Chinese "Cyber-Attack" US Department of Commerce

Kranfer writes "The register has an article about how the Chinese have recently launched an attack against the US Department of Commerce. From the article: '...attacks originating from computer crackers largely located in China's Guangdong province are aimed at extracting sensitive information from targets such as the Commerce Department's technology export office. Security consultants and US government officials reckon the assaults have at least the tacit support of the Chinese government...' This is not the first time Chinese hackers have attempted to gain access to US Government systems."

Not Chinese

[suv4x4]

As mentioned before, the attack are most likely not from China at all.

No decent hacker would leave traces from his own machine when he could easily use a zombie network to carry out the attacks and collect information.

They keep claiming China, China, China.. I'm starting to think it's convenient for them to stick to that version for their own internal affairs.

Re:Not Chinese

[TopShelf]

Instead of "danger", think "rival". This kind of espionage is more commercial, not military, and frankly stuff like this has happened before even between our closest allies.

Re:Not Chinese

[Shoten]

Well, yes and no. There are a few problems with this hypothesis; one, and the most important of them, is that attacks have been conclusively back-traced to China. And yes, the guy who did it actually broke the law in the process, but c'est la guerre, non? The event is known as "Titan Rain," and it began with a series of targeted attacks against the Department of Energy. A computer security worker, in his spare time (and a wink/nod from the FBI) counter-hacked hosts that were the source of the attacks, eventually following the trail back to mainland China. There, he saw that the logins which executed commands were being performed locally, and that the devices were not forwarding pilfered data on to other hosts but were instead the repositories of that data.

Other things involve the fact that when you see attacks from China, you usually get one of two kinds of hosts: you get a wildly unpatched Windows box that's being used as a bot, or you get a decently-secured (usually linux or *BSD) system that is doing some rather specific things to a specific target. And last of all, let's not forget that most of the seminal works on information warfare were written by Chinese military officers, and that it's no secret whatsoever that China actually does have a significant infowar capability. We have no rules of engagement that classify hacking as an act of war, so they can get away with it; what are we going to do, bomb them over it? They have the world's largest standing army, are a (increasingly) crucial economic partner, and we're already overburdened militarily with a two-front war where we've bogged down fighting insurgents. They do it because they know they can get away with it, and they're correct in that thinking.

Re:Not Chinese

Does everyone have to take every story about someone attacking the US and claim it is a lie? I'm guessing since it' safer to believe nothing is wrong than face reality then this is the reason. "They keep claiming China...." Yes, god forbid someone should point out the person who is doing something. If the guy accross the street keeps attacking you, stealing from you, and destroying your property it's bad to keep blaming him.

This is why the United States will fall apart. We have two groups, one that sees no threat in anything and one group who wants to be the Nazi2000 party. What will happen is we will get a big smack in the face because we didn't defend ourselves and the Bush-like people will gain even more control because of it.

"I'm starting to think it's convenient..."

I'm starting to think that slashdot is full of know-nothing big mouths who don't really have any common sense. "No decent hacker would leave traces...". So that MUST mean that it's not China because they wouldn't leave traces. Kevin Mitnick must not be a very good hacker then because he got caught. We all know it's IMPOSSIBLE to catch good hackers.

And finally, there's the fact that maybe China DOESN'T CARE if we know.

However, once again we have people who tell us we are wrong to worry about security and that what is happening is not really happening. This plays right into the hands of people like Bush who will use the "told you so" argument to make this country a dictatorship.

Re:Not Chinese

[suv4x4]

I'd like to defend my viewpoint since I've been called, by some, an idiot and uninformed.

Consider you have to hack into Us givernment servers with confidential data. Even if you're not an incredible hax0r, it's obvious that if they find out about you, you're totally screwed. So the first thing you do, the MOMENT you grab the data, is cut the PC off the network.

Then encrypt and record the data on a mobile media (CD, DVD, Flash, whatever), and securely format the PC or even just destroy the original HDD.

Even before this, you'd turn off all possible logging activity, lock up the security, stop unneeded services, so that you can be relatively secure during the attack.

How is it that so much evidence in logs and what not was found on the "source" machines. This is WAY too much evidence. The contrast between the Windows hacked machines and the linux machines may be just a decoy to get the investigators stop tracing right there.

If the boxes were so secure, how did they get in there?

Why were the Windows boxes having "logs" of where the data was sent and so on. What kind of trojan would log their own activity on the compromised machine?

And the million dollar question is: how the f*ck they tied the Chinese *GOVERNMENT* with a Chinese *HACKER*... In fact, the first thought to occur to a government trying to hack into US's servers would be to hire hackers from another country to do it.

All the "evidence" presented is incredibly shallow and inconvincing if you try and put yourself in place of the people who did the attack.

Add to this the constant FUD that US spread that Lenovo puts spying chips in ThinkPads and similar conspiracy theories. It's apparent US find China a convenient target to blame, just the way they did with Iraq after 9/11.

