Counterattack on China in cyber-space
By Peter Lee
The high-profile intrusion into the e-mail server of China Electronics Import & Export Corporation by "Hardcore Charlie" may mark the coming out party for America's own band of patriotic hackers.

Documents obtained through the hack were posted on file-sharing sites. For the most part, they are a bewildering grab bag of seemingly inconsequential documents. One folder contains regulations concerning the privatization of public universities in Vietnam; another reveals the monthly salary of an English teacher working for Ivanhoe Copper in Myanmar.

Then there are the somewhat more disturbing documents: pages and pages of spreadsheets and US military Acrobat files detailing the recent movements of the quaintly-named "jingle trucks" operated by local companies delivering supplies to the network of US facilities inside Afghanistan. The documents are not marked secret, and the US government has apparently still not taken steps to remove them from the file-sharing services a week after they were posted.
In a web statement, Hardcore Charlie justified his hack with the assertion that China was passing sensitive information to America's enemies, including the Taliban. In a pastiche of English, Spanish, obscenities and racist references, he stated:

Hola comradezz, Today us prezenta recently owneed chino military kontraktor CEIEC Us be shoked porque their shiiit was packed with goodiez cummin froma USA Military brigadezz in Afghanistan, them lulz hablando mucho puneta sam slit eyed dudz in Vietnam and Philiez doing bizness in Ukraine and Russia selling goodiez to Taliban terrorists.

CEIEC, for its part, issued a denial equally deficient in grammatical polish, stating:
CEIEC solemnly declares as below: The information reported is totally groundless, highly subjective and defamatory. It is believed that rumors stop at wiser. CEIEC reserves the right to take legal action against the relevant responsible individuals and institutions. [1]

Observers noted the apparent incongruity of CEIEC asserting it had not been hacked ... but reserving the right to take legal action.

The Chinese version is somewhat less incoherent, but only slightly. It appears that CEIEC may be trying to say that it is taking issue with the allegations - for instance, that CEIEC is passing on the information to bad guys in Ukraine, Syria, Russia and the Taliban - while skating past the question of whether it was actually hacked. [2]
CEIEC is described as a "defense contractor" in foreign coverage. However, this may be overstating the case somewhat. CEIEC is one of the ancient import/export corporations set up under the Ministry of Foreign Trade 30 years ago. It did a booming business when international trade was a monopoly of the government import/export corporations, and still benefits from its government ties in handling foreign aid projects and administering international tenders.

At the same time, it has successfully reinvented itself as a prime contractor on overseas projects and, in terms of gross revenue, is one of China's bigger companies.

CEIEC is not an industrial enterprise with its own manufacturing capability. It has targeted the defense electronics sector, as an integrator and prime contractor, apparently hoping to supply systems to China's allies overseas. Whatever it has on its servers, it is probably not the crown jewels of China's defense establishment.

But the question of how the minutiae of US military truck transport in Afghanistan ended up on CEIEC's servers remains a mystery. The CEIEC case does highlight a remarkable trend in international hacking - the appearance of non-government auxiliaries in cyber-war battles.

China is notorious for its interest in cyber-war as an asymmetric counter to the conventional military superiority of the United States ... and for its apparent willingness to farm out, encourage, or benefit from private hacker initiatives.
In 2010, Mara Hvistendahl wrote in Foreign Policy:
[T]he hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented - and sometimes unruly - patriotic hackers. Since the 1990s, China has had an intelligence program targeting foreign technology, says James A Lewis, senior fellow for cyber-security and Internet policy at the Center for Strategic and International Studies. Beyond that, however, things get complicated. "The hacking scene can be chaotic," he says. "There are many actors, some directed by the government and others tolerated by it. These actors can include civilian agencies, companies, and individuals." [3]

Patriotic hackers in China are called "hong ke" or "red guest", a pun on the phonetic rendering "hei ke" or "black guest" for hacker.

Their patriotic cyber-duties included destroying the online presence of South Korean boy band Super Junior after an unruly and undignified crowd of Chinese fans clamored to hear the band at the Shanghai World Expo and embarrassed Chinese nationalists. [4]

They also weigh in on foreign issues of greater moment, mixing it up with their Japanese counterparts when Sino-Japanese passions are inflamed by visits to the Yasukuni Shrine or the collision between a Chinese fishing boat and Japanese coast guard vessel off Diaoyutai/Senkaku in 2011.

But their major utility to the Chinese government may be their ability to generate chaff - a barrage of cyber-attacks to distract and overwhelm US security specialists trying to cope with China's pervasive, professional program of industrial and military espionage - and give the People's Republic of China (PRC) government deniability when hacking is traced to a Chinese source.

