The Chinese IP Address Fallacy In Cyber Attribution

Google recently announced a spear phishing campaign that had been going on for over a year and "which appears to originate from Jinan, China", and that targeted the personal Gmail accounts of hundreds of people presumably of interest to the Chinese government. The evidence offered to support the headline was that Chinese IP addresses were involved. What both Google and Siobhan Gorman, who reported the story for the Wall Street Journal, failed to disclose was that IP addresses from other countries were used as well, including South Korea and the United States. Copies of the spoofed emails, along with the originating IPs, were disclosed back in February on the Contagio blog. Of the six IP addresses used in the military and government employee phishing scheme, two were in Hong Kong, two in Beijing, one in Seoul, and one in New York:
  • 113.28.117.4: Hong Kong (PCCW Business Internet Access)
  • 115.160.146.16: Hong Kong (Wharf TT Ltd)
  • 218.56.241.32:  Beijing (China Unicom)
  • 218.56.239.206: Beijing (China Unicom)
  • 61.106.26.226: Seoul (Korea NIC)
  • 69.147.251.108: New York (Nobis Technology Group LLC)
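How does an analyst get from a captured spear-phish to an "originating IP", and what does a registry lookup on that address actually say? The following is an added example, not code from the original post or from the Contagio write-up. The message, host names, trusted-host list and allocation table are all constructed (addresses are from the RFC 5737 documentation ranges, so none of them is one of the real senders above). The only Received: line you can vouch for is the one stamped by your own mail exchanger; the IP it records is the relay that connected to you, and a WHOIS-style lookup on it returns the block's registrant and country. That registrant country is the whole content of "the attack came from China".

```python
import ipaddress
import re
from email import message_from_string

# Constructed spear-phish as stored by the target's mail provider. Every host name
# and address here is made up (RFC 5737 documentation ranges); none is a real sender.
SAMPLE_EMAIL = """\
Received: from mx.target.example (mx.target.example [198.51.100.10])
 by mailstore.target.example with ESMTP id ABC123
 for <analyst@target.example>; Tue, 01 Feb 2011 09:14:03 +0000
Received: from relay.leased-host.example (relay.leased-host.example [203.0.113.45])
 by mx.target.example with ESMTP id DEF456
 for <analyst@target.example>; Tue, 01 Feb 2011 09:14:01 +0000
Received: from attacker-workstation ([192.0.2.77])
 by relay.leased-host.example with ESMTPA id GHI789;
 Tue, 01 Feb 2011 09:13:58 +0000
From: "A Colleague" <colleague@agency.example>
To: analyst@target.example
Subject: Fw: Draft talking points
Message-ID: <constructed-0001@leased-host.example>

Please review the attached draft before tomorrow's meeting.
"""

# Hosts we operate (constructed); only Received: lines stamped "by" one of these are trustworthy.
TRUSTED_HOSTS = {"mailstore.target.example", "mx.target.example"}

# Constructed stand-in for RIR/WHOIS allocation data: (prefix, registrant, country).
ALLOCATIONS = [
    ("198.51.100.0/24", "Target Mail Inc", "US"),
    ("203.0.113.0/24", "Example Hosting Ltd", "CN"),
    ("192.0.2.0/24", "Example Access Provider", "KR"),
]

_RECEIVED = re.compile(r"from\s+(\S+)(?:\s*\(([^)]*)\))?\s+by\s+(\S+)")


def parse_received(header):
    """Split one Received: header into (from_host, from_ip, by_host); None if unparseable."""
    m = _RECEIVED.search(header)
    if not m:
        return None
    from_host, comment, by_host = m.groups()
    ip_match = re.search(r"\[([0-9.]+)\]", comment or "")
    return from_host, ip_match.group(1) if ip_match else None, by_host


def received_chain(raw_message):
    """Received: headers newest-first, parsed. Each relay prepends its own line, so the
    top lines were written by our infrastructure and the bottom ones by the sender's."""
    msg = message_from_string(raw_message)
    return [parse_received(h) for h in msg.get_all("Received", [])]


def originating_ip(raw_message, trusted_hosts=TRUSTED_HOSTS):
    """Return the peer IP recorded by the last hop we control. Walk newest-first while
    the stamping host is ours; the peer on that boundary hop is the first address we
    can vouch for. Every older Received: line is sender-supplied text and may be forged."""
    boundary_peer = None
    for hop in received_chain(raw_message):
        if hop is None or hop[2] not in trusted_hosts:
            break
        boundary_peer = hop[1]
    return boundary_peer


def lookup_registrant(ip, allocations=ALLOCATIONS):
    """Longest-prefix match -> (registrant, country), or None. This answers 'who is the
    block registered to', not 'who was at the keyboard'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, org, country in allocations:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org, country)
    return None if best is None else (best[1], best[2])


def analyze(raw_message):
    """Attribution record for one message: the verifiable IP, its registrant, and the
    sender-controlled claims kept separate and marked unverified."""
    ip = originating_ip(raw_message)
    reg = lookup_registrant(ip) if ip else None
    untrusted = [h for h in received_chain(raw_message)
                 if h is not None and h[2] not in TRUSTED_HOSTS]
    return {
        "originating_ip": ip,
        "registrant": reg[0] if reg else None,
        "registrant_country": reg[1] if reg else None,
        "unverified_claimed_hops": [(h[0], h[1]) for h in untrusted],
        "operator": None,  # nothing above identifies who leased or operates the relay
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Note what the record does and does not contain: the bottom Received: line names a client address, but it was written by the sender's own relay and is kept as an unverified claim; the registrant field comes from the allocation table, and the operator field stays empty because nothing in the headers or in WHOIS fills it. Against a real message you would replace ALLOCATIONS with an RIR query made at the time of the incident, since allocations change.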

In 2010, TeleGeography rated China Telecom (55 million customers) and China Unicom (40 million customers) as the two largest ISPs in the world, together serving 20% of all broadband customers on earth. Neither company restricts its customer base to residents of the People's Republic of China. Anyone can buy server time from any of these mainstream Chinese ISPs:
  • China Telecom
  • China Mobile
  • China Unicom
  • HiChina Zhicheng Technology Ltd
  • Beijing Xinnet Digital Information Technology Co. Ltd
Payment per year ranges from 5,000 yuan to 25,000 yuan and can be made by online bank transfer, domestic or international wire, Alipay (China's PayPal), and even cash in certain cities such as Beijing and Guangzhou. In other words, no matter where in the world you live, you can lease server time and send mail from an address that resolves to the PRC. And if you use it to phish the Gmail accounts of your targets, you've hit the gold standard of misdirection, because almost no alternative analysis is done anymore when an attack geolocates to an IP address in China.

Google probably chose to focus on the two IP addresses that resolved to Jinan, the capital of Shandong province, because it's home to Lanxiang Vocational School, which was associated with the Google attacks of December 2009 - January 2010, and because it hosts a PLA regional command center. The problem with this argument is that Jinan is a high-tech industrial zone with over six million people and more than a dozen universities. Sourcing an email to Jinan is like sourcing a fruit shipment to California's Central Valley. It wasn't good evidence back in January 2010 and it's no better now. There are at least a dozen foreign governments I can think of that have a vested interest in reading the personal email of U.S. China policy makers, military leaders, government officials and so on, and all of them are standing up cyber commands and enjoy the benefit of their own nationalistic hacker crews from time to time.

None of this rules China out as the responsible party, of course. I'm simply arguing for a higher bar of evidence before making the leap that China did it. One alternative method, for example, is to start by asking why the spear phishing attack was done. Once you have a clear grasp of the why, you can move on to listing those who would benefit and then look for reasons that might exclude each member of that list. The discipline of alternative analysis has been a difficult one to adopt even among those who do it for a living within the intelligence community, because our individual perceptions are strongly biased toward mirror-imaging, i.e., we imagine that everyone sees things as we do. Another obstacle to alternative analysis is fear: the fear of being wrong, of looking silly, of taking an unpopular stand and suffering the consequences, and so on. Now that the Pentagon has determined that a cyber attack may be sufficient to justify a kinetic response, it is even more imperative that corporate leaders like Google, government leaders like the U.S. Secretary of State, and influential media like the Wall Street Journal exercise more due diligence before leaping to conclusions that may have harmful, possibly irreversible international repercussions.
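The "list who would benefit, then look for reasons to exclude each" step is, in intelligence-analysis terms, Analysis of Competing Hypotheses. The following is an added example, not part of the original post: a small ACH scorer with the post's own alternatives (a PRC state operation, another government, a non-state crew, the latter two working through leased PRC hosting) as the hypotheses and the post's observations as the evidence. The consistency ratings are constructed for illustration and are not an assessment of the actual case. What it makes mechanical is the post's argument: an item that is consistent with every hypothesis (Chinese IPs, when anyone can lease a Chinese server) has zero diagnosticity and cannot favour "China did it" over the alternatives, and until some item is actually inconsistent with a hypothesis the candidates stay tied.

```python
from collections import Counter

# Analysis of Competing Hypotheses (Heuer's method) applied to the "who benefits" list.
# Hypotheses are the alternatives the post raises; the ratings below are a constructed
# illustration, not an assessment of the Jinan case.
CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

HYPOTHESES = [
    "H1 PRC state-directed operation",
    "H2 another government routing through leased PRC hosting",
    "H3 non-state hacker crew routing through leased PRC hosting",
]

# evidence item -> one rating per hypothesis, in HYPOTHESES order (constructed ratings).
# "N" for H3 on E4 records that the post does not speak to that pairing.
EVIDENCE = {
    "E1 four of six sender IPs register to Hong Kong / Beijing providers": ["C", "C", "C"],
    "E2 remaining sender IPs register to Seoul and New York": ["C", "C", "C"],
    "E3 server time on PRC ISPs can be leased and paid for from anywhere": ["C", "C", "C"],
    "E4 targets are US China-policy officials, military and government staff": ["C", "C", "N"],
}


def diagnosticity(ratings):
    """How many hypotheses an item separates from the rest: the number of ratings that
    differ from the most common one. 0 means the item fits all hypotheses equally and
    cannot move the analysis, however striking it looks in a headline."""
    most_common_count = Counter(ratings).most_common(1)[0][1]
    return len(ratings) - most_common_count


def diagnostic_items(evidence):
    """Only the evidence that actually discriminates between hypotheses."""
    return {item: diagnosticity(r) for item, r in evidence.items() if diagnosticity(r) > 0}


def inconsistency_scores(hypotheses, evidence):
    """ACH scores hypotheses by what argues against them, not by what fits them."""
    scores = {h: 0 for h in hypotheses}
    for ratings in evidence.values():
        for h, r in zip(hypotheses, ratings):
            if r == INCONSISTENT:
                scores[h] += 1
    return scores


def rank(hypotheses, evidence):
    """Return (ranked list of (hypothesis, inconsistencies), discriminates). Fewest
    inconsistencies first; discriminates is False when the evidence leaves the
    hypotheses tied, i.e. nothing collected so far excludes anyone."""
    scores = inconsistency_scores(hypotheses, evidence)
    ranked = sorted(scores.items(), key=lambda kv: kv[1])
    return ranked, len(set(scores.values())) > 1


if __name__ == "__main__":
    print("diagnostic items:", diagnostic_items(EVIDENCE) or "none")
    ranked, discriminates = rank(HYPOTHESES, EVIDENCE)
    for hypothesis, score in ranked:
        print(f"{score} inconsistencies  {hypothesis}")
    print("evidence discriminates between hypotheses:", discriminates)
```

Run as written, the three IP-related items score zero diagnosticity and every hypothesis ends with zero inconsistencies, so the ranking reports that the evidence does not discriminate. The analysis only moves when an item is added that is inconsistent with at least one hypothesis; that is the kind of evidence the higher bar asks for.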
