Earlier today I received my first-ever bona fide piece of fake-Tibetan malware, which appears to have originated in China.
Perhaps my name is on some list somewhere of journalists who've covered stories related to the Tibetan human rights movement.
Screengrab at left, and click for larger size which shows the message in entirety.
Also on this same day, I received an interesting update from Greg Walton, a SecDev Fellow at the Citizen Lab at the University of Toronto who also edits the Infowar Monitor.
He's currently in Hong Kong doing pro bono work for the advocacy group Human Rights in China, briefing them on security issues and monitoring systems during a sensitive time — the Olympics, recent unrest in Tibetan and Uighur regions, and other factors.
Greg has been observing some interesting, troubling malware and internet-attack trends of late, related to the Tibetan independence movement.
He tells Boing Boing:
Later today I head to Dharamsala, India to work with the Dalai Lama's I.T. staff. Both HRIC and the Tibetans have been subjected to sophisticated targeted malware attacks via email attachments on an industrial scale, particularly this year. Attacks on the Tibetans spiked during the uprising in March (increases of 300%) and Chinese human rights NGOs have witnessed an increase in the run up to the Olympics. We've also seen defacements of websites and the injection of malicious code into Tibet.com and press freedom organisation ,Reporters sans frontières web assets in the last few days.
To give you a sense of my client's day-to-day struggle with targeted attacks, I'd like to relate the details of the case I'm investigating today.
Yesterday, at 1000hrs GMT, Human Rights in China released an important press release including an open letter from Beijing house church activist Hua Huiqi (åŽæƒ 棋) concerning his abduction and intimidation because he wanted to attend the same church service that the Chinese government invited U.S. President George Bush and his family to attend.At 0150 GMT – 16 hours later – the following morning, a hacker circulated a slightly altered version of the press release to C-POL [an elite polsci listserver where China-watchers hang out) with a MS Word document attached, the Word document was in fact a trojan, that I identified as Trojan-Dropper.MSWord.Agent.cn [according to FSecure's database].
HRIC contacted SANS researcher, Maarten Van Horenbeeck who promptly analysed the trojan to identify the control server. Maarten found that the sample will drops a trojan that connects to the following control servers: 60.250.139.52, 210.177.225.209 and 58.147.1.42, all using HTTPS.
Although we have found that in 70% of the cases the control server is located in mainland China, in this case the first server was based in Taiwan (Chunghwa Telecom), whereas the second and third were in Hong Kong and Thailand respectively. The last server, hosted in Thailand was also used in previous attacks.
To date, we've kept these attacks to ourselves, but we'd now like to raise awareness about them in the wider Internet community – hence sharing this with Boing Boing.
If you have any information that you think might help our investigations – we'd be very happy to hear from you. If you or your organisation find yourself under attack in this manner, plese get in touch. More updates to follow.
Meanwhile, I'm coordinating monitoring of the Russia-Georgia cyberwar for IWMP. We have tech experts at the Citizen Lab verifying reports of DoS attacks and our research partners on the ground in the region are sending us hourly reports.
(Thanks, Oxblood)
Related: Do official Beijing 2008 Olympics screensavers contain malware?
