Chinese whispers: the year of the rat

Warnings from MI5 of ongoing Internet-based attacks from Chinese state organisations come as the Government is tightening the belt on the investigation of cyber crime.

According to the Chinese Zodiac, 2008 is the year of the rat; which is apt if we are to believe the Director General of MI5. Jonathan Evans recently addressed a confidential letter to some 300 CEOs and senior executives at banks, legal firms and accountancy companies warning them of ongoing Internet-based attacks from Chinese state organisations.

The Centre for the Protection of the National Infrastructure (CPNI), a Government authority that provides security advice to reduce the vulnerability of national infrastructure organisations to terrorism and other threats, posted a summary of the letter on its website. Although access is restricted to those key national infrastructure bodies, extracts have been leaked to the press. Unfortunately, these do not appear to stretch to the list of known Chinese Trojan signatures and attack launch domains which I understand also formed part of the MI5 correspondence.

The CPNI summary did, however, reveal that the letter highlights MI5 concerns about possible damage to UK business resulting from what it calls "electronic attack sponsored by Chinese state organisations" and warns these are "designed to defeat best practice IT security systems." According to a report in The Times, the letter goes on to warn that British companies doing business in China are targeted by the Chinese Army which uses the Internet to steal confidential commercial information. This represents an unprecedented alert, and in effect means that the UK Government is openly accusing the Chinese of state-sponsored computer espionage aimed at the heart of the economy.

McAfee is also warning that China poses a major threat as far as cyber espionage is concerned, with primary targets being national infrastructure systems. The Virtual Criminology Report highlights the network systems responsible for air traffic control, electricity supply and financial markets being the main targets along with Government systems. The report drew upon the expertise of the likes of Oxford University's Dr. Ian Brown and Professor Lillian Edwards from the University of Southampton who consulted with security specialists within the FBI, NATO and SOCA in order to avoid accusations of vendor bias.

A key finding was that "many cyber attacks originate from China", and the report warns that these are often "designed to specifically slip under the radar of government cyber defences." According to Dr Brown, code that can be traced back to China has already been identified as responsible for attempts to crack passwords within Whitehall, as well as for probing for weak spots within national IT infrastructure sites. And Jeff Green, senior vice president of McAfee Avert Labs, warns that cybercrime is now a global issue with technology being only part of the solution. "Over the next five years we will start to see international governments take action," he said, adding that cybercrime has "evolved significantly and is no longer just a threat to industry and individuals but increasingly to national security."

Researchers at security vendor Finjan's Malicious Code Research Centre have also been following the Chinese threat with some interest, in particular how Trojans carrying data theft payloads are distributed from within China. Although the attackers applied a variety of zero-day exploits, obfuscated code and a complex network of websites to bypass detection, Finjan was nonetheless able to trace one centralised focus of activity back to a website belonging to a Chinese governmental office.

A US military report, The Military Power of the People's Republic of China 2007, claims that the People's Liberation Army look to information blockades as a method of control that extends beyond the military realm and includes "other elements of state power." Indeed, the November 2006 edition of the PLA's own Liberation Army Daily talks about getting "the upper hand of the enemy" using "various means to obtain information and of ensuring the effective circulation of information" in order to form a combined fighting strength and goes on to mention the need to apply "effective means to weaken the enemy side's information superiority and lower the operational efficiency of enemy information equipment."

However, the Chinese Foreign Minister, Yang Jiechi, speaking at a London press conference with Foreign Secretary David Miliband in December denied that China is involved in any form of cyber-espionage and insisted that "hacking attacks are prohibited by law."

Perhaps the most worrying thing is that while China might be getting all the attention as the most prolific of the cyber-spies, it is certainly not alone. The McAfee report identifies 120 other countries which are using the same kind of techniques to indulge in cyber-espionage. Banking, education and government networks were brought down in Estonia last year during a Denial of Service attack the size of which had never been seen before. It is believed to have originated in Russia, and security analysts agree that, as the attack was halted at source rather than stopped externally, it was likely just a test to see if the technology was working.

NATO has gone on record to admit that every one of its 26 member countries has been targeted by cyber-attack, and it has 10 agencies working to protect against future threats. The US has the Air Force Information Warfare Center to fight the cyber-war, which is not surprising when you realise that US government and private systems were attacked 37,000 times last year alone - and that's just the known breach attempts. In the UK, despite the concerns of MI5, it would seem that computer-based threats are being taken less seriously, considering that the National Hi-Tech Crime Unit has been merged with the Serious Organised Crime Agency in what many see as a money saving exercise. Not only is there now no longer any specific funding for the investigation of computer crime, but in the eyes of the law such crimes are not even defined as 'serious.'