The attacks on mailing lists and online forums contain information related to recent events in Tibet and may appear to come from a trusted person or organization.
A shadow war against organizations supporting Tibetan protesters has erupted in cyberspace, mirroring efforts by Chinese authorities to quell unrest in the Tibet.
"Somebody is trying to use pro-Tibet themed e-mails to infect computers of the members of pro-Tibet groups to spy on their actions," said Mikko H. Hypponen, chief research officer at F-Secure, in a blog post on Friday. "And this is not an isolated incident. Far from it."
The cyberattack involves sending e-mail messages to mailing lists, online forums, and people known to be affiliated with pro-Tibet groups. To enhance their legitimacy, the messages contain information related to recent events in Tibet and may appear to come from a trusted person or organization.
But the content is simply bait, a social engineering con, to get recipients to open the documents and trigger an exploit. "The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe," explains Hypponen. "This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks."
Efforts by Chinese authorities to contain protests in Tibet and limit media access to the country have been widely reported. Reporters Without Borders on Thursday said it had identified more than 40 serious violations of the rights of foreign journalists in Tibet and China since March10. And access to YouTube and mainstream media sites like the BBC, CNN, and Yahoo also has been restricted.
But there's no direct proof that anti-Tibetan cyberattacks are being directed by Chinese authorities.
"These attacks are sophisticated," said Greg Walton, who provides IT support for Tibetans and researches Chinese computer espionage at the University of Sunderland in the United Kingdom. "We can only speculate where they're coming from. We can say the control servers are based in China. But these servers can just be stepping stones."
"Anything coming from China is not necessarily coming from the Chinese," said Marcus Sachs, director of the SANS Institute Internet Storm Center. "It could be coming from literally anyone from the planet."
Maarten Van Horenbeeck, a security researcher and SANS Institute Internet Storm Center handler, said in a Storm Center post Friday that politically motivated attacks have been reported at least since 2002 and that other communities and groups have been targeted, including Falun Gong and the Uyghurs.
"The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community," Horenbeeck said. "In some cases, messages have also been distributed to mailing lists. These messages, however, contain malicious attachments."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.