<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; human rights</title>
	<atom:link href="http://www.infowar-monitor.net/tag/human-rights/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Nokia Siemens Networks Press Statement: Telecoms and human rights</title>
		<link>http://www.infowar-monitor.net/2011/08/nokia-siemens-networks-press-statement-telecoms-and-human-rights/</link>
		<comments>http://www.infowar-monitor.net/2011/08/nokia-siemens-networks-press-statement-telecoms-and-human-rights/#comments</comments>
		<pubDate>Tue, 23 Aug 2011 13:30:45 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Bahrain]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Nokia Siemens Networks]]></category>
		<category><![CDATA[Torture]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8714</guid>
		<description><![CDATA[<blockquote>
Source: <a title="Nokia Siemens Networks Press Statement: Telecoms and Human Rights" href="http://www.nokiasiemensnetworks.com/news-events/press-room/statements/telecoms-and-human-rights">Nokia Siemens Networks</a>
<br /><br />
An article from Bloomberg published on 23 August 2011 has linked technology, supplied by a business that was part of Nokia Siemens Networks between April 2007 and March 2009, with human rights abuses in Bahrain. The article alleges that a monitoring center was supplied by a Siemens business that subsequently became part of Nokia Siemens Networks when it was formed in 2007. Nokia Siemens Networks subsequently divested this monitoring center business in March 2009 and no longer provides this technology to any country.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Nokia Siemens Networks Press Statement: Telecoms and Human Rights" href="http://www.nokiasiemensnetworks.com/news-events/press-room/statements/telecoms-and-human-rights">Nokia Siemens Networks</a></p>
<p>An article from Bloomberg published on 23 August 2011 has linked technology, supplied by a business that was part of Nokia Siemens Networks between April 2007 and March 2009, with human rights abuses in Bahrain.</p>
<p>The article alleges that a monitoring center was supplied by a Siemens business that subsequently became part of Nokia Siemens Networks when it was formed in 2007. Nokia Siemens Networks subsequently divested this monitoring center business in March 2009 and no longer provides this technology to any country.</p>
<p>Nokia Siemens Networks is aware of allegations that monitoring centers, used around the world by virtually every government for legitimate law enforcement purposes, have been abused in some countries.</p>
<p>For the full article, see <a title="Nokia Siemens Networks Press Statement: Telecoms and Human Rights" href="http://www.nokiasiemensnetworks.com/news-events/press-room/statements/telecoms-and-human-rights">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/nokia-siemens-networks-press-statement-telecoms-and-human-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Torture in Bahrain becomes routine with help from Nokia Siemens</title>
		<link>http://www.infowar-monitor.net/2011/08/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens/</link>
		<comments>http://www.infowar-monitor.net/2011/08/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens/#comments</comments>
		<pubDate>Mon, 22 Aug 2011 13:34:46 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Bahrain]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Nokia Siemens Networks]]></category>
		<category><![CDATA[Torture]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8721</guid>
		<description><![CDATA[<blockquote>
Source: <a title="Torture in Bahrain becomes routine with help from Nokia Siemens" href="http://www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking.html">Bloomberg</a>
<br /><br />
Computers loaded with Western-made surveillance software generated the transcripts wielded in the interrogations described by Al Khanjar and scores of other detainees whose similar treatment was tracked by rights activists, Bloomberg Markets magazine reports in its October issue. The spy gear in Bahrain was sold by Siemens AG (SIE), and maintained by Nokia Siemens Networks and NSN’s divested unit, Trovicor GmbH, according to two people whose positions at the companies gave them direct knowledge of the installations. Both requested anonymity because they have signed nondisclosure agreements. The sale and maintenance contracts were also confirmed by Ben Roome, a Nokia Siemens spokesman based in Farnborough, England.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Torture in Bahrain becomes routine with help from Nokia Siemens" href="http://www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking.html">Bloomberg</a></p>
<p>The interrogation of Abdul Ghani Al Khanjar followed a pattern.</p>
<p>First, Bahraini jailers armed with stiff rubber hoses beat the 39-year-old school administrator and human rights activist in a windowless room two stories below ground in the Persian Gulf kingdom’s National Security Apparatus building. Then, they dragged him upstairs for questioning by a uniformed officer armed with another kind of weapon: transcripts of his text messages and details from personal mobile phone conversations, he says.</p>
