Archive for the 'UK Attacks' Category

Jan 13 2008

Our Cousins Not Real Pleased With Chinese Hackers

Published by under UK Attacks

You can see the international pressure beginning to mount on Beijing in regards to Chinese hackers. The US, France, Germany, Japan…and now the Brits have made it a part of their rounds to complain to Beijing. Prime Minister Gordon Brown will use his upcoming visit to China to protest the recent intrusions. Beijing will soon have to do something to rein in their patriotic youth. While it is true that other nations have their share of hackers, Chinese hackers seem to be doing their best to get noticed at the highest seats of power. This might be great for personal reputation but a lousy long-term strategy. Read Chinese hackers really upset one Prime Minister.


Jan 11 2008

2007 Summary of Chinese Hacker Activity

Saw this article and had some reservations about posting it for a couple of reasons.  1) The title is Chinese Cyberwarfare which this most certainly is not.  You can classify them as cyber attacks, intrusions or whatever but this does not even come close to cyberwarfare.  2) This paragraph:

China’s information warfare expertise likely stems from a group that refers to itself as the “Red Hackers Alliance.” The Alliance operates as a government- or party-backed organization that specializes in network security, software development and patriotic hacker training.

The Red Hacker Alliance does not operate as a government- or even party-backed organization. I will have an article published in Iosphere magazine in the next couple of months that refutes this entire idea. Am I saying that the Chinese do not have a cyber militia or branch of the PLA that deals with hacking? No, of course they do. The US has a branch of the military dedicated to cyber operations too. However, the Red Hacker Alliance is not a part of the government or the military. Will the alliance stay a civilian organization? I don’t think so but that is for another day.

Didn’t mean to come down so hard on the article, it really is a pretty good summary of some of the 2007 Chinese hacker attacks. 2007, Chinese hacker year in review.


Dec 21 2007

Damn Pigeons! 灰鸽子


First, let me start you off with a little background on the Gray Pigeon Trojan here. Great stuff, they even upset their own people enough to force them to stop production. A good thing too because that program was turning up in a lot of government systems, like here for example.

However, just like every 80s horror movie, the thing just refuses to die. So, the announcement posted on 2 Dec 07, at hx99.net (previous link removed, page taken down by hx99.net) saying they were making a comeback didn’t come as too much of a shock.

The old disbandment message dated 21 March 07 is still on the front page of the Gray Pigeon website (why does the one pigeon look like a hummingbird…who knows.):

Gray Pigeon Trojan

Just as promised, their fresh postings on 18 and 22 Nov 07 promise a revival of the site. The posting on 22 Nov 07 could use some IT input on the screenshots.

Gray Pigeon Trojan

The text is too much for my Chinese but maybe some of you IT guys could provide some insight.

 


Dec 17 2007

2005 Chinese Hacker Attack On The UK

Published by under UK Attacks

Small section from my book on the UK attack that took place in 2005:

Knowing the types of malicious programs developed and used by certain hacker groups can assist us in pinpointing the source of attacks. Just as traditional criminals develop modus operandi, so do cyber criminals. They will favor one set of techniques and tools over others and just as in traditional law enforcement, these techniques can be used to identify the individuals or groups responsible for the crime. While not foolproof, profiling of groups such as the Red Hacker Alliance may offer additional clues as to their involvement in cases of fraud or theft of sensitive materials.

In June of 2005, the National Infrastructure Security Co-ordination Centre (NISCC) released a report detailing Trojan e-mail attacks targeting United Kingdom “government and companies.” The briefing noted that the attacks were coming from the “Far-East” and that the Trojans used in the attack included Gray Pigeon and Nethief. Chinese hackers have taken credit for the creation of both of these Trojan programs. Mark Sunner, the Chief Technical Officer for MessageLabs, said:

MessageLabs can confirm that the source of the IP addresses originates in China. But there’s a much bigger and broader problem here. The ‘China’ word is not meaningless but it doesn’t mean they are the perpetrators.

Other experts were also skeptical that the IP addresses alone proved the attacks were coming from China. However, on 23 October 2005, Hackbase.com posted a story about the attacks on the British government and the speculation that the attacks were coming from the Far East. The article was apparently taken from the foreign press and translated into Chinese. The comments in response to the article from members of Hackbase, while not conclusive, are very suggestive:


41444: Awesome, I am very moved!! My thanks to the elder hackers, I hope you all can attack the US

Real Cow X: I want to express my sincere sympathy to the English government! ! ! ! Many thanks to the elder hackers

Well done!!: The English government has become the target of a Trojan e-mail attack!!!

By applying the hacker profile to this case, the evidence points very strongly to Chinese fingerprints present at the crime scene. The attack perpetrated against the UK government had: IP addresses that originated from China; used a backdoor to gain entrance to the computers, one of the preferred methods of the Red Hacker Alliance; and used both Gray Pigeon and Nethief, two of their favorite tools. In addition, members within the organization, when reading about the attack, expressed their admiration for the “elder hackers” who they seem to credit for the attack’s success.


Dec 14 2007

Chinese Hackers Hitting Olympics

Published by under UK Attacks


UPDATED: One of the projects I have been thinking about putting together is a calendar showing dates and events of possible future Chinese hacker attacks.

Take this example; it should have been fairly easy to identify the Olympic Games as a catalyst for Chinese hacker attacks. China views the 2008 Olympics as its coming-out party. It should not come as a huge surprise that patriotic Chinese hackers would target their competitors’ websites for information collection. Oh, by the way, if you think only our English cousins are going to be attacked over the Olympics, you are sadly mistaken. Care to guess if this information was disseminated to other countries, warning them of possible Chinese intrusions…

I can guarantee that in March of 2008, the Taiwanese will suffer attacks from mainland hackers. Why? They will hold national elections and the anti-independence, pro-unification crowd will have to make themselves known. Oil and natural gas corporations, if the attacks aren’t happening right now, they are coming. The Japanese, sorry, you guys are pretty much on your own; probably not a date on the calendar that won’t correspond to some grievance. The point being, there are indicators we can use to make a reasonable guess on dates of attack.


Dec 01 2007

MI5 warns banks of Chinese hackers

Published by under Hacking for money,UK Attacks

Chinese hackers going after banks isn’t exactly unusual but the fact that the director-general of MI5 saw fit to send out a general letter of warning is out of the norm. To me, it suggests that at that time (April), it was considered an imminent and widespread threat. Also, it doesn’t warn the banks to double lock the vaults, it identifies the target as “commercially sensitive information”.
