07 December 2007


There was a report recently about the head of Britain’s MI5 (not the one with James Bond) pointing the finger directly at the Chinese government for hacking British companies.

The problem? The only source to claim to have seen the letter making this accusation is The Times of London. That would be the same Times that reported that “China’s Cyber Army is Preparing to March on America, Says Pentagon”, claiming that China’s hackers had a “detailed plan” to disable an American aircraft carrier group. A completely bullshit claim as illustrated here. And now The Times appears to be the only news outlet to have seen a “confidential letter” written by recently elevated MI5 head Jonathan Evans, sent to 300 British companies expressing his “concerns about the possible damage to UK business resulting from electronic attack sponsored by Chinese state organisations”. The British government has declined to comment and no one else seems to have seen the letter except for unnamed “private sector security specialists” and one Martin Jordan at KPMG.

Moreover, The Times leads with “The Government has openly accused China of carrying out state-sponsored espionage against vital parts of Britain’s economy, including the computer systems of big banks and financial services firms.” It then goes on to say the letter is on the Center for Protection of National Infrastructure website, but in the section where “access to the site is limited to groups that form part of the country’s critical infrastructure, which include telecoms firms, banks and water and electricity companies.” Doesn’t seem such an open accusation by the government but rather by The Times.

Which apparently is how the Chinese government saw it as well, filing a formal complaint about The Times report - not the letter. In the Times followup, however, was this really weird and unsupported claim:

Hackers are usually based outside China – in Russia, Central Asia and in Europe – and are not directly tied to the PLA but are manipulated or managed through other agencies.

Yes, that’s right: The Times of London has claimed that Chinese PLA front organizations are recruiting and managing hackers in other countries. Without giving any credible reason why we ought to believe this. It’s always been hard enough to believe that the PRC would be hacking other governments and leaving a trail of breadcrumbs back to Chinese servers, instead of trying to mask it. Likewise, it always seemed more likely, given China’s preponderance of malware, viruses and zombie computers, that hackers anywhere in the world could attack places and make it look like the responsible party was in China for the same reasons. But this is most heinous: non-Chinese hackers are being duped by the Chinese government! It’s like Die Hard 4.0!*

The Times, in their followup, belatedly quotes somebody who at first doesn’t seem to subscribe to the “Chinese government is behind it all” theory, but then he apparently agreed anyway:

Andrew Yang, the secretary-general of the Taiwan-based Chinese Council of Advanced Policy Studies and an expert on the PLA, told The Times: “Information warfare in China is mostly conducted by the private sector so it is difficult to identify who is really behind this.”

He described the methods as highly decentralised but employing systems to ensure that any information garnered got back to state security organisations in China.

Again, these methods go undescribed to us. But don’t worry, The Times thought it made sense.

For a slightly better analysis, check out this article at govexec.com. And be sure to keep in mind the Honeyblog’s recent report (PDF) on Malicious Websites and the Underground Economy in China, pointing out that the Trojan business is thriving in China.

The New York Times has a sensible article on a cyber attack at Oak Ridge Laboratories, in which they take care to explain “Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location.” The phishing attack only succeeded, if at all, because “11 staff opened the attachments, which enabled the hackers to infiltrate the system and remove data.” The alleged MI5 letter said Chinese hackers were using “custom trojans”, which also use attached files and compromised websites. An intelligent advisory to British firms, then, would have advocated preventing staff from accessing suspect websites or opening email attachments without proper security precautions, especially since anyone can launch an attack from anywhere in the world, Chinese or otherwise.

*Which I heard is a favorite in The Times breakroom.
