Chinese spears attack Tibetan activists

News by Dan Raywood

A range of spearphishing attacks against Tibetan organisations have been detected.

According to research from security information and event management (SIEM) vendor AlienVault, the attacks are coming from China and signal a serious escalation into cyberwar from the 'cold war' that has existed between the two countries since the occupation by the Chinese army in 1950.

The company said the attacks were aimed at Tibetan activist organisations, including the Central Tibetan Administration and the International Campaign for Tibet.

It believes the attacks originate from the same group of Chinese hackers that launched the 'Nitro' attacks against chemical and defence companies late last year, and that their aim is to spy on these organisations and steal sensitive information about their activities and supporters.

The attack began with a spearphishing email about the Tibetan religious festival 'Kalachakra Initiation'. Its Microsoft Word (.doc) attachment exploited a known, already patched Office vulnerability to drop the malware. Further analysis identified the malware as a variant of Gh0st RAT, a remote-access Trojan whose capabilities range from stealing documents to switching on the victim's microphone.

Gh0st RAT was also a primary tool in last year's Nitro attacks, and the variant AlienVault uncovered in these attacks appears to come from the same actors.

The malware was digitally signed so that it would appear legitimate; VeriSign revoked the certificate on 12 December 2011. Revocation only protects machines that actually check a certificate's status before trusting the signature, so a valid-looking signature on its own is not evidence that a binary is safe.

Jaime Blasco, head of labs at AlienVault, said: "The spearphishing emails aren't that sophisticated and feature a Microsoft .doc attachment that exploits a known Office stack overflow vulnerability dating back to last September, which has since been patched by Microsoft."

He also said that the attack uses command-and-control servers that let the criminals take remote control of infected machines and change the structure and purpose of the malware code remotely.

This lets the attacker adapt the infection in response to changing circumstances, such as anti-virus updates. A VirusTotal scan at the time of the attacks showed that, thanks to these obfuscation steps, the sample was detected by just two anti-virus engines.
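Because host-based anti-virus missed the sample almost entirely, a practitioner would want a second, network-level check on the Gh0st RAT command-and-control traffic described above. The following is an added example, not code from AlienVault or from the article: a parser for the Gh0st RAT framing used by the public source (a 5-byte tag, a little-endian total length, a little-endian uncompressed length, then a zlib-compressed payload), run over constructed sample packets. It also accepts a renamed tag when the length fields and the zlib stream are internally consistent, because forks routinely change the tag and a rule that matches only on the literal string "Gh0st" misses them. The sample packets and the variant tag value are constructed for illustration, not captured from this campaign.

```python
import struct
import zlib

# Wire format of the public Gh0st RAT source: 5-byte tag, uint32 LE total
# packet length (header included), uint32 LE uncompressed payload length,
# then the payload as a zlib stream.
DEFAULT_MAGIC = b"Gh0st"
HEADER_LEN = 13


def build_packet(payload: bytes, magic: bytes = DEFAULT_MAGIC) -> bytes:
    """Encode a payload in Gh0st framing. Used here only to construct
    test traffic; nothing in this file is a real capture."""
    assert len(magic) == 5
    compressed = zlib.compress(payload)
    header = magic + struct.pack("<II", HEADER_LEN + len(compressed), len(payload))
    return header + compressed


def parse_gh0st(data: bytes):
    """Return {'magic', 'known_magic', 'payload'} if `data` is one complete
    Gh0st-framed packet, otherwise None. A non-default tag is accepted as
    long as the length fields and the zlib stream agree, which is how
    renamed forks are still caught."""
    if len(data) < HEADER_LEN:
        return None
    magic = data[:5]
    total_len, raw_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len != len(data):
        return None  # truncated, padded, or not Gh0st at all
    body = data[HEADER_LEN:]
    # zlib streams produced by the reference code start with CMF byte 0x78
    # (deflate, 32 KiB window); checking it first avoids inflating every flow.
    if len(body) < 2 or body[0] != 0x78:
        return None
    try:
        payload = zlib.decompress(body)
    except zlib.error:
        return None
    if len(payload) != raw_len:
        return None  # declared uncompressed length must match reality
    return {"magic": magic, "known_magic": magic == DEFAULT_MAGIC, "payload": payload}


def classify(data: bytes) -> str:
    """Verdict for one packet: 'gh0st', 'gh0st-variant' or 'benign'."""
    parsed = parse_gh0st(data)
    if parsed is None:
        return "benign"
    return "gh0st" if parsed["known_magic"] else "gh0st-variant"


# Constructed sample flows (illustrative, not captured traffic). The
# renamed tag b"LURK0" stands in for whatever tag a given fork uses.
BEACON = b"beacon:host=victim-pc"
SAMPLE_FLOWS = [
    ("beacon-default-tag", build_packet(BEACON)),
    ("beacon-renamed-tag", build_packet(BEACON, magic=b"LURK0")),
    ("truncated-beacon", build_packet(BEACON)[:-4]),
    ("plain-http", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("bad-body", b"Gh0st" + struct.pack("<II", 17, 0) + b"junk"),
]


def scan_flows(flows):
    """Classify each (name, bytes) pair and return the verdicts."""
    return [(name, classify(data)) for name, data in flows]


if __name__ == "__main__":
    for name, verdict in scan_flows(SAMPLE_FLOWS):
        print(f"{name:20s} {verdict}")
```

This handles one complete packet at a time; a sensor sitting on a TCP stream would reassemble the stream and walk it using the total-length field. The structural check is deliberately stricter than a string match: a renamed tag alone is not enough, the two length fields and the inflated payload all have to agree, which keeps false positives low on arbitrary binary traffic.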

The company previously detected Chinese attacks against US government agencies, including the US Department of Defense, that used a new strain of the Sykipot malware to compromise smartcards.

