Archive for the 'Tibet' Category

Jul 19 2009

Leader of Chinese hacker group that planned DDoS attack on CNN identified

In April of 2008, we reported Revenge of the Flame‘s plan to carry out a DDoS attack on the CNN website.  A series of events during that time period enraged the Chinese online community: European nations harshly criticized China’s response to the Tibetan uprising; pro-Tibetan independence protesters in Paris tried to snatch the Olympic torch from the hands of a wheelchair-bound Chinese female athlete; and Jack Cafferty, a CNN commentator, referred to Chinese products as “junk” and called the Chinese government “goons and thugs.”   In response to these insults, Anti-CNN called for overseas Chinese in Europe to wave the Chinese flag and raise their voice to the sky.

In response to these same events, a hacker, using the online name cn_magistrate, formed a group called Revenge of the Flame and announced his plan to carry out a DDoS attack on the  CNN website.  We followed the events as calls went out for Chinese netizens to join the action.  We were there when cn_magistrate called off the attack and disbaned the organization.  Then he vanished…



Cold Case:  Yeah, we keep looking.  Finally located him through a combination of e-mail address, website and online name.   Below are the results of a Whois search we conducted on the associated website during the time of the attack (Notice the website name and e-mail address):

Domain Name:
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email:
Sponsoring Registrar: 北京万网志成科技有限公司
Name Name
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

cnmagistrate2 website letter

The image seen above was taken from cn_magistrate’s current blog showing the old URL,  which was associated with the CNN attack.


This reply from cn_magistrate in the comments section of his blog shows the e-mail address, used to register



He claims to be a Taiwanese citizen…

I’ve written to cn_magistrate and asked if he will talk to us about the incident.  Off topic, did anyone hear the news about Taiwan and the US coming closer to an extradition agreement?  That would be cool.

3 responses so far

Oct 13 2008

Chinese hacker books and the Falun Gong

Published by under Censorship,Tibet,Uncategorized


Book title: Chinese hackers

No doubt, many of you are wondering what to get us for the holidays. Well, worry no more, China’s Xinhua Online Bookstore has you covered.

Checked out their selection on hacking and found a total of 270 books on the subject.  While many of these are just translations from the US and other sources, they did have original manuscripts such as the one above.

Got bored after the first hundred or so titles and a thought hit me, what would happen if I searched for books on the Falun Gong (法轮功)?


Looking for “Taiwanese Independence” and “Free Tibet” simply returned zero hits.

( also kicked me off for Falun Gong search)

NOTE: The thing about holiday gifts was a joke, a JOKE.  Sometimes my online humor doesn’t translate very well and I get e-mails asking if I was serious.

One response so far

Sep 10 2008

Targeted Attacks – “Is Troy Burning?”

Maarten Van Horenbeeck informed us that his recent SANS Fire 2008 presentation on targeted attacks has been released for the public. You can find it at Maarten’s website here.

You may also want to check out another presentation of his titled “Crouching PowerPoint, Hidden Trojan”.

Comments Off

Jul 14 2008

Bruce Schneier: The Truth About Chinese Hackers

Bruce Schneier

Bruce Schneier is a well-known security and cryptography researcher.  He has a popular blog where he posted his recent article detailing “The Truth About Chinese Hackers”, which was written for Discovery Channel.

This article is not particularly insightful and sort of lumps all of the Chinese hackers into a single group of young, male patriotic kids doing it for the babes and limos.

These hacker groups seem not to be working for the Chinese government. They don’t seem to be coordinated by the Chinese military.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living.

This is very short sighted.  We should be honest here, neither Bruce Schneier nor Heike and I know with absolute certainty what Chinese hackers are doing, who is coordinating them and who might be paying them.  Maybe the article shouldn’t be titled “The Truth About Chinese Hacker” because Bruce doesn’t know what the truth is (Heike would have said that he couldn’t handle the truth either, but that’s not my style).

I think a lot of people assume that activity attributed to the PRC is simply based on the IP address.  After studying spear phishing attacks, custom malware attacks and the types of data that have been exfiltrated from various NGO targets it seems likely that some entity is coordinating the collection and exploitation of this information.  In my humble opinion, there may be more to this than WoW passwords.


11 responses so far

Jun 25 2008

Summary: Chinese cyberwarfare threat by the Heritage Foundation

Published by under Tibet,UK Attacks,US attacks

This is a very interesting read by John J. Tkacik on Chinese cyber attacks that runs counter to many of my arguments.  The PDF document titled Trojan Dragon: China’s Cyber Threat is 12 pages but well worth checking out.

Genesis of China’s Cyberwarfare

In the 1990s, China’s Ministry of Public Security (MPS), which manages the country’s police services, pioneered the art of state control of cyberspace by partnering with foreign network systems firms to monitor information flows via the Internet. By 1998, according to an insider’s account of China’s Internet development, the MPS and its subordinate bureaus found that their resources for monitoring the Internet had been overwhelmed by the sheer volume of Internet traffic—which by 1998 had not yet reached 1 million users in China.

Keep reading…

One response so far

Apr 24 2008

New “Kinda-Lazy” Chinese hacker attack on CNN scheduled for tomorrow. UPDATE x2

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!! :)

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was setup on the 20th (after initial attack) that is linked in the post and looks like it is there to support the action.


Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issuses regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of, this represents the honor of China over the issue of Tibetan independence. The website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five,six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:


var e=document.getElementById(‘cnn’);


//1000 表示1000毫秒,你可以修改并转发

</script> Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday as the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore” didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN webiste here.

