recommended reading

It's Not Just You: Chinese Hackers Are Terrible at Making Passwords, Too

Karen Roach/

When The New York Times and other news outlets reported being the victims of a massive, years-long cyberattack, it set off a rash of concerns about online security and personal Internet hygiene, reinforcing plenty of old, enduring lessons: Choose strong passwords; don’t click on links from strangers (or strange links from people you know); consider using different usernames for different online services.

Many Americans still don’t follow these security suggestions that can help protect them from online snooping and identity theft. But, evidently, neither do some Chinese hackers. In a bit of poetic justice, the identities of two of The Times’ hackers have become public, all because they got sloppy.

According to a report by Mandiant, the company The Times hired to investigate its security breach, one hacker who went by the handle "UglyGorilla" went around the Chinese Internet asking plainly whether China had a cyberarmy. In a lapse of personal security, UglyGorilla signed his name on the malware he wrote, on the domains he registered, and on Web forums.

“UG’s consistent use of the username 'UglyGorilla' across various Web accounts has left a thin but strong thread of attribution through many online communities,” the report read.

Investigators learned to identify hackers when the spies logged onto Facebook and Twitter, which are blocked to the rest of China by what has collaquially become known as the Great Firewall of China:

Like many Chinese hackers, APT1 attackers do not like to be constrained by the strict rules put in place by the Communist Party of China (CPC), which deployed the GFWoC as a censorship measure to restrict access to web sites such as,, and Additionally, the nature of the hackers’ work requires them to have control of network infrastructure outside the GFWoC. This creates a situation where the easiest way for them to log into Facebook and Twitter is directly from their attack infrastructure. Once noticed, this is an effective way to discover their real identities.

Another hacker identified by Mandiant went by the name of "DOTA." DOTA also had a tendency to spread his name around, creating Hotmail and Gmail accounts using variations of the same handle. Investigators were able to pinpoint the hacker’s location when, as part of a security check, Google sent DOTA a text message. The message contained a code that DOTA had to plug in on his browser to access his Google services -- a standard identity-protection feature called two-factor authentication. (By the way, if you don’t have two-factor authentication enabled, please do it now.)

DOTA’s big mistake was in telling Google to send the text message to a convenient phone number -- one that told Mandiant both what carrier the hacker was on (China Mobile) and where he was (Shanghai).

“The speed of DOTA’s response also indicates that he had the phone with him at the time,” said the report.

DOTA is also apparently a huge J.K. Rowling fan. In response to security questions like “Who is your favorite teacher?” DOTA’s answer would frequently come up as “Harry” and “Poter” (yes, with one T). Despite his skills at penetrating other people’s systems, DOTA was, it turns out, no wizard at personal or operational security.

It’s no small irony the everyday shortcuts users take and which subsequently open them up to hackers like DOTA and UglyGorilla, are the same traps that the two hackers fell into. Still, there’s another possibility: What if they wanted to be found?

While some countries go to great lengths to hide their attacks, China takes no such precautions, said Yael Shahar, an Israeli cybersecurity expert at the International Institute for Counter-Terrorism.

“They're very careful not to cover their tracks very well,” she told me, adding that it enhanced Chinese self-perceptions of “face” to leave a calling card. “It's a projection of power; it's not that they're trying to hide it.”

(Image via Karen Roach/

Threatwatch Alert

Network intrusion

FBI Warns Doctors, Dentists Their FTP Servers Are Targets

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.