Report on Chinese Cyberwarfare Capability

"Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation," prepared for the US-China Economic and Security Review Commission, Northrop Grumman Corporation, October 9, 2009.

I have not read it yet. Post the interesting bits in comments, if there are any.

Posted on October 30, 2009 at 6:04 AM • 21 Comments

Comments

BF SkinnerOctober 30, 2009 7:46 AM

Well there's the bit where an official US study presumedly under contract has NG branding all over it. It's commonly done but I personally despise the practice. If the gov pays for a product it's their's (that is ours, public domain) not the IP of a corporation. While it does make clear who produced the report for analysis of conflict of interest, it mudies up who owns it. What. Is NGC just loaning us the analysis?

Open source/unclassified
Only from sources external to China (they recommend supplementing study from inside PRC)

Something we've been wondering about and they waffled with a humungous caveat...

"Little evidence exists in open sources to establish firm ties between the PLA and China’s hacker community, however, research did uncover limited cases of apparent collaboration between more elite individual hackers and the PRC’s civilian security services."

The BossOctober 30, 2009 8:35 AM

" I have not read it yet. Post the interesting bits in comments, if there are any. "

Toil, toil, my minions!

(joke, joke)

RichardOctober 30, 2009 8:59 AM

From the report, it's hard to find solid and specific data/facts to support the main idea. Mostly the conclusion is from those statement by PLA about their strategic objectives and visions. That's my two cents.

BF SkinnerOctober 30, 2009 10:39 AM

Ok this is interesting.

"blurring the separation that military planners maintained between the hierarchy of “strategy,” “campaign,” and “combat” (or “tactics” in Western usage) so that CNO or EW weapons employed by tactical-sized units can strike strategic targets deep in the adversary’s own territory ..."

I was at a brief by Marcus Ranum where he argued, persuasively I thought, against the use of CNO at the tactical level. The damage caused to civilian (illegal) targets say by shutting down power grids or banks and interference with ongoing intelligence of your own side.

I think the link was vimeo dot com/3519680.

Timmy303October 30, 2009 10:53 AM

"Little evidence exists in open sources to establish firm ties between the the PLA and China's hacker community, however, research did uncover limited cases of apparent collaboration between more elite individual hackers and the PLA civilian security services."

Yeah I bet it did.

Andrew WallaceOctober 30, 2009 11:52 AM

Poor report based on open-source intelligence from main stream media.

The target audience here is joe public and journalists.

The report repeats the not-backed-up claims that China is a cyber threat.

JeremyOctober 30, 2009 12:38 PM

China is definitely a cyber threat. Talk to an IT guy where you work and ask him if he ever sees attacks coming from China. His answer will be most likely be "yes." China has been paying its universities for years to try to hack into American companies/government agencies.

BF SkinnerOctober 30, 2009 1:02 PM

@Andrew Wallace

You consider The PLA Daily, mainstream media? Is there anything you'd like to confess to?

Timmy303October 30, 2009 1:08 PM

"The report repeats the not-backed-up claims that China is a cyber threat."

Heheheheh. Well I could tell you about my background and why I know that China is a threat to our information infrastructure, but there would be no way to verify it and it would really only amount to an argument from authority. Let me put it this way then: having seen what I've seen, and more importantly WHERE I've seen it, I'm sort of shocked that China's flagrant state-sponsored mischief in both corporate and government network hasn't shown up as a heavily-weighted item in trade talks before now, and I'm hopeful about the Hangzhou meetings that start tomorrow.

GregWOctober 30, 2009 1:19 PM

I once was an "IT guy at where I work".

A few years back I discovered an open proxy where I worked (someone got careless) when a server started running out of disk space. Inspecting the logs, it looked like the very first web requests to it came from China.

To this day, I have no way of knowing whether the "attack" was actually from China, or whether others have discovered that Chinese cybersecurity is poor and it's easy to proxy through thereto cover your tracks.

Much of the initial and subsequent traffic looked fairly innocuous from the proxy log (insofar as one can tell of course). The most disconcerting thing was seeing odd rare intermittent web traffic to some root name servers of unknown purpose coming from China. (Why repeated yet rare HTTP traffic to a root nameserver? DNS doesn't go over HTTP...)

There was no financial impact to us, nor signs of clear wrongdoing in the logs, so I never reported it to anyone but I have kind of wondered if I should have.

savanikOctober 30, 2009 1:22 PM

@Jeremy

I work at a hosting company, and we see attacks from China just about every week.. usually on weekends. That said, I don't think it has much to do with the Chinese government.

First, these are very naive brute-force attacks against standard accounts, looking for unsecured servers. This is typical of your average script-kiddie.

Second, we don't have good targets of opportunity for the Chinese government, specifically. We don't have any government servers hosted here, and not a lot of companies that do business in Asia.

Third, there is a wonderful post on Tim Ferris's blog about a cultural notion peculiar to China that roughly translates as, 'If you can trick them, trick them.' This translates into the hacking community as, 'if they're not secure, get into it'. This doesn't require a large push from the government to 'go forth and hack, my minions' - they'll do it on their own, for their own reasons.

Finally, I firmly believe in human laziness, and wouldn't think you'd find government types working over the weekend. :)

I believe that these are just your garden variety hackers, looking to steal credit cards, identities, etc. That's a very different threat than what government agents would be looking for, and one we should be protecting against more vigorously, IMHO.

