Titan Rain

There seems to be a well-organized Chinese military hacking effort against the U.S. military. The U.S. code name for the effort is "Titan Rain." The news reports are spotty, and more than a little sensationalist, but I know people involved in this investigation -- the attackers are very well-organized.

Posted on December 13, 2005 at 4:39 PM • 72 Comments

Comments

Yoan • December 13, 2005 5:16 PM

Also, North Korea is known to have such a program, but there simply isn't as much public information floating around about it.

AG • December 13, 2005 5:26 PM

Little surprise there.

So, are we marking our calendars?
First noticed start of Sino-US Internet War December 2005.

Roy Owens • December 13, 2005 5:44 PM

Are these attacks against the same DoD that (generally) mandates Microsoft PCs for desktops, and prohibits Macs or other brands of Unix?

They seem to be inviting attacks.

Pat Cahalan • December 13, 2005 6:14 PM

> In the attacks, Paller said, the perpetrators "were in and out with no keystroke
> errors and left no fingerprints, and created a backdoor in less than 30 minutes.
> How can this be done by anyone other than a military organization?"

Most intrusions aren't that clean, but that doesn't mean they're military.

Koray Can • December 13, 2005 6:18 PM

@ Milan
Hey, you never know what you're missing out on until you hack into some military computers ;) Maybe they're looking for WMD's...
This reminds me of the KGB-supported German attacks in the 80's. (http://www.amazon.com/gp/product/0743411463/qid=1134519468/sr=8-1/ref=pd_bbs_1/102-0666860-9028924?n=507846&s=books&v=glance)

kashmarek • December 13, 2005 6:18 PM

Breaking news: on NBC tonight they report that the Pentagon is once again spying on Americans that protest the war activities, similar to the 60s. It would seem the Department of Defense is too busy looking at Americans to be watching out for foreign invaders.

alan • December 13, 2005 7:02 PM

>> In the attacks, Paller said, the perpetrators "were in and out with no
>> keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes.
>> How can this be done by anyone other than a military organization?"

>Most intrusions aren't that clean, but that doesn't mean they're military.

What about if they were using a script?
No keystroke errors, quick.
I agree that just because someone knows what they are doing, it does
not mean they are military.

RS • December 13, 2005 8:25 PM

... but if we can't trust the communists, who can we trust?

Of course they're spying on us! Let's just hope we're better at spying on them.

Pat Cahalan • December 13, 2005 9:29 PM

@ Alan

> What about if they were using a script?
No keystroke errors, quick.

No keystroke errors, but very often script attacks leave fingerprints, because people run the script attack against machines that are only partially vulnerable to the script.

Scripted attacks work great as a class break, but it's tough to do cleanly unless you do a lot of recon on your target cluster, so that your script is tuned appropriately.

Bill McGonigle • December 13, 2005 11:37 PM

I don't know what North Korea's Internet connectivity looks like, but if I were in the business (for profit) of penetrating systems and selling state secrets I'd look to base my attacks from a country with no motive to curb my activities.

I also see no reason for the Pentagon not to blackhole North Korea's netblocks at the router. Let them into the State Department and call it a day.

Kevin • December 14, 2005 1:57 AM

Not to don a bit of a tinfoil hat here, but isn't the fact that the US is being open and direct about what should be a diplomatic nightmare more than a little weird here? I mean, one would expect this to stay inside the ranks of secret cleared folk, but they seem to be trying their damndest to make sure everyone knows about it.

Maybe they figure the best way to stop it is shame the Chinese government into cutting it out, or if they're not doing it, find the people in their country who are. That, or they make for convenient accusations for future trade/diplomatic negotiations. Or they're really hard up for good-news stories and the thwarting of this attempt (not that we'd know how many made it through) counts as decent PR.

dlg • December 14, 2005 3:38 AM

@Kevin

No tinfoil hat needed for that. If the attack was serious enough to actually be counted as an attack, people would not go around telling the media about it. Personally, I think it is about PR. Good PR for the DoD has been a bit rare lately.

Moshe Yudkowsky • December 14, 2005 4:50 AM

I'll have to take your word for it. The facts cited in the article don't support the contention that it's military ("who else but.." is a very odd-sounding opinion).

I discount the Time magazine report; I have precisely zero trust in anything they write, based on bitter past experience.

Gustavo Bittencourt • December 14, 2005 6:29 AM

This note reminds me of US control over the DNS system. The US can do much more damage to China just by removing the "cn" domain from the root servers than 1 billion Chinese crackers could do attacking the US.

Bruce Schneier • December 14, 2005 8:36 AM

"I'll have to take your word for it. The facts cited in the article don't support the contention that it's military ('who else but..' is a very odd-sounding opinion)."

There's not a lot of facts out in public; much of the investigation is classified. I believe the people I know who have been involved in the case. It's much more organized than even the news articles imply, and there is no doubt that this is state sponsored.

"I discount the Time magazine report; I have precisely zero trust in anything they write, based on bitter past experience."

It's quite impossible that a publication gets everything wrong, unless they deliberately set out to do so (see The National Enquirer). The Time article is pretty good, although I don't think you have to pay whatever they're charging to read it. Remember, there's no partisan politics in this story, so there's no need to close your ears and sing "la la la la" because someone is reporting something you don't like.

Anony • December 14, 2005 9:38 AM

Actually, if I may add - fuck military. China currently is the haven of nice, open machines to use for attacks (like good old Cisco routers, where nobody will even notice any kind of intrusion afterwards) in an area that is pretty safe in that it will not
a) share any useful logs + the tracer is far far away (and add a few more silent hops - voilà),
b) is not exactly capable of monitoring anything despite the widespread impression,
c) is not particularly interested in doing this.
---
Up to now.
Since now, thanks to DoD claims, China has an interesting and pretty undeniable PR issue on their hands, they will just have to start to think about this, even if the actual hacker was sitting in NY, just across the exchange.

Steve • December 14, 2005 10:57 AM

I heard a couple of reports on this on NPR's "Morning Edition" earlier this week (12/12 and 12/13 2005)

http://www.npr.org/templates/story/story.php?...
http://www.npr.org/templates/story/story.php?...

on this subject. While certainly no operating system is invulnerable to attack, I did find it more than passing strange that the "M-word" was not uttered once during either piece.

Or, perhaps more accurately, three "M-words" -- "Monoculture", "Monopoly", and "Microsoft".

jammit • December 14, 2005 11:17 AM

I'm sure the lion's share is state sponsored by China. The last thing the Chinese gub'mnt wants is their people to get untampered info from the outside world. Just like here in the USSA. This doesn't surprise me. I'm not surprised there aren't more attacks from other countries, but assume they use China as a hopping point (not to rub salt in it, but China doesn't have the best servers out there, and everything is being filtered through just a few machines). We are a nice, fat, tempting target. I'm more worried about actual breaches than hack attempts, although it's only a matter of time until an attack actually works. What is our damage control policy, other than cover up and blaming the democrats? What's the best way to stop a hemorrhage?

om • December 14, 2005 12:17 PM

My guess to all these kind of reports is: this is more like lab test observing than defending. US can do far more damage to all other countries combined than to be hacked.

Lindus • December 14, 2005 2:30 PM

Hm, the question is how they know the attack "originate" in China... As we all know a set of telnet or ssh commands or tunneling through other systems can make the perp reside just about anywhere.
And I am sure paying some ISP in GuangDong to keep a box available doesn't have to be too expensive. The connection cost however is another question...

nir • December 14, 2005 2:33 PM

C'mon, info about the Chinese military trying to whoop the US's ass via the net wouldn't be made public if it were that serious. Probably some geek out there who got bored from top ramen.

Chris • December 14, 2005 2:59 PM

Wasn't there something a few weeks back about the Chinese military developing technology whose sole purpose was for battling aircraft carriers? The only country utilizing Aircraft carriers being the US...

This is not too surprising.

jam • December 14, 2005 3:05 PM

"What are they trying to achieve?"

Well, they apparently got some software from Redstone. That would enshrine some (otherwise unwritten) doctrine. If you think you might fight someone's armed forces sometime in the future it's a good idea to know how they think. The articles didn't say what, if anything, they got from DISA and NOSC.

I don't know how useful the software really is without its data. The data will be on classified computers. It's a fairly safe bet they haven't hacked into SIPRNet (I don't say that one can't hack into SIPRNet, just that one can't do it from mainland China).

There is a point of view in the US military that "cyberwarfare" is unimportant. I remember one officer referring to it as Weapons of Mass Irritation. It's possible that this story is coming out as a result of internal DoD disagreements.

Andrew • December 14, 2005 3:08 PM

Sorry... "No keystroke errors and no fingerprints"??? How would they know whether keystroke errors were made or not if there were no traces of the attack?

Arash Partow • December 14, 2005 3:16 PM

What if this is a double play by people inside America, trying to make their activities look like they've come from inside China, and being made by the Chinese military.

It's just a theory, but it's also just as likely a scenario as the one Bruce is pushing. The evidence implies both situations equally.

Arash Partow
________________________________________________________
Be one who knows what they don't know,
Instead of being one who knows not what they don't know,
Thinking they know everything about all things.
http://www.partow.net

Richard Steven Hack • December 14, 2005 3:20 PM

I have several problems with this report, not that I doubt SANS honesty or competence.

First is the comment that the Pentagon doesn't know of any successful penetration of one of their secure networks. This on the face of it means they've missed a successful penetration, because NOTHING is THAT secure. And once you've penetrated a secure system, how long does it take to compromise the rest?

Second, why assume that a bunch of guys are sitting in China using SSH? If I were the Chinese government, I would have plenty of guys physically in the US trying real physical ways of penetrating the security of the systems here - like blackbag jobs involving installing sophisticated electronic monitoring tools directly on computer networks to make it easier for the overseas guys.

I mean, it's not like there aren't scores of thousands of recent immigrants from Taiwan, China and elsewhere hanging around the San Francisco Bay Area and elsewhere that they couldn't slip a few agents in. And security at military installations, as SEAL Richard Marcinko proved with his "Red Cell" exploits, is a joke - his team compromised just about every high security area in the US military, including Air Force One, Camp David, the Groton nuclear sub base, and Tomahawk nuclear cruise missile weapons lockers. It would hardly be a massive project to compromise some military computers on a base somewhere or the Autodin phone system.

Third, who says the Chinese aren't bribing or blackmailing US civilian workers with the necessary clearances? When a Filipino worker can extract classified documents from Dick Cheney's very office as well as extracting documents from a military computer system elsewhere (assuming, as some suggest, that he wasn't actually working for Cheney in a covert attempt to undermine the President of the Philippines), I find it hard to believe that the Chinese can't do the same.

And again, once your security is hosed in one place, it's pretty much hosed everywhere.

In that light, these attacks might be seen more as tests of the level of successful penetration than actual penetration attempts themselves.

In which case, one has to wonder whether the Pentagon is viewing them with sufficient alarm.

Baffled • December 14, 2005 3:31 PM

I'm a bit baffled by the whole thing. The articles cited are much more than a little sensational. In my opinion the articles are just short of the rantings of survivalists and conspiracy theorists. I'm also scratching my head when I try to determine the motivation of the Chinese military. Are they planning to launch an attack on the single largest benefactor and trade partner of their nation? It doesn't seem to make sense, China's threat to the United States is massive from an economic standpoint but, doesn't loom very large from a military standpoint.

I am more suspicious of spammers and other organized criminals utilizing automated penetration tools than I would be of the Chinese military. Automated tools offer a far more likely answer to the meticulous and consistent nature of the attacks.

All of the articles lack critical details that may be helpful/essential for those of us that do not operate systems for the DoD. Details like, what types of attacks, against what types of systems, would help a lot. Are these ssh brute force attacks or are they buffer overflows in IIS being exploited?

jayzel • December 14, 2005 3:46 PM

Replaying intrusion logs from the different layers can immediately display characteristics of whether an automated or manual attack is being mounted, by closely examining timing, which may indicate repetitive tactile keyboard user behavior (the time it takes for a finger/hand/palm/forearm to transition from a 'p' to a 'SPACE' to a 'Q', etc). I forget what that region of forensics refers to, but it's a legitimate area of investigation.

Interesting aside: imagine being like those Morse Code interceptors working with Bletchley who had nicknames for the Germans, describing their 'hand', or Morse Code technique, only now in the next millennium you are a forensic investigator with intrusion detection logs, and you notice that there is a similar delay between the 'p', the 'SPACE' and the 'Q'... you notice that these delays only happen on Tuesdays from 8-9 PST from this certain netblock to this certain series of servers you are investigating. You nickname your friend 'pQ'.

Moving on, I reckon that even if a series of packets were coming from -different netblocks- for each similarly related attack (like a web attack via port 80, for example, using the same attempt to breach a database), one could still determine via timing whether or not the attack was automated or manual.
In the event of single character conversations (telnet, anyone?) it would be very obvious by examining the timing between characters and character sequences, much like the old school interceptors mentioned above.

jayzel@gmail.com

I am just sayin...
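
The timing analysis jayzel describes above, as an added worked example that is not part of the thread: a small Python script that replays a character-at-a-time session log (the "telnet, anyone?" case), measures inter-keystroke gaps, and flags a session as automated when the gaps are implausibly fast or implausibly regular. The log format, the three sample sessions, the thresholds and all function names are constructed for this illustration and are not from any real investigation.

```python
"""Classify a character-at-a-time session as human-typed or script-replayed
from inter-keystroke timing. Added example for this thread; log format,
sample sessions and thresholds are constructed, not taken from any case."""
import re
import statistics
from collections import defaultdict

# Constructed sample log, one keystroke per line: "<epoch.ms> <session> <key>".
# Session A: a person typing "ls -la" with irregular gaps (120-370 ms).
# Session B: a script replaying the same command with ~5 ms gaps.
# Session C: a script replaying it with a fixed 150 ms sleep between keys.
SAMPLE_LOG = """\
1134519468.000 A l
1134519468.210 A s
1134519468.520 A SPACE
1134519468.640 A -
1134519468.830 A l
1134519468.950 A a
1134519469.320 A ENTER
1134519500.000 B l
1134519500.005 B s
1134519500.010 B SPACE
1134519500.015 B -
1134519500.020 B l
1134519500.025 B a
1134519500.030 B ENTER
1134519520.000 C l
1134519520.150 C s
1134519520.300 C SPACE
1134519520.450 C -
1134519520.600 C l
1134519520.750 C a
1134519520.900 C ENTER
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<sess>\S+)\s+(?P<key>\S+)$")

# Thresholds are assumptions for this toy; calibrate them against sessions
# you already know to be human and known to be scripted in your own logs.
FAST_MEDIAN_S = 0.03   # nobody sustains 30 ms between keystrokes
LOW_CV = 0.15          # humans vary; sleep()-paced replays barely do
MIN_INTERVALS = 4      # below this, timing says nothing reliable


def parse_log(text):
    """Group keystroke events by session, keeping (timestamp, key) in order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the replay
        sessions[m.group("sess")].append((float(m.group("ts")), m.group("key")))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return dict(sessions)


def intervals(events):
    """Seconds between consecutive keystrokes, rounded to drop float noise."""
    return [round(b[0] - a[0], 6) for a, b in zip(events, events[1:])]


def timing_features(events):
    """Median gap and coefficient of variation (stdev / mean) of the gaps."""
    gaps = intervals(events)
    if len(gaps) < MIN_INTERVALS:
        return {"n": len(gaps), "median": None, "cv": None}
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else 0.0
    return {"n": len(gaps), "median": statistics.median(gaps), "cv": cv}


def classify(events):
    """'automated' if keystrokes are implausibly fast OR implausibly regular."""
    f = timing_features(events)
    if f["median"] is None:
        return "insufficient"
    if f["median"] < FAST_MEDIAN_S or f["cv"] < LOW_CV:
        return "automated"
    return "manual"


def digraph_profile(events):
    """Median delay per key pair: the typist's 'hand' an analyst might recognise."""
    per_pair = defaultdict(list)
    for (t1, k1), (t2, k2) in zip(events, events[1:]):
        per_pair[(k1, k2)].append(round(t2 - t1, 6))
    return {pair: statistics.median(v) for pair, v in per_pair.items()}


if __name__ == "__main__":
    for sess, events in parse_log(SAMPLE_LOG).items():
        print(sess, classify(events), timing_features(events))
```

Session C is the reason the check uses regularity as well as speed: a replay paced with a fixed sleep looks human-speed on average but has almost no variance, which no hand produces. The digraph profile is the per-pair "hand" jayzel mentions; comparing the same pairs across sessions from different netblocks is how an analyst would notice the same typist behind them.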

skeptic • December 14, 2005 3:49 PM

Don't be surprised if this is all concocted by the US government to justify an invasion of China in months or years to come...won't be the first time the gov't made up a problem only to solve it with an attack...

davro • December 14, 2005 3:58 PM

Where is the empirical information?
How can anyone take the media seriously? All they publish is lurid material in order to gain public attention.

IMHO it's just those pesky aliens having a laugh with quantum entanglement and "spooky action at a distance."

Shiek Yerbouti • December 14, 2005 4:09 PM

So what I am thinking reading this is: how bad is DOD infosec? If these systems had classified data or data worth China stealing, what were they doing connected to a network that was connected to the Internet? Further, did they have a good border firewall in place with tight ACLs? And unless these were 0 day exploits, what were vulnerable systems doing on a DOD network at all? They are supposed to know better.

As I recall from personal experience the military does a great deal of training and effort talking about and thinking about proper ways to store classified data. What went wrong here?

Someone previously in this discussion guessed this might be PR to make the DOD look good. How does this make them look good? Not getting owned makes you look good, but no one notices the folks that don't get owned.

bex • December 14, 2005 4:34 PM

CHINA DID IT. THEY HAVE THE MOST TO GAIN.

I don't see why anybody would question why China would do this. I love the tinfoil chapeau as much as the next guy, but the odds are high that China's to blame.

Firstly, read the "Art Of War." Know thy enemy is rule #1, and China has always (tried) to live by that rule. This totally fits their MO, even if they have no current plans of aggression.

Secondly, China has been flexing its muscles in Asia recently. Listen to their rhetoric about Vietnam and Mongolia, not to mention Taiwan. Remember a few months back when Japan caught a Chinese nuclear sub in their sovereign waters? And who is the world's policeman who would typically check their aggressions (and is currently embroiled in TWO wars)? The USA.

Thirdly, the Chinese government ain't a pack of bunny rabbits, people! Read the latest bio on Mao. The man was a sadistic monster worse than Stalin (who was worse than Hitler, remember). He killed 100 million of his own people to stay in power. They don't use water hoses and tear gas to break up demonstrations there... they use tanks, machine guns, and if you're lucky bullwhips. Remember, they are not using these to break up riots, these are for use against peaceful demonstrations.

They have the motivation, the opportunity, the ability, the most to gain, and they've done it before.

If you were a cop, you'd know that's 90% guilty right there. Those odds are better than most of what politicians have on a day-to-day basis to decide policy. Therefore, it's time to move on.

The best use of our brain cells now is to figure out how to SOLVE the problem. Not bicker about the 10% chance that China did nothing evil this time.

Gabriel • December 14, 2005 5:56 PM

Are you trying to help promote the hype ? You're a security expert, so
you know damn well that there's absolutely no way to tell if these
attacks are coming from the Chinese military or from highly organized
hacker kids. We both know there are a good number of American and
European hacker groups with remote 0day for win32, unix, cisco, etc and
these people can be VERY organized. There is no reason to speculate
that any particular government is behind these attacks. You're supposed
to be an expert, act like one, don't just go repeating everything you
hear your buddies say ;) [/rant]

BE6-II • December 14, 2005 7:58 PM

In the attacks, Paller said, the perpetrators "were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?"

Looking at the history of western military IT projects I would ask "if it was disciplined, then how could this have been the military?". Of course not making typos is very common in scripts. If this has any serious scale you would imagine that common operations have been automated. Also worm attacks take seconds from intrusion to back door, does that 30 minutes include scanning for exciting files?

If the story is true that many attacks keep originating from the same subnet then the immediate idea is that there is no way competent attackers could "live" at that subnet. With millions of infected PCs out there advertising their vulnerability to whoever they attack at random there are plenty of opportunities to launder connections. (Was I the only one who, upon reading that this was learned by breaking in to a router in China, remembered James Bamford's "Body of Secrets" about the NSA interest in Cisco routers and the story of anonymous men in black complimenting the guy with the IOS exploits after his Blackhat presentation?)

That said, I do think these attacks are done to gather data for Chinese intelligence. (Which doesn't mean they are behind it, but still) News reports mentioned specifically that non-classified weapons manufacturers' systems were targeted. Combined with the alleged large scale of the attacks it would seem someone is sitting on a huge pile of unclassified technical but mostly marketing data on advanced (not good, just advanced) US weapons systems. Frankly, I can't think of any country that has the manpower to plow through a lot (gigabytes?) of this English language, photo and measurement data looking for the few technical details that are unclassified, but still helpful when cloning or countering these systems. China is famous for its reliance on open source intelligence and paying people for whatever information they offer rather than training agents to do all sorts of cloak and dagger stuff. (Rumours include paying people to collect leaflets at airshows) China has also been trying to modernise many weapon systems, to the point where the EU is considering ignoring US opposition and lifting export control rules on China. European weapons manufacturers have been looking into possible IP issues surrounding Chinese weapons that look a lot like their western counterparts. A rumour that has made it to western newspapers is that China bought the remains of an unexploded cruise missile from terrorists who were targeted by it in Afghanistan. Kinda makes you wonder what hardware the Chinese do not reverse engineer ;-)

Didn't a Chinese kid from a poor farming area of China head a group of Chinese nationalistic website defacers earlier? They got upset about stuff in Japan among other things. What has become of them? If they heard the government of the country they are so proud of offers cash for data, any data, what would they do? (IIRC he even did a TV interview offering their help to the Chinese government) Has anyone recently seen a nationalistic Chinese defacement?

Chris W • December 14, 2005 8:14 PM

Is it time to blackhole Chinese routes on the .mil border routers? Or does the US military need to communicate with too many Chinese nationals? Perhaps there can be special air gapped networks for doing that.

-Chris

voxelman • December 14, 2005 9:13 PM

My ISP/Telco, a former employer, employs at least 3 Chinese engineers that have access at the deepest level of operations. They are very bright and few if any other people in the organization have the level of knowledge they do about the company's systems. They are perfectly placed to aid and abet any ongoing operations against companies that use this ISP's services. They also provide consulting services to companies in the area and often are involved in setting up internal networks and security. This is one organization in rural Iowa. I suspect there are many such sleeper cells throughout the country.

me • December 14, 2005 10:33 PM

The news reports are spotty, and more than a little sensationalist, but I know people involved in this investigation -- the attackers are very well-organized.

a little sensationalist? Seriously, you know people involved in this investigation, whereas I am one. With all the hype I've been fighting to bite my tongue but seriously, here's a few points. I cannot provide proof of anything I say, it would cost me my job and most likely my freedom. I cannot provide any information as to who I work for (I am not DoD), so in essence you can discredit everything I say, and most likely will. The only evidence I can provide is for you to keep your eye on the newspapers and more importantly on congress in the coming months, as this topic will be cropping up there before long.


1) This is not strictly a DoD problem, but rather a US government problem. It's active in at least 3 major departments that I know of, and most likely more than that.

2) This is not the Chinese military, it's state sponsored to a degree-- but it's much much worse. Remember in the 1800's when the US Govt would pay settlers per Indian scalp? Yea, it's kinda like that. This makes it far worse, as it's not just limited to people from China. Imagine thousands/millions/whatever of tried and true blackhats for money. They come at various levels of sophistication as you might guess, but generally they are incredibly poor at what they do.

3) DoD is incompetent, make no doubts about that. This story is being hyped by the leaks to make everyone look better than they are (aka saving face)

4) They leave tons of evidence. Imagine several hundred gigs of network traffic, several hundred megs of various backdoors and malware, and so on and so forth, and yes they do make typos. Even more interesting is that they are typos you would associate with an English keyboard.

5) So far, no classified systems have been compromised (AFAIK), this is due to network topology.

6) By and large, these are not very advanced attacks, this is people clicking on things in email they shouldn't.

7) DoD is totally and utterly incompetent, I cannot emphasize this enough.

So all this stated, what about this makes it so hard to defeat? The sheer number of attacks and tenacity of the attackers. They're not worried about getting caught, even when they know the chase is on, they continue to proceed as normal. Imagine thousands of people all over the world coming from thousands of ip addresses attacking and when they're getting caught in the network, just continuing to go into the network as if they never considered getting arrested/whatever an option.

I really wish I could provide more information, however this is the nature of the beast.

Additionally I wanted to mention that Carpenter is damn lucky not to be in jail, he's not an American hero as some would like to paint him.

BonziSamuri • December 15, 2005 2:05 AM

A few points worth (re)stating.
-The DoD hacks into China's networks all day long, it only makes sense for them to hack us back. Hopefully we are better at it than they are.
-The DoD website can be hacked into a gazillion times but that won't do the Chinese much good since the site is hosted on Akamai.
-For that matter, how many "high security" networks put their public servers in a DMZ or outsource them completely?
-Do you really think the system that links nuke silos to the "nuclear football" comes with a nice web interface using fancy flash animation? Do you think it has any connection whatsoever to the Internet?
The government/military secures their networks based on how important/secret they are. So woop-de-do that someone can redirect dod.gov to some porn site and woop-de-do that they stole some software of which they could find a better version on SF.net. Someone wake me up when China gets their hands on something that is actually classified.

turquoyz • December 15, 2005 3:18 AM

The Chinese government has been quite vocal lately about their plans to retake Taiwan & nuke the USA if we try to stop them....I hope someone in leadership positions is taking these threats seriously.

eatdd • December 15, 2005 7:41 AM

@turquoyz
The Chinese government has been quite vocal lately about their plans to retake Taiwan & nuke the USA if we try to stop them....

China doesn't seriously consider a first nuclear strike, their ballistic missiles are kept unarmed and unfueled. The only threatening statement recently was from a guy at some school way too low in the hierarchy to be involved in nuclear strategy. And it was a private recommendation, not a plan, it was also publicly rejected, loudly. Some Americans did make a fuss about this though.

China has been making some noise because they are getting big and want anyone who might want the same oil they want to know this. (having advanced weapons and a space program will help here) Also they don't want to own Taiwan, they just don't want it as an example of independence or democracy. (Too much of that and they have to crush protestors again) Of course for the threat of invasion to work in itself it has to be credible.

The most vocal about "the Chinese threat" have been Americans, specifically the ones who are involved in billion dollar cold war fighting projects that help nothing, nothing at all, against Osama and his many friends and thus are at serious risk of losing their funding. In this light you should evaluate both the Chinese nuclear threat stories and maybe even some Titan Rain leaks.

And as counterintuitive as it may sound, threatening a first strike *weakens* a deterrence since the target of the threat knows that the only way to prevent damage from a first strike reliably is..... striking first. (This is why the US should keep its old nuclear doctrine that doesn't include "preventive action")

DannyBoythePIPES • December 15, 2005 3:35 PM

So China may be looking at our networks.

Big F'ing Deal. Sounds like a Wen Ho Lee bullshit story to me.

Israel has had active spying programs with human assets at the highest level of government and a very sophisticated computer industry with close ties to our military. That is where I would look for spies.

Traced back to China? Feh, any zombie can mount an attack from anywhere.
No "typo"? Script Kiddie or bot network.

Bruce, stop being a shill for black propaganda dumbass lying whores that run this government of fear.

Bruce Schneier • December 15, 2005 4:08 PM

"Bruce, stop being a shill for black propaganda dumbass lying whores that run this government of fear."

Do you really think I'm a government shill? Clearly you haven't been reading this blog for long.

Gopi Flaherty • December 15, 2005 4:52 PM

@Gabriel writes,
"You're a security expert, so you know damn well that there's absolutely no way to tell if these attacks are coming from the Chinese military or from highly organized hacker kids."

China is a repressive police state. People organizing to do things can arouse the suspicions of the police. I don't know the facts, but I think that it would be possible to be fairly certain who's behind something based on the range of computers that they have access to, who runs those systems, and how often you find that they change around based on getting shut out of compromised systems.

Gabriel • December 15, 2005 6:54 PM

>>@Gabriel writes,
"You're a security expert, so you know damn well that there's absolutely no way to tell if these attacks are coming from the Chinese military or from highly organized hacker kids."

>@Gopi writes
China is a repressive police state. People organizing to do things can arouse the suspicions of the police. I don't know the facts, but I think that it would be possible to be fairly certain who's behind something based on the range of computers that they have access to, who runs those systems, and how often you find that they change around based on getting shut out of compromised systems.

-----

I'm sorry but you're only partly correct. I'll explain:

You're correct when you say that China is a repressive police state, but you are incorrect when you say that "it would be possible to be fairly certain who's behind something based on the range of computers that they have access to, who runs those systems, and how often you find that they change around based on getting shut out of compromised systems."

This is just completely not true when you take into account how modern hackers operate. With a single 0-day, an organized hacking group from the US or Europe could easily compromise thousands of systems in any country they wish, especially easy targets like university computers. Once compromised, each machine would be added to a peer-to-peer botnet which would be designed to allow the group to monitor, control, and launch attacks from any of the nodes, all with complete anonymity. This is relatively trivial to achieve; you basically just build a custom peer-to-peer network and use well-known crypto techniques to provide the anonymity.

You can read a much more detailed description of how such a botnet might work here:
http://www.uninformed.org/?v=1&a=4&t=txt

Basically the point is, there is no way to tell where the hacker group is located without breaking into the group's botnet. The attacking group could be located anywhere in the world; all we know is that they are currently using compromised machines in China. Hell, the attacking group could even be from within the United States' own government or intel agencies. There is absolutely no way to tell, and so speculating one way or the other should be left for the TV reporters, and real security experts shouldn't engage in such TRIVIAL SPECULATION.

Wouldn't you agree Bruce ?

--Gabriel

meDecember 15, 2005 10:53 PM

What amuses me is that people believe that everyone in the government is stupider than them and is basing their prognosis of the attacks being from China simply because IPs are registered to China.

Here's the kicker: none of the traffic is actually originating (at least from the end points' perspective) from China. It originates from everywhere.

meDecember 15, 2005 10:55 PM

(or to phrase it another way, intelligence isn't as one-dimensional as some of you would appear to be)

GabrielDecember 16, 2005 1:38 AM

> @me writes:
> What amuses me is that people believe that everyone in the government is stupider than them and is basing their prognosis of the attacks being from China simply because IPs are registered to China.
>
> Here's the kicker: none of the traffic is actually originating (at least from the end points' perspective) from China. It originates from everywhere.
-------

Well, what amuses me is that people in the government or working for the government would waste so much time and energy trying to track down the source of these attacks when they should be spending those resources on software auditing and actually securing the systems that are exposed to the internet.

Also, even if the attacks do at first appear to be coming from "everywhere", but under deep investigation appear to have Chinese origin, this could still all be staged. If there's one skill every real hacker knows well, it's misdirection.

"A military operation involves deception. Even though you are competent, appear to be incompetent. Though effective, appear to be ineffective" - Sun Tzu

For example, if I were a US hacker group, or the NSA, and I wanted to break into a certain military system, or test the security of US military systems in general, then the illusion that I would try to create would be exactly what you described. I would want to look like I'm a group of attackers operating out of some hostile nation. In order to keep the illusion realistic I would need to make it seem as if I was attempting to hide the source of my traffic, so that the US military & friends would have to do at least a little work before coming to the conclusion that I'm actually operating out of the hostile country.

Would such a deception really be that difficult for a somewhat competent hacker group to achieve? I think not, and I've already explained how it could be accomplished.

The fact is that we will probably never be certain of who is making these attacks. The modern internet can be a very hostile place. It's a place where attackers can easily hide through layer after layer of misdirection. The real story here is about the US military's incompetence with regard to securing important network infrastructure. Perhaps they should start hiring more real hackers to look at their code instead of trying to grow their own.

--Gabriel

antispinDecember 17, 2005 11:06 AM

"me:" Great job on your post. I especially appreciate your obvious efforts to create an aura of mystery surrounding who your employer is, and how you are "in the know." Could it be that you work at a secretive three-letter agency and are generously (albeit anonymously) imparting jewels of wisdom to all of us ignorant analysts who aren't as enlightened as you? I think not. The more likely scenario is that you probably work as an analyst for some second-rate government contractor, and have an ego the size of Texas that needs an outlet.

Fact: No person "in the know" that works at any secretive three-letter government agency would have anything to do with posting on any of these forums – especially a computer security analyst working in counterintelligence and/or intelligence areas who knows that server logs and IP addresses can be obtained with relative ease via National Security Letters. Additionally, you don't have to be a rocket scientist to predict that Congress will be looking into this matter, and that the press will follow up with reporting.

"…I cannot provide proof of anything I say, it would cost me my job and most likely my freedom."

Yes, "me…" At this point, the blog readers are all supposed to feel privileged that you are basically putting your life on the line by posting to this forum; we should feel grateful that you're taking a huge risk imparting your wisdom to all of us. I've worked in this field for a long time. For some reason, our field seems to attract a statistically higher number of pompous individuals who try to compensate for their incompetence by being extremely arrogant. Yes – this is the nature of the beast, and exactly what makes collaboration and progress for both the government and private sector communities difficult. Unfortunately, I've had to work with people like this, and it makes the act of accomplishing even minor tasks a nightmare in a teamwork environment.

Additionally, do you know Shawn Carpenter? Have you ever worked with Carpenter? The characteristics of your comments are typical of the personalities of the "roadblocks" I have had to tolerate in previous jobs – quick to judge, egotistical and devoid of usefulness. I know Shawn Carpenter, and have worked with him. He is honorable, intelligent and dedicated to his work. He and several other employees he worked with were screwed over several times – this situation wasn't the first. Coincidentally, each incident involved the reporting of security concerns within Sandia. Furthermore, why would David Szady (the FBI's Director of Counterintelligence, if you didn't know) write a favorable letter regarding Carpenter in his reply to Senator Grassley's office? Everyone has their flaws – Carpenter has had a tough lesson in dealing with the media.

"… Additionally, I wanted to mention that Carpenter is damn lucky not to be in jail, he's not an american hero as some would like to paint him."

You seem disappointed that Carpenter is not in jail, and that he is painted as an "american hero." Not only is Carpenter not in jail (as you would prefer), his clearance has been restored and he is working for the government. Carpenter never aspired to be a "hero;" he just wanted his employer to do something about what he had found. It's that simple.
You are "in the know" about all of this and have it all figured out – and you've been nice enough to enlighten everyone. Seriously, YOU should be our "hero," not this a**hole Carpenter. Besides, all of us know that the Bureau never makes mistakes. Our country needs more people like you to give guidance to all of us morons.

--Antispin

meDecember 17, 2005 2:12 PM

@antispin:

"I know Shawn Carpenter, and have worked with him. He is honorable, intelligent and dedicated to his work. He and several other employees he worked with were screwed over several times – this situation wasn’t the first. Coincidentally, each incident involved the reporting of security concerns within Sandia."

I wouldn't point the finger too hard, you guys had this problem, and failed horribly in your response. In fact, in the years this has been going on, everyone has failed horribly to accomplish very simple tasks; and from the sounds of it, you were one of those failures, congrats!

ACDecember 18, 2005 9:22 PM

Titan Rain = Moonlight Madness + 5~6 years. A couple of sensational news stories, feverish activity in DoD and no real evidence. I suspect a couple of years hence it will be viewed as a misinterpretation.

By the way, if DoD net security is so bad, how is it that my personal web site has never been attacked by compromised DoD machines but has been attacked by educational machines (including servers), commercial servers (banks, credit unions among others) and personal computers by the thousands? Just never zombied DoD machines. Maybe they're not as bad as some would have us believe.

DCDecember 19, 2005 10:21 PM

Moonlight Madness? do you mean 'Moonlight Maze' ?

Additionally, what I think was possibly meant was that DoD doesn't do very well at figuring out the why/how; their response is pretty good as far as identification of the compromise and removing the compromised materials, but the investigation afterwards is pretty bad.

Bruce SchneierDecember 22, 2005 9:19 AM

"Chinese? How do you know it's not the French?"

I don't know the details of the investigation, but I don't think you can know 100%. That sort of false flag misrepresentation is even easier on the Internet than it is in the physical world.

The investigators have a lot of evidence that it is Chinese, but it is possible that all the evidence is faked.

DannyBoythePIPESJanuary 27, 2006 1:23 PM

Sorry to insult, but do you think the gov wants to send out this story with Judith Miller (compromised hack) or a neutral third-party expert in security? Your story is weak, sensationalist, etc., which points to being used.

I say look at those that have a proven record of continual spying on the USA, including our own security.

L'SupreemoJanuary 30, 2006 7:06 PM

What a great example of intelligent people behaving like morons. All it takes is the injection of a little politics, and you lose 90 IQ points.
If you people used the same flawed reasoning in your work, the Internet would crash in 10 minutes. Want some examples?
No, I didn't think so......

Chris Mc DonaldFebruary 24, 2006 2:58 PM

My question is why military and DOE organizations, even if their systems are on the "unclassified" Internet, would even allow connections from Chinese router addresses? It would seem a trivial task to block such connections at the router level. Even NASA would seem advised to limit incoming connections to only those systems that it could afford to have compromised.

old ladyMarch 2, 2006 11:46 PM

In my firewall logs I see that most of the IP addresses trying to get in are hitting my ports 1026-1029.
That's blocked with my OS and my router.

MOST come from China. One was actually from Japan, one from Taiwan, a few from Malaysia.
All are blocked. BUT not all people, regular Ms/Mr, do this.
What I do know is that DSL from Verizon sends out modems with NATs in them.

BUT most people never enable these because most have no clue.

Anyway, I was worried, but now...
I dunno.

March 2, 2006

Oh, yes. I do trace them back. Once, for one in China, I had only two hops, mine and a direct one in China. Scary, huh?
But most are 15-20 hops.

meMarch 27, 2006 4:51 PM

@Chris McDonald

Things are not so obvious. Just because the Chinese are behind the overall picture doesn't mean all the painters are sitting on the other side of the Great Wall. I can say from experience that the attacks come from several thousand IP addresses all over the world.
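The router-level geo-block that Chris McDonald suggests, the firewall-log reading in the "old lady" comment, and the "several thousand IP addresses all over the world" point just above, as one added example that is not part of this thread: a script that parses constructed iptables-style kernel log lines, matches each source against a constructed CIDR blocklist (RFC 5737 documentation prefixes standing in for a per-country allocation list, which in practice would be derived from the RIR delegated files), renders the corresponding drop rules, and reports which probing sources the blocklist would *not* cover. Every name in it (BLOCKLIST, SAMPLE_LOG, WATCH_PORTS, summarize, render_iptables) is an assumption of the example, and the log lines and prefixes are made up.

```python
"""Added example: does an allocation-based block actually cover the sources
probing your firewall?  Not the page's code; all inputs are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a per-country allocation list.  These are RFC 5737
# documentation prefixes, chosen so the example attributes nothing to any real
# network.  The overlapping /25 is deliberate: it exercises the collapse step.
BLOCKLIST = ["203.0.113.0/24", "203.0.113.0/25", "198.51.100.0/24"]

# Constructed iptables-style kernel log lines, in the shape a Linux gateway or
# home router writes for dropped packets.  192.0.2.99 is *not* in the
# blocklist: it stands for the "attacks come from everywhere" case.
SAMPLE_LOG = """\
Mar  2 23:41:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=UDP SPT=4567 DPT=1026 LEN=1024
Mar  2 23:41:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=UDP SPT=4568 DPT=1027 LEN=1024
Mar  2 23:43:51 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53245 DPT=1028 LEN=998
Mar  2 23:45:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 PROTO=UDP SPT=1030 DPT=1029 LEN=1024
Mar  2 23:46:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP SPT=40111 DPT=22 LEN=60
Mar  2 23:47:00 gw kernel: eth0: link is up
"""

# The destination ports the commenter saw being probed (assumed for the example).
WATCH_PORTS = frozenset(range(1026, 1030))

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return {src, dst, proto, dpt} for a packet-log line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:  # garbage in the SRC field: skip rather than crash
        return None
    return {"src": src, "dst": m.group("dst"), "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def build_blocklist(prefixes):
    """Parse CIDR strings and collapse overlapping/adjacent ones into a minimal set."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def in_blocklist(addr, nets):
    """Linear scan is fine for a few hundred prefixes; use a radix tree beyond that."""
    return any(addr in n for n in nets)


def summarize(log_text, nets, watch_ports=WATCH_PORTS):
    """Count probes on the watched ports and split them by blocklist coverage."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    watched = [e for e in events if e["dpt"] in watch_ports]
    covered = [e for e in watched if in_blocklist(e["src"], nets)]
    not_covered = sorted({str(e["src"]) for e in watched if not in_blocklist(e["src"], nets)})
    return {
        "parsed": len(events),
        "watched": len(watched),
        "covered_by_blocklist": len(covered),
        "by_src": Counter(str(e["src"]) for e in watched),
        "not_covered": not_covered,  # the sources a geo-block would never touch
    }


def render_iptables(nets, chain="INPUT"):
    """Emit one DROP rule per collapsed prefix, in deterministic order."""
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in ordered]


if __name__ == "__main__":
    nets = build_blocklist(BLOCKLIST)
    for key, value in summarize(SAMPLE_LOG, nets).items():
        print(f"{key}: {value}")
    print("\n".join(render_iptables(nets)))
```

Run it and the report shows three of the four probes on the watched ports falling inside the blocklist and one source (192.0.2.99) outside it. That last list is the operational caveat: a block keyed on where addresses are allocated stops the traffic that happens to come from those prefixes, and says nothing about compromised hosts elsewhere relaying for the same operator, which is exactly why a source-address pattern is weak evidence of who is behind an attack.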

MBMay 25, 2006 2:13 AM

It's blatantly obvious that "me" is a wannabe secret squirrel... what a boob

Pandova 7 Exe.November 17, 2007 10:02 AM

I believe it is a new type of weapon system, in short a projection system that alters cyberspace using zero point energy; simply put, it is a machine that is a mental version of MIND STORM operating in a purely mental state, example Torquorsam Vos. Probably TALON technology or perhaps... simply a natural hybrid... such as MAN WHO WOULD BE KZIN. Sure it sounds a bit out there... but it just may be... huh?

DaveDecember 10, 2007 12:52 PM

"No real evidence?"

Keep in mind that we're talking about highly classified intelligence that may well also have been collected using the SIGINT system, not just forensic intrusion analysis. You don't know what evidence the government does or doesn't have.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..