
Hacktivism with Chinese Characteristics and the Google Inc. Cyber Attack Episode


China’s legions of hackers, known as Hongke (Red Guests), hit headlines across the world on Jan 12, 2010, as soon as David Drummond, Senior Vice President, Corporate Development and Chief Legal Officer of Google Inc., announced a “sophisticated” cyber attack on its infrastructure.[i] Google Inc. engineers, as reported in The Washington Post, The New York Times and MarketWatch, had suspected the mischief as early as Dec 2009 and located the attackers in the People’s Republic of China (PRC). According to US Congressional sources, reported subsequently in the US print media, the Chinese cyber attacks had by then targeted at least 34 US companies, including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical. Eli Jellenc of VeriSign’s iDefense Labs, who helped some firms to investigate the attacks, held that the Chinese hackers were after the ‘source code’ of the targeted US companies. They employed multiple types of malicious code against multiple targets in their pursuit. Nonetheless, as security experts in the field hold, cyber attacks of this kind constitute part of China’s ‘concerted political and corporate espionage’ against its adversaries.[ii]

The turn of events included a startling rebuff, if not retaliation, from Google Inc. and a reproachful spat between the US administration and the PRC, which transcended all past acrimonious exchanges. In its totality, beyond political colours, the development embodies a substantial change in the US threat perception of Chinese ‘hacktivism’.[iii] Amidst China’s denials and counter-claims, several countries, including India, have since pointed fingers at Chinese hackers.[iv] According to a release of the IT security firm Sophos on Feb 3, 2010, China ranked third with an 11.2% share, after the US (37.4%) and Russia (12.8%), among the top 10 malware-hosting countries on the web across the world during Jan-Dec 2009. China’s share has dropped from 51.4% in 2007 and 27.7% in 2008. Official Chinese denials apart, the ground realities thus testify to their inscrutable existence and their role in the world of cyber warfare.

The Google Inc. Cyber Attack Episode reveals both the defensive and the offensive character of China’s computer network operations (CNO) against its targets. The ‘self-censorship’ stipulation, which Google Inc. refused to comply with, threatening to leave its China operation otherwise, and the Golden Shield (jindungongcheng) Project, sometimes referred to as the ‘Great Firewall of China’, which operates directly under the command and control of the Chinese intelligence outfit, the Ministry of Public Security (MPS), happen to be the kingpin of all organized defensive efforts.[v] It has been official per se. The cyber force, entrusted with computer network operations (CNO), discernibly holds the charter for offensives. There are then the Psychological Operations (PSYOPS) troops, mobilized to provide propaganda cover, who play an offensive-defensive role with a difference.

The paper aims to discover and understand the ‘distinctive character’ of ‘Chinese hacktivism’, if any, in terms of both institutional and individual wherewithal. There is essentially a ‘pre-event hard side’ and a ‘post-event soft side’ of the operations. Leaving aside the specific ‘pre-event hard side’ of the Google Inc. episode, the paper delves into and focuses on the basics of the Chinese cyber warfare infrastructure, including the doctrine, responsible in part or in full for the growth and development of Chinese hacker outfits. The ‘post-event soft side’ of the Google Inc. episode has witnessed the Chinese media, academic circles and the government machinery speaking in just one voice, characteristic of the Chinese kind of political governance. It lends credence to the explicit and/or implicit culpability of the Chinese state in the outgrowth of the Chinese hacker community. In turn, it arouses academic concern to understand whether the Chinese state could declare a cyber war against its potent adversaries with the capability to disguise the origin of so-called ‘distributed denial of service’ (DDoS) attacks, as the Russian government reportedly did in the case of the Baltic state of Estonia in April 2007 and Georgia in July 2008.[vi] The study has thus been organized to focus on: the Pool Size and Antecedents of Hacktivists; State Leverage and Synergy; and Sources and Methods of Attacks. Postulates include: Chinese hacktivism has grown as a weapon of future war; the state and non-state hacktivists enjoy a favourable policy and technical support ambience for future growth and development, even under the omnipresent state scanner; and, subject to the hi-tech security mechanisms in place to deter, prevent, detect and defend, China’s competitors and adversaries, including India, face the prospect of cyber attacks of different intensities and dimensions.

