Increased Cyber Targeting Expected Out of China


Talk about a rough week – last week was one of cyber turmoil for the Chinese government. First, on 21 January 2014, the International Consortium of Investigative Journalists (ICIJ) released an exposé on China’s elite politicians and their connections to offshore accounts, giving credence to the idea that they are hiding their wealth from the general public. Then, on the same day, in what was likely a mistaken case of DNS poisoning by the Great Firewall of China, all of China’s Internet traffic was redirected to IP address 65.49.2.178, which currently acts as a mirror site for a news portal operated by Falun Gong groups. In a span of 24 hours, the Ministry of Public Security (MPS), the organization tasked with surveillance and Internet censorship, was scrambling to block the ICIJ report and all foreign media outlets covering it, as well as to prevent every Internet user in China from being routed to a site affiliated with dissidents and censorship circumvention software. And all this right before the biggest Chinese holiday of the year. So much for vacation time…

Despite the approaching New Year holiday, based on the activity observed last week, it is highly likely that there will be increased cyber targeting out of China over the next few weeks against news outlets doing follow-up investigations on the ICIJ report to uncover standing Chinese Politburo members’ hidden wealth, as well as against groups affiliated with Falun Gong. For those keeping score at home, this is a textbook 101 maneuver out of the Chinese Communist Party (CCP) handbook, designed to preserve the current regime’s power and eliminate any threat to its rule. Alleging corruption among its top officials and promoting anti-censorship and dissident viewpoints are not taken kindly by the CCP. There is already an established precedent for this kind of activity against both foreign media and dissident groups.

Last year, a group CrowdStrike identifies as NUMBERED PANDA hacked the New York Times (NYT) following an investigative report on the wealth acquired by former Chinese Premier WEN Jiabao’s (温家宝) family. Chinese netizens were shocked at the findings and took to Weibo denouncing CCP corruption, but were quickly blocked from accessing the story by censorship associated with the aptly nicknamed Great Firewall of China (防火长城) or Golden Shield Project (金盾工程). Shortly thereafter, NYT reported persistent attacks against its networks and employees from a group with suspected connections to the Chinese military. Previous reporting on the Golden Shield Project and NUMBERED PANDA is available to CrowdStrike Intelligence subscribers.

Similarly, targeting of dissident groups like the Falun Gong is common and is often used to reinforce the CCP’s no-nonsense stance regarding dissidents. Activity targeting dissidents has previously been observed by CrowdStrike and includes the targeting of an Epoch Times journalist. CrowdStrike monitors this activity under the cryptonym SABRE PANDA.

The disturbances caused last week point to likely future targets for Chinese hackers. The ICIJ report asserts that current Chinese President XI Jinping’s (习近平) brother-in-law DENG Jiagui (鄧家貴) owns a real-estate company and is connected to offshore accounts in the British Virgin Islands. While the report explicitly states this is not necessarily an indication of illegal activities, the general goal of the report seems to be to map the flow of money between China’s political elite and the country’s richest men and women and to expose covert use of government power for personal gain. In China, there are few things as taboo as alleging that the President (especially a President who has vowed to crack down on corruption in the CPC) has a family member possibly engaging in nefarious activity.

The organizations affiliated with the ICIJ report include the Washington D.C.-based think tank The Center for Public Integrity, Hong Kong’s Ming Pao, Taiwan’s Commonwealth Magazine, Germany’s Süddeutsche Zeitung, U.K.’s The Guardian, Spain’s El País, France’s Le Monde, Canada’s CBC, Germany’s NDR, Belgium’s Le Soir, Italy’s L’Espresso, The Netherlands’ Trouw, Switzerland’s Le Matin Dimanche and SonntagsZeitung, Japan’s Asahi Shimbun, South Korea’s Newstapa, Australia’s The Global Mail, and the Philippine Center for Investigative Journalism. In addition to being blocked by the Great Firewall, these media outlets, and any others releasing further investigations into the hidden wealth of the top CPC officials mentioned in the report, may face reprisals in the form of cyber intrusions. These intrusions are not designed as blackmail or to obtain an advance copy of potentially damaging stories; rather, they are often search-and-destroy missions to identify the sources of the reports and enable further targeting or coercion of those sources. If the recent trouble Western journalists have had renewing their visas is any indication, these intrusions can have very real consequences for those involved.

Companies like Dynamic Internet Technology (DIT), which sells the popular censorship circumvention software FreeGate and is owned by Falun Gong follower Bill XIA, are likely targets as well. Although the sheer volume of traffic overwhelmed the DIT-owned IP 65.49.2.178 during the outage last Tuesday, many users were redirected either to a site offering anti-censorship tools or to the mirror site dongtaiwang.com hosted by Sophidea, which features The Epoch Times, a pro-Falun Gong publication. The website greatfire.org, which tracks censorship in China, often in near real time, posted screenshots showing conclusive evidence of DNS poisoning during the outage and proving that the Chinese root DNS server was not hacked.
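The signature of the outage described above is many unrelated domain names all resolving to one address. The following added example (not code from the original post or from greatfire.org) shows the two checks a network defender would run to distinguish this from an ordinary outage: collapse of diverse names onto a single IP, and divergence from an out-of-network reference resolver. The resolver answers are constructed samples; only the sinkhole address 65.49.2.178 comes from the post.

```python
"""Detect Great-Firewall-style DNS poisoning: unrelated names collapsing
onto one IP (65.49.2.178 in the January 2014 outage).
All resolver answers below are constructed samples, not captured data."""
from collections import Counter

# Constructed: answers seen from a resolver inside the affected network
# during the outage, keyed by queried name.
POISONED_ANSWERS = {
    "www.example.com": ["65.49.2.178"],
    "mail.example.org": ["65.49.2.178"],
    "news.example.net": ["65.49.2.178"],
    "cdn.example.edu": ["65.49.2.178"],
    "intranet.example.com": ["10.1.2.3"],  # internal name, unaffected
}

# Constructed: the same names answered by an out-of-network reference resolver.
REFERENCE_ANSWERS = {
    "www.example.com": ["93.184.216.34"],
    "mail.example.org": ["198.51.100.7"],
    "news.example.net": ["203.0.113.9"],
    "cdn.example.edu": ["192.0.2.55"],
    "intranet.example.com": ["10.1.2.3"],
}


def find_sinkhole(answers, min_share=0.5, min_names=3):
    """Return (ip, names) if a single IP answers at least min_share of the
    queried names (and at least min_names of them); otherwise None.
    Diverse names sharing one address is poisoning, not a plain outage."""
    hits = Counter()
    for ips in answers.values():
        for ip in set(ips):
            hits[ip] += 1
    if not hits:
        return None
    ip, count = hits.most_common(1)[0]
    if count >= min_names and count / len(answers) >= min_share:
        return ip, sorted(n for n, ips in answers.items() if ip in ips)
    return None


def diverging_names(observed, reference):
    """Names whose observed answers share no address with the reference
    resolver: these are the records that were actually rewritten."""
    return sorted(n for n in observed
                  if n in reference and not set(observed[n]) & set(reference[n]))
```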

[Image: DNS server screenshot]

As a result, targeted intrusions against DIT, The Epoch Times site, and possibly even greatfire.org are likely, given China’s desire to dissuade Chinese netizens from learning more about anti-censorship measures and Falun Gong. Historically, the CCP has used any opportunity to discredit Falun Gong in the public eye while surreptitiously targeting factions via malicious cyber tools to enable additional monitoring and sabotage. Official Chinese news agency Xinhua has already reported that the official Chinese government response is that it suspects a hacking attack and that the ties to Falun Gong are suspicious. This raises the question of when the silent targeting in the background is set to begin.

Although it is possible that the fervor to eradicate any dissent among netizens may die down over the coming Chinese New Year holiday, it is more likely that crackdowns will continue. Cyber resources will be mobilized to counter any perceived threat, whether from media organizations pursuing the ICIJ report or from dissident groups aligned with Falun Gong using the sudden attention to push their agenda, while most of the country gorges on New Year’s celebratory treats like Mandarin oranges and niangao.

For more information on CrowdStrike Intelligence, please contact sales@crowdstrike.com

Security Researcher Adam Kozy came to CrowdStrike, bringing forward several years of experience in security and threat intelligence analysis from the government sector where he conducted research at both a tactical and strategic level. He is a recognized cultural, political, and security pundit on East Asia and speaks Japanese and Mandarin.

He has delivered presentations and research findings to a variety of key cybersecurity influencers, including senior government officials and private-sector CEOs. He has also been a guest lecturer at several universities on cyber intelligence and recently presented at BlackHat USA on Chinese cyber weapons and monitoring capabilities.
