<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: tibet]]></title>
    <link>http://securityratty.com/tag/tibet</link>
    <description></description>
    <pubDate>Mon, 17 Mar 2008 10:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Chinese Cyber Attacks]]></title>
      <link>http://securityratty.com/article/6da7a571e68f430abd0a03fd33ea55f7</link>
      <guid>http://securityratty.com/article/6da7a571e68f430abd0a03fd33ea55f7</guid>
      <description><![CDATA[The popular media conception is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government, corporate -- and steal secrets. The truth is a lot...]]></description>
      <content:encoded><![CDATA[The popular media conception is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government, corporate -- and steal secrets. The truth is a lot more complicated.

There certainly is a lot of hacking coming out of China. Any company that does security monitoring sees it all the time.

These hacker groups seem not to be working for the Chinese government. They don't seem to be coordinated by the Chinese military. They're basically young, male, patriotic Chinese citizens, trying to demonstrate that they're just as good as everyone else. As well as the American networks the media likes to talk about, their targets also include pro-Tibet, pro-Taiwan, Falun Gong and pro-Uyghur sites.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living. The fame and glory comes from their nationalistic goals. Some of these hackers are heroes in China. They're upholding the country's honor against both anti-Chinese forces like the pro-Tibet movement and larger forces like the United States.

And the money comes from several sources. The groups sell owned computers, malware services, and data they steal on the black market. They sell hacker tools and videos to others wanting to play. They even sell T-shirts, hats and other merchandise on their Web sites.

This is not to say that the Chinese military ignores the hacker groups within their country. Certainly the Chinese government knows the leaders of the hacker movement and chooses to look the other way. They probably buy stolen intelligence from these hackers. They probably recruit for their own organizations from this self-selecting pool of experienced hacking experts. They certainly learn from the hackers.

And some of the hackers are good. Over the years, they have become more sophisticated in both tools and techniques. They're stealthy. They do good network reconnaissance. My guess is what the Pentagon thinks is the problem is only a small percentage of the actual problem.

And they discover their own vulnerabilities. Earlier this year, one security company noticed a unique attack against a pro-Tibet organization. That same attack was also used two weeks earlier against a large multinational defense contractor.

They also hoard vulnerabilities. During the 1999 conflict over the two-states theory, in a heated exchange with a group of Taiwanese hackers, one Chinese group threatened to unleash multiple stockpiled worms at once. There was no reason to disbelieve this threat.

If anything, the fact that these groups aren't being run by the Chinese government makes the problem worse. Without central political coordination, they're likely to take more risks, do more stupid things and generally ignore the political fallout of their actions.

In this regard, they're more like a non-state actor.

So while I'm perfectly happy that the U.S. government is using the threat of Chinese hacking as an impetus to get their own cybersecurity in order, and I hope they succeed, I also hope that the U.S. government recognizes that these groups are not acting under the direction of the Chinese military and doesn't treat their actions as officially approved by the Chinese government.


This essay <a href="http://dsc.discovery.com/technology/my-take/computer-hackers-china.html or http://tinyurl.com/5lv3ac">originally appeared</a> on the Discovery Channel website.]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 03:08:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chinese">chinese</category>
      <category domain="http://securityratty.com/tag/chinese military ignores">chinese military ignores</category>
      <category domain="http://securityratty.com/tag/chinese military">chinese military</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/chinese government">chinese government</category>
      <category domain="http://securityratty.com/tag/military">military</category>
      <category domain="http://securityratty.com/tag/hacker tools">hacker tools</category>
      <category domain="http://securityratty.com/tag/hackers">hackers</category>
      <category domain="http://securityratty.com/tag/anti-chinese forces">anti-chinese forces</category>
      <source url="http://www.schneier.com/blog/archives/2008/07/chinese_cyber_a.html">Chinese Cyber Attacks</source>
    </item>
    <item>
      <title><![CDATA[TOP 10 - Hacks, more hacks, Ballmer on Yahoo, OLPC woes]]></title>
      <link>http://securityratty.com/article/fa194bd170d59f131c008ae495fdc8fd</link>
      <guid>http://securityratty.com/article/fa194bd170d59f131c008ae495fdc8fd</guid>
      <description><![CDATA[Those nasty JavaScript attacks that besieged thousands of Web sites from January until March started back up again this week, with the hackers setting up shop at a Chinese IP address. Meanwhile,...]]></description>
