Weak evidence links congressmen's cyber-attacks to China

U.S. House of Representatives members who worry that China may have been responsible for attacks on their computers have provided little evidence to back up their claims, according to computer security experts.
The two Republican congressmen, Representatives Frank Wolf and Christopher Smith, disclosed Wednesday that computers in their offices were hacked in late 2006 and early 2007. Both men have been critical of China's human rights record and said that the attacks raised concerns that they were being targeted for their support of Chinese dissidents.

Wolf said that the U.S. Federal Bureau of Investigation had told him that the attackers came from within China. Smith said that the IT professionals who repaired his hacked computers told his staff that the attacks came from Chinese IP addresses and that the hackers had accessed files related to China.

"My suspicion is that I was targeted by Chinese sources because of my long history of speaking out about China's abysmal human rights record," said Wolf in a statement. He is the senior Republican on the State and Foreign Operations subcommittee.

The Chinese Foreign Ministry has denied any connection to the attacks, according to reports. An FBI spokeswoman declined to comment on the matter late Thursday.

However, computer security experts said that the evidence that the two congressmen provided to back up their claims simply does not prove that the Chinese government, or even Chinese nationals, were involved.

"It's so very hard to conclude that something came from someplace if all you're going from is an IP address," said Marcus Sachs, director of the SANS Internet Storm Center, a volunteer-run effort that tracks emerging computer threats. "Those of us who have done this for a living, we know that you can't prove that it was a Chinese person on the keyboard if you have a Chinese IP address," he said. "Without making some of the evidence public … you leave everybody else guessing."

Computer attacks are often launched from Chinese IP addresses because a large number of computer systems in China have been hacked and are being used to redirect online attacks. Also, the country is notorious for providing so-called "bulletproof" hosting services that keep servers running even when international law enforcement tries to take them down.

"For US$1,000 a month or less you can get a bulletproof server in China," said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham.

China has been blamed for many intrusions on federal computer systems, including breaches at the U.S. Department of Commerce and the Pentagon, but according to Warner, virtually any computer plugged into the Internet will find itself scanned by probes from China IP addresses. "Anybody who looks at their firewall logs can prove that they're being attacked from China. Does this prove that they're really being attacked by the Chinese? I don't know, "he said.

Nearly 12 percent of all Web servers using China's .cn domain space are considered risky because they may be associated with spam, adware or computer attacks, according to security firm McAfee.

Representative Smith's office did not return a call seeking comment.

A spokeswoman for Congressman Wolf's office refused to provide any more detail on the attacks or to say what evidence linked the attacks to China. "Everything we have to say is in our press release," she said.

That's not good enough for Richard Smith, an Internet security consultant with Boston Software Forensics. "If someone is going to make these kind of charges, they really need to be willing to produce the hard evidence," he said via e-mail. "Perhaps the office is embarrassed that a staffer accidentally shared their C: drive with the entire Internet."