9 December 2014

The Boys From Nanjing: The Return of Those Irritating Chinese Cyber Spies

December 7, 2014

Seems appropriate that I post this on the anniversary of the Japanese sneak attack on Pearl Harbor.

For the past two weeks, my computer has been under frequent attack by Chinese cyber spies operating from the city of Nanjing. The silly buggers even tried to penetrate my computer as soon as I logged on this morning. They were waiting for me to wake up and go to work!

Here are the details: As I mentioned above, I have traced all the IP addresses of the Chinese cyber spooks to the city of Nanjing. Their IP addresses are:

* 222.186.21.203

* 222.186.128.50

* 222.186.128.57

These IP addresses all go to a single location and/or a single user, probably the Nanjing Military Region’s Technical Reconnaissance Bureau of the massive Chinese SIGINT organization, the Third Department. Despite the impression you get reading Glenn Greenwald’s materials, the Russians and Chinese do exactly the same thing as NSA and GCHQ, but not with the same panache or sense of covertness as their American or British counterparts.

Regardless of which IP address the attack comes from, the Chinese cyber trolls either try to insert the NETSPY Trojan Horse or the PROZJACK Trojan Horse malware systems, both of which are very old and probably originated in China. They also use the same operating characteristics and operate on the same time schedule - yes even the Chinese cyber spies operate on rotating shifts and take time off for lunch and dinner.
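The post says the attacks come from three addresses that share a location and arrive on a shift-like schedule. The script below is an added example, not code from the original post: it tallies inbound connection attempts from the three listed addresses by source and by hour of day, and checks that all three sit in one /16 allocation. The log lines and their format (ISO timestamp, src=, dport=, action=) are constructed for illustration and are not the author's captures.

```python
"""
Added example (not from the original post): tally inbound connection
attempts from the three Nanjing addresses listed above, grouped by
source address and by hour of day, to check the claimed shift pattern.
The log lines and their format are constructed for illustration.
"""
from collections import Counter
from datetime import datetime
import ipaddress

# The three addresses named in the post.
NANJING_IPS = {
    "222.186.21.203",
    "222.186.128.50",
    "222.186.128.57",
}

# Constructed sample firewall log (not real captures); format is assumed.
SAMPLE_LOG = """\
2014-12-07T08:02:11 src=222.186.21.203 dport=445 action=DROP
2014-12-07T08:05:40 src=222.186.21.203 dport=135 action=DROP
2014-12-07T09:17:03 src=222.186.128.50 dport=445 action=DROP
2014-12-07T12:30:55 src=8.8.8.8 dport=53 action=ACCEPT
2014-12-07T14:41:19 src=222.186.128.57 dport=3389 action=DROP
2014-12-07T14:42:02 src=222.186.128.57 dport=445 action=DROP
2014-12-07T20:10:48 src=222.186.128.50 dport=445 action=DROP
2014-12-07T23:59:59 src=192.168.1.10 dport=22 action=ACCEPT
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(fields["src"])
            dport = int(fields["dport"])
        except (ValueError, KeyError, IndexError):
            continue
        yield ts, str(src), dport


def attempts_by_source(text, watchlist=NANJING_IPS):
    """Count connection attempts per watch-listed source address."""
    return Counter(src for _, src, _ in parse_log(text) if src in watchlist)


def attempts_by_hour(text, watchlist=NANJING_IPS):
    """Hour-of-day histogram (in the log's own timezone) for watch-listed sources."""
    return Counter(ts.hour for ts, src, _ in parse_log(text) if src in watchlist)


def same_prefix(ips, prefix="222.186.0.0/16"):
    """True if every address falls inside the given network (the 'single allocation' check)."""
    net = ipaddress.ip_network(prefix)
    return all(ipaddress.ip_address(ip) in net for ip in ips)


if __name__ == "__main__":
    print("per source:", dict(attempts_by_source(SAMPLE_LOG)))
    print("per hour:  ", dict(sorted(attempts_by_hour(SAMPLE_LOG).items())))
    print("all in 222.186.0.0/16:", same_prefix(NANJING_IPS))
```

Run over a real log, the hour histogram is what would show (or fail to show) the lunch and dinner gaps the post describes; the timezone of the log, not Nanjing local time, is what the buckets are in, so shift the hours before reading them. The prefix check only shows that the three addresses sit in one allocation, which is the fact the post relies on; it says nothing by itself about who is behind them.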

During the same two-week timeframe, my email inbox has been deluged with forged notices from my Internet Service Provider asking me to confirm my password so that they could ‘upgrade my service’, or informing me that my account was going to be closed if I did not provide them with my login and password information.

The only problem was that the notices were so poorly done (my 11-year-old niece has better graphic arts skills) and the grammar and syntax were so incredibly bad that they have proven to be a source of never-ending amusement for friends and family.

Remember that the Chinese cyber spies, although relatively well educated by Chinese standards, have never been outside of China in their lives (and probably never will be allowed to leave China), and everything they know about us comes from (you guessed it) what they can dredge off the internet.

The ‘Boys from Nanjing’ are also clearly operating on a quota system, i.e. they have to hit so many foreign websites a day in order to fill their quota. It explains why they don’t care whether you can trace the attacks back to Nanjing or not. As long as they can check their tasking list and say ‘I hit everything’, they can end their shift and go back to their barracks.

It is a huge weakness and makes Chinese SIGINT spear-phishing very easy to spot and combat.
