Screenshots of Chinese Hacking Tool

It’s hard to know how serious this really is:

The screenshots appear as B-roll footage in the documentary for six secondsbetween 11:04 and 11:10 minutes—showing custom built Chinese software apparently launching a cyber-attack against the main website of the Falun Gong spiritual practice, by using a compromised IP address belonging to a United States university. As of Aug. 22 at 1:30pm EDT, in addition to Youtube, the whole documentary is available on the CCTV website.

The screenshots show the name of the software and the Chinese university that built it, the Electrical Engineering University of China’s People’s Liberation Armydirect evidence that the PLA is involved in coding cyber-attack software directed against a Chinese dissident group.

The software window says “Choose Attack Target.” The computer operator selects an IP address from a listit happens to be 138.26.72.17and then selects a target. Encoded in the software are the words “Falun Gong website list,” showing that attacking Falun Gong websites was built into the software.

A drop-down list of dozens of Falun Gong websites appears. The computer operator chooses Minghui.org, the main website of the Falun Gong spiritual practice.

The IP address 138.26.72.17 belongs to the University of Alabama in Birmingham (UAB), according to an online trace.

The shots then show a big “Attack” button on the bottom left being pushed, before the camera cuts away.

Tags: China, hacking

Posted on August 29, 2011 at 6:20 AM • 22 Comments

Comments

Nick Levay • August 29, 2011 7:03 AM

It must be quite challenging to wage a cyber espionage campaign as vast as China’s without leaks. I imagine that the various groups within China are constantly competing with each other for funds, attention, et cetera. This is most likely a symptom of an organ with weak opsec beaming with a little too much pride over it’s efforts to train new cyber operators and create new tools.

They probably didn’t think it was a big deal because it’s not directly related to any of the touchy CNE activities.

ChristianO • August 29, 2011 7:09 AM

What can it be beside a LOIC like software?

What I mean is: What can such a distributed software do except giving DDoS and potentially providing background noise to hide some other more sophisticated attack?

CoreComments • August 29, 2011 7:12 AM

seems like this software was developed by someone else and is being used by someone else it seems this software is in large circulation

Tomasz Wegrzanowski • August 29, 2011 7:28 AM

Couldn’t someone simply contact admins at UAB and ask for logs to get a pretty good idea what it’s like? It’s probably just Chinese version of LOIC.

Evan H • August 29, 2011 7:47 AM

Keep in mind that you’re citing the Epoch Times, a Falun Gong-controlled outlet that has a much stronger commitment to being anti-CCP than it does to responsible journalism.

hackchina • August 29, 2011 7:51 AM

Looool, censorship fail!

Clive Robinson • August 29, 2011 8:27 AM

There are quite a few analysis of this.

The first thing to note is the Chinese put it out on Chinese State television on a channel (CCTV7) which is combined military show case and agracultural programs…

The second thing to note is that it is a fairly crude attack that is more than ten years old.

It appears that acording to UAB there was a student/technician working there and they did run a website against UAB rules and it was taken down. Also they say that the IP address has not been used in a considerable period of time.

Of more interest is that some think the tool appears to have been written by crackers/gamesplayers possibly students at the Chhinese Military institution.

Have a look at one view,

http://www.chinasignpost.com/2011/08/a-smoking-cursor-new-window-opens-on-china%E2%80%99s-potential-cyberwarfare-development-cctv-7-program-raises-new-questions-about-beijing%E2%80%99s-support-for-hacking/

However as normal with such sites treat with caution.

L • August 29, 2011 9:13 AM

The Reuters article claimed that the UAB IP address was a compromised machine that would be used to launch the attack.

That’s kind of a wild conclusion, without supporting evidence in the video. If anything, it is the IP address that the hacking software associates with minghui.org (even though minghui.org does not resolve to that address). I had a Chinese friend translate the text, and she said that the IP text box is something like “target web server IP”.

Worth noting that my Chinese friend was unsurprised and unapologetic about the idea that China might attack overseas Falun Gong web sites.

Andrew • August 29, 2011 11:27 AM

And if you go into every research lab in the US, there will be applications with Chinese IP addresses typed in.

This is a non-news event.

Daniel • August 29, 2011 12:16 PM

Andrew.

That depends on what you mean by “news”. If what you mean is that this is something new and different to the security community, you’re correct; it’s not news.

It’s in the news, however, because it provides some small support to the larger public narrative that China is not just a rival to the USA/western world but an actual enemy.

Thomas • August 29, 2011 12:22 PM

And… it’s been pulled:

http://www.geek.com/articles/news/video-proving-chinese-hacking-pulled-20110826/

Gweihir • August 29, 2011 12:23 PM

For all those now crying “proof!”, it is nothing of the sort. This could well be a mock-up with no attack software connected to it. The choice of IP address is unfortunate, but again does not “proof” anything. In fact with the IP not being assigned to anything at the moment (according to some other report), the mock-up seems likely.

