“I solemnly swear to put the interests of the Chinese nation above everything else. I am willing to do everything in my power to make the Chinese nation rise up”
– China Eagle Union Pledge
Hacker groups in China have come and gone since they first emerged around 1994. They are loose affiliations with names like the Green Army, the Red Hacker Alliance, the Honker Union of China and the China Eagle Union. Their members go by the handles of LittleFish, IceWater, Goodwill, and Brother Peng.
The fact that these groups exist in one of the most tightly controlled nations on Earth is irrefutable. Their history has been dutifully chronicled in the book The Dark Visitor by Scott Henderson, a retired US Army analyst. What sets many of these hacker groups apart from their Western counterparts, he notes, is their origins in patriotic endeavors.
Henderson said information about hacker groups in China is hardly secretive. “Chinese hackers are incredibly easy to find”, he wrote, “and [they] provide more information about themselves than anyone reading the news could imagine”.
So do hacker communities exist within China’s borders? If you ask Moustafa Mahmoud, chairman of the Middle East Cybercrime Task Force, the answer is a resounding yes. Many people think the Chinese hacking underground is a very secret organization to which no one has access, he told a recent audience at the RSA Europe Conference in London. “Nothing could be further from the truth”, he said.
Mahmoud noted there is no shortage of information available to the public, “however, the language barrier and cultural differences are probably the most significant challenges the rest of us face in trying to understand Chinese hackers”.
From Operation Aurora to Shady RAT, right up to the most recent report from the US National Counterintelligence Executive, insinuations that hackers in China may be responsible for some of the most significant breaches in recent memory continue to pile up.
In cases where China-based hackers have been accused, attribution is often an inexact science. In a world of advanced evasion techniques, digital snoopers often go to great lengths to cover their tracks or give off a misleading scent. This has allowed the Chinese government to repeatedly deny the existence of a coordinated and relatively unfettered hacker community in China. We may not know beyond a doubt whether the Chinese government is actively supporting cyberespionage activities, but one thing that is certain is the existence of extremely active, coordinated groups of hackers within the People’s Republic.
Patriotism to Capitalism
According to Mahmoud, researchers estimate there are up to 1.2 million hackers in China, among an approximate internet user base of 400 million. They first started as ‘Red Hackers’, part of an on-again/off-again confederation of those with strong patriotic views.
The beginning of the “reckless desire”, as Mahmoud recalled it, began around 2001 when these groups responded to several incidents involving Japan: “script kiddies start[ed] to appear...causing damage, mayhem and chaos, and true Red Hackers view this as a point of shame”.
Some people realized they could make a lot of money from hacking, Mahmoud remarked, and cybercrime became popular among those with ‘reckless desires’. “This is unfortunately how we perceive all Chinese hackers to be”, which is at odds with their origins as patriots, he lamented.
A transition is already well underway among hackers in China, as both Henderson and Mahmoud observed. The move from love of country to love of money has firmly engrained itself into the hacking culture, causing rifts within the original alliances.
The realm of mobile malware is one area where this evolution is in full swing. “At this point, approximately 90% of mobile malware targets users in Asia, and much of it targeting people in China – in my opinion, its proof that there is a malware writing community in China”, said Eddy Willems, chief security evangelist for Germany-based firm G Data.
“There is a very big, public hacking community in China”, in addition to the patriotic groups, he claimed. While the standard of living is rising in China, the average person still struggles. “One of the best ways to earn money is to write malware or become a hacker for hire” on behalf of an organization, Willems asserted.
With the Chinese government’s grip over the internet being well known, what this amounts to is Beijing’s tacit approval of nearly all hacking incidents – a point many security experts are quick to make. “There is definitely monitoring of the internet going on in China”, Willems affirmed. “This is something the whole world knows”.
Pointing the Finger
An October 2011 report from the US Office of the National Counterintelligence Executive compiled three years’ worth of evidence against state actors that it claimed were responsible for the theft of US technology and trade secrets, in addition to other allied nations. The Russians received their fair share of accusations in the report, but the primary focus was on China.
During a press conference accompanying the report’s release, Robert “Bear” Bryant – the US national counterintelligence executive – said that “trade secrets developed over thousands of working hours…are stolen in a split second and transferred to competitors”. In a very familiar reply, Chinese embassy spokesperson Wang Baodang refuted the report’s findings, telling the Washington Post that China opposes “any form of unlawful cyberspace activities”.
Quick to blame hackers from China, the report did acknowledge the inherent risk in doing so. “US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the [intelligence community] cannot confirm who was responsible”, the report noted.
