Pentagon Hacked by Chinese Miltary

The details are still a bit shaky, but this news has been making the rounds.

Apparently the the hack attack in June on the Pentagon may have been carried out by the Chinese Military (People’s Liberation Army).

One senior US official said the Pentagon had pinpointed the exact origins of the attack. Another person familiar with the event said there was a “very high level of confidence…trending towards total certainty” that the PLA was responsible. The defence ministry in Beijing declined to comment on Monday.

Angela Merkel, Germany’s chancellor, raised reports of Chinese infiltration of German government computers with Wen Jiabao, China’s premier, in a visit to Beijing, after which the Chinese foreign ministry said the government opposed and forbade “any criminal acts undermining computer systems, including hacking”.

Forbade eh? More likely to be encouraged. Cyber terrorism and cross border attacks for information gathering are not restricted to the realms of movies.

These things do happen, people do follow Sun Tzu and gather as much information as they can about their possible enemies.

The PLA regularly probes US military networks – and the Pentagon is widely assumed to scan Chinese networks – but US officials said the penetration in June raised concerns to a new level because of fears that China had shown it could disrupt systems at critical times.

“The PLA has demonstrated the ability to conduct attacks that disable our system…and the ability in a conflict situation to re-enter and disrupt on a very large scale,” said a former official, who said the PLA had penetrated?the?networks?of US defense companies and think-tanks.

Hackers from numerous locations in China spent several months probing the Pentagon system before overcoming its defenses, according to people familiar with the matter.

China has denied this obviously…but that leaves a lot to be desired still.

Source: Financial Times

Posted in: Hacking News

, ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

18 Responses to Pentagon Hacked by Chinese Miltary

  1. Sandeep nain September 6, 2007 at 11:32 am #

    I have been reading this news since last 2-3 days… and was wondering if china is denying this, why can’t US show them the proof…
    and ofcourse these attacks would have put pentagon information security team to red alert…
    I hope they will hire some big nerds now…

  2. Bogwitch September 6, 2007 at 12:15 pm #

    I’ve been following this one closely. If Chinese military are hacking into [insert country name] defence systems or not, is largely irrelevant. I’m sure most of us see the occasional scan across our IP ranges that come from China, it doesn’t mean it’s the military but it doesn’t mean it’s not.

    There is little information coming forward from those that have been penetrated to indicate that it was the Chinese military and even if the source was a Chiniese military IP range, what’s to say that it wasn’t the Chinese military that have been hacked and are being used as a platform to penetrate other networks?

    Bottom line: Chinese military, Chinese population or John Smith, if your systems are not secure, someone will get in.

    Re: Germany. I have little sympathy. If you remove the tools from the law-abiding security professionals, the only people to have the tools are your enemy.

  3. technobabbler September 6, 2007 at 12:45 pm #

    BTW, do you think ‘Ethical Hacker Kit’ is worth to buy?

    I’m sorry there is no place to ask a general question.

  4. Darknet September 6, 2007 at 3:15 pm #

    technobabbler: Yah, that’s why we link it! If you are just starting out it’s a good grounding with a whole bunch of info and tools to kick you in the right direction. Don’t except to instantly be a great hacker though, you still have to put the work in. It just cuts down the time a lot by giving you all the stuff in one shot.

  5. Torvaun September 7, 2007 at 3:01 am #

    China forbids “criminal hacking.” Clearly, that wouldn’t apply to government sponsored hacking. In any case, who thinks that there’s not going to be some sort of backlash from this from the hacker community. I wouldn’t be overly surprised to see the Storm botnet used to DDoS a bunch of Chinese military servers. I can’t think of a single freelance hacker who has come out in support of censorship and repressive government, and it’s always nice to get good press.

  6. Sandeep Nain September 7, 2007 at 3:18 am #

    Hi darknet

    How about adding this hacker toolkit to the list of prizes to be given to top commenter…

    just a suggestion ;)

  7. Darknet September 7, 2007 at 9:53 am #

    Sandeep: Consider it done :)

  8. Sandeep nain September 7, 2007 at 10:57 am #

    Wowww…. thx for keeping my words darknet…

    Also, have you actually looked into this kit? Does it come with CDs/DVDs of tools or just has information on how to use these tools..

