|
RAND Report: (Chinese-origin) Hacking
[Editor's note: This is an excerpt from RAND report "You've Got Dissent! -- Chinese
Dissident Use of the Internet and Beijing's Counter-Strategies" authored by Michael S. Chase
and James C. Mulvenon and published in 2002.] There is some evidence to suggest that the Chinese government or elements within it have engaged
in hacking of dissident and anti-regime computer systems outside of China. Given the inherently
indeterminate nature of the source of most computer network intrusions, it is often difficult if not
impossible to establish official culpability for hacking attacks without additional evidence.
Governments, usually by design, can therefore claim a reasonable measure of plausible deniability in
these cases. The Chinese-origin hacking attacks that occurred against Taiwan in August 1999 and
against Japan in February 2000 are examples of incidents in which government culpability, either
limited or complete, is difficult to determine solely on the basis of the intrusion data. Stronger evidence exists to support the conclusion that the Chinese government or elements within
it were responsible for one or more of the China-origin network attacks against computer systems
maintained by practitioners of Falungong in the United States, Australia, Canada, and the United
Kingdom. After the exposure of the role of certain Chinese security agencies in the attacks, the
later, more sophisticated intrusions were believed to have been carried out by cut-outs, making it
more difficult to ascertain the extent of government involvement. This was especially true of the
attacks that occurred in winter and spring 2000. Summer 1999. In mid-July 1999, the Chinese government authorities began a nationwide
[persecution of] on Falungong [...] News of the [persecution] spread quickly, due in large measure
to the [group's] extensive use of advanced information technologies and its network of Internet
sites around the globe. These sites provided real-time accounts of [persecutions] in some Chinese
cities, based on e-mails and other communications from Falungong [practitioners]. As the story was
gradually picked up by the global media, these sites, many of which were shoestring operations run
by group members, understandably began to strain under the increased hits they received. While this
slowdown in service was an expected consequence of worldwide attention, some of the sites began to
suffer from anomalous crashes. When the system administrators of these servers examined the
situation in detail, some realized that their networks were suffering from a sophisticated series of
computer network attacks. The July 1999 attacks against Falungong sites in four countries (one in
Britain, two in Canada, one in Australia, and two in the United States) bear greater scrutiny. The evidence of a Chinese government-directed information operation against Falungong is
strongest in the U.S. case. On July 14, 1999, Falungong practitioner Bob McWee of Middletown, MD,
established www.falunusa.net, with the express purpose of mirroring the files of existing Falungong
sites in Canada (www.falundafa.ca and www. minghui.ca) and the United States (www.falundada.org).
On July 20, 1999, the two Canadian sites began to suffer a degradation of network performance,
because of Chinese-origin hacking attacks. As a result, they began re-routing connection requests to
their mirror site, FalunUSA. Between July 21 and 23, the U.S. site began to have similar
difficulties. Specifically, it was suffering from a type of attack known generally as a
denial-of-service attack, in which the target machine is flooded with incomplete requests for data
and eventually succumbs to the attack by crashing. Backtracking a similar attack on July 27, 1999,
revealed the source IP address of the attack to be 202.106.133.101, an Internet address in China.
Examination of the Asia-Pacific Network Information Center (APNIC) database entry for this address
revealed the ownership information shown in Figure 1. The name of the organization, "Information Service Center of XinAn Beijing," sounded
innocuous enough, but the street address told a very different story. The address, #14 East Chang'an
Street (listed in Figure 1 in transliteration as "Dong Chang An Jie 14") in Beijing, is
that of the Ministry of Public Security, China's internal security service--the organization most
embarrassed by the unexpected appearance of thousands of Falungong practitioners outside the central
leadership compound, Zhongnanhai, in April 1999, which led to the MPS leadership being criticized
and purged. In addition, the MPS Computer Monitoring and Supervision Bureau has important
responsibilities related to the Internet in China, including computer network security and
management of ISPs. Of course, given the ambiguities of information warfare created by the structure of the Internet
itself, intrusion-detection logs alone are usually not sufficient to identify whether the true
source of an attack is the organization in question or simply a third party that has hacked into the
MPS network and used it as a base to launch attacks. Four crucial pieces of evidence, however,
strongly suggest that the MPS was the real culprit in the attacks against Falungong sites. First,
the network had been established shortly before the information operations began and was divorced
from other explicitly identified MPS networks in other parts of Chinese cyberspace, such as the
domain spaces belonging to the MPS web page (www.mps.gov.cn). Second, the name of the organization
in the database--Information Service Center--suggests an intent to deceive outsiders about its
actual affiliation. Third, at least one Western media source claimed to have called the telephone numbers listed in
Figure 1 and was told by the person answering the phone that the numbers belonged to the Ministry of
Public Security. A later call by the same news organization to the telephone operator at the
ministry confirmed that the numbers belonged to the MPS Computer Monitoring and Supervision Bureau.