Re:Not Chinese

[lawpoop]

"attacks have been conclusively back-traced to China."

How could one do this?

...you usually get one of two kinds of hosts: you get a wildly unpatched Windows box that's being used as a bot, or you get a decently-secured (usually linux or *BSD) system that is doing some rather specific things to a specific target.

Isn't the first thing that a hacker does when they get their hands on a decent box is apply all security patches so that *another* hacker cannot get into it? What's the point of co-opting a wide-open Windows box that anyone else on the net can use?

You're telling me that because it's a secured linux or BSD box doing specific things to specific hosts, instead of a promiscious zombie squirting spam everywhere, therefore it *must* be Chinese military, rather than random hacker from anywhere in the world (including China)?

How do you know it isn't a random hacker ssh'ing in (via a series of proxies, anonymous or compromised) to a host that they have secured for their own personal use?

Re:Not Chinese

[Shoten]

You're reading too much into individual components of my post, and not taking them as a whole. I'll answer your questions in turn. For one, how does someone backtrack to the original host? By gaining control of the next hop, one at a time, essentially. You know that your box got owned by 10.20.30.1, so you counter-hack it. Once in, you look around, and see who connects to it. More importantly, you see who is connected to it while it connects to your box. (This is detailed in a number of the articles linked in the Schneier article I referenced in my original post as the method used.) Rinse, repeat, until you are on a box where the person connecting to the next hop in the chain isn't on an SSH shell, but is local. This is an oversimplified explanation, but is quite technically accurate; the means employed can range from leveraging the tools placed there already by the hacker to using your own. You could also conceivably enlist the assistance of the organizations that own all the hacked boxes, but this would be a nightmare to accomplish, and since the person investigating Titan Rain has been confirmed to essentially be breaking the law by hacking, I'm sure this wasn't how he did it.

And no, I'm not saying that just because it's not a Windows box spouting spam or whatnot, but is instead a unix-flavored system doing very specific things, it's the Chinese. I'm saying that because it's a unix-flavored box at the end of a long train of hacked proxies (keep in mind that without the backtracking, the assumed culprit would have been South Korea in most cases, everyone) where the only person logged in doing naughty things to us is there locally, in a country whose military was the very first to espouse information warfare as a legitimate method in current times...well, that's a much clearer picture. I think you get the idea. To counter, let me point out that the argument has been, up to this point, "It can't be China, because lots of Chinese boxes get owned, and it could just be a bot owned by someone else." That's an argument for skepticism and closer investigation, not a logically sound way to say that the entire population of the world's largest country is impossible of being capable of hacking. And when you look at WHAT is being hacked, and what information is being stolen, then you can see the shopping list that is being used, which is typical of an organized intelligence-gathering organization.

WindowsUpdate

[crazyjeremy]

They hacked WindowsUpdate.com as well... It must be them. The screen capture of the hacked website says "hacked by chinese".

Block China From the Firewall

[organgtool]

I was going to suggest blocking all traffic coming from the IP range of addresses from China, but they could easily circumvent that by using a proxy outside of China. Maybe the U.S. Department of Commerce could create a welcome message that promotes democrary and condemns the inhumane treatment of the Chinese government and have that message appear before prompting for the username. That traffic would probably get blocked by the Great Firewall of China. When your weapons fail to work, turn your enemy's weapons against them.

Re:Block China From the Firewall

[smilindog2000]

That would really PO the Chinese. They hate it when we point at their miserable human-rights record in public. A better way IMO to deal with the Chinese is to work behind the scenes to get them to improve while publicly praising their efforts. IMO, Chinese culture cares much about 'face', a concept of honor that requires the appearance of respect, even if we bicker shamelessly behind closed doors. Bush routinely shows his ignorance of the Chinese by publicly lashing them, and then he gets bent out of shape when the Chinese retaliate with substance rather than words.

When the Chinese accidentally rammed one of our surveillance planes was a great example. Bush immediately publicly blamed the Chinese overly-hostile pilots (who were, of course, at fault), and demanded back our plane and it's crew. The correct course would have been to call the Chinese first, and negotiate terms for getting our plane and crew back secretly. IMO, the Chinese can be far more reasonable if we agree to put on a face showing friendship, cooperation, and respect for each other. We could have agreed to publicly call it a freak accident, with no one to blame. That probably would have gotten our guys and maybe even the plane back far quicker.

So, I think changing the web site to shame the Chinese government would be a bad idea. Instead, we should work with the Chinese behind close doors to solve the problem. Of course, that wont end Chinese spying on the US, nor will it end our spying on them. In general, I feel that it is good for world stability when we know the truth about each other. Fear of the unknown can cause major problems (like WMD in Iraq).

I'm sure this is intended to provide an excuse...

