Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Rising Squid Populations off the Coast of Rhode Island |
| Daniel Solove on the New FISA Law »
July 14, 2008
Chinese Cyber Attacks
The popular media conception is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government corporate -- and steal secrets. The truth is a lot more complicated.
There certainly is a lot of hacking coming out of China. Any company that does security monitoring sees it all the time.
These hacker groups seem not to be working for the Chinese government. They don't seem to be coordinated by the Chinese military. They're basically young, male, patriotic Chinese citizens, trying to demonstrate that they're just as good as everyone else. As well as the American networks the media likes to talk about, their targets also include pro-Tibet, pro-Taiwan, Falun Gong and pro-Uyghur sites.
The hackers are in this for two reasons: fame and glory, and an attempt to make a living. The fame and glory comes from their nationalistic goals. Some of these hackers are heroes in China. They're upholding the country's honor against both anti-Chinese forces like the pro-Tibet movement and larger forces like the United States.
And the money comes from several sources. The groups sell owned computers, malware services, and data they steal on the black market. They sell hacker tools and videos to others wanting to play. They even sell T-shirts, hats and other merchandise on their Web sites.
This is not to say that the Chinese military ignores the hacker groups within their country. Certainly the Chinese government knows the leaders of the hacker movement and chooses to look the other way. They probably buy stolen intelligence from these hackers. They probably recruit for their own organizations from this self-selecting pool of experienced hacking experts. They certainly learn from the hackers.
And some of the hackers are good. Over the years, they have become more sophisticated in both tools and techniques. They're stealthy. They do good network reconnaissance. My guess is what the Pentagon thinks is the problem is only a small percentage of the actual problem.
And they discover their own vulnerabilities. Earlier this year, one security company noticed a unique attack against a pro-Tibet organization. That same attack was also used two weeks earlier against a large multinational defense contractor.
They also hoard vulnerabilities. During the 1999 conflict over the two-states theory conflict, in a heated exchange with a group of Taiwanese hackers, one Chinese group threatened to unleash multiple stockpiled worms at once. There was no reason to disbelieve this threat.
If anything, the fact that these groups aren't being run by the Chinese government makes the problem worse. Without central political coordination, they're likely to take more risks, do more stupid things and generally ignore the political fallout of their actions.
In this regard, they're more like a non-state actor.
So while I'm perfectly happy that the U.S. government is using the threat of Chinese hacking as an impetus to get their own cybersecurity in order, and I hope they succeed, I also hope that the U.S. government recognizes that these groups are not acting under the direction of the Chinese military and doesn't treat their actions as officially approved by the Chinese government.
This essay originally appeared on the Discovery Channel website.
EDITED TO ADD (7/18): A slightly longer version of this essay appeared in Information Security magazine as part of a point/counterpoint with Marcus Ranum. His half is here.
Posted on July 14, 2008 at 7:08 AM
• 34 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
And our government does the exact same thing. This is the perfect way for a government to absolve itself of any responsibility for the hacker's actions. Most of the time they don't even have to pay the hackers - just stroke their egos.
The recent call for hacker attacks on the cult of Scientology was completely the Bush administration's idea. Given a green light, the hackers reacted instantly and did not much think or care about why their activities were being greenlighted.
Unlike the fully tolerated right-wing Unification Church cult, which has pumped millions of dollars into GOP campaign coffers, the Scientologists were about to release a movie (Tom Cruise starring and directing) called "Operation Valkyrie" this June which told the story of the single known assassination attempt on Adolf Hitler. As one might imagine this is a touchy subject when it comes to the Bush administration.
The movie was slated for release last month, but due to financial pressure brought to bear by the hacker attacks, that did not happen. And when it was publicly announced that the movie release was going to be delayed six months (conveniently when Bush is out of office), the call for attacks mysteriously ceased.
There are two issues here, that are frequently conflated, but which are worth separating: hacker (sorry) crime, and hacker espionage.
This article seems to be mostly concerned with crime -- website vandalism, vxism, botnet recruitment and tasking, phishing, ddos blackmail, etc. Certainly China is a big part of the problem here. In the long term, however, as China accumulates more wealth, the number of Chinese victims of this sort of crime is likely to rise, giving the PRC government an incentive to crack down and collaborate with other governments to suppress this new mob.
Insofar as hacker-espionage is concerned, there is not a doubt in my mind that the PRC government has an active program, and in the past few years we have certainly seen a few attacks that seemed to have their fingerprints on them.
