In David’s earlier post on the possibility of an emerging proto-insurgency in Tibet, he cites the fact that Tibetan activists are effectively exploiting virtual networks to further their cause:
In common with other groups, Tibetans are using some of the cutting edge techniques of post-modern insurgency. These include virtual networks involving a diaspora, alliances with other groups with similar or related aims, global connectivity, and a really rather sophisticated and effective propaganda campaign.
According to a report in Information Week, these techniques of post-modern insurgency David refers to are being countered by opposing techniques of post-modern counterinsurgency. The report claims that ‘A shadow war against organizations supporting Tibetan protesters has erupted in cyberspace, mirroring efforts by Chinese authorities to quell unrest in Tibet.’
Among the techniques being employed is the following:
The cyberattack involves sending e-mail messages to mailing lists, online forums, and people known to be affiliated with pro-Tibet groups. To enhance their legitimacy, the messages contain information related to recent events in Tibet and may appear to come from a trusted person or organization.
But the content is simply bait, a social engineering con, to get recipients to open the documents and trigger an exploit. “The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe,” explains Hypponen. “This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.”
While the source of the attacks has been traced back to China, this doesn’t necessarily mean the Chinese are responsible. Greg Walton, who researches Chinese computer espionage and provides IT support for Tibetans, states: “These attacks are sophisticated. We can only speculate where they’re coming from. We can say the control servers are based in China. But these servers can just be stepping stones.”
Interestingly, although it is probable that China is indeed the origin of the attacks, it is likely that they are a bottom-up emergent phenomenon rather than a state-controlled initiative. As Marcus Sachs, director of the SANS Institute Internet Storm Center, explains:
Sachs recounted how in 2001, following a collision between a U.S. Navy EP-3 reconnaissance plane and a People’s Liberation Army jet, Chinese hackers attacked U.S. servers. “Best we could tell, there was no Chinese government involvement,” he said.
Sachs believes the cyberattacks directed at Tibetan organizations are similarly the actions of Chinese hackers motivated by nationalism, without national direction.
The massive cyberattack on Estonia last year, in response to Estonia’s decision to move a Russian war memorial, presents an analogous situation. While Russia’s hand in the affair is easy to imagine, cybersecurity experts mostly see the attack as an act of nationalist zeal rather than coordinated, state-sponsored cyberwarfare.
If it is true that the Chinese state is not behind the attacks, it would suggest that what we are witnessing is the evolution of a form of open-source counterinsurgency resulting from the spontaneous mobilisation of a distributed network of self-selecting ‘virtual counter-insurgents’. Conversely, if the Chinese state is responsible, it raises other important questions. As the Information Week piece concludes:
Now that the Internet has evolved from a geeky curiosity to a shared transnational platform of economic, social, and political consequence, the question becomes, what kind of political response is appropriate for such attacks?