Anatomy of a hack: When the GCN Lab was attacked from China

I was happy to see last week that the National Security Agency is joining the battle against Internet hackers by offering its own set of scanning tools to private companies. 

It’s good to see the government taking this threat seriously, because if defense companies have their security breached, its pretty much like our nation is being attacked as well. Countries that could benefit from knowledge about the projects those contractors are working on might view private companies as a softer target than trying to go directly at Defense Department databases. Attacks like the recent one at Lockheed Martin could be proof of this line of thinking. 

I’d like to take that logic a step further and say that, in a lot of ways, a new Cold War has begun, and we should take the threat just as seriously. The only difference is that, unlike the original Cold War, there is unlikely to be a scenario that ends in world annihilation, though damage can still be done to both sides.

China is taking the threat seriously, and claims that the United States is attacking its networks just as vigorously as we claim they are assaulting ours. And let’s not forget North Korea as a threat on this new battlefield as well.

The GCN Lab domain, which is a test setup for new products and not public, has even been attacked in the past, probably because attackers mistakenly thought based on the publication's name that we were part of the government. These attacks provided evidence that they were coming from China and were even tracked down to specific IP addresses in that country, mostly surrounding Beijing.

Make no mistake: There is a coordinated and ongoing effort by groups of hackers to invade websites based in the United States. The hackers even seem to operate in organized teams.

In our case, the first attacker, probably the best hacker on shift, tried to penetrate the network using very sophisticated techniques — codebreaking tactics and the like. He (for the sake of simplicity, we’ll call the hacker he) used a very soft touch, seeing what he could get away with but trying not to trigger any alarms. He probably recorded everything he learned for later use. He even tried to cover his tracks as best he could, mostly undoing everything he uploaded or changed before he left.

In the specific incident I am recounting, the first guy only got caught because he accidentally triggered a major error on the network. The Lab’s test network is not set up like a typical one, and it’s actually very easy to crash parts of it. In a sense, it’s designed that way because it has no function other than to be a constantly changing test bed. But the hacker must not have known this.

Once the main guy is finished in attacks such as these, a site is flooded with what I’m calling the sub-hackers. These guys do all the heavy-handed stuff like SQL injection attacks that every high school hacker knows how to perform. My guess is that this B-team tries to take the spotlight, bring down a site or embarrass the owners, and thus get all the focus on them. The real hack has already occurred and the information collected. The main hacker is probably having a coffee or tea break by then.

The attack I am describing happened two years ago, so don’t think this is something new, either. Based on the level of sophistication of recent publicized attacks, the hackers have only gotten better.

I will note that one security expert we talked with told us it’s possible that someone outside of China was licensing Chinese IP addresses and that the attack on the Lab’s test network did not actually come from China. But I have my doubts.

Call me crazy, but a country that puts such tight controls on Internet-based information, not wanting any real news to reach its citizens, probably can control their networks just fine, or at least know what’s going on within them. No, this to me seems like teams of well-practiced and well-rehearsed hackers. It’s doubtful that such a group could operate without support on Chinese government soil.

So there you have it. In a way, a cyber war is better than a real one because there are unlikely to be direct casualties unless we start turning off each other’s utilities or something. Still, this is a real threat and it’s nice to see the government taking it seriously. I only hope we’re doing enough.

About the Author

John Breeden II is a freelance technology writer for GCN.

inside gcn

  • A framework for secure software

Reader Comments

Fri, Jun 24, 2011 mercdragon Washington, DC

"did you give the Chinese ISP ..." Interesting thought, with no means of follow up. When was the last time you tried to stop SPAM by contacting the sending ISP? What response did you receive? Eve the CIA open site has been recently hacked. As long as there are needs to use the open internet, there will be holes to exploit. The only true secure net is closed to the outside and even that can be exploited by some one sneaker net attaching to it. "When you have it so secure no one can get in, let the opposition know. Because you can no get out either." Rules of combat #5 pfb

Wed, Jun 22, 2011 JC

how did GCN get attacked? I think it is too late for gov't to step in now when other countries gov't have been protecting gov't sites as well as businesses for years.

IP addresses can spoofed. where is the proof that it was in fact from China?

Tue, Jun 21, 2011

Yes, I highly suspect all these attacks usually originate from private profit-seeking companies to create a scare. Got to look the motive. If it was really from china, the attacks are likely decoys. Focus on the real kinetic threats and their weapon build up. China is smarter than tinkling with someone IP addresses. Cyber is child's play. Don't loose focus on kinetic effects.

Tue, Jun 21, 2011

The article states "it’s possible that someone outside of China was licensing Chinese IP addresses," but did you check? Did you ask the question and give the Chinese ISP an opportunity to accept responsibility and go after the perpetrators? Did they identify foreign agents? Did they deny the whole thing? What was their actual or official response? I keep seeing people make preemtive excuses like, "Well, they will probably..." this or that. Journalists are expected to get the answers and not speculate. So, what was their answer?

Tue, Jun 21, 2011

And again- why hasn't the Gov/DoD world, and their allied contractors, set up a private internet not reachable from the public internet? On DoD side, they have SIPR- seems like they need something like that for the vendor world.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group