      <content:encoded><![CDATA[Those nasty JavaScript attacks that besieged thousands of Web sites from January until March started back up again this week, with the hackers setting up shop at a Chinese IP address. Meanwhile, security officials in China expressed worries that computer systems there will be hacked during the Olympics in August, even as hackers went after the CNN site and defaced a sports page with a message that Tibet is part of China, now and forever. Elsewhere, Steve Ballmer said Microsoft is prepared to carry on even if it does not succeed in buying Yahoo, OLPC head Nicholas Negroponte vexed open-source developers with his push to make the XO laptop interface Windows-compatible and a federal court said it's OK for customs agents to spark up our laptops and look over the contents, just because they can.]]></content:encoded>
      <pubDate>Thu, 24 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nasty javascript attacks">nasty javascript attacks</category>
      <category domain="http://securityratty.com/tag/cnn site">cnn site</category>
      <category domain="http://securityratty.com/tag/sports page">sports page</category>
      <category domain="http://securityratty.com/tag/yahoo">yahoo</category>
      <category domain="http://securityratty.com/tag/steve ballmer">steve ballmer</category>
      <category domain="http://securityratty.com/tag/security officials">security officials</category>
      <category domain="http://securityratty.com/tag/customs agents">customs agents</category>
      <category domain="http://securityratty.com/tag/laptop interface">laptop interface</category>
      <category domain="http://securityratty.com/tag/computer systems">computer systems</category>
      <source url="http://www.networkworld.com/news/2008/042508-top-10-hacks-more-hacks.html?fsrc=rss-security">TOP 10 - Hacks, more hacks, Ballmer on Yahoo, OLPC woes</source>
    </item>
    <item>
      <title><![CDATA[China worries hackers will strike during Beijing Olympics]]></title>
      <link>http://securityratty.com/article/0c8c5ff464604ac87dbd392e76308d89</link>
      <guid>http://securityratty.com/article/0c8c5ff464604ac87dbd392e76308d89</guid>
      <description><![CDATA[While CNN recently faced distributed denial-of-service attacks from Chinese hackers angry about the television network's coverage of a recent Chinese crackdown in Tibet, Chinese security officials...]]></description>
      <content:encoded><![CDATA[While CNN recently faced distributed denial-of-service attacks from Chinese hackers angry about the television network's coverage of a recent Chinese crackdown in Tibet, Chinese security officials remain worried hackers will strike while the Olympic Games are being held in Beijing.]]></content:encoded>
      <pubDate>Wed, 23 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hackers">hackers</category>
      <category domain="http://securityratty.com/tag/chinese hackers angry">chinese hackers angry</category>
      <category domain="http://securityratty.com/tag/recent chinese crackdown">recent chinese crackdown</category>
      <category domain="http://securityratty.com/tag/cnn recently faced">cnn recently faced</category>
      <category domain="http://securityratty.com/tag/television network">television network</category>
      <category domain="http://securityratty.com/tag/strike">strike</category>
      <category domain="http://securityratty.com/tag/olympic games">olympic games</category>
      <category domain="http://securityratty.com/tag/coverage">coverage</category>
      <category domain="http://securityratty.com/tag/attacks">attacks</category>
      <source url="http://www.networkworld.com/news/2008/042408-china-worries-hackers-will-strike.html?fsrc=rss-security">China worries hackers will strike during Beijing Olympics</source>
    </item>
    <item>
      <title><![CDATA[Chinese Hacktivists Waging People's Information Warfare Against CNN]]></title>
      <link>http://securityratty.com/article/05c9fa38479affa4d154230adf02a08e</link>
      <guid>http://securityratty.com/article/05c9fa38479affa4d154230adf02a08e</guid>
      <description><![CDATA[Empowering and coordinating script kiddies by releasing DIY DDoS tools (backdoored as well) during the DDoS attacks against Estonia for instance, is exactly what is happening in the time of blogging...]]></description>
      <content:encoded><![CDATA[<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_wICHhTiQmrA/SA0mJdDpixI/AAAAAAAABmQ/Urb3lYBmDhU/s1600-h/hackcnn.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_wICHhTiQmrA/SA0mJdDpixI/AAAAAAAABmQ/Urb3lYBmDhU/s200/hackcnn.jpg" alt="" id="BLOGGER_PHOTO_ID_5191847889288661778" border="0" /></a>Empowering and coordinating script kiddies by <a href="http://ddanchev.blogspot.com/2007/10/empowering-script-kiddies.html">releasing DIY DDoS tools (backdoored as well)</a>, as during the <a href="http://ddanchev.blogspot.com/2007/08/your-point-of-view-requested.html">DDoS attacks against Estonia</a> for instance, is exactly what is happening at the time of blogging, with massive forum and IM coordination between Chinese netizens enticed to install a piece of malware pre-configured to flood CNN.com. Both of these coordinated incidents illustrate well what <a href="http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html">people's information warfare, and the malicious culture of participation</a> is all about. The PSYOPS <span style="font-weight: bold;">anti-cnn.com</span> initiative is maturing into a central coordination point for recruiting DDoS participants on a nationalism level. 
