April 30, 2001 5:50 PM PDT
Defacements rise in China hacker war
By late Monday, the hacking group Honker Union of China increased the number of Web sites defaced since early April to more than 80, while online vandals posting pro-American graffiti had tagged at least 100, according to several sources.
Web sites falling victim to the vandals included the National Institutes of Health, the U.S. Navy, the California Department of Energy, and the U.S. Department of Labor, as well as many corporate Web sites.
"This is very much statistically on par with the Israeli-Palestinian defacement war," said Chris Rouland, director of the internal development and research group for network protection firm Internet Security Systems. "We are seeing a seven- to 10-fold increase in scans and defacements."
Federal authorities warned last week of a planned "Labor Day Strike" from Chinese hackers upset over the recent spy plane incident.
According to the National Infrastructure Protection Center, a unit of the FBI, "Chinese hackers have publicly discussed increasing their activity" between two major holidays this week in China. May 1 is International Workers Day, and May 4 is Youth Day. Also coming up is the two-year anniversary, May 7, of the accidental U.S. bombing of the Chinese embassy in Belgrade.
Gartner analyst John Pescatore says that although "hacktivism" is a real danger, security companies looking to grow their businesses have driven most of the publicity about the hacking threat from China.
The attacks come in the wake of the April 1 collision between a Chinese jet fighter and a U.S. surveillance plane. The pilot of the jet fighter, Wang Wei, died in the crash. Recent news reports say that Chinese officials have decided to allow U.S. officials to inspect the plane, which still remains on the island where it made an emergency landing after the collision.
Chinese hackers rising
The most active group of Chinese defacers appears to be the Honker Union of China. "Honker" is slang in China for hacker.
"The manifesto of Honker maintains the reunification of the motherland! Guards the national sovereignty! Outside consistent resistance shame! Attack anti-Chinese arrogance!" read the standard defacement message that adorned several of the compromised sites.
Web sites maintained by members of the group indicated that more than 80 sites had been defaced as part of this week's protests. The site reported that another 400 servers had been compromised.
Attacks have not been limited to defacing, either. One consultant for a large U.S. company said that almost all the data on two servers at the company had been systematically deleted on Saturday, leaving behind an expletive-filled message directed at the United States.
While defacing Web sites has seemingly been a game for a great many online vandals, data about the efforts of Chinese hackers has been rare--not because of a lack of incidents, but because Chinese hackers don't report their defacements to sites that track such attacks, said Brian Martin, staff member at security site Attrition.org, a group that tracks Web site defacements.
"One thing that is interesting is that over the past week, American hackers have said that the Chinese haven't done anything," he said. "Now it looks like the Chinese have been defacing sites but not reporting them to us or the other mirrors."
Motives for attack?
Martin believes news reports speculating on whether Chinese hackers would attack U.S. sites to protest the surveillance plane incident started a self-fulfilling prophecy.
"A lot of this seems to have started because the media said it would start," Martin said. "The timeline clearly shows it didn't turn into a political-based defacement spree until (the media) said it would."
Others disagreed. Fred Cohen, a security researcher and principal member of the technical staff at Sandia National Laboratories, said evidence suggests the Chinese attacks are condoned, if not actively organized, by the Chinese government.
"The most important thing to understand is it is not like the U.S.," he said. "We have hackers and miscreants--but they don't come from China without the government taking actions to make it happen."
In China, because hacking is a capital crime, government approval would be necessary for such a large group of vandals to work together, Cohen said.
Cohen also pointed to such incidents as the 1i0n worm, which apparently originated in China, as evidence that the situation could escalate. The 1i0n worm is an Internet program that uses scanners and automated exploit scripts to hack Linux servers and then send information regarding the servers back to China.
Such information could be used to attack the servers later, Cohen said. The result could be a denial-of-service attack or some other assault on the U.S. Internet infrastructure. Its goal would be to show that such cyberattacks are another weapon in the country's arsenal.
"It's not an accident; it's not a populist move," Cohen said. "It's a demonstration. They are saying, 'We are capable of doing this to you too, and we can do it in a controlled fashion, and we can stop it when we say.'"