The Chinese Government and PLA’s Use of Information Warfare

Sunday, March 04, 2012

Article by William Hagestad II

With increasing frequency, news of cyber-attacks by the People’s Republic of China (PRC) intrudes on our daily consciousness in the form of newspaper articles, magazine exposés and even loose attribution by official government sources within many western nations.

However, since 1995 no cyber-attack has been attributed to China with direct, 100% proof-positive evidence that it originated within or from the PRC.

This Capstone seeks to define which organizations within the PRC may have the motive, means and opportunity to carry out cyber-based hacking attacks against non-Chinese nation states.

Note: For this paper, the term cyber warfare is defined as the calculated use of both offensive and defensive computer network attacks (CNA) and computer network exploits (CNE) to take advantage of computer network vulnerabilities (CNV) at the geo-political level, nation against nation, fighting in what is now defined as the 5th dimension, cyber space. A military doctrine that includes the use of net-centric warfare (NCW), including but not limited to CNA and CNE as part of computer network operations (CNO), is called information warfare (IW).

Conclusions of the research and accompanying analysis indicate that there is a direct and quantifiable historical linkage between the People’s Republic of China and cyber warfare. This linkage is divided into three sectors of a nation-state information warfare initiative; the three separate and distinct actors are the Communist Party of China (CPC), the People’s Liberation Army (PLA) and commercial corporate entities.

Given current events in the U.S. Department of Defense’s (DoD) 5th domain of warfare, cyber and information warfare, the conclusion can be drawn that there are indeed clear and present dangers emanating from cyber-space, whether the actor is an individual acting alone, a non-governmental organization (NGO), a military or even a government-sponsored cyber initiative.

However, at some point the research must conclude, and a response from the U.S. is imminent. It is fair to say that there is a true danger from the People’s Republic of China from a cyber-warfare perspective. The China cyber threat is omnipresent and is manifested by official Communist Party of China (CPC) edicts, the People’s Liberation Army, commercial enterprise espionage and civilian hacktivists.

Pierluigi Paganini Excellent analysis ... my compliments!
J. Oquendo Bill, I started reading your paper but stopped at "Enemies at the Firewall" (pg 21). Just so you know, Kylin OS is nothing like SELinux; in fact, it is nothing more than BSD. There is nothing uber to notice and I have a copy if you'd like it. It's akin to saying "Metasploit is used by..." It's used by whom? Anyone doing pentesting. An operating system does nothing unless you tell it to, so unless there is a Kylin variant with uber tools on it, might as well just say: "they used FreeBSD therefore..." It's completely irrelevant. The use of an operating system does not constitute someone's capabilities. For example, I improvise on the fly and there are times when I will use a lowly Windows 2000 machine when performing red-teaming. If you saw this, would I be labeled "inexperienced"? By the same token, I use a combination of Win7 and OpenBSD; does this make me threatening?

Secondly, the heat map (page 18) does nothing but provide eye candy. The reality is, and I have pointed it out time and time again, from my location in the US, I can fire up attacks on your firewall and have you believe they were coming from anywhere in China.

Thirdly, you cross-reference a lot of writings from companies which I tend to feel are biased and tainted. These security companies (McAfee, Symantec) all have a vested interest in selling a product. Their information will be extremely skewed.

Finally, you mention "Facebook Hijacking" on page 40. If you were/are talking about the BGP incident, this was accidental and occurred for a few minutes. HUNDREDS of people who monitor, design and maintain the world's connections were well aware of what occurred and how it happened, and it was resolved quickly. These things (accidents in networking), believe it or not, happen more frequently than many people notice. The fact that it was China made it appealing to people to write something "sexy."

In the end, I appreciate the work you've done on the paper and look forward to the book, however, not everything is as it appears, especially for those not involved "in the trenches." It is saddening to see things being written and distorted and right now (cyber-warfare-rhetoric-rising) is the time to get it right before we run around looking for more cyber-yellow-cake.


Respectfully

J.

[1] http://www.gossamer-threads.com/lists/nanog/users/125400
[2] http://www.merit.edu/mail.archives/nanog/msg07825.html
J. Oquendo Just a follow-up in case you want to re-reference what REALLY occurred:

http://bgpmon.net/blog/?p=282

"Although it seems they have leaked a whole table, only about 10% of these prefixes propagated outside of the Chinese network. These include prefixes for popular websites such as dell.com, cnn.com, www.amazon.de, www.rapidshare.com and www.geocities.jp.
A large number of networks impacted this morning were actually Chinese networks. These include some popular Chinese website such as www.joy.cn , www.pconline.com.cn , www.huanqiu.com, www.tianya.cn and www.chinaz.com
A list of all prefixes that were announced/hijacked can be found here"

In order to truly understand what occurred you need exposure and experience in configuring routers and BGP. These things happen and everyone was watching carefully what was happening. Based on the addresses that were hijacked, this was likely a fat-finger on an engineer's part.

Also noteworthy is that ROUTES were redirected. To make an impact and actually USE ANY of the information, huge network sniffers would have needed to be in place with falsified, signed and/or stolen certs to get by SSL.

Even if this DID occur, do you have any idea of the massive amount of STORAGE necessary to pull this off? We're talking building a sniffer at OC768 speeds with enough storage (petabytes, perhaps) to capture traffic.

Now that you have captured 15 minutes' worth of traffic and have filled perhaps 500+ terabytes, good luck processing that information. It would be so costly to do something so monumental solely to affect Facebook and/or any other company.
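To make concrete what the BGPmon quote above means by prefixes that were "announced/hijacked" and by only a fraction of them propagating outside the leaking network, here is an added example that is not part of the original post, of the paper, or of BGPmon's own tooling: an origin-validation pass over a constructed stream of BGP announcements, the same kind of check a route monitor runs against ROA or IRR data. Everything in it is made up for illustration: the expected-origin table, the prefixes (RFC 5737 documentation ranges), the ASNs (RFC 5398 documentation ASNs, with AS64500 cast as the leaking network), and the announcement list.

```python
"""Origin validation over a constructed BGP UPDATE stream (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed "expected origin" table, the kind of data a ROA set or IRR
# route objects supply. RFC 5737 documentation prefixes and RFC 5398
# documentation ASNs; none of this is real routing data.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
    "203.0.113.0/24": {64498, 64499},   # legitimately multi-homed
}


@dataclass(frozen=True)
class Announcement:
    """One BGP UPDATE as a route collector would record it."""
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour that sent it, rightmost = origin AS
    outside_leaker: bool       # seen by a collector outside the leaking network?

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def covering_entry(prefix: str, expected: Dict[str, Set[int]]) -> Optional[Tuple[str, Set[int]]]:
    """Return the most specific expected prefix that covers `prefix`, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    best_len, best = -1, None
    for p, asns in expected.items():
        cov = ipaddress.ip_network(p, strict=False)
        if cov.version == net.version and net.subnet_of(cov) and cov.prefixlen > best_len:
            best_len, best = cov.prefixlen, (p, asns)
    return best


def classify(ann: Announcement, expected: Dict[str, Set[int]] = EXPECTED_ORIGINS) -> str:
    """Verdict for one announcement: valid, origin-mismatch, more-specific or unknown."""
    entry = covering_entry(ann.prefix, expected)
    if entry is None:
        return "unknown"            # nothing on file to compare against
    cov_prefix, asns = entry
    if ann.origin not in asns:
        return "origin-mismatch"    # the classic leak / hijack signature
    if cov_prefix != ann.prefix:
        return "more-specific"      # right origin, but a sub-prefix that wins longest-match
    return "valid"


def summarize(anns: Iterable[Announcement], expected: Dict[str, Set[int]] = EXPECTED_ORIGINS) -> Dict[str, object]:
    """Count verdicts and measure how far the mis-originated routes actually travelled."""
    anns = list(anns)
    verdicts = Counter(classify(a, expected) for a in anns)
    bad = [a for a in anns if classify(a, expected) == "origin-mismatch"]
    propagated = sum(1 for a in bad if a.outside_leaker)
    return {
        "verdicts": dict(verdicts),
        "mismatched": len(bad),
        "propagated_outside": propagated,
        "propagation_ratio": (propagated / len(bad)) if bad else 0.0,
    }


# Constructed UPDATE stream; AS64500 plays the leaking network.
SAMPLE_UPDATES = [
    Announcement("192.0.2.0/24",     (64510, 64496), True),   # legitimate
    Announcement("203.0.113.0/24",   (64510, 64499), True),   # legitimate, second allowed origin
    Announcement("198.51.100.0/24",  (64510, 64500), True),   # leaked, and it escaped AS64500
    Announcement("198.51.100.0/24",  (64500,),       False),  # same leak, seen only inside AS64500
    Announcement("192.0.2.0/24",     (64500,),       False),  # leak that never propagated
    Announcement("203.0.113.128/25", (64510, 64498), True),   # sub-prefix from a legitimate origin
    Announcement("198.18.0.0/15",    (64510, 64500), True),   # no expected entry at all
]

if __name__ == "__main__":
    for a in SAMPLE_UPDATES:
        print(f"{a.prefix:18} path={a.as_path} -> {classify(a)}")
    print(summarize(SAMPLE_UPDATES))
```

The `propagation_ratio` is the figure the quoted post is getting at: a route leak is counted per prefix per vantage point, so a leak that only ever circulates inside the leaking AS scores as zero impact, and even a "whole table" leak can touch a small fraction of the Internet once neighbours' prefix filters and shorter legitimate paths are taken into account.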