Pool Size and Antecedents of Hacktivists

Chinese hacktivists tend to multiply fast both in number and skills. They constitute many layers of interest groups: malware tool developers, security researchers, and those in search of training. Through 1997-2010, the notoriety of the Chinese hacktivists has come to encompass quite a large area of cyber warfare activities.

James Mulvenon of the Center for Intelligence Research and Analysis, a consultant to U.S. intelligence agencies, put the number of trained Chinese military hackers at around 50,000 two years back, in 2008.[vii] The US Federal Bureau of Investigation had earlier put their number at 30,000 in 2003.[viii] They have had different levels of professional training at the People’s Liberation Army (PLA) Communication Command Academy, Wuhan, Hubei Province; the National University of Defence Technology (NUDT), Changsha, Hunan Province; the PLA University of Science and Engineering, Nanjing, Jiangsu Province; the PLA Information Engineering University, Zhengzhou, Henan Province; and the like. China’s People’s Armed Police Force (PAPF), entrusted, inter alia, with the task of ‘preservation of public order and security’, holds ‘several tens of thousands of cyber cops’, who can at will cross the rubric of policing the Chinese web space with impunity in the cyber war with the adversaries.[ix]

There are then quite a few non-state Chinese hacktivist groups operating across China. Scott J. Henderson has listed as many as 189 hacker groups, on the basis of their websites, in his seminal work, The Dark Visitor: Inside the World of Chinese Hackers. Other estimates put the number of Chinese non-state hacktivist groups at 250. One of the prominent groups, called the China Red Hacker Alliance (zhongguo hongke lianmeng), has a staggering membership of over 400,000 individual hackers.[x] Some of the top Chinese hacker groups known for their proficiency that collaborate with the Alliance included Xfocus, Black Eagle Honker Base, NSFOCUS, Venus Technology, Evil Octal, and the like. Other prominent Chinese hacker groups quite frequently making their presence felt in the game included Goodwell, Lonely Swordsman, Glacier, Leaf, Flyingfox, Coolswallow, China Eagle Group, Wicked Rose and the NCPH Hacking Group. These and hundreds of other Chinese hacker groups draw sustenance, in one way or another, from a large pool of 384 million Internet users, distributed over and sharing some of the 232.446 million IP (Internet Protocol) addresses, 16.818 million domain names and 3.232 million websites.[xi]

State Leverage and Synergy

The state leverage over Chinese hacktivists, both within the government fold and beyond it among non-state elements, is discernible at various levels and in various forms. The same holds good where it relates to inter-group synergy. This is notwithstanding the PRC of late making clear-cut distinctions between cyber crimes and cyber war, the former to safeguard its interests and the latter to impinge on the interests of the adversaries.[xii]

Over the period, China’s non-state cyber groups have constantly attacked adversaries on issues that stand to impinge on state policy. They have, accordingly, come to earn the honorific of “patriotic hackers”, whom China’s military or state security departments tend to hire for their operations.[xiii] Elements of the present-day China Red Hacker Alliance, while part of the Honker Union, engaged US hackers over the Hainan Island Incident, which related to the mid-air collision of a US Navy EP-3E Aries II signals surveillance aircraft with a PLA Navy J-8II interceptor fighter jet on April 1, 2001. They altered pages of US government websites.[xiv] The pages of the US Department of Labour and the Department of Health and Human Services were altered to display a picture of Wang Wei, the Chinese pilot who died in the collision. The page was titled “China hack!”, and read in English: “The whole country is sorry for losing the best son of China- Wang Wei for ever. We will miss you until the day”. Chinese hackers, masquerading under the pseudonym “Chinese Honker Team” and quite possibly affiliated to the China Red Hacker Alliance, showed up and attacked Iranian websites in retaliation for Iranian hackers, under the pseudonym Iranian Cyber Army, venturing to take over China’s search engine Baidu on Jan 12, 2010.[xv] There are tens of such stories from Taiwan, Japan and other countries, including India, involving one or another of the Chinese hacker entities.

There is an incredible ambience in China for the state and non-state hacktivist groups to evolve and work in something of a public-private partnership (PPP) model, in particular where it relates to Research and Development (R&D). This is evident from China’s preferential policies, extended to commercial computer and electronic enterprises that share their resources and data with the relevant units in the PLA, the paramilitary People’s Armed Police Force (PAPF), the Ministry of State Security (MSS), the Ministry of Public Security (MPS) and others.[xvi] The First Research Institute of the MPS has of late been at the forefront of recruiting Chinese graduates in areas including computers, engineering, mathematics and foreign languages. The same holds good for the research units of the MSS. The advertisements are being put on government and private websites. The recruitment of all those hackers is being carried out in the guise of hiring software engineers and Net-related security experts. The symbiotic relationship of the Chinese state with the Chinese hacktivists is equally evident in their training programmes, be they formal, as part of information warfare (IW), or informal hacking training outfits.[xvii] The Chinese hackers quite often hold seminars and run magazines with names such as Hacker X Files, Hacker Defense and the like, and provide tips on how to break into computers and/or build a Trojan horse step by step. In the ‘pre-event hard side’ of the game, as per Willy Lam, the kin of senior cadres carry a direct and/or indirect role, such as Dr Jiang Mianheng, the eldest son of former Chinese President Jiang Zemin and the vice Principal of the Chinese Academy of Sciences, and others.[xviii] The process is bound to gather momentum as the 12th Five Year Plan (2011-2015) of the PLA on the net-based combat system, including cyber espionage and counter-espionage, is put in place.

In the ‘post-event soft side’ of the game, the Chinese hacking community draws on national mobilization, far exceeding the symbiotic relations evident thus far in the course of the ‘pre-event hard side’ of the game. It is a sort of battle where the Chinese media, scholarship and officials come out in total denial and try to find even a scapegoat, wherever and whatever they can find plausible.

The Google Inc. Cyber Attack Episode stands as a clear testimony in living memory, where the Chinese media fired the first salvo. Unleashing studied rhetoric, it sought to convince the world that Google Inc. was working at the behest of the US administration to ‘impose its values on other culture in the name of democracy’. Global Times, a tabloid owned by People’s Daily, the mouthpiece of the Communist Party of China (CPC), ran a number of articles, including an editorial with the headline: “The world does not welcome the White House’s Google”.[xix] It sought to justify both Chinese censorship of Internet content and cyber attacks as such, with a difference. In a calculated defensive offensive, something of the order of the pot calling the kettle black, the Global Times called the US the very first country in the world to have created a ‘cyber army of 80,000 people equipped with over 2,000 computer viruses’. Even where it could be true, the supposedly unscrupulous act of ‘X’ cannot juristically justify the unscrupulous act of ‘Y’ for all intents and purposes.

Chinese officials and experts stood guard over the media offensive. In a statement, Zhou Yonglin, the Deputy Operations Director of the National Computer Network Emergency Response Centre (NCNERC), said: “Everyone with technical knowledge of computers knows that just because a hacker used an internet protocol (IP) address in China, the attack was not necessarily launched by a Chinese hacker.” It can be little different from a defence of the indefensible. iDefense Labs, among other security firms, has testified that the IP addresses of the attack on Google Inc., as much as on other targets, corresponded to a ‘single foreign entity consisting of either of agents of Chinese state or proxies thereof’. Chinese Foreign Ministry spokesman Ma Zhaoxu justified the sordid game with a difference. He found the gagging of Internet content to be the need of the hour, in tandem with China’s ‘national conditions and cultural traditions’. As for the offensives of the Chinese hacktivists, Ma preferred the cloak of existing legal stipulations that render hacking a punishable crime in China.[xx]