Some info on <span style="font-weight: bold;">hackcnn.com</span>, the malware, internal commentary on behalf of the hacktivists, and who's behind it :<br /><br /><span style="font-weight: bold;">hackcnn.com</span> (58.49.59.253)<br />58.48.0.0-58.55.255.255 CHINANET-HB CHINANET Hubei province network China Telecom A12<br />Xin-Jie-Kou-Wai Street Beijing 100088,<br />China, Beijing 100000<br />tel:  101 1010000<br />fax:  101 1010000<br />china@hackcnn.com<br /><br />Upon execution of the tool, 18 TCP Connection Attempts to cnn.com (<span style="font-weight: bold;">64.236.91.24:80</span>) start, trying to access the following file at CNN.com :<br /><br />- Request: <span style="font-weight: bold;">GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp</span><br />Response: 400 "Bad Request"<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_wICHhTiQmrA/SA0pB9DpiyI/AAAAAAAABmY/2oFEElHWyFs/s1600-h/hackcnn_tool.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_wICHhTiQmrA/SA0pB9DpiyI/AAAAAAAABmY/2oFEElHWyFs/s200/hackcnn_tool.jpg" alt="" id="BLOGGER_PHOTO_ID_5191851058974526242" border="0" /></a>antiCnn.exe<br />Scanner results : 3% Scanner(1/36) found malware!<br />TROJAN.DOWNLOADER.GEN<br />File size: 174592 bytes<br />MD5...: c03abd4d871cd83fe00df38536f26422<br />SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691<br />Released by : Red Flag Cyber Operations nixrumor@gmail.com<br /><br />From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to take care of Apache's /server status, and therefore we're easily able<br />to obtain such juicy inside information about hackcnn.com such as :<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wICHhTiQmrA/SA0p_tDpizI/AAAAAAAABmg/8oIPp-wM404/s1600-h/sports_cnn_ddosed.jpg"><img 
style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_wICHhTiQmrA/SA0p_tDpizI/AAAAAAAABmg/8oIPp-wM404/s200/sports_cnn_ddosed.jpg" alt="" id="BLOGGER_PHOTO_ID_5191852119831448370" border="0" /></a>Current Time: Tuesday, 22-Apr-2008 07:00:56<br />Restart Time: Monday, 21-Apr-2008 15:25:39<br />Parent Server Generation: 0<br />Server uptime: 15 hours 35 minutes 17 seconds<br />Total accesses: 291670 - Total Traffic: 533.8 MB<br />5.2 requests/sec - 9.7 kB/second - 1918 B/request<br />4 requests currently being processed, 246 idle workers<br /><br />Internal commentary excerpts regarding the motivation and their updates on the first DDoS round :<br /><br />"<span style="font-style: italic;">Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site.</span>"<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_wICHhTiQmrA/SA0t6dDpi0I/AAAAAAAABmo/oNfnCtMt6ns/s1600-h/sports_cnn_defaced_1.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_wICHhTiQmrA/SA0t6dDpi0I/AAAAAAAABmo/oNfnCtMt6ns/s200/sports_cnn_defaced_1.jpg" alt="" id="BLOGGER_PHOTO_ID_5191856427683646274" border="0" /></a>"<span style="font-style: italic;">User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN.</span>  <span style="font-style: italic;">Yesterday's attack was th</span><span style="font-style: italic;">e website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. 
Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. "</span>  <span style="font-style: italic;">A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN.</span>"<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wICHhTiQmrA/SA0uEtDpi1I/AAAAAAAABmw/eBx0cveCP5A/s1600-h/sports_cnn_defaced_2.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_wICHhTiQmrA/SA0uEtDpi1I/AAAAAAAABmw/eBx0cveCP5A/s200/sports_cnn_defaced_2.jpg" alt="" id="BLOGGER_PHOTO_ID_5191856603777305426" border="0" /></a>DDoS-ing is one thing, defacing is entirely another, try <a href="http://209.85.135.104/search?q=cache:bP4fl_vKGtwJ:sports.si.cnn.com/test.htm+%22fuck+cnn%22&amp;hl=en&amp;ct=clnk&amp;cd=8"><span style="color:black;"><span style="color:blue;">sports.si.cnn.com/test.htm</span></span></a> which was last defaced yesterday spreading "<span style="font-style: italic;">We are not against the western media, but against the lies and fabricated stories in the media</span>", "<span style="font-style: italic;">We are not against the western people, but against the prejudice from the western society.!</span>" messages.<br 
/><br />According to forum postings however, now that they've sent a signal, the attitude is shifting from attacking CNN to Western media in general. Thankfully, just like the case with <a href="http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html">the Electronic Jihad program</a>, they did not put much effort into extending the tool's lifecycle by introducing a way to automatically update it with new targets. In fact, in <a href="http://ddanchev.blogspot.com/2007/08/cyber-jihadist-dos-tool.html">the Electronic Jihad case</a>, the hardcoded update locations were all down prior to the tool's release, making it a bit more effort-consuming to finally <a href="http://ddanchev.blogspot.com/2007/11/electronic-jihads-targets-list.html">obtain the targets list</a>.]]></content:encoded>
      <pubDate>Mon, 21 Apr 2008 22:25:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cnn">cnn</category>
      <category domain="http://securityratty.com/tag/cnn sub-station">cnn sub-station</category>
      <category domain="http://securityratty.com/tag/flood cnn">flood cnn</category>
      <category domain="http://securityratty.com/tag/sports web site">sports web site</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <category domain="http://securityratty.com/tag/psyops anti-cnn">psyops anti-cnn</category>
      <category domain="http://securityratty.com/tag/contact address sports">contact address sports</category>
      <category domain="http://securityratty.com/tag/contact">contact</category>
      <category domain="http://securityratty.com/tag/sports">sports</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/275221877/chinese-hacktivists-waging-peoples.html">Chinese Hacktivists Waging People's Information Warfare Against CNN</source>
    </item>
    <item>
      <title><![CDATA[China's CERT Annual Security Report - 2007]]></title>
      <link>http://securityratty.com/article/8eec1b2624eb89fa1310133e71a9abdb</link>
      <guid>http://securityratty.com/article/8eec1b2624eb89fa1310133e71a9abdb</guid>
      <description><![CDATA[Every coin has two sides, and while China has long embraced unrestricted warfare and people's information warfare for conducting cyber espionage, China's networked infrastructure is also under attack,...]]></description>
      <content:encoded><![CDATA[<a href="http://bp3.blogger.com/_wICHhTiQmrA/SAvJARnVfPI/AAAAAAAABlQ/7XmltP8sxhc/s1600-h/CN_CERT_2007.jpg"><img id="BLOGGER_PHOTO_ID_5191464002040200434" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp3.blogger.com/_wICHhTiQmrA/SAvJARnVfPI/AAAAAAAABlQ/7XmltP8sxhc/s200/CN_CERT_2007.jpg" border="0" /></a>Every coin has two sides, and while China has long embraced <a href="http://ddanchev.blogspot.com/2007/12/combating-unrestricted-warfare.html">unrestricted warfare</a> and <a href="http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html">people's information warfare</a> for conducting cyber espionage, China's networked infrastructure is also under attack, and is logically used as a stepping stone to hit other countries' infrastructures, thereby contributing to the possibility of engineering cyber warfare tensions.<br /><br /><div></div>A week ago, <a href="http://www.cert.org.cn/UserFiles/File/CNCERTCC2007AnnualReport_Chinese.pdf">China's CERT released their annual security report</a> (in Chinese for the time being), outlining the local threatscape with data indicating the increasing efficiency applied by Turkish web site defacement groups, alongside the logical increases in spam/phishing and malware-related incidents. Here's an excerpt from the report:<br /><br /><div>"<em>According CNCERT / CC monitoring found that in 2007 China's mainland are implanted into the host Trojans alarming increase in the number of IP is 22 times last year, the Trojans have become the largest Internet hazards. 