<p>If he refused to sufficiently explain his communications, he was sent back for more beatings, says Al Khanjar, who was detained from August 2010 to February. “It was amazing,” he says of the messages they obtained. “How did they know about these?”</p>
<p>The answer: Computers loaded with Western-made surveillance software generated the transcripts wielded in the interrogations described by Al Khanjar and scores of other detainees whose similar treatment was tracked by rights activists, Bloomberg Markets magazine reports in its October issue.</p>
<p>The spy gear in Bahrain was sold by Siemens AG (SIE), and maintained by Nokia Siemens Networks and NSN’s divested unit, Trovicor GmbH, according to two people whose positions at the companies gave them direct knowledge of the installations. Both requested anonymity because they have signed nondisclosure agreements. The sale and maintenance contracts were also confirmed by Ben Roome, a Nokia Siemens spokesman based in Farnborough, England.</p>
<p>For the full article, see <a title="Torture in Bahrain becomes routine with help from Nokia Siemens" href="http://www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Targeted Tracking</title>
		<link>http://www.infowar-monitor.net/2011/07/targeted-tracking/</link>
		<comments>http://www.infowar-monitor.net/2011/07/targeted-tracking/#comments</comments>
		<pubDate>Wed, 27 Jul 2011 19:08:21 +0000</pubDate>
		<dc:creator>shardy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7729</guid>
		<description><![CDATA[Targeted malware attacks as a result of advanced persistent threats (APTs) are not new, especially for human rights organizations. One aspect of targeted malware that is becoming much more common is a greater level of research by attackers about their intended targets. While this research, in general, requires more human interaction, there are ways of [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>Targeted malware attacks as a result of <a href="http://en.wikipedia.org/wiki/Advanced_Persistent_Threat">advanced persistent threats</a> (APTs) are not new, especially for human rights organizations. One aspect of targeted malware that is becoming much more common is a greater level of research by attackers about their intended targets. While this research, in general, requires more human interaction, there are ways of automating some steps in the process of information gathering, sometimes by using the same techniques as the targeted malware itself.</p>
<p>A Tibetan human rights organization recently received an email claiming to be from a person working for the International Campaign for Tibet, sharing a link about the Dalai Lama’s recent visit to the United States. As the message was unsolicited and had a few suspicious features, the organization forwarded the email to us for analysis.</p>
</div>
<div>
<img class="aligncenter" src="https://lh3.googleusercontent.com/92G_6SVI0bwJmIxUiqiSlQPKdUptIMzgJnAjjiMfBBqhvNlT85HDPYMMHurY34qCwym7TFFdHFreCKTQcKKFhZaPLGRidFUf6ROEG03EPuuEYosqOvI" alt="" width="583px;" height="202px;" /> </div>
<div class="entry-content">
<p>
A couple of characteristics immediately stand out in the message. The first is that the sender address is suspicious: the name is misspelled, and it comes from a Yahoo webmail address. The second is that the link points to a dynamic DNS hostname, which then redirects to the actual page (on tibet.net). Dynamic DNS providers are frequently used to host malware command and control (C2) servers, so that if the IP has to change, the malware will still be able to phone home. An article on a legitimate website should not need to go through a dynamic DNS redirector with a custom ID field. Something is definitely wrong with this email. Checking the headers of the email shows that it originated from the same IP address that the dynamic DNS name points to, and did in fact go through the Yahoo email servers:</p>
</div>
<div><img class="aligncenter" src="https://lh4.googleusercontent.com/Al29XZyBvbSBqmpyB_wY3tGZ7nMyfxsDlpw3IAuRtiYrgu18Za08aUk9tSfgMht9-J3f98Y9w174WpAcrtkgCcExpnA5yPVeV7LnSkLFvPYkRE-GXYk" alt="" width="598px;" height="81px;" /><br />
The page in the link is a redirect to the legitimate site:</div>
<div>
<p><img class="aligncenter" src="https://lh6.googleusercontent.com/yphzei9He-4Smg4BM6YfWW6aRgHJ5tEYE5WV6NuIvFvR99Mbwb0q1KnjRlCc_OyrjZ1JcNzW5o_RWbPb1e5lrooINOloafMArTTPD7hapC8QNLIeVpE" alt="" width="620px;" height="79px;" /></p>
<p>Note that the ‘id’ field from the original link and the field from the actual article URL are not the same. The value in the original field is not used here, so maybe it is there for another reason? Also note the similarity between the value in the link ‘id’ field and the ‘t’ field in the DKIM-Signature header. The ‘t’ field is a timestamp, so it is a safe assumption that the ‘id’ field value was also generated by a time function.</p>
