
Spearphishing attacks against Tibet impersonate security vendor that raised alarm


Following detection of spearphishing attacks against Tibetan organisations, further attacks have been detected that claim to be from AlienVault.

The initial detection by AlienVault of spearphishing attacks from China was announced two weeks ago; the attacks contained a malicious PDF carrying a variant of Gh0st RAT (a remote-access Trojan) and exploited a known vulnerability in Microsoft software.

However, the company's labs have now detected efforts by attackers to spoof AlienVault email addresses in an attempt to make their messages more realistic.

Jaime Blasco, head of labs at AlienVault, called this "a case of imitation being the sincerest form of flattery".

He said: “The fact that the pro-Chinese sympathisers have taken our research seriously enough to start trying to blacken our name indicates that our message about the Chinese cyber attackers has hit home, and the cyber criminal activists are not happy.

“While the pro-Chinese sympathisers are clearly trying to tarnish AlienVault's reputation with their actions, I'm very happy the message is getting through to the media that the ongoing cold war between China and Tibet has spilled over into cyber space.

“We have seen Tibetan sympathisers turn to self-immolation in their quest to bring their plight to the attention of Western governments, so any effect on our reputation pales into insignificance alongside their sacrifices.”

The emails purport to come from 'admin@alienvault.com' with a subject line of "Targeted attacks against Tibet organisations" and contain a malicious payload that loads a Java applet, which exploits CVE-2011-3544.
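A spoofed From: address of this kind is usually caught at the mail gateway by comparing the claimed sender domain with the SPF/DKIM verdicts recorded in the Authentication-Results header, and by looking for the applet lure in the body. The following triage script is an added example written for this article, not AlienVault's tooling; the two messages it parses are constructed for illustration, and the set of "protected" brand domains is an assumption you would replace with your own.

```python
"""Header-based triage for spoofed-sender spearphishing (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Brand domains an attacker might impersonate. The article names alienvault.com;
# the set itself is an assumption for this example, not a vendor-supplied list.
PROTECTED_DOMAINS = {"alienvault.com"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

# Constructed sample: claims to be from admin@alienvault.com but fails SPF and
# was relayed through an unrelated host.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
    by mx.example.org with ESMTP; Tue, 20 Mar 2012 10:02:11 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "AlienVault" <admin@alienvault.com>
To: office@example.org
Subject: Targeted attacks against Tibet organisations
Content-Type: text/html

<html><body>Full report: <applet code="Report.class" archive="report.jar"></applet></body></html>
"""

# Constructed sample: ordinary internal mail that authenticates cleanly.
LEGIT_RAW = """\
Return-Path: <analyst@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by mx.example.org with ESMTP; Tue, 20 Mar 2012 11:15:02 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: analyst@example.org
To: office@example.org
Subject: Weekly summary
Content-Type: text/plain

Nothing unusual this week.
"""


def parse_auth_results(msg):
    """Collect method=result pairs from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, outcome in AUTH_RE.findall(str(header)):
            results[method.lower()] = outcome.lower()
    return results


def header_domain(msg, header):
    """Domain part of the address found in a header such as From or Return-Path."""
    _, addr = parseaddr(str(msg.get(header, "")))
    return addr.rpartition("@")[2].lower()


def java_applet_indicators(msg):
    """Flag an <applet> tag in HTML parts or a .jar/.class attachment."""
    hits = []
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if filename.endswith((".jar", ".class")):
            hits.append(f"attachment:{filename}")
        if part.get_content_type() == "text/html":
            if re.search(r"<applet\b|\.jar\b", part.get_content(), re.IGNORECASE):
                hits.append("html:applet")
    return hits


def triage(raw):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    from_domain = header_domain(msg, "From")
    envelope_domain = header_domain(msg, "Return-Path")
    reasons = []
    # The article's pattern: a protected brand in From: with no SPF or DKIM pass.
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    spoof = from_domain in PROTECTED_DOMAINS and not authenticated
    if spoof:
        reasons.append(f"from {from_domain} without spf/dkim pass")
    # Envelope/header mismatch is weak on its own (mailing lists do it), so it
    # only counts in combination with another indicator.
    if envelope_domain and from_domain and envelope_domain != from_domain:
        reasons.append(f"envelope {envelope_domain} != header {from_domain}")
    reasons.extend(java_applet_indicators(msg))
    return {
        "from_domain": from_domain,
        "auth": auth,
        "reasons": reasons,
        "suspicious": spoof or len(reasons) >= 2,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(name, triage(raw))
```

Note that the check relies on the receiving MX having stamped its own Authentication-Results header; an attacker can insert a forged one upstream, so production filters should strip or ignore any copy not added by a trusted host.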

Blasco said: “Our research suggests that the attacks we have been tracking over the past month are linked to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The spearphishing emails are quite sophisticated and feature an attachment that exploits a stack overflow vulnerability dating back to last September.

“Yes, AlienVault has effectively been drawn into the cyber conflict itself, but we plan on continuing to report on this humanitarian cause for as long as it takes. Our email spoofing problems are nothing compared with the problems that Tibetans are facing.”

Blasco also said that automated bots are being used to spam Twitter users with hashtags related to the issue, including #tibet and #freetibet; the junk tweets are from automated Twitter accounts controlled by the Chinese government or its sympathisers.

Security researcher and blogger Brian Krebs also spotted this flood of Twitter spam, and said that it was not clear how long ago the bogus tweet campaigns began; he said the hashtags are now so associated with junk tweets from apparently automated Twitter accounts that they have ceased to be a useful way to track the China-Tibet situation.

Krebs said: “Twitter was very responsive to the botted accounts being used to drown out hashtags following the disputed Russian elections, but these anti-Tibetan Twitter bots appear to have flown under the radar so far.

“When I checked the situation on Monday (19 March) evening, the bunk tweets aimed at popular Tibetan hashtags were still going strong. It's not immediately clear how many apparently botted accounts are being used to blast these tweets; most of them have zero, if any, followers, and are following very few other accounts. Twitter has been notified about a couple of dozen accounts that appear to be the source of most of these junk messages.”
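The two signals Krebs describes, accounts with essentially no followers and few followings, and the same junk text repeated across them, are enough to triage a flooded hashtag without access to anything but public timeline data. The script below is an added example, not part of the article or of Krebs's or AlienVault's analysis; the tweets and account counts are constructed, and the thresholds (at most one follower, at most five followings, a cluster of three or more identical texts) are assumptions to tune against real data.

```python
"""Score a hashtag for bot flooding from thin accounts and duplicated text (added example)."""
import re
from collections import Counter

# Constructed sample tweets for one hashtag; none of these are real accounts.
SAMPLE_TWEETS = [
    {"user": "bot_a", "followers": 0, "following": 2,
     "text": "Beautiful mountains #tibet #freetibet http://t.co/x1"},
    {"user": "bot_b", "followers": 0, "following": 1,
     "text": "beautiful mountains #Tibet #FreeTibet http://t.co/x2"},
    {"user": "bot_c", "followers": 1, "following": 3,
     "text": "Beautiful Mountains! #tibet"},
    {"user": "bot_d", "followers": 0, "following": 0,
     "text": "Visit Lhasa today #tibet #travel"},
    {"user": "human_1", "followers": 340, "following": 210,
     "text": "Monks protest in Ngaba, 3rd self-immolation this week #tibet #freetibet"},
    {"user": "human_2", "followers": 1200, "following": 800,
     "text": "Thread on Kalachakra-linked spearphishing targeting Tibetan NGOs #tibet"},
    {"user": "bot_e", "followers": 0, "following": 2,
     "text": "Visit Lhasa today #tibet #travel http://t.co/x3"},
    {"user": "human_3", "followers": 55, "following": 80,
     "text": "RT @human_1: Monks protest in Ngaba ... #tibet"},
]

URL_RE = re.compile(r"https?://\S+")
TAG_RE = re.compile(r"[#@]\w+")
NONWORD_RE = re.compile(r"[^a-z0-9 ]")
HASHTAG_RE = re.compile(r"#\w+")


def normalize(text):
    """Strip URLs, hashtags, mentions and punctuation so reposts collapse together."""
    t = URL_RE.sub(" ", text.lower())
    t = TAG_RE.sub(" ", t)
    t = NONWORD_RE.sub("", t)
    return " ".join(t.split())


def is_thin_account(tweet, max_followers=1, max_following=5):
    """Krebs's observation: zero-ish followers and very few followings."""
    return tweet["followers"] <= max_followers and tweet["following"] <= max_following


def hashtag_flood_report(tweets, hashtag, min_cluster=3, thin_share_threshold=0.5):
    """Summarise how much of a hashtag's traffic is thin accounts posting duplicates."""
    tag = hashtag.lower()
    hits = [t for t in tweets
            if tag in {h.lower() for h in HASHTAG_RE.findall(t["text"])}]
    if not hits:
        return {"tweets": 0, "thin_share": 0.0, "clusters": [],
                "flooded": False, "report_accounts": []}
    thin = [t for t in hits if is_thin_account(t)]
    ranked = Counter(normalize(t["text"]) for t in hits).most_common()
    dup_texts = {text for text, n in ranked if n >= 2}
    # Accounts worth reporting: thin accounts taking part in a duplicate cluster.
    report_accounts = sorted({t["user"] for t in thin if normalize(t["text"]) in dup_texts})
    thin_share = len(thin) / len(hits)
    return {
        "tweets": len(hits),
        "thin_share": thin_share,
        "clusters": [(text, n) for text, n in ranked if n >= 2],
        "flooded": thin_share >= thin_share_threshold and ranked[0][1] >= min_cluster,
        "report_accounts": report_accounts,
    }


if __name__ == "__main__":
    for tag in ("#tibet", "#freetibet"):
        print(tag, hashtag_flood_report(SAMPLE_TWEETS, tag))
```

Both conditions are required before a hashtag is called flooded: a burst of genuine retweets also produces duplicate text, and a single thin account is not a campaign. The account list is the artefact you would hand to the platform's abuse team, as Krebs describes doing.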
