The Snooping Dragon

March 29th, 2009 at 21:44 UTC by Ross Anderson

There’s been much interest today in a report that Shishir Nagaraja and I wrote on Chinese surveillance of the Tibetan movement. In September last year, Shishir spent some time cleaning out Chinese malware from the computers of the Dalai Lama’s private office in Dharamsala, and what we learned was somewhat disturbing.

Later, colleagues from the University of Toronto followed through by hacking into one of the control servers Shishir identified (something we couldn’t do here because of the Computer Misuse Act); their report relates how the attackers had controlled malware on hundreds of other PCs, many in government agencies of countries such as India, Vietnam and the Philippines, but also in US firms such as AP and Deloitte.

The story broke today in the New York Times; see also coverage in the Telegraph, the BBC, CNN, the Times of India, AP, InfoWorld, Wired and the Wall Street Journal.

Entry filed under: Academic papers, Internet censorship, News coverage, Politics, Security economics

9 comments

  • 1. Anonymous  |  April 1st, 2009 at 08:00 UTC

    I’m skeptical of these confident claims that the Chinese government has to be behind these attacks. It might be true — but it also might not be. How could we possibly know?

    Just because the attacks are coming from machines with IP addresses assigned to Chinese entities proves nothing: those machines could be controlled from anywhere.

  • 2. Ross Anderson  |  April 1st, 2009 at 09:56 UTC

    Well, Mr Hu Jintao, you’ve organised a lot of people to say that it might not have been China – that it might have been a freelancer, or even the FSB.

    I believe your guys are behind it because (1) your diplomats used the intelligence product; (2) there were multiple coordinated penetrations from areas in China associated with intelligence agencies tasked with aspects of the Tibetan movement; (3) it has long been Chinese IW doctrine to use civilian auxiliaries – see “Dragon Bytes”; (4) when the Canadians later got hold of the contents of your control server they found a pattern of compromise consistent with your strategic intel priorities.

    There’s a lot more, but that should be enough for a jury.

  • 3. anonymous  |  April 3rd, 2009 at 02:10 UTC

    Hmm. Each of your points is highly questionable.

    Point (1) could have been sourced from elsewhere than the evidence you provide in your report.
    (2) You don’t provide evidence in your report that confirms those agencies were tasked with what you say they were tasked with. No sourcing, or footnotes or anything there.
    (3) Yes, China uses auxiliaries, but that hardly proves anything, and
    (4) the Canadians issued their report independently from yours. Your evidence doesn’t cite any of their evidence.

    I think there are some serious flaws in your logic here, and lots of other people seem to agree now. Check out the latest Economist. Bad research. I gave the report a C- at best.

  • 4. Jason Levy  |  April 3rd, 2009 at 12:35 UTC

    Not sure if this is relevant, but Bruce Schneier seems to agree with the comments that are critical of this report:

    “There’s another paper, released at the same time on the same topic, from Cambridge University. It makes more pointed claims about the attackers and their origins, claims I’m not sure can be supported from the evidence.”

    http://www.schneier.com/blog/archives/2009/03/massive_chinese.html

  • 5. Ross Anderson  |  April 3rd, 2009 at 17:07 UTC

    We did cite the Canadian paper (reference 2) and they cited ours. The fact remains that China blew it by poor operational security – by using sigint for low-level tactical purposes without taking care to provide plausible deniability. I expect someone will lose their career for that. And despite all China’s news management, the geek community isn’t fooled; read for example the comments on Bruce’s blog.

  • 6. J.A. Lewis  |  April 3rd, 2009 at 20:54 UTC

    Trying to assign causality in intelligence activities is always tricky, but asking who has an interest, who benefits, and who has the capabilities can help. In this case, the Government of China has publicly declared its intent to develop cyberattack capabilities and to use intrusive surveillance measures against those it sees as a political risk. I can’t think of any other government that would care or benefit from hacking into the US Congress’s networks to steal lists of Tibetan dissidents and their supporters. We know there have been objections to China over cyber intrusions from the Governments of France, Germany, the UK and the US (made at a time when the Bush administration was not talking to foreigners, so I doubt it was collusion) and in some cases these objections came from very senior officials.

    Against this, we have the denials of the Chinese Foreign Ministry (the same people who denied China had space weapons shortly before the PLA’s anti-satellite weapons test). It’s true that an astute opponent would want to make it look like a third party was responsible, but why would any other nation steal information on Tibet? Each of these points could be expanded, but the conclusion would still be that the trail leads back to Beijing.

  • 7. Clive Robinson  |  April 10th, 2009 at 15:46 UTC

    The Chinese Government has several attributes working in its favour that most Western Governments don’t have.

    The first is the basic Chinese philosophy of the “long term view”. Their politicians are therefore not fussed or fazed by things that would bring the “world down” around a Western politician, who consequently rarely looks more than a very short way into the future.

    Chinese society is still effectively feudal in outlook and has a very strong “patronage” ethos. This means that those at the bottom take significant chances to bring favour on themselves, whilst those at the top do little or no risk taking, as that is for others to do.

    Further, the patronage system means that those at the bottom will willingly do things to “please” those above irrespective of whether those above have wished for it or not (think Henry II and Thomas Becket in 1170).

    Of course the punishment for failing to please is loss of status; worse, bringing displeasure often results in a termination of relationships in a very permanent way (think Walter Raleigh and his relationships with Elizabeth I and James I).

    So “freelancing” can have significant rewards, but the risks can be and often are the loss of status, job, liberty and life, even for senior Chinese business persons and officials (see articles on the drug regulator and adulterated milk scandals)…

    Worse, it has been reported that those being executed are being broken up for their organs to be sold for transplant etc. Supposedly this is with the consent of the prisoner, but this is very unlikely as Chinese custom requires the body to be kept whole…

    Further Chinese “organleging” appears to be becoming a “tourist attraction” with organs offered for cash directly from hospitals for as little as 30,000USD…

    Therefore I suspect that someone has not just lost their status or job but their life as well (such is the way of things with corruption and treason).

    Perhaps “Anonymous” would care to comment.

  • 8. Kate  |  June 23rd, 2009 at 04:21 UTC

    I wonder if it will ever go to court? Did they catch anyone?

  • 9. Thubten Chodzun  |  May 24th, 2010 at 08:33 UTC

    A colleague of mine was writing a book which asserted links between the Chinese Government and a prominent religious organization in the West, a group which is increasingly ingratiating itself with government departments, quangos and NGOs. About a week before your report, she wrote to the Tibetans in Dharamsala. Subsequently, address boxes indicating pages open on her computer began to appear in Chinese characters. When I inquired as to the reasons behind this, she jokingly said that it was probably the Chinese spying on her computer because of her communications with the Tibetans. A week later your report emerged. Moreover, within three days of her book being announced for pre-order copies, it had to be pulled because of legal threats from the organization over ‘content’, though they could not possibly have had a copy of the book since it was not yet published. Conclusions? (PS I don’t take acid and I don’t have a personality disorder)