<p>In addition to the redirect, the page has a little extra something for the user who visits it. Zero-size IFrames are never a good sign:</p>
</div>
<div>
<p><img class="aligncenter" src="https://lh3.googleusercontent.com/D_q_EyQCbO9-Yog5azNZQ4N0IZzLRpvOmWlRwfUDLH3Ftw_5qRyHiPs0AVvCMdQpgoHSVO209DzDQn95Vs7PiMJhQsgK7PxnbSkPK1IbxoAXelLJzf0" alt="" width="500px;" height="79px;" /></p>
<p>The content of getinfo.php is JavaScript that profiles the user’s system, specifically looking for versions of programs frequently used in targeted Trojan attacks. In addition to gathering information about Flash, Adobe Acrobat or PDF Plugin, MS Office, and JustSystems Ichitaro, the JavaScript also collects information about the browser, browser plugins, and computer:</p>
</div>
<div style="text-align: left"><img class="aligncenter" src="https://lh4.googleusercontent.com/42QQ5xzHZeY-VPV6YKl-BF4M7IJ7iRVF_O6peDDRbOifAcMMhrW_Wk2f48Od5MJiiTOCXGnaefTiyjaRFPC21ckfMuVhhgJZHeOWafWGOONaL0qXvnU" alt="" width="548px;" height="386px;" /><br />

<p>Once the script has collected all of this information, it sends it via another PHP script:</p>
</div>
<div><img class="aligncenter" src="https://lh6.googleusercontent.com/fTLQiMcJZGTla_8wtjC5Uk_SzBNCpVogg256LRDkkhvOTl7dR1tn3th66wviXQE2IYd9F2hoPBGzsAKdmWBx4T9Elk6UPbMkvX9LWqd6zgYcOQuiMTE" alt="" width="694px;" height="59px;" /><br />

<p>
This information can be used in developing and personalizing targeted attacks. By profiling the versions of document readers and the browser version, an attacker would be able to craft a targeted attack that is almost guaranteed to succeed on the first try. The ‘id’ field in the original link can be used to connect the information back to the email address to which the link was sent. As it is very likely that the emails were generated and sent with a script, the attacker could now have a large database of targets and their vulnerabilities. It is interesting to see this sort of information gathering without any exploits; it is a sign that the attacker is more interested in stealth and long-term benefit than immediate compromise.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/targeted-tracking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flash Malware Leads to Poison Ivy RAT on Human Rights Site</title>
		<link>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/</link>
		<comments>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/#comments</comments>
		<pubDate>Wed, 13 Jul 2011 18:26:01 +0000</pubDate>
		<dc:creator>shardy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Civil Society and NGOs]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7713</guid>
		<description><![CDATA[<blockquote>
In this post we document an instance of a human rights related website being compromised and used to disseminate malware. </blockquote>]]></description>
			<content:encoded><![CDATA[<div>
<p>Human rights and civil society organizations face a growing spectrum of online threats, including Internet filtering, website defacements, denial of service attacks, and targeted malware (malicious software) attacks. Such organizations can be particularly vulnerable to these threats due to limited resources and lack of computer network security support.</p>
<p>Malware attacks in particular are becoming an increasing problem for human rights and civil society groups. Past Information Warfare Monitor research has documented targeted email-based malware attacks on human rights groups and the use of compromised organizational websites to deliver malware to site visitors (see <a href="http://www.infowar-monitor.net/2010/08/human-rights-and-malware-attacks/">Human Rights and Malware Attacks</a>, <a href="http://www.infowar-monitor.net/2009/09/targeted-malware-attack-on-foreign-correspondents-based-in-china/">Targeted Malware Attack on Foreign Correspondents based in China</a>, <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">Nobel Peace Prize, Amnesty International HK and Malware</a>). In this blog post we document another instance of a human rights related website being compromised and used to disseminate malware.</p>
<p>While conducting analysis of <a href="http://opennet.net/">OpenNet Initiative</a><sup>1</sup> Internet filtering test results, we found one site<sup>2</sup> covering Chinese human rights issues that triggered an anti-virus alert. The AV program identified a file from the website as Trojan.Swifi. Looking into this issue, we were able to determine that the site had been compromised and was being used to distribute malware to its visitors.</p>
<p>Tracing our browsing history, we first found that one of the site’s pages had an embedded IFrame that looks out of place:<br />
<img src="https://lh6.googleusercontent.com/UQBXjhwUCvB3ipBJSc7jIj1Jgb0XOoc6kRS2v2rDE642tITAqO2p676EqtxsJP4Tk_amRL6mF5WwDZz9_oDOCppeNm_56Jbswk_VH68f_2W_hVBNF1U" alt="" width="800px;" height="117px;" /></p>
<p>The frame points to an HTML file on another site, which loaded a Flash file (SWF):<br />
