Business Week has an in-depth cover article on cyber attacks originating from China against top US defense contractors and military and intelligence agencies in the American government. Tibetan support groups like Students for a Free Tibet also receive frequent cyber attacks.
Peng’s 3322.org and sister sites have become a source of concern to the U.S. government and private firms. Cyber security firm Team Cymru sent a confidential report, reviewed by BusinessWeek, to clients on Mar. 7 that illustrates how 3322.org has enabled many recent attacks. In early March, the report says, Team Cymru received “a spoofed e-mail message from a U.S. military entity, and the PowerPoint attachment had a malware widget embedded in it.” The e-mail was a spear-phish. The computer that controlled the malicious code in the PowerPoint? Cybersyndrome.3322.org—the same China-registered computer in the attempted attack on Booz Allen. Although the cybersyndrome Internet address may not be located in China, the top five computers communicating directly with it were—and four were registered with a large state-owned Internet service provider, according to the report.
A person familiar with Team Cymru’s research says the company has 10,710 distinct malware samples that communicate to masters registered through 3322.org. Other groups reporting attacks from computers hosted by 3322.org include activist group Students for a Free Tibet, the European Parliament, and U.S. Bancorp (USB), according to security reports. Team Cymru declined to comment. The U.S. government has pinpointed Peng’s services as a problem, too. In a Nov. 28, 2007, confidential report from Homeland Security’s U.S. CERT obtained by BusinessWeek, “Cyber Incidents Suspected of Impacting Private Sector Networks,” the federal cyber watchdog warned U.S. corporate information technology staff to update security software to block Internet traffic from a dozen Web addresses after spear-phishing attacks. “The level of sophistication and scope of these cyber security incidents indicates they are coordinated and targeted at private-sector systems,” says the report. Among the sites named: Peng’s 3322.org, as well as his 8800.org, 9966.org, and 8866.org. Homeland Security and U.S. CERT declined to discuss the report.
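As an added example (not code from the BusinessWeek report, US-CERT or this post), here is the kind of defender-side check the US-CERT guidance above implies: a sweep of web-proxy logs for requests to any host under the dynamic-DNS zones the report named. The log format, client IPs and timestamps are constructed for the example; the match is done on label boundaries so that look-alike hosts under other domains are not flagged.

```python
import re
from typing import Iterable, List, Tuple

# Dynamic-DNS parent zones named in the US-CERT report quoted above.
# Any host under them (e.g. cybersyndrome.3322.org) should match,
# as should the bare zone itself.
WATCHED_ZONES = ("3322.org", "8800.org", "9966.org", "8866.org")

# Assumed proxy log layout (constructed for this example, not a real product's):
# "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)$")
# Pulls the host out of a URL, stopping before any port, path or query.
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.I)

def host_in_zone(host: str, zone: str) -> bool:
    """True if host equals zone or is a subdomain of it on a label boundary.
    A plain substring test would also flag www.3322.org.example.com."""
    host = host.lower().rstrip(".")
    return host == zone or host.endswith("." + zone)

def host_of(url: str) -> str:
    """Return the host part of a URL (lowercase, trailing dot removed)."""
    m = HOST_RE.match(url)
    host = m.group("host") if m else url.split("/")[0]
    return host.lower().rstrip(".")

def flag_proxy_lines(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, host) for each request to a watched zone."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        host = host_of(m.group("url"))
        if any(host_in_zone(host, z) for z in WATCHED_ZONES):
            hits.append((m.group("ts"), m.group("src"), host))
    return hits

# Constructed sample log: one benign line, one look-alike that must NOT match,
# and three requests to hosts under the watched zones (with port, mixed case).
SAMPLE_LOG = """\
2008-03-07T10:01:02Z 10.0.0.15 GET http://intranet.example.local/index.html
2008-03-07T10:01:09Z 10.0.0.15 POST http://cybersyndrome.3322.org/cgi-bin/up.cgi
2008-03-07T10:02:44Z 10.0.0.22 GET http://www.3322.org.example.com/
2008-03-07T10:03:10Z 10.0.0.31 GET http://update.8800.org:8080/check
2008-03-07T10:03:11Z 10.0.0.31 GET http://Host.9966.ORG./
"""

if __name__ == "__main__":
    for ts, src, host in flag_proxy_lines(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src} -> {host}")
```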
It’s hard to say whether the Chinese government is organizing these attacks itself, or whether they’re done by intrepid nationalistic Chinese hackers. But one source in the Business Week piece cites the People’s Liberation Army – China’s military – as having “tens of thousands” of trainees launching attacks on U.S. computer networks.
The attacks on SFT, defense contractors, and the US government are real. They seek to intimidate, threaten, and disable their targets. When the target is a Tibet support group like SFT, the goal is to globalize the oppression found inside Tibet. When the attack is on governmental agencies and defense contractors, the goal may be something with far more deadly repercussions. In both cases this is a serious problem that needs to be addressed. If the Chinese government is organizing or funding these attacks, that should be a matter of international diplomatic debate. If they are done by private citizens, the Chinese government has an obligation to stop the source of the attacks. Given the massive censorship and the tens of thousands of full-time Chinese government internet monitors, the continued propagation of attacks, even if done by private citizens, must be assumed to be taking place with at least the tacit approval of the Chinese government.