
Biggest-ever series of cyber attacks uncovered

News of the uncovering of the “biggest-ever” series of cyber attacks by McAfee seems to be spreading through the media like wildfire. In this Washington Post article, it is reported:

A leading computer security firm has used logs produced by a single server to trace the hacking of more than 70 corporations and government organizations over many months, and experts familiar with the analysis say the snooping probably originated in China.

Among the targets were the Hong Kong and New York offices of the Associated Press, where unsuspecting reporters working on China issues clicked on infected links in e-mail, the experts said.

McAfee said hundreds of other servers have been used by the same adversary, which the company did not identify.

But James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said “the most likely candidate is China.” The target list’s emphasis on Taiwan and on Olympic organizations in the run-up to the Beijing Games in 2008 “points to China” as the perpetrator, he said. “This isn’t the first we’ve seen. This has been going on from China since at least 1998.”

Another computer expert with knowledge of the study, who spoke on the condition of anonymity out of reluctance to blame China publicly, said the intrusions appear to have originated in China.

Google’s disclosure early last year that hackers in China had broken into its networks and stolen valuable source code was a watershed moment: A major U.S. company volunteered that it had been hacked. Google also said that more than 20 other large companies were similarly targeted.

One measure of pain came recently when EMC Corp. disclosed that it had taken a $66 million charge to cover remediation costs associated with a March intrusion of its RSA division. That intrusion, which industry experts say appeared to have originated in China, resulted in the compromise of RSA’s SecurID computer tokens that companies and governments worldwide use to log on remotely to workplace systems.

Since the original McAfee report is not publicly released [actually, it has since been released, as DeWang noted in comment #4], it is difficult for us to assess what is going on. (Only Reuters appears to have had access to the report.) But it looks like what we have is yet another wildfire of reports based on speculation and conjecture.

McAfee apparently did believe a “state actor” may be involved but did not have enough to point at any state. But the press ran with the story anyway, indicting China based on the speculation of one cyber expert at the Center for Strategic and International Studies. According to this expert, based on who might have the most to gain from the targets, the assailants were probably the Chinese – or maybe the Russians.

Are we reliving a James Bond movie from the Cold War or what? Just when have Chinese and Russian interests overlapped so much that their targets of cyber attacks might be confused for each other? And why must the bad guys always be the Russians or the Chinese?

Given the timing of the report to coincide with the upcoming Black Hat conference in Las Vegas, I can understand why McAfee might want to make some noise about this major attack. But why must the press twist it into a political indictment of China, reporting based on speculation current and past?

In an ever more connected world, cyber attack is a problem for everyone (China included). The U.S. is the top source of cyber attacks in the world – originating some 2.7 times as many attacks as China – according to this 2008 study. Yet we don’t attribute such attacks to the U.S. – but to bad apples. If there is proof that the Chinese gov’t is behind attacks – let’s have the evidence (or let the diplomats deal with them diplomatically). Otherwise, such speculating and smearing should stop.

  1. August 3rd, 2011 at 06:38 | #1

    There is nothing new here. The West needs a bogeyman or two to divert the attention of its citizens from many issues at home.

  2. Charles Liu
    August 3rd, 2011 at 10:09 | #2

    I hope James A. Lewis will never be convicted on “most likely candidate”, like he’s doing with China.

    Without access to servers in China, there’s no way to tell if these servers originated the attack, or were victims hijacked to relay the attack. The fact McAfee said “hundreds of other servers have been used” suggests the servers in China were not the originator, but relayed from a command source.

    Google “who owns botnet” for a few details on how hacking works. Hackers often compromise a set of computers first, and use them to relay scaled attacks so as to hide their identity/location/etc. Often several sets of machines perform relays in succession (hops) to further obfuscate the origin.

    So if the obvious signs point to China, it’s probably not China.

  3. raventhorn2000
    August 3rd, 2011 at 10:27 | #3

    The “Command and Control” server that McAfee got the trace logs from is in the US.

    McAfee is simply trying to drum up more business. They just point to a general threat, and they don’t even say who did it.

    And the “Center for Strategic and International Studies” is a known right-wing neocon think tank, with funding from large defense contractors in the US.

    http://www.rightweb.irc-online.org/articles/display/Center_for_Strategic_and_International_Studies

  4. August 3rd, 2011 at 10:47 | #4

    Indeed, McAfee has a lot to gain by scaring Americans, because the bigger the fear is in ‘hacking,’ the more the public is predisposed to buy their anti-virus and security software.

