SecurityFocus 2007-09-04
Yet, tracking the attacks back to China is not a simple matter.
Attackers regularly use multiple servers and botnets to hide the true origins of their activities. For example, current data shows that nearly half of all spam comes from servers based in North America, but that does not mean that the U.S. is spamming other countries, said Matt Sergeant, senior antispam technologist for e-mail security firm MessageLabs.
"Certainly, there is a lot of what we call -- in the spam world -- bulletproof hosting in China," Sergeant said. "But saying that the source of the attacks coming from those servers is in China is not straightforward. Using that naive viewpoint, most spam is coming from the U.S."
NetWitness's Carpenter agreed.
"I don't think you can really 100 percent say" it's coming from China, said Carpenter. "Unless you have boots on the ground and someone kicks down the door in Beijing and you catch someone at the keyboard, you can never say it."
Still, a growing amount of evidence, outside of the location of servers used in the attacks, has pointed to China.
For example, attacks on U.S. agencies and on Taiwanese political groups in the United States have steadily increased in the past year.
In January 2006, exploit code attached to an e-mail that appeared to be a weekly newsletter sent by the U.S.-Taiwan Business Council, a private organization that seeks to improve business between the United States and Taiwan, went to addresses at U.S. government agencies and Taiwanese groups. The e-mail posed as a copy of the previous week's legitimate newsletter with minor changes, including appending a malicious Word document rather than the PDF file typically sent by the group, said Lotta Danielsson-Murphy, vice president of the U.S.-Taiwan Business Council.
The attacks, which started in December, have become more frequent every week. In the latest, which happened over Labor Day weekend, another newsletter clone was sent to specific people touting the U.S.-Taiwan Business Council's Defense Industry conference. The e-mail appeared to come from a Taiwanese official and contained a ZIP file that downloaded malicious code from the hacked server of a construction company in Illinois, Danielsson-Murphy said.
"We have seen an onslaught," she said. "The e-mail messages are always very up-to-date, and we are getting more and more."
The content sought out by attackers also seems to indicate a connection to China. A similar e-mail allowed hackers to infiltrate computers at the U.S. State Department a year ago. The attachments established a beachhead in the State Department's systems, which the attackers used to search for information on China and North Korea.
Moreover, the People's Liberation Army (PLA) has publicly talked about recruiting people serving their national service into hacking squads, said Marcus Sachs, director of the SANS Internet Storm Center. If they are trained and then not selected for the permanent hacking teams, many of the people will likely use their skills for patriotic hacking, he said.
"Those that don't make the cut are still really good at hacking," Sachs said. "A few of them still want to be patriotic, so they form their own little clubs and hacking groups and do what they would have done if they had served with the military."
Earlier this year, the Naval Network Warfare Command warned that Chinese hackers were "constantly waging all-out warfare against Defense Department networks," according to a report in Federal Computer Weekly.
For now, China continues to deny involvement and has vowed to go after whoever is attacking other countries' systems.
"The Chinese government attaches great importance to the hacker attack on the German government networks," Chinese Premier Wen Jiabao said, according to Xinhua.
Members of Congress have already taken the leaders of the Departments of State, Homeland Security and Commerce to task for lax computer security, as part of a general investigation by the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology into the security of federal systems.
"I would think that all governments should be concerned and protected against this type of thing," MessageLabs' Sergeant said. "Because it is so targeted, it is something that regular antivirus protection is not going to pick up on."
However, ISC's Sachs, for one, believes the problem will get better quickly. Pointing at next year's Olympic games, the security expert predicts that China will have to clean up its act, likely meaning the hacking will subside for some time or at least become much stealthier.
"It is only a while before the hacking, which has gotten the tacit wink and nod, will get shot down because it is bad for China," Sachs said. "It will only take one government official in Beijing to have the light go on and say that this hacking is bad for the country -- it is no different than Chinese dog food killing pets or lead in toys."