MI5 Sounds Alarm on Internet Spying from China

Someone in MI5 is pissed off at China:

In an unprecedented alert, the Director-General of MI5 sent a confidential letter to 300 chief executives and security chiefs at banks, accountants and legal firms this week warning them that they were under attack from "Chinese state organisations."


Firms known to have been compromised recently by Chinese attacks are one of Europe's largest engineering companies and a large oil company, The Times has learnt. Another source familiar with the MI5 warning said, however, that known attacks had not been limited to large firms based in the City of London. Law firms and other businesses in the regions that deal even with only small parts of Chinese-linked deals are being probed as potential weak spots, he said.

A security expert who has also seen the letter said that among the techniques used by Chinese groups were "custom Trojans", software designed to hack into the network of a particular firm and feed back confidential data. The MI5 letter includes a list of known "signatures" that can be used to identify Chinese Trojans and a list of internet addresses known to have been used to launch attacks.

A big study gave warning this week that Government and military computer systems in Britain are coming under sustained attack from China and other countries. It followed a report presented to the US Congress last month describing Chinese espionage in the US as so extensive that it represented "the single greatest risk to the security of American technologies."

EDITED TO ADD (12/13): The Onion comments.

EDITED TO ADD (12/14): At first, I thought that someone in MI5 was pissed off at China. But now I think that someone in MI5 was pissed that he wasn't getting any budget.

Posted on December 4, 2007 at 12:34 PM • 36 Comments


John EllisDecember 4, 2007 12:59 PM

Jesus! If the director general of MI5 is so stupid as to think that he can send out a 'confidential' email to 300 business people and it remain confidential we really are screwed.

I supposed the questions that arise in my mind are

How do you know that the email came from MI5?

Why the secrecy? Surely the point is to get people to improve their security. Don't you want a lot of publicity?

ShaneDecember 4, 2007 1:05 PM

@John Ellis

"Why the secrecy?"

My guess is that it is a *HUGE* deal to publicly accuse the largest nation in the world of government sponsored digital espionage.

Mihai CrivetiDecember 4, 2007 1:14 PM

Makes you wonder how MI5 figured out there was an attack going on when the companies themselves failed to notice anything. I mean, that's what Intrusion Detection systems, rootkit revealers, antivirus software an so on is for.

And how exactly does one use a "custom trojan" to break into a system? The whole point behind trojans is... some has to let you in (knowingly or not).

Does the E-mail itself contain some form of digital signature btw?

And what's all this then:
"Ian Brown, of Oxford University, one of the report’s authors, said that attacks traced back to China have been found attempting to crack Whitehall passwords"

I mean, I get thousands of SSH brute force cracking attempts from all over the world, including China. It's pretty much norm as long as you leave SSH on port 22 or don't use port knocking / firewalling / whatever to block them. Not to mention the automated attacks on webpages, usually looking for some poorly written PHP application.

Isn't this really just an overrated press response all to happy to point the finger at China for ratings sake?

neduDecember 4, 2007 1:25 PM

Related news from last week...

"America already is in a cyber war, analyst says" (27 Nov 2007)

"'We are currently in a cyber war and war is going on today,' Palowitch said in a talk at Georgetown University's Center for Peace and Security Studies. He credited Gen. James (Hoss) Cartwright, vice chairman of the Joint Chiefs of Staff, with that assessment but said he agrees with it."

(Via Spaf).

coderpunkDecember 4, 2007 1:28 PM

Example Scenario:

Attackers create a low-bandwidth, low visibility trojan exploit for Quicktime. They then send this to know and guessed emails within the target company. You know 'See Fred drunk at last year's christmas party'. Some of the targets fall for it and play the video, which is just spam. They delete and think nothing of it.

Bingo, they now have multiple Trojans inside the company, slowly trickling out confidential documents and possibly even trying to exploit other systems on the LAN.

