The high-profile intrusion into the e-mail server of China Electronics Import & Export Corporation (CEIEC) by "Hardcore Charlie" may mark the coming-out party for America's own band of patriotic hackers.
Documents obtained through the hack were posted on file-sharing sites. For the most part, they are a bewildering grab bag of seemingly inconsequential documents. One folder contains regulations concerning the privatization of public universities in Vietnam; another reveals the monthly salary of an English teacher working for Ivanhoe Copper in Myanmar.
Then there are the somewhat more disturbing documents: pages and pages of spreadsheets and US military Acrobat files detailing the recent movements of the quaintly-named "jingle trucks" operated by local companies delivering supplies to the network of US facilities inside Afghanistan. The documents are not marked secret, and the US government has apparently still not taken steps to remove them from the file-sharing services a week after they were posted.
In a web statement, Hardcore Charlie justified his hack with the assertion that China was passing sensitive information to America's enemies, including the Taliban. In a pastiche of English, Spanish, obscenities and racist references, he stated:
Hola comradezz, Today us prezenta recently owneed chino military kontraktor CEIEC Us be shoked porque their shiiit was packed with goodiez cummin froma USA Military brigadezz in Afghanistan, them lulz hablando mucho puneta sam slit eyed dudz in Vietnam and Philiez doing bizness in Ukraine and Russia selling goodiez to Taliban terrorists.
CEIEC, for its part, issued a denial equally deficient in grammatical polish, stating:
CEIEC solemnly declares as below:
The information reported is totally groundless, highly subjective and defamatory. It is believed that rumors stop at wiser.
CEIEC reserves the right to take legal action against the relevant responsible individuals and institutions. [1]
Observers noted the apparent incongruity of CEIEC asserting it had not been hacked ... but reserving the right to take legal action.
The Chinese version is somewhat less incoherent, but only slightly. It appears that CEIEC may be trying to say that it is taking issue with the allegations - for instance, that CEIEC is passing on the information to bad guys in Ukraine, Syria, Russia and the Taliban - while skating past the question of whether it was actually hacked. [2]
CEIEC is described as a "defense contractor" in foreign coverage. However, this may be overstating the case somewhat. CEIEC is one of the ancient import/export corporations set up under the Ministry of Foreign Trade 30 years ago. It did a booming business when international trade was a monopoly of the government import/export corporations, and still benefits from its government ties in handling foreign aid projects and administering international tenders.
At the same time, it has successfully reinvented itself as a prime contractor on overseas projects and, in terms of gross revenue, is one of China's bigger companies.
CEIEC is not an industrial enterprise with its own manufacturing capability. It has targeted the defense electronics sector, as an integrator and prime contractor, apparently hoping to supply systems to China's allies overseas. Whatever it has on its servers, it is probably not the crown jewels of China's defense establishment.
But the question of how the minutiae of US military truck transport in Afghanistan ended up on CEIEC's servers remains a mystery. The CEIEC case does highlight a remarkable trend in international hacking - the appearance of non-government auxiliaries in cyber-war battles.
China is notorious for its interest in cyber-war as an asymmetric counter to the conventional military superiority of the United States ... and for its apparent willingness to farm out, encourage, or benefit from private hacker initiatives.
In 2010, Mara Hvistendahl wrote in Foreign Policy:
[T]he hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented - and sometimes unruly - patriotic hackers. Since the 1990s, China has had an intelligence program targeting foreign technology, says James A Lewis, senior fellow for cyber-security and Internet policy at the Center for Strategic and International Studies. Beyond that, however, things get complicated. "The hacking scene can be chaotic," he says. "There are many actors, some directed by the government and others tolerated by it. These actors can include civilian agencies, companies, and individuals." [3]
Patriotic hackers in China are called "hong ke" or "red guest", a pun on the phonetic rendering "hei ke" or "black guest" for hacker.
Their patriotic cyber-duties included destroying the online presence of South Korean boy band Super Junior after an unruly and undignified crowd of Chinese fans clamored to hear the band at the Shanghai World Expo and embarrassed Chinese nationalists. [4]
They also weigh in on foreign issues of greater moment, mixing it up with their Japanese counterparts when Sino-Japanese passions are inflamed by visits to the Yasukuni Shrine or by the collision between a Chinese fishing boat and a Japanese coast guard vessel off Diaoyutai/Senkaku in 2011.
But their major utility to the Chinese government may be their ability to generate chaff - a barrage of cyber-attacks to distract and overwhelm US security specialists trying to cope with China's pervasive, professional program of industrial and military espionage - and give the People's Republic of China (PRC) government deniability when hacking is traced to a Chinese source.
Chinese industrial cyber-espionage has emerged as a dominant near-term security concern of the United States.
