The smoking gun on China's US cyberattacks
- By John Breeden II
- Aug 26, 2011
A few weeks ago I wrote a column explaining, step by step, how hackers with a Chinese IP address attacked a honeypot network in the GCN Lab that had been set up for just that purpose.
We watched the attacks take place, made notes about what the hackers did and the techniques they used, and tracked them back to several addresses inside China.
In the comments section that followed, a few people complained that I had no evidence that the attack actually came from China, implying that I was slandering them in some way. Given that the Chinese government’s official line has always been that it respects the rule of law and would never attack a sovereign nation in cyberspace, I can see why they would have defenders. In truth, other than the IP address of the people who attacked our honeypot, I had no comeback, especially since IP addresses can be spoofed.
But now, thanks to China itself, I have proof that the People’s Liberation Army does attack the United States, and likely does so on a regular basis.
China’s claims of innocence have come crashing down because of an apparent mistake in editing in a documentary on the country’s own state TV that should never have gone live. The PLA presentation demonstrated its military capabilities. Amid all the tanks and planes, the propaganda piece showed a mere four seconds inside the group's cyber warfare center.
Because the segment ran without narration, one has to think that the cybersecurity part of the piece was put into the video only by accident, a technical background shot placed between segments for a bit of extra color. However, those four seconds are both telling and damning to the Chinese lie that they don’t attack the United States.
Here is the incredible part: During those four seconds, we clearly see a Chinese soldier use a drop-down list to choose from preset target websites around the world. Then he actually attacks a website in Alabama.
In this case, the website was set up to support Falun Gong, a spiritual movement outlawed in China that practices meditation and a philosophy that emphasizes moral responsibility.
Going back to my original article, the type of attack that could be instigated with the push of a button is exactly what I said happened to the GCN honeypot network. First, a real hacker came in and tried to steal data. Then the second team covered his tracks. The machine shown on the PRC TV show is probably part of that second team. It could easily do automatic attacks of the heavy-handed kind, things like SQL injections that every high school hacker knows about. That program and perhaps even that machine could be the one that attacked the lab network.
Even though all the targets shown in the four-second video were Falun Gong sites around the world, the fact that they were in a drop-down menu is telling and appalling. You don’t set up drop-down menus with attack buttons unless you plan to use them. And the Chinese military did push the attack button in the video, so apparently it has no problem pulling the trigger.
How many of these attack lists do they have? Is there another one with U.S. government sites listed? Is there one with corporations or media outlets in this country?
China has proved that it does not respect our borders when it comes to cybersecurity. Government officials, Google and other victims of cyberattacks have blamed China before, but always with China denying involvement and its defenders using the spoofed-IP-address defense. But now we have the proof. This was not a video made by “evil Western democracies” or political dissidents. This was a program created by the Chinese government and run on the country's own state TV.
So to all you people who wanted to know where my smoking gun was, watch the video. It’s clear to me that we are under attack from China right now.
It’s time for China to own up to what it is doing. Or it’s time for the United States to do something about it.
John Breeden II is a freelance technology writer for GCN.