Chinese industrial cyber-espionage has emerged as a dominant near-term security concern of the United States.
The Barack Obama administration went public with its case against China in November 2011, with a report on industrial espionage titled Foreign Economic Collection. It described China rather generously as a "Persistent Collector" given the PRC's implication in several high-profile industrial espionage cases and soft-pedaled the issue of official Chinese government involvement. The report stated:

US corporations and cyber-security specialists also have reported an onslaught of computer network intrusions originating from Internet Protocol (IP) addresses in China, which private sector specialists call "advanced persistent threats." Some of these reports have alleged a Chinese corporate or government sponsor of the activity, but the IC [intelligence community] has not been able to attribute many of these private sector data breaches to a state sponsor. Attribution is especially difficult when the event occurs weeks or months before the victims request IC or law enforcement help. [5]

A month later, in December 2011, US criticism of China became a lot more pointed. Business Week published an exhaustive report on Chinese cyber-espionage, clearly prepared with the cooperation of federal law enforcement authorities as it named and described several investigations:

The hackers are part of a massive espionage ring codenamed Byzantine Foothold by US investigators, according to a person familiar with efforts to track the group. They specialize in infiltrating networks using phishing e-mails laden with spyware, often passing on the task of exfiltrating data to others.

Segmented tasking among various groups and sophisticated support infrastructure are among the tactics intelligence officials have revealed to Congress to show the hacking is centrally coordinated, the person said. US investigators estimate Byzantine Foothold is made up of anywhere from several dozen hackers to more than one hundred, said the person, who declined to be identified because the matter is secret. [6]

United States security boffin Richard Clarke had this to say about Chinese cyber-espionage in an interview with Smithsonian magazine:
"I'm about to say something that people think is an exaggeration, but I think the evidence is pretty strong," he tells me. "Every major company in the United States has already been penetrated by China."

"What?"

"The British government actually said [something similar] about their own country."

Clarke claims, for instance, that the manufacturer of the F-35, our next-generation fighter bomber, has been penetrated and F-35 details stolen. And don't get him started on our supply chain of chips, routers and hardware we import from Chinese and other foreign suppliers and what may be implanted in them - "logic bombs," trapdoors and "Trojan horses," all ready to be activated on command so we won't know what hit us. Or what's already hitting us. [7]
Some big numbers are being thrown around to publicize the Chinese threat.

Business Week's report, while admitting the woolliness of its methodology, stated that losses to American companies from international cyber-espionage amounted to US$500 billion in a single year.
Scott Borg, director of a non-profit outfit called the US Cyber Consequences Unit, told Business Week:

"We're talking about stealing entire industries ... This may be the biggest transfer of wealth in a short period of time that the world has ever seen."
Beyond these apocalyptic economic and military scenarios, we might also descend to the personal and political and point out that Google, a favorite target of Chinese cyber-attacks, is Obama's friend, indispensable ally, brain trust and source of personnel in the high-tech sector.

Connect the dots, and it is clear that the Obama administration, in its usual meticulous way, is escalating the rhetoric and preparing the public and the behind-the-scenes groundwork for major pushback against China in the cyber-arena.

Beyond moves in the legal arena such as the aggressive prosecution of the DuPont industrial espionage case - alleging that China orchestrated a program to steal DuPont's titanium dioxide technology - it is interesting to speculate what other moves the Obama administration might make.

The United States is undoubtedly already doing its best to penetrate China's government, military and scientific networks.

How could the US escalate, especially in the industrial and commercial sphere, where the US mindset is that everything worthwhile the Chinese have was stolen from us, so what's worth stealing back?

Maybe the answer is cyber-harassment, turning a blind eye - or actively egging on - non-government hackers to embarrass, inconvenience, humiliate and perhaps even destabilize the Chinese regime.
Consider this April 4 report by Emil Protalinski at ZDNet on an explosion in hacking against China since a Twitter account was launched on March 30:

The hacktivist group Anonymous now has a Chinese branch. An Anonymous China Twitter account was created late last month ... Boy have they been busy. Hundreds of Chinese government, company, and other general websites have been hacked and defaced in the span of a few days. A couple have also had their administrator accounts, phone numbers, and e-mail addresses posted publicly. On the hacked sites, the group even posted tips for how to circumvent the Great Firewall of China.

A long Pastebin post lists all the websites that were targeted. It contains 327 websites in total, but an updated list, also on Pastebin, brings that number to 485. Most of these websites are operational once again, but many have been defaced a second time after they were brought back. Not all of them were hacked and defaced; some were treated with more viciousness than others. [8]
Protalinski subsequently wrote that the attacks had not abated and China, in an interesting case of public relations jiu jitsu, was using the campaign as evidence that it was one of the world's many victims of cyber-misbehavior (and, by implication, not a major perpetrator):

While Anonymous was not specifically mentioned, it's obvious what China's Ministry of Foreign Affairs was referring to during a briefing on Thursday, given the events during the last week. "First of all, China's Internet is open to all, users enjoy total freedom online. China has gained 500 million netizens and 300 million bloggers in a very short period of time, which shows the attraction and openness of China's Internet," spokesman Hong Lei said in a statement, according to CNN. "Secondly, the Chinese government manages the Internet according to law and regulations. Thirdly, certain reports prove again that China is a victim of Internet hacker attacks." [9]

It will be interesting to see how sympathetic the Obama administration will be if the Chinese government begins squealing to it about this outbreak of anti-PRC hacking.

