seen from United States

seen from United States
seen from China
seen from Netherlands

seen from Portugal
seen from Italy
seen from Malaysia
seen from China

seen from Hong Kong SAR China
seen from Australia

seen from Singapore

seen from Singapore
seen from Kazakhstan
seen from United States
seen from United States
seen from United States
seen from Angola
seen from United States
seen from Libya
seen from China
U.S. Case Offers Glimpse Into China’s Hacker Army
By Edward Wong, NY Times, May 22, 2014
BEIJING--One man accused of being a hacker for the Chinese military, Wang Dong, better known as UglyGorilla, wrote in a social media profile that he did not “have much ambition” but wanted “to wander the world with a sword, an idiot.”
Another, Sun Kailiang, also known as Jack Sun, grew up in wealthy Pei County in eastern China, the home of a peasant who founded the ancient Han dynasty and was idolized by Mao.
They and three others were indicted by the United States Justice Department this week, charged with being part of a Chinese military unit that has hacked the computers of prominent American companies to steal commercial secrets, presumably for the benefit of Chinese companies.
Much about them remains murky. But Chinese websites, as well as interviews with cybersecurity experts and former hackers inside and outside China, reveal some common traits among those and other hackers, and show that China’s hacking culture is a complex mosaic of shifting motivations, employers and allegiances.
Many hackers working directly for the Chinese government are men in their 20s and 30s who have been trained at universities run by the People’s Liberation Army and are employed by the state in myriad ways. Those working directly for the military usually follow a 9-to-5 weekday schedule and are not well paid, experts and former hackers said. Some military and government employees moonlight as mercenaries and do more hacking on their own time, selling their skills to state-owned and private companies. Some belong to the same online social networking groups.
“There are many types of relationships,” said Adam Segal, a China and cybersecurity scholar at the Council on Foreign Relations in New York. “Some P.L.A. hackers offer their services under contract to state-owned enterprises. For some critical technologies, it is possible that P.L.A. hackers are tasked with attacks on specific foreign companies.”
The Obama administration makes a distinction between hacking to protect national security, which it calls fair play, and hacking to obtain trade secrets that would give an edge to corporations, which it says is illegal. China and other nations accuse the United States of being the biggest perpetrator of both kinds of espionage.
In the indictments, unsealed on Monday, the United States accused Mr. Wang, Mr. Sun and three others of working in the Chinese Army’s Unit 61398, which a report last year by Mandiant, a cybersecurity company in Alexandria, Va., said operated out of a 12-story white tower on the outskirts of Shanghai. That unit is now the most infamous of China’s suspected hacking groups, and the Western cybersecurity industry variously calls it the Comment Crew, the Shanghai Group and APT1.
Some members are active on Chinese social media. Mr. Wang, Mr. Sun and another of the men indicted, Wen Xinyu, are part of a group on QQ, a social networking and messaging tool, that calls itself “Poor Folks Fed by Public Funds,” according to an Internet search.
The group, which has 24 members, also includes Mei Qiang, a hacking suspect named in the Mandiant report whose alias is SuperHard. Another member, Xu Yaoling, has the same name as someone from the P.L.A. University of Science and Technology, a military institution in Nanjing, who has written papers on hacking and cybersecurity.
Mr. Wang posted messages on an official Chinese military forum in 2004 under the alias Green Field. He called himself a “military enthusiast” and asked in one thread, “Does our military have the capabilities to fight against American troops?” His forum profile listed an English name, Jack Wang, and an email address; messages sent this week to that address went unanswered. He has been known to leave a signature, “ug,” on malware he has created.
The Comment Crew is not the only big player in China, where hacking is as common in the corporate and criminal worlds as in the government. It is even promoted at trade shows, in classrooms and on Internet forums.
Western cybersecurity experts usually focus on hackers with state ties. FireEye, a cybersecurity company in Milpitas, Calif., that bought Mandiant in January, is tracking at least 25 “active Chinese-based threat groups,” of which 22 support the state in some way, said Darien Kindlund, the company’s manager of threat intelligence. At least five appear to be tied directly to one or more military groups, Mr. Kindlund said, adding that this was a conservative estimate.
Joe Stewart, a cybersecurity expert at Dell SecureWorks, said that as of last year, the Comment Crew and a unit he called the Beijing Group were using “the lion’s share” of 25,000 suspicious online domains he had been tracking. The Beijing Group, he said, used a dedicated block of I.P. addresses that could be traced to the Chinese capital and to the network of China Unicom, one of the three biggest state-owned Internet telecommunications companies.
“There’s espionage activity coming out of that,” Mr. Stewart said, though he added that he had seen no evidence of the Beijing Group’s working with China Unicom or any other state entity.
A man who answered a China Unicom spokesman’s cellphone declined to comment.
The targets pursued by the Comment Crew and the Beijing Group overlap--both go after foreign corporations and government agencies, for example--but the Beijing unit also takes aim at “activist types,” Mr. Stewart said, including ethnic Tibetan and Uighur exile groups. The two units are responsible for creating most of the world’s 300 known families of malware, he added.
