[ISN] Defacements rise in China hacker war

From: InfoSec News (isnat_private)
Date: Mon Apr 30 2001 - 20:19:41 PDT

    By Robert Lemos
    Special to CNET News.com
    April 30, 2001, 4:50 p.m. PT

    Online vandals made good on their threats to disrupt U.S.-based Web
    sites Monday by defacing dozens of sites.

    By late Monday, the hacking group Honkers Union of China increased the
    number of Web sites defaced since early April to more than 80, while
    online vandals posting pro-American graffiti had tagged at least 100,
    according to several sources.

    Web sites falling victim to the vandals included the National
    Institutes of Health, the U.S. Navy, the California Department of
    Energy, and the U.S. Department of Labor, as well as many corporate
    Web sites.

    "This is very much statistically on par with the Israeli-Palestinian
    defacement war," said Chris Rouland, director of the internal
    development and research group for network protection firm Internet
    Security Systems. "We are seeing a seven- to 10-fold increase in scans
    and defacements."

    Federal authorities warned last week of a planned "Labor Day Strike"
    from Chinese hackers upset over the recent spy plane incident.

    According to the National Infrastructure Protection Center, a unit of
    the FBI, "Chinese hackers have publicly discussed increasing their
    activity" between two major holidays this week in China. May 1 is
    International Workers Day, and May 4 is Youth Day. Also coming up is
    the two-year anniversary, May 7, of the accidental U.S. bombing of the
    Chinese embassy in Belgrade.

    Rouland said most companies should be safe from the defacements, but
    IT managers should take the time to check how well their networks are

    The attacks come in the wake of the April 1 collision between a
    Chinese jet fighter and a U.S. surveillance plane. The pilot of the
    jet fighter, Wang Wei, died in the crash. Recent news reports say that
    Chinese officials have decided to allow U.S. officials to inspect the
    plane, which still remains on the island where it made an emergency
    landing after the collision.

    Chinese hackers rising

    The most active group of Chinese defacers appears to be the Honker
    Union of China. "Honker" is slang in China for hacker.

    "The manifesto of Honker maintains the reunification of the
    motherland! Guards the national sovereignty! Outside consistent
    resistance shame! Attack anti-Chinese arrogance!" read the standard
    defacement message that adorned several of the compromised sites.

    Web sites maintained by members of the group indicated that more than
    80 sites had been defaced as part of this week's protests. The site
    reported that another 400 servers had been compromised.

    Attacks have not been limited to defacing, either. One consultant for
    a large U.S. company said that almost all the data on two servers at
    the company had been systematically deleted on Saturday, leaving
    behind an expletive-filled message directed at the United States.

    While defacing Web sites has seemingly been a game for a great many
    online vandals, data about the efforts of Chinese hackers has been
    rare--not because of a lack of incidents, but because Chinese hackers
    don't report their defacements to sites that track such attacks, said
    Brian Martin, staff member at security site Attrition.org, a group
    that tracks Web site defacements.

    "One thing that is interesting is that over the past week, American
    hackers have said that the Chinese haven't done anything," he said.
    "Now it looks like the Chinese have been defacing sites but not
    reporting them to us or the other mirrors."

    Motives for attack?

    Martin believes news reports speculating on whether Chinese hackers
    would attack U.S. sites to protest the surveillance plane incident
    started a self-fulfilling prophecy.

    "A lot of this seems to have started because the media said it would
    start," Martin said. "The timeline clearly shows it didn't turn into a
    political-based defacement spree until (the media) said it would."

    Others disagreed. Fred Cohen, a security researcher and principal
    member of the technical staff at Sandia National Laboratories, said
    evidence suggests the Chinese attacks are condoned, if not actively
    organized, by the Chinese government.

    "The most important thing to understand is it is not like the U.S.," he
    said. "We have hackers and miscreants--but they don't come from China
    without the government taking actions to make it happen."

    In China, because hacking is a capital crime, government approval
    would be necessary for such a large group of vandals to work together,
    Cohen said.

    Cohen also pointed to such incidents as the 1i0n worm, which
    apparently originated in China, as evidence that the situation could
    escalate. The 1i0n worm is an Internet program that uses scanners and
    automated exploit scripts to hack Linux servers and then send
    information regarding the servers back to China.

    Such information could be used to attack the servers later, Cohen
    said. The result could be a denial-of-service attack or some other
    assault on the U.S. Internet infrastructure. Its goal would be to show
    that such cyberattacks are another weapon in the country's arsenal.

    "It's not an accident; it's not a populist move," Cohen said. "It's a
    demonstration. They are saying, 'We are capable of doing this to you
    too, and we can do it in a controlled fashion, and we can stop it when
    we say.'"