Categorized | China, Technology

Case Based in China Puts a Face on Persistent Hacking


Reposted from The New York Times


Nicole Perlroth | March 29, 2012 |The New York Times

SAN FRANCISCO — A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese university — putting a face on the persistent espionage by Chinese hackers against foreign companies and groups.

The attacks were connected to an online alias, according to a report to be released on Friday by Trend Micro, a computer security firm with headquarters in Tokyo.

The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense.

Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.

“The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A. Lewis, a former diplomat and expert in computer security who is a director and senior fellow at the Center for Strategic and International Studies in Washington. “A private Chinese hacker may go after economic data but not a political organization.”

Neither the Chinese embassy in Washington nor the Chinese consulate in New York answered requests for comment.

The Trend Micro report describes systematic attacks on at least 233 personal computers. The victims include Indian military research organizations and shipping companies; aerospace, energy and engineering companies in Japan; and at least 30 computer systems of Tibetan advocacy groups, according to both the report and interviews with experts connected to the research. The espionage has been going on for at least 10 months and is continuing, the report says.

In the report, the researchers detailed how they had traced the attacks to an e-mail address used to register one of the command-and-control servers that directed the attacks. They mapped that address to a QQ number — China’s equivalent of an online instant messaging screen name — and from there to an online alias.

The person who used the alias, “scuhkr” — the researchers said in an interview that it could be shorthand for Sichuan University hacker — wrote articles about hacking, which were posted to online hacking forums and, in one case, recruited students to a computer network and defense research program at Sichuan University’s Institute of Information Security in 2005, the report said.

The New York Times traced that alias to Mr. Gu. According to online records, Mr. Gu studied at Sichuan University from 2003 to 2006, when he wrote numerous articles about hacking under the names of “scuhkr” and Gu Kaiyuan. Those included a master’s thesis about computer attacks and prevention strategies. The Times connected Mr. Gu to Tencent first through an online university forum, which listed where students found jobs, and then through a call to Tencent.

Reached at Tencent and asked about the attacks, Mr. Gu said, “I have nothing to say.”

Tencent, which is a privately managed and stock market-listed Internet company, did not respond to several later inquiries seeking comment.

The attacks are technically similar to a spy operation known as the Shadow Network, which since 2009 has targeted the government of India and also pilfered a year’s worth of the Dalai Lama’s personal e-mails. Trend Micro’s researchers found that the command-and-control servers directing the Shadow Network attacks also directed the espionage in its report.

The Shadow Network attacks were believed to be the work of hackers who studied in China’s Sichuan Province at the University of Electronic Science and Technology, another university in Chengdu, that also receives government financing for computer network defense research. The People’s Liberation Army has an online reconnaissance bureau in the city.

Some security researchers suggest that the Chinese government may use people not affiliated with the government in hacking operations — what security professionals call a campaign.

For example, earlier this year, Joe Stewart, a security expert at Dell SecureWorks, traced a campaign against the Vietnam government and oil exploration companies to an e-mail address that belonged to an Internet marketer in China.

“It suggested there may be a marketplace for freelance work — that this is not a 9-to-5 work environment,” Mr. Stewart said. “It’s a smart way to do business. If you are a country attacking a foreign government and you don’t want it tied back, it would make sense to outsource the work to actors who can collect the data for you.”

The campaign detailed in the Trend Micro report was first documented two weeks ago by Symantec, a security firm based in Mountain View, Calif. It called the operation “Luckycat,” after the login name of one of the other attackers, and issued its own report. But Trend Micro’s report provides far more details. The two firms were unaware that they were both studying the same operation.

Trend Micro’s researchers said they were first tipped off to the campaign three months ago when they received two malware samples from two separate computer attacks — one in Japan and another in Tibet — and found that they were both being directed from the same command-and-control servers. Over the next several months, they traced more than 90 different malware attacks back to those servers.

Each attack began, as is often the case, with an e-mail intended to lure victims into opening an attachment. Indian victims were sent an e-mail about India’s ballistic missile defense program. Tibetan advocates received e-mails about self-immolation or, in one case, a job opening at the Tibet Fund, a nonprofit based in New York City. After Japan’s earthquake and nuclear disaster, victims in Japan received an e-mail about radiation measurements.

