Highlights
– China has been accused of masterminding multiple cyber espionage attacks
– Such attacks appear to be executed by hacking groups sponsored by the government
– State control of skilled hacking groups may decrease as the desire for profit overtakes patriotic loyalty
This past year much attention has been given to an alleged series of cyber espionage attacks sponsored by China’s People’s Liberation Army (PLA) against a number of foreign governments and private sector defense contractors. Most notably, the PLA has been accused of supporting attacks against the following countries:
– United States (Previous Report)
– Germany (Previous Report)
– United Kingdom (Previous Report)
– France (source)
– Australia (source)
– New Zealand (source)
Security researchers have noted that in most cases data stolen during the above attacks have been sent to servers hosted in China. On the surface this would seem incriminating. However, security experts caution against drawing a firm conclusion of Chinese government involvement from this evidence alone. Experts have noted that it is possible that a criminal hacker from another state could have used compromised servers in China as a dead drop for the stolen data in an effort to obfuscate the origins of the attack and implicate China.
While this is technically correct, new sources of evidence have emerged and shed light on the cyber criminal underworld in China and its relationship with the Chinese military.
Withered Rose – Hacking Guru
A recent article in TIME magazine focused exclusively on a Chinese hacking crew known as the Network Crack Program Hacker (NCPH) led by a hacker with the handle Withered Rose. According to the magazine article, Withered Rose, then a student at Sichuan University, earned approximately $4,000 of prize money by winning various state-sponsored hacking competitions. Rose and his compatriots in the NCPH were also identified by the Sichuan Military Command Communications Department and asked to take part in cyber warfare training established by the Sichuan military command. According to iDefense, Rose’s skills and successes earned him a glowing reputation and he was ultimately rewarded with a monthly subsidy of $271 by the PLA to continue research into cyber warfare strategies and tactics.
This example has likely been replicated throughout China, and the government and the military have probably funded the creation of multiple hacking crews. A study of Withered Rose’s personal blog reveals the intentions of many of these hacking crews. According to Rose, “true professional hackers don’t hack inside the country because China is too poor and there is no money in it; furthermore, it is also very dangerous.”
People’s Information War
Implicit in Rose’s writings is the notion of patriot hacking or what has become known as the ‘People’s Information War.’ These hacking crews that have been groomed and recruited by the Chinese government have previously been called on by the state to act in the country’s interest. For example, in 2001 Chinese hackers targeted an American website with denial of service and defacement attacks in the wake of the P-3 spy plane incident. It therefore appears that the Chinese government has established these hacking groups with the understanding that they will act in the nation’s interest when required.
Rose also reveals his preferred cyber attack strategies and tactics on his blog. He states that social engineering tactics typically return the best results. Rose conducts careful research, gathering information from the target’s website. The information gathered can be used to map a rough organization chart. This research is in turn used by Rose to craft a phishing email, with a Trojan attached or a link to a drive-by download, sent to upwards of thousands of users in the target organization. The email is designed to appear as though it was sent by someone within the target organization, thereby increasing the likelihood that at least one of its recipients opens the email and infects the organization.
According to iDefense, a branch of VeriSign, Rose and his colleagues in the NCPH authored 35 zero-day exploits that attacked vulnerabilities in Microsoft Office programs. The Trojans installed by these zero-day exploits were then used to steal data from the infected machines and route the pilfered data back to China.
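The two paragraphs above describe a lure with three observable properties: a From: address that claims the target organization's own domain, delivery from infrastructure the organization does not own, and an Office document attached. The following mail-gateway check, added here as an example and not taken from the report or from any of the sources it cites, flags each of those properties on a raw RFC 822 message; the organization domain, relay names and sample message are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed for this example: the defended domain, its inbound relays, and Office document types.
ORG_DOMAIN = "example.org"
ORG_RELAYS = {"mx1.example.org", "smtp.example.org"}
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf")

def claimed_sender_domain(msg):
    # Domain of the visible From: address, i.e. what the recipient sees.
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def delivering_host(msg):
    # Host named in the newest Received: header, i.e. who handed the mail to our MX.
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+([^\s(]+)", str(received[0])) if received else None
    return m.group(1).lower() if m else ""

def flag_internal_spoof(raw):
    """Return the reasons a raw RFC 822 message resembles the lure described above."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    host = delivering_host(msg)
    if claimed_sender_domain(msg) == ORG_DOMAIN and host not in ORG_RELAYS:
        reasons.append(f"From: claims {ORG_DOMAIN} but was delivered by external host {host}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("sender authentication failed: " + auth.strip())
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXT):
            reasons.append("Office document attached: " + name)
    return reasons

# Constructed sample lure: external relay, failed SPF, spoofed helpdesk sender, .doc attached.
SAMPLE = """\
Received: from mail.unknown-relay.example (mail.unknown-relay.example [198.51.100.7])
    by mx1.example.org with ESMTP; Mon, 12 Nov 2007 09:14:02 +0800
Authentication-Results: mx1.example.org; spf=fail smtp.mailfrom=example.org
From: "IT Helpdesk" <helpdesk@example.org>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="policy.doc"
Content-Disposition: attachment; filename="policy.doc"

AAAA
--b1--
"""
```

Running `flag_internal_spoof(SAMPLE)` returns all three reasons; a message from a listed relay with passing SPF and no Office attachment returns an empty list.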
Not surprisingly, these strategies and tactics have been repeatedly used in a number of attacks against various US government institutions, private sector businesses, and foreign governments (Previous Report).
Future Outlook
While it is evident that the Chinese government’s strategy of sponsoring hacking groups and executing cyber espionage has been successful, as demonstrated by the increasing number of ‘successful’ breaches, the long-term viability of this strategy is uncertain. In time, these hacking groups will realize their potential for profit and as a result likely become less interested in patriotic hacking and the ‘People’s Information War.’ Instead of hacking at the request of the PLA, these groups may realize there is more money to be made via trade of stolen data, such as personal information, in the cyber criminal underworld.
As such, the nationalistic cohesion that binds many of these groups may be lost. Instead these groups may pick targets based on profit motives. Certainly the skill set required for cyber criminal activity is similar to that required for cyber espionage. However, it is possible that groups motivated by profit will become risk averse and unwilling to risk the profitability of their online criminal infrastructure for attacks designed to defend their country’s honor.