    Given a situation like this and the fact that China has laws prohibiting hacking, I think the Chinese government should probe the company’s subsidiary within China.

    Chinese media should dig into this story too.

    Looks like Reuters has now provided a link to the McAfee report. I’ve just read it.

    Right, IP addresses tracing to some computer in China means nothing. It might simply mean those computers in China are compromised.

    Gee, talking about a propaganda piece. You’d expect a security firm to be able to articulate the details leading the hacking to ‘China.’ But instead, this is the type of nonsense it writes:

    The IOC’s servers were hacked during the run-up to the 2008 Olympics. The report claimed therefore that a certain ‘Asia’ country was likely the culprit. What kind of shit is that? (Forgive my language.)

    If anything, by their logic, the most likely culprit would be those wanting to label the 2008 the “genocide” Olympics.

  5. August 3rd, 2011 at 13:28 | #5

    McAfee’s evidence for the hack attack on the US and UN included multiple hacks over a period of a year on “Olympic Committee of Asian Country #1” and #2.

    Well, that’s not a hack attack on the US or UN, is it?

    Sounds like pretty spread out hacks on many different countries.

    *Furthermore, FLG supporters in the US have known incidents of hacking and defacing Chinese government websites, AND they are more directly supported by the US government.

    Isn’t the US a “state actor” in hacking?

    *Another point is, what’s the effect of this “state actor” hacking? Stolen information is meaningless unless it is used somehow. Did China apparently benefit from this information? Surely if they did benefit, it would be easy to show.

    Are they implying that Chinese won more medals in the Olympics because they managed to gain secret information from the IOC computers??? Ridiculous. More likely, some teenage hacker just wanted to browse around, test his hacking skills, and didn’t really know what to do with the information.

    I mean, seriously, if China had all that much dirt on so many different organizations, do we see China releasing the information to bring pressure on these organizations?

    Hell no, China is the one receiving all the bad publicity and pressure.

    **Such BS theories are very typical of conspiracy theories, list a bunch of points and draw a line through to claim a trend. Of course, they don’t show you all the other data points, (which may show US funded hacking operations).

  6. August 3rd, 2011 at 13:33 | #6

    Reputable Hacktivist groups who have made assaults on Chinese websites include The Cult of Dead Cow and The Hong Kong Blondes. Both groups are highly skilled computer scientists who are the “hacker wing of China’s pro-democracy movement, scattered around the world and forced underground after Tiananmen.” Also, religious groups like the Falun Gong have performed notorious hacking of Chinese government websites in order to draw attention to their religion and support for human rights.

  7. August 3rd, 2011 at 13:42 | #8

    http://definitions.uslegal.com/c/computer-hacking/

    Computer hacking is broadly defined as intentionally accesses a computer without authorization or exceeds authorized access. Various state and federal laws govern computer hacking.

    The federal Computer Fraud and Abuse Act provides in part as follows:

    “(a) Whoever–
    (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
    (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–
        (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
        (B) information from any department or agency of the United States; or
        (C) information from any protected computer if the conduct involved an interstate or foreign communication;
    (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
    (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
    (5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
        (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
        (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;
    (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if–
        (A) trafficking affects interstate or foreign commerce; or
        (B) such computer is used by or for the Government of the United States;
    (7) with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;
    shall be punished as provided in subsection (c) of this section.
    (b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
    (c) The punishment for an offense under subsection (a) or (b) of this section is–

    *Conclusion, under this definition, US sponsorship of circumvention software to bypass China’s firewall is technically also “hacking”.

  8. colin
    August 3rd, 2011 at 13:42 | #9

    The US is assuredly home of the largest hacking efforts in dollar terms either within the government, the military, or at private companies. Anyone who doubts this doesn’t have a brain.

  9. Charles Liu
    August 3rd, 2011 at 13:43 | #10

    Without examining the machine in China that hijacked the server in US, how is it possible to know the machine in China is the origin, not another relay? Hackers often use multiple relays to hide their trail.

  10. August 3rd, 2011 at 16:08 | #11

    “Who else spies on Taiwan?” Lewis is quoted as saying to Vanity Fair. (That is not even a valid assumption).

    * Point of fact for Mr. Lewis: a US study on espionage concluded, http://rf-web.tamu.edu/security/security%20guide/Treason/Numbers.htm

    “The surprising thing is how many other neutral or allied countries have also been involved in espionage against the United States. American citizens have been arrested for conducting espionage on behalf of South Korea, Taiwan, Philippines, Israel, Netherlands, Greece, Saudi Arabia, Egypt, Iraq, Jordan, Ghana, Liberia, South Africa, El Salvador and Ecuador. Information is based on the 111 cases in which offenders succeeded in passing information.”

