The United States maintains two civil and one military program to provide meteorological imagery and data from spacecraft in polar and geostationary orbits around the Earth. The civil programs are managed by the National Oceanic and Atmospheric Administration (NOAA) and the military program is managed by the Department of Defense. The National Environmental Satellite, Data, and Information Service (NESDIS) is a unit of NOAA and is responsible for operating the civilian weather satellites (GOES and POES), distributing the satellite data and imagery, archiving the data, and planning for future systems. NESDIS also controls the Department of Defense constellation of polar orbiting weather satellites called Defense Meteorological Satellite Program (DMSP), which is similar to the civilian POES program.
...
Due to the classified nature of the DMSP imagery and other data products, the DMSP downlink data is encrypted, and thus the direct readout system is not available to nonmilitary users.
That all comes from this cool-as-hell PDF† about how to build a GOES/POES ground receiving station. Anyways the most obvious target here is probably the DMSP products, rather than, say, a Bruckheimer-esque plot to disrupt NOAA satellite imagery during the height of the Atlantic hurricane season.
Of course if you were an evil genius bent on destroying the US by sending a massive hurricane into the eastern seaboard, your first step would be to disable the ability to see it coming ... :-)
As a Chinese person, I would prefer to believe our government is behind this. Do you know Beijing (or even the whole country) has a serious smog issue which was first uncovered by the American embassy in Beijing? The incident made the government lose the public's trust, and for quite some time people only wanted to trust forecasts from NOAA instead of Beijing. If the Chinese government hacked NOAA, it would be out of an intention to contain domestic reactions. Actually, our government has greater problems at home than abroad.
I always appreciate how the US is able to pin every network compromise directly back to China. And not just China but the Chinese government in particular.
Almost like VPNs, proxies, Tor, compromised machines, botnets, or similar do not exist in this arena and that a reverse DNS lookup will tell them 1337.mss.gov.cn.
When the US talks about cybersecurity/"cyber wars" in general, they're talking about something more akin to a Hollywood movie than anything you see on the ground on either side of the "fight."
I'm extremely sceptical every time they claim Chinese responsibility. I am sceptical not because China wouldn't have the skills or motivation to do so (they do/would) but because they jump to these conclusions unrealistically quickly and if their adversary covered their tracks even modestly pointing fingers like that would be quite hard (e.g. send it through Russia).
There are many details left out that could reasonably pin the attacks on the Chinese. While communication back to the source may be obfuscated and hard to pin on any particular actor, the exploits, shellcode, and malware they use can possibly be tied to other breaches. Like regular programmers, hackers tend to reuse modules, code blocks, techniques, etc. from attack to attack. So whereas the NOAA breach may not conclusively point to China, something found during the incident response and forensics phases may connect it to the USPS breach, Lockheed Martin breach, or others. A good example of this technique would be how researchers were able to tie Stuxnet, Flame, Duqu, and Gauss to the same actors (probably the US and Israel).
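Reuse of code and configuration across intrusions is the kind of evidence the comment above refers to. The Python below is an added example, not code from this thread or from any of the breaches named in it: it shingles each sample into overlapping byte n-grams, scores pairwise Jaccard overlap of the shingle sets, and groups samples that clear a threshold, then lists the shared shingles an analyst would cite. The sample names, the stub bytes and the configuration strings are all constructed placeholders, not real malware.

```python
"""
Code-reuse clustering over constructed samples (added example, not from the thread).

Each "sample" stands in for a payload recovered during incident response. We
shingle each one into overlapping K-byte n-grams, score pairwise Jaccard overlap
of the shingle sets, and union samples whose overlap clears a threshold. The
shared shingles are the concrete artefacts an analyst would cite as evidence.
"""
from __future__ import annotations

from itertools import combinations

K = 8  # shingle length; assumption: long enough that a shared 8-gram is unlikely by chance

# Constructed, inert placeholder bytes: a "stub" reused by two samples and a config string.
REUSED_STUB = (
    b"\x55\x48\x89\xe5\x48\x83\xec\x20\xe8\x00\x00\x00\x00\x5b\x48\x81\xeb"
    b"\x11\x22\x33\x44\xff\xd3\x48\x83\xc4\x20\x5d\xc3"
)
SAMPLES = {
    "noaa_dropper": b"NOAA-header\x00" + REUSED_STUB + b"cfg=https://example.invalid/a",
    "usps_implant": b"\x90" * 6 + REUSED_STUB + b"\x00cfg=https://example.invalid/b\x00",
    "unrelated_tool": bytes(range(256)) + b"MZ\x90\x00hello world tool",
}


def shingles(data: bytes, k: int = K) -> set[bytes]:
    """All overlapping k-byte windows of data. Position-independent, so a stub
    that was moved to a different offset still matches."""
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_similarity(samples: dict[str, bytes], k: int = K) -> dict[tuple[str, str], float]:
    sets = {name: shingles(blob, k) for name, blob in samples.items()}
    return {(x, y): jaccard(sets[x], sets[y]) for x, y in combinations(sorted(sets), 2)}


def cluster(samples: dict[str, bytes], threshold: float = 0.3, k: int = K) -> list[set[str]]:
    """Union-find grouping of samples whose pairwise overlap reaches threshold."""
    parent = {name: name for name in samples}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for (x, y), sim in pairwise_similarity(samples, k).items():
        if sim >= threshold:
            parent[find(x)] = find(y)
    groups: dict[str, set[str]] = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: sorted(g))


def shared_evidence(samples: dict[str, bytes], x: str, y: str, k: int = K) -> list[bytes]:
    """The shingles two samples have in common, i.e. what goes in the report."""
    return sorted(shingles(samples[x], k) & shingles(samples[y], k))


if __name__ == "__main__":
    for pair, sim in pairwise_similarity(SAMPLES).items():
        print(f"{pair[0]:15s} {pair[1]:15s} jaccard={sim:.2f}")
    for group in cluster(SAMPLES):
        print("cluster:", sorted(group))
    ev = shared_evidence(SAMPLES, "noaa_dropper", "usps_implant")
    print(f"{len(ev)} shared shingles, e.g. {ev[0].hex()} ... {ev[-1].hex()}")
```

Two caveats a practitioner would add before reading anything into the clusters: shared shingles also come from packers, statically linked libraries and copied public exploit code, so the shingles of a known-good corpus are removed before scoring; and overlap between samples ties incidents to each other, not to a country, which is why the "same actor" claim for Stuxnet and its relatives rested on much more than byte overlap.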
I share that skeptical feeling. It's always been a common technique to bounce an attack on US servers through servers in a foreign country that doesn't speak English much and doesn't have the best relationship with the US. China is the ideal one for this, and generally has the best supply of vulnerable servers to do this through.
Having hacked Google, Juniper, Symantec, Morgan Stanley and countless USGOV sites - why not hack NOAA? It's not as if there will be any USGOV response. No sanctions. No demarche of which I'm aware. No counter-attack that has been publicized by China. Turning the other cheek is not a valid strategy in a prolonged conflict.
Rest assured, they have better methods of attribution than a reverse DNS lookup. It's difficult to attribute a specific attack, but relatively easy to attribute large campaigns.
These articles always make me wish I could see the Chinese equivalent. Are the newspapers in Beijing just full of stories about US "cyber attacks" on Chinese infrastructure?
I also appreciate how the public unquestioningly believes that the Mars rover was in fact really on Mars. Especially, if one is to ask "cui bono", the answer that you'll get is that the administration is trying to direct attention from its police surveillance of Someone1234. I'm not saying that the Mars rover landing was faked, I'm just asking questions.
I don't know who this Wolf guy is, but he's absolutely right: if we are in the government, and we have a breach, and we're working on it, we have an obligation to fess up. (Unless there's some kind of counter-intelligence operations underway)
We can all sit back in our comfy chairs and debate whether it really is China or not, whether various networks are secure or not, or how much various agencies can store (and the dangers associated with them storing things). But we can only do that if we have recent and valid information about what's going on. Good public policy decisions depend on an informed electorate. This kind of situation is not the place to be covering up your mistakes.
I think you're right that an open attitude towards security breaches is essential for a healthy security ecosystem. However, in practice, fessing up in public during an investigation will rarely happen. Security incident responses are some of the most-hushed processes, even inside otherwise open organizations.
That's because you want to find and close the vulnerabilities before publicizing them. Otherwise, by publicizing, you invite attacks that will (a) multiply the noise you have to sift through to complete the investigation and (b) potentially create new incidents, at a time when you are already in a crisis (the current attack & investigation).
So most security departments will only talk about what happened after the fact, when it's all been tidied up again. But even then, the habit of secrecy has already been established. It's a constant struggle to bring openness to a process where secrecy is a short-term advantage. If you want an informative accounting of what happened, I think you need to add it to the incident response process.
For example (simplified for illustration)
1. Notice an intrusion
2. Capture information (logs, vulnerabilities used, etc)
3. Secure systems that have been compromised
4. Prevent future intrusions within the organization
Need to modify 4 (or add 5)
5. Publish to help other orgs also prevent intrusions.
But other orgs may hate you for that, because in the process of publishing, you have exposed their lax practices that (in hindsight) used to be your lax practices ...
I don't know who is really doing this or what the impact will be but let's pretend for a moment that the Chinese government is responsible. They are largely funding our government. We need each other.
I wonder if a serious problem with the world is due to secrets that allow some to have power over others. For example, a company with a patent on a drug that costs $80K has power over those who will die without it. If you can't afford it, have you seriously harmed the company if you violate the patent to manufacture it in a 3rd world country for people who could never pay for the drug? When is human life more important than a company's right to a patent (or information)?
The Chinese have a serious problem in the form of several hundred million people who need to be moved out of poverty. To help them get there they seem to be mining a precious resource: information in 1st world countries. Is this different (or worse) than 1st world countries mining precious resources in the 3rd world?
What is the net result? China will use this information to make itself wealthy enough to buy more of our goods? China will acquire the ability to make our goods cheaper than we can make them and force us to work harder?
I'm not saying "stealing" is "right" but it seems to be an important way all 1st world countries became richer. The notion of "right" is suspect given that history is written by the winner.
My experience five years ago was that regular African people were not too keen on the Chinese mining companies that had set up shop. But perhaps there was not enough competition to mine more locally.
The article does not discuss much the motivation they might have had for this hack, aside from the fact they're probably looking for gaps in general US systems. But I'm very curious about the economics of hacking another nation's weather service; China could give itself significant (and creepy) economic advantages by MITMing the data from the satellites. I wonder if they're considering things like this?
Edit: Also, if they just wanted weather data, they should've signed up for http://pressurenet.io ;)
> The article does not discuss much the motivation they might have had for this hack, aside from the fact they're probably looking for gaps in general US systems.
NOAA is a branch of the US Department of Commerce - it's likely that it is a relatively interesting target. And the NWS probably has data feeds that are based on non-publicly available information: maybe they've got some military satellite feeds out there. Who knows.
But in reality I'd bet this was just a "cast many lines, see what we catch" operation. And most people probably discounted the risks of Chinese attacks against the weather service. I'd further bet that there are plenty of lesser-known government organizations out there that are being actively exploited right now.
It is probably less Hollywood-like, such as predicting cloud cover over areas you'd be interested in using your satellites to look at. Or maybe they had a cyberhacking campaign and broke into as many US orgs as possible simultaneously, but each department discovers it at different times. Or, as others have said, maybe it isn't China at all but some other party?
I never will understand how this spying stuff always is allowed to happen. I know every government does it, but I find it unbelievably dishonest. What kind of relationship is that? I would intuitively see any spying as an act of war, especially if supposedly friendly countries do it.
Yeah, but what are they going to do about it? Sanctions that hurt you just as much? Retaliate in kind? War? I'm not sure it's understood yet what the appropriate response should be, or what the bounds of the consequences are.
A lot of people worry about Government sponsored hacking taking the gloves off, and fucking with commercial infrastructure directly and relentlessly. The amount of leaks and compromises we see today suggests this could be economically catastrophic.
Do we know what kind of data was accessed in these attacks? I wonder what kind of weather data can be so important to be kept secret that they must disrupt the service and seal off everything. Were they storing other data on these servers?
Is it just me, or is this apparently the reaction every time a US government or military system gets hacked by China?
"Yep, we got hacked again. But we're just going to do our best to minimize the damage and pretend it never happened. No meaningful action will be taken against the perpetrators."
China officials would probably deny that it was them if the US publicly accused them, saying it was some isolated hacker acting on its own, or maybe a foreign country routing its traffic through a VPN in China, AND they would point out that the US is doing exactly the same in China and elsewhere (Stuxnet, etc...).
minimax | 11 years ago
† http://noaasis.noaa.gov/NOAASIS/pubs/Users_Guide-Building_Re...
ChuckMcM | 11 years ago
roylez | 11 years ago
freehunter | 11 years ago
So no one in the Chinese government or citizens had noticed that they can't see across the street until the Americans mentioned it?
mknits | 11 years ago
This one-party autocratic rule will one day make people insane.
Someone1234 | 11 years ago
amckenna | 11 years ago
SCHiM | 11 years ago
tail -n 50 /var/log/auth.log
Nov 12 15:33:28 VPS-3167 sshd[11950]: Connection closed by 122.225.97.110 [preauth] [SNIP]
Nov 12 20:12:51 VPS-3167 sshd[12016]: Connection closed by 61.174.50.164 [preauth] [SNIP]
Nov 12 20:40:44 VPS-3167 sshd[12031]: Connection closed by 122.225.97.72 [preauth]
The list goes on and on, and the IPs in the last fifty lines were all Chinese or Russian; still, they could also have been hacked themselves.
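The auth.log excerpt above is the raw material for the simplest useful check: counting attempts per source inside a time window instead of eyeballing the last fifty lines. The Python below is an added example, not code from the comment or from any NOAA system. The log lines it parses are constructed (RFC 5737 test addresses, the same sshd message shapes as in the excerpt), and the window length, threshold and year are assumptions chosen for illustration.

```python
"""
SSH brute-force triage over auth.log lines (added example, not from the thread).

Parses the two sshd message shapes that dominate brute-force noise, counts
attempts per source IP inside a sliding time window, and flags sources whose
rate clears a threshold. SAMPLE_LOG is constructed with RFC 5737 test addresses.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

LOG_YEAR = 2014        # assumption: syslog timestamps carry no year
WINDOW_SECONDS = 600   # assumption: 10-minute sliding window
THRESHOLD = 5          # assumption: attempts per window that trigger an alert

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Newer OpenSSH prints "port N" before [preauth]; the excerpt above is from a version that does not.
PREAUTH_RE = re.compile(r"Connection closed by (?P<ip>[\d.]+)(?: port \d+)? \[preauth\]")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

# Constructed sample: one source hammering the port, one slow source, one legitimate user.
SAMPLE_LOG = """\
Nov 12 15:33:28 VPS-3167 sshd[11950]: Connection closed by 203.0.113.10 [preauth]
Nov 12 15:33:29 VPS-3167 sshd[11952]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Nov 12 15:33:31 VPS-3167 sshd[11954]: Failed password for invalid user oracle from 203.0.113.10 port 51040 ssh2
Nov 12 15:33:33 VPS-3167 sshd[11956]: Failed password for root from 203.0.113.10 port 51051 ssh2
Nov 12 15:33:35 VPS-3167 sshd[11958]: Connection closed by 203.0.113.10 [preauth]
Nov 12 15:33:37 VPS-3167 sshd[11960]: Failed password for invalid user test from 203.0.113.10 port 51060 ssh2
Nov 12 16:02:11 VPS-3167 sshd[11990]: Connection closed by 198.51.100.7 [preauth]
Nov 12 20:12:51 VPS-3167 sshd[12016]: Failed password for alice from 192.0.2.44 port 40021 ssh2
Nov 12 20:12:58 VPS-3167 sshd[12018]: Accepted publickey for alice from 192.0.2.44 port 40022 ssh2
Nov 12 20:40:44 VPS-3167 sshd[12031]: Connection closed by 198.51.100.7 [preauth]
"""


def parse_events(text: str) -> list[tuple]:
    """One (timestamp, source_ip, username_or_None) per failed or aborted attempt.
    Successful logins and lines that match neither shape are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        if f := FAILED_RE.search(m["msg"]):
            events.append((ts, f["ip"], f["user"]))
        elif p := PREAUTH_RE.search(m["msg"]):
            events.append((ts, p["ip"], None))
    return events


def flag_sources(events, window: int = WINDOW_SECONDS, threshold: int = THRESHOLD) -> dict[str, tuple[int, list[str]]]:
    """{ip: (peak attempts inside any window, distinct usernames tried)} for
    sources that reach the threshold; sources below it are not reported."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events, key=lambda e: (e[0], e[1])):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        recent = deque()   # timestamps inside the current window, oldest first
        peak = 0
        for ts, _ in attempts:
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = (peak, sorted({u for _, u in attempts if u}))
    return flagged


if __name__ == "__main__":
    for ip, (peak, users) in flag_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {peak} attempts within {WINDOW_SECONDS}s, usernames tried: {users}")
```

Feeding the flagged addresses to a firewall is what fail2ban-style tooling automates; the report itself only tells you which hosts are hammering the port. As the comment says, those hosts may be compromised machines, so what the log names is a last hop, not an operator, and the username list (generic accounts such as root, admin, oracle) usually says more about the tool than about who is running it.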
kokey | 11 years ago
rrggrr | 11 years ago
lawnchair_larry | 11 years ago
state | 11 years ago
internet_arguer | 11 years ago
DanielBMarkham | 11 years ago
neolefty | 11 years ago
swframe | 11 years ago
jzwinck | 11 years ago
http://en.starafrica.com/news/mozambique-chinese-firms-clinc...
http://www.ide.go.jp/English/Data/Africa_file/Manualreport/c...
crimzonrayne | 11 years ago
cryptoz | 11 years ago
chiph | 11 years ago
http://www.history.com/news/the-weather-forecast-that-saved-...
owenmarshall | 11 years ago
cjslep | 11 years ago
beachstartup | 11 years ago
knowing how much your opponent knows about the weather is also pretty important.
...and so is knowing where they want to know about the weather.
ajmurmann | 11 years ago
Redoubts | 11 years ago
japaget | 11 years ago
sean_grant | 11 years ago
healthisevil | 11 years ago
coldcode | 11 years ago
diminoten | 11 years ago
If only there were laws in place that protected companies from things like this...
gesman | 11 years ago
thecoolkid | 11 years ago
ommunist | 11 years ago
dz0ny | 11 years ago
Zikes | 11 years ago
gregschlom | 11 years ago
NeverEnough | 11 years ago
mikeash | 11 years ago