The fourth and most telling piece of evidence resulted directly from the impending exposure in
the Western media of the network's governmental affiliation. Probably as a result of the increasing
media attention, especially an imminent article by Michael Laris in the Washington Post,
the information in the APNIC database was altered on 29 July 1999, as seen in Figure 2. Most
important, the owners of the network space changed the damning street address of the owner of the
network from #14 East Chang'an Street to #6 Zhengyi Road (listed in Figure 2 in transliteration as
Zheng Yi Lu 6). If the ministry's network had itself been the victim of an attack and was thus wrongly accused as
the perpetrator of the attacks on the Falungong site in the United States, why go to the trouble of
changing the database information to an address other than MPS headquarters? And was it a
coincidence that the network information was changed on the eve of an expos¨¦ in a major Western
newspaper of the MPS's alleged role in the attack? Most damning, the new street address (No. 6
Zhengyi Rd) is the address of the Ministry of Public Security's No. 3 Research Institute, which is
responsible for computer security. The evidence cited earlier, along with this last attempt to
further disguise the true owner of the network, strongly suggests that the perpetrator was caught
with its "hand in the cookie jar." Of course, the fact that the attacks might have
originated from an MPS network does not automatically imply that they were sanctioned by the
ministry leadership or their superiors in the senior party leadership. One possibility that must be
considered is that the attack was carried out by a "rogue element" within the MPS, without
approval from anyone. After the exposure of a rogue's efforts, a natural reaction would be to cover
up the network's ministry affiliation by changing the APNIC data. One might question whether the
ministry would be able to find the perpetrator, conduct an investigation of his actions, and
implement a technical fix so quickly, but as improbable as that seems, it is not impossible. One final footnote to the July 27, 1999, attack against FalunUSA.net: The manner in which the MPS
allegedly brought down the site contains a fascinating twist. The denial-of-service attack was a
classic "SYN flood" attack and appears to have been designed to make it appear as if
Falungong was conducting information operations against the U.S. Department of Transportation
(DOT). In the July attack, the MPS network sent a SYN to the FalunUSA site with an incorrect
return address, namely, a server controlled by DOT. A network engineer at DOT contacted Bob McWee
and the operators of the other Falungong sites to find out why www.falundafa.org, www.falunUSA. net,
and www.falundafa.ca were sending unauthorized packets to a DOT server, according to Everett Dowd,
deputy director of telecommunications in the DOT Information Technology Operations office. Why, out of the millions of possible IP addresses, did the MPS choose an address belonging to
DOT? One plausible hypothesis is that the perpetrator wanted a "two-fer": crash the
Falungong site, but also make it look as if the Falungong site was engaged in information operations
against a U.S. government site. At the time of the attack, the entire Chinese governmental
propaganda apparatus was in high gear, branding Falungong a "dangerous cult" and a
"terrorist organization." What better way to demonize Falungong than to make it appear
that the organization was hacking sites run by the U.S. government? Indeed, system administrators at
DOT initially thought they were under a different type of denial-of-service attack (a SYN-ACK flood)
from the Falungong site, since all they could see on their end was a series of SYN-ACK requests
entering their system from FalunUSA.net for no apparent reason. Only later did the DOT personnel
realize that the Falungong site had simply been the unwitting accomplice of a third party. Attacks on Falungong sites in England and Australia during late summer 1999 bear some interesting
similarities to the intrusions in the United States, particularly with regard to the source IP
addresses of the perpetrators. The U.K. Falungong web site (http://www. yuanming.org.uk) was set up
on July 20, 1999, by Zhu Bao, a Falungong practitioner living in Dublin, Ireland.92 By July 23¨C24,
1999, the site had come under continuous attack from China-origin IP addresses. At the beginning of
the attacks, the intruders disabled the server.93 Later, they deleted all the original files and
replaced them with the text of an article from the Xinhua News Agency [that slandered the
founder of Falun Gong.] Falungong's U.K.-based service provider (NetScan, www.netscan.co. uk) confirmed that the
intruders had obtained their root password. In a separate attack, Li Shao of Nottingham publicly
reported on July 26, 1999, that his Falungong site was attacked by hackers operating from a Chinese
IP address.94 Falungong sources claim that the British police linked the address to the Information
Service Center of XinAn in Beijing, discussed above, but no independent confirmation was possible. In Canada, two Falungong sites (www.minghui.ca and www. falundafa.ca) were attacked by hackers,
and both eventually succumbed. The ISPs for these sites, Bestnet Internet of Hamilton, Ontario, and
Nebula Internet Services of Burlington, Ontario, reported that their networks were attacked on July
30, 1999, by Chinese government servers because they hosted sites run by Canadian followers of
Falungong, including Jason Xiao, the system administrator of www.falundafa.ca.96 According to the
director of Bestnet Internet, Eric Weigel, the hack attempts originated with "Chinese
government offices in Beijing." Weigel stated that the specific originating addresses belonged
to the Beijing Application Institute for Information Technology (BAIIT) and the Information Center
of XinAn Beijing.97 No IP addresses were furnished by the newspaper accounts, but BAIIT's networks
can be found between 203.93.160.0 and 203.93.160.255. Possible government connections are suggested
by the P.O. box mailing address provided by BAIIT in the APNIC database, as P.O. boxes are often
used in lieu of street addresses by Chinese government and military hosts. By contrast, the
government affiliations of the Information Center of XinAn Beijing are much clearer, as discussed in
greater detail earlier in this chapter. Nebula Internet Services reported that the same sites had attempted to crash its servers, using
similar types of attacks. According to Nebula representatives, the assault went on for more than a
month, coinciding with the timetable of the [government's persecution of Falun Gong.] Unlike Bestnet,
which had more advanced equipment and was able to withstand the attacks with little loss of service,
Nebula's systems were crippled by the hackers, and the company was forced to shut off its service.
