U.S.-China hacker brawl draws few Web combatants

By Ellen Messmer
Network World, 05/07/01

Although not exactly a cyberwar, a hacking brawl of sorts erupted last week between Chinese and U.S. combatants.

The National Information Protection Center (NIPC) at the FBI had earlier warned that Chinese hackers would attack U.S.-based Web sites in a campaign to avenge the U.S. spy plane incident and arms sales to Taiwan.

Web sites run by the Department of Labor, Health and Human Services and the White House Historical Society were among many defaced with Chinese flags and slogans such as "Beat down imperialism of America!" from groups claiming names such as the "Honker Union of China" and "China Eagle."

At the same time, U.S. hackers defaced hundreds of Chinese sites operated by local and national government departments with the .cn domain name, frequently leaving vulgar and racist taunts along with anti-Communist invective and images of nuclear bomb explosions.

Security consulting firm TruSecure, which was tracking the hacker activity, says there were about 260 successful attacks each day perpetrated by perhaps 12 individuals from both sides.

"But we're just beating the snot out of the Chinese," says Peter Tippett, TruSecure's CTO. It appears there were roughly three times more hacks from American locations against Chinese sites than vice versa, although Tippett acknowledges that hackers can use spoofed IP addresses.

He says the main reason the Americans seemed to be having more success than the Chinese was because the Chinese haven't updated their Web servers with software patches to prevent known attacks, which are frequently carried out by hackers with an array of easily obtained scripting hack tools. Software patches for Chinese-language servers using double-byte code don't usually become available as quickly as those for English-language servers.

The American hackers, who sometimes called their fight "Project China," were the usual suspects. The Chinese participants included the Li0n Group, known to have released the dangerous Li0n Trojan horse.

Tippett says there's no evidence the hackers have gone beyond defacing Web sites. "It's like spray-painting a bridge," he says. The attackers frequently even left a link to the home page.

"It's the kind of thing we've seen before, two kids on both sides going after each other," says Steve Trilling, Symantec's director of research. "It's like graffiti."

The NIPC advisory about the attacks and publicity from news sites served to fuel the fire, Tippett adds.

An organization called Attrition.org, which runs a site that documents hacked sites, usually steers clear of commentary, but last week, the group issued a statement denouncing the China-U.S. hacker feud.

"It's just the collective [posturing] of a bunch of script-kiddies fueled by so-called journalists generating media hype, the former trying to feed their egos and the latter to feed their hit counts," the statement says.