The Barack Obama administration went public with its case against China in November 2011, with a report on industrial espionage titled Foreign Economic Collection. It described China rather generously as a "Persistent Collector" given the PRC's implication in several high-profile industrial espionage cases and soft-pedaled the issue of official Chinese government involvement. The report stated:
US corporations and cyber-security specialists also have reported an onslaught of computer network intrusions originating from Internet Protocol (IP) addresses in China, which private sector specialists call "advanced persistent threats." Some of these reports have alleged a Chinese corporate or government sponsor of the activity, but the IC [intelligence community] has not been able to attribute many of these private sector data breaches to a state sponsor. Attribution is especially difficult when the event occurs weeks or months before the victims request IC or law enforcement help. [5]
A month later, in December 2011, US criticism of China became a lot more pointed. Business Week published an exhaustive report on Chinese cyber-espionage, clearly prepared with the cooperation of federal law enforcement authorities as it named and described several investigations:
The hackers are part of a massive espionage ring codenamed Byzantine Foothold by US investigators, according to a person familiar with efforts to track the group. They specialize in infiltrating networks using phishing e-mails laden with spyware, often passing on the task of exfiltrating data to others.
Segmented tasking among various groups and sophisticated support infrastructure are among the tactics intelligence officials have revealed to Congress to show the hacking is centrally coordinated, the person said. US investigators estimate Byzantine Foothold is made up of anywhere from several dozen hackers to more than one hundred, said the person, who declined to be identified because the matter is secret. [6]
United States security boffin Richard Clarke had this to say about Chinese cyber-espionage in an interview with Smithsonian magazine:
"I'm about to say something that people think is an exaggeration, but I think the evidence is pretty strong," he tells me. "Every major company in the United States has already been penetrated by China."
"What?"
"The British government actually said [something similar] about their own country."
Clarke claims, for instance, that the manufacturer of the F-35, our next-generation fighter bomber, has been penetrated and F-35 details stolen. And don't get him started on our supply chain of chips, routers and hardware we import from Chinese and other foreign suppliers and what may be implanted in them - "logic bombs," trapdoors and "Trojan horses," all ready to be activated on command so we won't know what hit us. Or what's already hitting us. [7]
Some big numbers are being thrown around to publicize the Chinese threat.
Business Week's report, while admitting the woolliness of its methodology, stated that losses to American companies from international cyber-espionage amounted to US$500 billion in a single year.
Scott Borg, director of a non-profit outfit called the US Cyber Consequences Unit, told Business Week:
"We're talking about stealing entire industries ... This may be the biggest transfer of wealth in a short period of time that the world has ever seen."
Beyond these apocalyptic economic and military scenarios, we might also descend to the personal and political and point out that Google, a favorite target of Chinese cyber-attacks, is Obama's friend, indispensable ally, brain trust and source of personnel in the high-tech sector.
Connect the dots, and it is clear that the Obama administration, in its usual meticulous way, is escalating the rhetoric and preparing the public and the behind-the-scenes groundwork for major pushback against China in the cyber-arena.
Beyond moves in the legal arena such as the aggressive prosecution of the DuPont industrial espionage case - alleging that China orchestrated a program to steal DuPont's titanium dioxide technology - it is interesting to speculate what other moves the Obama administration might make.
The United States is undoubtedly already doing its best to penetrate China's government, military and scientific networks.
How could the US escalate, especially in the industrial and commercial sphere, where the US mindset is that everything worthwhile the Chinese have was stolen from us, so what's worth stealing back?
Maybe the answer is cyber-harassment: turning a blind eye to - or actively egging on - non-government hackers who embarrass, inconvenience, humiliate and perhaps even destabilize the Chinese regime.
Consider this April 4 report by Emil Protalinski at ZDNet on an explosion in hacking against China since a Twitter account was launched on March 30:
The hacktivist group Anonymous now has a Chinese branch. An Anonymous China Twitter account was created late last month ... Boy have they been busy. Hundreds of Chinese government, company, and other general websites have been hacked and defaced in the span of a few days. A couple have also had their administrator accounts, phone numbers, and e-mail addresses posted publicly. On the hacked sites, the group even posted tips for how to circumvent the Great Firewall of China.
A long Pastebin post lists all the websites that were targeted. It contains 327 websites in total, but an updated list, also on Pastebin, brings that number to 485. Most of these websites are operational once again, but many have been defaced a second time after they were brought back. Not all of them were hacked and defaced; some were treated with more viciousness than others. [8]
Protalinski subsequently wrote that the attacks had not abated and that China, in an interesting case of public-relations jiu-jitsu, was using the campaign as evidence that it was one of the world's many victims of cyber-misbehavior (and, by implication, not a major perpetrator):
While Anonymous was not specifically mentioned, it's obvious what China's Ministry of Foreign Affairs was referring to during a briefing on Thursday, given the events during the last week. "First of all, China's Internet is open to all, users enjoy total freedom online. China has gained 500 million netizens and 300 million bloggers in a very short period of time, which shows the attraction and openness of China's Internet," spokesman Hong Lei said in a statement, according to CNN. "Secondly, the Chinese government manages the Internet according to law and regulations. Thirdly, certain reports prove again that China is a victim of Internet hacker attacks." [9]
It will be interesting to see how sympathetic the Obama administration will be if the Chinese government begins squealing to it about this outbreak of anti-PRC hacking.
