China's Hacker Army

The myth of a monolithic Chinese cyberwar is starting to be dismantled. A look inside the teeming, chaotic world that exists instead -- and that may be far more dangerous.

A flier for a prominent Chinese hacker’s presentation on the how-tos and wherefores of hacking, drawing on sources as diverse as Shakespeare, the Diamond Sutra, and … Google.

The autobiography of hacker SharpWinner opens on a bunch of young men in a high-rise apartment thick with cigarette smoke, in an unnamed city somewhere in China. Hacking is hard work, and this particular group, one of hundreds spread across the country, has been at it for hours. But the alpha male of the group, a "handsome and bright youth" -- throughout The Turbulent Times of the Red Hackers, SharpWinner refers to himself in the third person -- is unflappable. After he completes a backdoor intrusion into a Japanese website, he takes a break to field text messages from female admirers.

It would be easy to dismiss SharpWinner, who has promoted his book on national television, claiming he has a movie deal in the works, as an attention-hungry stuntman. And in fact, the news that Google and dozens of other companies had been hit by a mammoth attack originating in China this past winter evoked the strong arm of the Chinese government -- not SharpWinner's amorphous world of hacker bandits. The Internet giant said the decision to go public with information on Operation Aurora, as the hack has been dubbed, "goes to the heart of a much bigger global debate about freedom of speech." The Chinese government's spying on the email accounts of human rights activists, Google intimated, was behind its threat to pull out of China. (It has yet to make good on that claim.)

But a report released Tuesday by Atlanta security firm Damballa says the Aurora attack looks like the work of amateurs working with unsophisticated tools. That revelation, along with a separate story in the Financial Times that a freelancer wrote the Aurora code, is focusing attention on China's loose web of cowboy hackers. And SharpWinner -- the leader of a coalition including anywhere from 50,000 to 100,000 civilian members and, before he disappeared from public view in 2007, a regular participant in international cyberconflicts, including the 2001 hacker war stretching from China to the White House -- is just the beginning.

The Aurora attacks represented an attempt by hackers apparently based in China to steal valuable information from leading U.S. companies. (So far the list of victims includes Adobe Systems and Dow Chemical, in addition to Google.* Over the weekend, a security researcher told Computerworld that Aurora might have penetrated more than 100 firms.) Investigators are still trying to understand where Aurora came from and what it means, but already some surprising clues have emerged. The Financial Times story followed on the heels of a New York Times story reporting that researchers have traced the attacks back to two Chinese universities, one of which has long been a training ground for freelance or "patriotic" hackers. Among the implications of these reports: The U.S. understanding of Chinese hacking is seriously out of date.

Western media accounts typically overlook freelancers in favor of bluster about the Chinese government. Some pair breathy accounts of cyberwar with images dredged up from 1960s People's Liberation Army propaganda, as if to suggest China has some centrally administered cyberbureau housing an army of professional hackers. Others make improbable or unsubstantiated allegations. Two years ago, a National Journal cover story claimed Chinese hackers were responsible for the 2003 blackout that crippled much of the U.S. Northeast, an event repeated investigations have attributed to domestic negligence.

In fact, the hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented -- and sometimes unruly -- patriotic hackers. Since the 1990s, China has had an intelligence program targeting foreign technology, says James A. Lewis, senior fellow for cybersecurity and Internet policy at the Center for Strategic and International Studies. Beyond that, however, things get complicated. "The hacking scene can be chaotic," he says. "There are many actors, some directed by the government and others tolerated by it. These actors can include civilian agencies, companies, and individuals."

To anyone who speaks Chinese, that chaos is obvious. Google the characters for heike -- a transliteration of "hacker" that means, literally, "black guest" -- and you'll come up with pages and pages of results. Sites such as www.chinahacker.com, www.cnhacker.com, and www.hackbase.com contain step-by-step instructions, advertisements for how-to seminars -- become a hacker in a few short weeks! -- and screen shots of foreign casualties. And yet they are clearly not the work of the central government. Read on (or don't -- the sites are packed with malware and users visit at their own peril) and you'll find threads roiling with bitter infighting, foul-mouthed forum posts, and photos of scantily clad women.

