US-China cyberwar a dud, but trouble lingers

What if they gave a cyberwar and nobody came? That seems to be the situation days after the end of what was described by some as a 'cyberwar' staged by Chinese hackers against the US in retaliation for the death of Chinese pilot Wang Wei in early April.

Some internet security experts doubt, however, that this "cyberwar" was the week's real threat.

A Chinese hacker group, the Honker Union of China, issued a statement to the Chinese portal Chinabyte earlier in the week declaring a truce and saying that it had reached its goal of hacking 1000 US sites.

But a truce was perhaps unnecessary, as nothing approaching a war ever materialised in the 10 days since the US National Infrastructure Protection Center warned that Chinese hackers would use the period from April 30 to May 7 to attack US websites: to commemorate Wang Wei, to celebrate May Day (May 1) and Youth Day (May 4), and to mark the anniversary of the US bombing of the Chinese embassy in Belgrade, Yugoslavia (May 7).

Rather, the only traces of any conflict are a series of web page defacements showing pictures of Wang Wei -- who died when his plane collided with a US spy plane -- and promising to fight "hegemony" and "unify the motherland" on the one hand, and a good deal of frequently vulgar anti-Chinese sentiment from US hackers on the other.

Both were complemented by a pile of press releases from eager computer security firms warning users of the danger from "this new form of terrorism" and offering up sources to reporters, as well as a flurry of news stories. Some security experts say that the real problem to crop up over the last week was that more computers may now be vulnerable to being used in denial of service attacks, due to the spread of so-called internet worms.

Web page defacements are a form of slightly sophisticated digital graffiti. Like graffiti, they involve a hacker leaving a message or an image on a website to show that they succeeded in cracking it. Unlike graffiti, however, a web page defacement requires the hacker to break into the site, which is a bit harder than spraying paint on the side of a building. Even so, this sort of attack is equivalent to "pouring paint on some ... person's building," says Alan Paller, director of security research at the SANS Institute.

Two high-profile incidents started the week of defacements when hackers defaced the website of the US Department of Labor and two sites controlled by the US Department of Health and Human Services -- Health.gov and Surgeongeneral.gov -- with pro-China messages. In the days following those hacks, a number of other low-level US government and military sites were hit, with similar postings left on them.

US hackers responded in kind, with a flurry of hacks against Chinese government and private sector sites. The mirrors -- or copies -- of defaced pages at security website Attrition.org show that US hackers were still going strong on Monday, though the efforts of their Chinese counterparts have largely abated.

Such, evidently, is the fate of the most public face of the cyberwar.

The web page defacements of the last 10 days were business as usual in the computer security field, says Shawn Hernan, the vulnerability handling team leader at CERT/CC (Computer Emergency Response Team Coordination Center), a computer security research and development facility located at Carnegie Mellon University.

The week's events "were certainly not remarkable in the scope of the activity we saw, regardless of (where the hacks came from)," he said.

The source of the hacks is difficult to establish or trace. Because hackers can take over machines located somewhere other than where they are, an attack can appear to come from one location when it is in fact only being routed through that machine from a different source.

"Without police work, you really can't know" the actual source, nationality or motivations of a hacker, Hernan says.

Because of this, there is no way to "distinguish state-sponsored terrorism from bored teenagers from people who have compromised Chinese sites from people trying to impersonate these groups," he says.

Though the defacements add up to only minor incidents with indeterminate origins, there is another, larger issue that has been obscured by the attention given to the defacements, according to SANS' Alan Paller. The last week has seen a rise in the spread of the Lion worm on Linux systems worldwide, he says. Data from Incidents.org, an information-sharing organisation which boasts over 1000 members, including SANS, shows that at least 5000 computers have been infected with the worm in the last 12 to 14 days, he says. Computers infected with the worm can then be used in distributed denial of service (DDoS) attacks.

The Lion worm was written by Lion, the founder of the Honker Union of China, according to a web report on the worm by white-hat (i.e. non-malicious) hacker Max Vision. The Honker Union of China defaced a number of web pages over the last 10 days. Several worms, including Lion, carry code that sends passwords and other information to .cn domain names (.cn is China's country-code top-level domain), but because of the nature of the Net and of hacking, it cannot be known whether the recipient is actually someone in China or an impostor, CERT/CC's Hernan says.
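As an added illustration (this is not code from the article, from CERT/CC, SANS or Max Vision): a small filter over outbound-connection logs that flags hosts talking to .cn destinations, the kind of check an administrator might run after reading that Lion and similar worms report back to .cn addresses. The log format, the host names and the function names are assumptions made for the example; the sample lines are constructed. It also shows why the match must be done on the last DNS label rather than by substring: a naive `".cn" in host` test flags `www.cnn.com` and `mirror.cn.example.org`, neither of which is a .cn domain. As Hernan notes above, a hit only says where data is being sent, not who is receiving it.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article). The format
# "timestamp src=<host> dst=<host> dport=<port>" is an assumption.
SAMPLE_LOG = """\
2001-05-07T02:14:09Z src=web01 dst=mail.example.com.cn dport=25
2001-05-07T02:14:11Z src=web01 dst=ns1.example.cn dport=53
2001-05-07T02:15:30Z src=db02 dst=www.cnn.com dport=80
2001-05-07T02:16:02Z src=db02 dst=mirror.cn.example.org dport=80
2001-05-07T02:17:45Z src=app03 dst=updates.example.net dport=80
2001-05-07T02:18:00Z src=app03 dst=smtp.example.cn dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def in_tld(host, tld):
    """True only if the host's final DNS label equals `tld`.

    Label-based matching: 'mail.example.com.cn' -> True,
    'www.cnn.com' -> False, 'mirror.cn.example.org' -> False.
    """
    labels = host.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == tld.lower()


def naive_contains(host, tld):
    """The substring check to avoid: matches '.cnn.com' and 'cn.' inside names."""
    return "." + tld.lower() in host.lower()


def flag_outbound(log_text, tld="cn"):
    """Return {source_host: [(dest_host, port), ...]} for connections whose
    destination is under the given top-level domain. A listed host is a
    candidate for a closer look, not proof of who is on the other end."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if in_tld(rec["dst"], tld):
            hits[rec["src"]].append((rec["dst"], rec["port"]))
    return dict(hits)


if __name__ == "__main__":
    for src, dests in sorted(flag_outbound(SAMPLE_LOG).items()):
        print(src)
        for dst, port in dests:
            print(f"  -> {dst}:{port}")
```

Run against the constructed sample, `web01` and `app03` are reported and `db02` is not; the substring version would have reported all three.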