Underground black mature industrial chain for the production and the large number of Trojans wide dissemination provides a very convenient conditions, Trojan horses on the Internet led to the proliferation of a lot of personal information and the privacy of data theft, to the personal reputation and cause serious economic losses; In addition, the Trojans also increasingly being used to steal state secrets and secrets of the state and enterprises incalculable losses, the Chinese mainland are implanted into the Trojan Horse computer controlled source, the majority in China's Taiwan region, the phenomenon has been brought to the agency's attention. <strong>Zombie network is still the basic network attacks platform means and resources. 2007 CNCERT / CC sampling found to be infected with a zombie monitoring procedures inside and outside the mainframe amounted to 6.23 million, of which China's mainland has 3.62 million IP addresses were implanted zombie mainframe procedures, and more than 10,000 outside the control server to China Host mainland control.</strong> Zombie networks primarily be used launch denial of service (DdoS) attacks, send spam, spread malicious code, as well as theft of the infected host of sensitive information, issued by the zombie network flow, distributed DDOS attack is recognized in the world problems not only seriously affect the operation of the Internet business, but also a serious threat to China's Internet infrastructure in the safe operation. 2007 China's Internet domain name registration and the use of quantitative rapid growth, reaching 11.93 million, an annual growth rate of 190.4 percent, while hackers use of domain names has become a major tool. Use of domain names, the attackers could be flexible, hidden website linked to the implementation of large-scale horse zombie network control, network malicious activities such as counterfeiting. 
Fast-Flux domain names, such as dynamic analysis technologies, resulting in accordance with the IP to the attacks more difficult to trace and block; 2007 domain names which has been in use analytical services for the existence of security flaws, the public domain analysis of the server domain hijacking security incidents, a large number of users without knowing the circumstances of their fishing lure to the site or sites containing malicious code, such incidents very great danger. Therefore, the strengthening of the management of domain names and domain names analytic system's security protection is very important.</em>"</div><br />6.23 million botnet participating hosts according to their stats, where 3.62 million are Chinese IPs is a great example of how the Chinese Internet infrastructure's getting heavily abused by experienced malware and botnet masters, primarily taking advantage of what's old school social engineering, and outdated malware infection techniques, which undoubtedly will work given China's immature and inexperienced from a security perspective emerging Internet generation.<br /><div><br /></div><div><a href="http://bp1.blogger.com/_wICHhTiQmrA/SAvYUxnVfQI/AAAAAAAABlY/ZVoI70yVk68/s1600-h/chinese_defacer_nationalism.jpg"><img id="BLOGGER_PHOTO_ID_5191480846901935362" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp1.blogger.com/_wICHhTiQmrA/SAvYUxnVfQI/AAAAAAAABlY/ZVoI70yVk68/s200/chinese_defacer_nationalism.jpg" border="0" /></a>Getting back to the globalization and efficiency of Turkish web site defacement groups' worldwide web application security audit, indicated in the report, according to China's CERT these are the top 10 defacers, where 7 are well known Turkish ones, and 3 are interestingly Chinese :</div><br />sinaritx - 1731 defacements<br /><div>1923turk - 1417 defacements</div>the freedom - 1156 defacements<br /><div>aLpTurkTegin - 1052 defacements</div>Mor0Ccan Islam Defenders Team - 864 defacements<br 
/><div>iskorpitx - 761 defacements</div>lucifercihan - 525 defacements<br /><br /><div></div>It's also interesting to see pro-democratic Chinese hackers attacking homeland networks.