Despite Promises, China Still Targeting US Firms (crowdstrike.com) 125
itwbennett writes: Three weeks after the U.S. and China reached their first-ever cybercrime and cyberespionage agreement, a new report from CrowdStrike details intrusions from hackers affiliated with the Chinese government, indicating they almost immediately broke their word. In a blog post, CrowdStrike's Dmitri Alperovitch said the first observed intrusion was detected on September 26 – one day after President Obama hosted President Xi Jinping of China for a state visit.
Re: (Score:1)
Everyone knows China is the go-to scapegoat for Infosec people. Crowdstrike, in particular, is a well known smoke seller.
It's too bad that the very same people that could be helping build a better society, are trying to get govt. money by war-mongering, spreading bullshit about other countries and hoping the local govts will pick the bait.
Really? (Score:2)
Did anyone really believe that any agreement was worth a pound of noodles?
Re: (Score:1)
Yea, those Republicans were just awful in pointing out that America's first Muslim President was making a bad deal with a country that couldn't be trusted and whose "religious" leaders were even saying that they would not honor the deal they were making. How dare they stand in the way of Obama destroying this country?
And before you say it, I know that he claims to not be Muslim any more, even though he certainly was in the past. After all, he even belonged to that Christian church in Chicago. The one wher
Re: (Score:1)
These people are collectively too stupid. Unfortunately, this stupidity will cost the common person a lot in the end.
Is there a list of IP ranges for this anywhere? (Score:2)
Re:Is there a list of IP ranges for this anywhere? (Score:5, Insightful)
I think the more likely answer is that pretty much anything facing the internet should probably expect to be under fairly constant attack, from lots of different sources, none of which knows what you are.
Years ago it was true that if you took a brand new Windows machine, put it on the internet, it would probably be hacked within 30 minutes. I very much doubt that has changed for the better.
I suspect a lot of this stuff is just purely automated at this point.
The internet isn't really a safe place. You should pretty much assume that someone on the internet is actively trying to hack into machines. In fact, you should probably assume a lot of someones are.
I suspect they don't know or care the function of your machine. It's just a blanket "attack everything and see what happens".
Re: (Score:2)
I suspect they don't know or care the function of your machine. It's just a blanket "attack everything and see what happens".
I whole-heartedly agree - and apparently did not express that adequately. I don't expect that they give a shit what my server is doing, they just know that ssh is open so they try to get in. Frankly I think of the hackers as being like The Joker's line from The Dark Knight:
if they caught a car, they wouldn't know what to do with it!
So really what I'm wondering is, given a list of X different Chinese IP addresses that tried (and failed) to get into my web server, can I tell if any of them are from the Chinese government? Obviously a WHOIS will give me some info
Re:Is there a list of IP ranges for this anywhere? (Score:5, Insightful)
The short answer is no.
The longer answer is that an IP address alone tells you almost nothing. For example, any competent agent for the NSA is going to use a compromised system in the EU, Russia or China when attacking Chinese targets. Equally, any competent state-sponsored actor in China is going to use a compromised system in the EU, Russia or the US when attacking US targets.
And the remote IP is not necessarily even compromised. Maybe not so much for Chinese IP addresses, but what the bad guys like for the US IP address space are university virtual private networks. Get the password for an account at an EDU then (bounced through a compromised system) connect to that, *then* attack. Some of them will bounce through multiple EDU VPNs.
Another example is the javascript malware that you get to a browser via: injection from a privileged position on the network (e.g., NSA), compromised server, advertising, or any other method. The javascript runs in the browser and does its thing. The user's system is effectively compromised and part of a botnet, but closing the browser "cleans" it. There's no requirement to have anything on the file system, making antivirus as helpful as some hand sanitizer.
If you have a remote IP address all that you can really say is that packets were routed to you with that as the identified source (in some attacks they don't even have to come from that IP address at all). Who was at the computer? Who was responsible for the packets? That takes a lot more than an IP address to determine.
Re: (Score:2)
If you have a remote IP address all that you can really say is that packets were routed to you with that as the identified source (in some attacks they don't even have to come from that IP address at all). Who was at the computer? Who was responsible for the packets? That takes a lot more than an IP address to determine.
As indeed the IP address that the attack is coming from could be in any of a variety of different states of use or misuse.
I will say though that much of the rest of what you said is assuming a certain degree of competence. I will argue that the behaviors I am seeing in my logs - thousands of failed ssh attempts as root in a 24 hour period from one address - negate any claims of competence. One would expect that "government" hackers would be more competent, but then again t
Re: (Score:2)
I have done a couple of traces on hacked systems, so I have some experience with this.
One system, they got in through a monitoring application that someone had installed with a default password, they then loaded up a copy of their intrusion software and used the company's high speed connection to search for other exploitable systems.
Another system I worked on, they exploited a FTP server, and started loading the server up with movies that I suppose they were sharing out. They overdid it and crashed the ser
Re: (Score:2)
Years ago it was true that if you took a brand new Windows machine, put it on the internet, it would probably be hacked within 30 minutes. I very much doubt that has changed for the better.
It's generally less than 10 minutes [sans.edu].
Re: (Score:2)
Those appear to be probes, not entirely successful. While an interesting number and nice to have, I'm not sure how well it can be extrapolated to mean infection/invasion. Another surprise was how the Unix attacks looked very similar. I'm assuming they're counting Linux in with Unix. I'd have expected the probes to be even sooner than Windows because, honestly, Unix systems are where the good stuff usually is - considering their prevalence in data centers.
If I were evil and wanting to 'hack' a system then I'
Re: (Score:2)
Anyhow, I hate to give Windows any credit but they're much harder to exploit - even unpatched and new installs online, without the user doing something stupid, than they used to be.
Yes. Remember the days of Nimda and Code Red? Windows was an open door, inviting the world to enter.
Now if you want that kind of welcome mat, you need to look at the IoT.
Re: (Score:1)
I'd want stuff in data centers and in business servers.
Sometimes the best way in to a server is by hijacking one of the desktop clients that are probably left turned on all night.
Re: (Score:3)
I suspect they don't know or care the function of your machine. It's just a blanket "attack everything and see what happens".
That's what it looks like in my logs, too. When I was running an open http port I would see not targeted attacks, but what looked like scripts looking for an insecure/misconfigured server.
I found it amusing that since switching to https with self-signed certificates, the number of attacks dropped to zero. Even hackers won't accept my certificate :/
Re:Is there a list of IP ranges for this anywhere? (Score:5, Insightful)
Quick advice: move the port to some random (RANDOM!!!) port above 1024.
It won't help your security but it will stop your log from filling up with notifications.
I see "attacks" from addresses in almost every nation. It isn't that I'm under constant attack. It isn't that I'm particularly valuable.
It's that it is easily scripted.
Re: (Score:2)
FWIW, just this morning I was attacked by address 117.27.152.55 which belongs to the ISP "Chinanet" (according to WHOIS). According to wikipedia, Chinanet is state-owned, so if we were to get conspiracy-ish I could postulate that this could be government-connected and not just some rand
Re: (Score:3)
Check your logs. Were you "attacked" by any IPs in the USofA? Or Europe?
Just because an "attack" is coming from an ISP owned by someone does not mean that that someone is connected to the attack.
Any minimally competent attacker would have bounced the attack through at least 2 other cracked systems outside of his/her home or government or whatever.
Or, to clarify that, a competent Chinese attacker would connect to a machine in France that would connect to a machine in California that would run the script that
Re: (Score:2)
When speaking of China why does everyone go down this rabbit hole? Does anyone remember the Great Firewall of China? Do you really think they block blogs etc but let all potential hacking attempts right on through?
If they do let all attempts through then they are approving it. That would make it at least state acknowledged if not state sponsored.
Re: (Score:2)
Yes. Because to block everything else would be unmanageable.
Blocking certain sites is feasible AND won't ruin their attempts at international commerce.
Blocking ALL sites (except for approved sites) is feasible BUT it would ruin their attempts at international commerce. And require an army of sysadmins. And fail anyway.
Re: (Score:2)
I have a CentOS server that I use for nothing but sshd (on a non-standard port, not for security but because it's one that isn't filtered at work) and squid for unfiltered web browsing at work and I have multiple attacks every day, currently:
Oct 18 20:17:41 echo sshd[22226]: Bad protocol version identification '\026\003\001' from 74.82.47.3
Oct 19 03:12:05 echo sshd[23298]: Bad protocol version identification '\026\003\001' from 54.149.243.130
Oct 19 06:33:30 echo sshd[26619]: Bad protocol version identificat
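Two posts above describe the same kind of log noise: one sees thousands of failed root logins from a single address in a day, and this one quotes "Bad protocol version identification '\026\003\001'" lines. The octal bytes in that banner are 0x16 0x03 0x01, which is the start of a TLS record (a ClientHello), so whatever connected expected an HTTPS server on the ssh port, which fits the "attack everything and see what happens" pattern discussed earlier. The script below is an added example, not code from any poster or from CrowdStrike: it parses auth.log-style sshd lines, counts failures per source IP, flags addresses that burst past a threshold inside a time window (the same logic a fail2ban-style jail applies), and decodes the banner bytes to say what the probe actually was. The log lines inside it are constructed for the example, not taken from this thread, and the threshold and window values are assumptions. Note that the source IP it reports is only the last hop, which is the attribution caveat made elsewhere in the thread.

```python
"""Summarize sshd noise from auth.log-style lines: count failures per source
IP, flag brute-force bursts, and decode 'Bad protocol version identification'
banners so a probe can be classified (TLS, HTTP, unknown)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the thread) in the syslog layout the
# posts quote: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>".
# Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Oct 18 20:17:41 echo sshd[22226]: Bad protocol version identification '\\026\\003\\001' from 203.0.113.9
Oct 19 03:12:05 echo sshd[23298]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct 19 03:12:07 echo sshd[23298]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct 19 03:12:09 echo sshd[23301]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Oct 19 03:12:11 echo sshd[23305]: Failed password for root from 198.51.100.7 port 51040 ssh2
Oct 19 06:33:30 echo sshd[26619]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.44
Oct 19 07:01:12 echo sshd[27002]: Accepted publickey for alice from 192.0.2.10 port 40312 ssh2
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
BADPROTO_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Bad protocol version identification '(?P<banner>.*)' from (?P<ip>[\d.]+)")


def parse_ts(text: str) -> datetime:
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # because only differences between timestamps are used below.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_line(line: str):
    """Return {'kind','ts','ip',...} for a failed login or bad banner, else None."""
    m = FAILED_RE.match(line)
    if m:
        return {"kind": "failed", "ts": parse_ts(m["ts"]), "ip": m["ip"], "user": m["user"]}
    m = BADPROTO_RE.match(line)
    if m:
        return {"kind": "badproto", "ts": parse_ts(m["ts"]), "ip": m["ip"], "banner": m["banner"]}
    return None  # successful logins and unrelated messages are ignored here


def decode_banner(escaped: str) -> bytes:
    """sshd logs non-printable bytes as three-digit octal escapes (\\026 -> 0x16)."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), escaped).encode("latin-1")


def classify_banner(raw: bytes) -> str:
    """Identify what protocol the peer spoke at the ssh port."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x03:
        return "tls-client-hello"
    if raw.split(b" ", 1)[0] in {b"GET", b"HEAD", b"POST", b"CONNECT", b"OPTIONS"}:
        return "http-request"
    return "unknown"


def burst(times, threshold: int, window_seconds: int) -> bool:
    """True if any `threshold` events fall inside a `window_seconds` span."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
            return True
    return False


def summarize(log_text: str, threshold: int = 3, window_seconds: int = 60) -> dict:
    """Per-source-IP summary; threshold/window are assumed fail2ban-like defaults."""
    per_ip = defaultdict(lambda: {"failed": 0, "bad_proto": 0, "users": set(),
                                  "banners": [], "brute_force": False})
    fail_times = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_ip[ev["ip"]]
        if ev["kind"] == "failed":
            rec["failed"] += 1
            rec["users"].add(ev["user"])
            fail_times[ev["ip"]].append(ev["ts"])
        else:
            rec["bad_proto"] += 1
            rec["banners"].append(classify_banner(decode_banner(ev["banner"])))
    for ip, times in fail_times.items():
        per_ip[ip]["brute_force"] = burst(times, threshold, window_seconds)
    return dict(per_ip)


if __name__ == "__main__":
    # The IP shown is the last hop only; it says nothing about who is behind it.
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec)
```

Feed it `journalctl -u sshd` or `/var/log/auth.log` output instead of SAMPLE_LOG to get the same per-IP view of a real box; the `tls-client-hello` and `http-request` buckets are the scanners that did not even know what service they were talking to.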
Re: (Score:2)
Sure, there were loads of crap ssh attacks from all over the world, but the vast majority were from Chinese and Eastern European IP block ranges.
I blocked whole ranges of IPs (Chinese and Eastern European).
I think the moral of the story, which I can't believe still isn't the reality we live in, is that everything will have only whitelists.
However, have fun whitelisting Office 365 [office.com]
Re: (Score:1)
Whitelisting... It's the reason I still use Hotmail. Nobody else offers it. And Office 2007 still works, even in Win10, no connection needed at all.
Ahh baby, (Score:4, Funny)
Re: (Score:2)
You should read Machiavelli. Definitely western.
Yes, he is criticized, but it started because he was describing the *real* politic and exposing the (then current) dirty laundry. Why did he do it? Because he was under house arrest following a change in government and wanted to be active again. He was trying to demonstrate that he had political savvy. It wasn't a book for general consumption (no such thing existed at the time anyway), but written for the guy in charge.
Even the best known quotation is done mis
Thank you, Captain Obvious (Score:5, Insightful)
Re:Thank you, Captain Obvious (Score:5, Interesting)
If you've ever read Mao's Little Red Book, that's one of the key devices used in it. The thing basically repeats the same philosophy over and over. It's funny because when you read the sentiments on page 1, it sounds fairly ridiculous. By the time you reach page 30, however, it starts to sound more plausible.
Human psychology is interesting that way.
Re: (Score:2, Insightful)
Just like capitalism has become a "normal" thing: repeat once and once again that greed is "human nature" and totally justified, but cooperation isn't.
Re: (Score:2)
Troll rating: 1/10.
Re: (Score:2)
When was capitalism not the norm for humanity - since the advent of evolution to Homo sapiens? I'm no expert or anything but I suspect we've engaged in trade and tried to acquire wealth since the dawn of our species. Hell, there are lying, thieving, pebble-collecting penguins who trade and acquire in an attempt to mate. Even some primates engage in some forms of trade. One might even suggest that certain plants trade by giving away their produce in order to spread their seeds.
I'm really only questioning why
Re: (Score:1)
Did he develop it independently from Islam?
Re: (Score:3, Insightful)
How else would you explain their straight-faced, utterly disingenuous denials?
The same way you explain the straight-faced denials by America, until the Snowden leaks exposed them as utterly disingenuous.
Re: (Score:1)
As opposed to building infrastructure and making deals with other countries to intercept internet traffic?
China may be stealing land from its neighbours; the USA on the other hand is stealing the privacy of people and, via treaties, the laws that protect people all over the world. Team America the world police are every bit the authority-overreaching bullies that their local department equivalents are.
Fuck China, AND Fuck the USA.
Re: (Score:2)
too bad I've already posted or I'd've modded you up
Re: (Score:2)
So if the Chinese are going to do it what's wrong with us doing it back?
We are not "doing it back". China is. We started it.
But I don't think it is "wrong". Political espionage and corporate espionage are done by all sides, and in general help to make things more transparent. They are Good Things. What is wrong is the hypocrisy of pretending to be outraged about China, while we do the same thing. Instead of making a big fuss, we should be securing our servers.
Re: (Score:1)
Is anyone surprised by this? Even a little bit? I don't know what it is about the Chinese, but they seem to think that if one repeats one's denials enough, the plainly observable truth will just go away. How else would you explain their straight-faced, utterly disingenuous denials?
Based on comments by a few in the original discussion of this topic, the answer seems to be...yes.
http://news.slashdot.org/story... [slashdot.org]
Re: (Score:1)
I don't know what it is about the Chinese, but they seem to think that if one repeats one's denials enough...
Yes, because the US government clearly does not do this.
Re: (Score:2)
I don't know what it is about the Chinese, but they seem to think that if one repeats one's denials enough...
Yes, because the US government clearly does not do this.
No, not like that. Even when presented with clear, incontrovertible evidence, the Chinese will still insist that water is not wet. That's the part I don't get; how they expect anyone to take them the least bit seriously.
Re: (Score:2)
Do you really think that the US ever stopped either? Of course not, spying went on interrupted from both sides.
Re: (Score:2)
Fair enough, but I don't think the piece was written to inform about the balance or blame of the hacking. Instead, it was to inform the unaware that the agreement wasn't worth the paper it was written on.
An actual Chinese crackdown on hackers (which they could easily do) would have a real effect. So people will want to know if China was serious for reasons other than just trying to prove that they are nefarious or better/worse than the US.
Re: (Score:2)
Fair enough, but I don't think the piece was written to inform about the balance or blame of the hacking. Instead, it was to inform the unaware that the agreement wasn't worth the paper it was written on.
Many international agreements are that way, as are many high-profile acts of congress in the US.
This particular one was a "Joint Statement" that they intend to be nicer in the future. These are usually called resolutions, much like your resolution to lose ten or twenty pounds that you make every year at your new year's party. Politicians resolve that the nations will play nice together but there are no specifics and they have no consequences if the resolutions are broken. The politicians create and sign t
It's all about Face (Score:1)
The only way they will stop is if you publicly humiliate them inside China or at a major event.
Everything else won't work.
Re: (Score:2)
While true, there's a lot more to it than that. Just because a treaty is signed the laws aren't automatically changed, neither is the behavior of bureaucrats.
And the preceding paragraph assumed that the attacks were coming from Chinese government agents. This has hardly been proven.
Only at this point do we come to the question of "Has the US stopped attacking China?". *PERHAPS* the government has. It's opaque enough so all I can say is "I don't believe it has.". But it's quite clear that no real action
Re: (Score:2)
There wasn't a treaty. It was just a joint statement. Reportedly, the US was starting to threaten the public discussion of sanctions, and China hastily came up with the idea of voluntarily agreeing to terms regarding what is and isn't legal espionage.
China would be making announcements if they had intelligence regarding US attacks. It would benefit them very much to have something solid, a named event, in the discussion. The reality is though that the US methods are very different. The US government doesn't
Re: (Score:2)
You are, of course, correct about it not being a treaty. In fact I suspect that it was entirely a PR move, and no change in action is contemplated by either side. This is the more likely as there's no accurate way of telling where a cyberattack is coming from.
Ooooh ... promises ... (Score:2)
Well, if they promised, then it should have stopped by now, right?
I mean, after all, they promised, and everybody knows that's binding.
Or, alternatively, the shit nations tell one another is pretty much meaningless lip service, and China doesn't give a crap what anybody else thinks.
Re: (Score:2)
While true, that ignores the fact that "On the internet, nobody knows you're a dog." You can't tell *where* the attacks you notice are coming from, unless they are so incompetent that you can presume they didn't forge headers, use indirection, etc.
Re: (Score:2)
MACs can also be changed, though admittedly it's uncommon.
When they start shutting down botnets quickly, then I'll believe that there are reasonably accurate ways to trace an attack.
Re: (Score:2)
It's going back to the walk-in vault of past decades.
Why has all the secure information been open-networked in the USA?
The best designers enjoy life in some culturally enriched leafy suburbs and cities. The production lines are in other s
Just who is "China"? (Score:2)
It's not hard to imagine that there are disagreements and rogue elements within China, even within China's government. There certainly are contradicting practices and policies within the United States! Out of one side of our mouth, we say "torture is horrible and should be banned," while out of the other, we refuse to agree to the Geneva conventions on torture. Why wouldn't we expect China to have similar in-fighting and disagreements? To what extent is this hacking endorsed by their government?
Next up (Score:2)
XP et al (Score:2)
In other news ... (Score:1)
Water is wet.
China? Are that you sure? (Score:1)
Quick show of hands. How many people are using a VPN from a different country so they can access Netflix overseas? Uh huh.
If Netflix can't determine the country of origin of a bunch of brainless media consumers, why is everyone so ready to believe that professional hackers can't hide their point of origin and pin it on China? Seems like that would be a no-brainer for anyone wanting to cover their tracks.
Or maybe it's just a bunch of Chinese script kiddies having fun with no government involvement at all.
Shame them (Score:5, Interesting)
The Chinese government would hate nothing more than being publicly accused of not having iron control, to the point of possibly even shutting the hacking down for real.
truth (Score:1)
Re: (Score:2)
Do you mean like a Nigerian Prince that needs your help and your bank account information?
Two Words (Score:1)
Your asking stupid to protect stupid (Score:1)
The government can't protect us or itself from security threats from China by agreement. Only a bunch of incompetent 'security experts' would even suggest it. These people are playing games trying to be important when they know little to nothing about real security. The only way we can even begin to secure our systems is by reducing the bloat to something manageable for which we can actually audit (and I don't mean the type of audit that was done on Truecrypt - but a real audit) and designing better KISS har
Insert free advert for CrowdStrike Falcon (Score:2)
How is this CrowdStrike Falcon immune from hack attacks?
Why aren't these 'Chinese' hackers bouncing their attacks off servers in another country?
This 'Chinese' hacker bogeyman is becoming tedious.
Most people here don't get their tech info from watching CSI: Cyber.
I wonder if US is targeting Chinese firms? (Score:2)
Did you expect anything different? (Score:3)
Obama is a hopeless wimp and a god-awful "negotiator," and we've no more reason to suppose China will live up to bargains with him than Russia or Iran will. They are laughing their asses off at this putz. Spare us the bewildered tone of surprise, this is exactly what we all wanted when we elected this idiot.
Look out! (Score:2)
I'm sure our president will take prompt, strong, effective action based on his long string of foreign-policy successes.