U.S. Government Computers Attacked from China

From the Washington Post:

Web sites in China are being used heavily to target computer networks in the Defense Department and other U.S. agencies, successfully breaching hundreds of unclassified networks, according to several U.S. officials.

Classified systems have not been compromised, the officials added. But U.S. authorities remain concerned because, as one official said, even seemingly innocuous information, when pulled together from various sources, can yield useful intelligence to an adversary....

"The scope of this thing is surprisingly big," said one of four government officials who spoke separately about the incidents, which stretch back as far as two or three years and have been code-named Titan Rain by U.S. investigators. All officials insisted on anonymity, given the sensitivity of the matter.

Whether the attacks constitute a coordinated Chinese government campaign to penetrate U.S. networks and spy on government databanks has divided U.S. analysts. Some in the Pentagon are said to be convinced of official Chinese involvement; others see the electronic probing as the work of other hackers simply using Chinese networks to disguise the origins of the attacks.

Posted on August 26, 2005 at 7:59 AM • 28 Comments

Comments

RampoAugust 26, 2005 8:27 AM

"Whether the attacks constitute a coordinated Chinese government campaign to penetrate U.S. networks and spy on government databanks has divided U.S. analysts. Some in the Pentagon are said to be convinced of official Chinese involvement; others see the electronic probing as the work of other hackers simply using Chinese networks to disguise the origins of the attacks."

Well yes, the Chinese might be foreigners, but they aren't totally stupid, are they?

Prolly the Canadians, bouncing off Chinese websites.

PhillipAugust 26, 2005 8:40 AM

others see the electronic probing as the work of other hackers simply using Chinese networks to disguise the origins of the attacks


It would seem if this is the case the "official" Chinese Government would be forthcomming in addressing the problem and would help to find/prosecute the offenders. If they do not help find the attackers are they not obstructing justice or taking part in a conspiracy?

tim fininAugust 26, 2005 8:50 AM

How do you use a *web site* to "target computer networks"? The very title of this article was "Hackers Attack Via Chinese Web Sites".

Is this just an example of people conflating the Internet and World Wide Web? That's easy enough to do -- I sometimes find myself saying "web" when "internet" would have been the right term to use.

Or is it that people are exploiting vulnerabilities of Web based systems in China to gain access to the computers which host them which are then used to probe or attack DoD computers.

CarlAugust 26, 2005 9:00 AM

@Tim: I laughed at that too when I started hearing about this on the radio. I'm wondering the same thing. Are the web sites visiting us now? Undoubtedly it boils down to hackers simply having chinese IP addresses. Of course they could be logged in through a series of computers all over the world...

Anyway, every time I've seen that headline it left me a little saddened by the confusion over such a simple idea.

SencerAugust 26, 2005 9:17 AM

It's probably websites that use exploits in browsers to gain access to local files on the computer, or to take full control of the computer.

And before someone asks why anyone would visit them: It's websites hosted in china, not websites in chinese. I doubt many people check in which country a webserver is located before they visit the site.

Chung LeongAugust 26, 2005 9:19 AM

I would think the Chinese spooks are smart enough to route their attacks, say, through Canada.

BritAnalystAugust 26, 2005 9:27 AM

The uk (Mi5) warned about this in April this year, along with public announcements in July. Any IDS analyst worth their salt (and enough material) will have noticed this in 99/00. Most of the 'manual' attacks seemed to be coming from Chinese provinces, Israel, Palistine, and then the wrest of the world in that order. The wrest of the traffic being background noise as we know it today (worms,viruses, other malware, scripted attacked). Anyho. SO, we are suprised, not.

RampoAugust 26, 2005 9:32 AM

@Kevin Davidson:

Could somebody explain to me why this makes sense:

"All officials insisted on anonymity, given the sensitivity of the matter."

Because the story isn't true at all. It's a complete fabrication. By not being named, the officials remain untracable, and blame for the falsehood can fall upon the media, who have become very slack at checking what they publish.

BritAnalystAugust 26, 2005 9:39 AM

UK NISCC Advice with regards to 'focused' attacks.

A series of trojanised email attacks are targeting UK Government and companies.

http://www.niscc.gov.uk/niscc/docs/ttea.pdf

Accurate attribution for the originators of the attacks is extremely difficult, but IP addresses used for sending emails and controlling trojans,
along with email header information, are often linked to the Far-East.

RvnPhnxAugust 26, 2005 9:42 AM

I block 3 whole provinces of China from one of our webservers--the attacks against SMTP, FTP & SSH programs were getting really annoying.

another_bruceAugust 26, 2005 9:48 AM

stories like this annoy me. all the truckling from bush one and bush two to china, letting them into the world trade organization, betraying democratic taiwan to them...then there's the truckling from companies like yahoo and google who are going along with chinese censorship in pursuit of their market, if these companies can block chinese access to uncensored media, why the %$$&*^ can't they block chinese access to our defense department?

Jonas GrumbyAugust 26, 2005 10:58 AM

@Carl:

I think there's a joke in there somewhere: In communist China, websites visit you!

Young CurmudgeonAugust 26, 2005 11:09 AM

The Chinese government probably doesn't need to block US government websites. After all, there's no subversive pro-freedom material there!

jammitAugust 26, 2005 11:14 AM

I really don't believe it's a co-ordinated (or un co-ordinated) attack by the Chinese gub'mnt (tm). If the Chinese were hitting the US, they'd spoof through some other country, or setup a server somewhere else to bounce through. I think it's the Canadians (I'm kidding. I love you guys) using a target of opportunity by bouncing through weak Chinese computers. Think about it for a second, which country pirates windows OS the most? Sorry, I had a target of opportunity to slam Microsoft.

the other GregAugust 26, 2005 12:09 PM

>... code-named Titan Rain ...