The current Anonymous hacks have been of remarkably unimpressive and uninteresting Chinese sites - like the Taoyuan Bureau of Land and Resources. One can wonder if escalation to more tempting, juicier and more sensational targets is in the future. [10]

My speculation is that the campaign of cyber-attacks against Chinese targets was seeded by the US government, but has gathered its own momentum and is drawing in freelance foreign and some Chinese hackers searching for lulz - the hacker term for giggles or detached/callous amusement.
Let us now return to the perpetrator of the most spectacular hack to date - Hardcore Charlie - and ask whether his postings reveal anything about his motivations.
Hardcore Charlie's web persona displays a military bent. His web alias derives from a death card (a specially printed playing card with an intimidating message sometimes placed on an enemy corpse by US servicemen) associated with the US Army's 101st Airborne Division: "Compliments of Hardcore Charlie - 3rd BN 502 Infantry - When you care enough to send the very best - AIR ASSAULT." [11]
Hardcore Charlie's postings also quote lyrics on a military theme, from "Marines" by the German thrash metal band Sodom. He recommends reading the files to the accompaniment of a YouTube video montage of Francis Ford Coppola's Vietnam epic film Apocalypse Now, using Sodom's "Napalm in the Morning" as the soundtrack.

But perhaps there's something more going on here than pro-military pro-freedom enthusiasm. Sodom is an avowedly anti-war band that toured Vietnam, even though it was denied permission to play there, so it could learn more about the war and its aftermath.

Two more bumpers in the postings quote KMFDM, German industrial rockers (and, unfortunately, sometimes a favorite band of alienated and murderous high-schoolers such as Eric Harris, the Columbine shooter) with what one could characterize as a vigorous anti-American government stance.

From KMFDM's anti-George W Bush anthem "Stars and Stripes" (whose video includes a Bush/Hitler juxtaposition), Hardcore Charlie pulled the quote: ... Cut back civil rights / Make no mistake / Tell 'em homeland security is now at stake / Whip up a frenzy / keep 'em suspended / Don't let 'em know that their liberty's ended ... [12]

From another KMFDM song, New American Century, another quote: ... LOVE THY NEIGHBOR TURN HIM IN ... it's called PATRIOTISM ...
Interesting, especially when one considers how Hardcore Charlie, in apparently his only media availability, with Reuters, was described: The hacker, who uses the name Hardcore Charlie and said he was a friend of Hector Xavier Monsegur, the leader-turned-informant of the activist hacking group, LulzSec ... [13]

Rewind to March 2012: Key members of the hacking collective known as LulzSec were arrested Tuesday morning, a move authorities are calling "devastating to the organization". According to an exclusive report by Foxnews.com LulzSec's alleged ringleader, Hector Xavier Monsegur of New York City, helped authorities with the arrest. [14]

As for LulzSec, it was an ad hoc hacker collective spun off from Anonymous (the same grouping bedeviling China under the Anonymous China hashtag) by Monsegur. Its sensational 50-day career in 2011 was described by PC Magazine:
May 7 - Lulz Security [claims] to have gotten ahold of a database of contestants from the Fox TV show X Factor. Lulzsec follows up a few days later with more sales and internal data gleaned from Fox.com.

May 30 - After hacks of Sony in Japan and a British ATM database, Lulzsec scores its first big publicity coup by posting a fake story on the PBS website, which claimed that Tupac Shakur was alive and well in New Zealand.

June 2 - Lulzsec posts personal data for more than a million users from a handful of Sony websites, …

June 3 - The "Lulz Boat" sets a course for the government, targeting security organizations that work with the FBI and other agencies …

June 13-20 - Lulzsec appears to be hitting its stride, with a busy week hacking into the US Senate's website, stealing the account information of more than 200,000 users from video game maker Bethesda, claiming to have temporarily brought down the CIA's website, and going after more security agencies in the US and UK.

June 23 - In protest of Arizona's controversial anti-immigration law, Lulzsec posts internal documents and information from the state's Department of Public Security. [15]
Lulzsec closed shop at the end of June 2011, when an asset in England was arrested. It appears that was not enough to elude the bloodhounds of the Federal Bureau of Investigation or forestall Monsegur's betrayal of his associates.

Careful readers may find their interest piqued by the fact that Fox News, which got the exclusive on the arrests in 2012, was the first hacked in 2011.
Pattern-oriented readers might consider whether the sudden eruption of Lulzsec resembles the cyber flashmob that is currently swarming Chinese sites.

Contrarian readers might find it interesting that the focus of hacking seems to have done a 180-degree turn away from American government, security and corporate targets to tormenting their Chinese equivalents (despite the limited lulz obtainable when hacking a site whose language one does not understand).

Curious readers might also wonder if information from Monsegur has helped the authorities get "Hardcore Charlie" in their sights and he is hacking into Chinese websites either at their behest to help get the Anonymous China ball rolling or is pre-emptively demonstrating his utility and eagerness to please.

In any case, the cat's out of the bag.

The order of battle in the cyber-armies of China and the United States has been completed by the arrival of the volunteer militias to serve next to the professionals.