"There are literally hundreds of these sites," says Scott J. Henderson, an intelligence contractor and former U.S. Army linguist who has written a book on Chinese hackers. "They all have different agendas and different personnel. It's not as well-coordinated as everyone sitting down in a room and someone saying, 'You, go write this code.' 'You, go write that.'"

Instead, China's hackers spring up organically. Mix together widespread youth nationalism with a highly wired population -- China now boasts the most Internet users in the world, with 384 million people online -- and out comes patriotic hacking. The self-described "red hackers" are the product of "the fact that we live in a time when our country is moving toward prosperity," SharpWinner once said, quite accurately. Prosperity also ensures a market for abundant hacker memorabilia: hacker magazines, hacker T-shirts, and tell-all books like his. While traveling through rural China once, I stumbled across bins in a village store filled with Hacker brand candy. (It tastes like saltwater taffy.)

Every August, top hackers convene in Beijing for a conference ostensibly about information security but described by one participant as including seminars on common attack techniques. China's hackerati range from flamboyant prima donnas like SharpWinner to Sunwear, a slight, pixie-ish twentysomething who marks his website defacements with the innocuous tag line "just for fun!", to Xiao Tian, the unattainable femme fatale leader of China Girl Security Team. Many of their causes neatly overlap with the interests of the Chinese government. Take one of the events that drove the development of hacker culture in China: the 1999 NATO bombing of the Chinese Embassy in Belgrade. In retaliation, hackers plastered the website of the U.S. Embassy in Beijing with the phrase "Down with the Barbarians!" Or the targeting of email accounts of the Save Darfur Coalition, which opposes Chinese involvement in Sudan, in 2008. Or GhostNet, the cyberspying operation originating in China that was revealed last year to have infected 1,295 computers in 103 countries -- including the Dalai Lama's network in Dharamsala, India. The University of Toronto researchers who uncovered the attack have not yet pinpointed its architects, but in a report on the attack, they noted the operation could easily be the work of patriotic hackers using "do-it-yourself signals intelligence."

But the fact that these hackers' interests overlap with Chinese policy does not mean they are working on behalf of Beijing, and indeed many of their activities suggest no government interference at all. "Governments are not taking over botnets of compromised computers to conduct denial-of-service attacks," says Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. It helps, however, that Beijing turns a blind eye to their attacks. An unwritten rule holds that freelance hackers are left alone as long as they target foreign sites and companies. Once they go after information inside China, the government cracks down. For a hacker interested in self-preservation, the choice is clear.

Another part of the bargain appears to be remaining open to government requests. If the Financial Times report is correct, Operation Aurora was executed with code developed by a thirtysomething freelance Web security consultant working independently, without government prodding. According to the paper's informant, described as a U.S. government researcher, the hacker simply posted a chunk of the code on a hacking forum, where it found its way into Chinese government hands. "He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing," the researcher was quoted as saying.

The rest of the story should become clearer in coming months. But another report traces the attacks to servers at Shanghai Jiao Tong University's School of Information Security Engineering, one of China's top computer science schools and a hotbed for freelance hackers. For years, students there have freely organized hacker groups and traded war stories in forums hosted on the school website. In 2007, Shanghai Jiao Tong graduate student and veteran hacker Peng Yinan hosted an information session titled "Hacker in a Nutshell" in a school conference room. The PowerPoint slides he worked off -- which until recently could be downloaded from his group's website, now down -- glorify hacker culture and explain successful techniques that can be tried at home, pointing out that Chicago Tribune reporters once uncovered contact information for thousands of CIA agents using a basic online service. A flier advertising the event described Peng as a consultant for the Shanghai Public Security Bureau.

Another student whose screen name appears on Peng's hacks -- but who told me he wasn't involved -- went on to work for Google.

Could Operation Aurora have been written by a freelancer, picked up by a bureaucrat, and then reassigned to a freelancer with ties to Google? It is a possibility worth entertaining, at least. Some have argued that the Chinese government should have more effective means for securing intelligence than students and online misfits. But others say a decentralized approach suits Beijing just fine. "You can see the benefits of having a blurry line," says Lewis. "The Russians do it all the time with Estonia: 'Of course it wasn't us. Can you prove it was us?'"

