When Dragons Attack - Tibetan hacking

When Dragons Attack A review of recent Tibetan Cyber Attacks and the Ubuntu option 24th April 2008 peter@ironcove.net http://www.ironcove.net ironcove.net – open source security solutions

Table of Contents When Dragons Attack..........................................................................................................................1 Introduction..........................................................................................................................................3 Summary of Attacks and News Links..................................................................................................4 Overview.....................................................................................................................................4 Timeline of Tibetan targeted attacks...........................................................................................5 1.1 China implicated in Dalai Lama hack plot............................................................................5 1.2 Tibetan Historical Pictures Emails contain Malware............................................................5 1.3 Protests in Tibet, Violence follows for the next week...........................................................5 1.4 Multiple documents containing malware distributed details released...................................5 1.5 Tibetan Govt in Exile website hacked...................................................................................6 1.6 Fribet Trojan that steals database information......................................................................6 1.7 Olympic themed cartoon malware spreads malware.............................................................6 Is the Chinese Government involved in the attacks?............................................................................7 Arguments against.......................................................................................................................7 The Chinese are making a splash on the internet........................................................................8 Conclusion............................................................................................................................................9 Appendix A.........................................................................................................................................10 Ubuntu Linux ...........................................................................................................................10 Open Office ..............................................................................................................................10 Firefox ......................................................................................................................................10 ironcove.net – open source security solutions

Introduction The aim of this paper is to review recent Cyber Attacks against ProTibetan groups and to make the reader aware of alernative software options that would provide a more secure operating environment for these groups and individuals. Over the past few years a number of attacks have taken place against various protibetan organistaions and while there is significant circumstantial evidence that these attacks may have origins in the Chinese government it is also possible it is the work of various chinese hacking groups who have nationalist tendancies. With significant end user training and ongoing systems support most operating systems can be made relatively secure, however this is not a realistic prospect for many groups and individuals around the world. It is my recommendation that Ubuntu Linux having just been released in a new version (8.04) is a solid and secure alternative desktop environment that should be promoted and utilized amougnst ngo's and nonprofits to avoid many of these attacks. All of the currently listed attacks in the timeline of attacks against ProTibetan groups and supporters would have had no effect on an Ubuntu Linux Desktop system. ironcove.net – open source security solutions

Summary of Attacks and News Links Overview There has been significant news coverage of a number of attacks against ProTibetan groups, individuals and supporters. While the Tibetan issue has been topical in the media recently with the Beijing Olympics and the recent torch relay debacle, these attacks are remarkable in how focused and professional they have been. This is not the work of a couple of script kiddies, these are highly skilled and well researched attackers who's main motivation seems to be intelligence gathering rather than disruption of service. Sharon Hom, executive director of the New Yorkbased Human Rights in China, said the group's 25 staff members have reported a marked upswing in the number and sophistication of email virus attacks. In 2006, the group intercepted just two targeted email attacks, and by the end of last year that number had grown to 40. In the first three months of 2008, the group has received more than 100 such targeted attacks. quot;The fact that we're being attacked with the same resources thrown at multibillion defense contractors is flattering,quot; said Lhadon Tethong, executive director of Students for a Free Tibet. quot;It shows that we really are an effective thorn in the side of a repressive regime.quot; http://www.washingtonpost.com/wpdyn/content/article/2008/03/21/AR2008032102605.html These attacks have been going on for months, but appear to have grown in intensity in recent days. Alison Reynolds of the International Tibet Support Network told me, quot;There are surges of activity which coincide with our busiest campaign periods and obviously now we are seeing a lot of attacks.quot; http://www.bbc.co.uk/blogs/technology/2008/03/tibet_the_cyber_wars.html quot;We are seeing more and more spying done with Trojans, a shift that has happened in the last two years,quot; Mikko Hyppönen, the chief research officer for software security vendor F Secure, told RSA conference attendees Thursday morning. http://www.wired.com/politics/security/news/2008/04/chinese_hackers ironcove.net – open source security solutions

