This is not about another mythical, horrid Chinese cyber WMD aggression.
Since October 2012 Cryptome has been scraped daily by the IP address 211.94.xxx.xxx, which geolocates to coordinates 39.9075, 116.39723 in central Beijing, China, near the Forbidden City and across the street from the Ministry of Public Security, which is geolocated at coordinates 39.903904, 116.399143. As Mandiant alleges, the geolocations are close enough to implicate the PRC spooks, or some hacker genius or non-PRC spy pretending to be PRC spooks via IP spoofing.
Log file samples:
220.127.116.11 - - [21/Feb/2013:00:00:07 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "http://cryptome.org/nppw-series.htm" "Wget/1.12 (linux-gnu)"
18.104.22.168 - - [18/Sep/2012:00:00:00 -0400] "HEAD /2012-info/free-syria/pict116.jpg HTTP/1.0" 200 - "http://cryptome.org/2012-info/free-syria/free-syria-05.htm" "Wget/1.12 (linux-gnu)"
The scraper runs overnight, US Eastern Time, for about six to eight hours, cycling through all the files on the site at an average of 18 hits per second, checking for new files and downloading them, as well as repeatedly downloading hundreds of random files with no discernible pattern.
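A defender's view of the pattern described above, as an added example that is not from the original page: it parses combined-format access-log lines like the samples and reports each client's mean hits per second, repeated GETs and user agents. The sample lines, the documentation IP addresses (192.0.2.10, 198.51.100.7) and the 5 hits/second threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/NCSA "combined" log format, the layout of the samples above.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def summarize(lines):
    """Per client: hit count, mean hits/second, repeated GETs, user agents."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    out = {}
    for ip, recs in by_ip.items():
        times = [r["ts"] for r in recs]
        seconds = (max(times) - min(times)).total_seconds() + 1  # inclusive window
        gets = Counter(r["path"] for r in recs if r["method"] == "GET")
        out[ip] = {"hits": len(recs), "rate": len(recs) / seconds,
                   "repeat_gets": sum(n - 1 for n in gets.values()),
                   "agents": {r["agent"] for r in recs}}
    return out

def flag_scrapers(stats, min_rate=5.0):
    """Clients whose mean request rate is at or above min_rate (assumed threshold)."""
    return sorted(ip for ip, s in stats.items() if s["rate"] >= min_rate)

# Constructed sample input: 54 Wget hits in 3 seconds, plus one slow browser client.
T0 = datetime.strptime("21/Feb/2013:00:00:07 -0500", TS_FMT)
def _line(ip, offset, method, path, agent):
    ts = (T0 + timedelta(seconds=offset)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.0" 200 512 "-" "{agent}"'

SAMPLE = [_line("192.0.2.10", i // 18, "HEAD" if i % 2 else "GET",
                f"/file{i % 20}.htm", "Wget/1.12 (linux-gnu)") for i in range(54)]
SAMPLE += [_line("198.51.100.7", t, "GET", "/index.htm", "Mozilla/5.0") for t in (0, 30, 60)]
SAMPLE.append("garbled line that is skipped")

if __name__ == "__main__":
    print(flag_scrapers(summarize(SAMPLE)))
```

The user agent is reported but not used for flagging, since it is client-supplied and trivially changed; the request rate and repeat-download counts are measured server-side.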