Ultimately, a loose connection between Beijing intelligence operatives and patriotic hackers is more troubling than a strong one. Governments operate under constraints. Gangs of young men -- as the United States has learned the hard way -- don't. "Certainly if it's government-sponsored cyberwarfare, I have someone I can deter," says Henderson. "If it's mutually assured online destruction -- OK, I can at least develop a theory on that. But with rogue Internet actors it's very difficult. They're potentially very dangerous."

The thought would flatter SharpWinner. In his TV appearance, he confided his concerns about hacking culture in China. He had witnessed the disintegration of some prominent hacker groups, and he fretted that most patriots simply get on board whenever some international incident flares up and lay off hacking foreign companies once things cool down. But with a little effort these challenges can be overcome, he concluded, saying that he is encouraged by a recent resurgence of interest in hacking. Then he addressed listeners directly. "Brothers," he intoned, "go with me! The future of red hacking is bright!"

*The original version of this article cited reports that RAND Corporation had been hit by Aurora. A RAND spokesman wrote in to say "RAND has not been hit -- we have no evidence of attacks or having been targeted by Aurora."



Burma's Oscar Moment

Forget Avatar, The Hurt Locker, and all the rest for a minute. Here's the story of the film that deserves to win big.

Over the next few days we're going to be hearing a lot about big blue aliens and George Clooney and bomb-disposal experts in the Iraq war. But there's another film you should be rooting for when they hand out the little gold statues on March 7.

Burma VJ hasn't been in the headlines much. It has been making its way around the global film-festival circuit, garnering its share of awards. Still, its U.S. box office receipts to date are measured in tens of thousands of dollars, not hundreds of millions.

Let's hope that's about to change. The film is up for best documentary feature, and to be honest, I can't imagine what could possibly compete. You certainly can't beat the story line. In August 2007 a few thousand red-robed Buddhist monks took to the streets of Rangoon, Burma's biggest city, to join a nascent protest against the military dictatorship that has been crushing the life out of their country for nearly the past 50 years. Burmese culture is deeply rooted in traditional Buddhist belief, so the monks' sally represented a particularly potent challenge to the regime. What would happen next?

Ordinary Burmese have risen up before. A student-led nationwide protest back in 1988 had the generals on the run -- until the Burmese Army retaliated with a bloodbath that took thousands of lives. (The exact number will probably never be known.) When the government grudgingly responded to popular pressure by allowing an election in 1990, Burmese voters handed a solid victory to the party of opposition leader Aung San Suu Kyi. The junta suppressed the results, threw Aung San Suu Kyi back into house arrest, and forced the country, at gunpoint, back into decades of stagnation.

News of the 1988 uprising trickled to the outside world in a few snippets of grainy film and a clutch of photographs, all precariously hand-delivered over the border to neighboring countries. The events of 2007 would turn out differently. As the monks' revolt that autumn took off, every moment was being filmed by a small squad of guerrilla video journalists -- the "VJs" of the film's title -- working for an opposition group, Democratic Voice of Burma (DVB), that had spent years training them for just such an occasion. The camera-wielding activists used cell phones and the Web to smuggle out their footage almost as fast as they shot it. The images they recorded didn't only generate international interest by keeping the outside world apprised of events; their video was also beamed back into Burma via satellite, thus adding fuel to the protests.

This is the story told by Burma VJ. Although the Danish filmmakers who crafted the documentary rely primarily on original footage shot by the DVB's on-scene journalists, they don't stop there. We watch events unfold through the vantage point of Joshua, a DVB cameraman who has been forced to leave Burma because he has attracted the attention of government goons. When the monks' protest begins, he's coordinating coverage from Thailand, keeping up with his colleagues back home by online chat and mobile phone. Like us, he's at once involved and remote -- a device that turns the unfolding story into an arresting mix of cinéma vérité and political thriller.

"I feel I want to fight for democracy," Joshua informs us in a voice-over near the start of the film. "But I think we had better make a longer plan. We cannot go out into the streets again and get shot because we have no more people to die." The protesters of 1988, he muses, "were so brave, but sometimes I feel like they died for nothing." He wants, he says, to remind the world that "Burma is still here."

