Network World
Friday, July 4, 2008
Stiennon on Security

China takes off cyber gloves

I have a picture in my head of a huge building just outside the Forbidden City in Beijing. It is post-industrial classical, like a lot of the newer government buildings in China’s capital city. It has few windows and no identifier on the front, just a big red poster acclaiming the 2008 Olympics. Inside there are vast rooms with desks and computers. Sitting at those desks are uniform-wearing Red Army hackers. There are large overhead screens, reminiscent of Japanese Kanban systems, with attack targets and progress charts depicting the daily activity. One floor might be dedicated to censors. Most of them are busy identifying pornography sites, but special groups are dedicated to finding and blocking Chinese access to information on Tibet, Taiwan, and Falun Gong.

Another room is dedicated to espionage, where tools are developed and deployed to attack the Pentagon, Whitehall, and the German Chancellery. In this room last week the order was spread to infiltrate and spy on organizers and supporters of Tibetan protests. The coders quickly modify Trojan horse software and package it for the English-speaking infiltrators to attach to carefully crafted email messages and documents. Attackers then send the messages to lists of members of Tibetan organizations. Hundreds of “signal analysts” then pore through the results: captured files, keystrokes, and Skype conversations of the unwitting targets.

That is modern information warfare. The fact that the Chinese are doing this indicates to me that the picture in my head is probably fairly accurate. From F-Secure’s superb analysis of one such email:

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.

Are you a manufacturer? Are you responsible for IT security at a government agency or research lab? Are you an athlete? Do you represent the cause of freedom in Tibet or peace in Darfur? If so, you have a new enemy. The government of the largest country in the world is after your data. They have resources you cannot even dream of. They are organized. They know what they are doing.
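
As an added defender-side illustration (not code from the original post), the following Python scans constructed resolver log lines, in a hypothetical log format, for queries under the dynamic-DNS zones this page names: 8800.org from the F-Secure excerpt, and 3322.net, which the whois in the comments lists as 8800.org's name servers.

```python
# Added example, not code from the original post: flag resolver queries for
# names under dynamic-DNS zones that this page associates with targeted attacks.
# The log line format below is a constructed, hypothetical one.
import re

# Watchlist zones taken from the page; extend from your own intel.
DYNDNS_ZONES = {"8800.org", "3322.net"}

# Constructed sample lines: "<timestamp> client=<ip> query=<name> type=<rr>"
SAMPLE_LOG = """\
2008-07-04T09:12:01Z client=10.0.5.17 query=www.example.com type=A
2008-07-04T09:12:07Z client=10.0.5.17 query=xsz.8800.org type=A
2008-07-04T09:13:44Z client=10.0.5.42 query=mail.example.org type=MX
2008-07-04T09:15:02Z client=10.0.5.17 query=XSZ.8800.ORG. type=A
2008-07-04T09:16:30Z client=10.0.5.88 query=ns1.3322.net type=A
2008-07-04T09:17:10Z client=10.0.5.90 query=not8800.org type=A
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) type=(?P<rr>\S+)$")

def zone_match(name, zones=DYNDNS_ZONES):
    """Return the watchlisted zone that `name` is or sits under, else None.
    Case and a trailing dot are normalised; 'not8800.org' must not match."""
    n = name.lower().rstrip(".")
    for z in zones:
        if n == z or n.endswith("." + z):
            return z
    return None

def find_dyndns_queries(log_text):
    """Return (timestamp, client, normalised name, zone) for every hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip, don't crash the scan
        z = zone_match(m["name"])
        if z:
            hits.append((m["ts"], m["client"], m["name"].lower().rstrip("."), z))
    return hits

if __name__ == "__main__":
    for h in find_dyndns_queries(SAMPLE_LOG):
        print("ALERT dynamic-DNS query:", h)
```

The same host (10.0.5.17) resolving xsz.8800.org twice in a few minutes is the pattern a keylogger phoning home would leave in resolver logs.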

xsz.8800.org

Whois of the host IP address of the above address gives this:

OrgName: Media 3 Technologies, LLC
OrgID: MD3T
Address: 33 Riverside Dr.
City: Pembroke
StateProv: MA
PostalCode: 02359
Country: US

NetRange: 206.67.48.0 - 206.67.63.255
CIDR: 206.67.48.0/20
NetName: UU-206-67-48-D1
NetHandle: NET-206-67-48-0-1
Parent: NET-206-64-0-0-1
NetType: Reallocated
Comment:
RegDate: 1997-09-15
Updated: 1999-07-13

RTechHandle: RH504-ARIN
RTechName: Hayes, Robert
RTechPhone: +1-617-963-6050
RTechEmail:

But the 8800.org domain is administered from China.

As well, China has put a lot of investment money in dot coms in the Boston area. Some rich people from Taiwan and Shanghai even own some of the most expensive real estate in the suburbs of Boston.

My guess is, this has criminal tie-ins with Beijing.

Note: another server in the above IP address range is pwned by Turkish hackers.

This range is either a honeypot farm or the admin is really slack with the security.

Thanks for the intel

Hmmmm. Boston + Shanghai. I'll have to dig into that connection.

-RS 

Here's whois of the 8800.org

Yep, it's administered from Changzhou, China.
Domain ID:D82958043-LROR
Domain Name:8800.ORG
Created On:23-Jan-2002 17:40:01 UTC
Last Updated On:24-Jan-2008 01:21:47 UTC
Expiration Date:23-Jan-2009 17:40:01 UTC
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Status:OK
Registrant ID:ONLC-1348758-4
Registrant Name:Peng Yong
Registrant Organization:Yaako Ltd.
Registrant Street1:1406, Yinyuan Building
Registrant Street2:37, West Guanhe Road
Registrant Street3:
Registrant City:Changzhou
Registrant State/Province:Jiangsu
Registrant Postal Code:213002
Registrant Country:CN
Registrant Phone:+86.865196113322
Registrant Phone Ext.:
Registrant FAX:+86.865196620244
Registrant FAX Ext.:
Registrant Email:ppyy@staff.cn99.com
Admin ID:ONLC-1348758-1
Admin Name:Peng Yong
Admin Organization:Bentium Ltd.
Admin Street1:1406, Yinyuan Building
Admin Street2:37, West Guanhe Road
Admin Street3:
Admin City:Changzhou
Admin State/Province:Jiangsu
Admin Postal Code:213002
Admin Country:CN
Admin Phone:+86.865196608567
Admin Phone Ext.:
Admin FAX:+86.865196620244
Admin FAX Ext.:
Admin Email:ppyy@staff.cn99.com
Tech ID:ONLC-1348758-2
Tech Name:Peng Yong
Tech Organization:Bentium Ltd.
Tech Street1:1406, Yinyuan Building
Tech Street2:37, West Guanhe Road
Tech Street3:
Tech City:Changzhou
Tech State/Province:Jiangsu
Tech Postal Code:213002
Tech Country:CN
Tech Phone:+86.865196608567
Tech Phone Ext.:
Tech FAX:+86.865196620244
Tech FAX Ext.:
Tech Email:ppyy@staff.cn99.com
Name Server:NS2.3322.NET
Name Server:NS1.3322.NET
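
An added example, not part of the commenters' posts: parsing the two whois records quoted in this thread and making the cross-check the commenter did by hand, netblock country against domain registrant country. The records are abbreviated copies of the ones quoted above; the key names are those the whois output uses.

```python
# Added example (not from the original thread): parse the "Key: Value" whois
# records quoted in the comments and compare the netblock's country with the
# domain registrant's, the cross-check the commenter did by hand. The records
# are abbreviated copies of the ones on the page.
NETBLOCK_WHOIS = """\
OrgName: Media 3 Technologies, LLC
City: Pembroke
Country: US
NetRange: 206.67.48.0 - 206.67.63.255
CIDR: 206.67.48.0/20
Comment:
"""

DOMAIN_WHOIS = """\
Domain Name:8800.ORG
Created On:23-Jan-2002 17:40:01 UTC
Registrant Name:Peng Yong
Registrant City:Changzhou
Registrant Country:CN
Registrant Street3:
Name Server:NS2.3322.NET
Name Server:NS1.3322.NET
"""

def parse_whois(text):
    """Split on the first ':' only (values such as timestamps contain colons).
    Empty values are dropped; repeated keys like Name Server become a list."""
    rec = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if not sep or not val:
            continue
        if key in rec:
            rec[key] = rec[key] if isinstance(rec[key], list) else [rec[key]]
            rec[key].append(val)
        else:
            rec[key] = val
    return rec

def registration_split(netblock_text, domain_text):
    """Return (netblock country, registrant country, mismatch flag); a mismatch
    means hosting and domain control sit in different jurisdictions."""
    net_cc = parse_whois(netblock_text).get("Country")
    dom_cc = parse_whois(domain_text).get("Registrant Country")
    return net_cc, dom_cc, net_cc != dom_cc

if __name__ == "__main__":
    print(registration_split(NETBLOCK_WHOIS, DOMAIN_WHOIS))  # ('US', 'CN', True)
```

A US-hosted address under a CN-registered dynamic-DNS domain is exactly the split the thread noticed; the parsed Name Server entries (3322.net) give the next domain to look up.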

Kevin,

http://www.virtela.com

About Stiennon

Richard Stiennon is a security industry innovator. He is currently consulting, speaking and writing on all manner of security topics and has just announced the launch of Seccom Global, a Managed Security Service Provider focused on UTM. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Netrex, the world's first managed security service provider.
