The attacks on mailing lists and online forums contain information related to recent events in Tibet and may appear to come from a trusted person or organization.
A shadow war against organizations supporting Tibetan protesters has erupted in cyberspace, mirroring efforts by Chinese authorities to quell unrest in the Tibet.
"Somebody is trying to use pro-Tibet themed e-mails to infect computers of the members of pro-Tibet groups to spy on their actions," said Mikko H. Hypponen, chief research officer at F-Secure, in a blog post on Friday. "And this is not an isolated incident. Far from it."
The cyberattack involves sending e-mail messages to mailing lists, online forums, and people known to be affiliated with pro-Tibet groups. To enhance their legitimacy, the messages contain information related to recent events in Tibet and may appear to come from a trusted person or organization.
But the content is simply bait, a social engineering con, to get recipients to open the documents and trigger an exploit. "The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe," explains Hypponen. "This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks."
Efforts by Chinese authorities to contain protests in Tibet and limit media access to the country have been widely reported. Reporters Without Borders on Thursday said it had identified more than 40 serious violations of the rights of foreign journalists in Tibet and China since March10. And access to YouTube and mainstream media sites like the BBC, CNN, and Yahoo also has been restricted.
But there's no direct proof that anti-Tibetan cyberattacks are being directed by Chinese authorities.
"These attacks are sophisticated," said Greg Walton, who provides IT support for Tibetans and researches Chinese computer espionage at the University of Sunderland in the United Kingdom. "We can only speculate where they're coming from. We can say the control servers are based in China. But these servers can just be stepping stones."
"Anything coming from China is not necessarily coming from the Chinese," said Marcus Sachs, director of the SANS Institute Internet Storm Center. "It could be coming from literally anyone from the planet."
Maarten Van Horenbeeck, a security researcher and SANS Institute Internet Storm Center handler, said in a Storm Center post Friday that politically motivated attacks have been reported at least since 2002 and that other communities and groups have been targeted, including Falun Gong and the Uyghurs.
"The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community," Horenbeeck said. "In some cases, messages have also been distributed to mailing lists. These messages, however, contain malicious attachments."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.