WonderingDecember 4, 2007 1:28 PM

@ Mihai Criveti

Why would anyone leave SSH running on port 22? Why wouldn't they run it on a different port, say, one above 1024?

Thomas SDecember 4, 2007 1:30 PM

@John @Shane
Yes. Sometimes classification is used to give a statement some degree of official "weight" while avoiding the associated political fallout. In this case, the sender is probably quite happy to have it leaked to the media, so long as China's ambassador officially has nothing to complain about.

Random hackers will be after random data for fun or resale. A Chinese governmental organization would be more focused in its targeting.

The question from a defensive standpoint is which we seem to have in terms of behavior, not it terms of origination. I.E. which threat matrix model explains the attacks that we see.

I trust the MI5 to have somebody able to tell the difference. I don't know enough about British politics and culture to guess if political motivations could have overridden him though.

tk.December 4, 2007 1:44 PM

@Mihai: I'm guessing that an IDS or AV software would be insufficient to pick up a trojan sufficiently customized for its target network. It was probably caught by more behavior-analysis type tools, like HIPS perhaps.

As far as to how they found out: maybe a few diligent network admins got the root of the mysteries in their HIPS log files and, upon finding something new and fishy, forwarded the data on the the authorities. With sufficient data, a pattern would develop.

Mihai CrivetiDecember 4, 2007 1:51 PM

@coderpunk Exploiting a buffer overflow vulnerability and dropping a Trojan as a payload is very much possible, true. What I'm arguing with here is press terminology.

@Wondering some people have other limitations in terms of open ports, clients and so on. But true, people chose to move SSH to a registered port (it virtually stops all brute force attempts). And again, SSH was just an example, and there are services that really can't be moved to another port and kept practical (think SMTP or HTTP). Besides, security through obscurity only stops them from wasting your bandwidth and filling up your logs :-).

@Thomas S oh, I'm sure MI5 has the ability to tell the difference, what I'm saying here: does the press? I'm sure it sounds cool and all that the Chinese army (of hackers) is targeting British and American "installations", but haven't I seen this somewhere before? In a movie? Plot's a little thin (sure, it's plausible, but still, the press presentation lacks credibility).

Mihai CrivetiDecember 4, 2007 2:42 PM

@tk. I assume you mean DefenseWall HIPS? If so, yeah, looks like this also does the job.

What I'm wondering about is why they'd need a MI5 "newsletter" rather then rely on their own security specialists. And to quote wikipedia on the subject: [CITATION NEEDED]. They pretty much repeat the same article all over the news channels, but there's nothing about a digitally signed letter from MI5, just said quotes from it, and no official statement on the subject from any of the parties.

News reporters always tend to blow things out of proportion. Anyone here remember the "cyber-jihad" that was supposed to take place a few weeks ago? :-). (Bruce blogged abut it too). Well, now it's no longer those blasted cyber-terrorists, it's the reds!

Here's something to think upon:

"Earlier this week, China said that it too had been attacked by computer hackers. Meanwhile, other experts say that hackers outside of China may be using the country's many insecure computers and networks to disguise their locations. " - BBC

* * *

And there are ways to prevent this: antivirus and Intrusion Detection Tools can also take a heuristic approach and/or monitor for strange behavior (or something as simple as registry changes). There's also data mining of logs, and there are some pretty advanced tools like Cisco MARS (Cisco Security Monitoring, Analysis and Response System) that go a bit beyond simple signature checking.

Same goes for Rootkit Revealers (see Sysinternals Rookit Revealer and Autoruns - look everything except signed ms entries, HiJack This+ or Strider Ghostbuster on Windows) or rkhunter on UNIX. Other host instrusion detection systems based on checksums like AIDE also help.

Besides, if it is a trojan it still has to find a way to start with the sytem. Either via some autorun, mascarading as a driver or some kind of rootkit (even something as simple as Hacker Defender). Either way, if you know what to look for, they're easy to spot. I've seen a lot of claims of "invisible rootkits", even ones that used Virtualization to hide itself (basically running as a hypervisor process) - like Blue Pill. So far, all have failed to avoid detection.