4 responses so far

Apr 21 2008

Chinese hackers displaying CNN hack trophy?

Published by under Nationalism,Tibet,US attacks

Danwei reporting that Chinese hackers are celebrating a successful hack on a portion of the CNN website with screen shots of their trophy:

The top picture is screen grab that shows the current state of the website. The second image shows the hacked web page and the slogans left by the hackers, both in English and Chinese.:

Comments Off

Apr 20 2008

Revenge of the Flame disbands, denies all responsibility for attack on CNN…and kills website

The leader of Revenge of the flame has taken down his website and posted a disbandment notice.

!!!We salute our lovable motherland!!!

(graphic posted in the center of this statement does not load)

Revenge of the Flame disbanded

There are actually many ways to be patriotic, we do not want to be impulsive, we should study well, struggle and take great effort to gain knowledge. Only in this way can we develop our motherland and our motherland’s strength. This is all we really wish to see happen.

The Revenge of the Flame has already halted all DDOS attacks, we do not advocate the attack, we advocate diligent study of technology. From this point on, any attack whatsoever, has nothing to do with Revenge of the Flame. If any member of our group, Revenge of the Flame, participates in this type of activity, it is an individual action and has nothing to do with cn_Magistrate or Hackerwolf. Request that everyone make careful deliberations.

(Note: I was under the impression that magistrate hackerwolf was one word, one name but obviously it is two individuals. Here are their blogs; cn_Magistrate and Hackerwolf.)

Currently, everyone on the internet is using the instrument of attack as a means to express their passion and this has already obstructed the motherland’s normal network communications. This is something we do not wish to see happen. Regardless if it is “Revenge of the Flame” or not, we hope that everyone can rationally reflect on this question.

From this moment, the Revenge of the Flame is disbanded!! If there are any notification after this, they will be posted here. We respectfully ask that you pay attention to this page.

Any attack whatsoever, regardless if it is by an individual or an organization, has serious consequences!!!!!!!!!!!!!!!!!!!!!!

The Revenge of the Flame exists no more forever!! We are now a “patriotic study organization” and we will take the flame into our heart! The Revenge of the Flame in our hearts can never be extinguished! We must struggle! We must work! We must turn our strengths into a shining sword spirit (this sentence may have a somewhat different meaning, not sure).

Without a doubt we must study even more, our forum has already been established. This is really our true exchange space.


20 April 2008

To our lovable motherland, I say I love you!!

2 responses so far

Apr 19 2008

More from Revenge of the Flame on CNN attack

Located cn_Magistrate’s blog, the leader of Revenge of the Flame, here is a post from his blog on 18 April 2008:

As always, my thanks for everyone’s strong sense of nationalistic responsibility; once again, the Magistrate is grateful to everyone.

Today is 18 April, we are angry and we shall roar, the annoucement follows:

  1. Prior to 8:00 pm on 18 April 2008, we invite everyone on IS (ID number 12570496).  We will have an important matter to pass along.  (This part a little rough on xlation) Please note our compatriots will find a way online, obey directions that have been put in place.
  2. Tool download address, considering that there are many normal web users who do not have a high-degree of technical knowledge, we are providing idiot-type (really means for those who don’t know) tools for download. The download address:  Everyone please pay attention to the group announcements.
  3. Everyone please remain disciplined, listen to the directions of each of the group managers.  Pay attention to your own words, deeds and essence.  We are all Chinese!

18 April 2008

One response so far

Apr 18 2008

Chinese hacker group identified as “Revenge of the Flame” calls off attack on CNN…too many people know

Graphic Attached to Release

Graphic Attached to Release by Revenge of the Flame

The Chinese hacker group that has been organizing to attack CNN has been identified as the “Revenge of the Flame.” They recently released a statement calling off the DDoS attack on CNN; however, it may have come too late to stop some of its members from going after the site. CNN has just filed a report stating that they had experienced an attack in an attempt to disrupt their website. For this reason, we will keep the clock up and see what happens tomorrow…it might not be over.

Statement from Revenge of the Flame:

In just three short days, our organization, the Revenge of the Flame, has grown large. First, I want to thank everyone for their strong sense of nationalistic responsibility. However, maybe we were too impetuous. We love our country! We will resist all anti-Chinese influences! However, we must choose the right way to come to the defense of our country, families and ourselves!!! After some core internal discussions, we have decided to temporarily cancel the 19th attack plan! The Revenge of the Flame organization still exists! Later we can be a computer discussion organization, we will study together for the day our country needs us! Our government and military will all mobilize! At that time, we will let those so-called foreign net-forces see! No matter where, China will never lose to them! We also have our net-forces! Perhaps at that time, our Revenge of the Flame will be the main strength! We all love our country! But, we must use sensible methods to defend our honor!

ATTENTION: Our original plan for 19 April has been canceled because too many people are aware of it and the situation is chaotic. At an unspecified date in the near future, we will launch the attack. We ask that everyone remain ready. I will repeat it again. At an unspecified date in the near future, we will launch the attack. We are only at present cancelling the attack. We could send out a notice on the day of the attack and have it completed in one day. The attack hasn’t been cancelled; it will be carried out on an unspecified day in the near future. I think everyone understands what we mean.

We hope that even more people with the Chinese national blood will join our actions. Only in unity is there strength. We are not individuals, we are a collective, and we are Chinese.

17 April 2008

Continue Reading »

9 responses so far

Next »