<img src="https://lh6.googleusercontent.com/xd8fgI-tFSZz1wbwA_u2n_HuY-F2oHIVUkRCkGsLiVVx8MSy2cpDqGKixXuS1lxXMS9faAs0oOkoFa-oTVEwJV3auT7AYwL5SWQ8EBMuJgimQ2QTRgs" alt="" width="581px;" height="455px;" /></p>
<p>The Flash file uses <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2110">CVE-2011-2110</a> (also described in <a href="http://www.adobe.com/support/security/bulletins/apsb11-18.html">APSB11-18</a>) to download and run another program hosted on the same website, without the knowledge or consent of the user. Trojan.Swifi is the name that Symantec gives to this threat. Shadowserver has a good <a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617">writeup</a> on the first appearance of these Flash files being used in the wild, and gives some examples of sites they have found hosting this malware.</p>
<p>The URL of the file to download and run is encoded in the parameter passed to the SWF file in the link:<br />
<img src="https://lh6.googleusercontent.com/aj0l_T2woIeIOl6U4uc47xm7kGPzyy2AENTyGHaCXqGua3ewK5mCV97FIPr7l5k1t4aVMPn5z33q8COHp053DwZDkAoiKHt3igdZun-mFy_wUWUs3YA" alt="" width="800px;" height="49px;" /></p>
<p>The file itself is compressed using zlib and XOR encrypted with a one byte key. (The key is easy to determine: look for the zlib two byte header.)</p>
<p>The day after we discovered this issue, the link in the IFrame had been changed. The core of the attack, the Flash file, was still the same. However, the Flash file was hosted on a different server and loaded a slightly different executable program: same functionality, different filename and metadata. The first site was one of the examples listed in the Shadowserver report, which may be the reason why the frame was changed to point to a new location with a new payload.</p>
<p>In both cases, the downloaded program installs <a href="http://www.poisonivy-rat.com/">Poison Ivy</a>, a remote administration tool (RAT).</p>
<p>The Flash file is the same in both cases, as the two payloads have the same encryption and compression format. The URL of the payload is passed as a parameter outside of the Flash program. The MD5 hashes of the two programs and the Flash file are:</p>
<pre>b0b33a68bc9b410b8e58979b0409d466   Flash file</pre>
<pre>First sample:
 c9c58cab8441c07816727a7d9bb77cda  Encrypted + compressed payload
 8ea8b81afa8928da7a12610dfebc57b2  Payload</pre>
<pre>Second sample:
 c99129da6460dc27b0c92f84c8e0c3ed  Encrypted + compressed payload
 baff5ea74cb2b55ea124a20dc6037f19  Payload</pre>
<p>The two downloaded files are slightly different, and have different icons and program information.</p>
<p>Each program contacts a command and control (C2) server using a different dynamic DNS hostname provided by changeip.org (the first using epac.to, the second jetos.com). Both DNS names stopped working within a day, resolving to 0.0.0.0, while the server continues to operate on an ISP in Singapore. The way both were shut down so quickly suggests that this malware has been sent out by more sites than just the Chinese news site on which we discovered it.</p>
<p>Metadata in the first program identifies it as “s1.exe”, while the second is “s3.exe”. Both use “aaaa” as the company name, and “Chinese (PRC)” as the language. The first uses an information bubble as an icon, the second uses a printer icon. s3 also calls itself “flash2” internally, and uses that reference as the dynamic DNS hostname.</p>
<p>It is likely that this C2 server will continue to operate using different dynamic DNS hostnames until it is taken offline by the ISP, assuming the ISP is able and willing to shut it down. (So far, the ISP has not responded to the IWM’s abuse reports beyond automated replies from their support ticketing system.) Searching records of previously reported malware activity does not show anything specific to the IP that these programs are connecting to, although it does show many connections to IPs in the same netblock. From our initial examination, the network that is hosting this C2 server seems to be ripe for abuse.</p>
<p>Although the site is a legitimate news site, any visitor who had not applied the recent Flash APSB11-18 update would have been infected with the Poison Ivy remote administration tool, giving an attacker full access to the victim’s computer. Due to the location of the hosting provider and dynamic DNS services, it is likely that the command and control server will remain active and this specific threat will persist. Only one line of the legitimate web page needed to be changed in order to compromise every single visitor to the site.</p>
<p>Just as former IWM researcher Nart Villeneuve <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">mentioned last November</a>, we can expect attacks to continue against the visitors of human rights websites via the legitimate but compromised websites themselves. In this case, the vulnerability had been patched very quickly and was not a 0day when discovered. However, the gap between the time it generally takes for vulnerabilities such as CVE-2011-2110 to be patched on end-user systems and the speed with which exploits for them are weaponized and actively deployed is troubling. This threat is especially a problem for smaller organizations that do not have dedicated IT staff with an extensive security budget.</p>
