Chinese military hacking caught on video? Not so fast

Take it from a security instructor: The Chinese military's instructional video may show training, not hacking

For almost a decade, at least since the days of Titan Rain, we've heard claims that the Chinese government is involved in hacking the United States and other nation states, launching centralized, coordinated government- or military-led attacks. Although I've read lots of articles heavy with innuendo and a few direct claims of evidence, I've yet, personally, to see any real evidence. And I've been looking for years.

Now, there is certainly plenty of hacking coming from China, but I'm not convinced it's a large-scale, staged effort directed by the government or the military. What seems like a coordinated, centralized attack could be the natural outcome of the world's largest population coming into the computer age -- the result of a large number of unrelated campaigns from private people and companies. After all, the United States has been the world's largest producer of spam and malware for nearly two decades, and we don't blame the government or military for that.

The latest Chinese hacking smoking gun is a short military documentary video ("Military Technology: Internet Storm Is Coming") purporting to be evidence of the Chinese military training its citizens to attack and misuse specific private entities. At first blush, it looks quite damning. There appears to be a Chinese military computer using a homegrown tool to attack private targets in China and abroad. The happy accident of finding this "evidence" within a larger video has led viewers to give it more credence than they should.

The reason I don't see this video as proof of anything is that I've been that hacker/instructor. Years ago I worked for Foundstone as a hacking instructor and penetration tester, one of the most enjoyable and educational jobs of my career. I frequently taught advanced hacking to government and military clients, both foreign and domestic.

All the good instructors, if they really wanted to impress the students, would show an unobtrusive potential hack against a live target on the Internet. We'd demonstrate a particular technique against an intranet target, then prove how it was "real world" relevant against external targets. We didn't hack anyone, but we'd lay out how the technique would work. For example, we did nslookup dumps against Microsoft's DNS servers, until Microsoft closed that hole with the release of Windows Server 2003. (Note: I am a full-time employee of Microsoft.)

Other common examples were cross-site scripting, SQL injection, and code replacement. As instructors, we were told never to hack anything outside the classroom. We agreed, and we always taught our students the same. But it was hard not to introduce a cool technique or tool that could be successful against a particular public target. We knowingly pushed the edge. For instance, we'd often show students how we could change the price of a product on a popular online store from $500 to $5. Examples like these were the difference between a high instructor satisfaction score and the highest.

The urge to push the edge was especially strong early on. As boundaries of ethical hacking became clearer, Foundstone, the corporate entity, and the instructors stayed more and more within the private intranet. Even then, you always had the rogue guest instructor, who'd flout the boundary, get in trouble, and either never do it again or get fired.

Is the "Internet Storm" video evidence of the Chinese military attacking private targets or a rogue penetration testing vendor? In a court of law, this video wouldn't even meet the level of evidence to be called hearsay. I'm more convinced by other evidentiary documents like "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" [PDF] and Richard Clarke's "China's Cyberassault on America." When Richard Clarke, a national security advisor to three presidents, writes that senior U.S. officials know that the government of China is systematically attacking the computer networks of the U.S. government and American corporations, I'm inclined to believe the federal government has hard evidence. Then again, we were also told -- by U.S. officials I trusted, speaking in international forums -- that we had proof of Iraq's weapons of mass destruction and yellow cake uranium.

Before I convict the Chinese government of systematic hacking, I want to see the hard evidence. The "Internet Storm" video isn't it.

This article, "Chinese military hacking caught on video? Not so fast," was originally published at


Copyright © 2011 IDG Communications, Inc.