Going a step further, Chinese scholarship in the field has been busy finding a scapegoat. Spitting fire and spilling scorn, Peter Lee, for example, found it expedient to suggest that the Google Inc. episode was but a help to India, the ‘US ally’ and ‘China’s emerging rival’, and born of two hard realities: the US business giant Google Inc. not ‘doing well in China’ and US President Barack Obama not ‘doing well in United States’ in the so to say ‘high profile confrontation with China’.[xxi] Wang Yizhou, deputy chief of the Institute of World Politics and Economy at the Chinese Academy of Social Sciences, characteristically tried to turn the tables on the US and said: “In the US, a country that boasts its Internet freedom, governmental supervision virtually infiltrates across the nation, and its influence further extends to worldwide servers…The information-searching via Google and the online chatting through Windows Live Messenger are all under stringent surveillance, and the relevant agencies are tasked with compiling backups.” Even if true, it cannot justify China’s merit. In fact, Chinese hacktivism of the kind finds justification as being non-kinetic and is in tandem with China’s two strategic doctrines: first, ‘Gaining Information Dominance’ (zhi xinxi quan) against potential adversaries; and second, adhering to ‘Three Warfare’ (san zhong zhanfa).[xxii] It is then in tandem with one of the 36 strategies of China’s age-old wisdom, to ‘kill with borrowed sword’.[xxiii]

Sources and Methods of Attacks

While it is not yet conclusive, Shanghai Jiaotong University and the Lanxiang Vocational School were hand in glove in the Google Inc. Cyber Attack Episode.[xxiv] In the break-in, as Joe Stewart, a malware specialist with the Atlanta-based computer security firm SecureWorks, says, the hacktivists in question used a programme based on an unusual algorithm, once discovered in a Chinese technical paper published exclusively on Chinese-language websites. The malware was a “Trojan Horse”, capable of opening a backdoor on a computer on the Internet.

There have been 35 well-known incidents, beginning in May 1999, when the Chinese hacktivists attacked US government sites in retaliation for the accidental bombing of China’s Embassy in Belgrade, Serbia, and spanning all these years until the Jan 12, 2010 Google Inc. Cyber Attack Episode. They were distributed over scores of countries, in particular the US, Taiwan, Japan, New Zealand, Australia, South Korea, France, Germany and India. Through much of them, the methods brought to bear by the state and/or non-state Chinese hacker community fall into three major categories: the first is the use of e-mails for planting viruses; then phishing; and lastly, the introduction of ‘intelligent trojans’ and ‘vacuum trojans’. The tools employed thus far range from robotic and simple to brainy and sophisticated. For instance, Chinese hackers have quite frequently used a ‘vacuum Trojan’ to extract information from a pen drive automatically when it is connected to a USB port. It is also believed that the next step could be planting the targeted sites with fake or partially fake data, which is more difficult to detect.

China’s cyber weapon capabilities have come to be considered quite advanced, assessed to be so far the fifth in ranking, with all-out efforts being made to rival the US, the topmost in the world in IW capabilities. The arsenal, in order of threat, includes: large, advanced BotNet for DDoS and espionage; electromagnetic non-nuclear pulse weapons; compromised counterfeit computer hardware; compromised peripheral devices; compromised counterfeit computer software; zero-day exploitation development framework; advanced dynamic exploitation capabilities; wireless data communication jammers; computer viruses and worms; cyber data collection exploits; computer and network reconnaissance tools; embedded Trojan time bombs; and compromised micro-processors and other chips. Chinese media reports suggest that the Chinese IW units have been accessing, if not outsourcing, R&D for developing viruses to attack the computer systems and networks of the adversaries, and tactics to protect friendly computer systems and networks. In Nanjing, the PLA has developed more than 250 trojans and similar tools. The Chinese Academy of Sciences, which provides suggestions about national information security policy and law, has established the State Lab for Information Security, with the ‘National Attack Project’ as one of its research programmes. A couple of recently held military exercises bear out that the PLA has since increased the role of CNO and has been concentrating on offensive operations, primarily as first strikes against the networks of adversaries. The state and non-state Chinese hacktivist combines thus pose a real-life threat until they are technologically matched and surpassed in both the defensive and offensive mechanisms at hand.

(The writer, Dr. Sheonandan Pandey, is an eminent analyst based in New Delhi. Email:
