News from: World

» Topic:   China: Hackers and 0day Exploits; Prelude to attack?

» Added by:  Donnie Werner

» Date:  14.6.2006

The Department of Defense has stated in the past that it is worried about China and about dedicated intrusions into thousands of computer systems throughout national infrastructure and private sector networks. Again in 2006 it has released a report that tries to assess the PLA's mechanism and game plan.

The Chinese People's Liberation Army, DOD officials suggest, is the group responsible for this sustained assault and continued attacks.

These are not typical attacks: they differ from traditional techniques in both the method of attack and the type of information that was gathered.

Let us put aside the method of attack for a moment and look at the goal. Just like a bank robbery, the goal is not only to get the money, but to get the money and yourself out safely. A robber carrying sacks of money out of the vault is obviously easy to spot, and so are electronic transactions by traditional means, in that both require the thief to transport something.

The PLA took a different approach to the traditional means of targeting systems and capturing and transferring the data it found. Also, by targeting government subcontractors and smaller niche companies to gather information from much less monitored and secured systems, the success of these attacks was unprecedented.

Here we hypothesize two of the mechanisms that allowed them to do so with impunity:

Method of Attack: The 0day factor

0day exploits seem to be the favored choice for the majority of these successful attacks. Going back to May 2004, news was announced that the Cisco IOS source code had been purloined, and in August 2004 a new piece of malware, the MyFip.a virus, was discovered. In November 2004 the US DOD reported mass hacking from Chinese-based systems; coincidentally, Cisco's PIX source code was being offered by hackers in the same month. Forward to July 2005: Michael Lynn of ISS disclosed security flaws in Cisco routers, claiming to have stumbled upon a Chinese forum discussing and using a flaw attributed to Cisco routers (and he was promptly prevented from speaking about it). Now in 2006 researchers have discovered a 0day Microsoft Word exploit being used in very targeted attacks, and again the information gathered by these attacks is being sent to the Far East.

Info Gathering: The new malware

They designed a new type of malware that searched for documents and files of the software applications most likely to be used in the design of things, such as: Adobe PDF, Microsoft Word, AutoCAD, CirCAD circuit design files and Microsoft Database files, to name a few. Both of these techniques allowed the PLA to compromise systems and peruse data at will, as detection of these methods was not known at the time of the attacks.

Copyright © SecurityReason. All Rights Reserved.