Enemies at The Firewall
By Simon Elegant/Beijing
Tan Dailin lets out an audible gasp when he is told that he was identified in the U.S. as someone who may have been responsible for recent security breaches at the Pentagon. "Will the FBI send special agents out to arrest me?" he asks. Much as they might want to talk with him, though, FBI agents don't have jurisdiction in Chengdu, the capital of China's Sichuan province, where Tan lives. And given that he has been lauded in China's official press for his triumphs in military-sponsored hacking competitions, Tan is unlikely to have problems with local law enforcement. But Tan and his seven companions, who make up the self-proclaimed Network Crack Program Hacker (NCPH) group, are taking no chances. A couple of weeks after they spoke to TIME, they shuttered the group's website, on which they used to proudly post specially designed hacking programs that could be downloaded for free. Visitors now find only a notice that the page is being redesigned.
Tan and his fellow hackers may be lying low for now. But the controversy over the activities of hundreds of Chinese like them will only continue to grow. Though the evidence remains mostly circumstantial, a picture is emerging of a coordinated effort by Chinese-military authorities to recruit hackers such as Tan and his group to winkle out information from computer systems outside China and launch cyberattacks in future conflicts.
China has long regarded cyberwarfare as a critical component of asymmetrical warfare in any future conflict with the U.S. From China's perspective, it makes sense to use any means possible to counter America's huge technological advantage. A current wave of hacking attacks seems to be aimed mainly at collecting information and probing defenses, but in a real cyberwar, a successful attack would target computer-dependent infrastructure, such as banking and power generation. "Can one nation deliver a crippling blow to another through cyberspace?" asks American Sami Saydjari, head of the private computer-security group Cyber Defense Agency and former president of Professionals for Cyber Defense. "The answer is a definite yes. The Chinese know we are much more dependent on technology, and the more you depend on it, the more vulnerable you are."
Hacking attacks from the Middle Kingdom aren't new. In 1999, after U.S. planes bombed Beijing's embassy in Belgrade, and again in 2001, when a Chinese fighter crashed after a collision with a U.S. surveillance plane, Chinese hackers conducted cyberbattles with their U.S. counterparts. For several years beginning in 2003, U.S. government servers were subjected to a coordinated series of hacker attacks, code-named Titan Rain, which officials said had originated in China.
The scale and sophistication of the activities apparently conducted by Tan and his group--and their alleged ties to the People's Liberation Army (PLA)--are an insight into China's effort to establish a corps of civilian cyberwarriors. A recent series of intrusions into the systems of Western governments and major corporations was blamed on China (though none of the intrusions have been specifically tied to Tan and his group). This month British media reported that the country's top antiespionage official had sent a letter to 300 major corporations warning that they faced attacks from "Chinese state organizations." In May computers in the office of German Chancellor Angela Merkel were compromised by programs that had originated in China. In June U.S. military officials said an attack from China had penetrated a computer system at the Pentagon--though nonclassified, it included a server used by the office of Defense Secretary Robert Gates. Beijing denies that it is behind hacker attacks. Jiang Yu, a spokesman for China's Foreign Ministry, described such reports as "wild accusations" and said they reflected a "cold war mentality."
Outside China, however, the worries continue. "Recent events have made Western governments very nervous that this is just the tip of the iceberg," says Saydjari. "[The Chinese] have launched the equivalent of a Sputnik in cyberspace, and the U.S. and other countries are scrambling to catch up."
Meet the Geek Brigade
Gathered around the table at a restaurant in Chengdu on a recent evening, Tan, a.k.a. Withered Rose, and seven other members of the NCPH workshop don't look as though they could bring the U.S. economy to a halt. All in their early 20s, rail thin and with the prison pallor acquired from long nights spent hunched over monitors, they look like what they are: a bunch of nerds. They refuse to give their real names, referring to one another by nicknames--Blacksmith, Firestarter, Fisherman, Floorsweeper, Chef, Plumber, Pharmacist. All vehemently deny having anything to do with attacks on U.S. government systems. "Messing with the U.S. Department of Defense is no small thing," says Floorsweeper. "We read about arrested terrorists, about GuantĂˇnamo. Who gets away with messing with the U.S. government?"
