March 24, 2008
By SHAUN WATERMAN
UPI Homeland and National Security Editor
http://www.upi.com/International_Security/Emerging_Threats/Analysis/2008/03/24/analysis_cyberattacks_on_tibet_groups/9260/


  WASHINGTON, March 24 (UPI) -- Malicious e-mail and other cyberattacks
  on Tibet advocacy groups in the United States are linked to Internet
  servers used in past hacker intrusions traced by U.S. law enforcement
  to China.

  The link, made by security experts on the basis of publicly available
  data, is the first direct evidence the recently intensified attacks
  against the Tibet groups, reported by United Press International a
  week ago, were launched from China. But it remains unclear to what
  extent -- if any -- the Chinese government or military is implicated.

  The news follows charges last week from the Save Darfur Coalition, a
  group opposing Chinese policy in Darfur, they had been the target of
  intrusion attempts "which appeared to originate in China and seemed
  intent on subversively monitoring, probing and disrupting coalition
  activities."

  The recent cyberattacks on several Tibet groups were analyzed by a
  security researcher for the SANS Internet security organization,
  Maarten Van Horenbeeck, who followed cyberattacks against Tibet
  organizations, and advocates for other Chinese ethnic groups such as
  the Uighurs, for many years.

  Van Horenbeeck told United Press International that the attacks used
  e-mails purporting to come from known associates of the victims with
  attachments containing malicious code -- so-called Trojan horse
  software -- that stole e-mail and contact data, passwords and other
  information and covertly sent it on the Internet to special command
  servers. One domain address that came up as the destination for data
  stolen from supporters of the Students for a Free Tibet group was
  familiar to him. Cvnxus.8800.org has been used by hackers "again and
  again" over the years, he said.

  Since earlier this month, the domain has been "moving around," he
  said. But until March 8, it was based on a server previously
  identified by the FBI as the source for an e-mail attack aimed at U.S.
  defense contractors launched in August last year, according to a
  report from the Air Force Association.

  The link, though a narrow one, is significant because of the
  well-acknowledged difficulty of attributing cyberattacks. Hackers can
  take control of computers, or even whole servers, without the
  knowledge of their owners and use them to launch attacks.

  China has some of the world's tightest government restrictions on the
  use of the Internet, which makes many observers skeptical hacker gangs
  could operate from within China without government approval or
  acquiescence.

  The attacks against the Tibet groups were "very professional and
  well-coordinated," Van Horenbeeck said, though he said no definitive
  evidence linked the Chinese government to the attacks.

  Some of the e-mails used highly sophisticated "social engineering
  techniques" to trick their victims into opening the attachment, he
  said.

  Rather than just faking the e-mail address of an associate as the
  sender of a general message, these e-mails would refer to discussions
  that the intended victim had conducted with that associate on open
  Internet bulletin boards or e-mail lists, Van Horenbeeck said,
  suggesting the hackers had done a great deal of research on individual
  targets.

  "These were very sophisticated," he said, adding that unlike
  conventional hacker attacks, these were not aimed at defacing the
  group's Web site or driving it offline with a series of crude
  denial-of-service bombardments. "These attacks were designed to steal
  data," he said.

  He said they might also be designed to "disrupt (the groups')
  operations by making people wary of using their e-mail, which is a
  vital tool for their coordination."

  Some of the attacks did seem designed to undermine trust in e-mail.
  Last week a security professional working with one group posted a
  message to a Tibet discussion list warning people to expect an
  increase in e-mail and other attacks. The following day hackers sent
  another message, faked to look as if it came from the same address,
  containing a security document as a Word attachment. The attachment
  contained a Trojan horse malware package, Van Horenbeeck said.

  Similarly sophisticated social engineering techniques were noted by
  security researchers at MessageLabs last month in e-mail malware sent
  to members of an Olympic committee.

  "These are otherwise perfectly valid documents," Maksym Shipka, senior
  architect at MessageLabs, told SCMagazine, an IT security trade
  publication. "It's real information. It's a continuation of actual
  email conversations. Yet the document is bad."

  Shipka said the e-mail was so convincing that recipients forwarded it
  to other members of the committee.

  The Trojans and other malicious software used in the Tibet attacks are
  similar to those used in attacks against the unclassified computer
  networks of U.S. defense contractors, the Department of Energy's
  nuclear labs and other sensitive government agencies, but experts
  caution against reading too much into this, saying that the software
  is easily available on hacker Web sites.