满仓 posted on 2013-2-18 12:55

【Businessweek 20130214】Doxxing a Chinese Hacker


【Chinese title】Doxxing a Chinese Hacker
【Original title】A Chinese Hacker's Identity Unmasked
【Publication】Businessweek
【Original authors】Dune Lawrence, Michael Riley
【Original link】http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked#r=read



Cyb3rsleuth says that when he saw a photo on Zhang Changhe's blog, he felt he was looking at the face of a ghost.

Joe Stewart's day begins at 6:30 a.m. in Myrtle Beach. His breakfast is a peanut butter sandwich and a can of sugar-free Red Bull, and then he starts working through the more than 50,000 malware-related e-mails in his in-box. Stewart, 42, is director of malware research at Dell SecureWorks, and his daily work is hunting for Internet spies. Malware is a contraction of the words malicious and software; it lets hackers take control of your computer. Every day his clients and colleagues send him suspicious samples from networks under attack, and his job is to sift through the mass of information for samples never seen before, looking for software that lets hackers break into databases, control surveillance cameras and read e-mail.

Stewart has a considerable reputation in the industry. In 2003 he discovered one of the early spam botnets, which let hackers control tens of thousands of computers at once and flood their in-boxes with millions of spam e-mails. For a decade he worked to stop online criminals from breaking into bank accounts and the like. In 2011, Stewart turned his attention to China. "I thought it would take me only two months to figure this out," he says. Yet for two years, what he has been doing is identifying Chinese malware and designing countermeasures.

Computer intrusions from China regularly make headlines in the major media, as with what the New York Times went through last month. An earlier wave of media attention came in 2010, when Google and Intel announced they had been hacked. But none of these reports revealed the nature of the intrusions: these are not isolated incidents but a continuous campaign of intrusion.

Malware from China floods the Internet, targeting Fortune 500 companies, tech startups, government agencies, news media, embassies, law firms and other organizations with intellectual property to protect. A secret assessment report described by the Washington Post this month shows that the U.S. is the target of a massive, prolonged Chinese cyber-espionage campaign that already threatens the U.S. economy. Apart from the U.S. Department of Defense and a handful of three-letter government agencies (translator's note: the CIA, FBI and so on), the victims have been outmatched by a well-planned, well-resourced adversary.

Stewart says he meets more and more people who run into problems when dealing with China, but very few are willing to discuss them publicly, either because their companies have access to classified intelligence or because they fear backlash from mainland China. What sets him apart is his willingness to share his findings with others. His motivation comes partly from a fascination with puzzle-solving and partly from an inner sense of justice. "Watching the U.S. economy go downhill, with unemployment stuck high, and these great companies still being attacked by China... I don't want to see that. If they competed fairly, I would applaud them. But stealing information is wrong."

Stewart tracks about 24,000 Internet domains, which he says are websites Chinese spies have rented or stolen in order to carry out espionage. They include a marketing company in Texas and the personal website of a prominent political figure in Washington. He sorts the malware he finds into categories, each belonging to a particular hacking team in China. He says about 10 hacking teams have developed 300 kinds of malware, double the figure of 10 months ago. "China must have thrown enormous manpower at this."

Investigators at some commercial security firms suspect that at least most of these hackers are either military personnel or staff taking orders directly from China's intelligence and surveillance agencies. They believe the attacks are far too organized to be the work of freelance hacker groups. Secret diplomatic cables revealed by WikiLeaks linked the cyberattack on Google to Politburo officials. According to former intelligence officials, the U.S. government has long had its classified intelligence organizations track the hackers and has found links to the People's Liberation Army. None of this evidence has been made public, however, and the Chinese authorities have denied involvement for years.

Up to now, private-sector investigators like Stewart have never succeeded in uncovering a hacker's real identity. They have some vague clues, such as aliases used in domain registrations, old online profiles, or the rare forum post that reveals a little of a hacker's work, but a real identity has never turned up. Hackers make mistakes, though. Recently, one hacker's carelessness led a reporter right to his door.