Western cybersecurity experts saw a surge of online espionage attacks on corporations starting in late 2006. Before that, attacks had been aimed mostly at government agencies or contractors. The experts said much of the initial wave of corporate espionage was traced to China, and specifically to the Comment Crew. About a year later, the Beijing Group appeared on the scene.
A smaller unit, the Kunming Group, whose attacks have been traced to I.P. addresses in Kunming, the capital of Yunnan Province, seemed focused on targets in Vietnam, Mr. Stewart said. It deployed malware and so-called spear phishing attacks that tried to entice victims to click on messages and links in Vietnamese.
It is unclear exactly what the Kunming Group sought to achieve, but tensions between China and Vietnam have been rising in recent years over territorial disputes in the South China Sea. China moved an oil rig near Vietnam this month, an action Vietnam has protested. Vietnam is also working with foreign oil companies to drill and explore in that sea.
Though the Obama administration has focused on exposing corporate espionage, hackers suspected of working for the Chinese government have breached a wide range of foreign government agencies, cybersecurity experts say.
For example, FireEye said it had observed spying attacks on Taiwanese government agencies and on a professor in India who held pro-Tibet views. The company called the attackers the Shiqiang Gang. A mainland Chinese group also carried out attacks on Japanese government agencies and companies last September by putting commands on Japanese news media websites that would infect users.
Fine Line Seen in U.S. Spying on Companies
By David E. Sanger, NY Times, May 20, 2014
WASHINGTON--The National Security Agency has never said what it was seeking when it invaded the computers of Petrobras, Brazil’s huge national oil company, but angry Brazilians have guesses: the company’s troves of data on Brazil’s offshore oil reserves, or perhaps its plans for allocating licenses for exploration to foreign companies.
Nor has the N.S.A. said what it intended when it got deep into the computer systems of China Telecom, one of the largest providers of mobile phone and Internet services in Chinese cities. But documents released by Edward J. Snowden, the former agency contractor now in exile in Russia, leave little doubt that the main goal was to learn about Chinese military units, whose members cannot resist texting on commercial networks.
The agency’s interest in Huawei, the giant Chinese maker of Internet switching equipment, and Pacnet, the Hong Kong-based operator of undersea fiber optic cables, is more obvious: Once inside those companies’ proprietary technology, the N.S.A. would have access to millions of daily conversations and emails that never touch American shores.
Then there is Joaquín Almunia, the antitrust commissioner of the European Commission. He runs no company, but has punished many, including Microsoft and Intel, and just reached a tentative accord with Google that will greatly change how it operates in Europe.
In each of these cases, American officials insist, when speaking off the record, that the United States was never acting on behalf of specific American companies. But the government does not deny it routinely spies to advance American economic advantage, which is part of its broad definition of how it protects American national security. In short, the officials say, while the N.S.A. cannot spy on Airbus and give the results to Boeing, it is free to spy on European or Asian trade negotiators and use the results to help American trade officials--and, by extension, the American industries and workers they are trying to bolster.
Now, every one of the examples of N.S.A. spying on corporations around the world is becoming Exhibit A in China’s argument that by indicting five members of the People’s Liberation Army, the Obama administration is giving new meaning to capitalistic hypocrisy. In the Chinese view, the United States has designed its own system of rules about what constitutes “legal” spying and what is illegal.
That definition, the Chinese contend, is intended to benefit an American economy built around the sanctity of intellectual property belonging to private firms. And, in their mind, it is also designed to give the N.S.A. the broadest possible rights to intercept phone calls or email messages of state-owned companies from China to Saudi Arabia, or even private firms that are involved in activities the United States considers vital to its national security, with no regard to local laws. The N.S.A. says it observes American law around the globe, but admits that local laws are no obstacle to its operations.
“China demands that the U.S. give it a clear explanation of its cybertheft, bugging and monitoring activities, and immediately stop such activity,” the Chinese Defense Ministry said in a statement released on Tuesday.
Petrobras is a case in point. In the American view, Brazilian energy policy is made inside the state-run company, which is indistinguishable from the government. Thus, under the same rationale that the United States intercepted the phone calls of the country’s president, Dilma Rousseff, it had the authority, as a collector of foreign intelligence, to delve inside the company. Ms. Rousseff, denouncing the N.S.A. at the United Nations last September, said that the agency’s activities amounted to “a breach of international law and an affront” to Brazil’s sovereignty.
In fact, state-run oil companies are a fascination to the N.S.A. just as American high-tech firms are a Chinese obsession. State oil companies in Saudi Arabia, Africa, Iran and Mexico have often been intelligence targets for the United States. American officials say that digging inside corporations for insights into economic policy is different from actually stealing corporate secrets.
But in the case of Mr. Almunia, the stream of data intercepted by the N.S.A. was most likely highly company-specific. Mr. Almunia was dealing with antitrust issues involving Apple, Motorola Mobility, Intel and Microsoft.
American officials sometimes dig into corporations because they are suspected to be witting or unwitting suppliers of technology to the North Koreans or the Iranians. Siemens, the German telecommunications firm, was the chief supplier of the factory controllers that ran the centrifuges in Iran’s main nuclear enrichment plant at Natanz. The Stuxnet computer worm, designed by the United States and Israel, was designed to attack Siemens equipment--and it has never been clear whether the company knew that its machines were under American and Israeli attack. But in that case, American officials could argue that national security, not corporate competitiveness, was the goal.
