In order to flourish, this kind of “Crime-as-a-Service” also requires so-called bulletproof hosting firms where hackers can run C&C servers and register malicious domains safe from the prying eyes of law enforcement. “These places provide a safe haven. Two or three different actors in China come to mind, accepting domain registrations which ultimately lead to attack campaigns – it’s a black hole,” said Manky.
“Interestingly China has done something. It had a problem with fraudulent registrations so the government acted to [tighten registration], but … there are still loopholes in the system – not just China but everywhere.”
The latest CNCERT stats reveal 140 malicious domains, just over a third located in mainland China, which could have been hosted in this way by attackers outside of the country.
FireEye EMEA product manager Jason Steer told El Reg that China was number three in the firm’s recent report for hosting C&C systems, below the US and South Korea, but agreed with Manky that this in no way signifies that actors inside the country are attacking global targets in huge numbers.
“Actually, I'd argue something different: attacks coming from within your country indicate that C&C servers are set up in-country to dupe defenders. Attackers are less easy to spot and find with traffic staying in country first and then being moved on,” he said.
“Given the size of China and the size of its PC population, it's an obvious place to attack from – with high speed internet and the same insecure computers running Windows there as they do across the world. As it rolls out high speed internet, clearly it’s a good place to locate systems without questions being asked.”
For the record, China's internet population at the end of 2012 stood at 564 million, around 50m more than a year previously. That's still only 42 per cent penetration but still a lot of users to target, meaning China is likely to remain an attractive location for global crime gangs to launch attacks from for some time to come. The vulnerabilities in the nation's address space are also being exploited by home-grown attackers, of course, as a report on China’s Online Underground Economy released last August shows. It claimed that nearly a quarter of the country’s internet users and 1.1m web sites were affected in 2011, at a cost of over 5bn yuan (£526m).
Trend Micro VP of cyber security Tom Kellermann told The Reg that there are over 90,000 members of the Chinese shadow economy.
“Over the past two years there has been an explosive growth in criminal hacking within China targeting Chinese corporations,” he added. “The great firewall of China has numerous vulnerabilities and as the nation becomes global economic hegemon the king of the mountain is beginning to experience the dark side of globalisation.”
China’s challenge is to promote greater levels of information security awareness among its vast populace, especially as more and more users come online for the first time, and tighten up the loopholes which have allowed bulletproof hosters to flourish. Such steps will make it less attractive for criminals – reducing the number of attacks launched by operators outside the country using compromised Chinese IP addresses, as well as cutting its domestic cyber crime problems.
It’s difficult to feel much sympathy with Beijing given the apparent volume and persistence of state-sanctioned attacks originating from within the Great Firewall. But it’s also worth remembering that activity of this kind is certainly being carried out to a lesser or greater extent by all major global powers.
In a notable report from last September, Trend Micro’s Kellermann even concluded that “hackers from the former Soviet bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts”. China’s problem is that it’s currently the noisiest out there. Perhaps if it wants the damaging headlines to go away it needs to get its own house in order and get caught less frequently. ®