Protecting and Dominating the Cyberspace Domain

April 8, 2008
Unpublished Remarks for Panel Discussion

Heritage Foundation

By John J. Tkacik, Jr.

Just about two hours ago, as luck would have it, I got a very timely telephone call from a very business-like young man at the Pentagon Computer Incident Response Team, known as PENT-CIRT.

At first, I had assumed that he was calling to pass on some information about Major General Lord’s presentation, but he wasted no time on pleasantries. He identified himself and his unit, and informed me that I had a malicious Trojan Horse load in an attachment to one of my e-mails. It was designed to reside in my computer workstation and backchannel any useful documents to, as he put it, “a foreign IP address.” Delink my PC workstation from the network, he instructed me, and have your network security people call me . . . he gave me his telephone number in the “B” Ring.

Let me give you some background – yesterday, I received an e-mail from a Taiwanese Army Major who had worked at the Taiwan office here in Washington, which had me, together with about 19 other US military and security personnel, on as addressees. That e-mail simply said “Taiwan CRS Report,” and it had an Acrobat .pdf attachment.

Well, funny thing, that: I had just read a report in the Taipei Times about the Congressional Research Service’s report on the Taiwan presidential election, by my good friend Kerry Dumbaugh, and so I was in the proper frame of mind to open the attachment. But, after trying twice, and only getting a bare flicker of a response, it began to dawn on me what had happened. I then e-mailed the others on the list and suggested that there might be something dodgy about the attachment, and one of the addressees helpfully e-mailed me back saying “John; Very likely a virus in the attachment. Delete it!” complete with exclamation point. I e-mailed back, immediately, with a perhaps feckless response . . . “too late!” also with exclamation point.

This morning, after the PENT-CIRT officer called, he followed up with the Symantec patch – which had just been issued today – version 100408p of April 8, 2008, revision 16. Our Cyber Security people here at The Heritage Foundation sprang into action in an instant. Within 15 minutes, I had a new computer (actually, an upgrade, so it was a net plus for me), and our security wallah tracked down the culprit. This is what is known as a “Zero-Day Vulnerability,” that is, a loophole in an extant piece of business software that can be exploited by a hacker and for which no patch exists . . . hence, the Symantec or McAfee or whatever security software you have does not catch it when it makes its debut on your system, and thereafter it simply lies dormant until it awakens occasionally to perform its mission – in our case, I suspect, to ship all our MS Word documents and all MS Outlook e-mails.
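The remarks do not say how the “Taiwan CRS Report” attachment actually did its work, only that it flickered and died when opened. As an added illustration, not part of Mr. Tkacik’s remarks and not a description of that particular file, here is the kind of static first look a network security team would take at a PDF attachment before anyone opens it: decode the hex escapes that are sometimes used to hide object names, count the names that let a document act rather than merely display, and flag the combination of an auto-run hook with active content. The two sample documents are constructed for this example; the real attachment is not on the page.

```python
import re

# Object names that give a PDF the ability to act when opened rather than
# merely display text: scripts, auto-run hooks, external launches, embedded
# payloads.  None of these belongs in a plain text report.
RISKY_KEYS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA",
)
AUTO_RUN = {"/OpenAction", "/AA"}
ACTIVE = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia", "/XFA"}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name escaping (/J#61vaScript -> /JavaScript) so a keyword
    scan cannot be dodged by hex-escaping characters inside object names."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Static first look at an attachment that claims to be a PDF.
    Returns counts of risky object names, a coarse verdict and caveats."""
    # The spec allows junk before the header, so look in the first 1 KiB.
    if b"%PDF-" not in data[:1024]:
        return {"is_pdf": False, "hits": {}, "suspicious": True,
                "notes": ["no %PDF header: the file is not a PDF at all"]}
    text = normalise_names(data)
    hits = {}
    for key in RISKY_KEYS:
        # Whole-name match: /JS must not also count /JSfoo.
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", text))
        if n:
            hits[key.decode()] = n
    notes = []
    if b"/ObjStm" in text:
        notes.append("compressed object streams present: names inside them "
                     "are invisible to this scan until the streams are inflated")
    found = set(hits)
    # A launch action is bad on its own; script or embedded content is
    # alarming when something is wired to fire it on open.
    suspicious = ("/Launch" in found) or bool(found & AUTO_RUN and found & ACTIVE)
    return {"is_pdf": True, "hits": hits, "suspicious": suspicious, "notes": notes}


# Constructed sample: a one-page document with nothing but page structure.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same page plus an /OpenAction that fires a script
# whose object name is hex-escaped to defeat a naive grep for /JavaScript.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(label, triage_pdf(doc))
```

A scan like this is a filter, not a verdict: a clean result on a document whose objects live in compressed streams means only that nothing was visible, which is why the function reports that case separately instead of staying silent.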

Evidently, the one thing we could see on the virus – a Trojan Horse – was the Internet Protocol, or IP, address that would receive the take.

It was 124.133.252.144, assigned to the Jinan Chuangheng Xin Keji Company, Ltd. at No. 77 Jingsan Road, Jinan, Shandong, China. Unfortunately, I haven’t had time to load the Chinese language package on my new workstation, so I am unable to illuminate you as to the nature of the Jinan Chuangheng New Science and Technology Company Ltd.

But this wasn’t the first time I’ve received such an e-mail, from a spoofed sender, sent out to a very precisely selected group of target addressees. I myself have been spoofed, sending e-mails to my colleagues in the Asian Studies center here at Heritage, and our network security people have been able to identify the viruses and delete them.

But I would bet large amounts of money that a good many of you in the audience have received such an e-mail, have clicked on the attachment, unsuccessfully, and have forgotten about it. . . . Well, you have a Trojan Horse in your system, and someone in the Jinan Chuangheng S&T Co. Ltd. can, if he or she wants, read all your e-mail, and anything else. Provided, I suppose, that the Chinese Ministry of State Security or the PLA believes it’s worth perusing your computer . . .
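For anyone in the audience who wants to know whether they are among those who clicked, the practical check is the one Mr. Tkacik’s security staff presumably made: look in the outbound-connection logs for the address the Trojan reports to. The example below is added here and is not part of the remarks; it runs over a constructed firewall log in an assumed comma-separated format, flags any connection to the one indicator the speech gives (124.133.252.144), and separately flags any internal host that pushed an unusual volume of data to a single external address, which catches the same behaviour even for an address nobody has listed yet. Tying the address back to the company in Jinan was a registry (WHOIS) lookup and is not reproduced here.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# The only indicator the speech gives: the address the Trojan was to report to.
# A real sweep would carry many such indicators from the incident team.
IOC_IPS = {"124.133.252.144"}

# Constructed sample of an outbound-connection log; not real traffic.
# Assumed format: timestamp,src_ip,dst_ip,dst_port,bytes_out
LOG_FIELDS = ["timestamp", "src_ip", "dst_ip", "dst_port", "bytes_out"]
SAMPLE_LOG = """\
2008-04-07T09:12:01,10.1.4.22,72.14.207.99,443,1840
2008-04-07T09:12:05,10.1.4.22,124.133.252.144,80,912
2008-04-07T13:40:13,10.1.4.22,124.133.252.144,443,48211000
2008-04-07T13:41:02,10.1.4.57,72.14.207.99,443,2210
2008-04-07T14:02:44,10.1.4.57,93.184.216.34,8080,61000000
2008-04-08T08:01:10,10.1.4.22,10.1.1.5,445,73000000
"""


def sweep(log_text: str, ioc_ips=IOC_IPS, exfil_threshold: int = 20_000_000) -> dict:
    """Flag (a) every connection to a known bad address and (b) every
    internal host that sent an unusual volume of data to one external
    address, whether or not that address is already on a list."""
    ioc_hits = []
    out_bytes = defaultdict(int)  # (src_ip, dst_ip) -> bytes sent out
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=LOG_FIELDS):
        dst = ipaddress.ip_address(row["dst_ip"])
        # Internal-to-internal traffic (file servers, backups) is noise here.
        if dst.is_private:
            continue
        if row["dst_ip"] in ioc_ips:
            ioc_hits.append(row)
        out_bytes[(row["src_ip"], row["dst_ip"])] += int(row["bytes_out"])
    large = [
        {"src_ip": s, "dst_ip": d, "bytes_out": b}
        for (s, d), b in out_bytes.items() if b >= exfil_threshold
    ]
    large.sort(key=lambda t: t["bytes_out"], reverse=True)
    return {
        "ioc_hits": ioc_hits,
        "infected_hosts": sorted({r["src_ip"] for r in ioc_hits}),
        "large_transfers": large,
    }


if __name__ == "__main__":
    report = sweep(SAMPLE_LOG)
    for host in report["infected_hosts"]:
        print(f"isolate {host}: it talked to a known exfiltration address")
    for t in report["large_transfers"]:
        print(f"{t['src_ip']} -> {t['dst_ip']}: {t['bytes_out']:,} bytes out")
```

The volume check is the part worth keeping after the indicator goes stale: a workstation that quietly ships tens of megabytes to one outside address is the signature of the “ship all our documents” mission described above, and the threshold is a tuning knob for the environment, not a constant.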

But maybe you’ve not come to the attention of the Chinese MSS or PLA just yet. Well, there’s another way to infect your computer. Simply infect it where the PC or notebook is made. Last August, for example, there was a rumor that a Chinese technology company wanted to acquire Seagate – a maker of the Maxtor portable hard drive. Seagate assembles the Maxtors in Thailand . . . Well, Seagate refused to sell, and the unnamed Chinese company apparently gave up.

But not before it figured out another way of getting into the Seagate supply chain. It turns out that a Chinese subcontractor to Seagate infected Maxtor drive components before shipping the components to Thailand. It was a Trojan Horse program that looked for passwords. I surmise it was a sophisticated keystroke program that could identify any username-password combination, store it, and e-mail it to a Chinese address when pinged by an administrator in China.

Seagate issued a recall notice – for Maxtor Basics Personal Storage 3200 hard drives sold after (ahem) August. It seems Seagate identified the Trojan Horse via an antivirus program from Kaspersky Labs. It was also reassuring to learn that in October last year, Kaspersky Labs signed on with the old Huawei-3Com joint venture, H3C, as an original equipment manufacturer (OEM) for H3C servers. Kaspersky is, presumably, working closely with H3C – now wholly owned by the U.S. firm 3Com – to “further enhance the performance of H3C’s security products to quickly respond to malicious software threats and therefore to protect customer’s network to be safe and sound” according to Henry Tso, Chief Technology Officer at H3C. I would simply observe that as late as December 2006, every one of H3C’s Chinese employees remained on the personnel rolls at the Chinese telecom giant, Huawei, even though Huawei no longer owned any H3C shares. One Chinese news report noted that “They retain Huawei personnel employment numbers, Huawei stock ownership, and their internal corporate contacts, job descriptions (zhiwei) and ranks.” Therefore, Huawei likely continues to maintain all security dossiers and to control “work certificates” (gongzuo zheng) for all of H3C’s Chinese citizen employees. Which tells me that H3C’s employees living in China have a divided loyalty between their Chinese parent company, which controls their daily lives, and their U.S. owner, which doesn’t seem to control much of anything at H3C in China.

Finally, let me conclude with the observation that data siphoning is perhaps the least of one’s troubles when one lets a foreign state worm its way into all your computer networks. Our electrical power grids are controlled by computer networks. Our power plants, fossil, hydro, nuclear, are run by networked computers – and malicious code inserted, for example, to run the generators out of phase, could bring them all crashing to a halt. Air Traffic Control, telecommunications, water supplies . . . 


Notes


1. “Seagate tells employees company not for sale,” Reuters, August 28, 2007

2. Robert McMillan, “Seagate ships virus-laden hard drives – info sent to China,” PC World, November 13, 2007, at http://www.washingtonpost.com/wp-dyn/content/article/2007/11/13/AR2007111300606.html. Also see Lin Ching-lin, “Chinese subcontractors blamed for trojan horses,” Taipei Times, November 12, 2007, p. 2, at http://www.taipeitimes.com/News/taiwan/archives/2007/11/12/2003387447.


3. See Press Release, “Kaspersky Lab signed an OEM agreement with H3C,” September 20, 2007, at http://www.kaspersky.com/news?id=207575567.

4. See Yong Zhongwei, “Huawei 3Com Gu Dan Shang Lu” (Huawei and 3Com walk the road alone), Zhongguo Shiji Wang, December 11, 2006, at www.ccw.com.cn/netprod/dp/htm2006/20061211_228831.shtml (January 28, 2008).