In contrast, when Unit 61398 went after Westinghouse and Alcoa, it was to steal trade secrets and strategies to enter the Chinese market.
But other elements of the indictment, some outside experts say, could give the Chinese the opportunity to turn the rationale of the Justice Department against its own government. Some of the supposed Chinese online espionage against the United Steelworkers union and a solar energy firm, SolarWorld, appeared intended to gain intelligence about trade complaints.
Jack Goldsmith, a Harvard law professor who served in the Justice Department under the George W. Bush administration, wrote on the Lawfare blog on Tuesday that that “sounds a lot like the kind of cybersnooping on firms that the United States does.”
With Spy Charges, U.S. Draws a Line That Few Others Recognize
By David E. Sanger, NY Times, May 19, 2014
WASHINGTON--By indicting members of the People’s Liberation Army’s most famous cyberwarfare operation--called Unit 61398 but known among hackers as the “Comment Crew”--the Obama administration has turned to the criminal justice system to reinforce its argument that there is a major difference between spying for national security purposes, something the United States does daily, and the commercial, for-profit espionage carried out by China’s military.
The Chinese argue that the distinction is an American artifact, devised for commercial advantage. They believe that looking for business secrets is part of the fabric of national security, especially for a rising economic powerhouse. And while American officials are loath to admit it, Washington’s view has relatively few advocates around the world. The French, for example, were notorious for conducting state-backed corporate espionage long before the Chinese mastered the form. And if they choose, Chinese leaders has ample opportunity to retaliate by making life even harder for American companies.
Attorney General Eric H. Holder Jr. repeated the we-don’t-spy-for-corporate-America argument Monday morning as he unsealed an indictment that included allegations that Unit 61398 had stolen trade secrets for nuclear power plants that would save Chinese firms years of design work, as well as information from inside an American solar energy company that was pursuing a trade complaint against its Chinese competitors.
“The alleged hacking appears to have been conducted for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States,” Mr. Holder said. “This is a tactic that the U.S. government categorically denounces. As President Obama has said on numerous occasions, we do not collect intelligence to provide a competitive advantage to U.S. companies, or U.S. commercial sectors.”
There is little doubt, based on the evidence published last year, that the Comment Crew’s targets include companies that compete directly with state-owned Chinese enterprises that fund the People’s Liberation Army and often line the pockets of its leaders. But they are hardly the only targets of Chinese espionage: The office of the secretary of defense, the firms building the new Joint Strike Fighter, the Council on Foreign Relations, the Aspen Institute and The New York Times have all been targets of Chinese hacking units, for different reasons.
But the United States is limited in the complaints it can make because it has targeted similar institutions in China--for equally murky reasons. So when Mr. Obama raised the issue with Xi Jinping, the Chinese president, he focused only on commercial espionage, arguing it is far more pernicious to use the intelligence instruments of the state for a business advantage. The United States may do all it can to learn about China’s nuclear arsenal, or Beijing’s intentions in its territorial disputes with Japan, but it does not, he says, steal from China Telecom to help AT&T.
Prosecutors focused on the most clear-cut commercial cases, perhaps because the United States believes the cases will bolster the president’s central argument, that there is something sacred about intellectual property.
“This is not something they pulled out of their back pocket,” said Kevin Mandia, whose company, the Mandiant division of FireEye, compiled the first public report about Unit 61398 last year. “This was a logical escalation of the pressure.”
But it was also an effort to regain the high ground the United States lost last year after the revelations made by Edward J. Snowden, the former National Security Agency contractor. The documents he revealed suggested that the clear line Mr. Obama talks about when discussing Chinese cyberpractices is often blurry.
Even before Mr. Snowden walked out of the Hawaii facilities of the N.S.A. with a trove of documents, it was clear that the United States was not above economic espionage, as long as it was not for the direct benefit of specific companies.
For example, the United States spies regularly for economic advantage when the goal is to support trade talks; when the Clinton administration was locked in a high-stakes negotiation in the 1990s to reach an accord with Japan, it bugged the Japanese negotiator’s limousine. At the time, the chief beneficiaries would have been the Big Three auto companies and a smattering of parts suppliers. It is also widely believed to be using intelligence in support of trade negotiations underway with European and Asian trading partners. But in the view of a succession of Democratic and Republican administrations, that is fair game.
Companies can also be targets. Documents released by Mr. Snowden showed that the American government pried deep into the servers of Huawei, one of China’s most successful Internet and communications companies. The documents made clear that the N.S.A. was seeking to learn whether the company was a front for the People’s Liberation Army and whether it was interested in spying on American firms. But there was a second purpose: to get inside Huawei’s systems and use them to spy on countries that buy the company’s equipment.
Huawei officials said they failed to understand how that differed meaningfully from what the United States has accused the Chinese of doing.
But such reasoning is rejected by the intelligence community. “I welcome this indictment because it has our government rejecting the false equivalence between us and the Chinese,” said Michael V. Hayden, a former director of both the N.S.A. and the Central Intelligence Agency. “It’s a risky course of action,” he added, “but prior to this we were in stasis.”
It is risky because the Chinese have already declared that they are shutting down, at least for now, the modest talks between the two countries on norms of behavior on the Internet.