<br /><p><a href="http://bp2.blogger.com/_wICHhTiQmrA/SAvigBnVfRI/AAAAAAAABlg/Gt4kn7d3LN8/s1600-h/anti_cnn_dot_com.jpg"><img id="BLOGGER_PHOTO_ID_5191492035291741458" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp2.blogger.com/_wICHhTiQmrA/SAvigBnVfRI/AAAAAAAABlg/Gt4kn7d3LN8/s200/anti_cnn_dot_com.jpg" border="0" /></a>Cyber warfare tensions engineering is only starting to take place, and state sponsored or perhaps even tolerated cyber espionage building capabilities in order for the state to later on acquire the already developed resources and capabilities in a cost-effective manner. However, <a href="http://bbs.gliet.edu.cn/bbs/index.php?s=40e077245937853cd6075b3d1cf365f2&amp;showtopic=157692&amp;st=0%EF%BF%BDentry2321659">considering</a> the <a href="http://www.upi.com/International_Security/Emerging_Threats/Analysis/2008/03/24/analysis_cyberattacks_on_tibet_groups/9260/print_view/">recent cyber attacks against "Free Tibet" movements</a>, as well as the <a href="http://asert.arbornetworks.com/2008/04/impending-cnncom-ddos/">DDoS attack attempts at CNN</a> due to <a href="http://www.thedarkvisitor.com/2008/04/breaking-upcoming-chinese-hacker-attack-on-cnn-building-steam/">CNN's coverage of Tibet</a>, Chinese cyber warriors continue demonstrating people's information warfare, and <a href="http://ddanchev.blogspot.com/2006/09/internet-psyops-psychological.html">Internet PSYOPs</a> by developing an <strong>anti-cnn.com</strong> (121.52.208.243) community, with some catchy altered images from the originals broadcasted worldwide, and with a special section to improve China's image across the world.</p>And logically, there's a <a href="http://ddanchev.blogspot.com/2006/09/internet-psyops-psychological.html">PSYOPs centered malware</a> released in the wild, a sample of 
which is basically embedding links to a non-existent domain, descriptive enough to point to <strong>TibetIsAPartOFChina.com</strong>:<br /><br /><p>%\CommonDocuments%\My Music\My Playlists\WWW.cgjSFGrz_TibetIsAPartOFChina.COM<br /></p><p>%CommonDocuments%\My Music\WWW.bimStzno_TibetIsAPartOFChina.COM<br /></p><p>%CommonDocuments%\My Videos\WWW.kUJs_TibetIsAPartOFChina.COM<br /></p><p>%CommonPrograms%\Accessories\Accessibility\WWW.RSulr_TibetIsAPartOFChina.COM<br /></p><p>%CommonPrograms%\Accessories\System Tools\WWW.aEGXBl_TibetIsAPartOFChina.COM</p>Now that's effective digital PSYOPs, isn't it? If you're visionary enough to tolerate the development of underground communities, while ensuring that nationalism remains a priority in everything they do, you end up with a powerful cyber army whose every action perfectly fits your political and military doctrine, without you even bothering to coordinate their efforts, thereby eliminating the need for a command and control structure.<br /><p>Related posts:</p><a href="http://ddanchev.blogspot.com/2007/09/chinas-cyber-espionage-ambitions.html">China's Cyber Espionage Ambitions</a><br /><a href="http://ddanchev.blogspot.com/2006/09/chinese-hackers-attacking-us.html">Chinese Hackers Attacking U.S Department of Defense Networks</a><br /><a href="http://ddanchev.blogspot.com/2007/12/inside-chinese-underground-economy.html">Inside the Chinese Underground Economy</a><br /><a href="http://ddanchev.blogspot.com/2007/10/chinas-cyber-warriors-video.html">China's Cyber Warriors - Video</a>]]></content:encoded>
      <pubDate>Sun, 20 Apr 2008 22:34:07 +0000</pubDate>
      <category domain="http://securityratty.com/tag/china">china</category>
      <category domain="http://securityratty.com/tag/internet infrastructure">internet infrastructure</category>
      <category domain="http://securityratty.com/tag/chinese internet infrastructure">chinese internet infrastructure</category>
      <category domain="http://securityratty.com/tag/chinese">chinese</category>
      <category domain="http://securityratty.com/tag/zombie network flow">zombie network flow</category>
      <category domain="http://securityratty.com/tag/zombie network">zombie network</category>
      <category domain="http://securityratty.com/tag/interestingly chinese">interestingly chinese</category>
      <category domain="http://securityratty.com/tag/infrastructure">infrastructure</category>
      <category domain="http://securityratty.com/tag/chinese underground economy">chinese underground economy</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/274516906/chinas-cert-annual-security-report-2007.html">China's CERT Annual Security Report - 2007</source>
    </item>
    <item>
      <title><![CDATA[Chinese hackers poised for anti-CNN attack over the weekend]]></title>
      <link>http://securityratty.com/article/37619b9405190cf53d594938afd84f10</link>
      <guid>http://securityratty.com/article/37619b9405190cf53d594938afd84f10</guid>
      <description><![CDATA[An announced denial-of-service attack against CNN is allegedly planned by Chinese hackers incensed over world scrutiny of the crackdown in...]]></description>
      <content:encoded><![CDATA[An announced denial-of-service attack against CNN is allegedly planned by Chinese hackers incensed over world scrutiny of the crackdown in Tibet.
