MCLC: hacker's angst

Denton, Kirk denton.2 at osu.edu
Thu Mar 14 09:05:05 EDT 2013


MCLC LIST
From: kirk (denton.2 at osu.edu)
Subject: hacker's angst
***********************************************************

Source: LA Times (3/12/13):
latimes.com/news/nationworld/world/la-fg-china-hacking-20130313,0,4812955.story

China hacker's angst opens a window onto cyber-espionage
Young man's blog provides a rare glimpse of the secretive hacking
establishment of the Chinese military, whose efforts have become a growing
concern to the U.S.
By Barbara Demick

BEIJING — For a 25-year-old computer whiz enlisted in a People's
Liberation Army hacking unit, life was all about low pay, drudgery and
social isolation.

Nothing at all like the unkempt hackers of popular imagination, the young
man wore a military uniform at work in Shanghai. He lived in a dorm where
meals often consisted of instant ramen noodles. The workday ran from 8
a.m. to 5:30 p.m., although hackers were often required to work late into
the evening.

With no money and little free time, he found solace on the Internet. He
shopped, chatted with friends and courted a girlfriend. He watched movies
and television shows. He drew particular inspiration from the Fox series
"Prison Break," and borrowed its name for his blog.

The blog provides a rare peek into the secretive hacking establishment of
the Chinese military, which employs thousands of people in what is
believed to be by far the world's largest institutionalized hacking
operation.

Concern about computer security has risen sharply in recent weeks. Top
U.S. intelligence officials said Tuesday that attacks and espionage now
pose a greater potential danger than Al Qaeda and other militant
organizations. The computers of more than 30 journalists and executives of
Western news organizations in China, including the New York Times and the
Wall Street Journal, have been hacked.

Mandiant Corp., a U.S. computer security firm based in Alexandria, Va.,
said in a report last month that it had traced an epidemic of attacks on
dozens of U.S. and Canadian companies to an office building in Shanghai
occupied by an espionage unit of the People's Liberation Army.

Richard Bejtlich, Mandiant's security chief, said posts written by the
blogger, who called himself "Rocy Bird," provided the most detailed
first-person account known to date of life inside the hacking
establishment. Although the blog was discontinued four years ago, the
techniques described in it remain the same. "It is relevant," said
Bejtlich. "Things have not changed that much."

The hacker, whose real family name is Wang, posted some 625 entries
between 2006 and 2009. "Fate has made me feel that I am imprisoned," he
wrote in his first entry on Sina.com. "I want to escape."

Los Angeles Times reporters tracked down Wang and his blog through an
email address that was listed on a published 2006 paper about hacking. A
coauthor of the paper was Mei Qiang, identified by Mandiant as a key
hacker who operated under the alias "Super Hard" in Unit 61398.

One of many Chinese military units linked to hacking, Unit 61398 falls
under the People's Liberation Army's General Staff 3rd Department, 2nd
Bureau, which is roughly equivalent to the U.S. National Security Agency.

The PLA recruits computer scientists, mathematicians and linguists from
China's top universities for its Internet espionage programs. Not unlike
in the U.S., students can continue their education for free in return for
their enlistment in military service.

Wang earned his master's degree in Internet security at age 25 at the
Information Engineering University, run by the PLA in Zhengzhou, Henan
province.

Immediately after graduating in 2006, he was enlisted in a hacking
operation in Shanghai.

In the blog, Wang did not disclose which unit he worked for, but he made
it clear that he was wearing a uniform and carrying a military badge. He
described his building as being far from the Shanghai city center, one of
his many complaints.

"What I can't understand is why all the work units are located in the most
remote areas of the city," Wang wrote in an entry in 2007. "I really don't
get what those old guys are thinking in the beginning. They should at
least take us young people into consideration. How can passionate young
people like us handle a prison-like environment like this?"

One of his first tasks was to improve on a Trojan virus known as Back
Orifice 2000, which is designed to remotely hijack a computer system to
steal information.