The owner of two Canadian Falungong sites (perhaps the same sites discussed above), Jillian Ye of
Toronto, claimed that her sites had been under attack every day for several months and that the
problems had gotten progressively worse until she finally moved the sites to a more secure server.98
Fewer similarities exist between the attacks described above and those against Falungong servers
based in Australia, but the timing of the Australian attacks (in late summer 1999 and mid-spring
2000) coincides to a significant degree with attacks in other countries. An Australian practitioner
of Falungong established a Falungong mirror site (http://falundafa. au.cd) in March 1997 on a
Windows NT server.99 On September 6, 1999, computer attacks originating from a Chinese IP address
forced this site to shut down.100 The victims reported to the police that the intruders tampered
with their e-mail system. The system administrator of the site noticed that the infiltrators were
able to manipulate the cursor on their screen, which suggests that the attackers were using a hacker
tool known as Back Orifice 101 to penetrate the site. Beginning in September 1999, Australian police
undertook constant monitoring of the site. Spring 2000. The first of the renewed attacks
against Falungong servers occurred on March 11, 2000, coinciding with the meetings of the National
People's Congress in Beijing. The hack, which used a denial-of-service technique known as a "smurf"
attack, brought down the main server in Canada (www.minghui.ca), as well as three mirror sites (www.falundafa.ca,
www.falundafa.org, and www. minghui.org).102 Since smurf attacks are quite effective in masking the
identity of the attacker, no useful source information could be gained from the logs of the
intrusions. Attacks on Falungong servers reached a crescendo in mid-April 2000, when five sites--three in the
United States (www.falunUSA.net, www.falundafa.org, www.truewisdom.net) and two in Canada (www.minghui.ca
and www.falundafa.ca)--were smurf-attacked simultaneously. 103 The timing of the attacks coincided
with two sensitive political events: (1) the impending vote in the United Nations Human Rights
Commission on a UN resolution condemning Chinese human-rights abuses, including persecution of
Falungong; and (2) the one-year anniversary of the April 25, 1999, gathering of Falungong
practitioners outside the central leadership compound in Beijing. Falungong system administrators received a variety of warnings about the impending attack. Around
April 6, Falungong received an e-mail warning that the Public Security Bureau had paid two network
security companies to hack the group's sites abroad. After the first wave of attacks, Falungong
system administrator Li Yuan received an anonymous tip on April 12 confirming the situation.
"We received an anonymous e-mail from a Chinese computer expert on April 12 warning us that the
police computer security bureau had offered to pay a computer company money to hack into our
sites," said Yuan. According to the Maryland-based system administrator for FalunUSA, the
attacks themselves began around April 9 or 10. The intruders attacked the IP addresses of the sites,
not the domain names, and likely got into the system using security holes in the ftp command. Once
inside, the attackers replaced most of the original network command files (e.g., ls, df,
and find) with versions of these files that contained "trojan horses" for later
penetration. The system administrator reports that after he discovered and dismantled the hackers'
efforts, intruders attempted to log on to his server, using ftp and SSH commands, but these probes
were rebuffed. In Australia, the attacks started again between March and May 2000, with the most serious attack
coming on May 22. The Australian server was crashed by hackers around 3 a.m. on May 22, rebooted the
next morning, and hacked again one hour later. It was not rebooted a second time until 7 or 8 p.m.
Logs of these attacks and the addresses of the attacking sites were unavailable for analysis, but
the Australian system administrator said that the intruders used an exploit known as IISATTACK, and
their IP addresses could be traced to Hong Kong, England, and the United States. The system
administrator asserted that the attacks in 2000 were far more sophisticated than those in 1999, and
the attackers were able to easily exploit the server's remote logins, which were later disabled by
its owners. Source: http://www.rand.org/publications/MR/MR1543/ Posting date: 9/20/2003 |