1

A question I have stemming from this question, where somebody shows the Terminal history of an attempted hack of their system.

There is a line in the output, that suggests the hack stemmed from China. This claim was made in many answers and nobody thought to doubt it. The line looks like this:

Accept-Language: zh-cn

which means the Chinese language was preffered at the other end. The IP addressed from which some tools are downloaded by the hacker are Chinese. However, analogously to the main question here... Does this tell us the hacker is sitting in China?

Is it conceivable/possible that people include the line simply to make it appear that the attack came from China? Or are there additional clues that point to this?

They could easily still be working in English, or any other language for that matter, at their end.

I imagine, for example an English guy sitting in an internet cafe in Moscow, routed through a VPN in Ecuador...

Are the statistics that are reported in the media or e.g. by the American government that X percentage of all cyber-warfare/hacking originate from China based on more solid information? If so, which?

Community
  • 1
n1k31t4
  • 121
  • 5

2 Answers2

1

I'm happy someone raised this as I thought the same thing when reading that question.

Accept-Language: zh-cn

The first thing I think when I see this is that someone has copied a HTTP request header from their browser without understanding what it does.

Even in normal requests this is generally unnecessary, and in this case the URL is probably being used for downloading binary assets, which don't need to be translated. It's just a waste of space.

The line doesn't necessarily indicate anything, but it could hypothetically indicate the attacker's browser language setting.

What does indicate something is the IP addresses found in the binary, but these don't mean that the attacker is in China, possibly just that they hacked some servers in China.

I'm always sceptical when I see such statistics. I'm not sure what they are based on other than IP addresses.

Bardi Harborow
  • 350
1

In that case, the attacker, it would seem, hid their identity by performing their attack through Microsoft azure cloud servers. As such, the origination of the attack is hard to say without any logs Microsoft may have.

However, the IP addresses the files were being downloaded from originated in China. That, as well as the line mentioned, are the closest we have to knowing without any further logs.

Bear in mind, China isn't particularly well known for it's free and open internet. On the contrary, the last time I ever looked it up, any form of basic hosting there was incredibly expensive. It may have changed, but it seems somewhat unlikely that people outside of China would have gone to too much effort to hire a server there, and go to so much trouble to make it look like it originated from China.

Is it 100% conclusive? No, not at all. But probable? I'd say so.

As for the media, I believe that is too open to opinion and each media outlet and their sources for a conclusive answer in this format.

Jonno
  • 21,643