A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation.

The Chinese schools involved are Shanghai Jiaotong University and the Lanxiang Vocational School, according to several people with knowledge of the investigation who asked for anonymity because they were not authorized to discuss the inquiry.

Jiaotong has one of China’s top computer science programs. Just a few weeks ago its students won an international computer programming competition organized by I.B.M. — the “Battle of the Brains” — beating out Stanford and other top-flight universities.

Lanxiang, in east China’s Shandong Province, is a huge vocational school that was established with military support and trains some computer scientists for the military. The school’s computer network is operated by a company with close ties to Baidu, the dominant search engine in China and a competitor of Google.

“We have to understand that they have a different model for computer network exploit operations,” said James C. Mulvenon, a Chinese military specialist and a director at the Center for Intelligence Research and Analysis in Washington. Rather than tightly compartmentalizing online espionage within agencies as the United States does, he said, the Chinese government often involves volunteer “patriotic hackers” to support its policies.

2 Chinese Schools Said to Be Linked to Online Attacks - NYTimes.com

Holy crap, the next Patch Tuesday is going to be major.

# Bulletin 1: Critical (Remote Code Execution), Windows
# Bulletin 2: Critical (Remote Code Execution), Windows
# Bulletin 3: Critical (Remote Code Execution), Windows
# Bulletin 4: Critical (Remote Code Execution), Windows
# Bulletin 5: Critical (Remote Code Execution), Windows
# Bulletin 6: Important (Remote Code Execution), Office
# Bulletin 7: Important (Remote Code Execution), Office
# Bulletin 8: Important (Remote Code Execution), Windows
# Bulletin 9: Important (Denial of Service), Windows
# Bulletin 10: Important (Elevation of Privilege), Windows
# Bulletin 11: Important (Remote Code Execution), Windows
# Bulletin 12: Important (Denial of Service), Windows
# Bulletin 13: Moderate (Elevation of Privilege), Windows

Microsoft Patch Tuesday for February 2010: 13 bulletins

Google is looking into whether employees in its China office were involved in the attacks on its network that led to theft of intellectual property, according to CNET sources.

Sources familiar with the investigation told CNET last week that Google was looking into whether insiders at the company were involved in the attacks, but additional details were not known at the time.

Google China insiders may have helped with attack | InSecurity Complex - CNET News

Decius:

Several rumours from google sources that China accessed google's US-gov intercept system which provides gmail subjects/dates

This was my suspicion when I read that the attackers had accessed "subject lines" from emails but not the content. It sounds like they got access to a system designed for use by law enforcement when they have "trap and trace" authority but not a warrant. Personally, I think email subject lines are not "routing information" and should require a warrant, but the matter hasn't been litigated to my knowledge and of course, law enforcement disagrees.

This is somewhat relevant to my Blackhat DC talk on lawful intercept vulnerabilities, but of course even if this is true, a totally different technology was involved...

Twitter / WikiLeaks: Several rumours from google ...

I'm glad to see this is finally getting some attention. As bad as these articles make the extent of the ongoing Chinese espionage sound, it's actually worse...

Human rights groups as well as Washington-based think tanks that have helped shape the debate in Congress about China were also hit.

sigh...

"Usually it's a group using one type of malicious code per target," said Eli Jellenc, head of international cyber-intelligence for VeriSign's iDefense Labs, a Silicon Valley company helping some firms investigate the attacks. "In this case, they're using multiple types against multiple targets -- but all in the same attack campaign. That's a marked leap in coordination."

The division of labor is what I think stands out the most.

"This is a big espionage program aimed at getting high-tech information and politically sensitive information -- the high-tech information to jump-start China's economy and the political information to ensure the survival of the regime," said James A. Lewis, a cyber and national security expert at the Center for Strategic and International Studies. "This is what China's leadership is after. This reflects China's national priorities."

Google China cyberattack part of vast espionage campaign, experts say - washingtonpost.com

American presidential campaigns are not the only targets. China is significantly boosting its capabilities in cyberspace as a way to gather intelligence and, in the event of war, hit the U.S. government in a weak spot, U.S. officials and experts say. Outgunned and outspent in terms of traditional military hardware, China apparently hopes that by concentrating on holes in the U.S. security architecture -- its communications and spy satellites and its vast computer networks -- it will collect intelligence that could help it counter the imbalance.

President Obama, who is scheduled to visit China next week, has vowed to improve ties with the Asian giant, especially its military. But according to current and former U.S. officials, China's aggressive hacking has sowed doubts about its intentions.

"This is the way they plan to thwart U.S. supremacy in any potential conflict we get into with them," said Robert K. Knake, a Council on Foreign Relations fellow. "They believe they can deter us through cyber warfare."

Some U.S. cyber policy experts such as James A. Lewis, a senior fellow with the Center for Strategic and International Studies, acknowledge that the problem cannot be solved without international engagement. At the same time, Lewis said, "I'm not going to get upset about China spying on us, because we spy on them."

