GCN LAB IMPRESSIONS
Anatomy of a hack: When the GCN Lab was attacked from China
- By John Breeden II
- Jun 20, 2011
I was happy to see last week that the National Security Agency is joining the battle against Internet hackers by offering its own set of scanning tools to private companies.
It’s good to see the government taking this threat seriously, because if defense companies have their security breached, its pretty much like our nation is being attacked as well. Countries that could benefit from knowledge about the projects those contractors are working on might view private companies as a softer target than trying to go directly at Defense Department databases. Attacks like the recent one at Lockheed Martin could be proof of this line of thinking.
I’d like to take that logic a step further and say that, in a lot of ways, a new Cold War has begun, and we should take the threat just as seriously. The only difference is that, unlike the original Cold War, there is unlikely to be a scenario that ends in world annihilation, though damage can still be done to both sides.
China is taking the threat seriously, and claims that the United States is attacking its networks just as vigorously as we claim they are assaulting ours. And let’s not forget North Korea as a threat on this new battlefield as well.
The GCN Lab domain, which is a test setup for new products and not public, has even been attacked in the past, probably because attackers mistakenly thought based on the publication's name that we were part of the government. These attacks provided evidence that they were coming from China and were even tracked down to specific IP addresses in that country, mostly surrounding Beijing.
Make no mistake: There is a coordinated and ongoing effort by groups of hackers to invade websites based in the United States. The hackers even seem to operate in organized teams.
In our case, the first attacker, probably the best hacker on shift, tried to penetrate the network using very sophisticated techniques — codebreaking tactics and the like. He (for the sake of simplicity, we’ll call the hacker he) used a very soft touch, seeing what he could get away with but trying not to trigger any alarms. He probably recorded everything he learned for later use. He even tried to cover his tracks as best he could, mostly undoing everything he uploaded or changed before he left.
In the specific incident I am recounting, the first guy only got caught because he accidentally triggered a major error on the network. The Lab’s test network is not set up like a typical one, and it’s actually very easy to crash parts of it. In a sense, it’s designed that way because it has no function other than to be a constantly changing test bed. But the hacker must not have known this.
Once the main guy is finished in attacks such as these, a site is flooded with what I’m calling the sub-hackers. These guys do all the heavy-handed stuff like SQL injection attacks that every high school hacker knows how to perform. My guess is that this B-team tries to take the spotlight, bring down a site or embarrass the owners, and thus get all the focus on them. The real hack has already occurred and the information collected. The main hacker is probably having a coffee or tea break by then.
The attack I am describing happened two years ago, so don’t think this is something new, either. Based on the level of sophistication of recent publicized attacks, the hackers have only gotten better.
I will note that one security expert we talked with told us it’s possible that someone outside of China was licensing Chinese IP addresses and that the attack on the Lab’s test network did not actually come from China. But I have my doubts.
Call me crazy, but a country that puts such tight controls on Internet-based information, not wanting any real news to reach its citizens, probably can control their networks just fine, or at least know what’s going on within them. No, this to me seems like teams of well-practiced and well-rehearsed hackers. It’s doubtful that such a group could operate without support on Chinese government soil.
So there you have it. In a way, a cyber war is better than a real one because there are unlikely to be direct casualties unless we start turning off each other’s utilities or something. Still, this is a real threat and it’s nice to see the government taking it seriously. I only hope we’re doing enough.