"China always struggles with the image problem, and that’s why people are quick to blame them for many things in this area of cyber intrusions" |
Eddy Willems, G Data |
Furthermore, the report said many of the major private sector data breaches where Chinese sources have been implicated are missing any evidentiary connection between the alleged hackers and a specific state sponsor. These acknowledgements highlight the largest hurdle in connecting suspected hackers to their alleged exploits – the attribution conundrum. “IP addresses don’t mean anything in these cases”, says Willems, “these can easily be faked.”
What the intelligence and research communities have not made public, at least not yet, is irrefutable forensic evidence linking China to any specific cyberattack. Nor have they been able to produce evidence of state support for hackers within China’s borders. However, as one expert pointed out, this does not mean the evidence doesn’t exist.
“There is a lack of publicly available forensics proof”, acknowledged Roger Cressey, a senior VP with defense contractor Booz Allen Hamilton. He is a cybersecurity expert that served in both the Clinton and George W. Bush administrations, and was an advisor to then-candidate Barack Obama. According to Cressey, in many of these cases the lack of publicly evidence is “a question of ‘how much do you want to reveal that you know?’”
He believes the number of hackers working for the Chinese government number on the hundreds of thousands. Cressey said it is also important to differentiate between state-sponsored, state-supported, and state-tolerated hacking. “It becomes more complex as you go down the scale of attribution, as opposed to up. If it’s truly state sponsored, and you can attribute it and have a forensics trail, then you can present a pretty compelling case…If it’s state-supported or tolerated, then attribution” becomes more difficult, he pointed out. Regardless, “it’s a safe assumption to make that all levels operate within China”, Cressey said
Deny, Deny, Deny
It would be incomprehensible for David Cameron to take the podium and say the UK is completely void of cybercriminals, and it would be equally laughable if Barack Obama declared the US a hacker-free zone. And if both gentlemen made the assertion that their governments refrained from cutting-edge espionage techniques in cyberspace, then there would be little doubt that both were lying.
While some of the evidence that indicates China-based actors in high-profile cyber intrusions is far from irrefutable, when the government in Beijing immediately dismisses the possible connections, it seems disingenuous at best. The ‘not in my backyard’ defense appears more comedic than effective, and falls flat as a propaganda tool on the international stage. The Chinese government often uses the dual defensive prongs of attribution and anti-Chinese sentiment to defend itself in these cases.
Chinese foreign spokesman, Hong Lei, quickly refuted the US Counterintelligence report by pronouncing that “online attacks are notable for spanning national borders and being anonymous”. He said that insinuations about the alleged attackers were “both unprofessional and irresponsible”. I hope the international community can abandon prejudice”, he told the UK’s The Guardian.
A similar denial was issued in October of 2011, when Hong Lei called the findings of a draft report from the US-China Economic and Security Review Commission “untrue” and containing “ulterior motives”. In this case, the report examined alleged attempted hacks of two US government satellites in 2007 and 2008.
Going back to April 2010, Lei said that China “resolutely opposes all forms of cyber crime, including hacking” when responding to charges by Canada-based researchers at the Information Warfare Monitor, who publicized the existence of a cyberespionage network it called ‘Shadow’ with strong ties to China’s hacking community. What Lei did not detail was whether the accusations were true, and what the Chinese government was doing to investigate the allegations.
Year of the RAT
This year’s most infamous example of alleged Chinese cyberespoinage was McAfee’s Shady RAT report, which became public this past summer. The report detailed a multi-year intrusion at a wide swath of organizations, eventually concluding that a “state actor” was involved in the operation. While McAfee did not directly accuse China for the intrusions, many security experts took the opportunity to point a finger Beijing’s way.
This time, no official spokesperson was provided to rebut the accusations. Instead, a report in the People’s Daily – the communist party’s official newspaper – disputed the Shady RAT findings, saying the analysis “does not stand up to scrutiny” and that “linking China to internet hacking attacks is irresponsible”.
So why the continuous denials in the face of such mounting evidence? There is a very good reason for the repudiations G Data’s Willems believes. “China was a very closed country until a few years ago”, he observed, and coming out of this shell and being more open about internal problems will remain a long-term challenge.
Furthermore, China is not the lone wolf in the cyberespionage game. “I would agree completely [that] there are other groups and governments involved in this type of activity”, the US included, he said. “China always struggles with the image problem, and that’s why people are quick to blame them for many things in this area of cyber intrusions.”
"Why try and re-invent the wheel when you can steal the wheel from somebody else" |
Roger Cressey, Booz Allen Hamilton |
Harry Sverdlove’s approach to this issue is a bit more direct. The chief technology officer of US-based security company Bit9 previously blogged his firm belief that Shady RAT’s hackers were connected to the Chinese government, and he told Infosecurity that “many are unwilling to make the direct connection, in some cases even when there is fairly compelling evidence”.
