Google recently announced a spear phishing campaign that had been going on for over a year and ‘which appears to originate from Jinan, China’ that targeted the personal Gmail accounts of hundreds of various persons of interest, presumably to the Chinese government.
The proof offered to support the headline was that Chinese IP addresses were involved. What both Google and Siobhan Gorman, who reported on the story for the Wall Street Journal, failed to disclose was that other countries' IP addresses were used as well, including South Korea and the United States. Copies of the spoofed emails, along with the originating IPs, were disclosed back in February on the Contagio blog. Of the six IP addresses used in the military and government employee phishing scheme, two were from Hong Kong, two were from Beijing, one was from Seoul, and one was from New York:
1) 113.28.117.4: Hong Kong (PCCW Business Internet Access)
2) 115.160.146.16: Hong Kong (Wharf TT Ltd)
3) 218.56.241.32: Beijing (China Unicom)
4) 218.56.239.206: Beijing (China Unicom)
5) 61.106.26.226: Seoul (Korea NIC)
6) 69.147.251.108: New York (Nobis Technology Group LLC)
In 2010, TeleGeography rated China Telecom (55 million customers) and China Unicom (40 million customers) as the two largest ISPs in the world, serving 20 percent of all broadband customers on earth. Neither company restricts its customer base to residents of the People's Republic of China. Anyone can buy server time on any of these mainstream Chinese ISPs: China Telecom; China Mobile; China Unicom; and HiChina Zhicheng Technology Ltd.
Payment per year ranges from 5,000 yuan to 25,000 yuan ($770 to $3,860), and can be made via online bank transfer, domestic and international wire, Alipay (China's PayPal), and even cash in certain cities such as Beijing and Guangzhou. In other words, no matter where in the world you live, you can lease server time and set up an email account that will resolve to China. And if you use it to phish the Gmail accounts of your targets, you've hit the gold standard of misdirection, because almost no alternative analysis is done anymore when an attack geolocates to an IP address in China.
Google may have chosen to focus on the two IP addresses that resolved to Jinan, the capital of Shandong Province, because it is home to Lanxiang Vocational School, which was associated with the Google attacks of December 2009 to January 2010, and because it has a PLA regional command centre. The problem with this is that Jinan is a high-tech industrial zone with more than 6 million people and more than a dozen universities. Sourcing an email to Jinan is like sourcing a fruit shipment to California's Central Valley. It wasn't good evidence back in January 2010 and it's no better now.
There are at least a dozen foreign governments that I can think of who have a vested interest in reading the personal email accounts of US China policy makers, military leaders, government officials, etc., and all of them are standing up Cyber Commands and enjoy the benefit of their own nationalistic hacker crews from time to time.
None of this rules China out as the responsible party, of course. I’m simply arguing for a higher bar of evidence before making the leap that China did it. One alternative method, for example, is to try to answer why the spear phishing attack was done. Once you have a clear grasp as to why, you can move on to creating a list of those who would benefit, and then look for reasons that might exclude each member of that list. The discipline of alternative analysis has been a difficult one to adopt even among those who do it for a living within the intelligence community because our individual perceptions are highly biased in favour of something called mirror-imaging; i.e., we imagine that everyone sees things as we do.
Another obstacle to alternative analysis is fear: the fear of being wrong; of looking silly; of taking an unpopular stand and suffering the consequences; and so on. Now that the Pentagon has determined that a cyber attack may be sufficient to justify a kinetic response, it's imperative that corporate leaders like Google, government leaders like the US Secretary of State, and influential media exercise more due diligence before leaping to conclusions that may have harmful, possibly irreversible, international repercussions.
This is an edited version of an entry that also appears on Carr's blog. Carr is also the author of 'Inside Cyber Warfare: Mapping the Cyber Underworld' (O'Reilly Media, 2009).

Leonard R.
The author wants a higher bar of evidence. Why?
How long is he willing to wait? Until the US power-grid is disabled?
A better approach would be to ask one simple question,
“Cui bono fuisset?”
And the answer is obvious. The cyber attacks arise out of a context.
That context is two decades of US-China relations.
The United States is attacked every day. Rather than sitting back and accepting it, the US should take action to protect its citizens.
America already has all the evidence it will ever need about China’s intentions.
James
I seriously doubt the West are angels who have been victimized!
John Chan
With Leonard R as a friend, why does the USA need enemies? Leonard treats the talents in the US IT field with contempt and disrespect. Leonard looks down on US IT talents' capability to handle any cyber attack.
theorycraft
Also, claims that China is also a victim of hacking are obvious lies, as China has the most rigorously monitored internet network of any 5 countries combined. As soon as a signal routes through a Chinese IP server, it is monitored, its movements tracked, its activities documented, and its data intercepted and saved.
When I was in China, Wikipedia worked completely fine with the exception of pages with references to Chinese politics/religion; those searches would result in the disconnection of my modem. And repeated attempts resulted in a technician suddenly knocking on my door to check for "connection issues".
Thomas
The Western government and media have demonized China and conditioned the public so well that any claim against China by the West is automatically truthful…even when it’s actually the West who hack into as well as out of China.
theorycraft
does China ever get tired of being the only “good” country left in the world?
or does state television never get tired of telling itself how great it is?
Nathan
Google is just another CIA sheep/proxy corporation!
theorycraft
no, but China Unicom is just another branch of government
Mick
It’s not just Google and the US that have been hacked. The same attacks have been seen in places as varied as India, Canada, Australia and the UK, and a wide range of companies and NGOs. As well as the technical forensic evidence pointing to China, the motives also point to the PRC. I don’t understand the motives of the non-Chinese sceptics. Are they suggesting there is another shadowy organisation out there that is hacking on a massive scale into companies and governments in which China has a major interest?
HL
You need to adhere to the principle of Occam's Razor. The IP address is not as important as the MO, particularly the targets (US diplomats, military officials, defense contractors, Chinese dissidents, etc.), the content (US-China relations), and the scripts (Chinese origin – xKungfoo script). If you properly examine the Contagio blog, you will find that there is more evidence to suggest that this was an attack of Chinese origin. One must be careful of denial. After all, there are those that denied the Holocaust. This does not even meet the standard of plausible denial.
theorycraft
Ok smarty, which other organizations in the world would benefit from accessing gmail accounts of Chinese dissidents?? I’m not saying China DID it, but you seem to be trying too hard to defend the communist republic.
And really, any nation can hack, but it's China's potential combined with a complete lack of transparency that neither domestic nor international 3rd parties can confirm that make China the perfect criminal.