Stewart works in a dingy gray building surrounded by a barbed-wire fence; a small sign on a keycode-locked door says this is Dell SecureWorks. Stewart and one other researcher do their patchwork in a cramped office filled with 30 computers. While examining malware, he switches between computers displaying all kinds of data and whiteboards covered in terminology and notes on Chinese intelligence agencies.


Dell SecureWorks's office in Myrtle Beach.

Most of the programs running on the computers in his office he wrote himself, to analyze and categorize malware so that he can tell whether a piece of software is a variant of old code or something entirely new. As the computers analyze the code, Stewart watches closely for signature tricks in the software to tell whether it is the work of one person or a team. Software analysts compare this to the slant and curvature of individual handwriting. It is a methodical, tedious technical grind that most people would find boring or give up on, but it suits Stewart; he likes looking for patterns. After work, he relaxes for 15 minutes by playing the same phrase over and over on his drums.

An important part of Stewart's work is analyzing how malware is developed, and his skill here is astonishing: he can determine which language the computer used to write the malware was set to, which tells him whether a given piece of malware is being used by a Russian criminal gang or by Chinese spies. But an even more important part of his work is finding out whom the malware is contacting. Once malware gets into a computer, it sends a signal to one or more servers located around the world, asking for further instructions. In information security this is called "phoning home." Stewart and his fellow sleuths have found tens of thousands of such servers, called command and control nodes, from which hackers launch their attacks.

When he talks about discovering a control node, Stewart's voice rises noticeably, as excited as when showing a visitor a new find. If a hacked company knows the IP address of a control node, it can shut off all communication with that address. "Our top objective is to find the tools and techniques the malware uses, so that we can block them," he says.

The Internet is like a map, and every point on it, that is, every IP, belongs to someone who has to provide a name and address when registering. Spies, of course, do not use their real names, and the information in most of the network addresses Stewart finds is obviously fake. But he has ways of getting at the truth.

In March 2011, Stewart was examining a piece of malware that was clearly different from the work of Russian and Eastern European hackers. When he looked up the control nodes the suspicious code connected to, he found that since 2004 about a dozen nodes had been registered under the same one or two names, Tawnya Grilth or Eric Charles, with the same Hotmail account and the same city name in California. Moreover, several of them used the same misspelled city name: Sin Digoo.

Some of the addresses had appeared in records previously documented by other researchers; they were part of a block of more than 2,000 IP addresses belonging to China Unicom, one of China's largest Internet service providers. The hackers' trails led Stewart to these addresses again and again, and he believes they belong to one of China's top two digital spying teams, which he calls the "Beijing Group." Stewart and his fellow sleuths usually get only this far: to a city, or a probable group, never to an individual hacker. But over the next few months, his luck came in.

Tawnya Grilth registered a control node with the URL dellpc.us, far too close to the domain name of Stewart's company. So Stewart contacted the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the use of Internet addresses worldwide and arbitrates domain-name disputes. Stewart argued that by using the word "Dell," the other side had used his company's registered trademark without permission. Grilth never responded, and ICANN granted Stewart's request and handed control of the site to him. By November 2011 he could watch hacked computers under this domain phoning home from all over the world; he was watching an espionage campaign in progress with his own eyes.

He spent three months watching the espionage activity, gradually identifying hacked computers. By January 2012, Stewart had pinned down 200 compromised machines worldwide. Many were inside the governments of Vietnam, Brunei and Myanmar, as well as oil companies, a newspaper, a nuclear safety agency and an embassy in mainland China. Stewart says he had never seen cyber-espionage aimed at Southeast Asian countries on such a scale. He broadened his search to include IP addresses registered under the name "Tawnya Grilth" and "her" e-mail address jeno_1980@hotmail.com, and found more hacked computers. Among them was a contact name, "xxgchappy." The new addresses led to still more links, including forums discussing malware techniques and the website rootkit.com, which stores a great deal of malware and where researchers from around the world discuss hacking techniques.

