Google recently announced a spear phishing campaign that had been going on for over a year and ‘which appears to originate from Jinan, China’ that targeted the personal Gmail accounts of hundreds of various persons of interest, presumably to the Chinese government.
The proof to support the headline was that Chinese IP addresses were involved. What both Google and Siobhan Gorman, who reported on the story for the Wall Street Journal, failed to disclose was that other countries IP addresses were used as well, including South Korea and the United States. Copies of the spoofed emails, along with the originating IPs, were disclosed back in February on the Contagio blog. Of the six IP addresses used in the military and government employee phishing scheme, two were from Hong Kong, two were from Beijing, one was from Seoul, and one was from New York:
1) 113.28.117.4: Hong Kong (PCCW Business Internet Access)
2) 115.160.146.16: Hong Kong (Wharf TT Ltd)
3) 218.56.241.32: Beijing (China Unicom)
4) 218.56.239.206: Beijing (China Unicom)
5) 61.106.26.226: Seoul (Korea NIC)
6) 69.147.251.108: New York (Nobis Technology Group LLC)
In 2010, Telegeograhy rated China Telecom (55 million customers) and China Unicom (40 million customers) as the two largest ISPs in the world, serving 20 percent of all broadband customers on earth. And neither company restricts its customer base to residents of the People’s Republic of China. Anyone can buy server time on any of these mainstream Chinese ISPs: China Telecom; China Mobile; China Unicom; and HiChina Zhicheng Technology Ltd.
Payment per year ranges from 5,000 yuan to 25,000 yuan ($770 to $3,860), and can be made via bank online transfer, domestic and international wire, Alipay (China's Paypal), and even cash in certain cities such as Beijing and Guangzhou. In other words, no matter where in the world you live, you can lease server time and set up an email account that will resolve to China. And if you use it to phish the Gmail accounts of your targets, you’ve hit the gold standard of mis-direction because there’s almost no alternative analysis done anymore when it comes to attacks that geolocate to an IP address in China.
Google may have chosen to focus on the two IP addresses that resolved to Jinan, the capital of Shandong Province, because its home to Lanxiang Vocational School, which was associated with the Google attacks of December 2009 to January 2010 and because it has a PLA regional command centre. The problem with this is that Jinan is a high-tech industrial zone with more than 6 million people and more than a dozen universities. Sourcing an email to Jinan is like sourcing a fruit shipment to California's Central Valley. It wasn’t good evidence back in January, 2010 and it’s no better now.
There are at least a dozen foreign governments that I can think of who have a vested interest in reading the personal email accounts of US China policy makers, military leaders, government officials, etc. and all of them are standing up Cyber Commands and enjoy the benefit of their own nationalistic hacker crews from time to time.
None of this rules China out as the responsible party, of course. I’m simply arguing for a higher bar of evidence before making the leap that China did it. One alternative method, for example, is to try to answer why the spear phishing attack was done. Once you have a clear grasp as to why, you can move on to creating a list of those who would benefit, and then look for reasons that might exclude each member of that list. The discipline of alternative analysis has been a difficult one to adopt even among those who do it for a living within the intelligence community because our individual perceptions are highly biased in favour of something called mirror-imaging; i.e., we imagine that everyone sees things as we do.
Another obstacle to alternative analysis is fear: the feat of being wrong; of looking silly; of taking an unpopular stand and suffering the consequences; and so on. Now that the Pentagon has determined that a cyber attack may be sufficient to justify a kinetic response, it’s imperative that corporate leaders like Google, government leaders like the US Secretary of State, and influential media exercise more due diligence before leaping to conclusions that may have harmful, possibly irreversible, international repercussions.
This is an edited version of an entry that also appears on Carr's blog. Carr is also the author of 'Inside Cyber Warfare: Mapping the Cyber Underworld' (O'Reilly Media, 2009).