Cyber Blitz

U.S. officials say China behind cyber attacks on Japan

The Senkaku Islands / AP
September 25, 2012

A recent series of cyber attacks on Japanese Internet sites originated in China and were viewed as a possible prelude to military action, according to defense officials familiar with details of the attacks.

Japan’s National Police Agency revealed last week that at least 19 Japanese websites were hit by cyber attacks timed to increase tensions between Tokyo and Beijing over the Senkaku islands.

U.S. officials said the sites affected included Japan’s Defense Ministry, Internal Affairs and Communications Ministry, and the country’s supreme court. Banking and utilities networks also were hit.

Other sites that were attacked included Japan’s Statistics Bureau and the government's Internet TV, which were temporarily blocked. A university hospital network also was hit.

Earlier this month, up to six Chinese military vessels moved into Japanese waters and then withdrew, Japan’s coast guard reported.

Violent government-supported street protests in China erupted in recent weeks against Japanese businesses after the Japanese government purchased three uninhabited islands in the Senkakus chain.

U.S. Ambassador to China Gary Locke had a close call with up to 50 angry Chinese protesters who on Sept. 18 surrounded his car and began chanting "Down with U.S. imperialism!" China's government said it was investigating the incident.

China claims the islands, located west of Okinawa and north of Taiwan, are its territory. Japan has controlled the islands for decades.

According to one U.S. official, the Chinese-origin cyber attacks are considered a preview of how China’s military would conduct the opening phase of a military campaign. The official did not say China is preparing some type of military engagement with Japan over the islands, but warned that one could erupt through miscalculation.

The latest cyber attacks began in mid-September and appeared timed to coincide with Beijing’s growing animosity toward Japan over the island dispute.

The Japanese police said in a statement that the cyber attacks were "presumably connected" to the islands dispute. The attack targets were posted on the website of the Chinese hacker group "Honker Union" and included "government executive agencies and important infrastructure companies."

The National Police Agency stepped up monitoring of websites through the Cyber Force Center and alerted organizations listed as the attack targets. The center was seeking to analyze the attacks and prevent their spread, the statement said.

Tatsuo Kawabata, Internal Affairs and Communications minister, told Kyodo News that the ministry’s network was hit with an intermittent attack for a total of seven-and-a-half hours beginning Sept. 15. The attack was most intense on Sept. 16, when 95 percent of the traffic to the site originated in China.

The recent cyber attacks appeared to be less sophisticated than the kinds of cyber attacks that the Pentagon has detected in recent years and that would likely precede a military conflict.

However, the attacks also appeared designed to give China’s government deniability for the digital strikes and could also be multipurpose strikes serving both political and military goals.

Many of the attacked websites were replaced with a Chinese flag and proclamations that China owned the Senkakus.

Japan’s National Police Association reported that the Chinese hackers had targeted 300 organizations in Japan, and that several thousand Chinese had posted notices of the planned attacks and hacker tools to be used on a chat site called "YY Chat."

An official said one Chinese group behind the attacks was identified as a well-known group that is suspected of having ties to the Chinese government.

The group is called the Honker Union and surfaced several months ago after a period of relative quiet, the official said.

The U.S. military closely monitors Chinese hacking and cyber espionage for signs of how they would be used in a future conflict.

A future conflict is expected to begin with crippling cyber attacks against information systems that control large segments of the U.S. system, including power generation, transportation, financial, and other key infrastructure, the official said.

Chinese Sr. Col. Lin Shishan, a member of China’s Fourth Department of the General Staff, which is in charge of cyber warfare, stated in a 2008 journal article that the military must prepare to destroy enemy information systems in warfare.

"We must establish the information combat concept of ‘attack and destruction of system of systems,’" Lin stated.

Classified State Department cables made public last year revealed that civilian Chinese computer hackers are linked to the military and have been behind an aggressive global campaign of economic espionage since 2003.

The hacking and cyber espionage program—known to U.S. intelligence by the code name Byzantine Hades—was linked to the Chinese military’s Chengdu military region’s First Technical Reconnaissance Bureau, one cable stated.

A Chengdu hacker named Chen Xingpeng was tied to the PLA Technical Reconnaissance Bureau. The tie "further emphasizes the idea that this clandestine 'cyber-spying' network may in fact be a state-sponsored intelligence-gathering operation," a cable said.

A March 2009 cable stated that Chinese hacker Yinan Peng, leader of civilian hacker group Javaphile, is suspected of carrying out the major government-sponsored hacking against Google and other U.S. corporations.

The key evidence cited for the connection was Internet Protocol addresses traced to Javaphile and the use of a customized hacking "command and control tool" called eRACS.

Former military intelligence official Larry Wortzel said China's capacity to conduct cyber attacks against Japan and its self-defense forces parallels what it can do to the United States.

"Chinese military doctrine calls for cyber attacks in any conflict," said Wortzel, a member of the congressional U.S.-China Economic and Security Review Commission.

"Japan's industry also is vulnerable to cyber espionage by China, as is U.S. industry."

A report by the U.S.-China Economic and Security Review Commission said relations between China’s military and civilian hackers remain unclear, although it is believed the People’s Liberation Army is reluctant to use hackers since they could disrupt PLA data collection or sabotage operations.

However, the report said the PLA in 2005 sponsored hacker competitions "to identify talented civilians who could support military [computer network operations] requirements."

One Chinese hacker, identified in the report as Tan Duilin, leader of the hacker group Network Crack Program Hacker, was recruited by the Sichuan military command communications department to "participate in the network attack and defense training event organized by the provincial military command."

Chinese hackers are active in thousands of Internet-based groups and as individuals. They are known to develop malicious software.

"China’s hacker community gained early notoriety for member willingness to engage in large-scale politically motivated denial of service attacks, data destruction, and Web defacements of foreign networks, known as hacktivism," the report said.

The hackers are known to employ "large scale, politically motivated attacks against foreign networks or Websites."

The Honker Union group carried out major cyber attacks on more than 1,000 U.S. Internet sites around the time of the April 2001 incident involving the collision between a U.S. EP-3 surveillance aircraft and a Chinese F-8 jet.

Earlier this year U.S. Cyber Command chief Gen. Keith Alexander said that in the future cyber warfare would transition from "disruptive to destructive attacks."

"Those are coming up, and we have to be ready for that," the four-star general said during remarks to the Center for Strategic and International Studies.

A report made public in October 2011 by the National Counterintelligence Executive stated, "U.S. corporations and cyber security specialists … have reported an onslaught of computer network intrusions originating from Internet Protocol (IP) addresses in China, which private sector specialists call ‘advanced persistent threats.’"

"Some of these reports have alleged a Chinese corporate or government sponsor of the activity, but the [intelligence community] has not been able to attribute many of these private sector data breaches to a state sponsor," the report said.