Stewart then found something even more unusual: one of the domains was running an actual business, offering, for a fee, to generate upvotes and positive reviews on social networking sites like Twitter and Facebook. Stewart found a user named Tawnya advertising the site on the hacker forum BlackHatWorld, and found a PayPal (translator's note: an e-mail-based payment service provider) account that collected the fees and transferred the money to a Gmail account whose owner had the surname "Zhang." Stewart was amazed that the hacker had so boldly exposed his real identity.

In February 2012, at the RSA Conference in San Francisco, the annual gathering of the cybersecurity industry, Stewart published a 19-page report introducing SecureWorks' website. He opened it with a well-known line from Sun Tzu's The Art of War: "We cannot enter into alliances until we are acquainted with the designs of our neighbors."

Stewart did not pursue Zhang further. His job was done; the information he had was enough to protect his clients, and he moved on to the countless other pieces of malware. But his report aroused great interest in the information security community, because finding a hacker's real identity is so hard. Another researcher immediately and eagerly took up the challenge of unmasking Tawnya Grilth. This 33-year-old researcher goes by the handle Cyb3rsleuth online; in real life he runs a computer intelligence company in India. He asked that his real name be withheld, to avoid unwanted attention or even having his company's computers hacked.

Cyb3rsleuth says he has previously identified two Eastern European hackers and handed the information on both to government authorities. Stewart's work made him feel it was necessary to make some findings public; he hopes to dig up more information on hackers so that governments have a chance to take action. Hackers are human and make mistakes, so the key is to track down the clues that lead to a real identity.

As Stewart's successor dug deeper, Tawnya Grilth's world became more and more exposed. There were posts on a car forum, an account on a Chinese hacker site, and personal photos, one of which showed a man and a woman standing together in the wind at what looked like a tourist site, with a pagoda in the background.

Cyb3rsleuth followed the hacker's trail and also found the aliases used to drum up business for the social-networking service and the forums registered with the Hotmail account. He finally found the hacker's second business, and this time a real address turned up. Henan Mobile Network was a mobile-phone wholesaler, according to business directories and online advertisements. The shop's website was registered with the Jeno Hotmail account and the Eric Charles pseudonym.

Cyb3rsleuth checked an online Chinese directory of technology companies and found not only a phone number for the company but also a contact name, Mr. Zhang, and an address in Zhengzhou, the capital of the central Chinese province of Henan, a city of 8 million people. The directory also gave three account numbers for QQ, the Chinese instant-messaging service, which is similar to MSN; each account is a string of digits. One of the accounts had the username xxgchappy, and the user's occupation was "education."

Searching for this e-mail address on Chinese search engines, Cyb3rsleuth found it was also registered to an account on Kaixin, a Facebook-like site, under the name Zhang Changhe in Zhengzhou. Zhang's profile picture is a blooming lotus, a traditional Buddhist symbol. Looking again at his QQ account, Cyb3rsleuth found the profile picture was also a Buddhist image, with the username Chang He, pronounced the same as the Kaixin username but written with different characters. His blog contained musings on Buddhist faith, including a few lines under the Chinese title "Repentance": "Today is Jan. 31, 2012, and it has been five years since I converted to Buddhism. In these five years I have broken all five of the great precepts: no killing, no stealing, no sexual misconduct, no lying, no drinking, and I deeply regret it." He listed his sins, from lack of compassion to making excuses and lying; No. 4 was: "I have continually and shamelessly stolen; I hope I can mend my ways in the future."

The same QQ number also appears on the xCar auto forum, where the user belongs to the forum for owners of the Dongfeng Peugeot 307, a sporty four-door sedan popular among China's emerging middle class. Around 2007 the user posted asking about buying a license-plate frame.

In a photo from 2009, Zhang stands by the sea, squinting up at the sky, arm in arm with a woman the caption says is his wife. She is the same woman as in the pagoda photo. Zhang wears his thick hair cut short.

