Cyberwar & Cyberespionage: All Quiet on the Eastern Front?

Posted on August 28, 2007
Filed Under Apparatchiks, China Internet, Cyberespionage, Malware

With Germany’s Angela Merkel’s arrival in China for meetings with the Chinese government comes a report of Chinese attempts to steal information from German government websites. The Der Spiegel article says:

that a large number of computers in the German chancellery as well as the foreign, economy and research ministries had been infected with Chinese spy software

Funny how these stories have a way of cropping up at the most awkward moments. The Embassy of China in Germany first pooh-poohed the suggestion, but then Premier Wen Jiabao surprised everyone. In People’s Daily Online he’s quoted:

“The Chinese government attaches great importance to the hacker attack on the German government networks,” Wen said, adding China would take “determined” and “forceful” measures to combat hacker activities.

Is China a hotbed of cyberespionage?

On the Rectification of Names
Before we begin, let’s clarify what we’re talking about. Security incidents involving data fall into four basic categories (these concepts are drawn from CERT, the thought leaders in IT security):

For my purposes, cyberwar is the interruption and/or destruction of data/applications and cyberespionage is the disclosure and/or modification of data/applications. The most recent example of cyberwar would be the attacks on Estonian commercial and government servers in May of this year. Russia was widely assumed to be behind it (see the Guardian article). The attacks on Germany’s governmental sites in discussion are an example of cyberespionage.

The most common example of a cyberwar attack would be a Distributed Denial of Service (DDoS) attack. A server is rendered inoperable/unreachable after being flooded with requests.

A simple cyberespionage attack would plant a trojan program on a computer to capture user IDs and passwords. It would send that information back to the attacker via an email or file transfer or allow the attacker to “pick up” the data by initiating an application to accept remote requests.

How can you identify the source of a cyberattack?

All Internet Protocol (IP) packets have a source IP address field. Source IP addresses are issued to countries by IANA. If you know the source IP address you will know (often down to the city level) where the initiator of an attack is located.

For cyberwar attacks, this is no help. The computer/computers initiating the attack can easily spoof the source IP address and put in any IP address they like. Most cyberwar attacks are traced by analyzing the network devices that the attacks are passing through. The critical dependency is getting access to the routing information in those devices that are in another country.

Cyberespionage is different. It may be easy to reach across the internet to get to a target server, but you still need to get the information back to you. That requires a source IP address. Typically attackers will go through multiple machines (one machine hacks another, hacks another, etc.) and multiple means (FTP, email, anonymous storage, etc.) to retrieve the stolen data.
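The asymmetry just described, as an added example that is not part of the original post: a claimed source address on inbound flood traffic is attacker-written and proves nothing, while exfiltrated data has to land on a real destination that shows up in outbound flow records. The allocation table and flow records below are constructed stand-ins (documentation address ranges, invented labels), not real registry data.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed allocation table (not real registry data): network -> label.
ALLOC = [
    (ipaddress.ip_network("203.0.113.0/24"), "relay-country-A"),
    (ipaddress.ip_network("198.51.100.0/24"), "country-B"),
    (ipaddress.ip_network("192.0.2.0/24"), "internal"),
]

def locate(ip):
    """Map an address to the label of the block it falls in."""
    addr = ipaddress.ip_address(ip)
    for net, label in ALLOC:
        if addr in net:
            return label
    return "unknown"

# Constructed flow records: direction relative to our network, bytes moved.
FLOWS = [
    {"dir": "in",  "src": "198.51.100.20", "dst": "192.0.2.10", "bytes": 60},
    {"dir": "in",  "src": "203.0.113.200", "dst": "192.0.2.10", "bytes": 60},
    {"dir": "in",  "src": "198.18.0.5",    "dst": "192.0.2.10", "bytes": 60},
    {"dir": "out", "src": "192.0.2.10", "dst": "203.0.113.7",  "bytes": 700_000},
    {"dir": "out", "src": "192.0.2.10", "dst": "203.0.113.7",  "bytes": 500_000},
    {"dir": "out", "src": "192.0.2.10", "dst": "198.51.100.9", "bytes": 4_000},
]

def inbound_source_profile(flows):
    """Where inbound (flood-style) traffic claims to come from. The sender
    writes the source field, so this is a profile of claims, not of origin."""
    return Counter(locate(f["src"]) for f in flows if f["dir"] == "in")

def outbound_volume_by_destination(flows):
    """Bytes sent per external destination. Stolen data must reach a real,
    routable endpoint (possibly a relay), so this is what a defender can act on."""
    totals = defaultdict(int)
    for f in flows:
        if f["dir"] == "out":
            totals[f["dst"]] += f["bytes"]
    return dict(totals)

def flag_exfiltration(flows, threshold_bytes):
    """Destinations that received at least threshold_bytes, with their label."""
    return {dst: (n, locate(dst))
            for dst, n in outbound_volume_by_destination(flows).items()
            if n >= threshold_bytes}
```

The flagged destination is still only a relay candidate; as the text notes, tracing past it needs cooperation from whoever operates that next hop.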

What happened with the German government?

The so-called “Trojan” espionage programs were concealed in Microsoft Word documents and PowerPoint files which infected IT installations when opened, SPIEGEL reported. Information was taken from German computers in this way on a daily basis by hackers based in the north-western province of Lanzhou, Canton province and Beijing. German officials believe the hackers were being directed by the People’s Liberation Army and that the programs were redirected via computers in South Korea to disguise their origin.

Lanzhou, for the record, is the capital of Gansu province. Canton? I guess that makes Der Spiegel a Saxon magazine.

Guangzhou, Beijing, and Lanzhou are the regional commands for their respective military districts. I assume the German “government officials” leapt to the conclusion that it was the work of the People’s Liberation Army. Just for the record, according to CNNIC:

Can they trace those IP addresses to specific PLA addresses? There’s nothing in the article about that.

Was there anything about the tradecraft (how the trojan was written, its functionality) that would suggest a PLA operation? There’s nothing in the article about that.

Was there anything in the article about Germany’s cyberdefenses? Any explanation of how a trojan slipped into their system? Any explanation of why the German government’s IT systems don’t use anti-virus scanning? They don’t seem to know what’s going on:

German security officials managed to stop the theft of 160 gigabytes of data which were in the process of being siphoned off German government computers. “But no one knows how much has leaked out,” a top official told SPIEGEL.

Any explanation for what seems to be a pretty comprehensive effort in incompetence?

Nope.

Nothing other than the word of an anonymous source ties this to the PLA.

Could it have been anyone else?

There’s limited information about the substance of the attacks in the Der Spiegel article. As I’ve written about before the internet in China is a cornucopia of targets for hacking. Symantec identified China as having the most bot-infected computers worldwide.

If all the German government has to go on is a source IP address, they have no idea. If that’s their evidence, it could have been anyone.

And anyone could be anybody. Cyberwar and cyberespionage don’t require the same resources as war and espionage. Israeli and Palestinian private actors have had their own skirmishes on the internet. Similarly, Chinese and American hackers had their own conflict in 2001, when a US spy plane collided with a Chinese fighter jet over the South China Sea.

I don’t doubt that every government with the resources performs these kinds of activities. Spy stories abound, both in war and peace. But just because it happens doesn’t mean that every instance is an example. Der Spiegel may have gotten some attention, but they didn’t get at the truth.

Poor reporting has the consequence, intended or otherwise, of forming public opinion. Suspicions and suppositions slowly become treated as facts. It all serves to walk the credulous farther down the road to unreasoned animosity. Maybe that can explain the timing and the substance of the accusations.

Does anyone “Remember the Maine”?

Comments

One Response to “Cyberwar & Cyberespionage: All Quiet on the Eastern Front?”

  1. Catching Mice in China - Technology and business in and around China » Cyberespionage: Another Summit, Another Spy Game on September 4th, 2007 12:12 pm

    [...] Cyberwar & Cyberespionage: All Quiet on the Eastern Front? [...]