Series of EmergencyNet News Reports Concerning A Cyber-Conflict Between Chinese and USA Hackers: 13 Apr 2001 to 05 May 2001

05 May 2001 

WASHINGTON, DC:

Chinese Hackers Suspected In White House Website Attack

POTUS appears to be the latest victim in an online assault by Chinese hackers, as the White House website was unavailable for several hours early Friday. The hackers' attack was similar to ones that took CNN and Yahoo offline last year. The White House confirmed that for two hours and 15 minutes their website was unavailable.

A White House spokesman said: "There was no security breach, and the attack is under review." The attack began between 1100 and 1200 GMT. Hackers in the US and China have been engaged in an online battle this week. Chinese hackers have reportedly defaced more than 660 sites in the past week.

The hackers promised a cyber-offensive against US sites in observance of May Day and Youth Day on 4 May and also in remembrance of the US bombing of the Chinese embassy in Belgrade two years ago on 7 May. The Federal Bureau of Investigation had warned of the increased threat, and this week it said it had seen a significant increase in attempted attacks.

According to the FBI's National Protection Infrastructure Center (NIPC), sites are being actively scanned for weaknesses. It said: "These probes and attempted exploitations currently number in the millions and the activity is ongoing."

The firm iDefense has been monitoring the activity of Chinese hackers. It put out an alert on 30 April, saying the hackers would specifically target 14 high-profile government and commercial websites. Government sites targeted included the White House, the CIA, the Pentagon, US Navy, and National Security Agency. The commercial targets included The New York Times, CNN and The Army Times.

The Chinese hackers have been distributing a denial of service attack tool on their website. Such attacks direct a huge amount of traffic at a website, rendering it unable to process legitimate requests. A similar method was used to cripple several high-profile sites last year, including CNN and Yahoo!

Chinese hackers had reportedly been trying to deface the White House website for much of the week. They even expressed frustration at the difficulty they were having in either defacing or crippling it. It apparently was better protected than they thought.

The Chinese hackers have been actively distributing what is described as a "flood" type of tool and were giving detailed instructions on how to configure the tool for the attack. There is also some evidence that Chinese hackers are not merely defacing websites but also destroying data. In some cases, if they have been able to achieve root compromise, they leave behind a script that when rebooted "wipes" the server hard-drive clean.

US hackers have not sat idle during this period and have increased their attacks over the past week as well. US hacker attacks began shortly after the collision of a US surveillance plane with a Chinese fighter jet last month. In the past 30 days, more than 450 Chinese sites have been defaced.


04 May 2001 

CHINA/USA: 

Chinese Cyber Blitz Being Faced By US

The international cyber battle following the US-China surveillance plane incident has reportedly intensified in recent days, with Chinese media reporting at least 600 websites attacked. Computer hackers in China say they are planning a massive wave of attacks on websites based in the United States in protest of the collision between US and Chinese military planes which left a Chinese pilot dead. Chinese activists allegedly have targeted US organizations, including the UPI news agency, U.S. Department of Labor, the US Surface Transportation Board, the U.S. Department of Health, and other mostly non-classified government sites.

A number of computer analysts, however, aren't taking the current batch of web-page graffiti all that seriously. Most notably, Michelle Delio of Wired News today calls the alleged cyber-war "hot air," and Brock Meeks of MSNBC yesterday dispelled the myth of "hacktivism" as it pertains to the current exchange of "drive-by hacking that requires no talent."

William Knowles, an analyst for C4I.org, a computer security and intelligence site, told EmergencyNet News that the more sophisticated hackers in China aren't participating in the current plague of web-page defacements. Knowles, who admits to being a "white hat hacker," says that "the only sure winners of this 'cyber war' are the internet computer security companies who are exploiting this situation for profit." Knowles also says that he believes that we will see "a 30-40% increase in defacement incidents" over this coming weekend (05-06 May 2001) and then "this should be over by Monday."

According to other experts, a number of the attacks are probably coming from hackers outside the two countries in conflict -- with other adolescent "script-kiddies" trying to get in on the action. But a member of one of two groups of Chinese activists involved has reportedly said that hackers in China were now planning to target a broader range of US sites. He said the Chinese hackers had initially focused on official US government websites, posting patriotic and anti-American slogans, to express their anger at the loss of the Chinese pilot.

ERRI's Clark Staten, in an interview with Information Security magazine on Thursday, said, "At least to some extent, U.S. hackers are causing this as much as the Chinese in the last few days...the problem is that as this thing escalates, it becomes a tit-for-tat situation. You hit me, I hit you harder. And it just goes on from there."

A Beijing-based hacker said Americans had reportedly targeted all kinds of Chinese websites and had allegedly placed pornographic pictures on the home page of the official Beijing radio station. He said his group, known as the "Honkers' Alliance," aimed to hit 1,000 US websites of various types over the next two days. The cyber attacks are timed to coincide with China's 4 May public holiday, which commemorates Chinese resistance to foreign powers in the early part of the 20th century. The Chinese hacker also said there would be a series of computer attacks on 18 May, the second anniversary of the bombing by NATO of the Chinese embassy in Belgrade.


02 May 2001

US And Chinese Hackers Continue To Duke It Out

Although the whole situation is being downplayed by at least some computer analysts as "lame," computer hackers in both the United States and China are reportedly continuing their conflict in cyberspace. Responding to a wave of attacks by US hackers, a group of Chinese hackers are thought to be embarking on a campaign to deface as many American websites as possible. So far, the attacks seem to be limited to replacing legitimate web-pages with pro-China messages.

But the FBI and web security organizations are warning that more serious attacks could be on the way. Soon after the mid-air collision of a US surveillance plane and a Chinese military jet, US hackers started attacking Chinese websites in their own form of protest against China's actions. Since the 01 April incident, US hackers have reportedly been carrying out 40-50 attacks a day on Chinese websites, and defacing or hijacking those found to be vulnerable.

Websites that watch and report on hacking activity say up to 300 Chinese websites may have been hit. Many of the attackers left behind racist messages or images accusing the Chinese Government of cowardice. Now, a Chinese hacking group called the "Honker Union of China" has said it is retaliating against these attacks. Several other groups and individuals were identified as making threats against U.S. computer systems.


07:00CDT - 01 May 2001

COMPUTER PROBES/ATTACKS UNDERWAY....

NIPC ALERT 01-010: "Significant Increase in Unix-based Network Scanning and Probing Activity at Ports 515 and 111 Directed at lpd/LPRng and RPC Services"

NIPC, 5/1/2001

Source: http://www.nipc.gov/warnings/alerts/2001/01-010.htm

The National Infrastructure Protection Center (NIPC) has reliable information indicating a very significant increase in attempts to exploit known weaknesses in the lpd/LPRng and RPC daemons of Unix-based operating systems. These probes and attempted exploitations currently number in the millions and the activity is ongoing. Network security and systems administration personnel should be especially sensitive to unusual traffic on their systems or networks directed at the lpd/LPRng and RPC services (ports 515 and 111 respectively). The exploitation of these vulnerabilities could result in root compromise, and is consistent with past activities involving the installation and operation of the "mstream" Distributed Denial of Service (DDoS) tool. Further information on the lpd/LPRng vulnerabilities and available countermeasures may be found at:

www.sans.org/newlook/alerts/port515.htm
www.cert.org/advisories/CA-1991-10.html
www.cert.org/advisories/CA-2000-22.html
www.kb.cert.org/vuls/id/382365

Further information on the RPC vulnerabilities and available countermeasures may be found at:

www.sans.org/newlook/resources/IDFAQ/blocking
www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html
www.kb.cert.org/vuls/id/34043

Further information on DDoS tools such as "mstream" was last reported in NIPC Advisory 00-063, dated 28 December 2000. The NIPC "Find DDoS" utility may be used to determine if your network has been victimized by the implanting of certain DDoS attack tools (the tool may be downloaded from: www.nipc.gov/warnings/advisories/2000/00-55.htm).

Recipients of this alert are encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.NIPC.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or by e-mail to: NIPC.Watch@fbi.gov
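The alert above asks administrators to watch for unusual traffic at tcp/515 and tcp/111. As an added illustration (not part of the NIPC alert or the EmergencyNet report), the following script shows one way to do that: it parses Netfilter-style firewall log lines and flags any source that probes those two ports on several distinct internal hosts, the signature of the horizontal scanning the alert describes. The log lines, the hosts, the addresses and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Ports named in the NIPC alert: lpd/LPRng and the RPC portmapper.
WATCHED_PORTS = {515: "lpd/LPRng", 111: "RPC portmapper"}

# Constructed Netfilter-style kernel log lines; not real traffic.
SAMPLE_LOG = """\
May  1 06:58:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=515 SYN
May  1 06:58:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=515 SYN
May  1 06:58:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=40003 DPT=111 SYN
May  1 06:58:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=40004 DPT=111 SYN
May  1 06:58:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=40005 DPT=515 SYN
May  1 06:59:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
May  1 06:59:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=515 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (src, dst, dport) for a Netfilter log entry, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))

def find_scanners(log_text, min_targets=3):
    """Flag sources that touch a watched port on at least min_targets distinct hosts.

    Returns {src: {port: sorted list of destination hosts}} for flagged sources.
    A single connection to one host (e.g. a real print client) is not flagged.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in WATCHED_PORTS:
            hits[src][dport].add(dst)
    flagged = {}
    for src, ports in hits.items():
        distinct_targets = set().union(*ports.values())
        if len(distinct_targets) >= min_targets:
            flagged[src] = {p: sorted(d) for p, d in ports.items()}
    return flagged

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        for port, dsts in ports.items():
            print(f"{src} probed {WATCHED_PORTS[port]} (tcp/{port}) on {len(dsts)} hosts")
```

On the sample data only 198.51.100.7 is reported; 203.0.113.5 touches port 515 on a single host and stays below the threshold.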

RE: Follow-on to report yesterday on Chinese Hacktivists by EmergencyNet News...


Excerpted from: 08:00CDT - 30 Apr 2001; Chicago Institute Issues "Civil Unrest" Advisory Concerns About May Day-Related Violence

On-Line Protests/Pro-Chinese "Hacktivist" Campaign

In addition to the protest activity listed above, warnings have also been issued by the U.S. Federal Bureau of Investigation (FBI -- see below in Cyber-Crime/Viruses/Cyber-Terrorism section) in regard to the possibility of a "hacktivist" internet campaign involving "denial of service attacks," webpage defacements, e-mail bombardment, and distribution of computer viruses. This illicit computer activity may be the result of a threatened "May Day Campaign" on the part of Chinese "crackers" and "script kiddies." Unconfirmed reports coming from Chinese discussion groups and webpages are reportedly calling the anti-U.S. campaign "Network War of National Defense" (Wu Yi Wei Guo Wang Zhan).

Preliminary reports have already been received on webpage defacements of at least two U.S. government agencies -- the Dept. of Labor and the Dept. of Health and Human Services. Both were adorned on Saturday with pictures of a Chinese pilot who was believed lost in an accident involving a U.S. EP-3E surveillance plane a couple of weeks ago. The United Press International (UPI) website reportedly suffered a similar fate this morning (Monday). Significant on-line protests, hacktivist activity, and various forms of computer attack could take place in the next 24-48 hours.

References:
http://www.emergency.com/2000/dos2000.htm
http://www.emergency.com/2000/compdefnse-implc.htm
http://www.emergency.com/techpage.htm


21:00CDT - 26 Apr 2001

ADVISORY 01-009

"Increased Internet Attacks Against U.S. Web Sites and Mail Servers Possible in Early May"

Issued 04/26/2001

Citing recent events between the United States and the People's Republic of China (PRC), malicious hackers have escalated web page defacements over the Internet. This communication is to advise network administrators of the potential for increased hacker activity directed at U.S. systems during the period of April 30, 2001 to May 7, 2001. Chinese hackers have publicly discussed increasing their activity during this period, which coincides with dates of historic significance in the PRC: May 1 is May Day; May 4 is Youth Day; and, May 7 is the anniversary of the accidental bombing of the Chinese Embassy in Belgrade.

To date, hackers already have unlawfully defaced a number of U.S. web sites, replacing existing content with pro-Chinese or anti-U.S. rhetoric. In addition, the NIPC previously reported on an Internet worm named "Lion" that is infecting computers and installing distributed denial of service (DDOS) tools on various systems. Analysis of the Lion worm's source code reveals that, when illegally exploited, it sends password files from the victim site to an email address located in China. For more information on the Lion DDOS tool, refer to NIPC Advisory 01-005.

As a result of the activity already seen, together with public statements threatening increased illegal activity, network and system administrators are encouraged to more closely monitor their web sites and mail servers during April 30, 2001 through May 7, 2001 for attacks that could include web page defacements and denial-of-service attacks.

Recipients of this advisory are encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.NIPC.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or NIPC.Watch@fbi.gov.

Source: http://www.nipc.gov/warnings/advisories/2001/01-009.htm


13 Apr 2001  

U.S. Computer Systems Defaced by Chinese Crackers?

Washington, DC (EmergencyNet News) -- ERRI computer security analysts have learned that several instances of website defacement have taken place in the United States in recent days. Each of the attacks apparently involved the posting of Chinese propaganda and/or pictures of Chinese flags. Preliminary investigation of the incidents would suggest that the cracks originated in or were routed through China. Additionally, it is believed that a group that calls itself "Hackers Union of China" has been encouraging such attacks on various IRC chat channels. At least some more conservative computer analysts are calling the incidents "script-kiddie" attacks and downplay the seriousness of the threat from China. The Washington Post featured an article by Ariana Eunjung Cha which provides additional details.

Infrastructure/Directed Virus Attacks:

Are We Under (Computer) Attack?
Some experts think we are, or could be soon

It almost sounds like something straight out of a Warner Brothers' movie called The Conspiracy Theory except this time there's more than just Mel Gibson proclaiming subversive intent. Many experts feel targeted Internet attacks, via malicious viruses and illicit access, are on the horizon - and in some cases, already a reality. Don't believe it? Ask the United Bank of Switzerland customers who found themselves targeted by a virus that stole their PIN numbers and emailed them to hackers. Or the Israeli officials spammed by a political virus intent on publicizing the plight of the Palestinians...

Article continues at:

http://antivirus.about.com/compute/antivirus/library/weekly/aa040501a.htm


10 July 2000-The "Love Bug Virus Attacks," Asymmetric Warfare; Future National Security Implications...

20 Mar 2000- 09:30CST Report entitled, "Recent DoS Attacks Point Out Already Known Vulnerability of U.S. Infrastructure"

"Series of "Real-time" EmergencyNet News Reports Concerning Denial of Service Attacks on Leading Web Sites on the Internet - 08 Feb 2000 to 16 Feb 2000", Staten, C. L. et al, EmergencyNet News, 2000. Available on the internet at: http://www.emergency.com/2000/dos2000.htm

06/02/99-08:30CDT- Netwar: F0rpaxe Claims Credit For Government/Corporate Computer Attacks

03/08/99 - 08:30CST--ERRI Special Report: Pentagon Computers Under Attack??

Rand Corp.-- Information Warfare: A Two-Edged Sword

Rand Corp. -- Cyberwar and Netwar: New Modes, Old Concepts, of Conflict

Insurgency On the Internet, Series of CNN Reports on Hackers and CyberTerrorism

ERRI Computers/Technical Operations Page: http://www.emergency.com/techpage.htm


© EmergencyNet News Service, 2001. All rights reserved. May not be redistributed or otherwise published without the expressed permission of ERRI/EmergencyNet News.

Emergency Response & Research Institute
6348 N. Milwaukee Ave., #312
Chicago, IL. 60646
(773) 631-3774 - Voice
(773) 631-4703 - Fax
(773) 631-3467 - Modem/Emergency BBS On-Line
http://www.emergency.com - Main Webpage
webmaster@emergency.com - E-mail
