The Dark Visitor

UPDATE: It looks like the organizers might be trying to put a stop to the attack due to the number of people who are aware of it. Translating some of it now.
UPDATE to UPDATE While the group may be trying to call off the attack, it might be too late. CNN is now reporting that they have been targeted in an attempt to disrupt their web site.
FINAL UPDATE FOR THIS POST: See the newest release by the group planning attack on CNN here

First, I have added a clock with the Beijing local time because it crossed my mind that some people might be thinking the scheduled attack on CNN is going to take place on US date, time. Nope, Beijing local. So that means it is suppose to take place tomorrow. I will leave the clock up if you want to check back.

Second, many more Chinese sites, not just hacker, starting to call for the DDOS attack on CNN. Also they are starting to solidify their plans. Here are the details from one posting on the Guilin University of Electronic Technology bulletin board:

1. Attack will start on 19 April 2008, at 8:00 pm
2. DDOS attack on www.cnn.com
3. The DDOS attack is going to last over three hours
4. They need a large number of compromised computers to carry out the attack and are requesting everyone’s support in putting to together the number needed

The plan has many more details but unfortunately the language is too technical for me to translate.

Here are additional sites calling for the attack on CNN.

http://bbs.neteasy.cn/showthread.php?p=984976
http://www.coogo.net/bbs/showtopic-444648.aspx
http://www.ytjt.com.cn/bbs/redirect.php?tid=36644&goto=lastpost
http://www.ipark.cn/bbs/Post.asp?PostID=836336
http://blog.xuite.net/lemon_head/simple/16728332
http://tieba.baidu.com/f?kz=357748876

Probably many more out there.

UPDATE: Carl Jongsma, from Computer World, was kind enough to provide us a little press on this breaking situation.

UPDATE: Tried once again to contact CNN and warn them of the scheduled attack. If anyone has a better contact than just their news tip e-mail, please inform them.

UPDATE (APRIL 18 1556GMT; Jumper): Arbor Networks is using their tools to monitor the situation.  Take a look at Jose Nazario’s post here.

UPDATE: Since we have some smart people looking at the blog, I wanted to post below part of the Chinese hackers’ attack plan. This seems to be part of the DDoS call for large numbers of attacking computers. Will supply what I can about the Chinese, though it is possibly wrong. If someone knows what this is referring to please post in the comments and we will move it to the blog:

总群：29332975 (This refers to the total number)
复仇的火焰分群1：10093595 (Revenge of the flame group 1)
复仇的火焰分群2：60087657 (Revenge of the flame group 2)
复仇的火焰分群3：17697381 (Revenge of the flame group 3)
复仇的火焰分群4：52911651 (Revenge of the flame group 4)
复仇的火焰分群5：13283694 (Revenge of the flame group 5)
复仇的火焰分群6：52274747 (Revenge of the flame group 6)
复仇的火焰分群7：13735729 (Revenge of the flame group 7)
复仇的火焰分群8：28556275 (Revenge of the flame group 8 )
复仇的火焰分群9：8333214 (Revenge of the flame group 9)
复仇的火焰分群10：24207831 (Revenge of the flame group 10)
复仇的火焰分群11：18574877 (Revenge of the flame group 11)

UPDATE to UPDATE Jumper figured out that these were probably the QQ numbers for the group leaders of the attack. When I went back and looked at some of the sites calling for the DDoS attack, one did list it as QQ群 or QQ groups.

Anti-CNN has issued a call for the Chinese flag to wave over Europe on 19 April 2008. The call was issued to show opposition to Europe’s stance on the Tibet issue. Anti-CNN has called for all overseas Chinese in Germany, France, England and Holland to appear in a simultaneous protest. Overseas Chinese were asked to have their voices penetrate the European sky. It appears the protests may have been scheduled for April 26th, as the announcement asked for people who had already made plans, to switch them to 19 April. The protests on the 19th are scheduled as follows:

1. 1500-1800hrs, 19 April 2008, at the Bundestag, Platz der Republik, Berlin
2. 1300-1500hrs, 19 April 2008, two routes (from Talie – Hotel de Ville – Bastille) or (Republique – Bastille – Hotel de Ville –Bastille, Paris
3. 1100-1500hrs, 19 April 2008, Downing Street outside of Whitehall, England
4. (No time given) 19 April 2008, Amsterdam, Holland

The protests appear to be well organized, with the coordination of donations, banners, flags, T-shirts…etc. While it is of course impossible to tell how widespread the demonstrations will be, an online keyword search, using Chinese, did produce several hundred hits.

To coincide with the European protests, several Chinese hacker groups are calling for a DDOS attack on the CNN website to begin at 8:00pm on 19 April 2008. While only three websites have openly posted about this attack, my guess is that many more calls are going on behind closed doors.

The first screen shot below calls for an attack similar to the Sino-US hacker war.

Could not get the web page for Tianya to open but it clearly calls for a DDOS attack on the CNN website to begin at 8:00 pm (Beijing time) on 19 April 2008.

Over at Hackbase, Dreamsmaker is also putting out the word for an attack on the CNN website.

The final tidbit of this story comes from a thread discussing the possibility of having demonstrations inside the country to support China’s position on Tibet. It was mentioned that during the anti-Japanese protests of 2005, all the people who passed out leaflets supporting the protests were punished. While some thought it was impossible to hold the demonstrations inside…a commenter calling himself…little stupid told this story:

I was in Beijing during that time, leaflets were everywhere. Although the next day they were all torn down, the schools still had them all over the place. Even the Beijing police supplied free eggs to throw at the Japanese Consulate.

UPDATE: From CNN

“Thank you for contacting CNN. This email is to notify you that your news tip has been received and will be reviewed in a timely manner. You will be contacted if the news tip is valid and we need further information and verification.

We appreciate your news tip and thank you for choosing CNN as your breaking news source.

Sincerely,

CNN Viewer Communications Management
‘CNN, The Most Trusted Name In News’

Wonder if they will check before it all goes black?

This is a fantastic article by Brian Grow, Keith Epstein and Chi-Chu Tschang on The New E-spionage Threat. The detail of the article and actual investigation are well worth reading.

The Pentagon hadn’t sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the “sender” and “recipient” to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China’s Yangtze River.

Continue reading…

The other part of the article I found interesting was the e-mail link from Wang Baodong, Press Counselor & Spokesperson Of the Chinese Embassy to the United States:

As I told you over phone, I read your questionnaire carefully, and I’m very much concerned about the purpose of your story—if it targets China and is aimed at fanning up a “China cyber threat”, I would strongly suggest that you do not do such stories as this would only serve the purpose of some anti-China forces, and is not conducive to increasing mutual understanding and friendship between the Chinese and American peoples.

More of Wang Baodong’s e-mail…

To me, this suggests that Chinese hackers may be going after what they consider the softer targets (as compared to those of the US military network) of US defense contractors. The e-mail sent to Booz Allen also demonstrates a very sophisticated method of net-reconnaissance and social-engineering.

Update (from jumper):  A good follow-up.

Best article of the year! Time reporters Simon Elegant and Lin Yang’s interview with Withered Rose, the Chinese hacker accused of breaking into the Pentagon.

Suggest that they might hack for cash, and the NCPH crew is outraged. ‘The real hackers are not doing it for a name or money,’ says Fisherman, who sports a small diamond-stud earring. ‘The real hackers keep their heads down, finding network loopholes, write killer programs and live off social security.’

Classic…go read!

Saw this earlier today before they tagged it an attack originating from China and sort of thought they might end up being the culprits. The report by ABC gives some details and it does fit into the emerging pattern of attacks on industry and national infrastructure.  Worth reading, here.