<p><a href="http://feeds.computerworld.com/~a/Computerworld/Security/News?a=TwFD9u"><img src="http://feeds.computerworld.com/~a/Computerworld/Security/News?i=TwFD9u" border="0"></img></a></p><img src="http://feeds.computerworld.com/~r/Computerworld/Security/News/~4/272745694" height="1" width="1"/>]]></content:encoded>
      <pubDate>Fri, 18 Apr 2008 07:21:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chinese hackers">chinese hackers</category>
      <category domain="http://securityratty.com/tag/world scrutiny">world scrutiny</category>
      <category domain="http://securityratty.com/tag/attack">attack</category>
      <category domain="http://securityratty.com/tag/cnn">cnn</category>
      <category domain="http://securityratty.com/tag/crackdown">crackdown</category>
      <category domain="http://securityratty.com/tag/tibet">tibet</category>
      <category domain="http://securityratty.com/tag/allegedly">allegedly</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/272745694/article.do">Chinese hackers poised for anti-CNN attack over the weekend</source>
    </item>
    <item>
      <title><![CDATA[Chinese hackers poised for anti CNN attack on April 19]]></title>
      <link>http://securityratty.com/article/c38a7854df70b7c9a0d083c76159dc94</link>
      <guid>http://securityratty.com/article/c38a7854df70b7c9a0d083c76159dc94</guid>
      <description><![CDATA[Chinese hackers appear to be readying for an attack on the West scheduled for April 19. The attack appears to be based on the recent, and very public, pro-Tibet coverage in Western media...]]></description>
      <content:encoded><![CDATA[Chinese hackers appear to be readying for an attack on the West scheduled for April 19. The attack appears to be based on the recent, and very public, pro-Tibet coverage in Western media organizations.]]></content:encoded>
      <pubDate>Thu, 17 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/attack">attack</category>
      <category domain="http://securityratty.com/tag/chinese hackers">chinese hackers</category>
      <category domain="http://securityratty.com/tag/western media organizations">western media organizations</category>
      <category domain="http://securityratty.com/tag/pro-tibet coverage">pro-tibet coverage</category>
      <category domain="http://securityratty.com/tag/april">april</category>
      <category domain="http://securityratty.com/tag/west">west</category>
      <category domain="http://securityratty.com/tag/appears">appears</category>
      <category domain="http://securityratty.com/tag/basis">basis</category>
      <category domain="http://securityratty.com/tag/public">public</category>
      <source url="http://www.networkworld.com/news/2008/041808-chinese-hackers-poised-for-anti.html?fsrc=rss-security">Chinese hackers poised for anti CNN attack on April 19</source>
    </item>
    <item>
      <title><![CDATA[Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches]]></title>
      <link>http://securityratty.com/article/d4ffdd72706781e9653d1f7e0f536a05</link>
      <guid>http://securityratty.com/article/d4ffdd72706781e9653d1f7e0f536a05</guid>
      <description><![CDATA[A previously unexplained spike in security patches issued for Microsoft Office in 2006 and 2007 was spurred by sophisticated hack attacks against pro-Tibet organizations and U.S. defense contractors,...]]></description>
      <content:encoded><![CDATA[A previously unexplained spike in security patches issued for Microsoft Office in 2006 and 2007 was spurred by sophisticated hack attacks against pro-Tibet organizations and U.S. defense contractors, an insider claims.<br style="clear: both;"/>
      <a href="http://www.pheedo.com/click.phdo?s=bbe5c86f920984015cdd5c836df6080c"><img alt="" style="border: 0;" border="0" src="http://www.pheedo.com/img.phdo?s=bbe5c86f920984015cdd5c836df6080c"/></a>
  <img src="http://www.pheedo.com/feeds/tracker.php?i=bbe5c86f920984015cdd5c836df6080c" style="display: none;" border="0" height="1" width="1" alt=""/><div class="feedflare">
<a href="http://feeds.feedburner.com/~f/wired/politics/privacy?a=szPDbHG"><img src="http://feeds.feedburner.com/~f/wired/politics/privacy?i=szPDbHG" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/wired/politics/privacy?a=jJZ9Bdg"><img src="http://feeds.feedburner.com/~f/wired/politics/privacy?i=jJZ9Bdg" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/wired/politics/privacy?a=HlNVz6g"><img src="http://feeds.feedburner.com/~f/wired/politics/privacy?i=HlNVz6g" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/wired/politics/privacy?a=cKdn5fG"><img src="http://feeds.feedburner.com/~f/wired/politics/privacy?i=cKdn5fG" border="0"></img></a>