Those conversations were already fraught. Last month, Defense Secretary Chuck Hagel went to Beijing to argue for a new channel of communication between the United States and China on cyberstrategy. American officials had already given the Chinese an overview of American cybersecurity, emphasizing that the N.S.A. did not take what it collects and hand it to Apple or Microsoft or Google.
The hope was that it would prompt the Chinese to give Washington a similar briefing about the People’s Liberation Army units that are believed to be behind the attacks on American corporations and government networks. So far, the Chinese have not reciprocated.
Instead, they have denied that the P.L.A. conducts cyberoperations. When The Times published an article early last year about Unit 61398, in which it detailed some of the group’s operations, there were furious denials from Beijing. For a few weeks, the unit went quiet.
Then it came back--operating from different servers, but often against the same American industrial targets.
Chinese University – possible involvement in cyberattacks against the US
It is not surprising that even the students in China are putting their knowledge on the table for conceiving major cyberattack plans. The Jiaotong School of Information Security Engineering (SISE) based in the country’s capital seems to have sort of close link to the People’s Liberation Army Unit 61398. The two sides have partnered up [...]
The post Chinese University – possible involvement in cyberattacks against the US appeared first on SecurEncrypt - HIPAA/HITECH File Encryption Software.
via SecurEncrypt http://bit.ly/ZrV5Hv
The Great Cyberscare
By Thomas Rid, Foreign Policy, March 13, 2013 The White House likes a bit of threat. In his State of the Union address, Barack Obama wanted to nudge Congress yet again into passing meaningful legislation. The president emphasized that America's enemies are "seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems." After two failed attempts to pass a cybersecurity act in the past two years, he added swiftly: "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." Fair enough. A bit of threat to prompt needed action is one thing. Fear-mongering is something else: counterproductive. Yet too many a participant in the cybersecurity debate reckons that puffery pays off.
The Pentagon, no doubt, is the master of razzmatazz. Leon Panetta set the tone by warning again and again of an impending "cyber Pearl Harbor." Just before he left the Pentagon, the Defense Science Board delivered a remarkable report, Resilient Military Systems and the Advanced Cyber Threat. The paper seemed obsessed with making yet more drastic historical comparisons: "The cyber threat is serious," the task force wrote, "with potential consequences similar to the nuclear threat of the Cold War." The manifestations of an all-out nuclear war would be different from cyberattack, the Pentagon scientists helpfully acknowledged. But then they added, gravely, that "in the end, the existential impact on the United States is the same."
A reminder is in order: The world has yet to witness a single casualty, let alone fatality, as a result of a computer attack. Such statements are a plain insult to survivors of Hiroshima. Some sections of the Pentagon document offer such eye-wateringly shoddy analysis that they would not have passed as an MA dissertation in a self-respecting political science department. But in the current debate it seemed to make sense. After all a bit of fear helps to claim--or keep--scarce resources when austerity and cutting seems out-of-control. The report recommended allocating the stout sum of $2.5 billion for its top two priorities alone, protecting nuclear weapons against cyberattacks and determining the mix of weapons necessary to punish all-out cyber-aggressors.
Then there are private computer security companies. Such firms, naturally, are keen to pocket some of the government's money earmarked for cybersecurity. And hype is the means to that end. Mandiant's much-noted report linking a coordinated and coherent campaign of espionage attacks dubbed Advanced Persistent Threat 1, or "APT1," to a unit of the Chinese military is a case in point: The firm offered far more details on attributing attacks to the Chinese than the intelligence community has ever done, and the company should be commended for making the report public. But instead of using cocky and over-confident language, Mandiant's analysts should have used Words of Estimative Probability, as professional intelligence analysts would have done.
An example is the report's conclusion, which describes APT1's work: "Although they control systems in dozens of countries, their attacks originate from four large networks in Shanghai--two of which are allocated directly to the Pudong New Area," the report found. Unit 61398 of the People's Liberation Army is also in Pudong. Therefore, Mandiant's computer security specialists concluded, the two were identical: "Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1." But the report conspicuously does not mention that Pudong is not a small neighborhood ("right outside of Unit 61398's gates") but in fact a vast city landscape twice the size of Chicago. Mandiant's report was useful and many attacks indeed originate in China. But the company should have been more careful in its overall assessment of the available evidence, as the computer security expert Jeffrey Carr and others have pointed out. The firm made it too easy for Beijing to dismiss the report. My class in cybersecurity at King's College London started poking holes into the report after 15 minutes of red-teaming it--the New York Times didn't.
Which leads to the next point: The media want to sell copy through threat inflation. "In Cyberspace, New Cold War," the headline writers at the Times intoned in late February. "The U.S. is not ready for a cyberwar," shrieked the Washington Post earlier this week. Instead of calling out the above-mentioned Pentagon report, the paper actually published two supportive articles on it and pointed out that a major offensive cyber capability now seemed essential "in a world awash in cyber-espionage, theft and disruption." The Post should have reminded its readers that the only military-style cyberattack that has actually created physical damage--Stuxnet--was actually executed by the United States government. The Times, likewise, should have asked tough questions and pointed to some of the evidential problems in the Mandiant report; instead, it published what appeared like an elegant press release for the firm. On issues of cybersecurity, the nation's fiercest watchdogs too often look like hand-tame puppies eager to lap up stories from private firms as well as anonymous sources in the security establishment.
