Original URL: https://www.theregister.com/2011/12/24/china_cybercrime_underground_analysis/

Hidden Dragon: The Chinese cyber menace

'Any decent government does industrial espionage'

By John Leyden

Posted in Security, 24th December 2011 10:00 GMT

Analysis Cybercrooks and patriotic state-backed hackers in China are collaborating to create an even more potent security threat, according to researchers.

Profit-motivated crooks, who gain compromised access to foreign governments' computers but are unable to monetise it, trade that access to state-sponsored hackers in exchange for exploits. This trade is facilitated by information-broker middlemen, according to Moustafa Mahmoud, president of The Middle East Tiger Team.

Mahmoud has made an extensive study of the Chinese digital underground that partially draws on material not available to the general public, such as books published by the US Army's Foreign Military Studies Office, to compile a history of hacking in China. His work goes a long way to explain the threat of cyber-espionage from China that has bubbled up towards the top of the political agenda over recent months.

The first Chinese hacking group was founded in 1997 but disbanded in 2000 after a financial row between some of its principal players led to a lawsuit. At its peak the organisation had about 3,000 members, according to Mahmoud. The motives of this so-called Red Hacker group were patriotic, defending motherland China against its enemies.

The hacking of the US Embassy and the White House over the accidental bombing of the Chinese Embassy in Belgrade back in 1999 brought many flag-waving Chinese hackers together to, as they saw it, defend the honour of the motherland and fight imperialism in cyberspace.

This role was taken over by the Honker Union of China (HUC) after 2000, and the HUC later became the mainstay of the Red Hacker Alliance. China’s so-called “red hackers” attack critics of the state and infiltrate foreign government and corporate sites – among other activities. The phenomenon of patriotic hackers is far from restricted to China and also exists in Russia, for example. Russian hackers tend to make greater use of defacement and botnets to silence critics rather than spying.

Enter the Dragon

Over more recent years, different groups – involved in cybercrime to make money rather than in patriotic hacking – have emerged in China, some of which are affiliated with the Triads. These groups run so-called bulletproof hosting operations, which provide services to phishing fraudsters and the like and ignore the takedown notices that ethical ISPs would comply with, as well as various botnet-powered scams, spam and paid-for DDoS attacks for hire. "These firms did not target Chinese firms and were therefore not prosecuted," Mahmoud explained.

Over the years patriotic hacker groups and criminal hackers have forged alliances, a process facilitated by the Chinese government and in particular the People's Liberation Army, according to Mahmoud. One landmark event in this process was the defacement of Western targets and similar cyber-attacks following the downing of a Chinese jet by US warplanes in 2001. These attacks promptly ceased after they were denounced by the People's Daily, the organ of the ruling Communist Party.

The Chinese government began to see the potential of cyberspace at around this time and established a PLA hacking corps, as Mahmoud described it, featuring hand-picked soldiers who showed talent for cyber-security.

Mahmoud said that despite the existence of this corps the Chinese often prefer to use "freelance hackers" for "plausible deniability". "We can talk about hackers but it's better to talk about businessmen selling secrets. An entire underground industry has grown up to support cybercrime," he said.

There are various roles within such groups, including malware distribution, bot master, account brokers and "most importantly vulnerability researchers, whose collective ingenuity has been applied to run attacks against Western targets and to develop proprietary next-generation hacking tools", according to Mahmoud.

Small groups, including the Network Crack Program Hacker (NCPH), that research gaping security holes and develop sophisticated malware strains are reportedly sponsored by the PLA.

Western governments, hi-tech firms, oil exploration outfits and military targets have variously been targeted in an expanding series of so-called Advanced Persistent Threat (APT) cyber-attacks, commonly featuring Trojan backdoors, over the years. These operations have been known as TitanRain, ShadyRAT and Night Dragon, among others.

"It's sometimes difficult to differentiate between state-sponsored and industrial espionage attacks but what's striking is that all these attacks happen between 9am and 5pm Chinese time," Mahmoud noted.
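The working-hours pattern Mahmoud describes is something a defender can test against their own logs rather than take on trust. The script below is an added example, not from the article or from any of the researchers quoted: it converts constructed UTC event timestamps into China Standard Time (UTC+8, which has no DST) and measures what fraction fall inside a Monday-to-Friday, 09:00-17:00 window, and compares the same events against an alternative offset so the contrast is visible.

```python
from datetime import datetime, timedelta, timezone

# China Standard Time has no daylight saving, so a fixed UTC+8 offset is exact.
CST = timezone(timedelta(hours=8), name="CST")

# Constructed sample: UTC timestamps of beacon events attributed to one intrusion set.
# These are invented for illustration, not real indicators.
SAMPLE_EVENTS = [
    "2011-12-05T01:12:44Z",  # Mon 09:12 CST
    "2011-12-05T03:40:02Z",  # Mon 11:40 CST
    "2011-12-05T06:05:19Z",  # Mon 14:05 CST
    "2011-12-05T08:55:31Z",  # Mon 16:55 CST
    "2011-12-06T02:30:00Z",  # Tue 10:30 CST
    "2011-12-06T07:15:45Z",  # Tue 15:15 CST
    "2011-12-07T05:00:10Z",  # Wed 13:00 CST
    "2011-12-08T14:20:00Z",  # Thu 22:20 CST (outside office hours)
    "2011-12-10T04:00:00Z",  # Sat 12:00 CST (weekend)
]


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_business_hours(ts_utc, tz=CST, start=9, end=17):
    """True if the event falls on a weekday between start and end (local hours)."""
    local = ts_utc.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end


def business_hours_ratio(events, tz=CST):
    """Fraction of events inside the local working-hours window."""
    parsed = [parse_utc(ts) for ts in events]
    if not parsed:
        return 0.0
    return sum(in_business_hours(t, tz) for t in parsed) / len(parsed)


def hour_histogram(events, tz=CST):
    """Per-hour event counts in the given zone; a 9-to-5 actor shows a daytime hump."""
    hist = [0] * 24
    for ts in events:
        hist[parse_utc(ts).astimezone(tz).hour] += 1
    return hist


def compare_offsets(events, offsets_hours):
    """Ratio under several candidate UTC offsets, e.g. {8: 0.78, -5: 0.11}."""
    return {h: business_hours_ratio(events, timezone(timedelta(hours=h)))
            for h in offsets_hours}
```

Timing is only one weak indicator: an actor can schedule activity to mimic another zone, so it supports, rather than replaces, the tooling and infrastructure indicators described in the WSJ report quoted further down.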

Gaining access to industrial secrets is part of a deliberate, targeted government plan, Programme 863, whose aim is to make Chinese industry financially independent of foreign technology. It also has a military dimension. "China sees cyberspace as a way of compensating for its deficiency in conventional warfare, for example by developing strategies to cripple communication networks," Mahmoud said. "That does not mean China wants to fight. Inspired by the ideas of Sun Tzu [author of The Art of War] China regards it as a superior strategy to break the enemy without having to fight."

North Korea is also developing expertise in cyber-warfare, running training schools that resemble those run in China. However there is little or no collaboration between the two countries, according to Mahmoud.

"The Chinese see their expertise in cyberspace as an edge they are not willing to share. That's why there is no collaboration with hackers outside the country."

The Wall Street Journal reported last Tuesday that US authorities have managed to trace several high-profile hacking attacks, including assaults against RSA Security and defence contractor Lockheed Martin, back to China. Information obtained during an attack on systems behind RSA's SecurID tokens was later used in a failed attack against Lockheed Martin.

"US intelligence officials can identify different groups based on a variety of indicators," the WSJ reports. "Those characteristics include the type of cyberattack software they use, different internet addresses they employ when stealing data, and how attacks are carried out against different targets. In addition to US government agencies, major targets of these groups include US defence contractors."

US investigators working for the National Security Agency have reportedly identified twenty groups of hackers, a dozen of which have links to China's People's Liberation Army. Others are affiliated to Chinese universities. In total, several hundred people are said to be involved in the attacks, some of whom have been individually identified. The information has helped to strengthen the US's hand in diplomatic negotiations with China.

The data also provides a list of targets for possible counter-attacks.

Bloomberg reports in a similar vein that China is engaged in an undeclared cyber Cold War against Western targets with the goal (unlike the Soviet-era Cold War) of stealing intellectual property rather than destabilising regimes or fostering communism.

Targets have ranged from tech giants such as Google and Intel to iBahn, selected because it supplies Wi-Fi technology to hotels frequented by Western execs, oil exploration biz bosses and government and defence contractors. Chinese hackers stand accused of stealing anything and everything that isn't nailed down from as many as 760 different corporations over recent years, resulting in losses of intellectual property valued in the billions.

Paper tiger, hidden Trojan

Recent reports have painted a conflicting picture of Chinese cyber-warfare capabilities. A recent report [PDF] by The Office of the National Counterintelligence Executive (ONCIX), which was presented to Congress, named and shamed China and Russia for running cyber-espionage campaigns geared towards stealing the US's technology and economic secrets. The report, straightforwardly titled Foreign Spies Stealing US Economic Secrets in Cyberspace, described China as the source of the majority of intrusions without blaming its government directly.

Some observers suggest that the US intelligence community has decided to publicly finger China and Russia over cyber-espionage only after diplomatic efforts failed to yield a result.

China routinely and angrily denies any involvement in cyber-espionage, arguing that it is frequently victimised by these types of attacks itself, and most recently said that it wanted to help improve cyber-security defences across all nations.

Regardless of what's happening elsewhere, we've frequently heard praise for the staffers of China's computer emergency response centres. Over several years various businesses and teams in the country have been more pro-active and helpful in working with organisations, such as Spamhaus, in dealing with spam.

However, evidence showing that Chinese denials over the use of hacking tools ought not to be taken at face value emerged unexpectedly earlier this year. An extract from a propaganda film illustrated the use of custom tools to hack websites run by the banned spiritual movement Falun Gong. The video named the PLA's Electrical Engineering University as the source of the utility.

Security experts who have visited China praise its universities. HD Moore, the developer of Metasploit and chief security officer at Rapid7, said: "They are focused on defending China and malware research."

Moore, who toured computer science departments in universities in Beijing and elsewhere, found students frequently had an aptitude for malware analysis, and saw the potential for work in this area. However, those with expertise in exploit development were "few and far between", he said. "Not that many people in China are doing penetration testing work either," he added.

A recent report by the Australian National University concludes that China's cyber-warfare capabilities, at least, are actually mediocre at best. Desmond Ball, a professor at the Australian National University, argues China's offensive capabilities are limited. Local internet systems are notable for their deficiencies and vulnerabilities, he adds.

Information security experts, particularly those with an intelligence background, remain wary of China's capabilities.

Prescott Winter, chief technology officer for the public sector at HP ArcSight and former NSA associate deputy director of national intelligence for information integration, said that China remains a major threat.

"China is a major player in cyber-espionage. It has a well-constructed underground economy that is targeting intellectual property. Western governments are also at the front line," he said, adding that hackers often cause collateral damage when they access and ransack targeted networks.

Other former intelligence officials argue that the focus on China hides the greater truth that everyone is engaged in cyber-espionage.

"Every country (especially China, Russia, and even our allies), engages in industrial espionage against the United States and each other," writes Marcus Carey, who worked for the NSA for eight years before joining Rapid7 as a security researcher and community manager.

"For these countries, cyber-espionage is likely just the tip of the iceberg, very much complementing the main areas of espionage being conducted in the physical world," he said. "It’s much cheaper for foreign governments to 'borrow' research and development information and go straight into production, particularly in countries like China and India where there is a strong supply of industrial low-wage workers to crank out products. For this and other reasons, espionage is certainly not a new practice, rather the internet has simply made it more visible and traceable."

"The truth is, a good espionage program is vital to a country's success, as we saw during WWII and the Cold War. It is the responsibility of governing agencies to perform espionage against other countries, as well as helping their own citizens with counter-espionage and cyber defense strategies," he added.

Carey, paraphrasing baseball legend Mark Grace on cheating, concludes "countries that aren't engaging in espionage aren't trying hard enough!" ®

Hacknote

Dexter fans may like to know that the Chinese characters for hacker transliterate to Dark Visitor. A blog of the same name is one of the best online resources keeping hype-free tabs on the Chinese cybercrime scene.