11 Things To Know About The Chinese Hacking Scandal


Watching The Defectives

Comment Crew are so named for the attackers’ penchant for embedding hidden code or comments into webpages. Based on the digital crumbs the group left behind, its attackers have been known to use the same malware, web domains, internet protocol addresses, hacking tools, and techniques across attacks.

“But those are only the ones we could easily identify,” said Mr. Mandia to the New York Times.

Other security experts estimate that the group is responsible for thousands of attacks. Mandiant discovered that two sets of IP addresses used in the attacks were registered in the same neighborhood as Unit 61398’s building.
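The attribution method described above (tying separate intrusions to one group because they reuse the same malware, domains and IP addresses) can be reproduced on incident data. The following is an added example, not code from the article or from Mandiant; the intrusion records and indicator values are constructed placeholders.

```python
"""Cluster intrusions by shared indicators (malware hash, C2 domain, IP).
Added example with constructed data; none of it comes from the report."""
from collections import defaultdict

# Constructed sample: indicators observed in each intrusion during response.
INTRUSIONS = {
    "incident-01": {"sha256:AAA", "example-c2-one.test", "198.51.100.10"},
    "incident-02": {"sha256:BBB", "example-c2-one.test", "198.51.100.11"},
    "incident-03": {"sha256:BBB", "example-c2-two.test"},
    "incident-04": {"sha256:CCC", "example-other.test", "203.0.113.5"},
    "incident-05": {"sha256:DDD", "203.0.113.5"},
}

def cluster_by_shared_indicators(intrusions, min_shared=1):
    """Union-find: two intrusions join one cluster when they share at least
    `min_shared` indicators; membership is transitive, so a chain of
    pairwise overlaps ends up in a single cluster."""
    parent = {name: name for name in intrusions}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    names = list(intrusions)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if len(intrusions[a] & intrusions[b]) >= min_shared:
                parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for name in names:
        clusters[find(name)].add(name)
    return sorted(sorted(c) for c in clusters.values())

def shared_infrastructure(intrusions, cluster):
    """Indicators seen in more than one intrusion of a cluster: the reuse
    that lets responders link separate incidents to one actor."""
    counts = defaultdict(int)
    for name in cluster:
        for indicator in intrusions[name]:
            counts[indicator] += 1
    return sorted(ind for ind, n in counts.items() if n > 1)

if __name__ == "__main__":
    for cluster in cluster_by_shared_indicators(INTRUSIONS):
        print(cluster, "reused:", shared_infrastructure(INTRUSIONS, cluster))
```

Raising `min_shared` makes the linkage stricter, which is the usual guard against over-attributing on a single shared indicator such as a widely used hosting IP.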

“It’s where more than 90 percent of the attacks we followed come from,” said Mr. Mandia.

The only other possibility, the report concludes with a touch of sarcasm, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”

One of the most visible hackers followed is UglyGorilla, who first appeared on a Chinese military forum in January 2004, asking whether China had a “similar force” to the “cyber army” being set up by the American military. By 2007, UglyGorilla was turning out a suite of malware with what the report called a “clearly identifiable signature.” Another hacker, called DotA by Mandiant, created email accounts used to plant malware. That hacker was frequently tracked using a password that appeared to be based on his military unit’s designation. DotA and UglyGorilla both used the same IP addresses linked back to Unit 61398’s neighborhood.

Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts to get around China’s firewall, which blocks ordinary citizens’ access, making it easier to track down their real identities.

Byzantine Candor

This has all been brewing over the last decade. What we’re seeing here is a growing counter to the many intelligence groups established by America and countless other countries, one that has become big enough, or cocky enough, to get sloppy and exposed. The Comment Crew could easily have become a tool of power factions in the Chinese political system, to be thrown under the bus of international relations to discredit reformists like Wen Jiabao. Symantec has been tracking the hackers for over six years with no headlines, after all.

Bloomberg ran a piece about them last July, complete with a timeline, without all the Chicken Little screeching and wailing that the New York Times’s piece has caused. The rather specifically named FierceGovernmentIT reported on Byzantine Candor in December of 2010.

Shawn Henry, former executive assistant director of the FBI in charge of the agency’s cyber division, told Bloomberg:

What the general public hears about — stolen credit card numbers, somebody hacked LinkedIn – that’s the tip of the iceberg, the unclassified stuff. I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.

China’s Response

Following the January 30 New York Times article, officials at the Chinese embassy in Washington insisted that their government doesn’t engage in computer hacking and that such activity is illegal. The Chinese officials describe China itself as a victim of computer hacking and accurately point out that there are many hacking groups inside the United States.

The following day, the Chinese Ministry of Foreign Affairs said that the allegations were “unprofessional.”

Hong Lei, a ministry spokesman, said:

Making unfounded accusations based on preliminary results is both irresponsible and unprofessional, and is not helpful for the resolution of the relevant problem. China resolutely opposes hacking actions and has established relevant laws and regulations and taken strict law enforcement measures to defend against online hacking activities.

“The Defense Ministry and China Military Online websites have faced a serious threat from hacking attacks since they were established,” Defense Ministry spokesman Geng Yansheng is quoted by Reuters news agency as saying at a monthly press conference.

“Like other countries, China faces a serious threat from hacking and is one of the primary victims of hacking in the world,” Geng said. “Numbers of attacks have been on the rise in recent years.”

Geng said that 144,000 such attacks occurred each month last year and that an analysis of the IP addresses showed that 62.9 percent of them came from the U.S.

“We hope that the U.S. side can explain and clarify this,” Geng said, “but we do not point fingers at the U.S. based on the aforementioned findings, and every country should deal with cyber security in a professional and responsible manner.”

But America Did It First

Iran leads the world in green-screen technology.

The United States government also has cyberwarriors. Working with Israel, the United States has used malicious software called Stuxnet to disrupt Iran’s uranium enrichment program. Government officials insist they operate under strict, if classified, rules that bar using offensive weapons for non-military purposes or stealing corporate data.

America’s Response

The United States government is planning to begin a more aggressive defense against Chinese hacking groups. Under a directive signed by President Obama last week, the government plans to share with American Internet providers information it has gathered about the unique digital signatures of the largest of the groups, including Comment Crew and others emanating from near where Unit 61398 is based.

Government warnings won’t explicitly link those groups, or the giant computer servers they use, to the Chinese army. The question of whether to publicly name the unit and accuse it of widespread theft is the subject of ongoing debate.

President Obama alluded to this concern in his State of the Union speech.

We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.