The firm’s CTO understands the underlying political implications of directly blaming the Chinese in these cases, and, the internet’s ability to obscure identity and location. Just as in a criminal case, however, “you have to look at the totality of evidence” Sverdlove reminds us. “In the case of Shady RAT, the most compelling evidence is the motivations”, he emphasized.
When you put all of the compromised organizations together, Sverdlove believes the signs point in only one direction. “Even if it is just a lone hacker, or a hacktivist organization selling this information on the open market…there really is only one country with interest in this information, and it’s China.”
Cultural Matters
The US Counterintelligence Executive also said China would continue to engage in cyberespionage because the nation is “driven by its longstanding policy of ‘catching up fast and surpassing’ Western powers”.
“I do not think there are clearly delineated lines between public and private sector in China”, Cressey commented when asked about China’s “catch up” policy. He views it as a cultural phenomenon that is less malicious than one might think.
“It’s not personal – it’s just business”, Cressey said, channeling his inner Michael Corleone. The Chinese will “identify information and IP that is valuable to” its national interests, and take it if possible, referring to the nation’s tremendously strong IT capabilities.
“Why try and re-invent the wheel when you can steal the wheel from somebody else, and then use that wheel for your own unique purposes?”, Cressey remarked. The policy, he added, has been a driver for Chinese economic espionage for years.
But Frost & Sullivan’s Cathy Huang sees the current situation in China as the result of different interpretations of a single cultural concept. Huang is a Hong Kong-based industry analyst in the firm’s ICT practice. Cultural tolerance of IP theft is an interpretation of the shan zhai concept, which literally refers to remote mountain villages that are beyond the reach of administrative control and historically the home of semi-organized criminal gangs.
“This shan zhai phenomenon is very much debatable. To some people, it is an acceptable practice whereby it helps people – particularly at the grassroots – have access to modern technology at a very affordable price”, she observed. “However, some people see shan zhai as pirated brand goods with inferior quality.”
Huang said whether it is legally and culturally acceptable to infringe on IP rights depends if the product in question is inspired largely by the original, or an outright copy. “If shan zhai refers to counterfeit or pirated products, it is definitely not acceptable”, she says. On the other hand, if shan zhai applies to products with a high degree of imitation “without infringing on other’s IP rights, it is generally acceptable in China”.
According to this analysis, what is abundantly clear is that a vast gray area exists in China when it comes to cultural attitudes toward IP theft and the practices employed to “catch up” to the rest of the world’s technology.
An Ounce of Prevention
It’s not just the Chinese who are guilty of cyberespionage, according to the Counterintelligence Executive’s Report. Allies of the US are apparently gunning for sensitive information as well – a fact that likely applies to any country with significant stores of valuable information to protect.
“The Department of Defense has come out publicly and said there are over 100 foreign intelligence services looking to penetrate the DoD network”, Roger Cressy reminded us. “If that’s the case, then we have a friends and family issue here as well.”
Moreover, the issue here may not even be China, Russia, or the issue of cyberespionage. What the blame game overshadows is that more complex defense strategies are required in cyberspace no matter the adversary.
This exact point was made recently by Desmond Ball, a professor with the Strategic and Defense Studies Center at the Australian National University. Ball has spent years studying China’s cyberespionage capabilities, and he considers them rudimentary at best. In fact, he said most cybercriminals working on the black market today employ far more sophisticated tools.
“They have evinced little proficiency with more sophisticated hacking techniques”, Ball noted in his report that appeared in a recent issue of Security Challenges. “There is no evidence that China’s cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data”, he wrote. “They would be unable to systematically cripple selected command and control, air defense, and intelligence networks and databases of advanced adversaries, or to conduct deception operations by secretly manipulating the data in these networks.”
This sentiment was echoed by Cressey, whose own assessment is that when alleged Chinese hackers are implicated, most of the methods used have been fairly basic. He believes the solution is less complex than we might think and involves preparing for inevitable breaches while also moving to make systems more resilient in response.
“We often make the assumption that this is just a technology issue, when in many cases it’s a people and policy issue first”, Cressey affirmed. “Better trained people, more aware of their surroundings, and following the right policies, will do a great job at mitigating the risk we are dealing with right now. The technology enables people – it’s not the other way around.”
So what does the advisor to three US presidents think is the key to the more resilient network defense he champions? “Dynamic defense by constantly changing your security approach”, Cressey replied, in addition to “better training, more education, and increased awareness”.
All are common refrains throughout the world of information security, so perhaps the problem is not hackers from China, but our unwillingness to follow sound advice. Maybe the larger issue requires some introspection and for each of us to look in the mirror and ask: Are we doing enough to prevent this from happening in the first place?