Timeline of Tibetan targeted attacks Date Attack Type 1.1 Sept 2002 China implicated in Dalai Lama hack plot 1.2 6th March 2008 Tibetan Historical Pictures Emails contain Malware 1.3 10th March 2008 Protests in Tibet, Violence follows for the next week 1.4 21st March 2008 Multiple documents containing malware distributed details released 1.5 10th April 2008 Tibetan Govt. in Exile Web Site Hacked (tibet.net) 1.6 13th April 2008 Fribet Trojan that steals database information 1.7 14th April 2008 Olympic themed cartoon malware spreads malware 1.1 China implicated in Dalai Lama hack plot As far back as 2002 Computer administrators for the Tibetan Computer Resource Centre have reported that computer attacks using virus laden emails have been attempted that send information and documents to servers in China. The Centre runs Internet Services for the Tibetan Government in exile in Dharmsala, India. http://www.securityfocus.com/news/884 1.2 Tibetan Historical Pictures Emails contain Malware Early in March of 2008 reports emerged of a Malware infected Microsoft helpfile attachment that contained historical Tibetan images. The malicious CHM attachment was spammed out in a targeted attack against Tibetan supporters. http://www.sophos.com/security/blog/2008/03/1136.html http://www.avertlabs.com/research/blog/index.php/2008/03/11/socialengineeringtricksusetibettolurevictims/ 1.3 Protests in Tibet, Violence follows for the next week On Monday, March 10 Five Hundred monks from Drepund monastery march to Lhasa to mark the 49th anniversery of a quashed rebellion against communist rule. Further protests, rioting and viloence follows. http://www.reuters.com/article/latestCrisis/idUSSP306110 1.4 Multiple documents containing malware distributed details released ProTibetan groups are targeted by malware infected documents, in the form of email attachments, mailing list posts and forums. Some are targeted at individuals in the Tibetan movement. The emails are carefully crafted and use a high level of Social Engineering to trick even careful computer users into opening the attachments and becoming infected. The malware is highly customized and not picked up by most antivirus scanning software. http://www.theregister.co.uk/2008/03/22/pro_tibetan_groups_targeted/ http://www.fsecure.com/weblog/archives/00001406.html http://isc.sans.org/diary.html?storyid=4177 http://www.nonprofittechblog.org/protibetnonprofitundercyberattack ironcove.net – open source security solutions

To investigate, it's necessary to find out which commands were submitted (to the trojan). So far, we have uncovered attacks that specifically searched the file system for Word documents, email contents and, most interestingly PGP keyrings http://isc.sans.org/diary.html?storyid=4176 1.5 Tibetan Govt in Exile website hacked The official web site of the Tibetan Government in exile was attacked and taken down. The method of attack is unclear at this time. Another domain and server was used to reinstate the site. quot;It is the intention of the hackers to ensure that our information do not get out,quot; Tenzin Takla, spokesman of Dalai Lama told AFP but declined to say whom he suspected. Tibet.net is currently backup and running and a message on the site states that the alternate domain that was created (www.tibetgov.net) will be used as a backup in the case of future problems. http://www.phayul.com/news/article.aspx?article=Website+of+the+Exile+Tibetan+Government+Hacked&id=20608 1.6 Fribet Trojan that steals database information Researches discovered that this trojan was placed on hacked protibet websites, so that visitors running unpatched Microsoft Operating Systems would be infected. The unique aspect of this trojan is that it would attempt to make connections to local databases and steal information contained within them. http://www.theregister.co.uk/2008/04/14/database_trojan/ http://www.avertlabs.com/research/blog/index.php/2008/04/10/friebetattackingyourbackenddatabasefromyour backyard/ quot;These websites appear to have been specifically targeted as this is not a generic Trojan downloader. Someone or some group has gone to great trouble to rewrite the exploit and personalise it to the FreeTibet.org and SaveTibet.org websites,quot; Parker said. http://www.webuser.co.uk/news/226512.html 1.7 Olympic themed cartoon malware spreads malware A multimedia cartoon file that ridiculed the efforts of a Chinese gymnast at the games was aimed at the ProTibetan internet community. This was an attempt at creating a trojan that would be passed around infecting members of the Tibetan community and its supporters. While the Flashbased movie runs, a keystroke logging tool is silently installed on the victim's Windows PC. The malware is hidden by rootkit functionality, making it harder to detect and remove. The malicious cartoon is distributed as an email attachment called quot;RaceForTibet.exequot;. Data captured by the keystroke logger is sent to a computer in China. As usual, the threat affects Windows PCs only. http://www.theregister.co.uk/2008/04/15/pro_tibet_trojan/ http://www.avertlabs.com/research/blog/index.php/2008/04/14/ismalwarewritingthenextolympicevent ironcove.net – open source security solutions

Is the Chinese Government involved in the attacks? So was it the Chinese Government? This is the question everyone wants the answer too and noone can really say definitively. It is well known that China has been developing a comprehensive cyber warfare capability. They certainly have the resources and the expertise, an article from the Taipai Times 26th of June 2002 put the number of Chinese hackers at 300'000. We can only presume the government would have agents and / or assets within the hacker community that they can call on when required at the very least. The Trojans and other malicious software used in the Tibet attacks are similar to those used in attacks against the unclassified computer networks of U.S. defense contractors, the Department of Energy's nuclear labs and other sensitive government agencies, but experts caution against reading too much into this, saying that the software is easily available on hacker Web sites. http://www.upi.com/International_Security/Emerging_Threats/Analysis/2008/03/24/analysis_cyberattacks_on_ tibet_groups/9260/ http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm Arguments against Comprehensive information on the Chinese Hacker scene can be found in the book the “Dark Visitor”, the book is well researched and provides a thorough analysis of the Chinese hacker scene over the past 12 years. Ongoing political hacking from China is documented and referenced, including attacks against Government and Corporate systems in Indonesia, Korea, Japan and the United States. A clear line is drawn to the fact that the majority of known Chinese hacking groups are very nationalistic and seemingly launch attacks at will against anyone that seems to be anti chinese and topical in the media. http://www.lulu.com/content/1345238 This indicates that perhaps independent groups and individuals are behind these incidents. The motive is defending the national honour and protecting the government, this is quite normal for Chinese citizens but can be hard to grasp for the average Westerner who sees the most common motivation for Criminal Hackers as the pursuit of wealth. While their appears to be motivation and some circumstantial evidence for the attacks to have been orchestrated by the chinese government it must be remembered that Cyber Warfare can be played in the shadows. It would be a simple matter for any well resourced organization or government anywhere on the planet to be using hacked servers in China to launch these attacks thereby implicating the Chinese in these attacks. Perhaps it is the CIA launching the attacks in a bid to secure greater cyber warfare funding for the Pentagon. ironcove.net – open source security solutions