Even using covert channels it still doesn't seem plausible that the companies didn't catch on. I mean, from what I gather, we're not talking about SOHO here, this is big business, and where money is involved, they find ways to protect their networks.

If it's really true, I find it sad that companies need to rely on secret services "support" to protect their own networks and data. Incidents happen, but not on such a large scale... (and again, U.K. government somehow managed to simply lose tons of confidential data).

AnonymousDecember 4, 2007 3:15 PM


Why would anyone leave SSH running on port 22? Why wouldn't they run it on a different port, say, one above 1024?

Why not. Just turn off password authentication and use secure keys.

Darth ParadoxDecember 4, 2007 3:17 PM

It may well be that the attack wasn't discovered by network countermeasures at all, but was rather the result of human intelligence and infiltration into whatever agency in China is responsible for the attacks. Which is at once scarier (from a computer security point of view) and more reassuring (in that, yes, intelligence and investigation remains more effective than point-of-attack security - just like in terrorism).

Mihai CrivetiDecember 4, 2007 3:26 PM

@Darth Paradox - that would be pretty scary. And again, Occam's Razor slices that one to ribbons: what's more probable? Security professionals doing incident response or Mr. "Bond" uncovering Chinese secrets? I can already seem him posing as a Chinese person :D.
(don't mind the sarcasm, I'm just easily amused).

Maybe there is something to all of this. Or not.

One year ago:
Chinese Hack Naval War College

""Titan Rain",the government code-name for the recent increase in cyber-attacks against US military and defense institutions coming from China."

amalafridaDecember 4, 2007 4:38 PM

Interesting how the article is framed in terms of "the Chinese" . . . as in "the Chinese people" . . . what nasty little yellow people they must be!

Pure propaganda. Some people in China . . . Unnamed sources in China, might work . . . but "the Chinese". Crock of merde.

Security? How about cerebral security? Someone compromised the kernel on this one.

Carlo GrazianiDecember 4, 2007 5:06 PM

This kind of story has come up in the news several times in the last few years, under headings such as "Chinese attacks on Pentagon computers", "Chinese attacks on UK parliament computers", "Chinese attacks on DOE Lab computers", and so on.

When the story resurfaces in the media, it generally doesn't appear to describe a new circumstance. Rather, it has tended to be associated with some recent budgetary maneuver by the securocracy to bring in cyber-security funding from duly frightened legislators.

There is no doubt that China collects intelligence using aggressive network-penetration/malware tactics such as those described in these breathless reports. But anyone who thinks that this distinguishes them in any way from US and other National intelligence collection organizations must think the NSA spends its estimated annual $6E+09 budget on office chairs and paper clips.

Governments spy on each other. The only new thing here is that they are using the Internet and the MS monoculture to do it from a safe distance. Less whining and better security practices would protect corporate/government/private data more effectively. Loud scare-mongering about the Yellow Peril serves purely bureaucratic interests.

pfoggDecember 4, 2007 10:08 PM

@Carlo Graziani: There is no doubt that China collects intelligence using aggressive network-penetration/malware tactics such as those described in these breathless reports. But anyone who thinks that this distinguishes them in any way from US and other National intelligence collection organizations must think the NSA spends its estimated annual $6E+09 budget on office chairs and paper clips.

One issue is that in a state that's nominally still communist, and in practice still thoroughly socialist, 'government operations' and 'business operations' are much more tightly bound than in states of other kinds. In the U.S. and U.K. it's considered scandalously corrupt for government spies to feed illicit information to private businesses, but in China it's probably just patriotic. What would happen if General Motors, General Electric, Microsoft, Google and the NSA were all part of the same organization and operated as a team? In the U.S., it's hard to get the FBI, CIA, NSA, federal bureacracy and local law enforcement to work together, or even talk to each other in a timely fashion, as the 9/11 report pointed out.