    Indeed, many neutral or allied nations spy on each other. Taiwan spies on the US; so do Israel and South Korea. Is it a surprise that they might spy on each other?!

  11. August 3rd, 2011 at 17:20 | #12

    @YinYang #4,

    Thanks for linking the report. I will do a follow up post responding to the report later tonight.

    But as I predicted, the wildfire spreads. Now we have InformationWeek quoting a lawyer, former gov’t bureaucrat, for further proof that the attacks must have originated from China.

    McAfee said that a single entity was behind the attacks. While it declined to name a suspect, it did suggest that a nation state might be the perpetrator. …

    Experts, however, said there was little doubt who launched Shady RAT. “This just further confirms what we already know, that China is doing these things,” Joel Brenner, former senior counsel to the NSA, former head of U.S. counterintelligence under the Director of National Intelligence, and currently of counsel to Cooley LLP, told InformationWeek at the Black Hat conference, a UBM TechWeb event, in Las Vegas on Wednesday.

    Politics knows no ends…

  12. August 3rd, 2011 at 21:22 | #13

    The targets are in Hong Kong, Taiwan, people doing stories on China, etc. The “speculation” is staring you right in the face. It’s the targets of the Chinese government. The Chinese government. The Chinese government. It’s that simple. The Chinese government. Get it?

    (Your 2008 reference is surely out of date now, by the way.)

  13. Charles Liu
    August 3rd, 2011 at 21:25 | #14

    @Mike Cormack

    Now the story has morphed into possibly hackers from Eastern Europe:

    http://www.latimes.com/la-fi-cyber-attacks-20110804,0,7350113.story

    “The hackers, who belong to a government-sanctioned group from either Eastern Europe or East Asia, not only broke in but remained embedded in the computer systems, quietly siphoning secret data for years, security analysts say.”

  14. August 3rd, 2011 at 22:41 | #15

    @Mike Cormack #13.

    Alright, here is the latest from Akamai, the leading provider of services for accelerating and improving the delivery of content and applications over the Internet, published Q1 2011.

    Ranking of cyber attack traffic by country/region.

    Rank  Country/Region   Q1 ’11 share   Q4 ’10 share
    1     Myanmar          13%            N/A
    2     United States    10%            7.3%
    3     Taiwan           9.1%           7.6%
    4     Russia           7.7%           10%
    5     China            6.4%           7.4%
    6     Brazil           5.5%           7.5%
    7     India            3.8%           2.1%
    8     Hong Kong        3.3%           0.3%
    9     Romania          2.5%           2.6%
    10    Italy            2.5%           3.6%
    –     Other            36%            45%

    You can get the report yourself at http://www.akamai.com/stateoftheinternet/.

    Or download here from our server

  15. August 4th, 2011 at 06:25 | #16

    “(Your 2008 reference is surely out of date now, by the way.)”

    REALLY?! McAfee’s own report points to data back in 2006-2008. Are those also out of date?

  16. August 4th, 2011 at 06:34 | #17

    The majority of the targets (in McAfee’s report) were US military and security agencies, defense contractors, etc.

    Plenty of Americans and Western NGOs dislike these organizations, i.e. anti-war groups, anti-neocon groups, eco-terrorist groups, anti-World Bank groups, etc.

    Plenty of non-Chinese groups would hack US military agencies and US defense contractors. (Seriously, Julian Assange was connected to a bunch of US hackers, who connected Bradley Manning to him.)

    And we all know Wikileaks-type folks would love to hack just about EVERYBODY in the world.

  17. August 4th, 2011 at 07:01 | #18

    I’d like to propose another possible candidate as the hacker in question: Drug Cartels and Asian Triads.

    One thing that bugged me was, why hack all the Olympic organizations? They don’t have many secrets.

    McAfee suggests that private organizations would have little reason to hack these groups, since there is no profit motive, and thus points to a “state actor”.

    But I disagree, I think there is actually huge Profit motive, if the profit was ILLEGAL.

    What sort of profits? Drugs, illegal gambling (especially in sports), and smuggling (including weapons).

    All the Olympic organizations contain much non-public information about specific athletes, not particularly useful as “political weapons” of any kind, but which would be extremely valuable for criminal organizations to use for conducting illegal gambling operations.

    *And hacking into state governments in the US, and Canadian government agencies? First, state governments in the US have little information that is useful for international espionage. And Canada possesses little in the way of international secrets that would be useful.

