Network Crack Program Hacker (NCPH) Group
Encyclopedia
The Network Crack Program Hacker (NCPH) group is a Chinese hacker group based out of Zigong
in Sichuan Province.
While the group first gained notoriety after hacking 40% of the hacker association websites in China, their attacks grew in sophistication and notoriety through 2006 and received international media attention in early 2007. iDefense linked the GinWui rootkit
, developed by their leader Tan Dailin (Wicked Rose) with attacks on the US Department of Defense
in May and June 2006. iDefense linked the group with many of the 35 zero-day and proof-of-concept codes used in attacks with over a period of 90 days during the summer of 2006. They are also known for the remote-network-control programs they offer for download. Wicked Rose announced in a blog post that the group is paid for their work, but the group's sponsor is unknown.
, also known as Meigui (玫瑰), is the pseudonym of the Chinese hacker Tan Dailin. He is first noted as a hacker during the "patriotic" attacks of 2001. In 2005, Wicked Rose was contracted by the Sichuan Military Command Communication Department which instructed him to participate in the Chengdu Military Command Network Attack/Defense Competition. After winning the local competition, he received a month of intense training in simulating attacks, designing hacking tools, and drafting network-infiltration strategies. He and his team represented the Sichuan Military Command in a competition with other provinces which they went on to win. Wicked Rose is also credited with the development of the GinWui rootkit used in attacks on the US Department of Defense in 2006.
As the group's leader, he is responsible for managing relationships with sponsors and paying NCPH members for their work. In April 2009 he was arrested after committing distributed denial of service attacks on Hackbase, HackerXFiles, and 3800hk, possibly for the purpose of committing blackmail. the organizations attacked collected information on the attack and turned it in to the public security department. The authorities conducted an investigation and shut down his website. Hackbase reported Wicked Rose was arrested and faces up to 71/2 years in prison.
suite products. After their founding in 2004, the group earned a reputation among hacking groups by hacking 40% of the hacker association websites in China.
Security researchers discovered the rootkit on 18 May 2006 attackers utilized it in attacks on the US and Japan. Attackers introduced it to the US in an attack against a Department of Defense entity. They used two different versions of the rootkit in attacks during May and June 2006.
According to F-secure, GinWui is "a fully featured backdoor with rootkit characteristics." It is distributed through Word documents. The backdoor GinWui creates allows the controlling hacker control over certain processes of the compromised computer including the ability to,
developed by Wicked Rose and not available in the public domain at the time. The group graduated from their early attacks exploiting only Microsoft Word, and by the end of 2006, they were also using Power Point and Excel in attacks. NCPH utilizes these exploits in spear phishing attacks.
information or from employee databases or mailboxes of a company's system. He may also conduct analysis on user ids which allows them to track and understand their activities. Finally he conducts the attack using the information collected and someone is likely to open the infected document.
Spear phishing attacks attributed to NCPH increased in sophistication over time. While their phishing attacks in the beginning of 2006 targeted large numbers of employees, one attack attributed to the group later that year targeted one individual in a US oil company using socially engineered
emails and infected Power Point documents.
reporter Simon Elegant interviewed eight members of the group in December 2007 as part of an article on Chinese government cyber operations against the US government. During the interview the members referred to each other using code names. Security firm iDefense has published reports on the group and their exploits and devoted a webinar to the group, their capabilities, and relationships with other Chinese hackers. Scott Henderson
, Chinese linguistics and Chinese hacker expert, has also devoted several blog posts to the group and their ongoing activities.
posts as "the most revealing and damning thing I have ever seen a Chinese hacker write." After the interview with Time reporter Wicked Rose took down the group's blog and his blog. In July 2008 the group's blog returned, but with modified content. Withered Rose also began blogging again, saying he was busy during the time the blog was down, but that his new job allows him more time to blog. Chinese officials removed both blogs after his arrest in April 2009. Rodag also blogs, but the most recent post is from August 2008. His last post is on IE vulnerabilities that attackers can used to exploit a user's desktop.
Zigong
Zigong , ancient name Ziliujing and Gongjing, is a prefecture-level city and the third largest city in Sichuan Province, in southwest China.-Geography:...
in Sichuan Province.
While the group first gained notoriety after hacking 40% of the hacker association websites in China, their attacks grew in sophistication and notoriety through 2006 and received international media attention in early 2007. iDefense linked the GinWui rootkit
Rootkit
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
, developed by their leader Tan Dailin (Wicked Rose) with attacks on the US Department of Defense
United States Department of Defense
The United States Department of Defense is the U.S...
in May and June 2006. iDefense linked the group with many of the 35 zero-day and proof-of-concept codes used in attacks with over a period of 90 days during the summer of 2006. They are also known for the remote-network-control programs they offer for download. Wicked Rose announced in a blog post that the group is paid for their work, but the group's sponsor is unknown.
Members
The group had four core members in 2006, Wicked Rose, KuNgBim, Charles, and Rodag, with approximately 10 members in total. The group's current membership is unknown.Wicked Rose
Wicked RoseWicked Rose
Wicked Rose is the pseudonym of a Chinese hacker responsible for developing the GinWui rootkit used in internet attacks during the summer of 2006. It has been suggested that he works for the Chinese Army....
, also known as Meigui (玫瑰), is the pseudonym of the Chinese hacker Tan Dailin. He is first noted as a hacker during the "patriotic" attacks of 2001. In 2005, Wicked Rose was contracted by the Sichuan Military Command Communication Department which instructed him to participate in the Chengdu Military Command Network Attack/Defense Competition. After winning the local competition, he received a month of intense training in simulating attacks, designing hacking tools, and drafting network-infiltration strategies. He and his team represented the Sichuan Military Command in a competition with other provinces which they went on to win. Wicked Rose is also credited with the development of the GinWui rootkit used in attacks on the US Department of Defense in 2006.
