Accessibility links

Breaking News

Tibetan Activists Targeted By Spoof European Parliament E-Mail

Individuals active in the pro-Tibetan human rights community have been targeted by malware embedded in a European Parliament document.

A report into the incident has just been published by the Citizen Lab, a University of Toronto research group that focuses on digital media, global security, and human rights.

On June 14, the European Parliament issued a resolution calling on China to reveal the whereabouts of people who have self-immolated and also to allow access to rights monitors in the region.

Since 2009, more than 40 Tibetans have self-immolated to protest what they say are the discriminatory practices of the Chinese government. The authorities have labeled them as terrorists encouraged by the Dalai Lama and the whereabouts of some of those who survived is unknown.

A day after the European Parliament's resolution, which was criticized by China, an e-mail was sent from an account appearing to be a legitimate Tibetan organization to more than 80 Tibetan activists.

The e-mail, with a subject heading "FW: the new decision of EUROPEAN PARLIAMENT about tibetan human right in China,” contained a document purporting to be the European Parliament resolution, which was in fact a malicious .doc file.

According to the Citizen Lab, the "malware utilized in this attack is the same as that described in other reports detailing attacks with Tibet-related themes. Once the malicious code is executed, it starts to communicate with a command and control (C2) server located in Hong Kong." That could give the hackers access to the files on the victims' computers.

The text in the document wasn't, in fact, the resolution, but the European Parliament's joint motion for a resolution, which was issued two days earlier and was freely available for download as a Word document on the parliament's website.

This type of spoofing has been done before -- not just fraudulent phishing attempts but also to target activists:
A common technique used by attackers in crafting malicious e-mails is to repurpose legitimate, authentic content in order to persuade a recipient to click a link or open an attachment that launches a hidden exploit. Often such content is taken from official announcements, websites of nongovernmental organizations, or publicly-available media such as news sites, and repackaged within an e-mail that includes a malicious attachment or link. For example, malicious e-mails have circulated attaching content such as an invitation to the 2010 Nobel Peace Prize ceremony and statements made in international fora.

In March, a security vendor AlienVault released a report about attempts to install a remote access computer Trojan, which could steal information from pro-Tibetan activists' computers, via an e-mail with an infected Word document.

AlienVault believed those attacks were the work of a group of Chinese hackers who, in 2011, launched attacks against chemical companies.

A few days after the AlienVault report, hackers began spoofing AlienVault's e-mail address in a new attack. From Computer World:
Newly intercepted rogue e-mails that use spoofed headers to appear as originating from AlienVault warn recipients that Tibetan activist organizations have been targeted in recent cyberattacks.

The e-mails contain a "more information" link that leads visitors to a web page displaying a copy of AlienVault's March 13 report. However, hidden JavaScript code present on the page launches exploits a known Java vulnerability (CVE-2011-3544) in the background, Blasco said.

In the past, pro-China hackers have also used bots to suffocate discussions around Tibet-related hashtags on Twitter, by spamming them with masses of junk tweets. Similar spamming has been seen on Syria- and Russian-related hashtags during times of crisis.

The most recent European Parliament attack is disturbing, not just because of the potential of the malware to wreak havoc, but as Citizen Lab points out, it results "in a chilling effect whereby the Tibetan community is discouraged from circulating information on the resolution, which is now associated with malware."