But this is what governments do to each other. It's not evil, it's just life. Obviously we should be doing more to protect sensitive systems and information against state espionage over the net. But let's not get all foamy about Chinese Internet espionage. Last I checked, the NSA, the U.S. agency in charge of communications espionage, has a budget somewhere north of $6.0E+09. Does anyone really doubt that some of that money goes into playing these sorts of games against our own adversaries/competitors?
"the Scientologists were about to release a movie (Tom Cruise starring and directing) called 'Operation Valkyrie' this June which told the story of the single known assassination attempt on Adolf Hitler. As one might imagine this is a touchy subject when it comes to the Bush administration."
Okay, I really don't see how the aforementioned assassination attempt on Adolf Hitler is a 'touchy subject' of the Bush Administration. Nor do I see why it would interest the 'church' of Scientology enough to pump millions into a movie production of the 'July 20' attempt. Please, humor me.
Tom Cruise's movie is just a remake of a German film. It isn't going to break any news or threaten anyone. The story it tells is well-known, and not at all "touchy". And if it were a Scientology production, rather than just a Tom Cruise production, the German government (which considers Scientology a dangerous cult) never would have cooperated with the filmmakers.
Can you cite public sources which back the claims you make in this piece?
Thank you for providing me a laugh for the day.
How naive, Bruce....
Do you really think that targeted "spearphishing" / hacking is done by bored kids looking for fame and glory? Sure, there might be some of that, but those days largely ended in the 90's.
Q: Since Lenovo is building computers, and nobody is overseeing what is on their chips, what problem would there be for them to hack the US Government systems if Lenovo is the US Government's contract computer supplier?
A: None, and nobody would be the wiser until it was too late.
That question is about as alarming as them hacking us, which is not really that alarming at all...
As I am working on a paper on the topic, here is my bibliography for those wishing to further explore the question of Chinese hacking:
Demitri Sevastopulo, Financial Times, ‘Chinese hacked into Pentagon’, http://preview.tinyurl.com/2etwsq
Andrew Leonard, Salon, ‘U.S. Military routinely hacks into Chinese networks,’ http://preview.tinyurl.com/246f9q
Joshua Holland, AlterNet, ‘China Surpasses U.S. in Technological Prowess,’ http://preview.tinyurl.com/3wcbqw
Natalie Pace, Forbes, ‘China Surpasses U.S. in Internet Use,’ http://preview.tinyurl.com/52g3ec
S. Fidler, M. Palmer, Financial Times, ‘MI5 warns banks of Chinese hackers,’ http://preview.tinyurl.com/5w867q
Ellen Messmer, Network World, ‘Encryption restrictions,’ http://preview.tinyurl.com/5br342
Epoch Times, ‘Defecting Chinese agent tells of spy network in Canada,’ http://preview.tinyurl.com/5b5mx9
Andrei Chang, United Press International, ‘Chinese spies in the West,’ http://preview.tinyurl.com/6fqo76
W. Reid Witliff, Graves, Dougherty, Hearon & Moody, ‘Computer Hacking and Liability Issues,’ http://tinyurl.com/69kyxg
Open Net Initiative, ‘Internet Filtering in China in 2004-2005: A Country Study,’ http://opennet.net/studies/china
Wow, and here, we thought the powers of FUD held little sway.
Thanks Mr. Scientologist for sharing your conspiracy theories. Xenu (or is it Zemu) would be proud.
And thanks, JDW. BTW, please tell us how come non-US companies should accept US-designed CPUs in all of their computers? Are you going to be able to prove that the NSA hasn't installed a backdoor into every Intel and AMD chip at its very design?
Letters from a Chinese Official: Being an Eastern View of Western Civilization
"And as we are not led to interfere with you by the desire to convert you, so are we not driven to do so by the necessities of trade. Economically,
as well as politically, we are sufficient to ourselves. What we consume we produce, and what we produce we consume. We do not require,
and we have not sought, the products of
other nations; and we hold it no less imprudent than unjust to make war on strangers in order to open their markets. A society, we conceive, that is to be politically stable must be economically independent; and we regard an extensive foreign trade as necessarily a source of social demoralization."
Written originally for the English, they touch upon specifically English institutions. Original from Harvard University
Extensive foreign trade has expanded and look at the morals today. War, market turmoil and all the rest of it.
"Not even computers will replace committees, because committees buy computers." Shepherd Mead, 1964
If you point your finger on any of the governments of the largest countries in the world, I would guess you also find some who use information or other gained from hacker groups, one way or another. China is not a special case, US, Russia, India, UK, all of these use hackers to gain support, power or intelligence.