In March, Cyb3rsleuth published his findings on his personal blog, hoping that someone, whether governments, research institutions or the hacker's victims, would take action. So far he has received no response, but he is excited, because he has found the real face of an Internet ghost.

Zhengzhou, Henan province, lies on the banks of the Yellow River. The municipal government website calls it "a model of China's rapidly developing cities." The Shaolin Temple, a center of Buddhism and martial arts, is 56 miles southwest of Zhengzhou and draws kung fu fans from near and far. The city is a hub for China's rail freight and passenger traffic.

Five hundred meters south of the central railway station is a tan seven-story building with a dirty facade bearing large red characters reading "Central Plains Communications Digital City." The building is packed with small shops, most selling electronics. Zhang's mobile-phone shop was on the fourth floor, room A420.


Central Plains Communications Digital City in Zhengzhou.

Under dim fluorescent lights, two young clerks told the reporter they did not know Zhang Changhe or Henan Mobile Network. Wang Yan, the building's commercial manager, said the previous tenant of A420 had moved out three years ago. She did not know what business the tenant had run, only that the owner did not show up often and the business did not last long.

A search on the Chinese version of Google turns up a link to several academic papers authored by Zhang Changhe. One paper from 2005 concerns computer espionage techniques. He also worked on research into a Windows rootkit, an advanced hacking technique. In 2011, Zhang co-authored an analysis of a security vulnerability in a type of computer memory and the possible ways of attacking it. The papers state that Zhang works at the PLA Information Engineering University. According to Mark Stokes of the Project 2049 Institute, a Washington think tank, the university is China's top academic institution for electronic intelligence, training junior officers who serve across the country. It is like a university under the U.S. Department of Defense.

The campus of the PLA Information Engineering University is in Zhengzhou, four miles from Zhang Changhe's mobile-phone shop. The main gate is at the end of a three-lane road; people in military uniform come and go, and guards carefully check the identity documents of the vehicles and people entering and leaving. We reached Zhang on the mobile number listed on QQ. He confirmed he is a teacher at the university and said he was currently away on a business trip. About Henan Mobile Network he said: "Sorry, that's no longer in business." About hacking and the control-node domains, he said: "I'm not really clear about that." Asked what courses he teaches at the university, he said: "It's not convenient for me to discuss that." He denied working for the government, said he did not want to answer any more questions, and hung up.


Gate of the PLA Information Engineering University.

Stewart continues to dig up computer network intrusions linked to Zhang. Last year SecureWorks discovered a piece of malware nicknamed "Mirage," which infected more than 100 computers, mostly in Taiwan and the Philippines. The owner of one of the control domains was Tawnya Grilth. Late last year, Stewart observed malware attacking Russian and Ukrainian government departments and defense organizations; one of the control nodes the malware phoned home to was AlexaUp.info, a site registered to Zhang Changhe. Stewart says Zhang is a member of the Beijing Group, which has dozens of people, from programmers to those who build the sites to those who translate the stolen data. Stewart recounts this calmly; he realistically understands that taking out one member of a hacking group will not stop China's network intrusions. Zhang is just a pawn in China's cyber army, and as China's cyber operations become less and less concealed, finding more Zhangs should not be hard. Stewart believes that once enough evidence accumulates, the Chinese government will one day no longer be able to deny it.

"It might take us several more years to accumulate evidence strong enough to make them honestly admit, 'Oh, that was us,'" he says. "I don't know whether they'll stop, but I'll make it harder and harder for them to get away with it."



Original text:

Cyb3rsleuth said he felt like he’d found the face of a ghost when he saw pictures on a blog linked to Zhang Changhe

Joe Stewart’s day starts at 6:30 a.m. in Myrtle Beach, S.C., with a peanut butter sandwich, a sugar-free Red Bull, and 50,000 or so pieces of malware waiting in his e-mail in-box. Stewart, 42, is the director of malware research at Dell SecureWorks, a unit of Dell (DELL), and he spends his days hunting for Internet spies. Malware is the blanket term for malicious software that lets hackers take over your computer; clients and fellow researchers constantly send Stewart suspicious specimens harvested from networks under attack. His job is to sort through the toxic haul and isolate anything he hasn’t seen before: He looks for things like software that can let hackers break into databases, control security cameras, and monitor e-mail.