Just because accusations can become overblown doesn't mean there's no problem.

And no, I don't think people need to worry very much about U.S. intelligence organizations systematically breaking into foreign business computers with customized trojan attacks. U.S. investment in intelligence seems to emphasize equipment and research over low-level staffing (e.g. tapping and processing lots of communications with great big computers), and the method China appears to be using involves the exact opposite investment strategy.

Matt from CTDecember 4, 2007 10:26 PM

Darn Carlo, you stole my point :)

Yes, cyber attacks a risk vector.

But considering the success the Russians, Israelis, and others have had in getting moles inside Intelligence agencies...do you really think the average corporation stands much of a chance against a targetted attack?

I worked at an R&D lab once...one of the legends was the day they gathered all the staff in the cafeteria -- except the Site Director (top guy). FBI escorted him out in silver bracelets for industrial espionage, and for diplomatic sake he was served minimal time in the U.S. before being flown back home to South Korea.

I was there in the late 1990s, and even then I was told by multiple managers who came over to the U.S. from Europe that working in the U.S. was a joy compared to the serious and widespread industrial espionage problems they were facing on the continent.

loraxDecember 4, 2007 10:49 PM

Actually, I'm not so worried about the Chinese as I am friendly folk doing silly stuff thinking they are helping out. My bank (big, US national, trillion $ assets class) recently installed security software to make client on-line banking more secure (plaudits here, they are trying). As a part of this, they are using Macromedia flash codes. When I look at the stored settings (partly binary, partly ascii) I find the values "crossdomainAllow" and "allowThirdPartyLSOAccess". Now, I'm not sure what agreements The Bank has with Macromedia about who they can sell these data to. But I am not happy to learn that my Bank is allowing Macromedia to allow third party's access to my account login data (and?).
Or maybe this is the kind of thing the Chinese and others are probing for?

Nomen PublicusDecember 4, 2007 11:26 PM

If the MI5 letter leaked, that's what was intended. Rather than cause a diplomatic incident and piss off the Chinese government, leak a story. Then we get into the "We know, that you know, that we know..." territory.

As for running ssh on a non-standard port, that's just security through obscurity. Use better passwords or switch to using certificates.

RonKDecember 5, 2007 12:58 AM


> ... Communist ... socialist ...
> In the U.S. and U.K. it's considered scandalously corrupt for government spies
> to feed illicit information to private businesses

You seem to be trying to make the point that there is a strong correlation between a nation's political system and its view on sharing government intelligence with private business. To add another data point to the discussion, I would like to point out that France has often been accused/suspected of using its strong laws requiring key disclosure to discover business intelligence and sharing said information with French businesses.

Adam GatesDecember 5, 2007 2:55 AM

China is insane and will be the cause of the most pain for the next 100 years...

The reality of where their HUGE population is going to steer their country be it thru peace or war is going to be the biggest challenge ever.

Colossal SquidDecember 5, 2007 4:31 AM

More unverifiable fear-mongering from the UK security services-hooray!

In any case we don't need Chinese hackers to loot our data, HMRC seem hell-bent on open-sourcing all our personal details.

supersnailDecember 5, 2007 4:35 AM

I doubt if the chinese government is behind this directly.

There are a lot of manufacturing businesses in china who would like to get thier hands on hte latest technoligy and get it to market early, and, make a pile of money.

Whereas copying something developed by someone else is perceived as morally wrong in "the west" this is not the case in the rest of the world. A Chinese, Indian, Russian or Middle Eastern business man would fell no guilt copying someone elses design and making money out of it.

"Intelectual property" as a moral concept is very recent and restricted to a small part of the earths population. Even then large parts of the Western population dont agree with this concept either. You only have to look at the various RIAA court cases and the divided opinions of them.

So get real, if you have valuable research keep it off your normal network.
There is no reason research teams cannot work on a physically separate network.

