Lack of Details on China Hacking Claim Puzzles Analysts

A recent cyberattack on China's country-level .cn domain may not be all that it seems, computer experts said this week.

Beijing's China Internet Network Information Center (CNNIC), which maintains the registry for the top-level domain, announced this week that it was crippled by two distributed denial of service (DDoS) attacks on websites using the .cn suffix in the early hours of Sunday morning.

The first started around midnight Beijing time, and service was restored by around 2:00 p.m. local time, CNNIC said in a statement.

The second, which hit at around 4:00 p.m. local time, was the largest ever DDoS attack to hit China's Internet.

Many websites were rendered completely inaccessible or extremely slow to load for an unspecified period of time, it said.

Beijing's Ministry of Industry and Information Technology, which oversees CNNIC, has launched "specific contingency plans" to protect national domain name resolution services.

But no details of the attack or the contingency plans were made public, leading cybersecurity experts to question the point of the announcement.

Call for details

Rutgers University computer scientist Zhou Shiyu called on Beijing to make detailed information about the attack public.

"The problem is that there's no evidence that indicates whether this attack came from within China or from overseas," Zhou said. "They must explain this clearly."

"All we know is that [DDoS] attacks are the commonest method of attack," he said.

He added that China was no stranger to carrying out large-scale cyberattacks itself.

"The Chinese government has spent huge amounts of money and resources on developing its ability to carry out online attacks," he said.

Smokescreen attack?

Meanwhile, U.S.-based Internet security analyst Li Hongkuan said the likelihood of Chinese government-backed attacks against the .cn domain existed, but wasn't large.

Beijing could even have staged the attacks as a smokescreen, given that its standard response to allegations of government-backed cyberattacks overseas is that it, too, is the target of such attacks.

"It's quite possible that the Chinese government is a thief crying 'thief,' or that it's bluffing," Li said.

"It's also possible that these attacks came from hackers within China who are critical of the government."

For the time being, CNNIC has apologized for the disruption and promised that more details will be made public as soon as they are discovered.

Mandiant

China has rejected claims that its People's Liberation Army (PLA) was behind a series of hacker attacks on U.S. corporate networks described in a February report by the security firm Mandiant.

Beijing's Ministry of National Defense denied claims made in a 74-page report by U.S.-based Mandiant which said it had traced a large number of transnational cyberattacks to IP addresses assigned to a building it said belonged to the PLA in Shanghai.

Mandiant said the building was the home of the PLA's cyberespionage "Unit 61398," which it said had stolen data, including intellectual property, from at least 141 companies since 2006.

Mandiant's report said it was "highly unlikely" the Chinese government was unaware of the hacking attacks, and was possibly supporting the cyberespionage.

New York Times

In the same month, The New York Times newspaper accused hackers traced to China of "persistently" infiltrating its computer networks over the last four months, also sparking an angry denial from Beijing.

The paper had hired a team of computer security experts to trace the attacks and block any back doors through which they were gaining access to the system, it said.

Cybersecurity experts said the report should be taken in the context of widespread cyberespionage carried out by a large number of countries.

Reported by Xi Wang for RFA's Mandarin Service. Translated and written in English by Luisetta Mudie.