Hacked? Don't blame China, blame Denmark

Forget pointing the finger at China when government systems and defence contractors are compromised — it's the dirty work of Danish hackers, says Finnish security researcher, Mikko Hyppönen.

F-Secure chief research officer, Mikko Hyppönen

The security researcher told ZDNet.com.au that although China is often accused of being behind targeted attacks on government agencies, ministries and defence contractors to gain industrial and national secrets, and despite evidence pointing to its involvement, he will never accuse the country of being behind the cyberattacks.

Hyppönen said it's just as likely a country such as Denmark is behind them, after analysing targeted back-door and trojan attacks against governments for the past three years.

"[Targeted attacks] are rare, but when it happens to you it's a nightmare. Normally viruses are bad luck, but in these cases, it wasn't bad luck — it's only you who got infected," he said.

"If I would have a guess, I would say it's Denmark. It could be bunch of Danish hackers doing it for fun and making it look as if it was China," he said.

"Obviously all the evidence would make it easy to connect the dots and say the Chinese did it, but at the end of the day, there is no real evidence linking anything to China," he told ZDNet.com.au.

The evidence pointing to China is that three key groups have been targeted with the same zero day exploits which use information-stealing trojans, says Hyppönen: large multinational companies (mostly defence contractors); governments, ministries, embassies and agencies; and non-profit organisations.

"We have evidence linking these three attack targets and it's the same attacks hitting large defence contractors and small non-profit organisations (NPOs)," he said.

"Most of these trojans are to steal information and are sending it to servers that are always located in China or that operate DNS routers in Chinese," he added.

But it's this last group — non-profit — that raises questions. Why would hackers risk exposing to the world highly-prized zero day exploits on such low-value targets?

"These are very small non-profit organisations in many different counties — organisations which might have five or six employees who are not getting money for their work. These organisations are getting hit with zero day exploits several times a month," Hyppönen said.

The common element to these NPOs is that they all support political irritants to the Chinese government. "They are typically non-profit organisations supporting the independence of Tibet, the liberalisation of Taiwan or supporting the Falun Gong," he said.

But the problem with using these attacks on the NPOs, whose mutual enemy is the Chinese government, to confirm that the Chinese are behind them is that hackers commonly obfuscate the source of an attack, or use already-hacked computers to launch remote attacks.

"If an attacker is clever, they would make it look like the Chinese [but] I will refuse to go on the record saying it's the Chinese," said Hyppönen.