MCLC: persistent hacking in China

Denton, Kirk denton.2 at osu.edu
Fri Mar 30 10:29:17 EDT 2012


MCLC LIST
From: kirk (denton.2 at osu.edu)
Subject: persistent hacking in China
***********************************************************

Source: NYT (3/29/12):
http://www.nytimes.com/2012/03/30/technology/hacking-in-asia-is-linked-to-chinese-ex-graduate-student.html

Case Based in China Puts a Face on Persistent Hacking
By NICOLE PERLROTH

SAN FRANCISCO — A breach of computers belonging to companies in Japan and
India and to Tibetan activists has been linked to a former graduate
student at a Chinese university — putting a face on the persistent
espionage by Chinese hackers against foreign companies and groups.

The attacks were connected to an online alias, according to a report
<http://trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf>
to be released on Friday by Trend Micro, a computer security firm with
headquarters in Tokyo.

The owner of the alias, according to online records, is Gu Kaiyuan, a
former graduate student at Sichuan University, in Chengdu, China, which
receives government financing for its research in computer network defense.

Mr. Gu is now apparently an employee at Tencent, China's leading Internet
portal company, also according to online records. According to the report,
he may have recruited students to work on the university's research
involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed
hackers. But security experts and other researchers say the techniques and
the victims point to a state-sponsored campaign.

"The fact they targeted Tibetan activists is a strong indicator of
official Chinese government involvement," said James A. Lewis, a former
diplomat and expert in computer security who is a director and senior
fellow at the Center for Strategic and International Studies in
Washington. "A private Chinese hacker may go after economic data but not a
political organization."

Neither the Chinese embassy in Washington nor the Chinese consulate in New
York answered requests for comment.

The Trend Micro report describes systematic attacks on at least 233
personal computers. The victims include Indian military research
organizations and shipping companies; aerospace, energy and engineering
companies in Japan; and at least 30 computer systems of Tibetan advocacy
groups, according to both the report and interviews with experts connected
to the research. The espionage has been going on for at least 10 months
and is continuing, the report says.

In the report, the researchers detailed how they had traced the attacks to
an e-mail address used to register one of the command-and-control servers
that directed the attacks. They mapped that address to a QQ number —
China's equivalent of an online instant messaging screen name — and from
there to an online alias.

The person who used the alias, "scuhkr" — the researchers said in an
interview that it could be shorthand for Sichuan University hacker — wrote
articles about hacking, which were posted to online hacking forums and, in
one case, recruited students to a computer network and defense research
program at Sichuan University's Institute of Information Security in 2005,
the report said.

The New York Times traced that alias to Mr. Gu. According to online
records, Mr. Gu studied at Sichuan University from 2003 to 2006, when he
wrote numerous articles about hacking under the names of "scuhkr" and Gu
Kaiyuan. Those included a master's thesis about computer attacks and
prevention strategies. The Times connected Mr. Gu to Tencent first through
an online university forum, which listed where students found jobs, and
then through a call to Tencent.

Reached at Tencent and asked about the attacks, Mr. Gu said, "I have
nothing to say."

Tencent, which is a privately managed and stock market-listed Internet
company, did not respond to several later inquiries seeking comment.

The attacks are technically similar to a spy operation known as the Shadow
Network, which since 2009 has targeted the government of India and also
pilfered a year's worth of the Dalai Lama's personal e-mails. Trend
Micro's researchers found that the command-and-control servers directing
the Shadow Network attacks also directed the espionage in its report.

The Shadow Network attacks were believed to be the work of hackers who
studied in China's Sichuan Province at the University of Electronic
Science and Technology, another university in Chengdu, that also receives
government financing for computer network defense research. The People's
Liberation Army has an online reconnaissance bureau in the city.

Some security researchers suggest that the Chinese government may use
people not affiliated with the government in hacking operations — what
security professionals call a campaign.

For example, earlier this year, Joe Stewart, a security expert at Dell
SecureWorks, traced a campaign against the Vietnam government and oil
exploration companies to an e-mail address that belonged to an Internet
marketer in China.

"It suggested there may be a marketplace for freelance work — that this is
not a 9-to-5 work environment," Mr. Stewart said. "It's a smart way to do
business. If you are a country attacking a foreign government and you
don't want it tied back, it would make sense to outsource the work to
actors who can collect the data for you."

The campaign detailed in the Trend Micro report was first documented two
weeks ago by Symantec, a security firm based in Mountain View, Calif. It
called the operation "Luckycat," after the login name of one of the other
attackers, and issued its own report. But Trend Micro's report provides
far more details. The two firms were unaware that they were both studying
the same operation.

Trend Micro's researchers said they were first tipped off to the campaign
three months ago when they received two malware samples from two separate
computer attacks — one in Japan and another in Tibet — and found that they
were both being directed from the same command-and-control servers. Over
the next several months, they traced more than 90 different malware
attacks back to those servers.
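The two infrastructure pivots the article describes, tying many samples to the same command-and-control servers (this paragraph and the Shadow Network overlap above) and walking from a C2 server's registration record to the registrant e-mail and QQ number (the paragraph on tracing the e-mail address above), as an added example in working Python. This is not code from the Trend Micro report or the NYT article; every sample label, hostname, registrant e-mail and QQ number is constructed, and the fan-out cutoff for shared registrant addresses is an assumption.

```python
"""Added example, not code from the Trend Micro report or the NYT article.

1. Cluster malware samples that call back to the same C2 hosts (how dozens
   of attacks get tied to one server set).
2. Pivot from a C2 domain's registration record to the registrant e-mail
   (and the QQ number filed with it) and on to every other domain that
   e-mail registered, then merge clusters that share a registrant.
All sample labels, hostnames, e-mails and QQ numbers are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed: sample label -> C2 hostnames extracted from that sample's config.
SAMPLES: Dict[str, List[str]] = {
    "sample-jp-001":    ["update.c2-alpha.test", "news.c2-beta.test"],
    "sample-tibet-001": ["news.c2-beta.test"],
    "sample-jp-002":    ["update.c2-alpha.test"],
    "sample-in-001":    ["mail.c2-gamma.test"],        # shares no host with the rest
    "sample-other-001": ["cdn.proxy-registered.test"],
}

# Constructed WHOIS-style records: registered domain -> registrant fields.
WHOIS: Dict[str, Dict[str, str]] = {
    "c2-alpha.test":         {"email": "reg-one@mail.test", "qq": "10001"},
    "c2-beta.test":          {"email": "reg-one@mail.test", "qq": "10001"},
    "c2-gamma.test":         {"email": "reg-one@mail.test", "qq": "10001"},  # same registrant
    "proxy-registered.test": {"email": "privacy@whois-proxy.test", "qq": ""},
    "shop.test":             {"email": "privacy@whois-proxy.test", "qq": ""},
    "blog.test":             {"email": "privacy@whois-proxy.test", "qq": ""},
    "forum.test":            {"email": "privacy@whois-proxy.test", "qq": ""},
}

def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain. Naive (last two labels);
    real tooling should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def _components(nodes: List[str], edges: List[Tuple[str, str]]) -> List[List[str]]:
    """Connected components over `nodes` via union-find, sorted for stable output."""
    parent = {n: n for n in nodes}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in edges:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    groups: Dict[str, Set[str]] = defaultdict(set)
    for n in nodes:
        groups[find(n)].add(n)
    return sorted(sorted(g) for g in groups.values())

def _host_edges(samples: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """One edge between every pair of samples that share a C2 host."""
    by_host: Dict[str, List[str]] = defaultdict(list)
    for sample, hosts in samples.items():
        for host in hosts:
            by_host[host].append(sample)
    return [(ss[0], s) for ss in by_host.values() for s in ss[1:]]

def cluster_by_c2(samples: Dict[str, List[str]]) -> List[List[str]]:
    """Samples linked only by directly shared C2 hosts."""
    return _components(list(samples), _host_edges(samples))

def registrant_pivot(host: str, whois: Dict[str, Dict[str, str]],
                     max_fanout: int = 3) -> Tuple[Optional[str], Set[str]]:
    """Registrant e-mail of `host`'s domain and every domain that e-mail registered.
    An e-mail on more than `max_fanout` domains (assumed threshold) is treated as
    a shared or privacy-proxy address and yields no siblings: that link says
    nothing about who operates the domains."""
    rec = whois.get(registered_domain(host))
    if rec is None:
        return None, set()
    email = rec["email"]
    siblings = {d for d, r in whois.items() if r["email"] == email}
    if len(siblings) > max_fanout:
        return email, set()
    return email, siblings

def cluster_with_registrant(samples: Dict[str, List[str]],
                            whois: Dict[str, Dict[str, str]],
                            max_fanout: int = 3) -> List[List[str]]:
    """C2-host clustering extended with registrant-e-mail links."""
    by_email: Dict[str, List[str]] = defaultdict(list)
    for sample, hosts in samples.items():
        for host in hosts:
            email, siblings = registrant_pivot(host, whois, max_fanout)
            if email and siblings:
                by_email[email].append(sample)
    edges = _host_edges(samples)
    edges += [(ss[0], s) for ss in by_email.values() for s in ss[1:]]
    return _components(list(samples), edges)

if __name__ == "__main__":
    print("by shared C2 host:    ", cluster_by_c2(SAMPLES))
    print("plus registrant pivot:", cluster_with_registrant(SAMPLES, WHOIS))
    print("pivot from c2-alpha:  ", registrant_pivot("update.c2-alpha.test", WHOIS))
```

With this data, host overlap alone leaves sample-in-001 isolated; the registrant pivot merges it into the main cluster because its C2 domain was registered with the same e-mail and QQ number. A registrant link is weaker evidence than a direct C2 overlap, which is why an address that registered many domains (here, the constructed privacy-proxy e-mail) is dropped rather than used to merge clusters.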

Each attack began, as is often the case, with an e-mail intended to lure
victims into opening an attachment. Indian victims were sent an e-mail
about India's ballistic missile defense program. Tibetan advocates
received e-mails about self-immolation or, in one case, a job opening at
the Tibet Fund, a nonprofit based in New York City. After Japan's
earthquake and nuclear disaster, victims in Japan received an e-mail about
radiation measurements.

Each e-mail contained an attachment that, when clicked, automatically
created a backdoor from the victim's computer to the attackers' servers.
To do this, the hackers exploited security holes in Microsoft Office and
Adobe software. Almost immediately, they uploaded a directory of the
victims' machines to their servers. If the files looked enticing, hackers
installed a remote-access tool, or RAT, which gave them real-time control
of their target's machine. As long as a victim's computer was connected to
the Internet, attackers had the ability to record their keystrokes and
passwords, grab screenshots and even crawl from that machine to other
computers in the victim's network.

Trend Micro's researchers would not identify the names of the victims in
the attacks detailed in its report, but said that they had alerted the
victims, and that many were working to remediate their systems.

A spokesman for India's Defense Ministry, Sitanshu Kar, said he was not
aware of the report or of the attacks it described. Fumio Iwai, a deputy
consul at the Japanese consulate in New York, declined to comment.

As of Thursday, the campaign's servers were still operating and computers
continued to leak information.

"This was not an individual attack that started and stopped," said Nart
Villeneuve, a researcher who helped lead Trend Micro's efforts. "It's a
continuous campaign that has been going on for a long time. There are
constant compromises going on all the time. These guys are busy and stay busy."

Vikas Bajaj contributed reporting from Mumbai and David Barboza from
Shanghai. Xu Yan contributed research from Shanghai.