 <a href="http://feeds.wired.com/~f/wired/politics/security?a=KLjS1XG"><img src="http://feeds.wired.com/~f/wired/politics/security?i=KLjS1XG" border="0"></img></a> <a href="http://feeds.wired.com/~f/wired/politics/security?a=LXGc8Ig"><img src="http://feeds.wired.com/~f/wired/politics/security?i=LXGc8Ig" border="0"></img></a> <a href="http://feeds.wired.com/~f/wired/politics/security?a=3UUWEBg"><img src="http://feeds.wired.com/~f/wired/politics/security?i=3UUWEBg" border="0"></img></a> <a href="http://feeds.wired.com/~f/wired/politics/security?a=Gm3t5mG"><img src="http://feeds.wired.com/~f/wired/politics/security?i=Gm3t5mG" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/wired/politics/privacy/~4/268036266" height="1" width="1"/><img src="http://feeds.wired.com/~r/wired/politics/security/~4/268036269" height="1" width="1"/>]]></content:encoded>
      <pubDate>Thu, 10 Apr 2008 18:40:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/insider claims">insider claims</category>
      <category domain="http://securityratty.com/tag/pro-tibet organizations">pro-tibet organizations</category>
      <category domain="http://securityratty.com/tag/microsoft office">microsoft office</category>
      <category domain="http://securityratty.com/tag/security patches">security patches</category>
      <category domain="http://securityratty.com/tag/defense contractors">defense contractors</category>
      <category domain="http://securityratty.com/tag/hack attacks">hack attacks</category>
      <category domain="http://securityratty.com/tag/previously">previously</category>
      <category domain="http://securityratty.com/tag/spike">spike</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/268036269/chinese_hackers">Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches</source>
    </item>
    <item>
      <title><![CDATA[Malware Targeted Against Pro-Tibet Groups]]></title>
      <link>http://securityratty.com/article/cf3ed990fd8e5534ca365b125dbf81d5</link>
      <guid>http://securityratty.com/article/cf3ed990fd8e5534ca365b125dbf81d5</guid>
      <description><![CDATA[My guess is that it's the Chinese...]]></description>
      <content:encoded><![CDATA[<p>My guess is <a href="http://www.f-secure.com/weblog/archives/00001406.html">that it's</a> the Chinese government.</p>]]></content:encoded>
      <pubDate>Thu, 27 Mar 2008 03:04:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chinese government">chinese government</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/malware_targete.html">Malware Targeted Against Pro-Tibet Groups</source>
    </item>
    <item>
      <title><![CDATA[Google News, YouTube blocked in China amid Tibet riots]]></title>
      <link>http://securityratty.com/article/bbf4f0c9aa6c1392f11f9c48ea2d7978</link>
      <guid>http://securityratty.com/article/bbf4f0c9aa6c1392f11f9c48ea2d7978</guid>
      <description><![CDATA[Chinese authorities have blocked Google News and YouTube in China amid protests in...]]></description>
      <content:encoded><![CDATA[Chinese authorities have blocked Google News and YouTube in China amid protests in Tibet.
<p><a href="http://feeds.computerworld.com/~a/Computerworld/Security/News?a=3LZgoD"><img src="http://feeds.computerworld.com/~a/Computerworld/Security/News?i=3LZgoD" border="0"></img></a></p><img src="http://feeds.computerworld.com/~r/Computerworld/Security/News/~4/253066492" height="1" width="1"/>]]></content:encoded>
      <pubDate>Mon, 17 Mar 2008 10:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/google news">google news</category>
      <category domain="http://securityratty.com/tag/china amid protests">china amid protests</category>
      <category domain="http://securityratty.com/tag/youtube">youtube</category>
      <category domain="http://securityratty.com/tag/tibet">tibet</category>
      <category domain="http://securityratty.com/tag/chinese authorities">chinese authorities</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/253066492/article.do">Google News, YouTube blocked in China amid Tibet riots</source>
    </item>
  </channel>
</rss>