[BlabberMouth]

for all the cracking attempts our own guys have launched against China. I'd be schocked if we (the United States) haven't been doing this type of thing against China, North Korea, Iran, or just about anybody all long.

Re:US Department of Commerce?

[acvh]

Actually, the Department of Commerce has become as important to foreign relations as the Department of State. Maybe even more so. State is concerned with PR, diplomacy and such. Commerce cuts deals worth billions of dollars; the prospect of being able or not to do business with the US is a much bigger stick than threatening to refer someone to the UN.

If a foreign power could gain access to internal Commerce discussions it would give them some leverage in negotiations; and in the realm of international business a little inside info can go a long way.

Export Control, and the Information Age.

[lwap0]

I frequently work with the U.S. government to prevent export control violations in the defense contracting world. While I can't name specific countries, I can tell you that East Asia accounts for 34% of all attacks both cyber and conventional targeting U.S. Industry and government agencies (as of 2005). My peers and I agree that this is likely directly or indirectly sponsored by the Chinese government. And contrary to popular belief, about 90% of what they want is export controlled information, not classified information.

Why export controlled information? Think about how much money it takes to protect classified information - guards, safes, alarm systems etc., it's a lot of cash, and it's damn secure. Export controlled information doesn't enjoy those same protections, just export compliance waivers to sell or ship said products overseas. As an example: Say we have a dual use technology, both military and civilian use - like jet engines. We won't sell it to certain countries we compete with both economically, and militarily, but they will do their very damndest to steal it, either by forging state department waivers, lying, stealing, black-mailing, hacking - whatever it takes. Why do they want it? To equip their jets to compete with ours on the battlefield, or to sell, or maybe even find it's weaknesses to compromise if we ever went to war with them.

I'm willing to bet here that the network used to launch the attack was a University school network, which to most people seems pretty innocent - except that in China, all schools are state run and owned. Is it an academic institution, or an extension of the Chinese government? Likely both. In this instance, the Chinese government gets plausible deniability - they had no control over, or knowledge of any cyber attack. I'll don my tin-foil hat, and disagree with that assertion only because I'm jaded and cynical enough to know better.

Why is this info internet-accessable anyways?

[knorthern+knight]

According to the Register article...
> Information housed on the department's systems includes sensitive commercial and
> economic data on US exporters as well as data involving law enforcement records.

    How many times does this have to be drilled into people? If you put something on an internet-accessable server, it *WILL* be accessed from the internet, and not only by "authorized personnel". For additional giggles, put the following key into a Google search...

inurl:.gov confidential "do not distribute"

    The f***ing idiots who put sensitive government data on publicly accessable servers should be shot by a firing squad for treason.

Re:To everyone who says it can't be China

[ObsessiveMathsFreak]

China is our enemy

Depends on who you are.

If you're a democracy and liberty loving citizen, then yes, the Chinese regieme represents oppression and injustice and stands against you and your way of life.

However, if you're a corporate shareholder, or one of their shills in public office, then the Chinese regieme represents untold potential to shaft billions and make billions in the process. Ergo, you'll want to keep them sweet.

People seem to forget....

[heybo]

People seem to forget. The US does this kind of thing all the time. Not only to other countries but to their own Citizens. Remember we have all those three letter agencies that do this sort of thing all the time. So what is good for the goose is it not good for the gander? Or is it like torture these days? We gasp and cry when we see someone get their head lopped off on TV, and say "What savages!" Still it is ok for us to torture people for weeks on end because we are the good guys so this is good torture. Who is the savage really? The person that quickly puts and end to the pain of the enemy by whacking off their head or the person that makes their enemy suffer for weeks without end?

You see I come from a group of people that was once "Branded" savages by the US goverment. One example that even lives up to today. We were savages for taking scalps of our enemies. The part that is ALWAYS left out is we only took scalps in revenge for taking the scalps of our women and children for $5.00 a scalp. Payable by the US Goverment. Funny how that part of history is left out and still scalping is always related back to Native Americans even today. "Scalp'm Braves"

So are the Chinese really the bad guys or are they protecting their own assests? We're trying to pick their pockets all the time so why is it so bad when they try to pick ours?

The simple truth for people and goverments is you can't run around beating up other people all the time. Sooner or later someone bigger and badder than you will finally get tired of your shit and your continued assaults against them and in defense will either gang up with the other guys you are beating up on or if big enough on their own will turn around and beat the shit out of you.

The solution is simple. Leave them alone and they will leave us alone. It is all "Cause and Effect" Don't be the "cause" and you won't feel the effect. You can't blame someone for taking a defensive position to your offenceive moves.

The same rule of "cause and effect" applies to networks. You choose to run Windows that can access sensetive areas then YOU are setting yourself up to get hacked. I find it strange that the NSA would build something as secure as SELinux and the rest of the goverment not use it. Maybe not strange just stupid. The point is they have the tools to lock everything down and if they don't well too bad should have bought a better lock for the front door.