Tag Archive 'Chinese hackers'

Dec 19 2008

How much money does a Chinese hacker gang make?

Introduction: Rambling thoughts

There is an old military expression that says, “Amateurs study strategy; professionals study logistics.” Logistics is the ability to drive the train, to make sure that the troops have the capability to accomplish the strategy. What are the logistics behind a Chinese hacker attack?

1) Computers

2) Personnel

3) Transportation (Access to the internet)

4) Knowledge

5) Malware (Trojans, Viruses, etc.)

6) Programs (Scanners, Dictionary attack tools, etc.)

7) Money

8) More?

There is also a formula for threat analysis:

1) Intent:  Without the intent to do harm, the threat assessment is considered minimal.  Friends and allies are considered extremely low-level threats even if they have the capability to cause great destruction.  Capability without intent lowers the risk factor considerably.

Clearly, Chinese hackers have demonstrated intent in the form of nationalism and monetary gain. CHECK

2) Capability:  Does an adversary have the means to carry out the threat?  While the enemy may wish to do you great harm, without capability it means little.

With a number of governments scrambling to secure and/or repair their information systems, there is little doubt Chinese hackers have the capability. CHECK

3) Motivation:  The determination to carry out and sustain the attack.

Motivation started in the form of nationalism but quickly turned to cash.  Either way, the motivation to continue and sustain attacks is still present and shows no sign of decreasing.  CHECK

So, what binds these rambling thoughts? Money, money, money! Without the financing to support their logistics, operations come to a standstill. Pull out logistics and you lose capability, leaving only intent.

Final random thought: A reporter once asked Willie Sutton, a bank robber, why he robbed banks.

“Because that’s where the money is”

-Willie Sutton, Bank Robber

And Now, back to your regularly scheduled program:

From Chinanews.com, the Wuxi court has found a gang of six Chinese hackers guilty of running phony websites designed to steal the passwords of online gamers.  In less than half a year, the crew had earned over one million yuan (USD 146,000).

In July of 2007, the defendant, Mr. Ma, learned of a method to hijack domain name servers in order to steal account names and passwords from online gamers. He then asked his co-conspirator, Mr. Peng, to write the hijacking program.

In August and September of last year, Mr. Ma brought four other members into the gang and together they developed a scheme to get rich. In order to carry out the crime, the group invested 22,000 yuan (USD 3,200) in a computer, server and room rental.

Peng’s program was used to capture the domain name servers in ten provinces and cities such as Jiangsu Province, Liaoning Province, Shanghai, Chongqing, etc. After users registered for the website, they would automatically be redirected to the gang’s forged website.

The gang members received sentences of 1-4 years for the crime.

Dec 17 2008

Chinese hackers utilize amateur hacking groups for low-level espionage operations

iDefense 2009 Cyber Threats and Trends via Earthtimes:

Additionally, cyber warfare has become a reality in today’s political climate, and several regions are seeing a rise in politically and financially motivated activities. According to VeriSign iDefense, Russian hackers are the most effective group when it comes to cyber fraud, while Chinese hackers utilize amateur hacking groups for low-level espionage operations.

Dec 15 2008

Chinese hackers stealing Indian InfoTech data

Very informative article from Cyber Crime Updates on Chinese InfoTech espionage:

BANGALORE: A few months ago, a major Bangalore-based infotech company lost out on a $8 million contract. The company was expecting a business delegation to visit India before signing the contract, but 15 days before the date set for the deal, the meeting was abruptly called off.

The same team went to China instead. When the Indian firm investigated the matter, it discovered a gaping hole in its security. The computers of several of its top executives had been compromised by Chinese hackers and privileged information leaked to a Chinese competitor, who walked away with the deal by quoting a lesser price.

Dec 11 2008

Chinese hackers targeting French Embassy websites around the world

Chinese hackers are targeting French Embassy websites all around the world to protest President Nicolas Sarkozy’s visit with the Dalai Lama.

According to hack4.com, featured in a CNN documentary on Chinese hackers, the following French Embassy websites were successfully defaced:

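French Embassy in the United States: http://www.ambafrance-us.org/
French Embassy in the United Kingdom: http://www.ambafrance-uk.org/
French Embassy in China: http://www.ambafrance-cn.org/ (latest news: already back to normal) (Repaired)
French Embassy in Canada: http://www.ambafrance-ca.org/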

Visiting all of the above websites shows that either they were not defaced or have been repaired since the attack. Hack4.com points out that the following websites have not been hit, suggesting they are future targets:

French Embassy in Japan: http://www.ambafrance-jp.org/
French Embassy in Iceland: http://www.ambafrance-is.org/

Hack4.com gives this screenshot of the reported hacked website(s) (Deleted):

UPDATE: Better screenshots of the defaced French Embassy websites from 7747.net:

(Sorry guys, just updated to WordPress 2.7 and having a few problems.  Can’t seem to get the screenshot to enlarge when you click on it.  The three defaced websites are the US, UK and Canada.)

UPDATE: Once again, Eastwood has set me straight. Linked the image through the Chinese hacker website and now you should be able to pull up the graphic.

Dec 08 2008

Now India can’t use G-mail for official communications…thanks Chinese hackers!

Published under Other attacks

Since when is it a good idea to use G-mail for official communications? The Prime Minister says, “never!”

The Prime Minister’s Office (PMO) has instructed its officials not to use Google mail for official communication after Chinese hackers accessed the PMO’s internal networking systems.

The Chinese also hacked the Ministry of External Affairs’ internal communications network, and the National Informatics Centre (NIC) also fell victim to an attack supposedly aimed at the National Security Council.

The Chinese hacked the communication networks of officials and accessed emails used by the officials to communicate policy and decisions to other ministries and sectors of the government. The cyber attacks are believed to have been launched from dial-up internet connections in China. Up to four cyber attacks by Chinese hackers are reported on Indian servers daily.

The NIC traced the IP addresses used for attacking the PMO’s communication networks to China. They found that Google mail or Gmail was the main target of the Chinese hackers. Following this, the PMO has instructed its officers and staff to refrain from using Gmail for official communication.

Dec 06 2008

Official Jingzhou Municipal Bureau of Commerce website defaced

Published under Other attacks

Chinanews.com is reporting that the official government website of the Jingzhou Municipal Bureau of Commerce has been defaced with the picture of a girl in a bikini. The article discusses the lack of security in Chinese government websites and speculates on why the website was hacked.

Update from jumper: Please see this article about googling defaced Chinese .gov sites.

Dec 06 2008

Chinese hacker “hero Han” and leak of Windows 7 build 6956

Published under Uncategorized

Screenshot from Windows 7 Center

From iTWire on leak of Windows 7 build 6956:

The Windows7Center.com site is where I first read of the 6956 build leaking to the Internet.

The site says: “The impossible has been done again and pirates all over the world are busy trying to obtain the more updated build of Windows 7- build 6956.

“Just a day after WinHEC China began, an attendee from the conference managed to slip a Virtual Hard Disk (VHD) image of Windows 7 Build 6956 onto a portable device and upload it via torrent to the world.

“You’d think that Microsoft would have some sort of security enforced to keep this from happening after how hard they’ve been trying to prevent any leaks. The uploader from the PCBeta forum uses the alias Edward_Han, and is seen by the Chinese Windows community as a hero. The community has been referring to him as Edward_Han the hero, and even Master Edward_Han.”

Dec 02 2008

Chinese hackers now hiring for locations in the US, Hong Kong, South Korea and the UK

Not every industry is suffering during these tough economic times. One of my favorite Chinese hacker websites is expanding operations and doing a little hiring. In fact, business is so good, they are expanding into the US, Hong Kong, South Korea and the UK.

The salary range is from 30,000-100,000 yuan (USD 4,300 to 14,500 approx) and they are inviting computer and network security personnel from all over the country and the world to join their organization. However, the applicants must work at the Beijing headquarters for a trial period of three months.

If you make it past the trial period you get to enjoy the same perks as the rest of the staff such as dining together, birthday cakes, free travel, paid holiday, training and end-of-year red envelope (these contain money).

For those who show exceptional skill at their post, arrangements can be made to go to Hong Kong, South Korea, the US and the UK.

They are trying to fill four positions:

1) Training department manager

2) Training department computer lecturer

3) Training department network lecturer

4) Training department security lecturer

The advertisement lists all the qualifications for the positions, including education and ages. I will supply these details for anyone who is interested. The applicants will have an online test and need to report for a two-day interview.

They also list three different online applications for graduates, non-graduates and interns.

Mine is already filled and let’s hope I snag one of these sweet positions. Hell, they won’t even have to pay reloc

Nov 28 2008

Chinese hackers targeting US military in Afghanistan

Published under US attacks

From US News and World Report on a Chinese hacker virus exporting information on US military logistics:

This wasn’t the first such cyberattack, and officials said that earlier incarnations of the virus had exported information such as convoy and troop movements here. It was not clear precisely what information, if any, was being pulled from Department of Defense computers by this latest virus, they said.

Officials familiar with the computer attack characterized it as extremely aggressive and said that it originated in China. However, they haven’t been able to determine whether the viruses are part of a covert Chinese government effort or the work of private hackers.

Nov 20 2008

DefenseNews: Chinese cyber attacks on the rise

Defense News presents a rather chilling look at the rising threat of Chinese cyber operations and cyber crime targeting US interests to include defense and industry:

Chinese hackers have been able to steal data as diverse as NASA files on the Mars orbiter’s propulsion system, solar panels and fuel tanks, Army helicopter mission planning systems and Air Force flight planning software.

China has been able to break into the U.S. military’s non-classified NIPRNet, which could give it “the potential capability to delay or disrupt U.S. forces without physically engaging them,” the commission says.

And China continues to strengthen its cyber warfare capabilities. “Many individuals are being trained in cyber operations at Chinese military academies,” the commission report says.

Chinese-made cyber hardware is a threat, too. Computer and network components made in China could be implanted with malicious code that can be activated later to steal, manipulate or destroy critical data, the commission says.