O.K., so what does the NCPH, which Tan founded in 2004 when he was a student at Sichuan University of Science and Engineering, actually do? The answer starts out vague, but eventually pride gets the better of the young men. They acknowledge that the group first got its reputation by hacking 40% of the hacker associations' websites in China. That was during their "young and hotheaded college days," as Fisherman puts it. The NCPH is also famous for the remote-network-control programs they wrote and offered for download. These programs, which allow hackers to take over other computers, are exactly the kind that were used to obtain documents, spreadsheets and other materials from U.S. government offices in the most recent attacks.
But according to two detailed studies by iDefense, a branch of VeriSign, an Internet-security company based in Mountain View, Calif., the NCPH created 35 programs that took advantage of vulnerabilities in Microsoft Office to implant so-called Trojans--programs that take partial control of an infected computer and can be used to send documents, spreadsheets and other files over the Internet. The two iDefense reports say that beginning in May 2006, the Chengdu group "launched a barrage of attacks against multiple U.S. government agencies ... The result of all of this activity is that the NCPH group siphoned thousands--if not millions--of unclassified U.S. government documents back to China." Citing evidence of Tan's close ties to the military and other Chinese hackers' organizations that have been suspected of acting on behalf of the military, the reports conclude that Tan and the NCPH were almost certainly acting on behalf of and funded by the Chinese armed forces. "Most likely," the reports suggest, "hundreds of these groups exist in China." Tan declined to comment on the studies.
In response to questions from TIME, a faxed letter from China's State Council Information Office said accusations that the PLA was involved in hacker attacks against overseas targets were "groundless, irresponsible and also have ulterior motives." The Chinese police, the letter said, had received no requests from overseas governments asking for investigations of Chinese attacks on their websites. But reports in Chinese newspapers suggest that the establishment of a cybermilitia is well under way. In recent years, for example, the military has engaged in nationwide recruiting campaigns to try to discover the nation's most talented hackers. The campaigns are conducted through competitions that feature large cash prizes, with the PLA advertising the challenges in local newspapers.
Tan is a successful graduate of this system. He earned $4,000 in prize money from hacker competitions, enough to make him worthy of a glowing profile in Sichuan University's campus newspaper. Tan told the paper that he was at his happiest "when he succeeds in gaining control of a server" and described a highly organized selection and training process that aspiring cybermilitiamen (no cyberwomen, apparently) undertake. The story details the links between the hackers and the military. "On July 25, 2005," it said, "Sichuan Military Command Communication Department located [Tan] through personal information published online and instructed him to participate in the network attack/defense training organized by the provincial military command, in preparation for the coming Chengdu Military Command Network Attack/Defense Competition in September." (The State Council Information Office didn't respond to questions about Tan, and China's Foreign Ministry denies knowing about him.)
With the help of experts from Sichuan University, the story continued, Tan's team won the competition and then had a month of intense training organized by the provincial military command, simulating attacks, designing hacking tools and drafting network-infiltration strategies. Tan was then chosen to represent the Sichuan Military Command in competition with other provinces. His team won again, after which, the iDefense reports say, he founded the NCPH and acquired an unidentified benefactor ("most likely the PLA") to subsidize the group's activities to the tune of $271 a month.
It's not what you would expect from a bunch of guys drinking beer (lots of it) in the back room of a hotpot restaurant in Chengdu. Suggest that they might hack for cash, and the NCPH crew is outraged. "The real hackers are not doing it for a name or money," says Fisherman, who sports a small diamond-stud earring. "The real hackers keep their heads down, finding network loopholes, write killer programs and live off social security."
Spoken like some grungy geek from Seattle. Except that in China, apparently, the definition of social security might include a stipend from the army.
With reporting by Lin Yang/Chengdu
* Find this article at:
Copyright � 2007 Time Inc.