Gregory Walton
 
 
Panel 4: Trading with China: What risks, responsibilities, opportunities?

Year of the Gh0st RAT
Gregory Walton
Security analyst, Openflows

I am going to talk about Chinese cyber-espionage directed against non-state actors, including several of the sponsors of this conference. I had intended to talk about an entirely different topic, but two weeks ago a targeted malware attack against the World Association of Newspapers and the organizers of this conference specifically persuaded me that this would be a topical subject to address.

My presentation is entitled, "Year of the Gh0st RAT", and for those who are wondering, this refers to a Remote Administration Tool (illustration) that we have seen used in these attacks.

[Illustration: screen.jpg]

The presentation is divided into two distinct parts. In the first I very briefly outline the technology behind these attacks on our organizations. In the second part I try to address the question that journalists most often ask, that is, "who is responsible?"

I have subdivided the technology section to include comments on: the message that carries the exploit, the exploit itself, the back door, the control connection, and the control server. Similarly I have subdivided the second section to consider whether the attackers have government affiliation, the state's cost-benefit analysis in allowing hackers to operate within its borders, the political context, and evidence of recruitment from China's computer underground.

First, the message designed to carry the payload. Its content is crafted to persuade the user to open the attachment, so that the malicious code can execute. The writing style of the message imitates the spoofed sender, and the content of the attached document is appropriate to the topic of the e-mail. In some cases users are convinced to reply to the attacker or to forward the message to other users. We have seen memes 1 redistributed to the targeted communities. For example, a Word document was collected from a compromised mailing list, edited to include an exploit, and forwarded to other members of the targeted community.

Here is a sample of a message that transports a targeted attack:

Date: Tue, 1 Apr 2008 02:22:57 -0700 (PDT)
From: Beijing Conference

Subject: Invitation to conference "Beijing Olympics 2008: Winning Press Freedom"
To: ..........

Dear Sir/Madam

We are cordially inviting you to the conference "Beijing Olympics 2008: Winning Press Freedom" which will be held from the 18th - 19th of April, 2008 in Maison de la Chimie Paris.
[...]

The schedule of the conference is in the attachment.

Email ........@wan.asso.fr OR
.........@wan.asso.fr
By TEL: +33 (0)1 47 42 85 37
By FAX +33 (0)1 47 42 49 48


This message was sent to potential participants of this conference. The English is good, the message is factually correct, and the organization's footers are correct. The recipient is encouraged to open a PDF attachment, which exploits a client-side vulnerability in the reader. The most common attack vectors so far have been CHM help files, Adobe Acrobat Reader (PDF), and Microsoft Word, PowerPoint, Excel and Access documents. The file exploits the vulnerability and executes shellcode, which usually unpacks two components: the actual Trojan, and a clean decoy document that the shellcode opens so that the user sees an ordinary file rather than a crashed application.
The decoy tends to be relevant to the message content, such as this PowerPoint presentation on Tibet.

[Illustration: screen2.jpg]

In the background it dropped a Trojan. The file had already been circulated in the Tibetan community, and this is an example of attackers appropriating existing message content and republishing it with an embedded Trojan. Such activity is a strong indication that mailing lists and forums have previously been compromised, and that the attackers are recycling information.
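The dropper pattern just described, a document that should contain nothing executable but in fact carries a Windows binary, lends itself to a quick triage check. The following script is an added example and is not code from the talk or from the researchers it cites. It scans a document for an embedded PE image using the standard PE layout (an "MZ" signature, a four-byte little-endian e_lfanew at offset 0x3C, and "PE\0\0" at the offset it points to); the two PDF-like byte strings it runs on are constructed for the example. One caveat a practitioner should keep in mind: droppers of this kind often store the payload XOR-encoded, which a plain signature scan like this will not see, so a "clean" verdict here is not proof of absence.

```python
"""Triage check for exploit-carrying lure documents (added example, not from the talk)."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def find_embedded_pe(data: bytes):
    """Return byte offsets of plausible PE images embedded in `data`.

    Heuristic: an "MZ" DOS header whose e_lfanew (offset 0x3C) points at a
    "PE\0\0" signature inside the buffer. Unencoded payloads only.
    """
    hits = []
    start = 0
    while True:
        off = data.find(MZ, start)
        if off < 0:
            break
        start = off + 1
        if off + 0x40 > len(data):          # DOS header does not fit
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe_off = off + e_lfanew
        # e_lfanew must point past the DOS header and stay within the buffer.
        if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe_off + 4 > len(data):
            continue
        if data[pe_off:pe_off + 4] == PE_SIG:
            hits.append(off)
    return hits


def triage_document(data: bytes, expected_magic: bytes):
    """Classify a document as 'clean', 'suspect-dropper' or 'unexpected-format'."""
    if not data.startswith(expected_magic):
        return {"verdict": "unexpected-format", "pe_offsets": []}
    # An MZ at offset 0 would mean we were handed a bare executable, not a document.
    pe = [o for o in find_embedded_pe(data) if o != 0]
    return {"verdict": "suspect-dropper" if pe else "clean", "pe_offsets": pe}


def build_fake_pe() -> bytes:
    """Constructed minimal PE stub: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIG + b"\x4c\x01" + b"\x00" * 40   # Machine=i386, padding


# Constructed samples: a clean PDF-looking blob and one with a PE appended after it.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
DROPPER_PDF = CLEAN_PDF + b"\x00" * 16 + build_fake_pe() + b"\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("dropper", DROPPER_PDF)):
        print(name, triage_document(blob, b"%PDF"))
```

Run as-is it prints a verdict for each constructed sample; in practice you would feed it the attachment bytes and the magic you expect for that file type (`%PDF`, the OLE2 signature for legacy Office files, `ITSF` for CHM).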


It is important to realise that low-volume malware of the kind used in cyber-espionage has poor anti-virus coverage. In this case only six out of thirty-two (18.75 percent) anti-virus engines detected the Trojan.

Researchers analyzing these attacks have identified at least eight different Trojan families; common ones include Enfal, Riler and Protux. Control over some machines is maintained using the Gh0st RAT remote administration tool, which allows essentially unrestricted access to the compromised machine. Remember that many machines targeted in these incidents are home desktops, on which the user works from the administrator account, so the Trojan inherits administrative access.

The next stage is for the Trojan to connect back to the control server. This usually consists of two steps: a domain name system (DNS) lookup to obtain the address of the control server, and the actual connection. The name looked up is a host-name embedded in the Trojan. To date, researchers have tracked over fifty unique host-names. Some are used once against a single targeted organization, others are reused against multiple targets, as we will see in a moment.

The overwhelming majority of control servers were identified as being located on People's Republic of China netblocks. The host-names pointing to these servers are, more often than not, configured on dynamic DNS services such as 3322.org. It should be noted that while these services are not in themselves malicious, they are frequently used in this type of attack. Interestingly, it appears that at least some of these control servers have themselves been compromised.

Let us now turn to some concrete examples of actual control servers behind these attacks. I will use examples from organizations sponsoring today's conference.

An attack on the World Association of Newspapers was traced to www.vic2088.com, which is currently 202.155.203.250, hosted at a company in Hong Kong.

An attack on Reporters sans Frontières connected to hi222.3322.org (117.14.210.181) on port 143, an address that traces to the following netblock:

inetnum: 117.8.0.0 - 117.15.255.255
netname: CNCGROUP-TJ
descr: CNC Group Tianjin province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN


An attack on the Committee to Protect Journalists was traced to cvnxus.8800.org.

It is interesting to note that this server has been used in past hacker intrusions traced by US law enforcement to China.
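The two indicators described above, a host-name hard-coded in the Trojan (often under a dynamic-DNS zone) and a resolved address that falls in a particular netblock, can both be checked mechanically. The script below is an added example, not code from the talk or from the researchers it credits. It pulls host-name-looking strings out of a binary blob with a strings-style scan and flags those under dynamic-DNS zones, and it parses the `inetnum:` line of a whois record to test whether an address falls inside that range. The host-names, addresses and whois record are the ones quoted in the talk; the surrounding binary bytes are constructed. Treating 3322.org and 8800.org as dynamic-DNS zones follows the talk; the zone list is otherwise an assumption you would extend for your own environment.

```python
"""Control-connection indicators: embedded host-names and netblock membership
(added example, not from the talk)."""
import ipaddress
import re

# Dynamic-DNS zones named in the talk; extend as needed (assumption).
DYNDNS_ZONES = ("3322.org", "8800.org")

# Dotted labels ending in a 2-6 letter TLD; good enough for a strings-style scan.
HOSTNAME_RE = re.compile(rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,6}", re.I)


def extract_hostnames(blob: bytes):
    """Return unique host-name-looking strings in `blob`, in order of appearance."""
    seen, out = set(), []
    for m in HOSTNAME_RE.finditer(blob):
        name = m.group(0).decode("ascii").lower()
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def is_dyndns(hostname: str) -> bool:
    """True if the name is, or sits under, one of the dynamic-DNS zones."""
    return any(hostname == z or hostname.endswith("." + z) for z in DYNDNS_ZONES)


def parse_inetnum(record: str):
    """Parse the 'inetnum: A - B' line of a whois record into (A, B) addresses."""
    m = re.search(r"^inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", record, re.M)
    if not m:
        raise ValueError("no inetnum line in record")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def in_inetnum(addr: str, record: str) -> bool:
    """True if `addr` lies inside the inetnum range of the whois record."""
    lo, hi = parse_inetnum(record)
    return lo <= ipaddress.ip_address(addr) <= hi


def report(blob: bytes):
    """Map each extracted host-name to whether it is under a dynamic-DNS zone."""
    return {h: is_dyndns(h) for h in extract_hostnames(blob)}


# Whois record quoted in the talk (abbreviated).
CNC_TJ = """inetnum: 117.8.0.0 - 117.15.255.255
netname: CNCGROUP-TJ
descr: CNC Group Tianjin province network
country: CN
"""

# Constructed Trojan-like blob: junk bytes around the host-names cited in the talk,
# plus one benign-looking name to show the filter.
SAMPLE = (b"\x00\x90\x90MZ\x00\x00" + b"hi222.3322.org\x00" + b"\xff" * 8
          + b"www.vic2088.com\x00" + b"\x00" * 4 + b"cvnxus.8800.org\x00"
          + b"http://www.microsoft.com/\x00")

if __name__ == "__main__":
    for host, dyn in report(SAMPLE).items():
        print(f"{host:28s} dynamic-DNS={dyn}")
    print("117.14.210.181 in CNCGROUP-TJ:", in_inetnum("117.14.210.181", CNC_TJ))
    print("202.155.203.250 in CNCGROUP-TJ:", in_inetnum("202.155.203.250", CNC_TJ))
```

On the constructed sample the two 3322.org and 8800.org names are flagged and the others are not, 117.14.210.181 falls inside the Tianjin netblock and 202.155.203.250 (the Hong Kong address above) does not. Against a real sample the host-name scan is only a starting point: packed or string-obfuscated Trojans will show nothing until unpacked, and a dynamic-DNS name alone is not proof of malice, as the talk itself notes.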

Human Rights in China intercepted just two targeted email attacks in 2006, and by the end of last year that had grown to forty. In the first three months of 2008 the group received more than one hundred such targeted attacks.

Based on technical data such as this, it is not possible to assign attribution to these attacks - but if we take an inter-disciplinary approach and consider these incidents from a social science as well as a computer security perspective, we can come to some tentative conclusions about who is responsible.

Let us now consider who is responsible for these ongoing attacks against non-state actors that so effectively challenge the Chinese government's legitimacy.

While the People's Liberation Army established its first cyber-warfare units (zixunhua budui) in 2003 -- and we can assume the Chinese Ministry of State Security is also active in this field -- I will focus my comments on what is termed the "Red Hacker Alliance".

One of the key questions in Scott Henderson's research is whether the groups that make up the Red Hacker Alliance are officially exploited by the Chinese state: are tasking, oversight and control of the organization in the hands of the central government? Henderson's simple answer is that the Red Hacker Alliance is not part of the government. He sees them as just who they claim to be: an independent confederation of patriotic Chinese youth committed to defending the motherland from what it perceives as threats to national pride.

No one working with open-source intelligence has yet been able to substantiate the claim that there is direct government oversight of the Red Hacker Alliance; on the contrary, there is a significant weight of evidence to suggest that the organisation is a non-state actor. However, it has been argued that the framing of this inquiry is flawed, and that a straightforward answer in the negative is highly misleading.

The essential difficulty with the thinking behind our enquiry is that we tend to consider the issue from a western, liberal, democratic conception of the nation-state, which leaves us susceptible to cultural bias. Many authors have made it clear that in Chinese society acting independently of the government does not imply disconnection from the state.

The Chinese government regards its people as an essential component of what it calls, "comprehensive national power" and as critical to national security. The "masses" are prominent in China's strategic reckoning and will be aggressively deployed in both war and peace time.

Therefore, while it is basically true to argue that the Red Hacker Alliance is a non-state actor, it is also highly misleading, because it would suggest that the hackers are not working with the government's intelligence bureaucracy, and that would be wrong. The tendency to seek a simple "yes" or "no" to our inquiry may reflect a mirror imaging of societal norms where none exist.

From a liberal, democratic point of view, espionage targeting another state involves government direction and supervision. It is unnatural for westerners to conceive of linkages between state actors and freelance intelligence operations. It does not conform to our notions of an appropriate relationship.

However, Henderson argues that this is very probably the type of relationship the government has formed with the Red Hacker Alliance. Western governments do not systematically apportion intelligence gathering roles to non-state actors, even in times of war. The Chinese government, however, and the People's Liberation Army in particular highlight the integration of military and civilian roles even in their contemporary doctrine of "local war under modern high-tech conditions":

"In the high-tech local war which we will face in the future, the role of the masses as the main body of the war is embodied by the country. The great power of the people's war is released through comprehensive national power, the combination of peace time and war time, the combinations of the military and the civilian, and the combination of war actions and non-war actions. Besides the direct participation and cooperation with the army's operations in the region where war happens, the masses will support the war".

China retains the idea of a "people's war" in which the masses are mobilized to fight shoulder to shoulder with regular military forces. There is considerable evidence to suggest that the Red Hacker Alliance will actively engage in targeting western organizations - that is, being a non-state actor will not inhibit their participation in attacks - be they preemptive or retaliatory.

The question we must ask then, is what form would these freelance intelligence gathering operations take? An interview with a hacker from Beijing provides a good example of what Henderson refers to as a "non-traditional relationship":
"One Beijing hacker says two Chinese officials approached him a couple of years ago requesting 'help in obtaining classified information' from foreign governments. He says he refused the 'assignment,' but admits he perused a top US general's personal documents once while scanning for weaknesses in Pentagon information systems 'for fun.' The hacker, who requested anonymity to avoid detection, acknowledges that Chinese companies now hire people like him to conduct industrial espionage. 'It used to be that hackers wouldn't do that because we all had a sense of social responsibility ... but now people do anything for money.'"

The approach used with the Beijing hacker reflects the same methodology the government employs with human intelligence collectors. China has developed a diverse, informal network of students, teachers, tourists, and foreign workers inside of host nations to collect tiny bits of information, and from there develop a composite picture of the environment.

Henderson and others have tried to demonstrate that what is true for the realm of human intelligence gathering is reflected in Chinese information operations. That is, rather than assign a targeted goal for collection, the intelligence apparatus tends to rely on sheer weight of information to develop a global perspective. Experts have hypothesized that this is exactly the informal association the government and the Red Hacker Alliance share.

The Chinese government appreciates the value of the Chinese computer underground and has made tentative contacts with them. From the government's perspective the hackers make excellent candidates for mounting information operations against overseas targets. They have demonstrated that they are creative, highly patriotic, they have the ability to launch sophisticated attacks, and are motivated to do so.

That is not to suggest that every member of the Red Hacker Alliance has informal connections with the intelligence bureaucracy, rather, there are probably very few members who have any dealings with the government. But this relationship is not straightforward or simple. At times it must be uneasy and require a delicate balance of constraints and freedoms.

A more detailed understanding of how the parties interact, especially where mutual interests converge, will enable us to uncover the complex cost-benefit analysis that the government has to calculate when it allows the Red Hacker Alliance to operate within its borders.

From the government's perspective, the Chinese computer underground must have benefits that outweigh their liabilities, otherwise the Red Hacker Alliance's activities would be halted.

At the moment, however, there are very few indicators that the government is making any effort to shut down the Red Hacker Alliance, surely a telling sign that the cost-benefit analysis is in the underground's favor. So, if this is not a state-sponsored organization, what are the factors that make it worth the government's while to allow the alliance to operate?

The most obvious reason for the government's tolerance of the Red Hacker Alliance is that it is likely to receive valuable information. Thousands of attacks per day could surely fill in some of the gray areas of a composite intelligence picture. Furthermore, as a non-state actor, the Red Hacker Alliance provides Beijing with plausible deniability. Even if freelance hackers could be positively identified, their actions are easily disavowed as those of patriotic youth, and certainly not of the government.

In addition to intelligence collection, and the distinct possibility that the government and the alliance have financial ties, nationalist politics also binds the computer underground and the government together.

The political sphere can be divided into two distinct categories, domestic and international.

Domestic political hacking targets dissidents and separatist social movements found inside China, and extends to their overseas supporters. The targets of these attacks are groups that are perceived to challenge the "unity of the motherland" or to question the legitimacy of the Communist party, such as Falun Gong, the Tibet movement, and democracy activists and dissident networks such as Human Rights in China. Since at least 2002 dissident groups operating outside of China have claimed to have experienced targeted malware attacks such as the ones we considered earlier. It has also been noted that such attacks have coincided with officials from the Ministry of Public Security calling for more aggressive measures in dealing with hostile "foreign forces subverting China via the Internet."

When we consider the international sphere we see that Beijing has been able to turn to the Red Hacker Alliance as a proxy force as well as a rallying force for Chinese solidarity. Any historical account of the computer underground in China demonstrates an organization that aggressively supports government policy through sophisticated on-line operations. Positive public perception of the alliance's nationalistic posturing also offers some degree of protection and support from the central government. The Chinese public tends to regard hackers as a voice of the people, capable of reaching across great distances to right the wrongs done to China by her enemies. In certain circles famous hackers are revered as Hollywood stars might be, and not as criminals.

Let us now consider evidence that the central government is engaged in tentative efforts to recruit members of the computer underground. Evidence drawn from Chinese Internet forums and news broadcasts clearly demonstrates that members of the Red Hacker Alliance would like to be a state-sponsored entity, and are rather offended that they are not.

In August 2005, Phoenix television news carried a report that Chinese hackers wanted to be recruited by the government to form Internet security battalions in order to safeguard the security of domestic networks. Posts on the Honker Union 2 of China's bulletin board system were in agreement:

"We need to move toward standardized honker unions. We can't wait until the nation has a crisis to act; we must be prepared to do something meaningful for the motherland. Why can't we become a government-approved network technology security unit?"


According to other postings, various members of the organization had learned of foreign countries establishing "hacker network security units" and felt China should do the same.

On the government side we can see something similar: some authorities expressing interest in recruiting or learning from members of the Red Hacker Alliance.

Following the Sino-US cyber-conflict of 2001, ignited by the mid-air collision of a US reconnaissance aircraft and a Chinese fighter aircraft, the renowned Chinese military expert, Professor Zhang Zhao Zhong, expounded on the vital significance of the seven-day network war.

He suggested that these real-life experiences in network warfare should be officially researched for the benefit of the country. As the director of the National Defense University's Military Science and Technology and Equipment Research Department, Zhang pointed out that during the course of the cyber-conflict, Chinese hackers had developed many new tactics and gained much experience.

The weakness of security on government servers may be a possible explanation for the cyber-espionage charges leveled at China. Non-state hackers inside China, and hackers outside the country, compromising these systems could account for a significant percentage of attacks emanating from Chinese government networks. It is highly doubtful that the People's Liberation Army, for example, would launch attacks from accounts so easily identified. However, civilian hackers could find these compromised machines excellent launching pads for attacks.

Finally, a further blurring of the lines between civilian and government activities is the way the government tends to co-opt public facilities and draft them into military service. In 2003, Dongshan District of Guangzhou, China, one of the major science and technology centers in the southern region, spent US $54,000 to turn the provincial telecommunications company, data communications bureau, microwave communications bureau and Southern Satellite Telecommunications Services Corporation into a militia information warfare battalion.

While these public facilities were becoming an official unit in the militia battalion, others such as NetEase Guangdong and the China Unicom Paging Company in Guangzhou were being brought on board, even though they did not have an established mission.

The Guangdong area has been cited as one of the major areas for "government sponsored" hacking and the activities of groups such as these may be adding to the confusion of what is state organized and what is civilian.

I hope that this brief overview of the technology behind these targeted malware attacks, and consideration of who might be responsible has proved interesting and informative - particularly to those of you whose organizations have been recently attacked.

Journalists who are traveling to Beijing in August need to be aware of the dangers that exist online in China. Media organizations have very recently been targeted by Chinese hackers, both through stealthy cyber-espionage and through less subtle denial-of-service attacks, on CNN for example. You may also wish to report on these issues. If, in the future, you find your organization has been attacked in the ways I have outlined here, please don't hesitate to get in touch: jamyang@08310.org. My thanks to Mikko H. Hypponen, Maarten Van Horenbeeck and Scott Henderson.


2: A group known for hacker activity, mainly present in mainland China. Literally, the name means "Red Guest." - Wikipedia