Malicious e-mail and other cyberattacks on Tibet advocacy groups in the United States are linked to Internet servers used in past hacker intrusions traced by U.S. law enforcement to China.The link, made by security experts on the basis of publicly available data, is the first direct evidence the recently intensified attacks against the Tibet groups, reported by United Press International a week ago, were launched from China. But it remains unclear to what extent -- if any -- the Chinese government or military is implicated.
The news follows charges last week from the Save Darfur Coalition, a group opposing Chinese policy in Darfur, they had been the target of intrusion attempts "which appeared to originate in China and seemed intent on subversively monitoring, probing and disrupting coalition activities."
The recent cyberattacks on several Tibet groups were analyzed by a security researcher for the SANS Internet security organization, Maarten Van Horenbeeck, who followed cyberattacks against Tibet organizations, and advocates for other Chinese ethnic groups such as the Uighurs, for many years.
Van Horenbeeck told United Press International that the attacks used e-mails purporting to come from known associates of the victims with attachments containing malicious code -- so-called Trojan horse software -- that stole e-mail and contact data, passwords and other information and covertly sent it on the Internet to special command servers. One domain address that came up as the destination for data stolen from supporters of the Students for a Free Tibet group was familiar to him. Cvnxus.8800.org has been used by hackers "again and again" over the years, he said.
Since earlier this month, the domain has been "moving around," he said. But until March 8, it was based on a server previously identified by the FBI as the source for an e-mail attack aimed at U.S. defense contractors launched in August last year, according to a report from the Air Force Association.
The link, though a narrow one, is significant because of the well-acknowledged difficulty of attributing cyberattacks. Hackers can take control of computers, or even whole servers, without the knowledge of their owners and use them to launch attacks.
China has some of the world's tightest government restrictions on the use of the Internet, which makes many observers skeptical hacker gangs could operate from within China without government approval or acquiescence.
The attacks against the Tibet groups were "very professional and well-coordinated," Van Horenbeeck said, though he said no definitive evidence linked the Chinese government to the attacks.
Some of the e-mails used highly sophisticated "social engineering techniques" to trick their victims into opening the attachment, he said.
Rather than just faking the e-mail address of an associate as the sender of a general message, these e-mails would refer to discussions that the intended victim had conducted with that associate on open Internet bulletin boards or e-mail lists, Van Horenbeeck said, suggesting the hackers had done a great deal of research on individual targets.
"These were very sophisticated," he said, adding that unlike conventional hacker attacks, these were not aimed at defacing the group's Web site or driving it offline with a series of crude denial-of-service bombardments. "These attacks were designed to steal data," he said.
He said they might also be designed to "disrupt (the groups') operations by making people wary of using their e-mail, which is a vital tool for their coordination."
Some of the attacks did seem designed to undermine trust in e-mail. Last week a security professional working with one group posted a message to a Tibet discussion list warning people to expect an increase in e-mail and other attacks. The following day hackers sent another message, faked to look as if it came from the same address, containing a security document as a Word attachment. The attachment contained a Trojan horse malware package, Van Horenbeeck said.
Similarly sophisticated social engineering techniques were noted by security researchers at MessageLabs last month in e-mail malware sent to members of an Olympic committee.
"These are otherwise perfectly valid documents," Maksym Shipka, senior architect at MessageLabs, told SCMagazine, an IT security trade publication. "It's real information. It's a continuation of actual email conversations. Yet the document is bad."
Shipka said the e-mail was so convincing that recipients forwarded it to other members of the committee.
The Trojans and other malicious software used in the Tibet attacks are similar to those used in attacks against the unclassified computer networks of U.S. defense contractors, the Department of Energy's nuclear labs and other sensitive government agencies, but experts caution against reading too much into this, saying that the software is easily available on hacker Web sites.
No comments:
Post a Comment