Barbarian CryptoOctober 30, 2009 2:34 PM

"Chinese CNO operators likely possess the technical sophistication to craft and upload rootkit and covert remote access software, creating deep persistent access to the compromised host and making detection extremely difficult."
- middle of Pg27

I guess they are assembling to deface the Drupal installation on whitehouse.gov.

Nick POctober 30, 2009 11:40 PM

To sum up the last few government briefings, the following has occurred:

1. Chinese geeks started reading Hacking Exposed, Art of Exploitation and sites like Schneier's blog.

2. They pirated copies of Rosetta Stone English Edition for Chinese locals. At this point, they could apply their knowledge to English sites.

3. After several decades of research, the Chinese finally stumbled on tools that automated much of the hacking (i.e. Metasploit and nmap).

4. The grand finale: it's all just Russian criminal gangs and 14 year old Chinese civilians (see above) proxying through Chinese servers, thereby fooling the Cold War-era CIA and NSA net admins into thinking "Hey, Chinese servers = Chinese government = use nukes to retaliate." The big question is how they got through Logic and Reasoning class at Yale with post hoc fallacy like that.

So much insanity, so little time...

Leo TohillOctober 31, 2009 7:03 PM

My notes from reading the doc:

- the chinese hacker community includes many "hacktivists", i.e., pro-government or at least pro-China hackers who attack sites in retaliation for perceived anti-china sentiment or action. There is little evidence that these hackers work with the military, and the Chinese CP has discouraged them from these actions. Still, the mil. probably recruits hackers. (duh)
- there's a lot about the mil. emphasis on development of their C4ISR, but it's pretty boring unless you are a china specialist.
- speaking of boring, there's a lot of repetition, even whole paragraphs.
- content in this doc led me to this posting about how the identity of one ch. hackivist was discovered: http://www.freerepublic.com/focus/chat/2239680/...
- there's a fairly interesting case study of penetration of a US corp by hackers apparently from china. It suggest a sophisticated group, not just hackers.
- There's a 10-year timeline of purported china-origin attacks against others. Pretty impressive.
- suggests that chinese mil. attacks would depend not so much on penetration of secure u.s. mil. nets as a) penetration and disruption of non-secure support infrastructure and b) disruption of public backbone communication channels used by secure mil. nets.

China Strong!November 2, 2009 1:53 PM

> Post the interesting bits in comments, if there are any.

NEW YORK—According to all sources, the People's Republic of China is strong. The nation is united, the military unmatched, the economy vibrant, and the people ever joyful.

Similarly correct sources verified that China has always been triumphant.

In other news, the Chinese government is fair, all-knowing, and wise, propelled by the strength of two billion loyal hands, all pulling together as one under the Great Celestial Bureaucracy high above.

Experts all agreed that there can be no question of this claim, as this claim is the truth.

As of press time, the brute and inexpressive English language could not convey the full magnificence of China, nor its excellence in every arena, nor the protective warmth of the red sun that shines forever on its borders, nor the innumerable glories of its Great Leaders.

New reports also indicate that China will grow stronger yet.


Oh wait, that's from The Onion: http://www.theonion.com/content/news/china_strong

averrosNovember 3, 2009 4:52 AM

I would expect Chinese cyber-warriors to be as inept and incompetent as American and Russian cyberwarriors are.

The biggest secret all these secret agencies have is how deeply helpless and bumbling they are in everything they do (other than begging for money from their equally inept political masters, or course).

To me, this point was driven home by an observation made by one of my dissident friends that the mighty and fearsome Soviet KGB, with over a million people strong force (if all regular informants and their handlers are counted), was tied in knots trying to squelch few dozens of dissidents. Note that this is the organization which previously killed people by millions - and which was above the law.

And we're supposed to be afraid of some Chinese hackers? Well... maybe the mighty US military brimming with billion-dollar toys - but still unable to defeat a bunch for Ayrab terrists with Kalashnikovs should be afraid.

Clive RobinsonNovember 3, 2009 6:15 AM

@ averros,

"...the mighty and fearsome Soviet KGB, ... , was tied in knots trying to squelch few dozens of dissidents."

It was pointed out to me that to "move people" requires "leverage", and that that required a "force and a fulcrum" and with the right fulcrum little or no force was required...

The problem with the WASP nations (US, UK, Auz, NZ, Canada, etc) is many fold but a few are critical,

1, A fragile economic state.
2, A fragile infrestructure.
3, Over dependence on technology.
4, Short sighted and short term view politicos and company officers.
5, A Populas that want's jam today even though the harvest is not in.

Thus the oportunity for finding fulcrums is easy, and little force is required.

The Chinese amongst others historicaly take a political long term view, and their populas plans for the harvest ten years hence without the aid of tools more complex than a hoe. And due to their centuries old feudal systems patronage, stratagy and decite are the norm.

Whilst we are worrying about their cyber warefare capability they are quietly taking economic control of Africa and developing the economies there as a ready market for the Chinese goods, in return for the resources that China needs, including jobs and land for Chinese people, who occupie fulcrum positions within those African nations infrastructure, health and education systems.

To get a crop to feed a nation from a single handfull of seed can be done, all it takes is time and patience which the Chinese understand well.

And as Ghandi proved the force to throw off a perceived oppressor can be gained from the oppressors own ranks.

Over and OverNovember 6, 2009 9:56 AM

So when is NGC going to profile Israel whose parade
of agents penetrating the US military and gov is seemingly endless. Do you think Mossad has not pulled the evil maid (or bellboy) trick on every Vitter type Republican and Foggo-Kerik type appointee?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..