China’s Hacker Army
The myth of a monolithic Chinese cyberwar is starting to be dismantled. A look inside the teeming, chaotic world that exists instead -- and that may be far more dangerous.
A flier for a prominent Chinese hacker’s presentation on the how-tos and wherefores of hacking, drawing on sources as diverse as Shakespeare, the Diamond Sutra, and … Google. Click through to view FP‘s exclusive slideshow.
The autobiography of hacker SharpWinner opens on a bunch of young men in a high-rise apartment thick with cigarette smoke, in an unnamed city somewhere in China. Hacking is hard work, and this particular group, one of hundreds spread across the country, has been at it for hours. But the alpha male of the group, a “handsome and bright youth” — throughout The Turbulent Times of the Red Hackers, SharpWinner refers to himself in the third person — is unflappable. After he completes a backdoor intrusion into a Japanese website, he takes a break to field text messages from female admirers.
It would be easy to dismiss SharpWinner, who has promoted his book on national television, claiming he has a movie deal in the works, as an attention-hungry stuntman. And in fact, the news that Google and dozens of other companies had been hit by a mammoth attack originating in China this past winter evoked the strong arm of the Chinese government — not SharpWinner’s amorphous world of hacker bandits. The Internet giant said the decision to go public with information on Operation Aurora, as the hack has been dubbed, “goes to the heart of a much bigger global debate about freedom of speech.” The Chinese government’s spying on the email accounts of human rights activists, Google intimated, was behind its threat to pull out of China. (It has yet to make good on that claim.)
But a report released Tuesday by Atlanta security firm Damballa says the Aurora attack looks like work of amateurs working with unsophisticated tools. That revelation, along with a separate story in the Financial Times that a freelancer wrote the Aurora code, is focusing attention on China’s loose web of cowboy hackers. And SharpWinner — the leader of a coalition including anywhere from 50,000 to 100,000 civilian members and, before he disappeared from public view in 2007, a regular participant in international cyberconflicts, including the 2001 hacker war stretching from China to the White House — is just the beginning.
The Aurora attacks represented an attempt by hackers apparently based in China to steal valuable information from leading U.S. companies. (So far the list of victims includes Adobe Systems and Dow Chemical, in addition to Google.* Over the weekend, a security researcher told Computerworld that Aurora might have penetrated more than 100 firms.) Investigators are still trying to understand where Aurora came from and what it means, but already some surprising clues have emerged. The Financial Times story followed on the heels of a New York Times story reporting that researchers have traced the attacks back to two Chinese universities, one of which has long been a training ground for freelance or “patriotic” hackers. Among the implications of these reports: The U.S. understanding of Chinese hacking is seriously out of date.
Western media accounts typically overlook freelancers in favor of bluster about the Chinese government. Some pair breathy accounts of cyberwar with images dredged up from 1960s People’s Liberation Army propaganda, as if to suggest China has some centrally administered cyberbureau housing an army of professional hackers. Others make improbable or unsubstantiated allegations. Two years ago, a National Journal cover story claimed Chinese hackers were responsible for the 2003 blackout that crippled much of the U.S. Northeast, an event repeated investigations have attributed to domestic negligence.
In fact, the hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented — and sometimes unruly — patriotic hackers. Since the 1990s, China has had an intelligence program targeting foreign technology, says James A. Lewis, senior fellow for cybersecurity and Internet policy at the Center for Strategic and International Studies. Beyond that, however, things get complicated. “The hacking scene can be chaotic,” he says. “There are many actors, some directed by the government and others tolerated by it. These actors can include civilian agencies, companies, and individuals.”
To anyone who speaks Chinese, that chaos is obvious. Google the characters for heike — a transliteration of “hacker” that means, literally, “black guest” — and you’ll come up with pages and pages of results. Sites such as http://www.chinahacker.com, http://www.cnhacker.com, and http://www.hackbase.com contain step-by-step instructions, advertisements for how-to seminars — become a hacker in a few short weeks! — and screen shots of foreign casualties. And yet they are clearly not the work of the central government. Read on (or don’t — the sites are packed with malware and users visit at their own peril) and you’ll find threads roiling with bitter infighting, foul-mouthed forum posts, and photos of scantily clad women.
“There are literally hundreds of these sites,” says Scott J. Henderson, an intelligence contractor and former U.S. Army linguist who has written a book on Chinese hackers. “They all have different agendas and different personnel. It’s not as well-coordinated as everyone sitting down in a room and someone saying, ‘You, go write this code.’ ‘You, go write that.'”
