Archive for the 'US attacks' Category

Jan 11 2009

The perfect time for a massive Chinese cyber attack

Predictive analytics: encompasses a variety of techniques from statistics and data mining that analyze current and historical data to make predictions about future events. (courtesy of the wiki)

Last night I was reading Chinese Cyber Nationalism and this section in Chapter Three on the EP-3 incident (Sino-US Hacker War 2001) got me thinking:

“On 26 April, H.U.C [Honker Union of China] announced on its site that Chinese hackers would wage a seven-day self-defense war against American websites.  The major targets included hundreds of American government and military websites.  The attacking time was set at 9:00 PM on 30 April, when a seven-day Labor Day holiday started in China.”

(emphasis mine)

The same pattern shows up in our own little blog's coverage of the Chinese hacker attack on CNN, which was scheduled for 8:00 pm on 20 April. In 2008, 20 April was a non-work day in China.

That’s right! Off days, holidays and late at night are the perfect time to cyber mobilize a massive number of people for a “Cyber People’s War”.

Obvious yes…but then where is my attack table for 2009?

2009 China Public Holidays

Based on a seven-day workweek, China has one of the most confusing holiday and non-work day systems ever.  Bless the good people at CNReview for providing the calendar above and keeping me from suffering a fatal aneurysm.

So green and blue days are danger and yellow safer. Remember, due to time differences between the US and China, attacks would more than likely begin and end a day before those shown on the Chinese calendar.

We aren’t talking about individual or small group attacks that can occur at any time, just major efforts by a large number of hackers. People have to work! “Sure Xiao Wang, I’d love to join the war against whatever you’re enraged about at the moment but…I’ve gotta be at work then.”

Attacks will also occur early in the morning for the US (approx 5:00 am – 8:00 am) given the EST and PST differences with Beijing. These are normally 12-13 hours for the East Coast and 15-16 hours for the West Coast, depending on how daylight saving time matches up. No DST for China, they don’t play.

Hawaii?  Screw Hawaii! I’m freezing to death here.  They can figure out their own times. :)

Rest of the world, adjust accordingly.
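The time-zone arithmetic above, as an added example that is not part of the original post: it converts the two announced Beijing start times quoted in the post into US East and West Coast local time and checks the 12-13 and 15-16 hour gaps. The January sample time and the 1 May sample day off are constructed inputs, and the function names are this example's own.

```python
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo

BEIJING = ZoneInfo("Asia/Shanghai")  # China keeps UTC+8 all year, no DST
US_ZONES = {
    "East Coast": ZoneInfo("America/New_York"),
    "West Coast": ZoneInfo("America/Los_Angeles"),
}

# Announced start times quoted in the post (Beijing wall-clock time).
HUC_2001 = datetime(2001, 4, 30, 21, 0)   # 9:00 PM, 30 April 2001
CNN_2008 = datetime(2008, 4, 20, 20, 0)   # 8:00 pm, 20 April 2008
# Constructed sample inputs, not taken from the post's calendar.
WINTER_SAMPLE = datetime(2009, 1, 15, 21, 0)
SAMPLE_DAY_OFF = (2009, 5, 1)

def to_us_local(beijing_time):
    """Convert a naive Beijing wall-clock time to US coast local times."""
    aware = beijing_time.replace(tzinfo=BEIJING)
    return {name: aware.astimezone(tz) for name, tz in US_ZONES.items()}

def hours_behind_beijing(beijing_time):
    """Whole hours each US zone lags Beijing at that moment (shifts with US DST)."""
    aware = beijing_time.replace(tzinfo=BEIJING)
    return {
        name: int((aware.utcoffset() - aware.astimezone(tz).utcoffset())
                  .total_seconds() // 3600)
        for name, tz in US_ZONES.items()
    }

def watch_window(first_day, last_day):
    """US local start and end of a Beijing non-work period, midnight to midnight."""
    start = to_us_local(datetime(*first_day))
    end = to_us_local(datetime(*last_day) + timedelta(days=1))
    return {name: (start[name], end[name]) for name in US_ZONES}

if __name__ == "__main__":
    for label, when in (("H.U.C. 2001", HUC_2001), ("CNN 2008", CNN_2008)):
        for zone, local in to_us_local(when).items():
            print(f"{label}: {when:%d %b %Y %H:%M} Beijing = {local:%d %b %H:%M %Z} ({zone})")
    print("Hours behind Beijing in January:", hours_behind_beijing(WINTER_SAMPLE))
    for zone, (start, end) in watch_window(SAMPLE_DAY_OFF, SAMPLE_DAY_OFF).items():
        print(f"Watch window ({zone}): {start:%d %b %H:%M} to {end:%d %b %H:%M %Z}")
```

A Beijing day off starts at midday the previous day on the East Coast, which is why a monitoring window built from the Chinese calendar has to open a calendar day early.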


Dec 11 2008

Chinese hackers targeting French Embassy websites around the world

Chinese hackers are targeting French Embassy websites all around the world to protest President Nicolas Sarkozy’s visit with the Dalai Lama.

According to hack4.com, featured in a CNN documentary on Chinese hackers, the following French Embassy websites were successfully defaced:

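French Embassy in the United States: http://www.ambafrance-us.org/
French Embassy in the United Kingdom: http://www.ambafrance-uk.org/
French Embassy in China: http://www.ambafrance-cn.org/ (latest news: already back to normal) (Repaired)
French Embassy in Canada: http://www.ambafrance-ca.org/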

Visiting all of the above websites shows that either they were not defaced or have been repaired since the attack. Hack4.com points out that the following websites have not been hit, suggesting they are future targets:

French Embassy in Japan: http://www.ambafrance-jp.org/
French Embassy in Iceland: http://www.ambafrance-is.org/

Hack4.com gives this screenshot of the reported hacked website(s) (Deleted):

UPDATE: Better screenshots of the defaced French Embassy websites from 7747.net:


(Sorry guys, just updated to WordPress 2.7 and having a few problems.  Can’t seem to get the screenshot to enlarge when you click on it.  The three defaced websites are the US, UK and Canada.)

UPDATE: Once again, Eastwood has set me straight. Linked the image through the Chinese hacker website and now you should be able to pull up the graphic.


Nov 28 2008

Chinese hackers targeting US military in Afghanistan


From US News and World Report, on a Chinese hacker virus exporting information on US military logistics:

This wasn’t the first such cyberattack, and officials said that earlier incarnations of the virus had exported information such as convoy and troop movements here. It was not clear precisely what information, if any, was being pulled from Department of Defense computers by this latest virus, they said.

Officials familiar with the computer attack characterized it as extremely aggressive and said that it originated in China. However, they haven’t been able to determine whether the viruses are part of a covert Chinese government effort or the work of private hackers.


Nov 20 2008

DefenseNews: Chinese cyber attacks on the rise

Defense News presents a rather chilling look at the rising threat of Chinese cyber operations and cyber crime targeting US interests to include defense and industry:

Chinese hackers have been able to steal data as diverse as NASA files on the Mars orbiter’s propulsion system, solar panels and fuel tanks, Army helicopter mission planning systems and Air Force flight planning software.

China has been able to break into the U.S. military’s non-classified NIPRNet, which could give it “the potential capability to delay or disrupt U.S. forces without physically engaging them,” the commission says.

And China continues to strengthen its cyber warfare capabilities. “Many individuals are being trained in cyber operations at Chinese military academies,” the commission report says.

Chinese-made cyber hardware is a threat, too. Computer and network components made in China could be implanted with malicious code that can be activated later to steal, manipulate or destroy critical data, the commission says.


Nov 07 2008

Chinese hackers pwn whitehouse (.gov, not the other one)


A Financial Times article discusses multiple security compromises in the White House network. Heike already blogged that both President-Elect Obama’s and Senator McCain’s campaign networks were compromised by foreign hackers as well. The network of my precinct committee chairperson is next. From the article:

“For a short period of time, they successfully breach a wall, and then you rebuild the wall . . . it is not as if they have continued access,” said the official. “It is constant cat and mouse on this stuff.”

As usual, the article is slim on technical details and fills in the space with general cybersecurity background. At this point, it may be easier to list the government organizations that haven’t been compromised by Chinese hackers.


Nov 06 2008

Chinese hackers cyberattack on Obama and McCain’s campaign networks?


This comes from Newsweek via Wired: both presidential candidates’ networks were compromised. There is a lot of speculation in the original Newsweek article, which Wired duly notes:

Oddly, Newsweek reports that officials at the FBI and White House told the Obama camp that the culprit was a “foreign entity” likely seeking information on the two sides’ policy positions to use in negotiations with the next administration, and that the Obama system had not been hacked by its political opponents.


Oct 25 2008

Excuse me Mr. Bill Gates, Chinese hackers not putting up with your crap!

The program seen above is a patch for the Microsoft “black screen of death” and was written by a female Chinese hacker group at the Guangdong Foreign Language, Foreign Trade University (Guangdong Foreign Studies University).

The patch keeps Chinese users, who are running pirated copies of Microsoft Windows, from having to refresh their computer screens every hour when the black screen pops up.

The Chinese hacker program was released on 15 October, five days before Microsoft’s pre-announced plan went into effect (Jumper, is this possible?). The black screen seems to have been a mere annoyance, designed by Microsoft to encourage people to purchase legal copies of Windows. It does not affect the computer’s ability to function.

From the comments I have read on a few boards, this does not seem to be one of the programs written to spread malware.

The website for the group that released the patch is here.  The message attached to the download reads as follows:

“Excuse me Bill Gates, this time, I must once again oppose all of you [Microsoft]. I can’t let you introduce chaos into the Chinese system again for no good reason! For many years now, people have stolen Windows and just this year you decide to do something about it? That is stupid!!

We are not the military but we have the same mission, to protect the sovereignty of the Chinese network.”

A few interesting comments on the boards you might like to read.  Don’t have the time to translate, so I give you the Google xlations.  No, they aren’t 100% accurate but they will give you the feel of the conversation.

Something to take note of, not all of the Chinese users are onboard with the “hate Microsoft theme.” There are a number of dissenting voices, saying that stealing intellectual property is wrong.  Good for them!

Update (jumper 1543GMT OCT 26):  The site hosting the anti-anti-piracy patch is overloaded:

Bandwidth Exceeded!


Oct 23 2008

Stolen lawn mowers and Chinese rage against Microsoft

The cartoon above, from china.com.cn, shows a big hand in the sky with the Microsoft Windows logo holding a sword reading, “Attacking pirated software.” The thief running away at the bottom reads, “Sellers of pirated software.” Of course the guy in the chair is the “innocent” user.  Right.

The article that accompanies the cartoon suggests that Chinese users might be just as much a victim of software pirates as Microsoft. Cough. Since Microsoft is using patch updates to cause the “black screen of death,” it might be better to visit third party sites for patches. However, warning, hackers are using these types of sites to pass along malware.

No one has asked my opinion on this subject but I’m going to share it with you anyway.  Why? Because I’m in a really bad mood, it’s 4:20 am and I want to vent:

A guy comes to sell you a stolen lawn mower that you know belongs to your neighbor.

How do you know it belongs to your neighbor? It has his name etched right into the damn thing.

How do you know it was stolen? Because you were looking to buy a stolen lawn mower; you weren’t willing to pay full price.

Problem, this is a special lawn mower and will only run properly with fuel from your neighbor (Microsoft updates).   So, when needed, you decide to steal the fuel yourself.

Your neighbor discovers that you are using his stolen lawn mower and have the unmitigated gall to also steal his fuel.  He starts leaving out tainted fuel for you to steal but this screws up “your” lawn mower.  Boy are you pissed.

Yes, it is a horrible analogy.  It’s early…very early.

UPDATE: At least one Chinese user agrees with me, sort of.  His only concession however is to stop stealing the fuel.

Question: How long will it take for Chinese hackers, in a fit of moral outrage, to attack every website associated with Microsoft? 5…4…3…2…


Oct 22 2008

Manchurian chips…

Robert Eringer wrote an article posted to cryptome.org that covered the frequently suggested threat of trojaned chips installed into all manner of equipment made from Chinese parts or assembled in China. Manchurian Microchips is a cool name for them.

“It is there, deep inside your computer, if they decide to call it up,” the security chief of a multinational corporation told The Investigator. “It is capable of providing Chinese intelligence with everything stored on your system — on everyone’s system — from e-mail to documents. I call it Call Home Technology. It doesn’t mean to say they’re sucking data from everyone’s computer today, it means the Chinese think ahead — and they now have the potential to do it when it suits their purposes.”

This is pretty sensational stuff. Of course, we can’t completely discount this as a possibility. At present, the computer attacks on DoD, defense contractors, foreign governments and dissident groups that have been detected and attributed to China have used typical methods like exploits and social engineering. But maybe they are saving this capability for a special occasion.

In June 2007, a Pentagon computer network utilized by the U.S. defense secretary’s office was hacked into — and traced directly back to the Chinese PLA.

The previous statement isn’t entirely accurate. I don’t believe the Pentagon ever claimed to have traced the attack directly back to the PLA. I think everyone involved probably assumed that based on the type of information that was taken from the compromised computers.

The Chinese had specifically targeted Rolls-Royce and Shell Oil.

The attack on Rolls-Royce used social engineering emails with MS Office exploits. The exploits downloaded PC Share 2005. Nothing too sophisticated.

The author points out that all computers today are either assembled in China or manufactured with parts from China. The implication is that potentially all computers could have corrupt supply chains. This is probably far-fetched. If I were a hostile nation that supplies chips to computer manufacturers, I would probably only use it to permanently disable the computers instead of for intelligence collection. I would probably also target networking gear rather than computer workstations and servers. The investment in that capability would be too great to risk losing to network detection. It would be better to use it as a way to instantly cripple an adversary’s information advantage.


Oct 03 2008

Defective computer components from China finding their way into US warplanes and ships?


While in Beijing, I went to the Silk Market and decided to purchase one of the many “Rolex” watches on sale. The girl sitting behind the stall told me that for the low, low price of US $10 she would reluctantly part with this prized possession. Finally, weeping and wailing, she let it go for three bucks and cursed me and all my descendants. The next day the watch made a weird noise, began to heat up and made a small burn mark on the top of my wrist. True story… well, there is at least a place called Beijing in China.

For our next story, let’s replace me with Department of Defense and Rolex with microchips.  What could possibly go wrong?

The American military faces a growing threat of potentially fatal equipment failure—and even foreign espionage—because of counterfeit computer components used in warplanes, ships, and communication networks. Fake microchips flow from unruly bazaars in rural China to dubious kitchen-table brokers in the U.S. and into complex weapons. Senior Pentagon officials publicly play down the danger, but government documents, as well as interviews with insiders, suggest possible connections between phony parts and breakdowns.

Counterfeit routers may pose an even greater danger:

Referring to the seizure of more than 400 fake routers so far, Melissa E. Hathaway, head of cyber security in the Office of the Director of National Intelligence, says: “Counterfeit products have been linked to the crash of mission-critical networks, and may also contain hidden ‘back doors’ enabling network security to be bypassed and sensitive data accessed [by hackers, thieves, and spies].”

Business Week lays out the who, what, when, where and why …defective Chinese computer components finding their way into US warplanes and ships.
