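India has been the sixth most targeted country by Chinese hackers since 2016

In June 2020, a conflict broke out on the border between China and India, and more than 20 Indian soldiers died. Nationalist sentiment ran high in both India and China. People in India chose to protest by burning Chinese flags and boycotting Chinese goods. Although the Chinese government officially played the matter down, protests by netizens expressed through cyber attacks on the other country increased as well, just as in China's earlier frictions with other countries. From the China-US hacker war triggered by the 2001 South China Sea aircraft collision to the China-India border conflict, this form of protest has always existed. In June I was interviewed by Chandrima Banerjee, a reporter for The Times of India (said to be India's oldest English-language newspaper and the one with the largest circulation). I described to the reporter the APT attacks I have received from the Chinese government, as well as the history of hacking in China, hoping to help the Indian people understand hackers and understand the Chinese Communist Party. I have translated the Times of India's English report into Chinese for readers.

The Times of India headline is: India 6th most targeted by Chinese hackers since 2016 (India has been the sixth most targeted country by Chinese hackers since 2016)
Original article: http://timesofindia.indiatimes.com/articleshow/76503656.cms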

Chandrima Banerjee / TNN / Updated: Jun 22, 2020, 10:34 IST

Zuola had never fallen in with the party line. He would post translated news about Tibet, assert Taiwan’s sovereignty and call out misuse of government power. In 2010, on December 22, the Hunan-based cyber activist received a mail from a head-hunter offering a 400,000-yuan job (source: http://mumayoujian.zuo.la/2010/12/fwd.html). About Rs 43 lakh a year. It was too much money. Hours later, he got another mail from the “Taiwan Foundation for Democracy” inviting him to a youth leadership camp (source: http://mumayoujian.zuo.la/2010/12/fwd-yda100.html). It was strange that the mail made it through the Great Firewall.

Both were loaded with Trojans. 

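Zuola has never kept to the party line. He would post translated news about Tibet, defend Taiwan's sovereignty and call out the abuse of government power. On December 22, 2010, this cyber activist from Hunan received an email from a head-hunting firm offering a job paying 400,000 yuan. About 430,000 rupees a year. It was too much money. A few hours later, he received another email, from the “Taiwan Foundation for Democracy”, inviting him to a youth leadership camp. The strange thing was that this email managed to get through the Great Firewall.

Both emails carried Trojans.

(Zuola's note: the above is not a science-fiction plot but a real phishing incident. I have put the phishing emails I have received over the years on display online to prove that I am a target of APT attacks: http://mumayoujian.zuo.la )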

“The cyber army exists but within China there are not many reports about them. The cyber army has three kinds of targets — activists they need to shut down, overseas business companies for their IP (intellectual property) and governments for expanding influence,” Zuola told TOI. “Because I wrote about the government, I would keep getting these APT emails.” APT, or advanced persistent threat, is a targeted, sophisticated and prolonged cyberattack. The kind that Indian intelligence agencies have been warning the country could be facing from China-based actors. 

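A hacker working at night
Illustrative image of a hacker (photo by Zuola)

“A cyber army exists, but inside China there are not many reports about it.” Zuola told The Times of India that the cyber army has three kinds of targets: monitoring social activists, stealing the intellectual property and business intelligence of foreign commercial companies, and expanding the government's influence. “Because I have written articles criticising the government, and have used the internet and social media to report very effectively on a lot of sensitive news in China, I keep receiving these APT emails.” APT is a cyber-security term, short for “advanced persistent threat”: a targeted, sophisticated and prolonged cyber attack. Indian intelligence agencies have long warned that the country could face attacks from China-based attackers.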

Since 2016, India has been the sixth most targeted country by China-based hackers — right after the US, South Korea, Hong Kong, Germany and Japan. Government sites came under attack most frequently, followed by telecommunications, media, high tech and transportation, according to a report shared with TOI by US-based cybersecurity firm FireEye. In 2013, FireEye, then Mandiant, had first established the presence of China’s PLA Unit 61398, a “cyber espionage” unit of the Chinese military — the 2nd bureau of the 3rd General Staff Department under PLA General Staff. “We found that APT1 (the name assigned to the unit) maintained access to the victim’s network for an average of 356 days. The longest time … was at least 1,764 days,” the report said. Three victims were from India. IT, aerospace and public administration were the sectors most often targeted. Its last known activity was in early 2015 and by 2018, the US department of justice had indicted at least seven state-backed hackers named by the agency. 

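Since 2016, India has been the sixth most attacked country by Chinese hackers, right after the United States, South Korea, Hong Kong, Germany and Japan. According to a report shared with TOI by the US cyber-security company FireEye, government websites were attacked most frequently, followed by telecommunications, media, high tech and transportation. In 2013, FireEye (then Mandiant) first established the existence of China's PLA Unit 61398, a “cyber espionage” unit of the Chinese military: the 2nd Bureau of the 3rd General Staff Department under the PLA General Staff. “We found that APT1 (the name of the unit) maintained access to the victim's network for an average of 356 days. The longest time … was at least 1,764 days,” the report said. Three victims were from India. IT, aerospace and public administration were the sectors most often attacked. Its last known activity was in early 2015, and by 2018 the US Department of Justice had indicted at least seven state-backed hackers named by the agency.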

But a change was under way. The report says PLA reform talks began in early 2014 and by September 2015, an official announcement had been made. In December that year, the Strategic Support Force, or SSF, was formally established. That took over network operations under a streamlined Chinese Military Commission, subsuming Unit 61398 and other tech and space units. The focus shifted — the foray into media sites is relatively new. With a reason. The report says the agency “anticipates more aggressive efforts to influence public opinion in the future.” Phishing, the kind Zuola was subjected to, remains the chosen form of attack, followed by server compromise and web compromise. The use of China-specific malware has reduced and hackers have shifted towards “more broadly used malware.” 

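But a change was under way. The report says PLA reform talks began in early 2014, and by September 2015 the reform had been officially announced. In December of the same year, the Strategic Support Force, that is, the information warfare force, was formally established. It took over network operations under a streamlined Chinese Military Commission, absorbing Unit 61398 and other technology and space units. The focus shifted: the move into media websites is relatively new. There is a reason for it. The report says the agency “anticipates more aggressive efforts to influence public opinion in the future.” Phishing of the kind Zuola was subjected to remains the chosen form of attack, followed by server compromise and web compromise. The use of China-specific malware has decreased, and hackers have shifted towards “more broadly used malware.”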

The most active groups as of now are APT41 (which has targeted 14 countries including India and operates in keeping with China’s five-year economic development plans), APT 40 (which targets countries central to the Belt and Road Initiative), APT10 (active since 2009, has targeted India, Japan and northern Europe) and APT19 (which attacks legal and investment firms). Another group, APT30, operated for at least 10 years in intelligence gathering from India and southeast Asian countries. But it was last reported in 2015 and it’s not certain if it’s still active. 

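So far, the most active hacker groups are APT41 (which targets 14 countries including India and operates in line with China's five-year economic development plans), APT 40 (which targets countries in the Belt and Road Initiative), APT10 (since 2009, its targets have been India, Japan and northern Europe) and APT19 (which attacks legal and investment firms). Another hacker group, APT30, operated for at least 10 years gathering intelligence in India and southeast Asian countries. But it was last reported in 2015, and it is not certain whether it is still operating.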

Indian agencies have come under attack several times. A cyber espionage network from Chengdu compromising government systems in India was reported in 2010 by the Citizen Lab, directly linking it to “the underground hacking community” in China. Then in 2016, the Calypso APT was reported to have targeted government organisations in India and five other countries. By 2018, about 35% of all cyber attacks on Indian sites were from China, Indian Computer Emergency Response (CERT-In) had said. Chinese media, meanwhile, said Indian hackers had been attacking China’s medical organisations during the Covid outbreak. 

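Indian agencies have been attacked many times. Citizen Lab reported in 2010 that a cyber espionage network in Chengdu had compromised government systems in India, directly linking it to “the underground hacking community” in China. Then in 2016, the hacker group Calypso APT was reported to have targeted government organisations in India and five other countries. The Indian Computer Emergency Response Team (CERT-In) said that by 2018 about 35% of all cyber attacks on Indian sites came from China. Meanwhile, Chinese media said that Indian hackers had been attacking China's medical organisations during the Wuhan pneumonia outbreak.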

But Zuola said there is more to this than just warfare: “The goal of CCP (Communist Party of China) is not cyber warfare but to obtain benefits through propaganda, disinformation, bribery, infiltration, large-scale collection of information to monitor, efforts aimed at undermining or influencing the policies, security or stability of other countries.” 

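But Zuola said this is about more than warfare: “The goal of the CCP is not cyber warfare but to obtain benefits through propaganda, disinformation, bribery, infiltration, large-scale collection of information for monitoring, and efforts aimed at undermining or influencing the policies, security or stability of other countries.”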

To do that, it relies on more than just hired hackers. “If the internet is a weapon, top hackers are a nation’s precious wealth,” says a post on a Chinese tech blog, going on to list China’s top hackers. The names Guo Shenghua, goodwell, badboy, Chinese Hawk and coolfire are hallowed here. Hacker communities speak of four “generations” of hackers: the first that began when China logged on to the internet in 1987, the second started around 1998 (considered by many to be the birth of Chinese hacking, in response to the Indonesian riots in which Chinese communities were attacked), the third around 2001 and the “new” generation which has been around for about five years. 

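To do that, it relies on more than just hired hackers. “If the internet is a weapon, then top hackers are a nation's precious wealth,” says a post on a Chinese tech blog, which goes on to list China's top hackers. Names such as Guo Shenghua, goodwell (Gong Wei), hacked, Chinese Hawk and coolfire (Lin Zhenglong) are all placed here. Hacker communities speak of four “generations” of hackers: the first began in 1987 when China logged on to the internet, the second began in 1998 (considered by many to be the birth of Chinese hacking, in response to the Indonesian riots in which Chinese communities were attacked), the third came around 2001, and the “new generation” has been around for about five years.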

“Organisations like Hongke Alliance, Red Hacker Alliance and Chinese Eagle (top hacker groups in China) are not professional ones … When patriots and nationalists use keyboards and international networks to conduct online protests, they find a flag and a slogan to summon support. It becomes a gathering place for protest and distribution of hacking technology and hacking tools,” said Zuola. When their goals align, the government could look the other way. “Hackers recruited by the government will not be full-time ones. They usually act as consultants to provide solutions for the needs of the government … The government-recruited hackers can claim to be database engineers, systems engineers, software developers, project managers or academic researchers. They don’t even need to deliberately cover up their status of working for the government unless they need to work in a foreign company. In that case, they work remotely.”

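“Organisations like Hongke, the Red Hacker Alliance and Chinese Eagle (hacker groups in China) are not professional hacker organisations … When patriots and nationalists use keyboards and international networks to conduct online protests, they find a flag and a slogan to summon support. It becomes a gathering place for protest and for distributing hacking technology and hacking tools,” said Zuola. When their goals align, the government may turn a blind eye. “Hackers recruited by the government will not be full-time hackers. They usually act as consultants, providing solutions for the government's needs … Government-recruited hackers can claim to be database engineers, systems engineers, software developers, project managers or academic researchers. They don't even need to deliberately cover up their status of working for the government, unless they need to work in a foreign company. In that case, they can work remotely.”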