Archive for the 'UK Attacks' Category

Jun 25 2008

Summary: Chinese cyberwarfare threat by the Heritage Foundation

Published by Heike under Tibet, UK Attacks, US attacks

This is a very interesting read by John J. Tkacik on Chinese cyber attacks that runs counter to many of my arguments.  The PDF document titled Trojan Dragon: China’s Cyber Threat is 12 pages but well worth checking out.

Genesis of China’s Cyberwarfare

In the 1990s, China’s Ministry of Public Security (MPS), which manages the country’s police services, pioneered the art of state control of cyberspace by partnering with foreign network systems firms to monitor information flows via the Internet. By 1998, according to an insider’s account of China’s Internet development, the MPS and its subordinate bureaus found that their resources for monitoring the Internet had been overwhelmed by the sheer volume of Internet traffic—which by 1998 had not yet reached 1 million users in China.


Mar 09 2008

Chinese hacker Xiao Chen’s Organization Revealed!

First, a very big thank you to reader Copper, who first pointed out that there was a BIG button right over the article on Chinese hacker Xiao Chen that said…VIDEO! And, if you watch said video…it gives Xiao Chen’s website.

Here is the 1st screenshot from the CNN video; notice the links section at the bottom that I have circled in red. The first link is to Hacker World (hack4.com) 黑客天下 and the second is to Hackbase.com. It is typical for Chinese hackers to list their own website first in the links section.

UPDATE: Sorry, I was unclear in the paragraph above; Xiao Chen only owns hack4.com. Hackbase.com was listed just to show the similarity between the websites.

xiaochen11.JPG

Now look at this screen shot from hack4.com. There are a couple of differences but clearly the same website:

hack4.JPG

Next image from the CNN video gives the Chinese 黑客天下, Hacker World or hack4.com:

xiaochen2.JPG

Now take a look at this graphic from CNN in the left corner of the page:

xiaochen3.JPG

and this one from hack4.com

hack41.JPG

Finally, this one from CNN and you really had to be watching for it:

xiaochen4.JPG

In the CNN interview, Xiao Chen claimed to have 10,000 registered members. The hack4.com website lists the number of registered members as 9,746…pretty darn close:

hack42.JPG


Jan 31 2008

Heikeba Update…Never hack inside China…Ever!

This was more than likely a message to the rest of the Red Hacker Alliance that we do not hack inside China or there will be consequences. According to the video, it wasn’t just money that Heikeba was after; fame played a large part as well. The downfall seems to have come when they decided to break into banks inside of China and steal from Chinese citizens. That, my friends, is a no-no!

updateheikeba.JPG

Also, it is not nice to attach Trojans to music and picture downloads.

updateheikeba2.JPG

This is the part I’m not completely clear on, and if someone who has better ears than I do can provide clarification, it would be really appreciated. The police discovered that the site was spread out across 15 cities inside of China. Here is the difficult part: they found records on the site dealing with New York, London and Paris, and something about logging into the sites at the same time, which seemed impossible or only slightly possible. There is some discussion of time zones and logging into them at the same time.

updateheikeba3.JPG

Difficult to tell if they are saying Heikeba was responsible for hacking into websites in these cities. Hopefully, we can get a little help here.


Jan 28 2008

SANS Institute’s Top Cyber Menaces 08

Of interest to Dark Visitor readers is item number three in the SANS list:

Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing

One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.

The open-source information we have so far about this type of well-resourced [Chinese] cyber espionage is anecdotal, and positive attribution hasn’t been possible. Our only sources are the Rolls-Royce information (very detailed) and Charlie Chen. The information that we have from DoD sources is very limited on detail, and a lot of readers are inclined to dismiss it because attribution by IP address only is pretty unreliable. I think there is a lot more going on behind the scenes than IP geolocation. Consider the information that has been exfiltrated. Consider the methods that were used to harvest email addresses to use for social engineering. Consider the tools that were used, and then you have a much better picture. Let’s face it, script kiddies aren’t interested in the Naval Order of Battle in the Taiwan Strait. Also, script kiddies aren’t after specific information from the world’s largest research-based pharmaceutical company. Update: I neglected to reference another attack with some good details: SANS ISC covered the spear-phishing attack on 30 members of Fa1un G0ng, which is banned in the PRC.
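The attachment tradecraft the SANS item describes (an Office document whose contents do not match its name, or an executable disguised as a document) can be caught at the mail gateway before any virus signature exists, simply by comparing the declared extension with the leading bytes of the file. The block below is an added example, not code from SANS, the ISC or this blog; the signature table, the verdict labels and the sample message are constructed for illustration.

```python
"""Added example: flag mailed Office attachments whose declared extension
does not match the container actually inside them, or which are Windows
executables under any name. The sample message and the tables below are
constructed for this example and are not taken from any real incident."""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the containers an Office attachment should really be.
SIGNATURES = {
    "ole2":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc/.xls/.ppt (Compound File)
    "ooxml": b"PK\x03\x04",                          # .docx/.xlsx/.pptx (ZIP container)
    "rtf":   b"{\\rtf",
    "pe":    b"MZ",                                  # Windows executable
}

# Which container each declared extension is allowed to hold (assumed table).
EXPECTED = {
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".ppt": {"ole2"},
    ".docx": {"ooxml"}, ".xlsx": {"ooxml"}, ".pptx": {"ooxml"},
    ".rtf": {"rtf"},
}


def identify(data: bytes) -> str:
    """Return the container type implied by the first bytes, or 'unknown'."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachments(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and return one finding per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        kind = identify(data)
        if kind == "pe":
            verdict = "executable"   # never legitimate as a mailed document
        elif ext in EXPECTED and kind not in EXPECTED[ext]:
            verdict = "mismatch"     # e.g. RTF bytes under a ".doc" name
        else:
            verdict = "ok"
        findings.append({"filename": name, "ext": ext, "kind": kind, "verdict": verdict})
    return findings


def build_sample() -> bytes:
    """A constructed spear-phish with three attachments, only one of them honest."""
    msg = EmailMessage()
    msg["From"] = "Conference Secretariat <secretariat@example.com>"
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Updated agenda for Thursday's briefing"
    msg.set_content("Please review the attached documents before the meeting.")
    # RTF bytes under a .doc name: Word opens it anyway, so the rename only
    # fools filters that key on the extension.
    msg.add_attachment(b"{\\rtf1\\ansi Agenda placeholder}",
                       maintype="application", subtype="msword",
                       filename="agenda.doc")
    # Genuine OOXML container (ZIP magic) under a .docx name.
    msg.add_attachment(b"PK\x03\x04" + bytes(28),
                       maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="attendees.docx")
    # PE header hidden behind a double extension.
    msg.add_attachment(b"MZ\x90\x00" + bytes(60),
                       maintype="application", subtype="octet-stream",
                       filename="photo.jpg.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in check_attachments(build_sample()):
        print(f"{f['verdict']:<11} {f['filename']:<16} declared={f['ext'] or '-'} actual={f['kind']}")
```

Run against the constructed message, the first attachment is reported as a mismatch (RTF inside a .doc name), the second as ok, and the third as an executable. The check is deliberately independent of the Content-Type header, which the sender controls just as freely as the filename.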


Jan 20 2008

Mysterious Chinese Hacker Slide Show

UPDATE: Jumper adds the following on this post:

I doubt that the mystery poster is Charlie Chung-Ping Chen. Charlie Chung-Ping Chen researches processors. It is certainly possible that he made the transition during his four year absence from the web but I think it is a stretch. At any rate, he hasn’t responded to Gordon. I assume Gordon contacted him by his university email and his status at the university is listed as “leave of absence”.

I tried to find out more about the powerpoint and didn’t have much luck. There isn’t any intro slide and the person who posted the presentation hasn’t posted anything else. It is very amusing that the poster’s handle is Deep Throat.

taiwanhackerslides.JPG

taiwanhackerslides2.JPG

taiwanhackerslides3.JPG

This thread was first brought to my attention by Jumper who has been collecting postings from an individual in Taiwan named Charlie Chen who is fairly elusive.  The same theme runs through all of Chen’s postings concerning a PRC government run organization of eight Chinese hacker groups dedicated to cyber espionage.

Did a little checking and came across an article by Gordon Housworth who is just as curious about the mystery poster as Jumper.  Gordon did a ton of research and from what I can tell has a good handle on the identity of our mystery man.  He was also able to locate a 26-frame slide show associated with Mr. Chen.


Jan 13 2008

Our Cousins Not Real Pleased With Chinese Hackers

Published by Heike under UK Attacks

You can see the international pressure beginning to mount on Beijing regarding Chinese hackers. The US, France, Germany, Japan and now the Brits have made it part of their rounds to complain to Beijing. Prime Minister Gordon Brown will use his upcoming visit to China to protest the recent intrusions. Beijing will soon have to do something to rein in its patriotic youth. While it is true that other nations have their share of hackers, Chinese hackers seem to be doing their best to get noticed at the highest seats of power. This might be great for personal reputation but a lousy long-term strategy. Read Chinese hackers really upset one Prime Minister.


Jan 11 2008

2007 Summary of Chinese Hacker Activity

Saw this article and had some reservations about posting it for a couple of reasons. 1) The title is Chinese Cyberwarfare, which this most certainly is not. You can classify them as cyber attacks, intrusions or whatever, but this does not even come close to cyberwarfare. 2) This paragraph:

China’s information warfare expertise likely stems from a group that refers to itself as the “Red Hackers Alliance.” The Alliance operates as a government- or party-backed organization that specializes in network security, software development and patriotic hacker training.

The Red Hacker Alliance does not operate as a government- or even party-backed organization. I will have an article published in Iosphere magazine in the next couple of months that refutes this entire idea. Am I saying that the Chinese do not have a cyber militia or a branch of the PLA that deals with hacking? No, of course they do. The US has a branch of the military dedicated to cyber operations too. However, the Red Hacker Alliance is not a part of the government or the military. Will the alliance stay a civilian organization? I don’t think so, but that is for another day.

Didn’t mean to come down so hard on the article; it really is a pretty good summary of some of the 2007 Chinese hacker attacks. 2007, Chinese hacker year in review.


Dec 21 2007

Damn Pigeons! 灰鸽子

pigeon.JPG

First, let me start you off with a little background on the Gray Pigeon Trojan here. Great stuff: they even upset their own people enough to force them to stop production. A good thing too, because that program was turning up in a lot of government systems, like here for example.

However, just like every ’80s horror movie, the thing just refuses to die. So the announcement posted on 2 Dec 07 at hx99.net (previous link removed, page taken down by hx99.net) saying they were making a comeback didn’t come as too much of a shock.

The old disbandment message dated 21 March 07 is still on the front page of the Gray Pigeon website (why does the one pigeon look like a hummingbird…who knows):

Gray Pigeon Trojan

Just as promised, their fresh postings on 18 and 22 Nov 07 promise a revival of the site. The posting on 22 Nov 07 could use some IT input on the screenshots.

Gray Pigeon Trojan

The text is too much for my Chinese, but maybe some of you IT guys could provide some insight.


Dec 17 2007

2005 Chinese Hacker Attack On The UK

Published by Heike under UK Attacks

Small section from my book on the UK attack that took place in 2005:

Knowing the types of malicious programs developed and used by certain hacker groups can assist us in pinpointing the source of attacks. Just as traditional criminals develop a modus operandi, so do cyber criminals. They will favor one set of techniques and tools over others, and just as in traditional law enforcement, these techniques can be used to identify the individuals or groups responsible for the crime. While not foolproof, profiling of groups such as the Red Hacker Alliance may offer additional clues as to their involvement in cases of fraud or theft of sensitive materials.

In June of 2005, the National Infrastructure Security Co-ordination Centre (NISCC) released a report detailing Trojan e-mail attacks targeting United Kingdom “government and companies.” The briefing noted that the attacks were coming from the “Far-East” and Trojans used in the attack included Gray Pigeon and Nethief. Chinese hackers have taken credit for the creation of both of these two Trojan programs. Mark Sunner, the Chief Technical Officer for MessageLabs, said:

MessageLabs can confirm that the source of the IP addresses originates in China. But there’s a much bigger and broader problem here. The ‘China’ word is not meaningless but it doesn’t mean they are the perpetrators.

Other experts were also skeptical that the IP addresses alone proved the attacks were coming from China. However, on 23 October 2005, Hackbase.com posted a story about the attacks on the British government and the speculation that the attacks were coming from the Far East. The article was apparently taken from the foreign press and translated into Chinese. The comments in response to the article from members of Hackbase, while not conclusive, are very suggestive:

ukhackbasecomments.JPG

41444: Awesome, I am very moved!! My thanks to the elder hackers, I hope you all can attack the US

Real Cow X: I want to express my sincere sympathy to the English government! ! ! ! Many thanks to the elder hackers

Well done!!: The English government has become the target of a Trojan e-mail attack!!!

By applying the hacker profile to this case, the evidence points very strongly to Chinese fingerprints present at the crime scene. The attack perpetrated against the UK government had: IP addresses that originated from China; used a backdoor to gain entrance to the computers, one of the preferred methods of the Red Hacker Alliance; and used both Gray Pigeon and Nethief, two of their favorite tools. In addition, members within the organization, when reading about the attack, expressed their admiration for the “elder hackers” who they seem to credit for the attack’s success.
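The profiling argument above weighs several kinds of evidence at once: the tools used, the access method, the country the source IPs resolve to, and how the group’s own community reacted. The block below is an added example, not from the book or the NISCC briefing, that turns that weighing into a score. The profile fields are taken from the post; the weights, the thresholds and the second, IP-only incident are assumptions made for the example, and the low weight on source country reflects the point made in the post that an IP address alone does not identify the perpetrator.

```python
"""Added example: score how well an incident's observed indicators fit a
hacker group's profile (modus operandi matching). Weights, thresholds and
the IP-only incident are assumptions made for this example; the group
profile fields are the ones named in the post."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class GroupProfile:
    name: str
    tools: frozenset[str]             # malware families attributed to the group
    techniques: frozenset[str]        # preferred access methods
    source_countries: frozenset[str]  # where the group's infrastructure usually sits


@dataclass
class Incident:
    tools: set[str]
    techniques: set[str]
    source_countries: set[str]
    community_reaction: bool = False  # did the group's own forums celebrate it?


# Assumed weights. Tooling and tradecraft are hard for an outsider to copy;
# a source IP country is trivially borrowed, so it carries the least weight.
WEIGHTS = {
    "tools": 0.50,
    "techniques": 0.25,
    "community_reaction": 0.15,
    "source_countries": 0.10,
}


def fraction_explained(observed: set[str], known: frozenset[str]) -> float:
    """Share of what was observed that the profile accounts for (0 if nothing observed)."""
    return len(observed & known) / len(observed) if observed else 0.0


def score(profile: GroupProfile, incident: Incident) -> tuple[float, dict[str, float]]:
    """Weighted fit of the incident to the profile, plus the per-evidence breakdown."""
    parts = {
        "tools": fraction_explained(incident.tools, profile.tools),
        "techniques": fraction_explained(incident.techniques, profile.techniques),
        "source_countries": fraction_explained(incident.source_countries, profile.source_countries),
        "community_reaction": 1.0 if incident.community_reaction else 0.0,
    }
    total = round(sum(WEIGHTS[k] * v for k, v in parts.items()), 4)
    return total, parts


def verdict(total: float) -> str:
    """Assumed thresholds for turning the score into an analyst-facing label."""
    if total >= 0.7:
        return "strong"
    if total >= 0.4:
        return "moderate"
    return "weak"


# Profile as described in the post.
RED_HACKER_ALLIANCE = GroupProfile(
    name="Red Hacker Alliance",
    tools=frozenset({"Gray Pigeon", "Nethief"}),
    techniques=frozenset({"trojan e-mail", "backdoor"}),
    source_countries=frozenset({"CN"}),
)

# The 2005 UK case as the post describes it.
UK_2005 = Incident(
    tools={"Gray Pigeon", "Nethief"},
    techniques={"trojan e-mail", "backdoor"},
    source_countries={"CN"},
    community_reaction=True,
)

# Constructed contrast: nothing but a Chinese source IP, which on its own
# says little about who was at the keyboard.
IP_ONLY = Incident(
    tools={"unattributed RAT"},
    techniques={"credential stuffing"},
    source_countries={"CN"},
)

if __name__ == "__main__":
    for label, inc in (("UK 2005", UK_2005), ("IP only", IP_ONLY)):
        total, parts = score(RED_HACKER_ALLIANCE, inc)
        print(f"{label}: {total:.2f} ({verdict(total)}) {parts}")
```

On the UK case the score is 1.0 (strong); on the IP-only incident it is 0.10 (weak), which is the whole point: geolocation contributes, but it cannot carry an attribution by itself. Weights and thresholds would be tuned against a real case history rather than set by hand as here.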


Dec 14 2007

Chinese Hackers Hitting Olympics

Published by Heike under UK Attacks

olympicrings.JPG

UPDATED: One of the projects I have been thinking about putting together is a calendar showing dates and events of possible future Chinese hacker attacks.

Take this example; it should have been fairly easy to identify the Olympic Games as a catalyst for Chinese hacker attacks. China views the 2008 Olympics as its coming-out party. It should not come as a huge surprise that patriotic Chinese hackers would target their competitors’ websites for information collection. Oh, by the way, if you think only our English cousins are going to be attacked over the Olympics, you are sadly mistaken. Care to guess if this information was disseminated to other countries, warning them of possible Chinese intrusions…

I can guarantee that in March of 2008 the Taiwanese will suffer attacks from mainland hackers. Why? They will hold national elections, and the anti-independence, pro-unification crowd will have to make themselves known. Oil and natural gas corporations: if the attacks aren’t happening right now, they are coming. The Japanese, sorry, you guys are pretty much on your own; there is probably not a date on the calendar that won’t correspond to some grievance. The point being, there are indicators we can use to make a reasonable guess on dates of attack.


Dec 01 2007

MI5 warns banks of Chinese hackers

Published by Heike under Hacking for money, UK Attacks

Chinese hackers going after banks isn’t exactly unusual, but the fact that the director-general of MI5 saw fit to send out a general letter of warning is out of the norm. To me, it suggests that at that time (April), it was considered an imminent and widespread threat. Also, it doesn’t warn the banks to double-lock the vaults; it identifies the target as “commercially sensitive information”.