As the group's leader, he is responsible for managing relationships with sponsors and paying NCPH members for their work. In April 2009 he was arrested after committing distributed denial of service attacks on Hackbase, HackerXFiles, and 3800hk, possibly for the purpose of committing blackmail. the organizations attacked collected information on the attack and turned it in to the public security department. The authorities conducted an investigation and shut down his website. Hackbase reported Wicked Rose was arrested and faces up to 71/2 years in prison.
Controversy
The group expelled the hacker WZT on 20 May 2006. Although the cause is unknown, the group kicked him out soon after the zero-day attacks were publicly disclosed. WZT was a coding expert within the group.Associates
Former NCPH member associates with the Chinese hacker Li0n, the founder of the Honker Union of China (HUC). Wicked Rose credits the Chinese hacker WHG, also known as "fig" as one of the developers of the GinWui rootkit. WHG is an expert in malicious code. Security firms researching Wicked Rose's activities have connected him with the Chinese hacker group Evil Security Team.Activities
The group is known for its remote-network-control programs they offer for free on their website and the exploitation of zero-day vulnerabilities of Microsoft OfficeMicrosoft Office
Microsoft Office is a non-free commercial office suite of inter-related desktop applications, servers and services for the Microsoft Windows and Mac OS X operating systems, introduced by Microsoft in August 1, 1989. Initially a marketing term for a bundled set of applications, the first version of...
suite products. After their founding in 2004, the group earned a reputation among hacking groups by hacking 40% of the hacker association websites in China.
GinWui Rootkit
Wicked Rose is the creator of the GinWui rootkit. His code and support posts are on Chinese hacker message boards, and was also available from the NCPH blog.Security researchers discovered the rootkit on 18 May 2006 attackers utilized it in attacks on the US and Japan. Attackers introduced it to the US in an attack against a Department of Defense entity. They used two different versions of the rootkit in attacks during May and June 2006.
According to F-secure, GinWui is "a fully featured backdoor with rootkit characteristics." It is distributed through Word documents. The backdoor GinWui creates allows the controlling hacker control over certain processes of the compromised computer including the ability to,
- Create, read, write, delete, and search for files and directories,
- Access and modify the Registry,
- Manipulate services,
- Start and kill processes,
- Get information about the infected computer,
- and lock, restart, or shutdown Windows, among other activities.
Microsoft Office Exploits
IDefense links NCPH with many of the 35 zero-day and proof-of-concept codes used in attacks against Microsoft Office products over a period of 90 days during the summer of 2006 due to the use of malwareMalware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
developed by Wicked Rose and not available in the public domain at the time. The group graduated from their early attacks exploiting only Microsoft Word, and by the end of 2006, they were also using Power Point and Excel in attacks. NCPH utilizes these exploits in spear phishing attacks.
Spear Phishing
On his blog, Wicked Rose discussed his preference for spear phishing attacks. First, during the collection phase information is gathered using open sourceOpen source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...
information or from employee databases or mailboxes of a company's system. He may also conduct analysis on user ids which allows them to track and understand their activities. Finally he conducts the attack using the information collected and someone is likely to open the infected document.
Spear phishing attacks attributed to NCPH increased in sophistication over time. While their phishing attacks in the beginning of 2006 targeted large numbers of employees, one attack attributed to the group later that year targeted one individual in a US oil company using socially engineered
Social engineering (security)
Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information...
emails and infected Power Point documents.
Sponsorship
After winning the military network attack/defense competition, the group obtained a sponsor who paid them 2000 RMB per month. IDefense believes their sponsor is likely the People's Liberation Army (PLA) but has no definitive evidence to support this claim. After the 2006 attacks took place, their sponsor increased their pay to 5000 RMB. The group's current sponsor is unknown.Media coverage
TimeTime (magazine)
Time is an American news magazine. A European edition is published from London. Time Europe covers the Middle East, Africa and, since 2003, Latin America. An Asian edition is based in Hong Kong...
reporter Simon Elegant interviewed eight members of the group in December 2007 as part of an article on Chinese government cyber operations against the US government. During the interview the members referred to each other using code names. Security firm iDefense has published reports on the group and their exploits and devoted a webinar to the group, their capabilities, and relationships with other Chinese hackers. Scott Henderson
Scott Henderson
Scott Henderson is a fusion and blues guitarist best known for his work with the band Tribal Tech.-Early days:Born in West Palm Beach, Florida, Henderson began playing guitar at an early age...
, Chinese linguistics and Chinese hacker expert, has also devoted several blog posts to the group and their ongoing activities.
Blogging
All four core members of the group have blogged about their activities at one point or another. The group's blog NCPH.net also offered network-infiltration programs for download. Scott Henderson describes Wicked Rose's early blogBlog
A blog is a type of website or part of a website supposed to be updated with new content from time to time. Blogs are usually maintained by an individual with regular entries of commentary, descriptions of events, or other material such as graphics or video. Entries are commonly displayed in...
posts as "the most revealing and damning thing I have ever seen a Chinese hacker write." After the interview with Time reporter Wicked Rose took down the group's blog and his blog. In July 2008 the group's blog returned, but with modified content. Withered Rose also began blogging again, saying he was busy during the time the blog was down, but that his new job allows him more time to blog. Chinese officials removed both blogs after his arrest in April 2009. Rodag also blogs, but the most recent post is from August 2008. His last post is on IE vulnerabilities that attackers can used to exploit a user's desktop.