China hacker opens window into cyber-espionage

BEIJING — For a 25-year-old computer whiz enlisted in a People’s Liberation Army hacking unit, life was all about low pay, drudgery and social isolation.

Nothing at all like the unkempt hackers of popular imagination, the young man wore a military uniform at work in Shanghai. He lived in a dorm where meals often consisted of instant ramen noodles. The workday ran from 8 a.m. to 5:30 p.m., although hackers were often required to work late into the evening.

With no money and little free time, he found solace on the Internet. He shopped, chatted with friends and courted a girlfriend. He watched movies and television shows. He drew particular inspiration from the Fox series “Prison Break,” and borrowed its name for his blog.

The blog provides a rare peek into the secretive hacking establishment of the Chinese military, which employs thousands of people in what is believed to be by far the world’s largest institutionalized hacking operation.

Concern about computer security has risen sharply in recent weeks. Top U.S. intelligence officials said Tuesday that attacks and espionage now pose a greater potential danger than al-Qaida and other militant organizations. The computers of more than 30 journalists and executives of Western news organizations in China, including The New York Times and The Wall Street Journal, have been hacked.

Mandiant Corp., a U.S. computer security company based in Alexandria, Va., said in a report last month that it had traced an epidemic of attacks on dozens of U.S. and Canadian companies to an office building in Shanghai occupied by an espionage unit of the People’s Liberation Army.

Richard Bejtlich, Mandiant’s security chief, said posts written by the blogger, who called himself “Rocy Bird,” provided the most detailed first-person account known to date of life inside the hacking establishment. Although the blog was discontinued four years ago, the techniques described in it remain the same. “It is relevant,” said Bejtlich. “Things have not changed that much.”

The hacker, whose real family name is Wang, posted 625 entries between 2006 and 2009. “Fate has made me feel that I am imprisoned,” he wrote in his first entry on Sina.com. “I want to escape.”

Los Angeles Times reporters tracked down Wang and his blog through an e-mail address that was listed on a published 2006 paper about hacking. A coauthor of the paper was Mei Qiang, identified by Mandiant as a key hacker who operated under the alias “Super Hard” in Unit 61398.

One of many Chinese military units linked to hacking, Unit 61398 falls under the People’s Liberation Army’s General Staff 3rd Department, 2nd Bureau, which is roughly equivalent to the U.S. National Security Agency.

The PLA recruits computer scientists, mathematicians and linguists from China’s top universities for its Internet espionage programs. Not unlike in the U.S., students can continue their education for free in return for their enlistment in military service.

Wang earned his master’s degree in Internet security at age 25 at the Information Engineering University, run by the PLA in Zhengzhou, Henan province.

Immediately after graduating in 2006, he was enlisted in a hacking operation in Shanghai.

In the blog, Wang did not disclose which unit he worked for, but he made it clear that he was wearing a uniform and carrying a military badge. He described his building as being far from the Shanghai city center, one of his many complaints.

“What I can’t understand is why all the work units are located in the most remote areas of the city,” Wang wrote in an entry in 2007. “I really don’t get what those old guys are thinking in the beginning. They should at least take us young people into consideration. How can passionate young people like us handle a prison-like environment like this?”

One of his first tasks was to improve on a Trojan virus known as Back Orifice 2000, which is designed to remotely hijack a computer system to steal information.

In July 2007, he boasted that his virus had successfully escaped detection by three leading detection programs made by McAfee, Symantec and Trend Micro, but that it didn’t get past a fourth, Kaspersky. He also described another assignment: write a virus that would detect any USB storage device attached to a computer and copy its files. The virus was a success and Wang’s boss was pleased.

“If we’re lucky enough, we might be able to complete this year’s target and earn a year-end bonus for everyone,” Wang wrote with enthusiasm.

Otherwise, Wang poured out his unhappiness. The hackers were required to speak English, the international language of technology and an essential skill for phishing attacks on mostly U.S. targets. But when Wang tried to hone his English skills by reading magazines such as the Economist and Harvard Business Review, his boss rebuked him for reading too much foreign press.

“The boss doesn’t understand. I’ll have to be more careful,” he complained. Wang was also unhappy that supervisors refused to reimburse him for a $1 bus ticket to attend a business conference, while his boss claimed more than $100 for a bottle of liquor.

A high school reunion left Wang feeling discouraged about his paycheck and prospects.

“They all have a bright future. Some of them became lawyers; some went into property business or finance; some wrote programs for a commercial software company. Compared with their handsome monthly income, I even felt ashamed to say hello to them,” Wang wrote.

Wang never reflected on the pros and cons of hacking for the Chinese government, but he clearly regretted having enlisted. “My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation,” he wrote. With the help of his family, he managed to get out in 2008. He stopped writing the blog a year later.

Wang is believed to be living in Chengdu. One of his last online traces was a comment posted on Dianping, a popular restaurant review site, about an ice cream parlor in that city.

Wang did not return several e-mails and instant messages requesting comment.

The period covered in Wang’s blog coincides with an upsurge in hacking detected by Mandiant. In a report issued last month, the company said hackers had systematically stolen hundreds of terabytes from 141 organizations, most of them American.

Industries targeted included chemicals, technology, financial services, mining, energy, health care, media and international organizations. The data included blueprints, pricing strategies and e-mails, which are suspected of being given to Chinese state-owned enterprises for competitive advantage.

The Chinese government has repeatedly denied hacking and has said it has been the victim of attacks originating from the United States.

“Cyberspace needs rules and cooperation, not war. China is willing to have constructive dialogue and cooperation with the global community, including the United States,” Foreign Ministry spokeswoman Hua Chunying said at a briefing Tuesday.

Last month’s report by Mandiant marked the first time individual hackers were identified by name. More information has trickled out since.

Investigators have unearthed birthdays, photographs, profiles on Kaixin (a Chinese version of Facebook), shopping and dining preferences. One hacker’s user name appeared in a forum for flower-arranging enthusiasts.

They logged on to personal e-mail or social networking sites from work, or used their real phone numbers to register Gmail or Hotmail accounts later used for phishing attacks. Mei Qiang, Wang’s research partner, posted a note on a software developer’s message board looking for extra work.

“I’m good at writing hacking tools, such as Trojan viruses,” read the advertisement posted in 2005. It was taken down last month after it was discovered by an investigator based in India who runs a blog called Cyb3rSleuth.

“These were not elite uber-hackers,” said Richard Mogull, an Internet security consultant and head of the Phoenix-based Securosis. “Some people want to demonize these guys, but they are just frontline soldiers doing their job for their country – not evil people.”

Wang probably never imagined his blog would attract the attention of journalists or Internet security experts, Bejtlich said. “This is really an anguished person who didn’t enjoy his situation, and this is probably just an outlet for him to share his story,” he said.

Because the hackers were operating under military protection, they probably weren’t as intent on concealing their identities as criminals who would face punishment if caught. Bejtlich compared them to members of the U.S. military who inadvertently make disclosures on Facebook or on blogs. “They will get better. That’s how they will learn.”