Finally, the intelligence community tags along with the hype because the NSA and CIA are still traumatized by missing 9/11. Missing a "cyber 9/11" would be truly catastrophic for America's spies, so erring on the side of caution seems the rational choice. Yes, Director of National Intelligence James Clapper's recent testimony was more nuanced than reported and toned down the threat of a very serious cyberattack. But at the same time America's top spies are not as forthcoming with more detailed information as they could be. We know that the intelligence community, especially in the United States, has far better information, better sources, better expertise, and better analysts than private companies like Symantec, McAfee, and Kaspersky Lab. But for a number of reasons they keep their findings and their analysis classified. This means that the quality of the public debate suffers, as experts as well as journalists have no choice but to rely on industry reports of sometimes questionable quality or anonymous informants whose veracity is hard to assess.
The tragedy is that Obama actually has it right: Something needs to be done, urgently. But Washington's high-octane mix of profiteering, protectiveness, and politics is sadly counterproductive for four reasons:
First, the hype actually makes it harder to focus on crucial engineering details. Security standards in industrial control systems and SCADA networks--the networks that control stuff that physically moves around, from trains to gas to elevators--are shockingly low. The so-called Programmable Logic Controllers widely used in critical infrastructure are designed to be safe and reliable in tough factory-floor conditions and harsh weather, not secure against outside attack. This year's S4-conference in Miami Beach, organized by the small and specialized security outfit Digital Bond, again showcased how vulnerable these systems are. But Washington is too busy screaming havoc and too ill-informed to do something meaningful about concrete engineering issues. Just sharing information, as the inspector general of the Department of Homeland Security recommended in a report last month, is useful but it will not deliver security. Connecting critical infrastructure that was never designed to be linked to the Internet is also not the root of the problem--the built-in security flaws and fragility of these systems needs to be fixed, as Digital Bond's Dale Peterson pointed out last week in response to the timid DHS report. The political dynamic behind this logic is clear: The more is declared critical, the harder it becomes to act on the really critical.
Second, the hype clouds badly needed visibility. A fascinating project at Free University Berlin has produced a vulnerability map. The map uses publicly available data from Shodan, the Google for control system hackers, and adds a layer of information crawled from the web to geo-locate the systems that often should not be connected to the Internet in the first place. Red dots on the map show those systems. The United States looks as if it has the measles. But note that the map is incomplete: It is biased towards German products, the project's founder told me. If that flaw can be fixed, the United States and other countries would look as bloody red as Germany does already. The U.S. government's attention-absorbing emphasis on offensive capabilities means it has very little visibility into what this vulnerability map would actually look like.
Third, sabotage and espionage are rather different things--technically as well as politically. SCADA systems are highly specific kit, often old and patched together over years, if not decades. That means these systems are highly specific targets, not generic ones. Affecting critical operations requires reprogramming these systems, not just disrupting them; the goal is modifying output parameters in a subtle way that serves the saboteur's purpose. With Stuxnet, the U.S. government provided the--so far--most extreme and best-documented case study. The operation showed that successful sabotage that goes beyond just deleting data is far more difficult than successful espionage: It requires testing and fine-tuning an attack over many iterations in a lab environment, as well as acquiring highly specific and hard-to-get target intelligence. Stealing large volumes of intellectual property from a commercial competitor, by contrast, is a technically rather different operation--there is little to no valuable IP hidden inside control systems. To put it bluntly: China and others have a high commercial incentive to steal stuff, but they have no commercial incentive to break stuff. All threats are not created equal. What's needed is nuance, surgical precision, differentiation, and sober analysis--not funk, flap, and fluster.
Finally, hype favors the offense over the defense. The offense is already sexier than the defense. Many software engineers who consider a career in public administration want to head north to the dark cubicle at Fort Meade, not bore themselves in the Department of Homeland Security--if they are not working happily in the Googleplex on bouncing rubber balls already. If the NSA sucks up most of the available talent and skill and puts it to work on the offense, the defense will continue to suffer. By overstating the threat, and by lumping separate issues into one big bad problem, the administration also inadvertently increases the resistance of powerful business interests against a regulatory over-reaction.
As President Obama mentioned in his State of the Union address, if we look back years from now and wonder why we did nothing in the face of real threats, the answer may be straightforward: too much bark, not enough bite.
China hacker's angst opens a window onto cyber-espionage
By Barbara Demick, Los Angeles Times, March 12, 2013 BEIJING--For a 25-year-old computer whiz enlisted in a People's Liberation Army hacking unit, life was all about low pay, drudgery and social isolation.
Nothing at all like the unkempt hackers of popular imagination, the young man wore a military uniform at work in Shanghai. He lived in a dorm where meals often consisted of instant ramen noodles. The workday ran from 8 a.m. to 5:30 p.m., although hackers were often required to work late into the evening.
With no money and little free time, he found solace on the Internet. He shopped, chatted with friends and courted a girlfriend. He watched movie and television shows. He drew particular inspiration from the Fox series "Prison Break," and borrowed its name for his blog.
