China Hit by Nearly 500K Trojans in 2010 With U.S. As Largest Culprit

The shoe is on the other foot as the Chinese government said the United States was the biggest source of foreign-based cyber-attacks hitting China in 2010.

Nearly half the cyber-attacks hitting Chinese systems, whether they are botnets, Trojans or Web attacks, originate abroad, and the United States is the source for the largest share, Chinese officials said.

Close to 493,000 Trojan attacks hit Chinese systems in 2010, with nearly half originating from outside the country, China's National Computer Network Emergency Response technical team said Aug. 10, according to a report from the state news service Xinhua. Of the 221,000 attacks identified as originating from outside China, 14.7 percent came from the United States and 8.8 percent from India, CNCERT officials said.

Most of the attacks came in the form of malicious "Trojan" software used by hackers to gain access to target computers, according to Zhou Yonglin, head of the CNCERT/CC's operation and management department. China is facing "serious threats" as various cyber-viruses and worms continuously mushroom, Zhou said.

Government officials said they detected 13,782 IP addresses with botnet viruses in 2010, of which 47 percent, or 6,531 addresses, were receiving instructions from botnets based in foreign countries. The top three countries were the U.S., with 21.7 percent; India, with 7.2 percent; and Turkey, with 5.7 percent.

The agency also found that 35,000 Websites in China had been hacked in 2010, a 67 percent increase from 2009. Of the hacked sites, 13 percent, or 4,635 sites, were government-run Websites, and the hacks appear to be the work of politically or religiously motivated individuals in Turkey, Xinhua reported.

The domestic attacks targeted mainly financial institutions and online payment platforms by tricking users into giving up their log-in credentials, according to the report.

These figures will be included in CNCERT's upcoming annual report, expected later this week. The report follows a similar CNCERT report from April that found that 10 million PCs in China had been controlled by Trojans in 2010, almost triple the number of infected computers from 2009. CNCERT has said in the past that the Trojans were traced back to the U.S., Taiwan and India.

The Chinese government has steadfastly denied claims from the U.S. security community that it was behind many of the recent high-profile cyber-attacks. Researchers at Dell SecureWorks have traced back several large campaigns to two groups in China, and said they found hints that one of the gangs was involved with the attack on RSA Security in March.

Separately, McAfee researchers claimed to have found evidence that a single country may have been behind a massive cyber-operation that hit major companies, nonprofits and government agencies around the world. Even though McAfee didn't name the country, many fingers are being pointed at China.

Chinese government media said the accusation was "irresponsible."

The CNCERT report may be a way for China to fire back at the accusations by pointing out that China was under attack, too, and that many of the attackers were coming from the U.S.

"China needs to join hands with other countries to fight against cyber-attacks as the country has become one of the world's biggest victims of the menace," Xinhua reported.

Practically every time a cyber-attack is revealed, China gets blamed. While it's likely that China uses the Internet to spy on other countries, "just about every country around the world" is doing the same, said Graham Cluley, a security consultant with security technology firm Sophos.

It's also a challenge to say definitively where attacks are coming from, since the malicious perpetrators can easily use proxy servers to hide their tracks. With attacks being launched by compromised machines around the world, it is difficult to find out who is actually giving the commands, or where that person is based.

"We cannot say for certain that the hackers were located abroad simply because their Internet Protocol addresses were located in other countries," Zhou said, adding that by the same token, CNCERT couldn't say the "Chinese hackers" were actually in China just based on IP addresses.

CNCERT did not provide any details on the Trojan attacks or the kind of systems that had been targeted by the Trojans. It also did not explain the methodology used to calculate the numbers in the report.