Network Crack Program Hacker (NCPH) Group

The Network Crack Program Hacker (NCPH) group is a Chinese hacker group based out of Zigong in Sichuan Province. ^[1] While the group first gained notoriety after hacking 40% of the hacker association websites in China,^[2] their attacks grew in sophistication and notoriety through 2006 and received international media attention in early 2007. iDefense linked the GinWui rootkit, developed by their leader Tan Dailin (Wicked Rose) with attacks on the US Department of Defense in May and June 2006. iDefense linked the group with many of the 35 zero-day and proof-of-concept codes used in attacks with over a period of 90 days during the summer of 2006. They are also known for the remote-network-control programs they offer for download. Wicked Rose announced in a blog post that the group is paid for their work, but the group's sponsor is unknown.^[1]

Members

The group had four core members in 2006, Wicked Rose, KuNgBim, Charles, and Rodag, with approximately 10 members in total.^[1] The group's current membership is unknown.

Wicked Rose

Wicked Rose, also known as Meigui (玫瑰), is the pseudonym of the Chinese hacker Tan Dailin.^[3] He is first noted as a hacker during the "patriotic" attacks of 2001.^[4] In 2005, Wicked Rose was contracted by the Sichuan Military Command Communication Department which instructed him to participate in the Chengdu Military Command Network Attack/Defense Competition. After winning the local competition, he received a month of intense training in simulating attacks, designing hacking tools, and drafting network-infiltration strategies. He and his team represented the Sichuan Military Command in a competition with other provinces which they went on to win.^[2] Wicked Rose is also credited with the development of the GinWui rootkit used in attacks on the US Department of Defense in 2006.^[1]

As the group's leader, he is responsible for managing relationships with sponsors and paying NCPH members for their work.^[1] In April 2009 he was arrested after committing distributed denial of service attacks on Hackbase, HackerXFiles, and 3800hk, possibly for the purpose of committing blackmail. the organizations attacked collected information on the attack and turned it in to the public security department. The authorities conducted an investigation and shut down his website.^[5] Hackbase reported Wicked Rose was arrested and faces up to 7^1/2 years in prison.^[6]

Controversy

The group expelled the hacker WZT on 20 May 2006. Although the cause is unknown, the group kicked him out soon after the zero-day attacks were publicly disclosed. WZT was a coding expert within the group.^[1]

Associates

Former NCPH member associates with the Chinese hacker Li0n, the founder of the Honker Union of China (HUC). Wicked Rose credits the Chinese hacker WHG, also known as "fig" as one of the developers of the GinWui rootkit. WHG is an expert in malicious code. Security firms researching Wicked Rose's activities have connected him with the Chinese hacker group Evil Security Team.^[1]

Activities

The group is known for its remote-network-control programs they offer for free on their website^[2] and the exploitation of zero-day vulnerabilities of Microsoft Office suite products.^[1] After their founding in 2004, the group earned a reputation among hacking groups by hacking 40% of the hacker association websites in China.^[2]

GinWui Rootkit

Wicked Rose is the creator of the GinWui rootkit. His code and support posts are on Chinese hacker message boards, and was also available from the NCPH blog.^[1]

Security researchers discovered the rootkit on 18 May 2006 attackers utilized it in attacks on the US and Japan. Attackers introduced it to the US in an attack against a Department of Defense entity. They used two different versions of the rootkit in attacks during May and June 2006.^[1]

According to F-secure, GinWui is "a fully featured backdoor with rootkit characteristics." It is distributed through Word documents. The backdoor GinWui creates allows the controlling hacker control over certain processes of the compromised computer including the ability to,

• Create, read, write, delete, and search for files and directories,
• Access and modify the Registry,
• Manipulate services,
• Start and kill processes,
• Get information about the infected computer,
• and lock, restart, or shutdown Windows, among other activities.^[7]

Microsoft Office Exploits

IDefense links NCPH with many of the 35 zero-day and proof-of-concept codes used in attacks against Microsoft Office products over a period of 90 days during the summer of 2006 due to the use of malware developed by Wicked Rose and not available in the public domain at the time. The group graduated from their early attacks exploiting only Microsoft Word, and by the end of 2006, they were also using Power Point and Excel in attacks. NCPH utilizes these exploits in spear phishing attacks.^[1]

Spear Phishing

On his blog, Wicked Rose discussed his preference for spear phishing attacks. First, during the collection phase information is gathered using open source information or from employee databases or mailboxes of a company's system. He may also conduct analysis on user ids which allows them to track and understand their activities. Finally he conducts the attack using the information collected and someone is likely to open the infected document.^[3]

Spear phishing attacks attributed to NCPH increased in sophistication over time. While their phishing attacks in the beginning of 2006 targeted large numbers of employees, one attack attributed to the group later that year targeted one individual in a US oil company using socially engineered emails and infected Power Point documents.^[1]

Sponsorship

After winning the military network attack/defense competition, the group obtained a sponsor who paid them 2000 RMB per month. IDefense believes their sponsor is likely the People's Liberation Army (PLA) but has no definitive evidence to support this claim. After the 2006 attacks took place, their sponsor increased their pay to 5000 RMB.^[1] The group's current sponsor is unknown.

Media coverage

Time reporter Simon Elegant interviewed eight members of the group in December 2007 as part of an article on Chinese government cyber operations against the US government. During the interview the members referred to each other using code names.^[2] Security firm iDefense has published reports on the group and their exploits^[1] and devoted a webinar to the group, their capabilities, and relationships with other Chinese hackers.^[4] Scott Henderson, Chinese linguistics and Chinese hacker expert, has also devoted several blog posts to the group and their ongoing activities.^[3][5]

Blogging

All four core members of the group have blogged about their activities at one point or another. The group's blog NCPH.net also offered network-infiltration programs for download.^[2] Scott Henderson describes Wicked Rose's early blog posts as "the most revealing and damning thing I have ever seen a Chinese hacker write."^[3] After the interview with Time reporter Wicked Rose took down the group's blog and his blog.^[2] In July 2008 the group's blog returned, but with modified content. Withered Rose also began blogging again, saying he was busy during the time the blog was down, but that his new job allows him more time to blog.^[8] Chinese officials removed both blogs after his arrest in April 2009.^[5] Rodag also blogs, but the most recent post is from August 2008. His last post is on IE vulnerabilities that attackers can used to exploit a user's desktop.^[9]

See also

• Wicked Rose
• Honker Union

References

External links

• link to the iDefense Webcast (Internet Explorer only)
• The Dark Visitor
• Enemies At The Firewall