Within the industry, Stewart is well-known. In 2003 he unraveled one of the first spam botnets, which let hackers commandeer tens of thousands of computers at once and order them to stuff in-boxes with millions of unwanted e-mails. He spent a decade helping to keep online criminals from breaking into bank accounts and such. In 2011, Stewart turned his sights on China. “I thought I’d have this figured out in two months,” he says. Two years later, trying to identify Chinese malware and develop countermeasures is pretty much all he does.

Computer attacks from China occasionally cause a flurry of headlines, as did last month’s hack on the New York Times (NYT). An earlier wave of media attention crested in 2010, when Google (GOOG) and Intel (INTC) announced they’d been hacked. But these reports don’t convey the unrelenting nature of the attacks. It’s not a matter of isolated incidents; it’s a continuous invasion.

Malware from China has inundated the Internet, targeting Fortune 500 companies, tech startups, government agencies, news organizations, embassies, universities, law firms, and anything else with intellectual property to protect. A recently prepared secret intelligence assessment described this month in the Washington Post found that the U.S. is the target of a massive and prolonged computer espionage campaign from China that threatens the U.S. economy. With the possible exceptions of the U.S. Department of Defense and a handful of three-letter agencies, the victims are outmatched by an enemy with vast resources and a long head start.

Stewart says he meets more and more people in his trade focused on China, though few want that known publicly, either because their companies have access to classified data or fear repercussions from the mainland. What makes him unusual is his willingness to share his findings with other researchers. His motivation is part obsession with solving puzzles, part sense of fair play. “Seeing the U.S. economy go south, with high unemployment and all these great companies being hit by China … I just don’t like that,” he says. “If they did it fair and square, more power to them. But to cheat at it is wrong.”

Stewart tracks about 24,000 Internet domains, which he says Chinese spies have rented or hacked for the purpose of espionage. They include a marketing company in Texas and a personal website belonging to a well-known political figure in Washington. He catalogs the malware he finds into categories, which usually correspond to particular hacking teams in China. He says around 10 teams have deployed 300 malware groups, double the count of 10 months ago. “There is a tremendous amount of manpower being thrown at this from their side,” he says.

Investigators at dozens of commercial security companies suspect many if not most of those hackers either are military or take their orders from some of China’s many intelligence or surveillance organizations. In general, they say the attacks are too organized and the scope too vast to be the work of freelancers. Secret diplomatic cables published by WikiLeaks connected the well-publicized hack of Google to Politburo officials, and the U.S. government has long had classified intelligence tracing some of the attacks to hackers linked to the People’s Liberation Army (PLA), according to former intelligence officials. None of that evidence is public, however, and China’s authorities have for years denied any involvement.

Up to now, private-sector researchers such as Stewart have had scant success putting faces to the hacks. There have been faint clues left behind—aliases used in domain registrations, old online profiles, or posts on discussion boards that give the odd glimpse of hackers at work—but rarely an identity. Occasionally, though, hackers mess up. Recently, one hacker’s mistakes led a reporter right to his door.

Stewart works in a dingy gray building surrounded by a barbed-wire fence. A small sign on a keycode-locked door identifies it as Dell SecureWorks. With one other researcher, Stewart runs a patchwork of more than 30 computers that fill his small office. As he examines malware samples, he shifts between data-filled screens and white boards scribbled with technical terms and notes on Chinese intelligence agencies.

Dell SecureWorks’s Myrtle Beach facility

The computers in his office mostly run programs he wrote himself to dissect and sort the malware and figure out whether he’s dealing with variations of old code or something entirely new. As the computers turn up code, Stewart looks for signature tricks that help him identify the work of an author or a team; software writers compare it with the unique slant and curlicues of individual handwriting. It’s a methodical, technical slog that would bore or baffle most people but suits Stewart. He clearly likes patterns. After work, he relaxes with a 15-minute session on his drum kit, playing the same phrase over and over.

A big part of Stewart’s task is figuring out how malware is built, which he does to an astonishing level of detail. He can tell the language of the computer on which it was coded—helping distinguish the malware deployed by Russian criminal syndicates from those used by Chinese spies. The most important thing he does, however, is figure out who or what the software is talking to. Once inside a computer, malware is set up to signal a server or several servers scattered across the globe, seeking further marching orders. This is known in the information security business as “phoning home.” Stewart and his fellow sleuths have found tens of thousands of such domains, known as command and control nodes, from which the hackers direct their attacks.

Discovery of a command node spurs a noticeable rise in pitch in Stewart’s voice, which is about as much excitement as he displays to visitors. If a company getting hacked knows the Internet Protocol (IP) address of a command node, it can shut down all communication with that address. “Our top objective is to find out about the tools and the techniques and the malware that they’re using, so we can block it,” Stewart says.

The Internet is like a map, and every point—every IP—on that map belongs to someone with a name and an address recorded in its registration. Spies, naturally, tend not to use their real names, and with most of the Internet addresses Stewart examines, the identifying details are patently fake. But there are ways to get to the truth.

In March 2011, Stewart was examining a piece of malware that looked different from the typical handiwork of Russian or Eastern European identity thieves. As he began to explore the command nodes connected to the suspicious code, Stewart noticed that since 2004, about a dozen had been registered under the same one or two names—Tawnya Grilth or Eric Charles—both listing the same Hotmail account and usually a city in California. Several were registered in the wonderfully misspelled city of Sin Digoo.

Some of the addresses had also figured in Chinese espionage campaigns documented by other researchers. They were part of a block of about 2,000 addresses belonging to China Unicom (CHU), one of the country’s largest Internet service providers. Trails of hacks had led Stewart to this cluster of addresses again and again, and he believes they are used by one of China’s top two digital spying teams, which he calls the Beijing Group. This is about as far as Stewart and his fellow detectives usually get—to a place and a probable group, but not to individual hackers. But he got a lucky break over the next few months.

Tawnya Grilth registered a command node using the URL dellpc.us. It was a little too close to the name of Stewart’s employer. So Stewart says he contacted Icann (the Internet Corporation for Assigned Names and Numbers), the organization that oversees Internet addresses and arbitrates disputes over names. Stewart argued that by using the word Dell, the hackers had violated his employer’s trademark. Grilth never responded, and Icann agreed with Stewart and handed over control of the domain. By November 2011 he could see hacked computers phoning home from all over the world—he was watching an active espionage campaign in progress.

He monitored the activity for about three months, slowly identifying victim computers. By January 2012, Stewart had mapped as many as 200 compromised machines across the globe. Many were within government ministries in Vietnam, Brunei, and Myanmar, as well as oil companies, a newspaper, a nuclear safety agency, and an embassy in mainland China. Stewart says he’d never seen such extensive targeting focused on these countries in Southeast Asia. He broadened his search of IP addresses registered either by Tawnya Grilth or “her” e-mail address, jeno_1980@hotmail.com, and found several more. One listed a contact with the handle xxgchappy. The new addresses led to even more links, including discussion board posts on malware techniques and the website rootkit.com, a malware repository where researchers study hacking techniques from all over the world.

Then Stewart discovered something much more unusual: One of the domains hosted an actual business—one that offered, for a fee, to generate positive posts and “likes” on social network sites such as Twitter and Facebook (FB). Stewart found a profile under the name Tawnya on the hacker forum BlackHatWorld promoting the site and a PayPal (EBAY) account that collected fees and funneled them to a Gmail account that incorporated the surname Zhang. Stewart was amazed that the hacker had exposed his or her personal life to such a degree.

In February 2012, Stewart published a 19-page report on SecureWorks’s website to coincide with the RSA Conference in San Francisco, one of the biggest security industry events of the year. He prefaced it with an epigraph from Sun Tzu’s The Art of War: “We cannot enter into informed alliances until we are acquainted with the designs of our neighbors and the plans of our adversaries.”

Stewart didn’t pursue Zhang. His job was done. He learned enough to protect his customers and moved on to the other countless bits of malware. But his report generated interest in the security world, because it’s so difficult to find any traces of a hacker’s identity. In particular, Stewart’s work intrigued another researcher who immediately took up the challenge of unmasking Tawnya Grilth. That researcher is a 33-year-old who blogs under the name Cyb3rsleuth, an identity he says he keeps separate from his job running an India-based computer intelligence company. He asked that his name not be used to avoid unwanted attention, including hacking attempts on his company.

Cyb3rsleuth says he’d already found a calling in outing the identities of Eastern European hackers and claims to have handed over information on two individuals to government authorities. Stewart’s work inspired him to post his findings publicly, and he says he hopes that unearthing more details on individual hackers will give governments the evidence to take action. The hackers are human and make mistakes, so the trick is finding the connection that leads to a real identity, Cyb3rsleuth says.

As Stewart’s new collaborator dug in, the window into Tawnya Grilth’s world expanded. There were posts on a car forum; an account on a Chinese hacker site; and personal photos, including one showing a man and a woman bundled up against the wind at what looked like a tourist site with a pagoda in the background.

Cyb3rsleuth followed the trail of the hacker’s efforts to drum up business for the social media promotion service through aliases and forums tied to the Hotmail account. He eventually stumbled on a second business, this one with a physical location. The company, Henan Mobile Network, was a mobile-phone wholesaler, according to business directories and online promotional posts. The shop’s website was registered using the Jeno Hotmail account and the Eric Charles pseudonym.

Cyb3rsleuth checked an online Chinese business directory for technology companies and turned up not only a telephone number for the company but also a contact name, Mr. Zhang, and an address in Zhengzhou, a city of more than 8 million in the central Chinese province of Henan. The directory listing gave three account numbers for the Chinese instant-messaging service called QQ. The service works along the lines of MSN Messenger, with each account designated by a unique number. One of those accounts used an alternate e-mail that incorporated the handle xxgchappy and listed the user’s occupation as “education.”

Putting that e-mail into Chinese search engines, Cyb3rsleuth found it was also registered on Kaixin001.com, a Chinese Facebook-style site, to a Zhang Changhe in Zhengzhou. Zhang’s profile image on Kaixin is of a blooming lotus, a traditional Buddhist symbol. Going back to the QQ account, Cyb3rsleuth found a blog linked to it, again with a Buddha-themed profile picture, whose user went by Changhe—the same pronunciation as the Kaixin user’s given name, though rendered in different characters. The blog contained musings on Buddhist faith, including this, from a post written in Chinese and titled “repentance”: “It’s Jan. 31, 2012 today, I’ve been a convert to Buddhism for almost five years. In the past five years, I broke all the Five Precepts—no killing living beings, no stealing, no sexual misconduct, no lies, and no alcohol, and I feel so repentant.” Amid his list of sins, from lack of sympathy to defensiveness to lying, is No. 4: “I continuously and shamelessly stole, hope I can stop in the future.”

The same QQ number appears on an auto forum called xCar, where the user is listed as belonging to a club for owners of the Dongfeng Peugeot 307—a sporty four-door popular among China’s emerging middle class—and where the user asked, circa 2007, about places to buy a special license-plate holder.

In a photo taken in 2009, Zhang stands on a beach, squinting into the sun with his back to the waves, arm in arm with a woman the caption says is his wife—the same person as in the pagoda picture. His bushy hair is cut short over a young face.

In March, Cyb3rsleuth published what he found on his personal blog, hoping that someone—governments, the research community, or some of the many hacking victims—would act. He knows of no response so far. Still, he’s excited. He’d found the face of a ghost, he says.

The city of Zhengzhou sprawls near the Yellow River in Henan province. The municipal government website describes it as “an example of a remarkably fast-changing city in China (without minor tourism clutter).” Kung-fu fans pass through on their way to the Shaolin Temple, a center of Buddhism and martial arts, 56 miles to the southwest. The city mostly serves as a gigantic transit hub for people and goods moving by rail to other places all over China.

About a 500-meter walk south from the central railway station is a tan, seven-story building with a dirty facade and red characters that read Central Plains Communications Digital City. The building is full of tiny shops, many selling electronics. The address listed for Zhang’s mobile-phone business is on the fourth floor, room A420.

Central Plains Communications Digital City in Zhengzhou

Under dim fluorescent lights, two young clerks tell a reporter that they don’t know Zhang Changhe or Henan Mobile Network. The commercial manager of the building, Wang Yan, says the previous tenant of A420 moved out three years ago; she says she has no idea what the business had been, except that the proprietors weren’t there very often and that the operation didn’t last long.

A Chinese-language search on Google turns up a link to several academic papers co-authored by a Zhang Changhe. One, from 2005, relates to computer espionage methods. He also contributed to research on a Windows rootkit, an advanced hacking technique, in 2007. In 2011, Zhang co-authored an analysis of the security flaws in a type of computer memory and the attack vectors for it. The papers identified Zhang as working at the PLA Information Engineering University. The institution is one of China’s principal centers for electronic intelligence, where professors train junior officers to serve in operations throughout China, says Mark Stokes of the Project 2049 Institute, a think tank in Washington. It’s as if the U.S. National Security Agency had a university.

The gated campus of the PLA Information Engineering University is in Zhengzhou, about four miles north of Zhang Changhe’s mobile shop. The main entrance is at the end of a tree-lined lane, and uniformed men and women come and go, with guards checking vehicles and identification cards. Reached on a cell-phone number listed on the QQ blog, Zhang confirms his identity as a teacher at the university, adding that he was away from Zhengzhou on a work trip. Asked if he still maintained the Henan Mobile telephone business, he says: “No longer, sorry.” About his links to hacking and the command node domains, Zhang says: “I’m not sure.” About what he teaches at the university: “It’s not convenient for me to talk about that.” He denies working for the government, says he won’t answer further questions about his job, and hangs up.

Gate to the PLA Information Engineering University

Stewart continues to uncover clues that point to Zhang’s involvement in computer network intrusions. A piece of malware SecureWorks discovered last year and dubbed Mirage infected more than 100 computers, mainly in Taiwan and the Philippines. Tawnya Grilth owned one of the command domains. Late last year, Stewart was looking at malware hitting Russian and Ukrainian government and defense targets. The only other sample of that kind of malware he could find in his database was one that phoned home to a command node at AlexaUp.info. The billing name used in the registration: Zhang Changhe. Stewart says Zhang is affiliated with the Beijing Group, which probably involves dozens of people, from programmers to those handling the infrastructure of command centers to those who translate stolen documents and data. As Stewart discusses this, his voice is flat. He’s realistic. Outing one person involved in the hacking teams won’t stop computer intrusions from China. Zhang’s a cog in a much larger machine and, given how large China’s operations have become, finding more Zhangs may get easier. Show enough of this evidence, Stewart figures, and eventually the Chinese government can’t deny its role. “It might take several more years of piling on reports like that to make that weight of evidence so strong that it’s laughable, and they say, ‘Oh, it was us,’ ” says Stewart. “I don’t know that they’ll stop, but I would like to make it a lot harder for them to get away with it.”

lilyma06 posted on 2013-2-19 09:30

Uh, I seriously wonder whether the arrest of the former CCAV anchor a few days ago had anything to do with hackers...