Each e-mail contained an attachment that, when clicked, automatically created a backdoor from the victim’s computer to the attackers’ servers. To do this, the hackers exploited security holes in Microsoft Office and Adobe software. Almost immediately, they uploaded a directory of the victims’ machines to their servers. If the files looked enticing, hackers installed a remote-access tool, or RAT, which gave them real-time control of their target’s machine. As long as a victim’s computer was connected to the Internet, attackers had the ability to record their keystrokes and passwords, grab screenshots and even crawl from that machine to other computers in the victim’s network.

Trend Micro’s researchers would not identify the names of the victims in the attacks detailed in its report, but said that they had alerted the victims, and that many were working to remediate their systems.

A spokesman for India’s Defense Ministry, Sitanshu Kar, said he was not aware of the report or of the attacks it described. Fumio Iwai, a deputy consul at the Japanese consulate in New York, declined to comment.

As of Thursday, the campaign’s servers were still operating and compromised computers continued to leak information.

“This was not an individual attack that started and stopped,” said Nart Villeneuve, a researcher who helped lead Trend Micro’s efforts. “It’s a continuous campaign that has been going on for a long time. There are constant compromises going on all the time. These guys are busy and stay busy.”

Vikas Bajaj contributed reporting from Mumbai and David Barboza from Shanghai. Xu Yan contributed research from Shanghai.

3 Responses to “Case Based in China Puts a Face on Persistent Hacking”

  1. American says:

    China has made industrial espionage an integral part of its economic policy, stealing company secrets to help it leapfrog over U.S. and other foreign competitors to further its goal of becoming the world’s largest economy, U.S. intelligence officials have concluded in a report released last month.

    “What has been happening over the course of the last five years is that China — let’s call it for what it is — has been hacking its way into every corporation it can find listed in Dun & Bradstreet,” said Richard Clarke, former special adviser on cybersecurity to U.S. President George W. Bush, at an October conference on network security. “Every corporation in the U.S., every corporation in Asia, every corporation in Germany. And using a vacuum cleaner to suck data out in terabytes and petabytes. I don’t think you can overstate the damage to this country that has already been done.”

    While a precise dollar figure for damage is elusive, the overall magnitude of the attacks is not, Borg said.

    “We’re talking about stealing entire industries,” he said. “This may be the biggest transfer of wealth in a short period of time that the world has ever seen.”

    Chinese ‘stole all nuclear secrets’ – Espionage: Devastating report reveals that for 20 years Peking agents stripped America of weapons technology

    For more than a year, hackers with ties to the Chinese military have been eavesdropping on U.S. Chamber of Commerce officials involved in Asia affairs, authorities say. The hackers had access to everything in Chamber computers, including, potentially, the entire U.S. trade policy playbook.

  2. Thomas Crumm says:

    Thanks Ellen.

  3. Joe Brooks says:

    Here are some quotes from a Richard Clarke interview, probably America’s most knowledgeable intelligence expert:

    “I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong,” he tells me. “Every major company in the United States has already been penetrated by China.”

    “The British government actually said [something similar] about their own country.”

    Clarke claims, for instance, that the manufacturer of the F-35, our next-generation fighter bomber, has been penetrated and F-35 details stolen. And don’t get him started on our supply chain of chips, routers and hardware we import from Chinese and other foreign suppliers and what may be implanted in them—“logic bombs,” trapdoors and “Trojan horses,” all ready to be activated on command so we won’t know what hit us. Or what’s already hitting us.

    Richard Clarke’s warnings may sound overly dramatic until you remember that he was the man, in September of 2001, who tried to get the White House to act on his warnings that Al Qaeda was preparing a spectacular attack on American soil.

    Clarke later delivered a famous apology to the American people in his testimony to the 9/11 Commission: “Your government failed you.”

    Clarke now wants to warn us, urgently, that we are being failed again, being left defenseless against a cyberattack that could bring down our nation’s entire electronic infrastructure, including the power grid, banking and telecommunications, and even our military command system.

    But saying Clarke was a spy doesn’t do him justice. He was a meta-spy, a master counterespionage, counterterrorism savant, the central node where all the most secret, stolen, security-encrypted bits of information gathered by our trillion-dollar human, electronic and satellite intelligence network eventually converged. Clarke has probably been privy to as much “above top secret”-grade espionage intelligence as anyone at Langley, NSA or the White House.

    I left Clarke’s office feeling that we are at a moment very much like the summer of 2001, when Clarke made his last dire warning. “A couple people have labeled me a Cassandra,” Clarke says. “And I’ve gone back and read my mythology about Cassandra. And the way I read the mythology, it’s pretty clear that Cassandra was right.”

    Read more:
