If you’ve read my blog for a while you know I’ve been to China a few times, conducting research, doing interviews, giving the occasional speech and hopefully discovering what the Chinese are actually doing about cyberwar and information warfare. Those are my goals, at least. When I’m not in China I research mostly via online articles, online discussion groups, academic articles, phone calls and emails to Chinese experts.
Two weeks ago the Mandiant report was published and like anyone with an interest in the report, I read it and as much online analysis as I could. I never read any reports on any Chinese websites. I did, however, click on one link which showed me the exact location of the 61398 building in the Pudong district of Shanghai (which is quite beautiful, I’ve seen it from across the river) and looked on it using Google, not Google.cn or Google.hk. That was the extent of my computer ‘intrusions’ into China. I do have a few friends in China but I’ve never had an attachment from them. Darn sure I wouldn’t open it either!
Then, two weeks ago, an unusual event happened. First, since I have a Mac running some unusual browsers, I seldom get a pop-up screen. But one popped up. Imagine my surprise when the pop-up window was an ad for a Chinese dating site called ChineseWomenDating.com.
I analyzed what I had done to cause such a pop-up window. I wasn’t physically located inside China, so that did not apply. I hadn’t visited any .cn websites in recent history (not in the last six months), so I could probably discount that. I don’t download a lot of documents with a subject of China. I don’t concentrate on Chinese information warfare or cyber espionage in my research; that’s all just dumb luck. Actually, most of the email I receive is about general cyber this and cyber that. But somehow I must have a cookie on my system which indicates I have an interest in dating Chinese women. At least they got it correct that I’m straight! Oh, and just to clear the record, I’m happily married.
I put a screenshot above; I found it fascinating.
What does that leave me? Well… I am one of those folks who always says “I assume I am hacked”. So, five times in the past two weeks this exact same pop-up ad has popped up on my system. I’m now going to assume someone conveniently got onto my system and left me a present. A rootkit, a keyboard logger or some such nonsense. I went through a friend’s system once, about ten years ago, and uncovered a keyboard logger there. It’s time-consuming and I’m not sure if it’s worth the effort, but I’ll take a run at it this weekend.
But I believe it is some sort of an Advanced Persistent Threat.
Let’s say it was a rootkit. I have a Mac running OS X (one of the new ones, like Cheetah or Cougar or something). How do I find it? I need suggestions from you, gentle readers. Help?