The attacks on mailing lists and online forums contain information related to recent events in Tibet and may appear to come from a trusted person or organization.
A shadow war against organizations supporting Tibetan protesters has erupted in cyberspace, mirroring efforts by Chinese authorities to quell unrest in the Tibet.
"Somebody is trying to use pro-Tibet themed e-mails to infect computers of the members of pro-Tibet groups to spy on their actions," said Mikko H. Hypponen, chief research officer at F-Secure, in a blog post on Friday. "And this is not an isolated incident. Far from it."
The cyberattack involves sending e-mail messages to mailing lists, online forums, and people known to be affiliated with pro-Tibet groups. To enhance their legitimacy, the messages contain information related to recent events in Tibet and may appear to come from a trusted person or organization.
But the content is simply bait, a social engineering con, to get recipients to open the documents and trigger an exploit. "The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe," explains Hypponen. "This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks."
Efforts by Chinese authorities to contain protests in Tibet and limit media access to the country have been widely reported. Reporters Without Borders on Thursday said it had identified more than 40 serious violations of the rights of foreign journalists in Tibet and China since March10. And access to YouTube and mainstream media sites like the BBC, CNN, and Yahoo also has been restricted.
But there's no direct proof that anti-Tibetan cyberattacks are being directed by Chinese authorities.
"These attacks are sophisticated," said Greg Walton, who provides IT support for Tibetans and researches Chinese computer espionage at the University of Sunderland in the United Kingdom. "We can only speculate where they're coming from. We can say the control servers are based in China. But these servers can just be stepping stones."
"Anything coming from China is not necessarily coming from the Chinese," said Marcus Sachs, director of the SANS Institute Internet Storm Center. "It could be coming from literally anyone from the planet."
Maarten Van Horenbeeck, a security researcher and SANS Institute Internet Storm Center handler, said in a Storm Center post Friday that politically motivated attacks have been reported at least since 2002 and that other communities and groups have been targeted, including Falun Gong and the Uyghurs.
"The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community," Horenbeeck said. "In some cases, messages have also been distributed to mailing lists. These messages, however, contain malicious attachments."
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.