Given the attention that McAfee’s recent report has generated, and in light of the fact that the report was not generally available when I wrote my post “Biggest-ever series of cyber attacks uncovered,” I have decided to do an updated post describing my personal response to the report.
Following are excerpts of the report – together with my observations. I will necessarily be able to address only specific passages given that the report is some 17 pages long. If people have questions on other passages I did not address, please direct those to me in the comments.
For the last few years, especially since the public revelation of Operation Aurora, the targeted successful intrusion into Google and two dozen other companies, I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defense contractors, and perhaps Google. My answer in almost all cases has been unequivocal: absolutely.
Having investigated intrusions such as Operation Aurora and Night Dragon (systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.
Here McAfee specifically cites two previous attacks that Google (Operation Aurora) and McAfee (Night Dragon) linked to China. One should note, however, that despite its high-profile accusations, Google never provided any evidence that the Aurora attacks were masterminded from China (see also this and this). And while McAfee did provide some reasons why it believed the Night Dragon attacks originated from China, those were speculative guesses at best. As the top of the section on Attribution in the Night Dragon report made clear in bold letters, “IMPORTANT: McAfee has no direct evidence to name the originators of these attacks but rather has provided circumstantial evidence.”
In reading this present report, one should not lose sight of the fact that McAfee is in the business of selling cyber security solutions. It is in McAfee’s interest to highlight – even heighten – the security threat, including – as the following shows – playing on the fears of an uncertain West in the face of a rising East.
The report continued:
Lately, with the rash of revelations about attacks on organizations such as RSA, Lockheed Martin, Sony, PBS, and others, I have been asked by surprised reporters and customers whether the rate of intrusions is increasing and if it is a new phenomenon. I find the question ironic because these types of exploitations have occurred relentlessly for at least a half decade, and the majority of the recent disclosures in the last six months have, in fact, been a result of relatively unsophisticated and opportunistic exploitations for the sake of notoriety by loosely organized political hacktivist groups such as Anonymous and Lulzsec. On the other hand, the targeted compromises—known as ‘Advanced Persistent Threats (APTs)’ (although this term lately lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT)—we are focused on are much more insidious and occur largely without public disclosures.
Cyber attacks have existed for a long time, and most attacks are unsophisticated. This is not surprising. Nevertheless, many attacks have recently been blown out of proportion by security companies pursuing “overzealous marketing tactics.” This is very true. But I also get the sense that McAfee’s writing of this report, and its hyping up of the dangers of unknown attacks – those “insidious” attacks that “occur largely without public disclosures” (…the biggest fear is fear itself; you have nothing to fear but fear itself…) – also constitutes an example of such “overzealous marketing tactics.”
[These attacks] present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat.
What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.
I do not fault McAfee for wanting to sell an insecure West the notion that Western institutions are under attack by non-Western ones intent on overtaking the West. But does the evidence McAfee produces even pass minimal scrutiny?
The mere existence or even prevalence of attacks against Western companies does not per se prove anything. Western companies have long been known to conduct espionage against each other (see, e.g., 10 most notorious acts of industrial espionage). In fact, since the world’s most valuable companies are still predominantly Western, it comes as no surprise that it is these companies – the ones with the most wealth, most resources, most intellectual property, the most closely guarded information – that provide the highest profile targets for attack. I mean, by contrast, would anyone be incentivized to hack into a poor Somalian company?
Also, would a poor Somalian company mount a sophisticated attack such as Shady RAT? Given the resources at the disposal of these most successful companies, and the vigor with which these companies compete with each other for shares of the global market, I’d not be surprised if the most audacious and most sophisticated of attacks are perpetrated by Western companies against Western companies.
Now, don’t get me wrong. I am not saying that China is a saint. As the Chinese economy develops, many Chinese companies will inevitably be competing with Western multinationals for a piece of the global market as well. As they gain resources, Chinese companies will join the Western elite companies in conducting industrial espionage on each other using similarly sophisticated techniques.
But let’s not lose perspective. The U.S. is the top source of cyber attacks in the world – originating some 2.7 times as many attacks as China – according to this 2008 study. A more up-to-date Q1 2011 study from Akamai ranks China only fifth in terms of hacking source traffic in Q1 2011 (with Myanmar, the U.S., Taiwan, and Russia ahead), and in a practical tie with the U.S., Taiwan and Brazil (each with about 7.5% of worldwide traffic, with Russia far ahead at 10%) in Q4 2010. YES, China ranks fifth – despite having by far the most Internet users in the world.
We do live in an era where power and influence are moving from West to East. So when people read passages such as the one above about an “adversary [who] is motivated by a massive hunger for secrets and intellectual property,” they may automatically jump to the conclusion that it is China who is behind the hacking. But there are many others interested in good “intellectual property” besides the Chinese government. As noted above, Western companies constantly spy on each other. Western governments also regularly spy on each other. And Western non-profits like Wikileaks are interested in the “intellectual property” of “all society’s institutions, including government, corporations and other organisations.” Mere interest in such property therefore does not indict Chinese involvement.
McAfee has gained access to one specific Command & Control server used by the intruders. We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. …
After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators. … [E]veryone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm.
[The report goes on to present in graphics form the attacks across industries and nations: basically a lot of countries and a lot of institutions (government, defense, high tech, sporting) have been attacked]
The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks.
The last paragraph above has gotten a lot of press coverage. Many in the press believe the targeting of the IOC to be the smoking gun: China must be involved! But I ask: how is that? The IOC – as far as the 2008 Olympics is concerned – and China were practically in bed together. Their interests were perfectly aligned. They don’t need to hack into each other to influence each other. Not during the time around 2008, anyway. In fact, if there are those who have the motive to break in to spoil the party, it is the anti-China groups, not China. Perhaps instead of a “state actor,” McAfee should be looking to human rights and democracy “NGOs”?
As you further analyze this last paragraph, any accusation against China starts to make even less sense. I mean, why would China want to hack the World Anti-Doping Agency? A quick perusal of the world’s sport doping cases shows a bunch of athletes who are Westerners, with very few (if any) Chinese. The Chinese might be interested in preventing others from hacking into their computers to discover the true age of Chinese gymnasts (actually, to learn more about that topic, see this or this or this or this) – but hacking the World Anti-Doping Agency???
The presence of political non-profits, such as a private western organization focused on promotion of democracy around the globe or U.S. national security think tank is also quite illuminating. Hacking the United Nations or the ASEAN (Association of Southeast Asian Nations) Secretariat is also not likely a motivation of a group interested only in economic gains.
Hmm… according to McAfee, only 1 small political democracy non-profit was a victim. But even taking McAfee’s conclusion at face value that this represented significant breaches, what does the hacking of political non-profits suggest? Yes – one can speculate that the Chinese government may be behind these attacks; China, after all, is one of the favorite targets of these groups (see, e.g., this Amnesty International Human Rights Report). But one could equally speculate that it was Western multinational companies that did it, given the long animosity between these companies and human rights and pro-democracy organizations (see, e.g., here and here and here). And what about those Middle Eastern governments? Why not indict Egypt, Syria, Saudi Arabia, etc.?
After presenting timelines of various attacks, the report concluded:
Although Shady RAT’s scope and duration may shock those who have not been as intimately involved in the investigations into these targeted espionage operations as we have been, I would like to caution you that what I have described here has been one specific operation conducted by a single actor/group. We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate almost weekly, which impact other companies and industries. This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.
This sounds right. As the world becomes more and more connected, every institution – government, non-profit, or for-profit – across every country (China included) will face ever escalating security threats. As long as there are secrets worth stealing, there will be those who will do the stealing. China is not special. China is a victim, too.
In summary: the report presents some interesting insights into how slow-spread attacks work. Unfortunately it also draws some dubious conclusions based on motives (e.g., the “state actor” conclusion) and presents enough of a narrative of fear resonating with an uncertain West to start a wildfire of articles attacking China.
C. Custer says
OK, but is there any more evidence to this claim than the “sense” you’re getting? What attacks are you talking about that have been “blown out of proportion” and what evidence is there that security companies were overstating the significance of the attacks?
And where in the section you quoted did it say the attacks were from non-Western sources? Simply saying the attacks were mostly targeted at Western institutions is not an implication that the attacks came from the East, it’s simply a statistical fact. But in fact I imagine that in addition to the attacks connected to China, they’re also referring to Anonymous, LulzSec, Wikileaks, etc. related attacks, which have stolen and leaked massive quantities of secrets from Western companies (why specify Western? Because as yet they have not, to my knowledge, done much of anything to any Asian companies or institutions).
I think you’re seeing some stuff that isn’t actually there because that (anti-China bias) is what you’re looking for.
I’m not sure that’s true. If you’ll recall, after the Olympics there were a number of scandals involving China, most notably the gymnast age issue. There was certainly some speculation that medals might be rescinded, and it makes sense that Chinese agents might be looking for the inside scoop on those investigations.
On the other hand, I’m not sure what a human rights NGO would have to gain from hacking the IOC after the Olympics were over. What could they have been hoping to accomplish? Any bad-mouthing of China they wanted to do would be much better done in the open. If, for example, they wanted to provide evidence against the Chinese gymnastics team, they’d be much better off leaking that anonymously to the press than secretly hacking into the IOC and leaving the evidence there, since there was a good chance no one would ever even find out about the hack.
Now, I agree the IOC being hacked is not proof that China was behind that or any of the other attacks. However, I don’t think it’s as implausible as you suggest, as China’s interests and the IOC’s diverged somewhat immediately following the close of the Games. China’s interest is in maintaining the story that the games were successful, and China’s athletes kicked ass without breaking the rules. The IOC’s interest is in maintaining their integrity to protect the “Olympics” brand, and scandals do tarnish the brand, but scandals that aren’t dealt with are even worse, so if China had faked the ages of gymnasts, for example, it would be in the IOC’s best interest to expose and rectify that (unless they could somehow totally cover up the whole thing, but that cat was already out of the bag).
China is often the target of hacking attacks by Western political NGOs? I’d love to see some evidence for that. The article was clearly talking about big NGOs like NED. Are you saying you have evidence the NED or similar NGOs have hacked Chinese government servers? If for no other reason, that seems highly implausible because most NGOs don’t really have the level of technical sophistication it would take, I assume that something like that would have to be farmed out to contractors or something…
Anyway, as I understand it (I haven’t had time to read the full report though), the main reason people are pointing fingers at China isn’t so much any of the things you mention in this article, it’s that China is one of the few (maybe the only) world powers that doesn’t appear to have been attacked at all. Is that a smoking gun? No. But…
An analogy: If I walk into a room that has seven dead people with gunshot wounds, one live person, and a gun on the floor in the middle of the room, I’d sure as hell want to bring the live guy in for questioning, and until we found someone else’s fingerprints on the gun, he’d be my #1 suspect….if you see what I’m saying.
In hacking cases, the “fingerprints on the gun” will probably never be found, so the best anyone really ever manages is circumstantial evidence like this, unless it’s a case where they can break into the hackers’ houses and seize computers and other tech. But obviously for hacks originating in China that’s impossible.
Also, as a side note, did you know that the actual fingerprints on the gun will probably be never found either? Probably things are a bit better now, but I know as of the late 80s/early 90s, police techs only found usable fingerprints on guns in something like 10% of cases!
@C. Custer #1
You wrote a lot, but in particular:
No, I never wrote “China is often the target of hacking attacks by Western political NGOs.” All I am saying is if we want to use the fact that democracy promoting NGOs are attacked as evidence to indict China, we might as well indict multinational corporations – as both China and multinational corporations have been targets of democracy promoting NGOs – whereby both have a motive to attack these NGOs.
You also wrote:
Fair enough. Unfortunately, the victims (only 72) McAfee gave only represented a sample and were never meant to be exhaustive. From the report:
But more importantly, you are presuming the attacks to be nation to nation. As I’ve written before, this is a biased way of looking at things.
If you look at individuals (bad apples) hacking sourced from the U.S., I am sure most of the targets they target will be U.S. U.S. domestic companies will spy on U.S. domestic companies, U.S. hackers will hack local targets such as U.S. banks. They do so because these targets are most relevant to them. It’s just not as relevant to hack a far away unknown company in some unknown country.
Of course this won’t be the case if the hacking is perpetrated by the gov’t, such as the CIA in operations against other gov’ts. Then you might see the patterns you suggested (though as I wrote in the post, allies do routinely spy on each other; also we know the U.S. gov’t does “wiretap” its citizens…).
In any case, looking at the list of victims alone per se doesn’t tell you which is the case. Since the vast majority of the victims are in the U.S. (49 out of 72), the same data could support a case that the hacking is from the U.S. (U.S. hackers hacking U.S. targets that they are familiar about) or outside the U.S. (anti U.S. forces hacking U.S. co.’s and gov’ts).
That report only looked at one server. You should ask McAfee what servers they have found hosting IP addresses from the U.S. targeting computers in China.
I just did a quick search; Xinhua reported these statistics a couple of years ago:
Unless countries have agreements to work with each other to investigate hacking.
This is why CERT (Computer Emergency Response Team) from different countries often collaborate to mitigate security threats on the Internet. For example, in APCERT, there are China, Japan, Australia, India, and many other Asian nations.
China CERT and U.S. CERT collaborate too.
Google to date has NEVER provided information to Chinese authorities to investigate their alleged hacking claims.
Has McAfee? I don’t think so.
So, how do you know “that’s impossible?”
C. Custer says
Then what does “these groups” refer to in this sentence?
Will respond to the rest later, gotta run.
@C. Custer #4
“these groups” = “political non-profits”
But I see the confusion I may have caused.
By “favorite targets of attacks by these groups” I do not mean attacks as in “cyber attacks” but criticisms and politically motivated smears. Democracy and human rights organizations have been on the tail of China and multinational companies, criticizing China and these companies, for seemingly like forever!
I’ve added a link to an Amnesty International Human Rights report in the post as an example.
Thanks for forcing the issue and allowing me to clarify.
It’s amazing to see mass disinformation and agenda shaping of the western public at work. Here’s an article from an IT trade mag.
“pervasive five-year cyber-spying campaign likely initiated by China”
Again, vague references and hints that China is the culprit, but no proof there of or analysis of whether the insinuation might be called into question.
While China is coming on strong, it is nowhere near the hacking capabilities of the US and Russia/Eastern Europe and other countries. To proclaim China as the biggest cyber threat is completely ridiculous. And yet, the western media and public swallow the garbage without any qualms.
Another example of how certain parties in the West (McAfee et al) shape the media discourse, and the western media buying it hook, line and sinker and serving as a propaganda organ. Of course, the western media’s agenda also includes demonizing China, so I can’t say they are unwilling dupes.
@C. Custer #1
I forgot to address this point.
Regarding the IOC, I had written,
you wrote in response,
My point is not to say which theory is more or less plausible. We can openly speculate … but that’s not that useful. This report presents zero evidence of IP traces, network traffic, even tools used that can be – even remotely – traced to China. At least those would form circumstantial evidence of Chinese involvement. The only thing it presents here is potential motives – i.e. IOC is hacked -> hence we might have a state actor. My point is only to say, from the fact IOC is hacked there are many other reasonable conjectures. For example:
Why must we jump to this conclusion
You mentioned that China might want to hack IOC to get the inside scoop on investigations into Chinese athletes.
A perusal of scandals and controversies surrounding the 2008 Olympics (see, e.g., http://en.wikipedia.org/wiki/Olympic_Games_scandals_and_controversies) shows that there are other controversies involving other nations.
The IOC had launched probes into each of these incidents. Should not Sweden, Spain, S. Korea, Norway, and Cuba also be on the list since each might also have motives to hack the IOC?
It’s worse than you think. Instead of speculating based on circumstantial evidence presented in the report, the author of this article is speculating based on speculations of what the author must know but have decided not to disclose.
Western hacker group AntiSec releases 10 gigabytes of secret information on state law enforcement in US, from 56 law enforcement agencies.
*McAfee pointed at multiple incidents of US State government agencies getting hacked. Well, see above. Gee, “State Actor”??!!
McAfee Rivals say McAfee assessment of “threat” overblown
C. Custer says
Why would they? They say they were hacked by the government; why on earth would they feel compelled to then provide evidence of that to that same government?
I also wonder — and I don’t know enough about tech to be sure, but my guess is none of you either — to what extent releasing detailed evidence of any hacking incident would potentially require releasing security information or other network details that most companies don’t want out there.
C. Custer says
I don’t think that’s the same incident. AntiSec announced BEFORE their hacks that they were targeting US law enforcement and other state agencies. McAfee may or may not be biased, but I think we can probably safely assume they’re not retarded.
@C. Custer #11
I remember you writing some time before (maybe on this blog, maybe on yours) that one reason there may be so much Western bias / misinformation about China is because China doesn’t have freedom of press. In light of complete transparency into what’s going on in China, people in the West are justified to freely and wildly speculate – presuming the worst if they so choose – about what is going on in China.
Well – I will do a general response to such thinking some time soon. But assuming your standard is golden, why should we give private for-profit companies in the West free rein in being non-transparent and yakking away whatever they want? Should we not demand some factual information? If not – why must we go along with the party line espoused by these for-profits? Why should we not sing a different tune and second guess these for-profits?
I also want to note a key difference between Chinese gov’t “non transparency” and Google “non transparency.” In the case of China, the Chinese gov’t is not making any accusations. All accusations are from the West on China – and on China to disprove those accusations with “transparency.” In the case of Google, it is Google that is accusing – yet it provides no evidence. It’s been given free rein to accuse China of whatever without being held to any standard burden of proof.
C. Custer says
Whoa. I never said people are totally justified in any wild speculation they come up with. I just suggested that such speculation is inevitable. To put it in an economic framework, when there is a demand for information and the government — or the media, or a company in any country — doesn’t supply that information, people are going to get it somewhere else, someone else is going to supply it. What they supply can vary from the truth to wild rumors and totally made-up crazy shit. But as you can see from the Wenzhou crash, for example, when people want information about something badly, they’re going to get it either way.
So my point was, the government could choose to be more honest and transparent and, ultimately, save itself a lot of trouble, by making ITSELF the provider of that information. Instead, their first instinct is to control and suppress it so that by the time they finally DO provide information either (a) everyone already knows it or (b) nobody believes it because they’ve been hearing everyone repeat the same rumors so long the rumors have become, to them, truth.
When someone is silent, people always presume the worst. If you had a relative in a hospital, and you asked your mom how they were doing and she didn’t say anything, what would you think? If your boss called you into his office and then stared at you while adjusting his tie, what would you be afraid he was about to say? When people plead the fifth, what do you assume that generally means?
If something is good, people/companies/governments don’t hide it. So if a person/company/government is silent, that rightfully makes people suspicious. This is not anti-China bias, it’s human nature.
This is a principle that would be true anywhere, and it certainly applies to US companies, western governments, etc. However, I think it becomes a problem more often in China because the government is, generally speaking, less transparent, and the media is restricted in terms of what it can cover.
So yes, we should demand that Google be more transparent about their hacking accusations. They’re free to ignore us, sure, but they do so at the peril of having people speculate that they’re full of crap. Which, as you know, is what you’re doing right now.
In this case, you’re right. However, that certainly works the other way around pretty frequently and you folks don’t seem to have a problem with it. Proof of Ai Weiwei’s charges, for example, have never materialized in public; in fact, last I checked, they were refusing to even show the “proof” to Ai’s lawyers. That was a few weeks ago though, not sure of the situation ATM.
Anyway, yes, you’re free to be skeptical of Google’s claims, and in the absence of evidence, everyone should take them with a grain of salt. They have, however, released a little evidence — look at the people whose google accounts were hacked, lots of Chinese dissidents in there — and that, in combination with my own experience (my own google account was hacked more recently) has led me to be inclined to believe their claims about China. But it’s certainly not unimpeachable without proof, you’re right.
“Whoa. I never said people are totally justified in any wild speculation they come up with. I just suggested that such speculation is inevitable.”
Well, people will inevitably speculate wildly, regardless of information control. (Just look at the stock market and housing bubble, even without information control, since you want to look at it from an economic framework).
Which is odd then, because apparently, US regulations on markets often do turn on information control, i.e. no insider information.
And yet we are full of apparently “insider information” from god knows who on the internet.
Some would say that’s plain fraud, speculations sold online as “secret insider information”.
Before I address what you wrote, so the fact your account was hacked, you automatically presume it must be Chinese gov’t?
My Google account was hacked, IP traced to Turkey (a NATO country). (I’m completely serious).
Now, I can also “speculate” that my Google account was hacked by (1) NATO, or (2) Uighur exiles living in Turkey.
Now, I guess I will keep “speculating” until someone from NATO or WUG releases enough information to satisfy my suspicions.
(See, I can do paranoid).
C. Custer says
No, I “presume” it was hacked by someone connected to the Chinese government because of what the hacker specifically targeted within my account once they had gotten in.
C. Custer says
Yes, you’re very clever. Have a cookie.
C. Custer says
I don’t think that’s really true. Some people will speculate wildly, but my point is that if information is readily available and facts are transparent, there is less wild speculation.
Yeah, that was my point. “Information control” breeds speculation. In the absence of REAL information about a company’s performance, of course some jackass is going to make something up to make some money. However, that jackass’s rumor will spread much more slowly if the company’s financials are readily available online, their spokesman responds swiftly and with accurate data, etc. etc.
“I don’t think that’s really true. Some people will speculate wildly, but my point is that if information is readily available and facts are transparent, there is less wild speculation. ”
I don’t think so. One can plainly see the rampant speculations in US politics. Even if information is available and facts are transparent, MANY will simply ignore them and believe what they want to believe. MANY in the US still disbelieve in evolution, and believe taxation is equivalent to stealing by the government.
Human beings are irrational; even when given a perfectly free information exchange medium, they choose NOT to be restrained by their own reason. Freedom is inherently dangerous to the hobgoblins of little minds.
“Yeah, that was my point. “Information control” breeds speculation. In the absence of REAL information about a company’s performance, of course some jackass is going to make something up to make some money. However, that jackass’s rumor will spread much more slowly if the company’s financials are readily available online, their spokesman responds swiftly and with accurate data, etc. etc.”
I don’t think so. The “jackass” only makes money because the PEOPLE choose to go along with the lies. Bernie Madoff’s lies convinced so many easily, even when the REAL information was available. The People simply relied upon government regulators to make up their opinions/speculations as FACTS.
There were guys who clearly pointed to Madoff’s scam way back, but people simply refused to believe them.
“However, that jackass’s rumor will spread much more slowly if the company’s financials are readily available online, their spokesman responds swiftly and with accurate data, etc. etc.”???!!
UNFORTUNATELY, the “jackasses” are often the ones in control of the scam companies’ financials!!! Madoff, Enron, do we need to go on? Who regulates them, when they are the ones doing all the speculating??!
@C. Custer #18
I had written:
To which you responded:
So you have an idea of what information was obtained? That’s usually a pretty hard thing to do – something that no one – not McAfee, not Google – ever publicly pretended to have. How did you assess that?
And can you share with us any information about the nature of the breach? Without that, again, we will end up with another Google-esque accusation: I was hacked, he did it; I can’t provide any info publicly except that he has motive, you have to trust me, he did it…
Matthew Robertson says
Note that I didn’t read the discussion up to this point, only scanned the first post and a few of the comments; but I noticed that one addition to the debate had not been mentioned here. The question is whether these attacks are traceable to China, right?
“Every hidden IP address observed in the HTran error messages captured during our survey is located on just a few different networks in the People’s Republic of China (PRC). …”
“It’s not surprising that hackers using a Chinese hacking tool might be operating from IP addresses in the PRC. Most of the Chinese destination IPs belong to large ISPs, making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government.”
Suggest reading the whole thing, it’s more in-depth. Will have a blog post coming in the next few days showing correlations between the attacks and PRC-affiliated dealings with the targets. No absolute claims here, just more circumstantial evidence.
China claims it was hacked 500,000 times last year, 15% of them traced to IP addresses from US, 8% from India.
Charles Liu says
Just for reference. Matt Robertson is a Falun Gong disciple and Epoch Times reporter. I’ve had run-ins with him when he actively promoted the organ harvesting propaganda, as well as on Wikipedia, where Falun Gong disciples continue to wage organized “circle the wagons” edit wars.
Of course, he and his cohorts constantly make the “Chinese spy” charge against people who disagree with their brand of propaganda.
Charles Liu says
And look at the source Matt cited – Joe Stewart is the same guy that mistakenly claimed the Operation Aurora malware had “China Code” last year.
The code turned out to be the Nibble-CRC that has been used in the device programming area for decades:
@Matthew Robertson #23
This article raises different issues than the main point being addressed by my post. In the case of “circumstantial evidence,” much can be debated. As I addressed in the Night Dragon report and McAfee itself addressed – the mere tracing of some IP addresses to China and use of tools popular in China’s hacking underground for attack – does not provide direct evidence that the attacks were masterminded from China.
Now in the secureworks article, it claims to have discovered circumstantial evidence that some RSA attacks originated from China. The evidence involved the discovery of code that sends to a set of “hidden IP addresses” when there are network connectivity issues between the hacked computer and some presumptive relay computers. The code was alleged (based on copyright labels in the code) to be authored by a hacker from China.
I have several problems with this kind of analysis.
First, as has been noted by Raventhorn2000 in comment 10 above, RSA attacks are very common and very prevalent. No one – not even McAfee (see post above and McAfee report directly) – is alleging RSA attacks are created by the Chinese or even the Chinese gov’t. It’s sort of a general low hanging fruit type of attack that many people are using.
Thus, even assuming the secureworks report is correct in establishing that some attacks that leave behind a specific code fragment did originate from China, what does that prove? China was ranked 5th last quarter by Akamai in terms of source of cyber attacks (U.S. was ranked #2); I am sure China will have its share of attacks. But why focus on China and not others – attacks originating from the U.S., Russia, U.K., Germany, or France?
Focusing on China as if it’s somewhat special – that’s just playing off on politics (it’s trendy to bash China). We’ve got to understand, as I wrote in Comment #2, when we talk about hackers, we need to talk at the level of hackers – attributing to bad apples and not being politically quick to assign to peoples, civilizations … or governments (esp. governments we love to bash), even if we all know governments in general are often involved in hacking (e.g., this article discusses hacking by U.S. enforcement agencies). Indiscriminately attributing to a state or a people or civilization as in the case of China merely represents political gaming.
Second, let’s examine secureworks’ circumstantial data in a little more detail. One piece of evidence is supposedly copyright notices, which suggest that this piece of code was authored by “lyon” – a Chinese hacker. The presumption is supposedly that “lyon” authored this attack – this attack is Chinese. Now ignoring my call against attributing hacking to a people or a civilization or a state, do you think a true hacker would publicly announce his hacking attempts by embedding a big copyright claim? No, a real hacker will hide his signature. Perhaps his programming style or a certain technique will give him away, but not copyright notices. More likely, “lyon” has put a piece of code up merely as a useful tool to demonstrate what can be done (hackers are notorious for showing off). Some other hacker – unrelated to “lyon” – then downloaded it and used it.
In any case, anyone who bothers to hide the IP addresses being connected to and generally wants to avoid detection would probably use multiple layers of redirection to hide their true identity. A “connection bouncer” can be used to map to one server, and from that server, another “connection bouncer” used to relay to the true server, for example. The fact that some hacker is able to get Chinese hacking tools (not hard to get), has access to some Chinese servers (not hard to get) and uses a Chinese server as a first level of redirection is not surprising. As the secureworks report itself noted:
This person thus need not be Chinese – only opportunistic enough to sign up for a Chinese account and to download Chinese hacking tools (remember: the Chinese did not invent hacking; the tools cited here are variants of standard tools, written in standard code, which non-Chinese but computer literate hackers will be able to use without learning Chinese).
Not surprisingly, the report itself does not claim that the attacks were masterminded from China – only that the first layer of tools appear to be Chinese in origin – and that in order to go further, one would need to have access to servers under control of Chinese ISPs, which would require the systemic cooperation of the PRC gov’t. But systemic cooperation is not sufficient (by the way, before one points a finger to Chinese gov’t and say ahaha, they must be hiding something, one should ask: does the U.S. systematically cooperate with other gov’ts regarding hacks that trace to U.S. IP addresses???), as this Scientific American article discussed, the problem is with the Internet architecture – it’s easy to spoof source destination, and it’s easy to hijack unsuspecting middlemen and use them as proxies.
What irony we see here if you really want to be ideological: the same architecture that allegedly prevents authoritarian governments from tracking demonstrators is now being accused of hiding the malicious acts of authoritarian governments. Ideology-based thinking, where does it end?
“Circumstantial evidence” = somebody’s pile of paranoid news clippings and aliens in a jar.
C. Custer says
I have no idea what may have been obtained or saved. I also have no idea how the hacker got it. I changed my password and that seems to have solved the issue at least temporarily, but my original password was already “very secure” — I only use long sequences of random numbers and letters (caps and lowercase) for passwords. For that reason, I assume it was hacked by a very skilled hacker or someone with access to a super computer…hacking that password by traditional means using a desktop or laptop would take about 6,000 years, according to this site.
I have since updated to a password that should take 6 sextillion years (seriously) to crack, and added two-step authentication.
Anyway, what I do know was what was deleted. You’ll understand that for reasons of privacy and also because it relates to some extent to my job, I can’t go into a lot of detail about specifically what was deleted, but suffice it to say that (1) everything deleted was related to China; nothing unrelated to China was deleted; (2) the pattern of deletions indicates to me that someone was attempting to disrupt my communication with several people in regards to a job I do that involves reporting on Chinese current events.
Specifically, it appears that the hacker was deleting incoming messages before I saw them (most were being sent from the US so they were often in my box for hours before I woke up each day) in an attempt to get me to miss deadlines and to stop me from providing my completed reports to them. I really can’t go into more detail than that, though.
So, I don’t have any physical evidence, it’s just a motive. However, I can’t think what the motive for such a subtle and targeted attack would be. If, for example, it were just someone with a personal vendetta against me, they could have done a lot more damage, and even if they were just trying to “fuck with my money” (as it were) they could easily have attempted to disrupt much more than they did as the stuff that was deleted was centered around one freelance job that constitutes a minor percentage of my income.
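The strength estimate in the comment above rests on the size of the search space for a password made of random mixed-case letters and digits. The block below is an added example written for this page, not code from the thread, from the commenter, or from the password-checking site he refers to; it computes that search space, its entropy in bits, the worst-case time to exhaust it at a stated guess rate, and the length needed to reach a chosen lifetime. The 62-symbol alphabet, the password length of 12 and the rate of 10^10 guesses per second are constructed assumptions for illustration, not figures taken from the comment.

```python
import math

# Constructed assumption: the alphabet implied by "random numbers and letters
# (caps and lowercase)" is 26 + 26 + 10 = 62 symbols.
LOWER, UPPER, DIGITS = 26, 26, 10
ALNUM_MIXED = LOWER + UPPER + DIGITS

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn uniformly from the charset."""
    if charset_size < 2 or length < 1:
        raise ValueError("charset_size must be >= 2 and length >= 1")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every password at the given rate.

    The expected time to hit one uniformly random password is half of this.
    The rate is the dominant unknown: an online login with throttling allows a
    handful of guesses per second, while offline cracking of a leaked, weakly
    hashed credential database can reach billions per second.
    """
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def minimum_length_for_years(charset_size: int, target_years: float,
                             guesses_per_second: float) -> int:
    """Smallest length whose full keyspace takes at least `target_years` to exhaust."""
    length = 1
    while years_to_exhaust(charset_size, length, guesses_per_second) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed assumptions: 12-symbol password, 1e10 offline guesses per second.
    length, rate = 12, 1e10
    print(f"keyspace      : {keyspace(ALNUM_MIXED, length):.3e}")
    print(f"entropy       : {entropy_bits(ALNUM_MIXED, length):.1f} bits")
    print(f"years (worst) : {years_to_exhaust(ALNUM_MIXED, length, rate):,.0f}")
    print(f"length for 1e6 years at {rate:.0e}/s: "
          f"{minimum_length_for_years(ALNUM_MIXED, 1e6, rate)}")
```

The numbers any such calculator reports are only as good as its assumed guess rate, which is why the same password can be quoted as taking thousands of years or a few days; adding a second factor, as the comment describes, changes the threat model rather than the arithmetic, because a guessed password alone no longer suffices to log in.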
@C. Custer #29
OK – given the sensitive / private nature of the evidence that must be revealed for us to settle our discussion: I’ll take your word and respect your decision to think it’s the Chinese gov’t involved. But I hope you will respect my reservation of doubt.
Assuming you were hacked by a real person: maybe it’s a competitor of whoever you want to work for: didn’t want timely updates from you to your boss. Perhaps it’s one of us bloggers who think you are too anti-China? 😉 Perhaps it’s technology related: maybe it’s some kind of bug based on filters – moving any emails with keywords “China” – to the trash during some period, but when you changed your password, that triggered something which fixed the bug (don’t snicker, google calendar had some event driven bugs like these, where no notification gets sent out until you changed some unrelated calendar settings). I don’t know…
C. Custer says
That seems unlikely. The place I work for is pretty small and doesn’t really have any competitors that would consider it enough of a threat to resort to illegal measures, I don’t think. I can’t be sure, of course, but I’d be pretty damn shocked.
That’s possible, but I’d assume someone like that would have tried to wreak a lot more havoc than they did. And the emails that were deleted didn’t really have any effect on my blogging. As for the job in question, I highly doubt any of you have even seen it so I can’t imagine it made anyone angry enough to hack my email.
That’s possible I guess, but it’d have to be a huge coincidence and I’m not sure how it would have worked. It wasn’t all emails about China, it was just emails from a few sources related to that one particular job that has to do with politics in China. Some of the emails deleted didn’t actually mention China at all, and plenty of emails about China got through — as you can imagine, on any given day a pretty significant percentage of my emails mention the word China.
Anyway, like I said, there’s no smoking gun. However, I tend to subscribe to Occam’s Razor in situations like this, and in this case, I think the simplest explanation is that it was someone working for or in some other way on behalf of the Chinese government.
“I tend to subscribe to Occam’s Razor in situations like this, and in this case, I think the simplest explanation is that it was someone working for or in some other way on behalf of the Chinese government.”
I think your interpretation of Occam’s Razor is a bit fuzzy.
The simplest explanation is that there is NO conspiracy against you. ZERO conspiracy is far simpler than your convoluted belief of some UNKNOWN people working for some other UNKNOWN people against you.
(by analogy, the simplest explanation by Occam’s Razor is there is NO god, because NO god is far simpler than a system of belief in a deity with his system of “motives” and powers and subordinates, bestowing benefits or misfortune onto human beings).
The simplest explanation is always CHANCE.
Hacker groups Anonymous and LulzSec release public statement challenging FBI, and hacking NATO data.
Don’t think pastebin.com keeps texts indefinitely, so here is the text rv2k posted in #33,
C. Custer says
Emails about a specific topic but coming from different locations and authors don’t all magically delete themselves by chance.
I think your understanding of Occam’s Razor is flawed; it refers to the simplest plausible explanation, not magic.
“Emails about a specific topic but coming from different locations and authors don’t all magically delete themselves by chance.”
Nothing magical about chance. It might be improbable, but not impossible.
“I think your understanding of Occam’s Razor is flawed; it refers to the simplest plausible explanation, not magic.”
Nothing magical about chance. I think your understanding of Occam’s Razor is akin to the logic of the anti-Evolution Creationists. Yes, finite statistical occurrences of mutations must seem like “magic”.
@raventhorn2000 #32 and @C. Custer #35,
I take offense at you characterizing what I wrote in comment #30 in terms of “CHANCE” or “magic”!
Anyway, rather than haggling over what is likely and what is less – thus what requires more and less assumption (we each have our own worldview) – I want to ask C. Custer whether in attributing some attacks to the “Chinese gov’t” he distinguishes someone high up in the Chinese central gov’t, someone affiliated with some depts of 国安部 or 情报部, someone from one of the official state-owned newspapers, someone affiliated with provincial or municipal gov’t, or some lowly bureaucrats.
I ask because I know if we take the U.S. gov’t to be broadly defined, the U.S. hacks all the time (see links in above comments), if not through standard hacking techniques – then simply by arm-twisting companies to do so (see e.g. http://news.softpedia.com/news/Google-Admits-Handing-over-European-User-Data-to-US-Intelligence-Agencies-215740.shtml) – or through “legal” means (see e.g. http://en.wikipedia.org/wiki/USA_PATRIOT_Act).
As an aside: part of the reasons facebook and google are not welcome in China is because by the laws they must operate under, they are effectively tools of the U.S. gov’t (http://www.ufo-blogger.com/2011/06/julian-assange-facebook-google-yahoo.html). The issue with facebook and google in China is not about freedom, but about compliance. If these companies can show the same deference to Chinese law as they do U.S. laws, they will be fine in China.
I was only objecting to Custer’s misuse of Occam’s Razor. I have no characterization on what you wrote, Allen.
And I agree, Google complies with government request to hand over private information all the time, they even track it themselves on their own website.
Obviously, their non-compliance with Chinese law is also political in nature, which is attributable to “state actor” in US.
C. Custer says
It could have been chance, sure. But the chances are far, far, far, far, far less likely than that it was a human agent acting with an agenda, especially since it stopped as soon as I changed my password and added two-step authentication.
Could it still, technically, have been chance? Sure. Maybe your comments are also chance, just the random misfirings of a machine somewhere in the net. It’s possible, but I don’t believe that because it is extremely fucking improbable. Just like a specific set of emails grouped by non-keyword-based content disappearing for no reason and then not disappearing as soon as I change a setting that has no effect on my inbox or sent mail.
Honestly, even you have got to admit that you are way off on this one. (You can tell because no one else here is agreeing with you, even though most of them prefer to disagree with me if possible).
Baiting for support on your part only shows that no one agrees with YOU.
Just you spinning your conspiracy theories about the “motives” of unknown people with “agendas”.
Pure clinical psychotic paranoia. (And that’s statistically VERY VERY PROBABLE, because you have a long history of “speculations” that don’t lead to reality).
C. Custer says
Yes, I’m the crazy one in this conversation.
Well, you have a history of “speculations”. Your paranoia is obvious and rampant, to a specific direction.
It wouldn’t be the 1st time you made some claims about the Chinese government’s “agenda” that you couldn’t back up.
It’s just another one in a VERY VERY LONG line of historical pattern. (In that OBVIOUS context).
That’s the simplest explanation. That’s Occam’s Razor!
@C. Custer #39
Actually, unlike other blogs, we try to discourage each other from cheering for the chorus. YinYang and I talked about this before we started HH. For a while, we did have some people like Josef and SKC who complimented each other on what seemed like every other post. We try not to do that. That’s not fair to the reader, as we are not the judge of what we write. Exchanging ideas – not drinking our own Kool-Aid – is the point of this blog.
So the silence on my part (and many others) means nothing: it could mean we agree fully but have nothing to add, or maybe we don’t agree but don’t have time to write, or it could be we simply were too busy and somehow completely missed what was written here. Don’t assume from what is not written what our positions are.
In your case, for example, when you don’t respond to what I write, I don’t necessarily presume you lost the argument. Perhaps that is the case 😉 , but it could also easily be the case that you were too busy to reply or … perhaps even that you didn’t think my writing worth a response!
C. Custer says
Fair enough. Is that hypothetical, or is there something I didn’t respond to? If I did ignore something, it wasn’t intentional, but I do get distracted by work fairly often.
Another example of so-called western journalism:
All rumors, possibilities, if’s, could be’s, insinuations, etc. No proof.
Seriously, I can write an article on how the US is in direct contact with extraterrestrials, and it would have the same credibility as the above article.
Ah, but that is the beauty of cyber warfare.
There will NEVER be sufficient proof. Even if they could trace the computers back to a certain country anyone can argue that they were being remotely operated somewhere else, or that they were renegade criminals etc.
There’s no point in conducting an electronic attack if you’re not gonna deny it after, because the anonymity is the sweetest part. In that sense any hacking can be dismissed with no concrete evidence.
So wrangling about evidence aside it’s safe to assume all capable governments employ electronic warfare because of its ease, cheapness and difficulty to pinpoint. That undoubtedly includes the US, China, Russia and anyone who can.
Which brings us to the familiar logical conclusion: if you must play the game, you should strive to be the best at it.