EXCLUSIVE: As part of the Cyber Repression Series, TechWeek reveals campaign to spy on spiritual activists and military bodies
Cyber Repression: Zero-day malware has been seen targeting a wide range of groups in and around China, including activists supporting the Falun Dafa movement and military bodies in neighbouring nations, TechWeekEurope can exclusively reveal.
The ongoing campaign appears to have lasted at least a year, and users and organisations based in the Philippines and Vietnam have also been targeted, according to data handed to TechWeek by security company AlienVault Labs. Based on the choice of targets, the company believes Chinese hackers are behind the attacks.
Attackers delivered remote access tools (RATs) and password stealers to supporters of the Falun Dafa (also called Falun Gong) spiritual movement and to military bodies via spear-phishing emails.
One of those payloads altered its behaviour if it detected any of a number of anti-virus products, including Kaspersky, Trend Micro and McAfee, as well as products popular in Asia such as JiangMin, Tencent and Kingsoft. Checking for installed security software and changing course when it is present is a common evasion technique, intended to keep the malware from triggering detection or analysis.
AlienVault also spotted previously unseen malware, which the company describes as a zero-day threat. It specifically sought to steal Outlook login credentials and read email contents. No anti-virus product detected it at the time, AlienVault said.
As soon as a victim opened the malicious attachment, vulnerabilities in Microsoft Word were exploited, and the embedded payload was decrypted and then executed.
One of the spear-phishing emails, sent to Falun Dafa practitioners, claimed to come from fellow members of the movement asking for help. “We are Falun Gong/Dafa (you may hear about it, it is our religion) practicers [sic], persecuted by the Chinese government,” the email read.
“Our computers and mail systems are attacked by them everyday. They want to find out who are practicing Dafa, what we are going to do next, and so on.”
Members of the Falun Dafa spiritual movement, which is outlawed in China, have faced much online persecution in recent years. Back in 2011, a military documentary programme titled “Military Technology: Internet Storm is Coming” accidentally showed that IP addresses belonging to groups associated with the Falun Dafa were being targeted. The video footage was quickly removed.
Now Falun Dafa members are being targeted by the same group that appears to be going after military secrets. Jaime Blasco, who heads up the AlienVault team, said other minorities in China were being hit, but did not go into further detail.
“We have seen similar behaviour in attacks against Tibetans,” Blasco told TechWeek. “Based on the data I see on a daily basis, the number of attacks against activists has been increasing in the last few years.”
Another of the spear-phishing emails, dated 16 May 2013, refers to a helicopter crash in the province of Northern Samar in the Philippines, and is addressed to workers at Col Jesus Villamor Air Base in Pasay City, the headquarters of the Philippine Air Force.
Earlier that month, the mayor of the San Roque municipality in Northern Samar had died in a helicopter crash on election day for the district. The attackers clearly move quickly to exploit recent events in their attempts to ensnare their targets.
“We have seen other attacks in the past where common command and control (C&C) infrastructure was being used to compromise both activists and Western companies, whether in the military industry or in other industries such as energy, engineering,” Blasco added.
Having examined the C&C IP addresses, the domain names used by the attackers, the shellcode inside the exploits and various pieces of metadata, AlienVault concluded that the attackers are operating out of China.
The Chinese Embassy in London had not responded to a request for comment at the time of publication.
“I doubt China are any better or worse than most other large governments in surveillance and active defence – the PRISM case has clearly shown this to be the case. China have done less to hide their activities, frankly,” said Jason Steer, EMEA product manager at security firm FireEye, which has been tracking activist attacks in recent years.
Fingers have often been pointed at China when such cyber strikes occur. In June, Kaspersky uncovered a massive cyber surveillance operation that appeared to be coming out of China, and Tibetan activists were one of the many targets. Android malware was seen targeting Tibetans earlier this year and again China was the chief suspect.
Recent cases have shown how activists are often hacked by the same group hitting government bodies.
Operation Hangover, recently detailed by security company Norman Shark, showed how attackers’ infrastructure, which appeared to be based out of India, was used to harvest data of various Pakistan government organisations and activists, including the Khalistan and Nagaland movements, both secessionist groups. Mac malware that targeted an Angolan activist was also connected to the operation.
“Activists are probably not prepared yet – there remains across all businesses a mindset that existing tools and processes are sufficient – but as we see daily – the products used are insufficient against true zero-day attacks,” Steer added.
This article forms part of TechWeek’s Cyber Repression series – learn about it here.