Many times a worm attack, ddos or similar have come just in time to prompt through support for some new legislation that have the goal to reduce our freedom on the internet, or put the media on red alert so that some bloke in the administration can look good by fending off a threat or something.
And you hit the nail on the head why Lenovo laptops are not allowed on any DoD networks (at least any of the ones I work on).
My impression is that pro-Tibet organizations are not anti-China. More that they want China to withdraw from Tibet and permit self determination by the Tibetans. In contrast, the Chinese government seems to focus on demonizing Tibetans who oppose the Beijing government and the Buddhist clergy of Tibet.
Thanks for the thoughtful, insightful piece.
I'm sorry, Bruce, but how do you know any of this?
Obviously a nation as large as China is going to have independent, skilled hacker groups unaffiliated with the government. It simply does not follow from that observation that there is no Chinese government-sponsored hacking operation.
I don't trust everything my government tells me, but I don't trust everything you tell me, either, especially when your support is thin and the government's support is not.
trenchant has a good point. I personally consider Bruce my hero, but as a Marine who works in computer network defense, I have been exposed to a lot that would lead me to believe the Chinese government is supporting this activity. I would sincerely be interested in gaining a better understanding of what is leading Bruce to this conclusion........
A very interesting piece, thank you!
I admin' a server for the Epoch Times - a news media which published a comprehensive history of the Chinese Communist Party (CCP) a few years ago. It started a movement in which 40 million people have quit the CCP. So, of course the Epoch Times is a target. I get hundreds of hacking attempts each day from IP addresses in China.
Perhaps they are attempts from people who have strong nationalist pride! But I am not convinced that "these hacker groups seem not to be working for the Chinese government".
I would like to cite an example where currently in the Chinese area of Flushing, New York City, mobs of up to 600 have been attacking (verbally and physically) the volunteers at the "Quit the CCP Center" since May 17th. From the outside, the pro-CCP mobs appear to be zealous nationalists, however we have a recording of the Chinese Consul General, Peng Keyu, who admitted to encouraging these hate attacks on US soil. We also know that people in the mobs were paid $90 a day.
These mobs initially also "seemed not to be working for the Chinese government"...
We also know from Chinese defectors like Chen Yonglin and Hao Fengjun that the CCP employs thousands of spies around the world.
Given the CCP's insatiable hunger for controlling information both inside and outside of China, and the great lengths and expense that they go through to employ global spies, wouldn't it just
follow that they would exert the same amount of effort and force on the internet?
(Sorry this is so long!)
Even no action is an action. By turning their heads the other way, the Chinese Government supports the hackers. If the hackers are based in China, then China must take responsibility. Thats the way the world works.
Netter Bericht - kann ich nur beistimmen.
Bruce: Your apparent level of certainty is unjustified. Just because some of them are non-state actors (no doubt true), it does not follow that all of them are.
Also, as to whether the US government should blame the Chinese government, this is a bit like any other diplomatic issue where one country has the means, or, if not, a responsibility to develop the means, to control the hostile entities acting against other countries from within its own borders. So even if they are all non-state actors (which I doubt, but I'll grant for the sake of argument), they still should be brought under better control, the US might argue. Whether that can be done in a world of an open Internet is another question, but the main point about why the US may still want to hold China responsible stands.
It's very simple, as more cyber laws come into affect in China, and the CCP cracks down on hacker groups the cyber attacks will die down as these groups are brought under "better control" ie. the CCP centralize the effots of the hackers just as the US jails then employs them. The attacks will become more refined and less known to the public focusing on gaining state secrets, similiar to the efforts of the NSA attacks on other governments.
The US dominates in this area of espionage but as other countries especially developing countries surge ahead we'll see more attacks from them.
On a recent trip to China I had open internet access when not using my portable firewall, but no access when using it. Actually, I had access for a few minutes - but the penetration attempts were legion, and soon I was booted from connectivity. The words of my Chinese collegue said it best, "give them something to look at, and they'll leave you alone".
Mr. Schneier, I believe you have well organized source and I am confident some of the source you are reffering to, but I think it is wrong to deny Chinese official Cyber Warfare team not engaged in these activities. I know one of the origin of the Chinese hackers were using a computer owned by government operated organization through 0088.org. You have also not covered the social engineering techniques used within several attacks, rather or not you are ignoring this fact on purpose. There are several other techniques involved that smells professional and official. Your research is incomplete and misleading. I have several other reasons for possible official Cyber Warfare team involved, but I am not going to discuss it here for security purpose, but I believe you should redo your research.
You make reference in this article to people who actually monitor those networks as being able to verify your contention that these probes actually exist and are not part of someone's fantasy. For the past three years I was one of those people.
