DOCUMENTS China's 'patriotic hackers' became the country's cyber-espionage elite
by Dirtypanty - 03-10-25, 02:23 PM
#1
A new report traces the early wave of Chinese hackers who became a mainstay of the state espionage machine.

In the summer of 2005, 20-year-old Tan Dailin, a graduate student at Sichuan University of Science and Technology, came to the attention of the People's Liberation Army (PLA). Tan was part of a community of hackers known as Honkers—teenagers and students in the late 1990s and early 2000s who formed groups like Green Army and Evil Octal, attacking Western websites deemed anti-Chinese. Initially, the attacks were primitive—mostly website defacements and DDoS attacks on targets in the US, Taiwan, and Japan—but the hackers' skills quickly advanced, and Tan even published reports of his activities on his blogs.

After a series of posts about hacking Japanese websites, the PLA took notice. He and his friends were invited to participate in a hacking competition organized by PLA-affiliated groups. The team won and was soon sent to an intensive month-long training camp. Within weeks, they were creating hacking tools, learning network penetration techniques, and conducting simulated attacks.

Later, Tan, under the pseudonyms Wicked Rose and Withered Rose, founded the Network Crack Program Hacker (NCPH) group, which became known for participating in hacking contests and creating tools, including the GinWui rootkit—one of China's first remote access tools. Experts believe this utility and dozens of zero-day exploits were used in a series of "unprecedented" attacks on American companies and government agencies in the spring and summer of 2006—for the PLA.

According to Tan's team, they earned around $250 per month, and after a successful campaign, $1,000. Tan later joined the Ministry of State Security (MSS), China's civilian intelligence agency, and became a member of the hacking group APT 41. In 2020, the US Department of Justice brought 41 charges against him and other APT members for hacking more than 100 targets, including US government systems, healthcare organizations, and telecoms.

But Tan is just one of many former Honkers who began their careers as patriotic hackers and later became part of Chinese cyberespionage.

The Honkers' Early Years
The Honkers community emerged after China's internet connection in 1994. Students with access to university networks began sharing knowledge on bulletin boards. Groups like XFocus, China Eagle Union, and Honker Union of China became the backbone of the movement. The name "Honkers" comes from the words "hong" (red) and "heike" (hacker).

Initially, the community had codes of ethics, inspired by hackers like Lin Zhenglong from Taiwan. He believed that hacking skills should serve defense and published guides explaining the importance of strengthening security. Although there were no real sandboxes for practicing, hackers tested their skills on live networks, bypassing government and academic systems.

However, ethics quickly gave way to patriotic emotions. In 1998, after the massacre of Chinese people in Indonesia, Honkers attacked Indonesian websites. In 1999, following Taiwan's president's declaration of a "two-state theory," they hacked Taiwanese government websites. In 2000, a massive cyberattack on Japanese websites began following the controversy surrounding the events in Nanjing.

These "patriotic cyberwars" united hackers with a common mission—to serve China's interests. The largest group, Honker Union, grew to 80,000 members. Subsequently, according to researcher Eugenio Benincasa of ETH Zurich, the "Red Forty"—the community's most active core—became founders or members of key information security companies and government contractors.

Transition to state
Until 2001, the state turned a blind eye to their activities, sometimes even encouraging them. Eighty-four percent of Chinese internet users supported patriotic hacking. But after the 2001 Hainan incident involving an American spy plane, which triggered a diplomatic crisis, the tone changed. State media labeled hackers "web terrorists." Groups began to disintegrate, and conflicts arose between those who wanted to go into business and those who sought hacking for profit.

Some joined companies such as Baidu, Alibaba, Huawei, and Venustech, while others became criminals or, like Tan, joined the intelligence services.

After the successful NCPH attacks in 2006, hacker recruitment became more organized. By 2009, with the adoption of amendments to the criminal code, hacker forums began to close, and some hackers were arrested. Tan reportedly received a 7.5-year sentence, but likely struck a deal and began working for the MSS. In 2011, he founded the supposed antivirus firm Anvisoft, possibly a front for espionage activities.

The Honkers Legacy

Many modern tools used by Chinese APT groups were created by former Honkers. These include:

Glacier - Trojan (1999),
X-Scan - vulnerability scanner (2000),
HTRAN - IP hiding tool (2003),
PlugX and ShadowPad - popular backdoors used by more than 10 APT groups.

i-Soon and Integrity Tech, companies founded by former Honkers, were also involved in espionage campaigns. In 2024, the US indicted their employees for hacking government, media, and foreign targets.

Conclusion
The path of Chinese hackers resembles that of their American counterparts, many of whom also ended up working for the NSA or CIA. However, unlike the US, China operates under the principle of "state as a whole of society," where private companies and individual specialists are obligated to assist the state in intelligence activities.

https://pub1-bjyt.s3.360.cn/bcms/2024%E5...%91%8A.pdf