"The only thing I'm going to get upset about," he said, "is if we don't do better than them."

The DoD hacks get the most media attention, but the Chinese activities expand way beyond DoD. There are compromises all over the place on The Hill, in the think tanks, lobby houses, and key law firms. All the targets in the political/policy space are vastly softer than military and intelligence targets. Most of DC is owned.

China proves to be an aggressive foe in cyberspace - washingtonpost.com

The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing.

The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are "straining the U.S. capacity to respond," the report concludes.

The report highlights several departments of China's military, the People's Liberation Army, responsible for components of cyberspying. Together these divisions oversee electronic spying and attack efforts, as well as research and development.

The PLA has also been creating a number of cyberwarfare militia units, which draw on civilians in the telecommunications and technology sectors, as well as academia, the report found.

The Chinese have proven to be very good at cyber-espionage. They are patient and extremely persistent. Everything they do is carefully targeted and planned. They conduct their activities at times and in a manor that is very hard to detect, effectively blending in with normal user activity. They don't make many mistakes, and they rarely miss mistakes they can take advantage of. They are extremely crafty when it comes to regaining access after being caught.

I highly respect my opponents. They play a good game.

China Expands Cyberspying in U.S., Report Says - WSJ.com

Having certain influence in the world, XCon Information Security Conference is one of the most authoritative and famous information security conference in China, and also one of the largest. Upholding rigorous work style, Xcon invited information security experts and fans, network security consultants from abroad and home for years. XCon commit to create a friendly, harmonious information security platform.

In the summer of this year, XCon2009 will come in time. and meet you in Beijing, the capital city of China. Then, there will be many information security experts, scholars, researchers and related professionals who come from many different countries invited to present and give speeches. The meet will involve application security, intrusion detection and forensic analysis, wireless and Voip security and security in emerging field. So if you have new technologies, new discoveries or successful experiences in some fields, welcome to XCon to share with us; If you want to stay abreast of the latest developments in this rapidly moving technological field, or want to learn somethings you never known, welcome to XCon to be with us!

I will be attending XCon in Beijing next week. This should be interesting...

XCon2009 XFocus Information Security Conference

The ShadowServer crew has released some of their findings on the malware from the DDoS this weekend. First, a snip from their conclusion:

First we have seen no evidence to point a finger at North Korea. How could we tell anyway without an extensive investigation and access to all kinds of logs and other data? Unless someone has a lot of extra information, this has to be pure wild speculation as well. Cyberwar? NO way! The term Cyberwar gets thrown around all the time. It's hard to define and everyone has differing views. However, I would venture to say this is far from what most people would call a Cyberwar. It is a bit closer to Cyber Terrorism but definitely not Cyberwar.

This also includes a list of the targeted sites:

banking.nonghyup.com
blog.naver.com
ebank.keb.co.kr
ezbank.shinhan.com
finance.yahoo.com
mail.daum.net
mail.naver.com
mail.paran.com
travel.state.gov
www.ahnlab.com
www.altools.co.kr
www.amazon.com
www.assembly.go.kr
www.auction.co.kr
www.chosun.com
www.defenselink.mil
www.dhs.gov
www.dot.gov
www.egov.go.kr
www.faa.gov
www.ftc.gov
www.hanabank.com
www.hannara.or.kr
www.ibk.co.kr
www.kbstar.com
www.marketwatch.com
www.mnd.go.kr
www.mofat.go.kr
www.nasdaq.com
www.ncsc.go.kr
www.nsa.gov
www.nyse.com
www.president.go.kr
www.site-by-site.com
www.state.gov
www.usauctionslive.com
www.usbank.com
www.usfk.mil
www.usps.gov
www.ustreas.gov
www.voa.gov
www.voanews.com
www.washingtonpost.com
www.whitehouse.gov
www.wooribank.com
www.yahoo.com

Shadowserver Foundation - Calendar - 2009-07-10

Washingtonpost.com and Security Fix readers may have noticed that our site was a bit slow and occasionally unreachable today. Turns out, the site has been under attack by about 60,000 compromised PCs around the globe for several hours now.

We weren't the only site reportedly picked on, though. According to several security researchers who asked to remain anonymous because they are still helping to investigate the assault, the same attackers targeted Web sites for the White House, the Department of Homeland Security, the Department of Defense and the Federal Aviation Administration, with varying success.

The hit list is hard coded into the malicious software, but it appears the list can be updated. The Federal Trade Commission, which was targeted by this malware yesterday and was offline for at least part of the day, is not on the current list of targets.

Other targets on the current list include the Web sites for the New York Stock Exchange, NASDAQ, the U.S. Treasury and State Department.

This caused me headaches over the weekend. Layer3 had some pretty significant packet loss through all it's DC and Atlanta POPs causing indirect problems for every transit provider I deal with.

The word is that this was either done by or on behalf of North Korea, because only US and South Korean sites were targeted. Not sure what I make of it. I'd be interested in knowing what the malware pedigree is.

DPRK 4th of July Weekend DoS?