Information Security News mailing list archives

Feds: Chinese Hack Attacks Likely


From: InfoSec News <isn () c4i org>
Date: Tue, 1 Apr 2003 03:46:11 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A60363-2003Mar31.html

By Brian Krebs
washingtonpost.com Staff Writer
Monday, March 31, 2003

Chinese hacker groups are planning attacks on U.S.- and U.K.-based Web 
sites to protest the war in Iraq, the Department of Homeland Security 
warned in an alert that it unintentionally posted on a government Web 
site today. 

The hackers are planning "distributed denial-of-service" attacks, 
which render Web sites and networks unusable by flooding them with 
massive amounts of traffic. They also are planning to deface selected 
Web sites, according to the alert, though the government said it did 
not know when the attacks would occur. 

The Homeland Security Department said it got the information by 
monitoring an online meeting that the hackers held last weekend to 
coordinate the attacks. 

The department sent the alert to government and industry officials 
over the weekend, but accidentally posted the link this morning on the 
homepage of the National Infrastructure Protection Center (NIPC). The 
alert was pulled early this afternoon. 

Homeland Security Department spokesman David Wray said the information 
was not supposed to be released to the public. "This was an 
inadvertent release and the information -- while not classified -- is 
sensitive," he said. 

The disclosure was an embarrassment for NIPC, which has tried to win 
the trust of private sector companies that share information about 
cyber attacks and vulnerabilities, said Fred Cohen, a security 
researcher and former principal member of the technical staff at 
Sandia National Laboratories. 

"When these groups see this alert, they'll potentially be able to see 
ways that they're being monitored and avoid those forums in the 
future," said Cohen, a pioneer in computer virus defense techniques. 
"All this from an agency that is supposed to be trusted to keep this 
level of information appropriately confidential." 

The messages cited in the NIPC alert were posted on several hacker Web 
sites thought to be affiliated with the "Honker Union of China," a 
cadre of Chinese hackers that launched an assault against dozens of 
U.S. government Web sites in May 2001, after the collision of a 
Chinese fighter jet and a U.S. surveillance plane on April 1, 2001. 
"Honker" is Chinese slang for "hacker." 

The group at that time claimed responsibility for defacements at the 
National Institutes of Health, the U.S. Navy, the California 
Department of Energy, the U.S. Department of Labor and other 
government and business Web sites. 

One Internet security expert said the April 1 anniversary cannot be 
overlooked. 

"Anniversaries are very important to Chinese hackers, and if they're 
planning on something in protest of the war in Iraq and to coincide 
with the anniversary of the April 1 collision, I think we can expect 
to see something fairly soon," said Jim Melnick, director of threat 
intelligence for iDefense, an Internet security firm based in Reston, 
Va. 

Melnick said the Honker group was rumored to be one of the top suspects 
behind the "Slammer" worm, a fast-moving Internet virus that spread to 
hundreds of thousands of servers almost instantaneously in January. 

"The exploit code for Slammer was very similar to code they had posted 
on a Web site earlier, but no one was ever able to verify the two were 
related," he said. 

The Homeland Security Department's warning comes amid a flurry of 
antiwar hacking activity. Approximately 10,000 Web sites have been 
marred with digital graffiti by protesters and supporters of the U.S.-led 
war in Iraq, according to F-Secure, a Finnish Internet security firm. 


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