    If it has tools too.. i’m sure its must have.

    and what do you reckon, which one has better set of tools, backtrack or EH Kit..

    and I’m sorry to sidetrack you all from the main article…

  9. Bogwitch September 7, 2007 at 6:58 pm #

    It is interesting to note that the blurb on the Ethical Hacker Kit contains no real information about tools included. I suspect that the tools are simply freely available along with the docs. Now, IANAL but would that not fall foul of the GNU license?
    This is all speculation of course, I don’t know what the contents are!

  10. Zinho September 7, 2007 at 10:22 pm #

    I’m the admin of, powering the ethical hacker kit.

    Let me clarify your doubts.

    Our kit is meant to speed up your learning process (if you want/need to learn it of course) of ethical hacking. It contains a lot of *unpublished* papers along with a selection of the best tools.

    The contents are divided into main areas

    For each areas you have the best selected papers + unpublished papers written by HSC Security group. If you don’t know us just make a search on google. We found holes into Microsoft, eBay, Amazon and so on.

    Along with the papers you have tools and source codes for that area. So, learn the theory and do practice.

    Of course you can browse the web and get random tools or papers but the kit saves you a lot of time, gives you access to unpublished contents and makes your learning process more efficient and faster because it is built from an educational point of view.

    The kit is 1Gb and downloadable into 4 parts for your convenience.

    At first we created this kit, as a gift for the attendants of our hacking courses and conferences. Its success and demand invited us to make it public.

    Darknet will post an unbiased review on the kit soon, he has access to a free copy of the kit just for this purpose :)
    And if he decided to include it among the prizes I’m sure he liked it.

  11. Bogwitch September 8, 2007 at 12:49 am #

    Zinho: Your post raises interesting questions. First, you are offering an ethical hackers pack, yet you cite holes found in Microsoft, Ebay and Amazon (and Yahoo and Paypal, on your site) I seriously doubt you had a contract to perform the testing. Ethical? Not by any definition I know of.
    Your site lists NO software that is loaded into your ethical hacker kit. 1 gig of data barely scratches the surface of the software available and it still leaves the question of GNU licensing violation. As I said before, without knowing what software is in your pack, it is not possible to know for sure but any DECENT hacking toolkit will contain many GNU licensed pieces of software and would be deficient without them.
    Your site, at first viewing, does not contain any REAL information. Your advisories are vague: for example mentions XSS yet talks about delivering URLs via email.
    OK, there is a little useful information in the “HSC Ethical Hacker” section on the right of your page but again, very vague. For example, under “Coding and Buffer Overflows” only a passing mention is made to assembly, yet a serious hacker working with buffer overflows MUST know assembly – it would be difficult creating a NOP sled without it!

    I appreciate that you are in the business of making money but it would be easier to take you seriously, and may increase your sales, if you included some sample whitepapers from HSC.

    As you say, your pack is for beginners and I’m sure that there is much useful information and many useful applications to assist a beginner who wants to learn about hacking. The issue I have is wether your pack will teach ethical hacking.

    It’s not for me, but, and this might be seen as big-headed of me, I do not consider myself to be a beginner.

  12. TheRealDonQuixote September 8, 2007 at 5:24 am #

    “You can’t fight in here! This is the war room!”
    Dr. Strangelove

    I just thought that little quote might help put everything into perspective. Including the China hax the Pentagon article.

  13. Zinho September 8, 2007 at 7:40 am #

    Dear Bogwitch,
    you’re the first one to say that my site doesn’t provide any real information. We have thousands of papers and tools. And we have a research group. Anyway I have no problem if you don’t like it. Just don’t bookmark it.

    First of all, I can send you the reconaissance letters for responsible disclosure by Microsoft, Amazon and so on. So this is called *responsible disclosure* that is something very ethical in my opinion.