Hidden from view behind multiple doors with various badge swipes, PIN codes, and biometric exchanges we sat. The traffic was staggering. Across four government networks we're talking billions of events per week originating from Chinese IP addresses.
In some cases I was suprised that the sheer volume of IP and port walking didn't constitue a DOS attack. In the case of one customer it seemed that within an hour of announcing the IP space we were receiving several hundred thosand Chinese IP originating events per day.
Bottom line Bruce, thanks from the trenches. You hit the nail squarely on the head. This stuff is not a figment of the imagination and is not to be taken lightly. Just ask the Free Tibet folks.
I am a private US citizen. Yesterday evening my computer starting acting extremely unstable. I shut it down and ran my McAfee software checking for viruses. Nothing found. So I dug deeper. I checked my firewall and it was set below medium protection (since I hate to answer the pop up questions). Big mistake.
Once I checked my inbound log I found hundreds of IP addresses and clicked "trace" and one after another they were originating from computers all over China. I am shocked. The level of traffic to my system was astounding. Going back three weeks I found that I had been hit by the same Chinese IP addresses over and over. There were at least 40 different IP address originating there. I found 2 from Mexico and 2 from the UK. I banned every one that I found connected to China or other foreign countries. It is shocking.
So when you folks are reporting on these attacks, please don't fail to mention that they are accessing systems through private PCs all across the nation.
On Sunday afternoon I watched a special report about China's cyber attacks on the US. They interviewed the hackers and went to their hack "computer centers" to show how they were doing it. They explained why they were doing it. The reason the hacker gave was that they are furious at the US for our stance and false reporting on the Tibet issue. They pointed to CNN, ABC, and other news organizations for reporting the story with a negative skew toward China. They also explained that this was a reason for a surge in Chinese patriotism and a great desire to hack our systems in retailiation. During the program and after, for not one second did it ever occur to me that it was me they were using as access!
Needless to say, I just like millions of others watching that documentary never even suspected that I had hackers sitting over my shoulders for weeks at home while I sat and surfed the internet.
As I traced back the dates (and I traced every IP address that I saw in the log) the usage of my system increased substantially over the past two weeks. Prior to that these same hackers had visited my system routinely but not daily or hourly.
The most disturbing thing about all of this, while my computer was on but not connected to the internet Monday, I had traffic. The hackers had been on my system throughout the day while both I and my husband were at work.
Please start talking about personal PCs in your articles. I see government hacking stories in the posts and in the reports I watch, and it never dawned on me that I was a target or a vehicle to a target.
I have upped my firewall to lockdown. Those silly request and question pop ups are not a problem in the world to me now. Spread the word.
On the contrary, I believe China is very capable of having government-sanctioned academies targeted solely at hacking into American networks. Why not? Theirs is a very opportunisitc and amoral regime that will do things the easiest and most cost-effective way no matter the morals.
Nice and somehow convincing (because of your reputation?), but you don't provide any data that isn't vulnerable to "where's the proof?" attack. Selling t-shirts? It's interesting clue, but doesn't mean much. China is keeping it's people in much harder grasp then most of western countries. It's comfortable to mask black cyberops as "private sector's" actions, but... there is no private sector. Cyberpotency (let's say - ability to influence The Net with some power) it's valuable and it's weapon. In China weapon can't be possessed by fellow man...
A frightening article. Most PCs are made in China. How many other brands besides Lenovo feed data to China? Is US military software infested with undetectable sleeping malware programs able to be activated in the event of a US-China confrontation?
And because of the colossal amount of money the US owes China, the US has to keep on the good side of the Chinese government??
Most American companies don't have or need traffic originating in China or Eastern Europe where malicious hackers seem to cluster. Wouldn't it be a reasonable and significant online defense strategy for an American business with an American client base to simply ban all Chinese and Eastern European ip addresses and domains? This may be akin to my putting iron bars and doors on my home -- no defense to a pickaxe through the wall -- but it makes me far less vulnerable than my neighbors.
"Wouldn't it be a reasonable and significant online defense strategy for an American business with an American client base to simply ban all Chinese and Eastern European ip addresses and domains?"
No people keep suggesting this idea as a kind of "Fortress America" idea rather like the TSA and "sit in your seats for the last hour of flight"...
From just a business prospective even if you are talking Mon-n-Pop SoHo bussiness then it's not a viable option in many cases.
Even the more senior and staid US Government Dept's have been surprised at just how reliant US business (at all levels) is dependent on these "economicaly developing areas".
And from an ICT Security point of view it's a compleate non starter.
