China: attacks from US IP addresses hit us, moved on to Russia and Ukraine

China’s Cyberspace Administration has claimed that “since late February” it has observed continuous attacks on the Chinese internet and local computers by actors who used the resources they co-opted to target Russia, Belarus, and Ukraine.

The allegation, the title of which translates as “My country’s internet suffers from overseas cyber attacks,” was posted last Friday and includes a list of IP addresses that the Administration (CAC) claims as the source or target of the attacks.

“After analysis, these attack addresses are mainly from the United States. There are more than ten attack addresses from New York State alone, and the peak attack traffic reaches 36Gbit/sec,” the CAC asserts. “87 per cent of the attack targets are Russia, and a small number of attack addresses are from Germany, the Netherlands and other countries.”

The Register has indulged in a spot of WHOIS action and can confirm that the IP addresses indeed appear to be owned or tended by US-based carriers or colocation companies.

Which is a long way short of a smoking gun. It is entirely possible that whoever drove this attack co-opted resources at those IP addresses. And while the CAC has named the US, Germany, and the Netherlands as the source of the incidents it has detected, the regulator did not attribute the attacks to any of those nations.

The CAC statement making the allegation states China’s CERT deflected the attacks, but the CERT offers only the same vaguely-worded statement.

The reference to peak attack traffic of 36Gbit/sec may be revealing, as that’s the kind of language used when discussing the volume of rubbish traffic spewed at a target during a distributed denial of service attack.

And as it happens, security firms have already found evidence of DDoS attacks on Ukraine.

But a 36Gbit/sec DDoS is not a big one by contemporary standards. In October 2021 Microsoft claimed it fended off a 2.4Tbit/sec attack and Cloudflare spotted a couple that topped 1Tbit/sec during 2021.

Whoever hit China was not wielding a big stick.

And China has not pointed a finger, but has painted itself as an aggrieved party.

Which makes the announcement curious, because China seldom admits weakness – yet in this case appears to have happily and openly disclosed a DDoS that crossed its borders and bounced through local infrastructure into a war zone.

China and Russia have recently declared an open-ended friendship, so accusations of Russian action are unlikely. But the CAC has campaigned for China’s own businesses to improve their infosec in the interests of the nation and their own fortunes. Sharing news of this incident could be just the prod some Chinese organisations need to get their house in order. And perhaps do the same for whoever has kit at the IP addresses where this incident commenced. ®