The blog provides a rare peek into the secretive hacking establishment of the Chinese military, which employs thousands of people in what is believed to be by far the world's largest institutionalized hacking operation.
Concern about computer security has risen sharply in recent weeks. Top U.S. intelligence officials said Tuesday that attacks and espionage now pose a greater potential danger than Al Qaeda and other militant organizations. The computers of more than 30 journalists and executives of Western news organizations in China, including the New York Times and the Wall Street Journal, have been hacked.
Mandiant Corp., a U.S. computer security firm based in Alexandria, Va., said in a report last month that it had traced an epidemic of attacks on dozens of U.S. and Canadian companies to an office building in Shanghai occupied by an espionage unit of the People's Liberation Army.
Richard Bejtlich, Mandiant's security chief, said posts written by the blogger, who called himself "Rocy Bird," provided the most detailed first-person account known to date of life inside the hacking establishment. Although the blog was discontinued four years ago, the techniques described in it remain the same. "It is relevant," said Bejtlich. "Things have not changed that much."
The hacker, whose real family name is Wang, posted some 625 entries between 2006 and 2009. "Fate has made me feel that I am imprisoned," he wrote in his first entry on Sina.com. "I want to escape."
Los Angeles Times reporters tracked down Wang and his blog through an email address that was listed on a published 2006 paper about hacking. A coauthor of the paper was Mei Qiang, identified by Mandiant as a key hacker who operated under the alias "Super Hard" in Unit 61398.
One of many Chinese military units linked to hacking, Unit 61398 falls under the People's Liberation Army's General Staff 3rd Department, 2nd Bureau, which is roughly equivalent to the U.S. National Security Agency.
The PLA recruits computer scientists, mathematicians and linguists from China's top universities for its Internet espionage programs. Not unlike in the U.S., students can continue their education for free in return for their enlistment in military service.
Wang earned his master's degree in Internet security at age 25 at the Information Engineering University, run by the PLA in Zhengzhou, Henan province.
Immediately after graduating in 2006, he was enlisted in a hacking operation in Shanghai.
In the blog, Wang did not disclose which unit he worked for, but he made it clear that he was wearing a uniform and carrying a military badge. He described his building as being far from the Shanghai city center, one of his many complaints.
"What I can't understand is why all the work units are located in the most remote areas of the city," Wang wrote in an entry in 2007. "I really don't get what those old guys are thinking in the beginning. They should at least take us young people into consideration. How can passionate young people like us handle a prison-like environment like this?"
One of his first tasks was to improve on a Trojan virus known as Back Orifice 2000, which is designed to remotely hijack a computer system to steal information.
In July 2007, he boasted that his virus had successfully escaped detection by three leading detection programs made by McAfee, Symantec and Trend Micro, but that it didn't get past a fourth, Kaspersky. He also described another assignment: write a virus that would detect any USB storage device attached to a computer and copy its files. The virus was a success and Wang's boss was pleased.
"If we're lucky enough, we might be able to complete this year's target and earn a year-end bonus for everyone," Wang wrote with enthusiasm.
Otherwise, Wang poured out his unhappiness. The hackers were required to speak English, the international language of technology, as well as an essential for phishing attacks on mostly U.S. targets. But when Wang tried to hone his English skills by reading magazines such as the Economist and Harvard Business Review, his boss rebuked him for reading too much foreign press.
"The boss doesn't understand. I'll have to be more careful," he complained. Wang was also unhappy that supervisors refused to reimburse him for a $1 bus ticket to attend a business conference, while his boss claimed more than $100 for a bottle of liquor.
A high school reunion left Wang feeling discouraged about his paycheck and prospects.
"They all have a bright future. Some of them became lawyers; some went into property business or finance; some wrote programs for a commercial software company. Compared with their handsome monthly income, I even felt ashamed to say hello to them," Wang wrote.
Wang never reflected on the pros and cons of hacking for the Chinese government, but he clearly regretted having enlisted. "My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation," he wrote. With the help of his family, he managed to get out in 2008. He stopped writing the blog a year later.
The period covered in Wang's blog coincides with an upsurge in hacking detected by Mandiant. In a report issued last month, the company said hackers had systematically stolen hundreds of terabytes from 141 organizations, most of them American.
Industries targeted included chemicals, technology, financial services, mining, energy, healthcare, media and international organizations. The data included blueprints, pricing strategies and emails, which are suspected of being given to Chinese state-owned enterprises for competitive advantage.
The Chinese government has repeatedly denied hacking and has said it has been the victim of attacks originating from the United States.
The Great Cyber-Warfare Scam
By Justin Raimondo, Antiwar.com, February 19, 2013 The War Party never sleeps: there are always new variations of war propaganda coming 'round the bend. With the coming of the internet, the latest manufactured "threat" to rear its head is "cyber-warfare," which is now being touted by the Obama administration and its media fan club as the Next Big Scary Thing--but what are the facts?