"This may be akin to my putting iron bars and doors on my home"
Is actually more like putting chains on the fire exits in a night club / entertainment venu, just to stop people inside letting others in for free.
The reason is because,
"but it makes me far less vulnerable than my neighbors."
Has no meaning on the Internet.
People are still mistakenly thinking the "distance vector" has meaning to either the Internet or the Cyber-naredowells [*].
It does not there is no tangable (physical) world constraint on the intagable "information" aspect of the Internet (currently). That is it's the same "zero cost" to all physical places, after you've paid your connection fee.
Thus "all the world" is on your Cyber-doorstop one way or another, and in many many cases inside your own computer is just a part of somebody elses intangable world (Malware / bot-net / etc etc).
Your Cyber-naredowell knows it is not wise to use their own resources for carrying out their unlawfull or questionable activites, thus they will use "staging posts". These are other peoples machines including your own they or other cyber-naredowells have subverted (or "owned") and turned into relays (or "zombies") in bot-nets or obsfication chains etc to hide behind.
Thus you could well be attacked by your own machine or the one in your childs bedroom, Finance Director et al.
There are three basic issues that people have trouble with when it comes to thinking about the intangable "information world",
1, No distance constraint.
2, No force multiplier constraint.
3, No duplication constraint.
The only distance constraints on intangable information is the tangable world constraints of the "speed of light" and "bandwidth".
However for the Cyber-naredowell this is irrelavant due to "force multipliers", "user agents", "tools" or whatever else you want to call them.
They are just bits and bytes of information that once on a machine get used as instructions by that machine to do work.
As they are usually on somebody elses machine they have "zero-cost" to the Cyber-naredowell. And if they take care to throttle the "tool" back then it will be lost in the machine slack and thus go unnoticed by the machines owner.
Most users have got used to the idear of file copying, thus are aware of what is effectivly "zero-cost" perfect duplication of bits and bytes.
Thus as the Cyber-naredowell well knows, every thing is just just unseen bit's and bytes to the everyday user. The only fees the user pays is one of connection to "always on broadband" and the electricity of an "always on machine".
For most everyday users these days they have so many free CPU cycles they will not notice 10-20% being used by others, Nor will they see 50% or more of their hard drive disapear into hidden files placed there by others. Nor will they see low bandwidth covert communications made by others.
Thus your everyday user remains blissfully unaware that their machine is doing more work for Cyber-naredowells than for them...
And if you think there is a way to stop the Cyber-naredowells by monitoring activity or communications forget it zero day exploits and user bad practice mean they will get in one way or another. And once there, will via rootkits etc remain undetected to anything else running under the OS. As for tracing the "command and control" section of a zombie or botnet member forget it, it is way to easy to subvert Google or anyother search engine to do that (and yes I have a proof of concept if anyone doubts it). Likewise with sending information back to the botnet controler.
For the current way that users use their machines the game is over, and the wiley Cyber-naredowell has won. It needs a significant rethink and even more significant action to make it otherwise.
[*] replace with cyber - criminals / terrorists / whatever the next silly politicaly motivated namewright thinks up to scare you out of your underware. Me I prefer the good old fashioned "naredowell" it covers them all in a nicely quaint and thus non threatening way. Look on it as my tiny bit to Bruce's "Refuse to be terrorised" 8)
I've been responsible for over 1000 websites since 1995 and not a one of them has ever had a need for Chinese or Eastern European business. If country-of-origin-despite-hacker-using-proxy was possible, no business I've worked for has ever had a sale or needed business from those countries.
Yes, I'm aware that ne'er-do-wells (the etymology comes from "never do well", see http://en.wiktionary.org/wiki/ne%27er-do-well) use proxies.
Any basic recommendations for the average user? Yeah, I use Windows XP and need to use MS Office for business stuff. Switching to linux would pretty much reduce me to half my productivity due to the tools I'm dependent on.
My rethink is to make c-n-d-w's worry for their physical safety. License bounty hunters to get them, dead or alive. A few high-profile examples and some of the teens attracted to the glamor may consider honest lines of work. There is clearly insufficient disincentive. Weekly stories like http://www.theregister.co.uk/2005/07/26/... would be a good start.
"Moscow's Central administrative district has yet to establish a motive for Kushnir's death, but is treating the case as murder."
Hmm he was bludged to death not exactly easy to be self inflicted or accidental.
And all though he was a right royal pain in the proverbial he was (as far as Russian law and spaming) not doing anything illegal as far as we are aware.
Which makes me wonder what else he was upto I think it's time I droped a friend a line.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.