In July 2007, he boasted that his virus had successfully escaped detection
by three leading detection programs made by McAfee, Symantec and Trend
Micro, but that it didn't get past a fourth, Kaspersky. He also described
another assignment: write a virus that would detect any USB storage device
attached to a computer and copy its files. The virus was a success and
Wang's boss was pleased.

"If we're lucky enough, we might be able to complete this year's target
and earn a year-end bonus for everyone," Wang wrote with enthusiasm.

Otherwise, Wang poured out his unhappiness. The hackers were required to
speak English, the international language of technology, as well as an
essential for phishing attacks on mostly U.S. targets. But when Wang tried
to hone his English skills by reading magazines such as the Economist and
Harvard Business Review, his boss rebuked him for reading too much foreign
press.

"The boss doesn't understand. I'll have to be more careful," he
complained. Wang was also unhappy that supervisors refused to reimburse
him for a $1 bus ticket to attend a business conference, while his boss
claimed more than $100 for a bottle of liquor.

A high school reunion left Wang feeling discouraged about his paycheck and
prospects.

"They all have a bright future. Some of them became lawyers; some went
into property business or finance; some wrote programs for a commercial
software company. Compared with their handsome monthly income, I even felt
ashamed to say hello to them," Wang wrote.

Wang never reflected on the pros and cons of hacking for the Chinese
government, but he clearly regretted having enlisted. "My only mistake was
that I sold myself out to the country for some minor benefits and put
myself in this embarrassing situation," he wrote. With the help of his
family, he managed to get out in 2008. He stopped writing the blog a year
later.

Wang is believed to be living in Chengdu. One of his last online traces
was a comment posted on Dianping, a popular restaurant review site, about
an ice cream parlor in that city.

Wang did not return several emails and instant messages requesting comment.

The period covered in Wang's blog coincides with an upsurge in hacking
detected by Mandiant. In a report issued last month, the company said
hackers had systematically stolen hundreds of terabytes from 141
organizations, most of them American.

Industries targeted included chemicals, technology, financial services,
mining, energy, healthcare, media and international organizations. The
data included blueprints, pricing strategies and emails, which are
suspected of being given to Chinese state-owned enterprises for
competitive advantage.

The Chinese government has repeatedly denied hacking and has said it has
been the victim of attacks originating from the United States.

"Cyberspace needs rules and cooperation, not war. China is willing to have
constructive dialogue and cooperation with the global community, including
the United States," Foreign Ministry spokeswoman Hua Chunying said at a
briefing Tuesday.

Last month's report by Mandiant marked the first time individual hackers
were identified by name. More information has trickled out since.

Investigators have unearthed birthdays, photographs, profiles on Kaixin (a
Chinese version of Facebook), shopping and dining preferences. One
hacker's user name appeared in a forum for flower-arranging enthusiasts.

They logged on to personal email or social networking sites from work, or
used their real phone numbers to register Gmail or Hotmail accounts later
used for phishing attacks. Mei Qiang, Wang's research partner, posted a
note on a software developer's message board looking for extra work.

"I'm good at writing hacking tools, such as Trojan viruses," read the
advertisement posted in 2005. It was taken down last month after it was
discovered by an investigator based in India who runs a blog called
Cyb3rSleuth.

"These were not elite uber-hackers," said Richard Mogull, an Internet
security consultant and head of the Phoenix-based Securosis. "Some people
want to demonize these guys, but they are just frontline soldiers doing
their job for their country — not evil people."

Wang probably never imagined his blog would catch the focus of journalists
or Internet security experts, Bejtlich said. "This is really an anguished
person who didn't enjoy his situation, and this is probably just an outlet
for him to share his story," he said.

Because the hackers were operating under military protection, they
probably weren't as intent on concealing their identities as criminals who
would face punishment if caught. Bejtlich compared them to members of the
U.S. military who inadvertently make disclosures on Facebook or on blogs.
"They will get better. That's how they will learn."

barbara.demick at latimes.com
Tommy Yang of The Times' Beijing bureau contributed to this report.

Copyright © 2013, Los Angeles Times <http://www.latimes.com/>
