither Bruce Schneier nor Heike and I know with absolute certainty what Chinese hackers are doing, who is coordinating them and who might be paying them. Maybe the article shouldn’t be titled “The Truth About Chinese Hackers” because Bruce doesn’t know what the truth is (Heike would have said that he couldn’t handle the truth either, but that’s not my style).

I think a lot of people assume that activity attributed to the PRC is simply based on the IP address.  After studying spear phishing attacks, custom malware attacks and the types of data that have been exfiltrated from various NGO targets it seems likely that some entity is coordinating the collection and exploitation of this information.  In my humble opinion, there may be more to this than WoW passwords.

 


6 responses so far

Jun 25 2008

Summary: Chinese cyberwarfare threat by the Heritage Foundation

Published by Heike under Tibet, UK Attacks, US attacks

This is a very interesting read by John J. Tkacik on Chinese cyber attacks that runs counter to many of my arguments.  The PDF document titled Trojan Dragon: China’s Cyber Threat is 12 pages but well worth checking out.

Genesis of China’s Cyberwarfare

In the 1990s, China’s Ministry of Public Security (MPS), which manages the country’s police services, pioneered the art of state control of cyberspace by partnering with foreign network systems firms to monitor information flows via the Internet. By 1998, according to an insider’s account of China’s Internet development, the MPS and its subordinate bureaus found that their resources for monitoring the Internet had been overwhelmed by the sheer volume of Internet traffic—which by 1998 had not yet reached 1 million users in China.

Keep reading…


One response so far

Apr 24 2008

New “Kinda-Lazy” Chinese hacker attack on CNN scheduled for tomorrow. UPDATE x2

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!! :)

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was set up on the 20th (after initial attack) that is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issues regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five, six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>
var e=document.getElementById('cnn');
setInterval("e.src='http://www.cnn.com'",5000);
//1000 means 1000 milliseconds; you can modify and forward this
</script>

Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday as the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore”? Didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!
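A defender-side view of the refresh-loop pages described above, as an added example (not code from this blog or from Jumper): it scans web server access logs for clients that request the same page at a near-constant interval with the same external Referer. The log lines are constructed, and the hostnames, the combined log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlsplit

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)
# Assumption: hostnames of the defended site (placeholder value).
OWN_HOSTS = {"www.news-site.example"}


def parse(lines):
    """Yield (ip, timestamp, path, referer_host) for GET requests."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        yield m["ip"], ts, m["path"], urlsplit(m["referer"]).hostname or ""


def find_refresh_loops(lines, min_hits=6, max_jitter=1.0):
    """Flag clients that fetch one path, with one external Referer,
    at a near-constant interval (the signature of a timed reload)."""
    series = defaultdict(list)
    for ip, ts, path, ref_host in parse(lines):
        if ref_host and ref_host not in OWN_HOSTS:
            series[(ip, path, ref_host)].append(ts)
    findings = []
    for (ip, path, ref_host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Low spread between consecutive requests means a timer, not a person.
        if pstdev(gaps) <= max_jitter:
            findings.append({
                "ip": ip, "path": path, "referer_host": ref_host,
                "hits": len(stamps), "period_s": round(mean(gaps), 1),
            })
    return findings


def referers_to_block(findings, min_clients=2):
    """Referer hosts that drive loops from several distinct clients."""
    clients = defaultdict(set)
    for f in findings:
        clients[f["referer_host"]].add(f["ip"])
    return sorted(h for h, ips in clients.items() if len(ips) >= min_clients)


def constructed_sample():
    """Constructed log lines: two looping clients and one ordinary reader.
    IPs are documentation ranges; hostnames are placeholders."""
    start = datetime.strptime("25/Apr/2008:20:00:00 +0800", TS_FMT)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "{ref}" "Mozilla/4.0"'

    def line(ip, offset, path, ref):
        ts = (start + timedelta(seconds=offset)).strftime(TS_FMT)
        return fmt.format(ip=ip, ts=ts, path=path, ref=ref)

    loop = "http://loop-page.example/refresh.html"
    lines = [line("203.0.113.7", 5 * i, "/", loop) for i in range(8)]
    lines += [line("198.51.100.9", 2 + 5 * i, "/", loop) for i in range(7)]
    # An ordinary reader arriving from a search result at irregular times.
    search = "http://search.example/?q=news"
    for off, path in [(3, "/"), (40, "/world/"), (95, "/"), (300, "/")]:
        lines.append(line("192.0.2.44", off, path, search))
    return lines


if __name__ == "__main__":
    hits = find_refresh_loops(constructed_sample())
    for h in hits:
        print(h)
    print("referer hosts to filter:", referers_to_block(hits))
```

Real browsers add some jitter and not every client sends a Referer, so a finding is a lead for rate limiting or Referer-based filtering at the edge rather than proof on its own.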

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN website here.


4 responses so far

Apr 21 2008

Chinese hackers displaying CNN hack trophy?

Published by Heike under Nationalism, Tibet, US attacks

Danwei reporting that Chinese hackers are celebrating a successful hack on a portion of the CNN website with screen shots of their trophy:

The top picture is a screen grab that shows the current state of the website. The second image shows the hacked web page and the slogans left by the hackers, both in English and Chinese:


No responses yet

Apr 20 2008

Revenge of the Flame disbands, denies all responsibility for attack on CNN…and kills website

The leader of Revenge of the Flame has taken down his website and posted a disbandment notice.

!!!We salute our lovable motherland!!!

(graphic posted in the center of this statement does not load)

Revenge of the Flame disbanded

There are actually many ways to be patriotic, we do not want to be impulsive, we should study well, struggle and take great effort to gain knowledge. Only in this way can we develop our motherland and our motherland’s strength. This is all we really wish to see happen.

The Revenge of the Flame has already halted all DDOS attacks, we do not advocate the attack, we advocate diligent study of technology. From this point on, any attack whatsoever, has nothing to do with Revenge of the Flame. If any member of our group, Revenge of the Flame, participates in this type of activity, it is an individual action and has nothing to do with cn_Magistrate or Hackerwolf. Request that everyone make careful deliberations.

(Note: I was under the impression that magistrate hackerwolf was one word, one name but obviously it is two individuals. Here are their blogs; cn_Magistrate and Hackerwolf.)

Currently, everyone on the internet is using the instrument of attack as a means to express their passion and this has already obstructed the motherland’s normal network communications. This is something we do not wish to see happen. Regardless if it is “Revenge of the Flame” or not, we hope that everyone can rationally reflect on this question.

From this moment, the Revenge of the Flame is disbanded!! If there are any notifications after this, they will be posted here. We respectfully ask that you pay attention to this page.

Any attack whatsoever, regardless if it is by an individual or an organization, has serious consequences!!!!!!!!!!!!!!!!!!!!!!

The Revenge of the Flame exists no more forever!! We are now a “patriotic study organization” and we will take the flame into our heart! The Revenge of the Flame in our hearts can never be extinguished! We must struggle! We must work! We must turn our strengths into a shining sword spirit (this sentence may have a somewhat different meaning, not sure).

Without a doubt we must study even more, our forum has already been established. This is really our true exchange space.

http://bbs.hacksa.cn

cn_Magistrate
Hackerwolf

20 April 2008

To our lovable motherland, I say I love you!!


2 responses so far

Apr 19 2008

More from Revenge of the Flame on CNN attack

Located cn_Magistrate’s blog, the leader of Revenge of the Flame, here is a post from his blog on 18 April 2008:

As always, my thanks for everyone’s strong sense of nationalistic responsibility; once again, the Magistrate is grateful to everyone.

Today is 18 April, we are angry and we shall roar, the announcement follows:

  1. Prior to 8:00 pm on 18 April 2008, we invite everyone on IS (ID number 12570496). We will have an important matter to pass along. (This part a little rough on translation) Please note our compatriots will find a way online, obey directions that have been put in place.
  2. Tool download address, considering that there are many normal web users who do not have a high-degree of technical knowledge, we are providing idiot-type (really means for those who don’t know) tools for download. The download address: http://playgood.ys168.com/.  Everyone please pay attention to the group announcements.
  3. Everyone please remain disciplined, listen to the directions of each of the group managers.  Pay attention to your own words, deeds and essence.  We are all Chinese!

18 April 2008
cn_Magistrate
Hackerwolf


One response so far

Apr 18 2008

Chinese hacker group identified as “Revenge of the Flame” calls off attack on CNN…too many people know

Graphic Attached to Release by Revenge of the Flame

The Chinese hacker group that has been organizing to attack CNN has been identified as the “Revenge of the Flame.” They recently released a statement calling off the DDoS attack on CNN; however, it may have come too late to stop some of its members from going after the site. CNN has just filed a report stating that they had experienced an attack in an attempt to disrupt their website. For this reason, we will keep the clock up and see what happens tomorrow…it might not be over.

Statement from Revenge of the Flame:

In just three short days, our organization, the Revenge of the Flame, has grown large. First, I want to thank everyone for their strong sense of nationalistic responsibility. However, maybe we were too impetuous. We love our country! We will resist all anti-Chinese influences! However, we must choose the right way to come to the defense of our country, families and ourselves!!! After some core internal discussions, we have decided to temporarily cancel the 19th attack plan! The Revenge of the Flame organization still exists! Later we can be a computer discussion organization, we will study together for the day our country needs us! Our government and military will all mobilize! At that time, we will let those so-called foreign net-forces see! No matter where, China will never lose to them! We also have our net-forces! Perhaps at that time, our Revenge of the Flame will be the main strength! We all love our country! But, we must use sensible methods to defend our honor!

ATTENTION: Our original plan for 19 April has been canceled because too many people are aware of it and the situation is chaotic. At an unspecified date in the near future, we will launch the attack. We ask that everyone remain ready. I will repeat it again. At an unspecified date in the near future, we will launch the attack. We are only at present cancelling the attack. We could send out a notice on the day of the attack and have it completed in one day. The attack hasn’t been cancelled; it will be carried out on an unspecified day in the near future. I think everyone understands what we mean.

We hope that even more people with the Chinese national blood will join our actions. Only in unity is there strength. We are not individuals, we are a collective, and we are Chinese.

17 April 2008
Magistrate
Hackwolf
Source: http://www.hacksa.cn

Continue Reading »

9 responses so far

Apr 17 2008

BREAKING: Upcoming Chinese hacker attack on CNN building steam

Published by Heike under Nationalism, Tibet, US attacks

UPDATE: It looks like the organizers might be trying to put a stop to the attack due to the number of people who are aware of it. Translating some of it now.
UPDATE to UPDATE: While the group may be trying to call off the attack, it might be too late. CNN is now reporting that they have been targeted in an attempt to disrupt their web site.
FINAL UPDATE FOR THIS POST: See the newest release by the group planning attack on CNN here

First, I have added a clock with the Beijing local time because it crossed my mind that some people might be thinking the scheduled attack on CNN is going to take place on US date, time. Nope, Beijing local. So that means it is supposed to take place tomorrow. I will leave the clock up if you want to check back.

Second, many more Chinese sites, not just hacker, starting to call for the DDOS attack on CNN. Also they are starting to solidify their plans. Here are the details from one posting on the Guilin University of Electronic Technology bulletin board:

  1. Attack will start on 19 April 2008, at 8:00 pm
  2. DDOS attack on www.cnn.com
  3. The DDOS attack is going to last over three hours
  4. They need a large number of compromised computers to carry out the attack and are requesting everyone’s support in putting together the number needed

The plan has many more details but unfortunately the language is too technical for me to translate.

Here are additional sites calling for the attack on CNN.

http://bbs.neteasy.cn/showthread.php?p=984976
http://www.coogo.net/bbs/showtopic-444648.aspx
http://www.ytjt.com.cn/bbs/redirect.php?tid=36644&goto=lastpost
http://www.ipark.cn/bbs/Post.asp?PostID=836336
http://blog.xuite.net/lemon_head/simple/16728332
http://tieba.baidu.com/f?kz=357748876

Probably many more out there.

UPDATE: Carl Jongsma, from Computer World, was kind enough to provide us a little press on this breaking situation.

UPDATE: Tried once again to contact CNN and warn them of the scheduled attack. If anyone has a better contact than just their news tip e-mail, please inform them.

UPDATE (APRIL 18 1556GMT; Jumper): Arbor Networks is using their tools to monitor the situation.  Take a look at Jose Nazario’s post here.

UPDATE: Since we have some smart people looking at the blog, I wanted to post below part of the Chinese hackers’ attack plan. This seems to be part of the DDoS call for large numbers of attacking computers. Will supply what I can about the Chinese, though it is possibly wrong. If someone knows what this is referring to please post in the comments and we will move it to the blog:

总群:29332975 (This refers to the total number)
复仇的火焰分群1:10093595 (Revenge of the flame group 1)
复仇的火焰分群2:60087657 (Revenge of the flame group 2)
复仇的火焰分群3:17697381 (Revenge of the flame group 3)
复仇的火焰分群4:52911651 (Revenge of the flame group 4)
复仇的火焰分群5:13283694 (Revenge of the flame group 5)
复仇的火焰分群6:52274747 (Revenge of the flame group 6)
复仇的火焰分群7:13735729 (Revenge of the flame group 7)
复仇的火焰分群8:28556275 (Revenge of the flame group 8)
复仇的火焰分群9:8333214 (Revenge of the flame group 9)
复仇的火焰分群10:24207831 (Revenge of the flame group 10)
复仇的火焰分群11:18574877 (Revenge of the flame group 11)

UPDATE to UPDATE: Jumper figured out that these were probably the QQ numbers for the group leaders of the attack. When I went back and looked at some of the sites calling for the DDoS attack, one did list it as QQ群 or QQ groups.


24 responses so far

Apr 16 2008

BREAKING: Anti-CNN’s call for European protests spreading online
BREAKING: CNN possible target of Chinese hacker attack on 19 April
What?: Beijing police supplied eggs to protesters during anti-Japanese demonstrations

Anti-CNN has issued a call for the Chinese flag to wave over Europe on 19 April 2008. The call was issued to show opposition to Europe’s stance on the Tibet issue. Anti-CNN has called for all overseas Chinese in Germany, France, England and Holland to appear in a simultaneous protest. Overseas Chinese were asked to have their voices penetrate the European sky. It appears the protests may have been scheduled for April 26th, as the announcement asked for people who had already made plans, to switch them to 19 April. The protests on the 19th are scheduled as follows:

  1. 1500-1800hrs, 19 April 2008, at the Bundestag, Platz der Republik, Berlin
  2. 1300-1500hrs, 19 April 2008, two routes (from Talie – Hotel de Ville – Bastille) or (Republique – Bastille – Hotel de Ville – Bastille), Paris
  3. 1100-1500hrs, 19 April 2008, Downing Street outside of Whitehall, England
  4. (No time given) 19 April 2008, Amsterdam, Holland

The protests appear to be well organized, with the coordination of donations, banners, flags, T-shirts…etc. While it is of course impossible to tell how widespread the demonstrations will be, an online keyword search, using Chinese, did produce several hundred hits.

To coincide with the European protests, several Chinese hacker groups are calling for a DDOS attack on the CNN website to begin at 8:00pm on 19 April 2008. While only three websites have openly posted about this attack, my guess is that many more calls are going on behind closed doors.

The first screen shot below calls for an attack similar to the Sino-US hacker war.

Could not get the web page for Tianya to open but it clearly calls for a DDOS attack on the CNN website to begin at 8:00 pm (Beijing time) on 19 April 2008.

Over at Hackbase, Dreamsmaker is also putting out the word for an attack on the CNN website.

The final tidbit of this story comes from a thread discussing the possibility of having demonstrations inside the country to support China’s position on Tibet. It was mentioned that during the anti-Japanese protests of 2005, all the people who passed out leaflets supporting the protests were punished. While some thought it was impossible to hold the demonstrations inside…a commenter calling himself…little stupid told this story:

I was in Beijing during that time, leaflets were everywhere. Although the next day they were all torn down, the schools still had them all over the place. Even the Beijing police supplied free eggs to throw at the Japanese Consulate.

UPDATE: From CNN

“Thank you for contacting CNN. This email is to notify you that your news tip has been received and will be reviewed in a timely manner. You will be contacted if the news tip is valid and we need further information and verification.

We appreciate your news tip and thank you for choosing CNN as your breaking news source.

Sincerely,

CNN Viewer Communications Management
‘CNN, The Most Trusted Name In News’”

Wonder if they will check before it all goes black? :)


12 responses so far

Apr 08 2008

Anti-CNN Website hacked

Published by Heike under Tibet

On 8 April, the anti-cnn.com website was hacked for unknown reasons. Anti-cnn is a Chinese university student-led website established on 21 March 08, with the stated goal of countering false Western media reports on Tibet:

This website is established to expose the lies and distortions in the western media. The site is maintained by volunteers, who are not associated with any government officials.
We are not against the western media, but against the lies and fabricated stories in the media.
We are not against the western people, but against the prejudice from the western society.

According to Hackbase.com, on 9 April, the founder of the organization was using the power of Sohu.com to seek assistance from technical experts following the hacker attack. The website has received 500,000+ hits and has over 40 moderators handling in excess of 6,000 posts and 5,000 replies daily.

You know, not five minutes ago I was saying I didn’t want to get involved in the politics of this thing…just five minutes ago.


7 responses so far

Mar 23 2008

Chinese hackers and Tibet

Published by Heike under Nationalism, Tibet

Chinese hackers have been targeting groups such as the free Tibet movement and Fa1un GOng for years now. Since I have been away for the last couple of days, our good friend Greg was kind enough to send links to some very good information covering the attacks.

From Thomas Claburn at Information Week:

The attacks on mailing lists and online forums contain information related to recent events in Tibet and may appear to come from a trusted person or organization.

A shadow war against organizations supporting Tibetan protesters has erupted in cyberspace, mirroring efforts by Chinese authorities to quell unrest in Tibet.
More here…

A great article from our friend Maarten Van Horenbeeck:

There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently.

These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.

More here…

Brian Krebs at the Washington Post (an excellent investigative reporter):

 Human rights and pro-democracy groups sympathetic to anti-China demonstrators in Tibet are being targeted by sophisticated cyber attacks designed to disrupt their work and steal information on their members and activities.

Alison Reynolds, director of the Tibet Support Network, said organizations affiliated with her group are receiving on average 20 e-mail virus attacks daily. Increasingly, she said, the contents of the messages suggest that someone on one or more of the member groups’ mailing lists has an e-mail account or computer that has already been compromised.

More here…

I’ll be looking into this myself over the next couple of days to see if there is anything worth adding.


No responses yet

Mar 20 2008

Malware for Tibet supporters?

Published by jumper under Censorship, Chinese Malware, Tibet

I saw this blog (Politically Motivated Computer Crime and Hacktivism) about Tibet supporters receiving email malware in my feed reader today and thought it might be interesting to TDV readers. The original article is here.

“We are getting virus attacks that are just shameless… claiming to be desperate people inside Tibet. The emails are well-written and emotional, pleading for us to open the images,” she told AFP.

“At the moment we are having to use outside emails because our email accounts are not working, we have to direct everything through our outside emails,” he told AFP.

Hopefully more to follow (looking for malware samples)…


5 responses so far