Pseudo AnonymousDecember 5, 2007 5:37 AM

I have recently seen government web sites come under sustained attacks, apparently originating in China. We traced these attacks to small companies in China. Whether China is the ultimate source of the attacks, we don't know.

This isn't just business as usual - the activity has leapt up by an order of magnitude or two recently.

derfDecember 5, 2007 8:31 AM

Don't recall the URL, but there was a trojan (probably Chinese) written specifically for the child of the CIO of the Department of Commerce to install on their home PC. The trojan waited specifically for CIO daddy to log in to work via VPN, then captured and passed along the info. When you get to this level of spear-phishing, it will be rather difficult for any current AV solution to deal with, regardless of whether it is up to date.

Behavioral control and/or execution whitelisting sound plausible for stopping this, but they aren't cheap or easy to use yet.

AnonymousDecember 5, 2007 1:39 PM

@pfogg and @RonK
..of course the CIA has NEVER done, or would consider doing, anything of the sort!
Get real. Go check on what part of the CIA mission is...

Adam GatesDecember 6, 2007 3:17 AM

"I doubt if the chinese government is behind this directly."

The government in China does not work like western governments. It is very decentralized with independent enities. For example, the army owns businesses which pay for the army. These businesses are independent of the central government and its control.

Result? You could have different parts of the Chinese government independently attacking your computer network.

DavidDecember 6, 2007 11:04 AM


"Why would anyone leave SSH running on port 22? Why wouldn't they run it on a different port, say, one above 1024?"

I hope the suggestion isn't that SSH is more secure if you pick another port number. Isn't that just security through obscurity, and considering the fact that port scanning is all automated, it wouldn't take long to find your SSH server port number as it does need to respond in a well defined way in order to work.

SamhDecember 6, 2007 6:08 PM

@ David

It is merely obscuring the port number, and does not provide any additional security, but it cuts down on the number of mindless bruteforce attempts.

UNTERDecember 7, 2007 4:11 PM

Ahh, so the Chinese are focusing on low-cost solutions to political and economic intelligence, while the US and the EU use the high cost full surveillance mode?

Anyone who doubts that the NSA data isn't being passed on to high level employees of major corporation is seriously deluded. Wasn't it a decade or so ago that the US was accused of passing on Airbus info to Boeing from Echolon? Do people imagine that the US leadership is stupider or less self-interested than the Chinese leadership?

It's the governments job to help our major economic players. Spying is your patriotic duty!

Pierre E ReipecheepDecember 7, 2007 6:38 PM

China sems to be joining France, which built on Romanian technology, and Russia, which inherited Soviet Matrushka tech philosophies, and their bastard offspring Cuba's Castro brothers.
Isn't it better to train caution than to tut-tut over condemnations?

Peter E RetepDecember 7, 2007 6:44 PM

There seems to be another way of contexting this story:
(1) UK loses 20 odd million persons' priveleged government and financial access data
(2) UKPD demand business encryption keys
(4) UK warns that China is low-teching -relatively - entries into UK business data files.

What was (3)?
Most likely discovering most businesses didn't have or adequately use encryption keys!

Mr Monicle and Top HatDecember 9, 2007 9:56 AM

Of course the USA government with our capitalist system would never collaborate with corporations. That is why we never question what Cheney and the energy companies met about or the deregulation of electricity in California. Nothing happened, move along now.

There is never gov collaboration in the US of A
with business, all is transparent and by the rule of fair law.

The dirty commies on the other hand...

SneakersDecember 15, 2007 2:28 PM

It's worth thinking about the level of resources that governments have at their disposal, when wondering why MI5 might feel it necessary to communicate (if they did) with organizations rather than leave it to their own security pro's - it could be these attacks are in a different league to the norm.
With regard to detection, it may not be the regular arsenal of security products, that provide the answer. I've certainly seen one case where abnormalities in behavior (slightly irregular side effects) that have tipped off the ops staff to call in the security team.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..