    That also points to criminal organizations who might be looking toward information on LOCAL law enforcement and policies.

  18. silentvoice
    August 4th, 2011 at 07:30 | #19

    To be fair, this COULD be true. Nobody can say for certain it’s not.

    Would China profit from the hacking of those websites? Yes. But it makes more sense to hack defense related sites than “the Hong Kong and New York offices of the Associated Press”.

    So… let’s say McAfee is not bullshitting us, how does this compare with last week’s news about American spy planes flying close to China’s shores? Where’s the outrage then?

    http://www.presstv.com/detail/191094.html

    Mike Cormack, do you think it’s alright for the US to spy on China, but not in return?

  19. August 4th, 2011 at 10:32 | #20

    @silentvoice
    Certainly, this COULD be true. Just as I have received phishing emails from friends in the past, those COULD be true too.

    In both cases, we have to look at the evidence. It’s obvious the issue we take is the insinuation and the lack of evidence McAfee presented, and then the U.S. media running with it.

    I understand what you are saying about the spy plane comparison, but to me, the better comparison (the contrast rather) would simply be:

    U.S. spy plane / drones buzzing China’s coast vs. no such acts from China on any U.S. coasts.

    This is heavy handed and everyone with a brain can see it. It is wrong.

    Hacking to obtain other peoples information is wrong too.

    With respect to hacking, McAfee simply needs to present evidence which is really weak right now. Just imagine if there is real evidence that conclusively points to ‘China?’ If so, the U.S. government will be confronting for sure. Right now it is a smearing campaign.

  20. Charles Liu
    August 4th, 2011 at 10:48 | #21

    @YinYang

    The recent news on a PRC fighter jet entering ROC airspace reminded me of the EP-3 collision off Hainan a few years ago.

    The EP-3 SigIntel plane we fly out of Japan has been doing the same thing for decades. These giant bombers (which could be loaded with cameras or atom bombs) charging towards Chinese territorial space in order to trigger China’s radar defenses on the coast have not once made the news with the same parity.

    Besides the conflicting Chinese/Eastern Europe link, now there’s also the “sophisticated embedding for years” and “unsophisticated ISP reveal” contradiction. Which is it?

    The Chinese ISP give away sounds more like an intentional red herring to throw people off the trail.

  21. August 4th, 2011 at 11:05 | #22

    @Charles Liu
    Intentional red herring indeed is more likely than anything else, because it sells papers too.

    But the truth is we all don’t know. McAfee has no real evidence really, and pointing out their inconsistencies is absolutely the right thing to do.

    Look at the Oslo bombing/shooting issue. U.S. media were insinuating it was a Muslim who did it. Well, people could have tried to disprove the U.S. media before Anders Behring Breivik was revealed. That’d be impossible.

    People can definitely call out the U.S. media for pulling stories out of their ‘ass’, as the Colbert Report has shown.

    And that is exactly the same nonsense the U.S. media is engaging now – pulling stuff out of McAfee’s ass.

  22. August 4th, 2011 at 11:06 | #23

    LOL!

    OK, China will cooperate with US to investigate the claim of cyber-crimes originating from Chinese ISP’s.

    So I guess, it’s time for China to roll out Great Firewall Version 2.0, because we have no idea who is hacking into Chinese ISP’s these days!!

    Yes, Western Media and McAfee, you win on this issue, China needs to lock down its internet 100% to avoid letting hackers hack into non-Chinese computer systems!!

    No, no, no, in the interest of cooperation on cyber-security, Western nations need to lock down their internet too, otherwise, who is to say where the hackers are originating from??!!

    LOL! 🙂

  23. colin
    August 4th, 2011 at 13:43 | #24

    Mike Cormack :
    The targets are in Hong Kong, Taiwan, people doing stories on China, etc. The “speculation” is staring you right in the face. It’s the targets of the Chinese government. The Chinese government. The Chinese government. It’s that simple. The Chinese government. Get it?
    (Your 2008 reference is surely out of date now, by the way.)

    Nothing is that simple. Statements like that just speak to one’s ignorance.

  24. August 5th, 2011 at 09:58 | #25

    @Charles Liu #2

    Without access to servers in China, there’s no way to tell if these servers originated the attack, or were victims hijacked to relay the attack. The fact McAfee said “hundreds of other servers have been used” suggests the servers in China were not the originator, but relayed from a command source.