The one thing that can be observed here (again and again) is the incompetence of the press with regard to Internet technology and their unwillingness to ask people that understand.

Poster of Brucedom Currently Being Tracked by the SEC • August 29, 2011 12:44 PM

What’s on the screens in the vid I find immaterial. It could even be a total mock-up.

What’s material is they are telling millions of young Chinese kids that cyberwar is a valid military technology and they plan on exploiting it to the hilt. So…

1) Self-educated Chinese hackers feel like it’s a go-ahead to screw with western severs.

2) Young patriotic Chinese will show up at the military recruitment posts and want to get in on the “cyberwar” thing.

Even with the leak I think the video was a brilliant move. Little things like this when you have a massive population with ever-increasing industrialization pay big benefits down the road.

Welcome to the 21st century!

NZ • August 29, 2011 2:39 PM

he shots then show a big “Attack” button

Something like http://www.turnofftheinternet.com/

Webster • August 29, 2011 2:45 PM

@Andrew

You’re changing the subject from “military-led denial of service attack” to “research” and then saying that because researchers (like myself) study Chinese and all other hosts, to prevent/limit abuse, that military-led denial of service attacks are okay, a “non-news event.” You are equating those who wage abuse with those who try to stop it.

Why?

Ronny • August 29, 2011 5:12 PM

Looks to me the article is about hackers / DDOS / attack of Falon Gong sites… The commentators change the subject and make it a military thing. My guess is all the above commentators are Americans? Who has changed the Internet in a tool for warfare? The 1st hacker who shuts down the whole military network has my blessings.
This week a man (taliban) has been killed by a little remote controlled airplane, USA made. (as usual)
So… yes, the rest of the world, China in this case, would be a fool not to participate in this ‘cyberwar’.
And for that you need hackers, they are the pioneers of the Internet. (in the sense of screwing things up =])
And lastly, a DDOS is only taking a site down. That is nasty if it happens to you.. nothing more. Find/fix the error and your site can go back online…

I rather have 10,000 hackers attacking my site than 1 military (USA) operator aiming with his joystick and put the cross on me and then push the fire button…

Poster of Brucedom Currently Being Tracked by the CIA • August 29, 2011 6:53 PM

My only concern is that we are spend more on trying to build systems to attack others than we spend on building protocols to defend with. And that problem, it seems to me, is rooted on the fact that the best defenses are built with open collaboration between interested parties which is anathema to the defense department.

Seriously, Bruce taught me that if you don’t put your code out in the public to be abused you’ll never find the holes. (Thanks, man!)

I honestly believe that the Powers that Be in the Pentagon think if we are attacked and things get bad they can just “turn off the internet.” So as I pay all my bills online, schedule classes online, make phone calls online, and surf pr0n – I think if all this was turned off for more than a week we’d have a serious economic crash.

We’re hip deep in the wires and there is no backing out gracefully. Better to start designing life rafts in case worse comes to worst. Wurst?

JT • August 29, 2011 8:17 PM

i hope the chinese dont watch 24. They might think we have amazing cyber hacking warfare tools that can be run from an Iphone to remotely hack a AES encrypted data stream.
They could use this video that was broadcast around the world as proof of the US violating international treaty (or some other claim, thats not true)

Jos • August 30, 2011 6:05 AM

It was featured on F-secure a couple of days ago, part of video is still there:

http://www.f-secure.com/weblog/archives/00002221.html

And the follow up when the video was gone:

http://www.f-secure.com/weblog/archives/00002224.html

Autolykos • August 31, 2011 7:15 AM

What’s the deal? A utility like that is nothing special – even I could code it on a slow weekend (but there’s no need to, since there are already dozens of those out there). It might be harder if it uses a botnet, but even that is not very impressive.
Denial of Service attacks are not a matter of skill, but of resources. If I can send more packets than you can process, you’re going down.

fatfish • September 2, 2011 1:48 AM

the IP belongs to:

–By ipaddress-whois.com–

Address Lookup
Domain name: dali.chem.uab.edu.
IP Address: 138.26.72.17

IP Location

Birmingham, United States[US]

the GUI of the attack tool is not so cute…

Xingdao • September 3, 2011 6:37 PM

UPDATE: The University of Alabama at Birmingham made a statement after the news broke, noting that the IP address belonged to a website that was decommissioned in 2001 because it had been created against UAB rules. They said that they believe the purpose of the action demonstrated in the video was not to launch an attack from that website, but to block access to it, and that they’re not aware of any such attack, past or present.

http://www.theepochtimes.com/n2/china-news/slip-up-in-chinese-military-tv-show-reveals-more-than-intended-60619.html

Schneier on Security