Ongoing Attacks on Human Rights Websites and the Problem of Attribution
A number of cyber attacks took place against human rights groups this week, including Armorize’s discovery of a variant of a “drive-by-download” attack on Amnesty International’s Web site. As this Armorize blogpost explains, “A drive-by download attack refers to the process of a user visiting an infected page and subsequently gets installed with malware, without his/her knowledge and without having him/her to click on or to agree to anything.” In the case of this week’s attack on Amnesty International, a “drive-by-cache attack” (a term coined by Armorize) was launched. John Leyden of the Register explains that in drive-by-caching, “malicious scripts are used to locate the malware which is already sitting in the browser’s cache directory, and executing it. This so-called drive-by cache approach makes attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect.” (For a more eloquent and technical write-up of drive-by-caching, see the Armorize blogpost.)
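The defender-side corollary of the drive-by-cache description above is that the payload still has to sit in the browser cache, typically fetched under an innocuous Content-Type. The following added example (not code from Armorize, the Register or the original post) scans a cache directory for entries whose declared type is an image or script but whose bytes begin with an executable header; the cache index format and the sample entries are constructed for illustration.

```python
import os
import tempfile

# Standard file signatures of native executables. Anything served to a
# browser as an image or script should never start with these bytes.
EXECUTABLE_MAGIC = {
    b"MZ": "pe",        # Windows PE/DOS header
    b"\x7fELF": "elf",  # Linux ELF header
}

def sniff_executable(data: bytes):
    """Return the executable format name if the bytes carry a known header, else None."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def scan_cache(cache_dir: str, index: dict):
    """index maps a cached filename to the Content-Type the server declared.
    Flags entries whose declared type is not an application/* type but whose
    on-disk bytes are an executable, i.e. a type/content mismatch."""
    findings = []
    for name, content_type in index.items():
        with open(os.path.join(cache_dir, name), "rb") as fh:
            head = fh.read(8)
        fmt = sniff_executable(head)
        if fmt and not content_type.startswith("application/"):
            findings.append({"file": name, "declared": content_type, "actual": fmt})
    return findings

# Constructed sample cache: what a browser might hold after visiting a
# compromised page. The "photo.jpg" body is a bare PE header stub, not malware.
SAMPLE_ENTRIES = {
    "banner.gif": ("image/gif", b"GIF89a" + b"\x00" * 24),
    "jquery.js": ("text/javascript", b"(function(){})();"),
    "photo.jpg": ("image/jpeg", b"MZ\x90\x00\x03\x00" + b"\x00" * 26),
}

def build_sample_cache():
    """Write the constructed entries to a temp directory and return (dir, index)."""
    cache_dir = tempfile.mkdtemp(prefix="cache-")
    index = {}
    for name, (ctype, body) in SAMPLE_ENTRIES.items():
        with open(os.path.join(cache_dir, name), "wb") as fh:
            fh.write(body)
        index[name] = ctype
    return cache_dir, index

if __name__ == "__main__":
    d, idx = build_sample_cache()
    for f in scan_cache(d, idx):
        print(f"{f['file']}: declared {f['declared']} but holds a {f['actual']} executable")
```

A real browser cache keeps its index in a binary or SQLite format rather than a dict, so the lookup of the declared Content-Type would have to be adapted per browser.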
What is interesting is that the compromising of Web sites belonging to human rights groups as vehicles to deliver 0day exploits to visitors is a continuation of a trend that the Infowar Monitor has been actively monitoring. For example, a similar attack on visitors to Amnesty International’s Hong Kong site occurred in November 2010 (see our past Nobel Peace Prize, Amnesty HK and Malware and “0day”: Civil Society and Cyber Security blogposts on such attacks for more).
More generally, attacks launched on the Web sites of human rights groups (and independent Web sites) have become increasingly common. In fact, cyberspace saw two such attacks this week. The first was the DDoS attack launched against the Web site of the alternative news source Newsnet Scotland in the lead-up to the country’s elections; the second was the DDoS attack launched on Change.org’s Web site.
As a major online petitioning platform, Change.org has recently become known for hosting a major petition, signed by over 90,000, calling for the release of famous Chinese dissident Ai Weiwei. The DDoS attack on the site began on Monday and rendered the site inaccessible for a few hours. It has been reported that the attack has been traced to servers in China and Change.org has begun reporting that the attacks were launched by Chinese hackers.
The Chinese state is often believed to be behind attacks on human rights Web sites, as noted in our recent blog here; however, attribution of cyberattacks is an ongoing problem and difficult to make. For instance, although the attacks were traced to China, it is possible that the computers are controlled by attackers in another country. In this CIO article, Verizon points out that the recent introduction of the term “advanced persistent threat attack” (APT) (defined by Verizon as “sophisticated and highly targeted data exfiltration exercises conducted by state-sponsored agents”) has led many victims of security breaches to characterize attacks as APT, usually originating from China. Verizon argues that although “China is the source for most online attacks these days, no matter what the motivation,” it must be remembered that “the country has more than 400 million Internet users, and many of them are using computers that don’t have up-to-date patches or security software. Those PCs often get hacked and then used as stepping-stones for further attacks.” Verizon further stated that “China is like the wild west of source IP addresses that can be taken over to stage attacks.” When an attack occurs, “everybody looks at it and says, ‘Oh that’s the Chinese government.’”
The problem of state attribution was brought up once again this week when Maggie Wenzhuo Hou, a Canadian resident and Chinese dissident with protected person status, stepped up to warn against a “silent cyber war” being launched by the Chinese government. Hou stated that she was certain that the Chinese government was monitoring and blocking her communications. Some note that there is evidence that China is involved in spying on expatriates, and Hou’s own background certainly puts her in a vulnerable category. However, Ron Deibert, Director of the Citizen Lab, suggested that such a case requires caution: “There are so many people who read about issues of espionage or information-based attacks and jump immediately to the extreme conclusion.”
Indeed, accusations of China’s involvement in cyber espionage are a regular fixture in cyber news. Last week, a leaked US diplomatic cable revealed that US authorities had traced a series of breaches (in which private information was stolen from US agencies and the private sector), known as Byzantine Hades, to a unit of the country’s People’s Liberation Army.
Although attribution is difficult to make, attacks continue against the Web sites of human rights organizations and their supporters and employees, and are part of a continuing trend that has been recently documented by the Berkman Center for Internet and Society in its 2010 report on Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites.