Wednesday, January 13, 2010

Minipost: #CNIRcyberwar ? ? ?

Several Chinese hacker groups have decided to retaliate for the "Iranian Cyber Army" attack against the Chinese search engine, Baidu.com, which we reported yesterday in our story Iranian Cyber Army Returns - Target: Baidu.

A few sources (thanks especially @packetninjas), have sent me links to Chinese webpages where their hacker community is expressing outrage by hacking back. One twitter hashtag seen with regards to this effort has been #CNIRcyberwar .

Despite the hashtag, there is no evidence whatsoever that there are GOVERNMENTS involved in this so-called CyberWar. On the Chinese side, this is the action of some patriotic but mis-guided youth who believe they can change world opinion by trashing a few insignificant websites. On the Iranian side, there is no evidence that any malice was intended towards the nation of China - it seemed their objective was to just place their message before a large audience - a goal they seem to have accomplished. I consider it highly unlikely that additional Iranian attacks on Chinese servers will result from this "CyberWar".

A hacker who claims membership in the "Honker Union for China" has posted many defacements of Iranian sites, along with lists of "official Iranian government sites" that he believes should be targeted, on the site:

http://bbs.360.cn/4261899/34063883.html

There is certainly debate going on, even within his own hacker community. One post this morning on "forums.chinesehonker.org" argued that the Iranians may not be behind the attack, but that it might really be the "dark Yankees" trying to stir up trouble. The rationale of that poster was that the attack came the day before a Chinese government missile interception test. ??? really ???

在没有确切证据的情况下,我倒是认为很能是美国佬干的,原因就是在百度背黑前一天我们进行了导弹拦截实验,进而引起了百度的被黑,这事从一件政治事件引起的网络攻击。
(from 自强不息 on forums.chinesehonker.org)

There is also an attempt to improve the image of Chinese hackers in the world with a little grammatical help from their friends. Another "honker" in the room suggests some help with one defacer's wording, suggesting that they replace:

The big national power spurs strong corps!

with

Our nation has internet experts who aren't afraid to fight back.

and

we are Oppose the special prganization of IR

with

We oppose this special organization of IR.


The Iranian attacks are being discussed in a thread on Baidu as well:


http://tieba.baidu.com/f?kz=695043079

This "soldier" is listing stored images of defaced Iranian websites, which he's actually pulling from the posts of "soping" on the site "bbs.360.cn":

room98.ir - Defaced image, including the text:



chinese honker team[H.U.C.]

I'm very sorry for this Testing!
Because of this morning your Iranian Cyber Army
Maybe you haven't konw this thing!
This morning your Iranian Cyber Army intrusion our baidu.com
So i'm very unfortunate for you
Please tell your so-called Iranian Cyber Army
Don't intrusion chinese website about The United States authoritires to intervene
This is a warning!
Khack by toutian from Honker Union For China


Other sites on his list include:

www.iribu.ir - Defacement image

Text:
CHINA Honker
China do not hear any foreign hacker!
The big national power spurs strong corps!
we are Oppose the special prganization of
IR

Another version of the text read:

Anysize
We are Red_hacker
Let the world hear the voice of China
The state is higher than the dignity of all!

f*** ir !
china up !
honker_Anysize@qq.com
(archived image)

That same text, with a different background image, also appeared on www2.mousavian.ir - (archived image)

An earlier version of the text (another hacker probably using the same vulnerability) read:

High-profile work being
Viruses, anti-virus, invasion, the invasion
The darkness of night, slowly permeates the wing?
The third area information security group By: h4ck3ber

The People's Republic of China Long Live
The great Chinese people long live
Domestic safety inspection
Oppose splkitting Safeguarding unity
http://hi.baidu.com/no_hackTime

pankration.gov.ir - Defacement image

www.diabetes.ir/home - Defacement image

Each of these sites is being tagged repeatedly by various hackers, as you can see documented in this thread:

http://bbs.360.cn/4261899/34063883.html?page=3

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!