That's exactly what Burma VJ manages to do. The generals have kept their hold on Burmese society through the depressingly familiar mix of fear, force, and propaganda -- and there are the handycams of the DVB reporters, cutting through it all. We exult as ordinary citizens overcome their nervousness and join the monk-led processions. We cheer as the crowd swarms in to protect the VJs from the white-shirted government thugs who try to drag them off to jail. We marvel at the demonstrators' unforgettable chant: "May all beings living to the East be free; all beings in the universe be free, free from fear, free from all distress!" And we choke up, with Joshua, when the monks finally dare to march down the road past the home of a certain Nobel Peace Prize laureate. The VJs aren't there, so all we manage to see is a blurry snapshot of Aung San Suu Kyi standing in her gateway, almost unrecognizable as she greets the monks. "It's not a great photo," Joshua muses. "You can only see a small lady. But we couldn't see her for a long time."

Images, in short, aren't just about their literal meanings; they're also powerful conduits of emotion. And, yes, they can also lie -- as we see at the very beginning of the film, as Joshua contemplates government television broadcasts that depict a country happily united under its heroic leaders. No question, the film reminds us of the overwhelming power of the unadulterated image, such as the video footage of a monk's corpse floating in a creek on Rangoon's outskirts, just after the moment when the regime finally decides to crack down on the monasteries. Yet Burma VJ also touches upon the ambiguities that linger behind even the clearest images.

For example: Is the aspiration to objectivity a luxury of people who live in healthy societies? The VJs in the film don't even pretend to be the usual journalistic bystanders. They're perfectly happy to step in and strategize with the demonstrators. We even see one journalist literally issuing marching orders: He recommends a more effective route to a monk who's leading a procession, and the monk happily complies. The fact is that there are no easy choices when you're trying to defy a regime as vicious as the one that rules Burma. Just to take one example: The International Confederation of Free Trade Unions accuses the country's military rulers of forcing hundreds of thousands of people -- men and women, children and the elderly -- to work against their will on government projects: "Refusal to work may lead to being detained, tortured, raped, or killed."

Here's a cell-phone dialogue between Joshua and one of the activists on the other side of the border:

"People have to get arrested. They have to die. Monks, too."

"Don't say that."

"Our country is different from the rest of the world."

"I don't understand politics. But I don't want to see monks and people dying. I can't stand it anymore."

"Be strong, my dear."

That conversation, like many others in the film, is a reconstruction. Jan Krogsgaard, one of the Danish filmmakers behind Burma VJ, explains that certain key moments in the narrative weren't actually captured by the DVB journalists, so scenes were shot to fill in the gaps. He insists that the makers of the film were careful not to stray too far from the bounds of authenticity; some of the phone conversations in the film are based on the saved texts of online chats, for example. In some cases identities had to be protected. Director Anders Ostergaard even used actors in two episodes that are seamlessly presented as part of the DVB journalists' original on-location footage -- a sleight of hand that has generated understandable controversy. Time correspondent Andrew Marshall has taken the filmmakers to task for mixing authentic footage with acted scenes. In an interview with me, Krogsgaard defended the reconstructions as "entirely legitimate," saying they depict events that actually occurred but weren't caught on camera, such as a secret police raid on the DVB's Rangoon headquarters as the government crackdown escalates. (There is a corresponding disclaimer at the beginning of the film.) This is an important discussion. But I don't think it ultimately invalidates the film.

Burma VJ winds down just the way the story did in real life: The regime ultimately succeeded in tamping down the protests by arresting the rebellious monks en masse. Many of them remain in prison today. The rest of the world may have moved on, but Burma continues to suffer. At the end of February, the Burmese Supreme Court refused an appeal by Aung San Suu Kyi, who is struggling to be released in time for next year's scheduled general election. The court's move was criticized even by Singapore, which has often been reluctant to scold the generals. The outlook isn't promising.

Even the small moral victories sometimes come at a depressing cost. As Krogsgaard told me, the regime has been known to use DVB footage as an aid in identifying and arresting members of the opposition: "It's this unpleasant paradox -- that every time you succeed, someone in Burma gets a harder time." For the moment, Burma is silent once again. But the DVB's trainers haven't given up. They're hard at work, in Thailand and elsewhere, preparing the next generation of video journalists. It will take as long as it takes.
