Amid growing US concerns over ongoing Chinese cyber attacks, attribution remains the most complex issue. At the open source level at least, it has been hard to find a ‘smoking cursor.’ That is, until the broadcast of a recent cyber warfare programme on the military channel of China’s state TV network.
The programme appeared to show dated computer screenshots of a Chinese military institute conducting a rudimentary type of cyber attack against a US-based dissident entity. However modest, ambiguous—and, from China’s perspective, defensive—this is possibly the first direct piece of visual evidence from an official Chinese government source to undermine Beijing’s official claims that it never engages in overseas hacking of any kind for government purposes. Clearly, Washington and Beijing have much to discuss candidly here if they are to avoid dangerous strategic tension.
China Central Television 7 (CCTV-7) is China’s official channel for military and agricultural issues. As part of its wide-ranging coverage, every Saturday it runs a 20-minute programme called ‘Military Science and Technology.’ It’s always worth watching, given the range of timely topics covered and the detailed analyses offered by Chinese specialists. The July 16 edition was particularly so.
Entitled ‘The Internet Storm is Coming’ (网络风暴来了), it begins with a broad discussion of cyber attacks. It showcases a statement by then-US Defense Secretary Robert Gates at the Shangri-La Dialogue in Singapore in June. This important international conference was also attended by Gates’ Chinese counterpart Gen. Liang Guanglie. Emphasizing that the United States was extremely concerned about the cyber attacks that it was continually suffering from, Gates suggested that some attacks could rise to the level of an act of war and prompt the United States to respond with force.
Chinese military expert Du Wenlong then highlights President Barack Obama’s May 2009 remarks in which he emphasized the importance of securing the nation’s digital infrastructure and declared it a strategic national asset. Du explains that Washington would regard some types of cyber attacks as acts of war because modern military operations rely heavily on digital networks and cyberspace: ‘networks have become the basis for military action and for winning a war.’ Du appears to be well acquainted with his subject matter, and provides cogent explanations of complex cyber issues.
But here is where the programme deviated for six seconds from its typical theoretical coverage of broad military trends to offer an unusually specific Chinese example. An initial screen was labelled ‘Vulnerability Report’ in large letters; a narrator intones that ‘there are many Internet attack methods.’
As the narrator discusses a means of implementing hard and soft cyber/network attacks, footage displays what appears to be a human-operated cursor using a software application with Chinese character labelling to launch a ‘distributed denial-of-service’ (DDOS) attack.
This particular DDOS is against a website formerly affiliated with the dissident religious group Falun Gong. Under large characters reading ‘Select Attack Target,’ the screenshot shows ‘Falun Gong in North America’ being chosen. Here it must be emphasized that DDOS attacks are generally extremely rudimentary. As will be explained later, if the footage in question was real, it’s likely a decade old.
Drawing on a ‘Falun Gong website list’ encoded in the software, the cursor selects the ‘Minghui Website’ from a pull-down menu of Falun Gong websites. Minghui.org is the main website of Falun Gong’s spiritual practice, and hence a logical target.
Hovering over a software window labelled ‘IP Address of a Website Chosen to Attack,’ the cursor selects the IP address 184.108.40.206. This was once linked to the University of Alabama in Birmingham. According to the Epoch Times, which was founded by Falun Gong supporters, a UAB network administrator ‘recalled that there had been a Falun Gong practitioner at the university some years ago who held informal Falun Gong meetings on campus. They couldn’t confirm whether that individual used the IP address in question, and said it had not been used since 2010.’ PC World added that the site was created ‘by “a former student and was decommissioned in 2001 as it violated our acceptable use policy,” according to Kevin Storr, a UAB spokesman.’
During this sequence, some interesting characters remained at the top of the screen: ‘Attack system…PLA Electronic Engineering Institute.’
The programme then returns to general cyber attack themes.
As this research note went to press, the programme footage remained readily visible and viewable on the CCTV website.