Monday, March 24, 2008

Targeted attacks against Pro-Tibet groups.

"Somebody is trying to use pro-Tibet themed e-mails to infect computers of the members of pro-Tibet groups to spy on their actions. This cyberattack involves sending e-mail messages to mailing lists, online forums, and people known to be affiliated with pro-Tibet groups. To enhance their legitimacy, the messages contain information related to recent events in Tibet and may appear to come from a trusted person or organization. But the content is simply bait, a social engineering con, to get recipients to open the documents and trigger an exploit. The exploit silently runs a keylogger that collects and sends everything typed on the affected machine to a server running at And is a Chinese DNS-bouncer system that, while not rogue by itself, has been used in various targeted attacks. The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as While these services in themselves are not malicious, they are heavily used in these specific attacks.

Efforts by Chinese authorities to contain protests in Tibet and limit media access to the country have been widely reported. Reporters Without Borders on Thursday said it had identified more than 40 serious violations of the rights of foreign journalists in Tibet and China since March. And access to YouTube and mainstream media sites like the BBC, CNN, and Yahoo has also been restricted.

But there's no direct proof that anti-Tibetan cyberattacks are being directed by Chinese authorities. The cyberattacks directed at Tibetan organizations are similarly the actions of Chinese hackers motivated by nationalism, without national direction.

The massive cyberattack on Estonia last year, in response to Estonia's decision to move a Russian war memorial, presents an analogous situation.

It seems that situations like this are becoming a trend ... another example of a targeted malware attack."
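The quoted article describes control servers reached through dynamic DNS host names, which is something a defender can look for in resolver logs. The following is an added example, not code from the original post or from the quoted article: it parses a constructed resolver log, flags queries whose name falls under an assumed watchlist of dynamic-DNS suffixes (placeholders, since the real names are not reproduced on the page) and answers that land in assumed watched netblocks, and grades each hit. The log format, suffixes and netblocks are all assumptions.

```python
import ipaddress
import re

# Constructed watchlists (placeholders): the dynamic-DNS provider and the
# netblocks hosting the control servers in the article are not named here.
DYNAMIC_DNS_SUFFIXES = ("dyndns-example.invalid", "dns-bouncer-example.invalid")
WATCHED_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed resolver log format: timestamp, querying host, name, answered A record.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+) answer=(?P<ip>\S+)$"
)

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
2008-03-24T09:58:10 host=ws-17 query=mail.corp.example answer=10.0.0.5
2008-03-24T10:01:02 host=ws-17 query=update.dyndns-example.invalid answer=203.0.113.44
2008-03-24T10:02:15 host=ws-22 query=news.example.org answer=192.0.2.80
2008-03-24T10:03:40 host=ws-22 query=cdn.example.net answer=198.51.100.9
2008-03-24T10:05:07 host=ws-31 query=photos.dyndns-example.invalid answer=10.3.3.3
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_dynamic_dns(qname):
    """True if the name is, or sits under, a watched dynamic-DNS suffix.

    The label boundary check stops 'notdyndns-example.invalid' from matching.
    """
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def in_watched_netblock(ip):
    """True if the answered address falls inside a watched netblock."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in WATCHED_NETBLOCKS)


def classify(record):
    """'high' when both indicators fire, 'medium' for one, None for neither."""
    dyn = is_dynamic_dns(record["qname"])
    blk = in_watched_netblock(record["ip"])
    if dyn and blk:
        return "high"
    if dyn or blk:
        return "medium"
    return None


def analyse(lines):
    """Walk log lines in order and return the flagged records with a severity."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input rather than crash the sweep
        severity = classify(rec)
        if severity:
            findings.append(dict(rec, severity=severity))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["ts"], f["host"], f["qname"], "->", f["ip"])
```

Dynamic-DNS use is common and legitimate on its own, as the article notes, so a single-indicator hit is graded medium and is best reviewed together with the host's recent mail attachments rather than blocked outright; the high grade is reserved for a dynamic-DNS name that also resolves into a watched netblock.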

Eddy at the CSO Summit in Moscow