The current Anonymous hacks have been of remarkably unimpressive and uninteresting Chinese sites - like the Taoyuan Bureau of Land and Resources. One can wonder if escalation to more tempting, juicier and more sensational targets is in the future. [10]
My speculation is that the campaign of cyber-attacks against Chinese targets was seeded by the US government, but has gathered its own momentum and is drawing in freelance foreign and some Chinese hackers searching for lulz - the hacker term for giggles or detached/callous amusement.
Let us now return to the perpetrator of the most spectacular hack to date - Hardcore Charlie - and ask whether his postings reveal anything about his motivations.
Hardcore Charlie's web persona displays a military bent. His web alias derives from a death card (a specially printed playing card with an intimidating message sometimes placed on an enemy corpse by US servicemen) associated with the US Army's 101st Airborne Division: "Compliments of Hardcore Charlie - 3rd BN 502 Infantry - When you care enough to send the very best - AIR ASSAULT." [11]
Hardcore Charlie's postings also quote lyrics on a military theme, from "Marines" by the German thrash metal band Sodom. He recommends reading the files to the accompaniment of a YouTube video montage of Francis Ford Coppola's Vietnam epic Apocalypse Now, using Sodom's "Napalm in the Morning" as the soundtrack.
But perhaps there's something more going on here than pro-military pro-freedom enthusiasm. Sodom is an avowedly anti-war band that toured Vietnam, even though it was denied permission to play there, so it could learn more about the war and its aftermath.
Two more bumpers in the postings quote KMFDM, German industrial rockers (and, unfortunately, sometimes a favorite band of alienated and murderous high-schoolers such as Eric Harris, the Columbine shooter) with what one could characterize as a vigorous anti-American-government stance.
From KMFDM's anti-George W Bush anthem "Stars and Stripes" (whose video includes a Bush/Hitler juxtaposition), Hardcore Charlie pulled the quote: ... Cut back civil rights / Make no mistake / Tell 'em homeland security is now at stake / Whip up a frenzy / keep 'em suspended / Don't let 'em know that their liberty's ended ... [12]
From another KMFDM song, "New American Century", another quote: ... LOVE THY NEIGHBOR TURN HIM IN ... it's called PATRIOTISM ...
This is interesting, especially when one considers how Hardcore Charlie was described in apparently his only media availability, an interview with Reuters: The hacker, who uses the name Hardcore Charlie and said he was a friend of Hector Xavier Monsegur, the leader-turned-informant of the activist hacking group, LulzSec ... [13]
Rewind to March 2012: Key members of the hacking collective known as LulzSec were arrested Tuesday morning, a move authorities are calling "devastating to the organization". According to an exclusive report by Foxnews.com, LulzSec's alleged ringleader, Hector Xavier Monsegur of New York City, helped authorities with the arrest. [14]
As for LulzSec, it was an ad hoc hacker collective spun off from Anonymous (the same grouping bedeviling China under the Anonymous China hashtag) by Monsegur. Its sensational 50-day career in 2011 was described by PC Magazine:
May 7 - Lulz Security [claims] to have gotten ahold of a database of contestants from the Fox TV show X Factor. Lulzsec follows up a few days later with more sales and internal data gleaned from Fox.com.
May 30 - After hacks of Sony in Japan and a British ATM database, Lulzsec scores its first big publicity coup by posting a fake story on the PBS website, which claimed that Tupac Shakur was alive and well in New Zealand.
June 2 - Lulzsec posts personal data for more than a million users from a handful of Sony websites, …
June 3 - The "Lulz Boat" sets a course for the government, targeting security organizations that work with the FBI and other agencies …
June 13-20 - Lulzsec appears to be hitting its stride, with a busy week hacking into the US Senate's website, stealing the account information of more than 200,000 users from video game maker Bethesda, claiming to have temporarily brought down the CIA's website, and going after more security agencies in the US and UK.
June 23 - In protest of Arizona's controversial anti-immigration law, Lulzsec posts internal documents and information from the state's Department of Public Security. [15]
Lulzsec closed up shop at the end of June 2011, when an asset in England was arrested. That, it appears, was not enough to elude the bloodhounds of the Federal Bureau of Investigation or to forestall Monsegur's betrayal of his associates.
Careful readers may find their interest piqued by the fact that Fox News, which got the exclusive on the arrests in 2012, was the first organization Lulzsec hacked in 2011.
Pattern-oriented readers might consider whether the sudden eruption of Lulzsec resembles the cyber flashmob that is currently swarming Chinese sites.
Contrarian readers might find it interesting that the focus of hacking seems to have done a 180-degree turn away from American government, security and corporate targets to tormenting their Chinese equivalents (despite the limited lulz obtainable when hacking a site whose language one does not understand).
Curious readers might also wonder whether information from Monsegur has helped the authorities get "Hardcore Charlie" in their sights, and whether he is hacking into Chinese websites either at their behest, to help get the Anonymous China ball rolling, or to pre-emptively demonstrate his utility and eagerness to please.
In any case, the cat's out of the bag.
The order of battle in the cyber-armies of China and the United States has been completed by the arrival of the volunteer militias to serve next to the professionals.