Category Archives: Cyber Criminals

Korea – Chinese Hackers Infatuated with Koreans’ Personal Info

Chinese computer hackers are apparently hell-bent on obtaining Korean nationals’ personal information, with the number of thefts growing larger.

Alarmingly, Internet users can easily obtain the credit card details of more than 5,000 Koreans by simply downloading a “Korean resident registration number generator” on a Chinese website.

And when browsing “Korean name and identity number” on Baidu, China’s biggest Web portal, nearly 1.4 million results pop up, many of them containing a database showing the personal details of thousands of Koreans.

via The Chosun Ilbo (English Edition): Daily News from Korea – Chinese Hackers Infatuated with Koreans’ Personal Info.

Cyber Weapons: The New Arms Race – BusinessWeek

The Pentagon, the IMF, Google, and others have been hacked. It’s war out there, and a cyber-weapons industry is exploding to arm the combatants.

Cyber attacks used to be kept quiet. They often went undiscovered until long after the fact, and countries or companies that were hit usually declined to talk about attacks. That’s changed as a steady flow of brazen incursions has been exposed. Last year, for example, Google (GOOG) accused China of spying on the company’s workers and customers. It said at the time that at least 20 other companies were victims of the same attack, nicknamed Operation Aurora by the security firm McAfee. (INTC) The hacked included Adobe Systems (ADBE), Juniper Networks (JNPR), and Morgan Stanley. (MS) Joel F. Brenner, the head of U.S. counterintelligence until 2009, says the same operation that pulled off Aurora has claimed many more victims over several years. “It’d be fair to say that at least 2,000 companies have been hit,” Brenner says. “And that number is on the conservative side.”

via Cyber Weapons: The New Arms Race – BusinessWeek.

China Cyber Attack Fallacies | Flashpoints

Google recently announced a spear phishing campaign that had been going on for over a year and ‘which appears to originate from Jinan, China’ that targeted the personal Gmail accounts of hundreds of various persons of interest, presumably to the Chinese government.

The proof to support the headline was that Chinese IP addresses were involved. What both Google and Siobhan Gorman, who reported on the story for the Wall Street Journal, failed to disclose was that other countries’ IP addresses were used as well, including South Korea and the United States. Copies of the spoofed emails, along with the originating IPs, were disclosed back in February on the Contagio blog. Of the six IP addresses used in the military and government employee phishing scheme, two were from Hong Kong, two were from Beijing, one was from Seoul, and one was from New York:

1) Hong Kong (PCCW Business Internet Access)

2) Hong Kong (Wharf TT Ltd)

3) Beijing (China Unicom)

4) Beijing (China Unicom)

5) Seoul (Korea NIC)

6) New York (Nobis Technology Group LLC)

In 2010, TeleGeography rated China Telecom (55 million customers) and China Unicom (40 million customers) as the two largest ISPs in the world, serving 20 percent of all broadband customers on earth. And neither company restricts its customer base to residents of the People’s Republic of China. Anyone can buy server time on any of these mainstream Chinese ISPs: China Telecom; China Mobile; China Unicom; and HiChina Zhicheng Technology Ltd.

Payment per year ranges from 5,000 yuan to 25,000 yuan ($770 to $3,860), and can be made via bank online transfer, domestic and international wire, Alipay (China’s Paypal), and even cash in certain cities such as Beijing and Guangzhou. In other words, no matter where in the world you live, you can lease server time and set up an email account that will resolve to China. And if you use it to phish the Gmail accounts of your targets, you’ve hit the gold standard of mis-direction because there’s almost no alternative analysis done anymore when it comes to attacks that geolocate to an IP address in China.

Google may have chosen to focus on the two IP addresses that resolved to Jinan, the capital of Shandong Province, because it’s home to Lanxiang Vocational School, which was associated with the Google attacks of December 2009 to January 2010, and because it has a PLA regional command centre. The problem with this is that Jinan is a high-tech industrial zone with more than 6 million people and more than a dozen universities. Sourcing an email to Jinan is like sourcing a fruit shipment to California’s Central Valley. It wasn’t good evidence back in January 2010 and it’s no better now.

There are at least a dozen foreign governments that I can think of who have a vested interest in reading the personal email accounts of US China policy makers, military leaders, government officials, etc. and all of them are standing up Cyber Commands and enjoy the benefit of their own nationalistic hacker crews from time to time.

None of this rules China out as the responsible party, of course. I’m simply arguing for a higher bar of evidence before making the leap that China did it. One alternative method, for example, is to try to answer why the spear phishing attack was done. Once you have a clear grasp as to why, you can move on to creating a list of those who would benefit, and then look for reasons that might exclude each member of that list. The discipline of alternative analysis has been a difficult one to adopt even among those who do it for a living within the intelligence community because our individual perceptions are highly biased in favour of something called mirror-imaging; i.e., we imagine that everyone sees things as we do.

Another obstacle to alternative analysis is fear: the fear of being wrong; of looking silly; of taking an unpopular stand and suffering the consequences; and so on. Now that the Pentagon has determined that a cyber attack may be sufficient to justify a kinetic response, it’s imperative that corporate leaders like Google, government leaders like the US Secretary of State, and influential media exercise more due diligence before leaping to conclusions that may have harmful, possibly irreversible, international repercussions.

via China Cyber Attack Fallacies | Flashpoints.

DailyTech – Reports: Hackers Use Stolen RSA Information to Hack Lockheed Martin

May 30, 2011 10:14 AM

I. RSA Sec. Breach — Prelude to the Lockheed Martin Attack?

II. Damage Control

III. What Was Lost?

IV. Who Attacked Lockheed Martin?

V. One Million Threats

Company claims fighter project schematics and hosted government information were not leaked

Over a week has passed and Lockheed Martin Corp. (LMT), the U.S. government’s top information technology services provider, was hacked. The attack has been characterized as a “fairly subtle”, yet “significant and tenacious” attack on servers at its massive Gaithersburg, Maryland data center, located not far from the company headquarters in Bethesda.

As details emerge the attack is appearing more and more like it was lifted out of a spy movie or Tom Clancy novel.  The hackers appeared to have gained entry using information stolen in a separate, even more audacious attack of one of the world’s highest profile security firms.

I. RSA Sec. Breach — Prelude to the Lockheed Martin Attack?

Back in March hackers gained access to RSA Security’s servers.  RSA Sec. takes its name from the last initials of founders Ron Rivest, Adi Shamir, and Leonard Adleman, three top cryptographers.  The trio’s popular public-key cryptography algorithm shares the same name — RSA.

At the time of the RSA Sec. intrusion, the company commented that, despite the fact that it believed information was stolen, it did not believe customer information or the security of the company’s software products had been compromised. Yet it did advise clients to follow online advice to safeguard themselves against possible fallout from the data loss.

The attack on RSA was described as “extremely sophisticated”.

Sources close to Lockheed point to compromised RSA SecurID tokens — USB keychain dongles that generate strings of numbers for cryptography purposes — as playing a pivotal role in the Lockheed Martin hack.

II. Damage Control

Hackers are believed to have entered Lockheed Martin’s servers by gaining illegitimate access to the company’s virtual private network (VPN).  The VPN allowed employees to connect over virtually any public network to the company’s primary servers, using information streams secured by cryptography.

With the RSA tokens hacked, though, those supposedly secure VPN connections were compromised.

Lockheed says that it detected the attack “almost immediately” and warded it off quickly.  The company has since brought the VPN back online, but not before “upgrades” to the RSA tokens and adding new layers of security to the remote login procedure.

III. What Was Lost?

At this point the question on everyone’s mind likely is “What was lost?”

Lockheed has cause for concern — the company is not only safeguarding a wealth of U.S. government military information from external sources, it’s also protecting its own valuable projects — the F-16, F-22 and F-35 fighter aircraft; the Aegis naval combat system; and the THAAD missile defense.

A U.S. Defense Department spokeswoman, Air Force Lieutenant Colonel April Cunningham, told Reuters Saturday night that the risk from the breach was “minimal and we [the USAF] don’t expect any adverse effect.”

Lockheed Martin claims that no compromise of customer, program or employees’ personal data occurred.  The company has made similar claims about past breaches.

Now that the Pentagon is involved, if anything was stolen, it should be identified shortly.

IV. Who Attacked Lockheed Martin?

After the pressing issue of what was lost, perhaps the second most compelling question is who was behind the breach.  Military officials and security staff at Lockheed are looking for clues in local time stamped information stored on the server and IP logs, trying to find out who accessed the compromised systems from where and when.

The problem is not easy as hackers commonly reroute their malicious traffic through multiple proxies, disguising their location.  That said, given the nature of attack — take down one of the world’s top security firms and then use that information to compromise a top defense contractor — involvement by a foreign government is suspected.

Lockheed posted a job listing last week requesting the services of a “lead computer forensic examiner”.  Requirements included someone who could “attack signatures, tactics, techniques and procedures associated with advanced threats” and “reverse engineer attacker encoding protocols.”  The cyber forensics expert’s first task will likely be to try to pinpoint the identity of the attacker.

The most likely suspect is obviously China, with whom the U.S. government has been waging a “cyberwar” for a decade now.  China hires freelance hackers and maintains a large military force of official hackers as well.  It uses this force to infiltrate international utilities, businesses, government servers, and defense contractors, looking for valuable information.

China has recently been testing a stealth jet, the J-20, which contains features curiously similar to those found on past Lockheed Martin designs.  China insists, though, that it did not use stolen information to build its new weapon.

V. One Million Threats

Lockheed Martin’s IT staff say they encounter 1 million “incidents” a day.  They have to filter through these, distinguishing “white noise” from serious threats.

The Maryland data center from which information was taken is a state of the art facility, built in 2008.  It covers 25,000 square-feet and cost $17M USD to build.  But even with relatively modern systems and protections, defenses were still not strong enough to hold off the sophisticated and savvy attacker.

The company has a separate back-up data center in Denver, Colorado, which shares some of the company’s contract workload.  That center is not believed to have been breached in the intrusion.

Going ahead, Lockheed Martin will invariably face pressure from the U.S. Military and Congress to do a better job in making its systems breach-proof.  But given the company’s budget versus China’s virtually blank check given to cyber security efforts, one has to wonder how much the company will be able to do with so little.

Sondra Barbour, the company’s chief information officer, reminded employees in an email, “The fact is, in this new reality, we are a frequent target of adversaries around the world.”

via DailyTech – Reports: Hackers Use Stolen RSA Information to Hack Lockheed Martin.

US, China cyber experts agree…on spam | FT Tech Hub | FTtechhub – Industry analysis –

There has been an increasing amount of talk from high places, including the White House, about the urgent need for international cooperation on cybersecurity. But a proposal to be released tomorrow calling for specific US-China steps shows, more than anything, how far we have to go.

The 79-page document isn’t coming out from the Obama administration but is the product of a year-long joint effort by the prestigious nonprofit EastWest Institute and the Internet Society of China.

With the involvement of many prominent former government officials and industry leaders, the EastWest Institute has played a back-channel role in resolving some major international conflicts before, and it has made cyber issues a priority. It brought Chinese and Russian authorities to a kickoff conference in Dallas a year ago and is convening a new summit in London next week.

The ultimate goal would be treaties that forbid or limit cyberwar. But with the major countries unable to agree about much of anything at this early stage, the institute decided to get the ball rolling by finding out at least what each of the parties would most like to talk about.

From China, seen by US intelligence officials as the most pernicious foe in matters cyber, came the resounding answer: spam. This may have something to do with the fact that US-based computers churn out far more spam than those in China, and the US is indeed one of the world’s worst offenders.

The institute gamely plunged ahead, producing with its counterpart in China a reasonable, uncontroversial series of recommendations for things like greater transpacific sharing of information and best practices by professionals, with legislation taking a back seat.

Because it is mostly calling for more discussion, the report isn’t likely to cull much in the short term from the more than 90 per cent of email that is unwanted.

But given what it took to achieve even what it did, the document is a healthy reminder of how much more work lies ahead, coming from people who are actually negotiating.

In any case, you have to start somewhere.

via US, China cyber experts agree…on spam | FT Tech Hub | FTtechhub – Industry analysis –

Hackers Hit U.S. Army Contractors

(Reuters) – Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters.

They breached security systems designed to keep out intruders by creating duplicates to “SecurID” electronic keys from EMC Corp’s (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter.

It was not immediately clear what kind of data, if any, was stolen by the hackers. But the networks of Lockheed and other military contractors contain sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.

Weapons makers are the latest companies to be breached through sophisticated attacks that have pierced the defenses of huge corporations including Sony (SNE.N), Google Inc (GOOG.O) and EMC Corp (EMC.N). Security experts say that it is virtually impossible for any company or government agency to build a security network that hackers will be unable to penetrate.

The Pentagon, which has about 85,000 military personnel and civilians working on cybersecurity issues worldwide, said it also uses a limited number of the RSA electronic security keys, but declined to say how many for security reasons.

The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.

EMC declined to comment on the matter, as did executives at major defense contractors.

Rick Moy, president of NSS Labs, an information security company, said the original attack on RSA was likely targeted at its customers, including military, financial, governmental and other organizations with critical intellectual property.

He said the initial RSA attack was followed by malware and phishing campaigns seeking specific data that would link tokens to end-users, which meant the current attacks may have been carried out by the same hackers.

“Given the military targets, and that millions of compromised keys are in circulation, this is not over,” he said.

Lockheed, which employs 126,000 people worldwide and had $45.8 billion in revenue last year, said it does not discuss specific threats or responses as a matter of principle, but regularly took actions to counter threats and ensure security.

“We have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security,” said Lockheed spokesman Jeffery Adams.

Executives at General Dynamics Corp (GD.N), Boeing Co (BA.N), Northrop Grumman Corp (NOC.N), Raytheon Co (RTN.N) and other defense companies declined to comment on any security breaches linked to the RSA products.

“We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions,” said Northrop spokesman Randy Belote.

Raytheon spokesman Jonathan Kasle said his company took immediate companywide actions in March when incident information was initially provided to RSA customers.

“As a result of these actions, we prevented a widespread disruption of our network,” he said.

Boeing spokesman Todd Kelley said his company had a “wide range” of systems in place to detect and prevent intrusions of its networks. “We have a robust computing security team that constantly monitors our network,” he said.

Defense contractors’ networks contain sensitive data on sophisticated weapons systems, but all classified information is kept on separate, closed networks managed by the U.S. government, said a former senior defense official, who was not authorized to speak on the record.

SecurIDs are widely used electronic keys to computer systems that work using a two-pronged approach to confirming the identity of the person trying to access a computer system. They are designed to thwart hackers who might use key-logging viruses to capture passwords by constantly generating new passwords to enter the system.

The SecurID generates new strings of digits on a minute-by-minute basis that the user must enter along with a secret PIN (personal identification number) before they can access the network. If the user fails to enter the string before it expires, then access is denied.

RSA and other companies have produced a total of about 250 million security tokens, although it is not clear how many are in use worldwide at present, said the former defense official.

The devices provided additional security at a lower cost than biometrics such as fingerprint readers or iris scanning machines, said the official, noting that the RSA incident could increase demand for greater use of biometric devices.

The RSA breach did raise concerns about any security tokens that had been compromised, and EMC now faced tough questions about whether “they can repair that product line or whether they need to ditch it and start over again,” he said.

EMC disclosed in March that hackers had broken into its network and stolen some information related to its SecurIDs. It said the information could potentially be used to reduce the effectiveness of those devices in securing customer networks.

EMC said it worked with the Department of Homeland Security to publish a note on the March attack, providing Web addresses to help firms identify where the attack might have come from.

It briefed individual customers on how to secure their systems. In a bid to ensure secrecy, the company required them to sign nondisclosure agreements promising not to discuss the advice that it provided in those sessions, according to two people familiar with the briefings.

via Hackers Hit U.S. Army Contractors – The Daily Beast.
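The Reuters piece above describes the SecurID model in outline: a token shows a fresh string of digits every minute, the user types it in together with a secret PIN, and an expired string is refused. The sketch below is an added illustration of that model, not code from the article, from RSA, or from any of the companies named; it uses the open RFC 4226 HOTP / RFC 6238 TOTP construction rather than RSA’s own token algorithm, and the seed (the RFC test key), PIN and times are constructed sample values. What it makes concrete is the point the source draws from the RSA breach: the per-token seed is the whole secret of the second factor. Anyone holding a copy of the seed record computes exactly the codes the token will display, so the PIN is the only factor a seed thief lacks, and the server-side window is what stops replay of an old code.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample values for one hypothetical user (not real credentials).
# SEED is the RFC 4226/6238 test key ("12345678901234567890" as ASCII); the PIN is made up.
SEED = b"12345678901234567890"
PIN = "4711"
STEP = 60  # seconds per code; the article describes codes changing every minute


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(seed, counter) followed by dynamic truncation to `digits`."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(seed, at // step)


def codes_from_seed(seed: bytes, start: int, count: int, step: int = STEP) -> list:
    """Every code the token will show for the next `count` steps.
    The token, the authentication server, and anyone who has copied the seed
    record all produce this same list; that shared secret is the exposure a
    seed-database breach creates, and why re-seeding tokens is the remedy."""
    return [totp(seed, start + i * step, step) for i in range(count)]


def verify(submitted: str, seed: bytes, pin: str, now: int,
           step: int = STEP, skew: int = 1) -> bool:
    """Server-side check of PIN + token code, tolerating `skew` steps of clock drift.
    A bare code without the PIN fails; a code outside the window (expired) fails.
    Comparisons use constant-time equality so timing does not leak either factor."""
    if len(submitted) <= len(pin) or not hmac.compare_digest(submitted[:len(pin)], pin):
        return False
    code = submitted[len(pin):]
    return any(
        hmac.compare_digest(totp(seed, now + w * step, step), code)
        for w in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SEED, now)
    print("token shows:", code)
    print("PIN+code accepted:", verify(PIN + code, SEED, PIN, now))
    print("code alone accepted:", verify(code, SEED, PIN, now))
    print("code from five minutes ago accepted:",
          verify(PIN + totp(SEED, now - 5 * STEP), SEED, PIN, now))
    print("next three codes anyone holding the seed can precompute:",
          codes_from_seed(SEED, now, 3))
```

Run stand-alone, the script shows the PIN-plus-code login succeeding, the same code without the PIN and a five-minute-old code both failing, and the upcoming codes that fall out of the seed alone. The design choice worth noting for a defender is that nothing in the verifier distinguishes the legitimate token from a clone made from the same seed; the only controls are the PIN, the short acceptance window, and protecting or replacing the seed records themselves, which is the step the Lockheed coverage above refers to as “upgrades” to the tokens.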

Interop: Cyberwar test runs yield information about defenses

Cyber warfare strategy is getting so sophisticated that network attacks suitable for major assaults are being used instead as trial runs meant solely to probe enemies with the aim of figuring out what their defenses are, an audience at an Interop security talk was told.

A distributed denial of service (DDoS) attack against South Korea earlier this year was delivered from a multilayered botnet that persisted for 10 days then halted with command and control servers flushing the bot software out of the zombie machines, according to Brian Contos, director of global security strategy for McAfee.

The attack — McAfee called it 10 Days of Rain — came from a difficult to take down, multi-tiered botnet set up by North Korea, he says. Then the botnet suddenly stopped its attack and deleted itself from the systems it had taken over.

via Interop: Cyberwar test runs yield information about defenses.

Canada Becomes Second-Largest Source of Phishing, Malware, Botnet Activity – Security – News & Reviews –

Cyber-criminals appear to be on the move, switching from Chinese and Eastern European IP addresses in favor of Canadian ones, according to security researchers.

An increasing amount of malicious traffic and a growing number of botnets are originating from servers based in Canada, Patrik Runald, a senior manager of security research at Websense, wrote May 9 on the Websense Insights blog. This may be because many Web security services and security products scrutinize traffic originating from China and Eastern Europe more carefully for malicious activity, the researchers said.

In contrast, Canada has a better “cyber-reputation,” and traffic from those servers may be regarded with less suspicion.

via Canada Becomes Second-Largest Source of Phishing, Malware, Botnet Activity – Security – News & Reviews –

China’s Spying Seeks Secret US Info | China Digital Times (CDT)

China is ramping up espionage efforts in the United States. One key component of their strategy is to recruit U.S. citizens to join clandestine defense organizations and pass along information to Chinese handlers. From the Associated Press:

via China’s Spying Seeks Secret US Info | China Digital Times (CDT).

Cyber Scam Said Sending Funds to Chinese Banks From CUs, Community Banks

Cyber Scam Said Sending Funds to Chinese Banks From CUs, Community Banks.