    Actually we don’t even need to go there. Unlike, say, McAfee’s Night Dragon report – which pointed to IP addresses in China and the existence of tools and techniques popular amongst Chinese hackers as circumstantial evidence that the attacks probably originated from China – in this current report there is no mention of any IP addresses, no revelation of tools common to hackers of a country (in fact, the tools and techniques used appeared to be common and standard), only speculation based on motive.

    From the report:

    McAfee has detected the malware variants and other relevant indicators for years with Generic Downloader.x and Generic BackDoor.t heuristic signatures.

    The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware.

    That’s what’s so damning about this whole thing. As I tried to point out in my post on my reaction to the report, if one is into speculating about motives, there are plenty of others with motives to hack the targets cited in the report.

  25. August 5th, 2011 at 15:58 | #26

    “That’s what’s so damning about this whole thing. As I tried to point out in my post on my reaction to the report, if one is into speculating about motives, there are plenty of others with motives to hack the targets cited in the report.”

    Of course.

    I question the basic assumption McAfee report made about “no profit motive in these hacking”.

    I say, McAfee geeks just have no imagination.

    Any information that is secret automatically creates a demand, and where there is demand, there is potential profit. (Maybe illegal profit, but still profit).

    Even if, for the sake of argument, the Chinese government does WANT these secrets (then probably MOST governments in the world would want these secrets for the same reasons), any number of private entities would have the profit motive to obtain this information and sell it to the Chinese government.

    *
    I also indicated that Criminal Syndicates can easily use the Olympic organization information for illegal gambling purposes.

    And McAfee’s report indicated that the hacking of the Olympic organizations went on for over 3 years, spread out evenly.

    Now, McAfee spins it as hacking of the Olympic organizations “leading up to and after the 2008 Olympics”, implying that there was an increase in these hacking activities coinciding with the 2008 Olympics, but that’s NOT what the data showed. The data showed no increase in activity around the 2008 Olympics, but rather regular-interval access activity in the various Olympic organizations from 2007 to 2011.

    Hence, the pattern does NOT indicate politically motivated hacking of the Olympics organizations, but rather someone who is constantly looking for NEW information from these organizations (likely private party seeking information advantage, such as in sports gambling).

  26. August 5th, 2011 at 16:45 | #27

    @raventhorn2000 #26

    I question the basic assumption McAfee report made about “no profit motive in these hacking”.

    Agreed.

    This article is not kind to the Chinese gov’t, but it does make it clear that the Olympics is big business. According to the article, it is big, bad, dirty business though – made possible by 3 ugly parties: the IOC, the Chinese gov’t, and multinational companies…

    So if the IOC is hacked, the people who sympathize with the linked article should definitely be among the suspected perpetrators.

  27. August 5th, 2011 at 17:05 | #28

    Canada’s Globe & Mail ran three articles on this subject this week alone.

  28. August 5th, 2011 at 17:45 | #29

    @Ray #28

    Well … we’ve got 2 posts. Anyone want to write another post from another angle? 😉

  29. August 5th, 2011 at 19:23 | #30

    http://www.strategypage.com/qnd/korea/articles/20110805.aspx

    South Korean police have uncovered a hacking effort organized by South Korean gangsters, who used North Korean Cyber War operatives, working out of China, to defraud South Korean online gamers. The South Korean gangsters and the North Koreans split the take, which was over $10 million. At least fifteen South Korean criminals have been arrested so far, but none of the North Korean hackers have. It is assumed that the North Korean hackers were working at the behest of the North Korean government. North Korea has long employed criminal scams, and worked with criminals, to make money.

    *Other parts of this article are quite interesting, hinting that in the event of North Korea’s collapse, South Korea would allow China to take indirect control of the new North Korean regime, because the cost of reunification would be too high. (I believe I already made some similar predictions about that.)

    *In any case, it is apparent that at least South Korean syndicates hired North Korean hackers to hack their own people for profit.

    Now, what’s to stop them from hacking other places for profit? Nothing.

  30. August 5th, 2011 at 22:35 | #31

    @raventhorn2000

    “South Korean police have uncovered a hacking effort organized by South Korean gangsters, who used North Korean Cyber War operatives, working out of China, to defraud South Korean online gamers.”

    Criminals know no boundaries. With the Internet, I am sure that’d be even more true. That’d be a perfect instance where North Korea, South Korea, and China cooperate for the greater good.

  31. raventhorn2000
    August 8th, 2011 at 08:00 | #32

    Members of Anonymous and LulzSec joined forces, forming “AntiSec”, and hacked 10 GB worth of secret law enforcement information from state agencies in the US, then released it to the public.

    Now, clearly these guys are based in the West, and they have a track record of targeting US government agencies and corporations.