    And if you say our advisories are vague, then my friend, you talk about being ethical but you should know what you can say in an advisory and what not. We have never shown unpatched exploits. Once again *responsible disclosure*.

    Here you demonstrate you’re confused:
    “a serious hacker working with buffer overflows MUST know assembly”
    but later:
    “As you say, your pack is for beginners and I

  14. Bogwitch September 8, 2007 at 10:21 am #

    Zinho: I understand about responsible disclosure. What I have a problem with is, IMO, unethical vulnerability testing against systems that you do not have the owners permission to scan.
    WRT your advisories being vague; It is a fine line to tread, I’ll admit. With something like XSS you can describe what validation fails OR what input type is vulnerable without opening the vulnerability to a whole slew of skiddies, but suggesting that the vulnerability is open by sending UBE or even spear phishing, with malicious URLs does not neccessarily describe a vulnerability in the site
    On assembly; your pack is aimed at beginners but if you are going to talk about buffer overflows, you must talk about assembly, otherwise you’re not talking about buffer overflows. Are you suggesting that beginners would not understand assembly?
    I agree to be a good ethical hacker you must ‘learn the ways of the dark side’ :) But that does not mean you have to practice unethically. Run up a lab, get virtualisation, hack yourself. That’s the best way to learn. Don’t try to hack live sites without permission.

    Ethics IS a grey area. One persons ethical is anothers unethical.

    Like I said before, if the paid-for content of your Hackers Kit is merely the unpublished copyright content, then I would suggest that providing a sample of said content on your site might be a good idea so that people know what they are paying for.
    I will be interested to learn what software you bundle. I would also be interested to learn what percentage of content is your own copyright content.

    I apologise if I came across as aggresive in my previous post (or this one) I am trying to ascertain if this would be a product I would recommend to the people I have asking me about the best way to learn about IT security.

  15. Bogwitch September 8, 2007 at 12:58 pm #

    Hi again,

    After reviewing your site in much more detail, it is clear that there is a good amount of useful information for beginners. That’s what I get for knee-jerk reactions and posting in the wee small hours. ;)
    To quote from an older network, “Open mouth, insert foot, echo internationally.”

    That said, I would still like to see a sample of the premium content from your Hackers Kit and some idea of how much is premium content vs. open source content.

  16. Zinho September 8, 2007 at 10:31 pm #

    Hi Bogwitch,
    I appreciate your words.
    I wanted to clarify another aspect of our Kit. Our customers will be able to receive all the new updates of the kit for FREE.
    As an example we are investing a lot of time and money in order to hire our friends researchers (people who spoke at black hat that I’m going to name later) to produce valuable contents only for the kit customers. This is an added value to be included in the next kit edition expected within few weeks.
    Rootkit development, new advanced and unexplored attacking techniques to web application (xst,csrf, ajax hacking…) and penetration testing are the topics we are working on.

    At now you find papers written mainly by our researcher Doz, who took the time to write and explain in a very easy way each topic covered in the areas. That is you find 2-3 papers for each area written by us.

    The size and nature of the kit (only available for download at now) forced us to make a selection of only the most intersting and educational tools and papers (you may find even 10 tools/papers) for area. You’re right it scracthes the surface, but it scratches it very well ;)

    I will be discussing with doz if making 1 paper freely available online as a “trial” and I will let you know.

  17. kill July 30, 2008 at 10:34 am #

    never fight with a same enemy for long time then he will know all ur skills

  18. zupakomputer July 30, 2008 at 2:38 pm #

    In the Pentagons case it’s more: of course you’ll get in, but unless you’re behind the Great Wall yourself they’ll probably find out where/who you are.

    Or just go to DC and leave chopsticks cryptically lying around the Pentalawn 2000, in “shapes that could be code”, as if you were Jung throwing a yarrow stick consult from beneath a Bodhi tree.

    Or just astrally-project into the War Room and act like you worked there all along.