The first fact we need to integrate into our analysis is that "cyber-security" isn't a science, it's an industry: that is, the entities issuing alarming reports of this lurking threat are for profit companies mainly if not exclusively concerned with selling a product. And while the "threat landscape," as the jargon phrases it, is potentially very diverse, with a number of countries and non-state actors potential combatants, our cyber-warriors have targeted China as the main danger to our cybernetic security--the Yellow Peril of the Internet Age. They're stealing our technology, our secrets, and infiltrating our very homes! This is largely baloney, as Jeffrey Carr, founder of Project Grey Goose and Taia Global, a cyber-security firm, and author of Inside Cyber Warfare, points out:
"[I]t's good business today to blame China. I know from experience that many corporations, government and DOD organizations are more eager to buy cyber threat data that claims to focus on the PRC than any other nation state. When the cyber security industry issues PRC-centric reports like this one without performing any alternative analysis of the collected data, and when the readership of these reports are government and corporate officials without the depth of knowledge to critically analyze what they're reading (i.e., when they trust the report's authors to do the thinking for them), we wind up being in the position that we're in today--easily fooled into looking in one direction when we have an entire threat landscape left unattended. We got into that position because InfoSec vendors have been left alone to define the threat landscape based upon their product offerings. In other words, vendors only tell customers to worry about the threats that their products can protect them from and they only tell them to worry about the actors that they can identify (or think that they can identify). This has resulted in a security awareness [mess] of epic proportions."
The "cyber-threat" from China has been much in the news lately, and any number of self-proclaimed "experts" with a financial stake in hyping this latest bogeyman have been pointing an accusing finger at Beijing whenever some government agency or big corporation discovers cyber-vandals in its domain. The latest is a report issued by a private cyber-security firm, Mandiant, which claims these attacks are occurring under the auspices of the People's Liberation Army (PLA). It is, of course, just a coincidence that this accusation limns a recent National Intelligence Estimate, which--according to the New York Times, itself supposedly victimized by Chinese hackers--"makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like [PLA] Unit 61398."
Yet, as Carr says, the Mandiant report has several analytic flaws. To begin with, the "mission area," i.e. the nature and alleged goal of these intrusions, is supposed to identify China as the culprit because the latest APT (cyber-security jargon for "advanced persistent threat") "steals intellectual property from English-speaking organizations," and that these thefts coincide with the technical requirements of China's current Five-Year Plan.
This kind of "logic" ought to make your BS-detector go haywire, recalling Carr's warning that there's a bad case of perception bias at work here: that's because other nations, and non-state actors such as criminal gangs, also launch cyber-attacks on English-speaking organizations, which in many instances parallel the interests contained in China's Five-Year Plan. Russia, France, Israel, and a number of other countries have advanced cyber-warfare capabilities, and haven't hesitated to use them for purposes of industrial espionage, among other reasons: Eastern European gangsters are also players in this game. Yet there is no mention of these alternatives in the Mandiant report: according to them, it's all about China.
Mandiant claims that because the rash of recent intrusions have involved operations requiring hundreds of operators, that only a nation-state with "military-grade operations" could possibly have carried them out. Yet more than 30 nations are currently running "military-grade" operations, as Carr informs us: why pick on China?
Well, says Mandiant, because the intrusions they analyzed used a Shanghai phone number to register an email account, for one. Yet this proves exactly nothing. Okay then, what about the fact that "two of four network 'home' Shanghai blocs are assigned to the Pudong New Area," where the PLA's Unit 61398 is located? This also proves exactly nothing: the Pudong New Area has over 5 million inhabitants. It is smack dab in the center of China's booming commercial and hi-tech metropolis. Ask yourself how many IP addresses originate from this area. Oh, but one of the "PLA" hackers' "self-identified location is the Pudong New Area." Really? So what? Aside from the demographic information supplied above, one has to wonder if these people really believe everything they see on the Internet is true. C'mon, guys!
The New York Times has been pushing the Yellow Cyber-Peril theme ever since their computer system was hacked, but the question of who exactly was responsible for that intrusion is by no means proved. In a Times piece on the subject--with the rather whiney headline "Hackers in China Attacked The Times for Last 4 Months"--we again come across Mandiant pointing to the Chinese military as the culprit, but their case against the PLA falls apart under the most cursory inspection. For example, Mandiant's "analysis" is based in part on the observation that these alleged Chinese "Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear."
Bull hockey. There are a number of other countries in the same time zone that have active hacker communities. The idea that the timing of these attacks somehow pinpoints "Chinese hackers" associated with the PLA is laughable. As Carr puts it:
"The hackers could have been from anywhere in the world. The time zone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn--all of whom have active hacker populations."
Mandiant--hired by the Times to investigate the intrusion, and currently in negotiations with the New York Times Company over a possible ongoing business relationship--cites the fact that the intrusions supposed originated at some of the "same universities used by the Chinese military to attack U.S. military contractors in the past." Yet there are many universities located in the Jinan area Mandiant homes in on, and geolocation in this instance, as Carr says, "means absolutely nothing." He also raises an important point: if the Chinese military was behind the Times hack, then why would they launch these attacks from a location previously identified with the PLA? That's seems rather too obvious, especially in view of the lengths to which hackers go to cover their tracks. Wouldn't China's Ministry of State Security, their official intelligence agency, be assigned that task? Yet their facilities are located in Beijing, over 200 miles away from Jinan.