The Chinese are making a splash on the internet Additional information related to growing Chinese influence on the internet and some of the current events in the media can be found in the following articiles. Denial of service launched against CNN for coverage of Tibet violence http://edition.cnn.com/2008/TECH/04/18/cnn.websites/index.html China Blocks YouTube during Tibetan Unreset http://www.hackinthebox.org/url.php?url=26133 http://www.theregister.co.uk/2008/03/17/youtube_china/ FBI looks at Chinese role in Darfur site hack In other related news an NGO that has been critical of Chinese influence in Darfur has been attacked including web and email services. The U.S. Federal Bureau of Investigation is looking into a possible China connection in the hack of a nonprofit group created to draw attention to the ongoing genocide in western Sudan's Darfur region. The Save Darfur Coalition called in the FBI earlier this week after discovering that someone had gained unauthorized access to its email and Web server, according to Allyn Brooks LaSure, a spokesman with the group. http://computerworld.com/action/article.do? command=viewArticleBasic&taxonomyName=security&articleId=9070778&taxonomyId=17&intsrc=kc_top Angry Chinese Bloggers making waves Chinese Communist Party commentators are being recruited by various Communist state agencies in attempt to put positive Chinese spin on important political issues. They are reportedly paid half a yuan (US$0.06) per message they write. http://en.epochtimes.com/news/61110/47995.html Previous attacks against Falun Gong and other independence groups in China The following link is a presentation by Maarten Van Horenbeeck who has put together the following presentation on attacks against Falun Gong and other groups independence groups within China. Maarten works with the Sans Institute and has also reported on attacks against Tibetan Groups. http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf http://isc.sans.org/diary.html?storyid=4176 http://isc.sans.org/diary.html?storyid=4177 ironcove.net – open source security solutions

Conclusion There is no conclusive evidence that there is direct Chinese government involvement in these attacks or even that Chinese nationalist hackers are behind the incidents. However definitive conclusions can be drawn as to the motivation and highly targeted nature of the attacks. It is clear that human rights workers are under attack, both in the proTibetan cause and other organizations. With awareness that groups and individuals working for human rights and freedom are under attack more secure measures can be implemented. An easy option for securing desktops against such attacks is putting Ubuntu Linux on desktops in computer centres and offices. ironcove.net – open source security solutions

Appendix A What follows is some information on various Open Source projects that could help your organization stay secure in a hostile internet environment. Use of the following software would have eliminated the threat of all the malware based attacks covered within this paper. Ubuntu Linux The worlds fastest growing Desktop Operating System. Ideal for the Desktop or Server Ubuntu Linux is a drop in replacement for Microsoft Windows. Free yourself from the grip of the Microsoft Corporation. Ubuntu Linux is secure, stable and user friendly. Question: Isn't Linux for Hard Core geeks? He (Mark Shuttleworth) said the French police force was currently deploying 50,000 Ubuntupowered machines, while Spanish education authorities were rolling out 500,000 desktops with the OS. http://news.bbc.co.uk/1/hi/technology/7358483.stm A new version of Ubuntu Linux has been released named the quot;Hardy Heronquot;, go ahead and give it a go you will be pleasantly suprised. Note that there are options for testing Ubuntu that does not involve reloading the Operating System. You can run it straight off the live cd without affecting your Windows environment at all or the new Ubuntu has an option to install it within Windows. http://www.ubuntu.com Open Office Leading office suite similar in many ways to Microsoft Office, the difference being this is free, open and does not carry the same history of security problems that Microsoft Office does. It comes preinstalled in most Linux systems or can be downloaded and installed in Windows. http://www.openoffice.org Firefox Powerful web browser without the malware. Internet explorer is a favorite target of malware writers and spyware infections. Using the open and free Firefox will save you time through its stability and security. http://www.mozilla.org I have barely scratched the surface with these examples, one of the great things about a Linux operating system is the hundreds of free software programs and tools that you can easily install and use for free. ironcove.net – open source security solutions

When Dragons Attack - Tibetan hacking

by Iron Cove on Feb 19, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

When Dragons Attack - Tibetan hacking — Document Transcript