Oh, those devilish punsters at the DoD! The US networks being targeted need to be firmed up and brought under control, because right now they're on a "slack rein". So the appropriate response to "Titan Rain" is to "tighten rein".

-- GG

LK3August 26, 2005 1:30 PM

I'm a bit surprised that the analysts are divided as to whether this is the action of the Chinese government or hackers using Chinese networks ... while I suppose you can't rule out incredibly ham-fisted spying by the Chinese, it seems a bit implausible. Consider the recent DOJ report showing that the majority of cybercrimes against US citizens (even those with a purported foreign origin) are pulled off by ...... you guessed it, US citizens:

http://www.privsecblog.com/archives/...

ShuraAugust 26, 2005 3:28 PM

Regarding the claim that no classified systems have been compromised... maybe I'm wrong, but isn't that a "well, duh" issue? I always thought that you can't connect classified systems to the internet, anyway - or, for that matter, any network that doesn't have the necessary clearance. There's a reason why SIPRNET exist, right?

This certainly seems to suggest that it's more of a sensationalist story, or maybe the beginning of a disinformation campaign to "teach" the public how evil "the chinese" are.

FrancoisAugust 26, 2005 5:56 PM

Boundaries between classified and unclassified material shift all the time. Also, any information can be used to leverage a future attack. For example, some air force personnel recently had their identity data stolen. This information was unclassified, but how many of those personnel will earn promotions? Who among them will go into intelligence agencies? Some of that identity information will eventually be classified. It's very possible that some of today's unclassified personal data can leverage a larger attack against classified data in the future.

anonymousAugust 27, 2005 5:09 PM

"others see the electronic probing as the work of other hackers simply using Chinese networks to disguise the origins of the attacks."
i can't be the only person who's used a proxy server located in china to disguise the origin of certain activities (nothing illegal, but things that i wouldn't want to be traced back to me)

RogerAugust 28, 2005 9:50 PM

Anyone who maintains some sort of firewall and regularly checks the logs will notice that China is, indeed, a major source of malicious traffic. Whether this originates from China or is bounced through it I have no idea, but one company I worked for got a big peak in probes in non-Chinese offices when we were setting up a Hong Kong office; all these probes apparently originated from several government owned telecom company backbone routers. So either it came from the PRC govt., was sanctioned by the PRC govt., or their critical govt. infrastructure is seriously "pwned" by people with a close interest in Chinese business affairs... (by the way, none of these probes got through, yay me!)

The claim that Chinese government spooks wouldn't do this is silly; the best way to disguise your point of origin is to blend in with the crowd, and currently a big slice of that is China. Sure, Russia or Florida would do nicely too, but working from your own country gives the added advantage that the chance of getting caught is 0%.

T. DieselAugust 29, 2005 1:43 AM

Of more interest will be finding out how TR did it. From a related article: http://www.time.com/time/nation/article/...

So they were wet and out in 20 minutes with a beacon to repenetrate at a later date.

I'm going to guess these big deal DOD networks are like most major corprate networks and have low hanigng fruit. I'm betting they used off the shelf vulns on these weaknesses and the only difference here was the process. Just like good security good attacks are simple and repetable.

I'm sure we may never know; imagine the DOD having to admit it was hacked by not applying a patch that has been out for six months. Or having a blank SA password on an externally facing SQL box :)

That's the real question here how was it done and how can it be prevented, not who really did it.

search-goodAugust 29, 2005 2:50 PM

I have no idea, but one company I worked for got a big peak in probes in non-Chinese offices when we were setting up a Hong Kong office; all these probes apparently originated from several government owned telecom company backbone routers. http://www.search-good.com So either it came from the PRC govt., was sanctioned by the PRC govt., or their critical govt. infrastructure is seriously "pwned" by people with a close interest in Chinese business affairs...

HavvokAugust 30, 2005 2:31 PM

I want to learn to program in Chinese Code! Then I can break into Chinese computers!

Get a grip.

RogerAugust 30, 2005 7:25 PM

"I want to learn to program in Chinese Code! Then I can break into Chinese computers!"

Actually, it often is possible to tell a programmer's native language from her code, even compiled code. For example if the symbol table isn't stripped (or if it is a scripting language), variable and subroutine names will usually be in a particular language. Even if those sorts of things have been obfued, there may be other clues, eg some library packages are more popular in particular countries because they have better doco in that language.

I have worked with programmers from several non-English speaking countries and frankly it's quite often obvious who wrote which code, no special forensic tricks are required.

NeighborcatSeptember 1, 2005 7:41 PM

In my experience, the best clue that code was originally written in Chinese is that each line has a number before it. The same applies to higher quality Mexican and Italian code. Watch out also for the symbol that looks like a chili pepper. I think it denotes malicious code.

stephen costiganSeptember 6, 2005 10:22 AM

The joke to me is why any computer system that has US confidential or National Security Intrest is connected to the internet in any way! If the Engineers in the US actually think there security standards are hackproof then they deserve to loose data. It just doesnt amke any sense and it sounds like lazy netowrk administratoin.

Dont connect top secret or vital information systems to the Internet.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..