Instead, China’s hackers spring up organically. Mix together widespread youth nationalism with a highly wired population — China now boasts the most Internet users in the world, with 384 million people online — and out comes patriotic hacking. The self-described “red hackers” are the product of the “the fact that we live in a time when our country is moving toward prosperity,” SharpWinner once said, quite accurately. Prosperity also ensures a market for abundant hacker memorabilia: hacker magazines, hacker T-shirts, and tell-all books like his. While traveling through rural China once, I stumbled across bins in a village store filled with Hacker brand candy. (It tastes like saltwater taffy.)
Every August, top hackers convene in Beijing for a conference ostensibly about information security but described by one participant as including seminars on common attack techniques. China’s hackerati range from flamboyant prima donnas like SharpWinner to Sunwear, a slight, pixie-ish twentysomething who marks his website defacements with the innocuous tag line “just for fun!“, to Xiao Tian, the unattainable femme fatale leader of China Girl Security Team. Many of their causes neatly overlap with the interests of the Chinese government. Take one of the events that drove the development of hacker culture in China: the 1999 NATO bombing of the Chinese Embassy in Belgrade. In retaliation, hackers plastered the website of the U.S. Embassy in Beijing with the phrase “Down with the Barbarians!” Or the targeting of email accounts of the Save Darfur Coalition, which opposes Chinese involvement in Sudan, in 2008. Or GhostNet, the cyberspying operation originating in China that was revealed last year to have infected 1,295 computers in 103 countries — including the Dalai Lama’s network in Dharamsala, India. The University of Toronto researchers who uncovered the attack have not yet pinpointed its architects, but in a report on the attack, they noted the operation could easily be the work of patriotic hackers using “do-it-yourself signals intelligence.”
But the fact that these hackers’ interests overlap with Chinese policy does not mean they are working on behalf of Beijing, and indeed many of their activities suggest no government interference at all. “Governments are not taking over botnets of compromised computers to conduct denial-of-service attacks,” says Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. It helps, however, that Beijing turns a blind eye to their attacks. An unwritten rule holds that freelance hackers are left alone as long as they target foreign sites and companies. Once they go after information inside China, the government cracks down. For a hacker interested in self-preservation, the choice is clear.
Another part of the bargain appears to be remaining open to government requests. If the Financial Times report is correct, Operation Aurora was executed with code developed by a thirtysomething freelance Web security consultant working independently, without government prodding. According to the paper’s informant, described as a U.S. government researcher, the hacker simply posted a chunk of the code on a hacking forum, where it found its way into Chinese government hands. “He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing,” the researcher was quoted as saying.
The rest of the story should become clearer in coming months. But another report traces the attacks to servers at Shanghai Jiao Tong University’s School of Information Security Engineering, one of China’s top computer science schools and a hotbed for freelance hackers. For years, students there have freely organized hacker groups and traded war stories in forums hosted on the school website. In 2007, Shanghai Jiaotong graduate student and veteran hacker Peng Yinan hosted an information session titled “Hacker in a Nutshell” in a school conference room. The PowerPoint slides he worked off — which until recently could be downloaded from his group’s website, now down — glorify hacker culture and explain successful techniques that can be tried at home, pointing out that Chicago Tribune reporters once uncovered contact information for thousands of CIA agents using a basic online service. A flier advertising the event described Peng as a consultant for the Shanghai Public Security Bureau.
Another student whose screen name appears on Peng’s hacks — but who told me he wasn’t involved — went on to work for Google.
Could Operation Aurora have been written by a freelancer, picked up by a bureaucrat, and then reassigned to a freelancer with ties to Google? It is a possibility worth entertaining, at least. Some have argued that the Chinese government should have more effective means for securing intelligence than students and online misfits. But others say a decentralized approach suits Beijing just fine. “You can see the benefits of having a blurry line,” says Lewis. “The Russians do it all the time with Estonia: ‘Of course it wasn’t us. Can you prove it was us?'”
Ultimately, a loose connection between Beijing intelligence operatives and patriotic hackers is more troubling than a strong one. Governments operate under constraints. Gangs of young men — as the United States has learned the hard way — don’t. “Certainly if it’s government-sponsored cyberwarfare, I have someone I can deter,” says Henderson. “If it’s mutually assured online destruction — OK, I can at least develop a theory on that. But with rogue Internet actors it’s very difficult. They’re potentially very dangerous.”
The thought would flatter SharpWinner. In his TV appearance, he confided his concerns about hacking culture in China. He had witnessed the disintegration of some prominent hacker groups, and he fretted that most patriots simply get on board whenever some international incident flares up and lay off hacking foreign companies once things cool down. But with a little effort these challenges can be overcome, he concluded, saying that he is encouraged by a recent resurgence of interest in hacking. Then he addressed listeners directly. “Brothers,” he intoned, “go with me! The future of red hacking is bright!”
*The original version of this article cited reports that RAND Corporation had been hit by Aurora. A RAND spokesman wrote in to say “RAND has not been hit — we have no evidence of attacks or having been targeted by Aurora.”