Most people are ignorant of the technical details utilized by commercial enterprises like Mandiant to gin up an alleged "threat." One supposedly scary tool used by the "Chinese" hackers is a Remote Access Tool, and we are told that the specific methods used in the past by alleged Chinese hackers are matched to the Times intrusion. This is just plain wrong, however, as Carr explains:
"The article mentioned the hackers use of a Remote Access Tool (RAT). One such widely used tool is called GhostRAT. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn't mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing this attack to China's government.
"Another tool whose use is often blamed on Chinese hackers is the 'xKungFoo script.' Like GhostRAT, the xKungFoo script is widely available for anyone to use so even if it was originally created by a Chinese hacker, it doesn't mean that it is used by Chinese hackers in all instances. I personally know Russian, English, and Indian hackers who write and speak Chinese."
This is simple logic: you don't have to be a cyberwarfare "expert" to realize there are many possibilities when it comes to identifying the people behind the methods. If you've already decided who is the perpetrator, however, then Mandiant's accusations directed at Beijing fit neatly into the available "evidence." That's how confirmation bias works.
The major piece of "evidence" supposedly pointing to the Chinese government is the timing of the intrusion: just as research for a Times story on the financial dealings of a top Chinese government official, Wen JaiBo, was "nearing completion." According to the Times, the hackers gained access to email accounts belonging to Shanghai bureau chief David Barboza, author of the Wen expose, as well as Jim Yardley, bureau chief covering South Asia. Yet the Wen connection is contradicted in the very next paragraph of the Times's own account, which says:
"'Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,' said Jill Abramson, executive editor of The Times."
So what's the connection to the Wen story? In addition, Yardley had nothing to do with the Wen story, and yet his email was also breached, along with the passwords of 53 employees who are not in the Times newsroom. So what does this add up to? A big fat zero, as far as evidence of China's involvement is concerned. China is merely the go-to cyber-villain of the moment, and this is certainly true where Mandiant is concerned.
The same kind of dicey "evidence" is being used to accuse Iran--you saw this coming, didn't you? Again, the tech-ignorant New York Times is in the lead, with a story echoing the claims of US officials that Tehran was behind the recent cyber-attacks launched against several American banks. You can almost hear the spooky music in the first two paragraphs of the piece, by Nicole Perlroth and Quentin Hardy, which gives an account of how the hackers slowed down and disabled banking sites, and then goes on to say:
"There was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas."
Godzilla's on the loose! And it's an Iranian Godzilla! Yikes!
"The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.
"'There is no doubt within the U.S. government that Iran is behind these attacks,' said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington."
The skill required to carry out these attacks was minimal. As Roel Schouwenberg, senior researcher at Kaspersky Labs, put it:
"We can confirm that the attacks being reported are happening; however, the malware being used, known as ItsOKNoProblemBro, is far from sophisticated. It's really rather simple. It's also only one part of the puzzle but it seems to be effective, which is all that matters to the attackers. Going strictly by the publicly known technical details, we don't see enough evidence that would categorize this operation as something only a nation-state sponsored actor could pull off."
More "evidence" offered in support of the "Iran-did-it" theory is that these attacks did not garner any information: no data systems were breached. It was, in short, pure cyber-malice directed at American banks. If this is supposed to somehow prove the Iranians are the culprits, then it is weak tea indeed: because there are any number of groups who hate American bankers, including, I would venture, the vast majority of the American people. These DDOS attacks seem more like the sort of thing we might expect from a group like "Anonymous" than from a state actor such as Iran.
Of course, the paucity of evidence didn't stop Sen. Joe Lieberman from declaring:
"I don't believe these were just hackers who were skilled enough to cause disruption of the websites. I think this was done by Iran … and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."
As is the case with Iran's alleged nuclear weapons program, which our own spooks have said does not presently exist, the technical details are obscure to most of us, and therefore this realm is given over to "experts," both real and imagined. To Sen. Lieberman and all too many in the media, it's just a matter of picking and choosing your "experts," and making the "facts" fit your preconceived notions.
Aside from ginning up conflict with the War Party's chosen targets, the whole cyber-war scare-mongering campaign, whether the alleged "threat" is said to be emanating from China, Iran, or wherever, is also very convenient for proponents of Internet regulation who want to install back doors on every web site, and every software system, so the feds can "trace" these alleged "cyber-terrorists." It is, in short, a scam, part and parcel of a political campaign to rein in the wild and wooly--and largely unregulated--Internet, and make it more amenable to the interests of our wise rulers.
The mystification of science, and the culture of "expertise," has greatly aided the War Party in their propaganda efforts. Instead of making up stories about babies being bayoneted in their cribs--although there is still some of that--we are given mind-numbingly technical explanations that point to purported acts of "cyber-terrorism" carried out by China, Iran, or the villain-of-the-moment. Except that the supposed "evidence" turns out to be based on non-credible assumptions and faulty technical analysis.
Remember, we've been through this sort of thing before: all the "intelligence" supposedly pointed to the irrefutable "fact" that Iraq possessed "weapons of mass destruction," which it was about to launch against its neighbors. That turned out to be a lie. Much of this baloney came wrapped up in impressive-sounding technical jargon, and was validated by the media's chosen "experts."
Has anybody learned anything from that experience? I'm thinking in particular of the members of the Fourth Estate, otherwise known as "journalists." The answer, unfortunately, seems to be no.