</div>
<hr />
<div><sup>1</sup> The OpenNet Initiative (ONI) is a sister project to the Information Warfare Monitor. It is a collaborative partnership of three institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto; the Berkman Center for Internet &amp; Society at Harvard University; and the SecDev Group (Ottawa). The objective of the ONI is to investigate, expose and analyze Internet filtering and surveillance practices in a credible and non-partisan fashion.</div>
<div><sup>2</sup> We are choosing not to identify the website, by request of the website owner, due to ongoing attacks.</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ongoing Attacks on Human Rights Web sites and the Problem of Attribution</title>
		<link>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/</link>
		<comments>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/#comments</comments>
		<pubDate>Fri, 22 Apr 2011 20:28:22 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[Wikileaks]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7148</guid>
		<description><![CDATA[<strong>Ongoing Attacks on Human Rights Websites and the Problem of Attribution
</strong>
<blockquote>
A number of cyber attacks took place against human rights groups this week, including <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">Armorize’s discovery</a> of a variant of a “drive-by-download” attack on Amnesty International’s Web site. As <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">this Armorize blogpost explains</a>, “A drive-by download attack refers to the process of a user visiting an infected page and subsequently gets installed with malware, without his/her knowledge and without having him/her to click on or to agree to anything.” In the case of this week’s attack on Amnesty International, a “drive-by-cache attack” (a term coined by Armorize) was launched. <a href="http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/">John Leyden of the Register explains</a> that in drive-by-caching, “malicious scripts are used to locate the malware which is already sitting in the browser's cache directory, and executing it. This so-called drive-by cache approach makes attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect.” (For a more eloquent and technical write-up of drive-by-caching see <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">the Armorize blogpost</a>.)</blockquote>]]></description>
			<content:encoded><![CDATA[<p><strong>Ongoing Attacks on Human Rights Websites and the Problem of Attribution<br />
</strong></p>
<p>A number of  cyber attacks took place against human rights groups this week;  including  <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">Armorize’s discovery</a> of a variant of a “drive-by-download” attack on Amnesty International’s Web site. As <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">this Armorize blogpost explains</a>, “A drive-by download attack refers to the process of a user visiting an infected page and subsequently gets installed with malware, without his/her knowledge and without having him/her to click on or to agree to anything.” In the case of this week’s attack on Amnesty International, a “drive-by-cache attack” (term dubbed by Amorize) was launched.<a href="http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/"> John Leyden of the Register explains</a> that in drive-by-caching, “malicious scripts are used to locate the malware which is already sitting in the browser&#8217;s cache directory, and executing it. This so-called drive-by cache approach make attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect.” (For a more eloquent and technical write up of drive-by-caching see<a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html"> the Armorize blogpost</a>). </p>
<p>What is interesting is that the compromising of Web sites belonging to human rights groups as vehicles to deliver 0day exploits to visitors is a continuation of a trend that the Infowar Monitor has been actively monitoring—for example, a similar attack launched on users occurred in November 2010 to Amnesty International’s Hong Kong site (see our past <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">Nobel Peace Prize, Amnesty HK and Malware</a> and <a href="http://www.infowar-monitor.net/2009/10/0day-civil-society-and-cyber-security/">“0day”: Civil Society and Cyber Security</a> blogposts on such attacks for more).   </p>
<p>More generally, attacks launched on the Web sites of human rights groups (and independent Web sites) have become increasingly common. In fact, cyberspace saw two such attacks this week. First, was<a href="http://www.theregister.co.uk/2011/04/19/scottish_news_site_ddos/"> the DDoS attack launched against the Web site of the alternative new source, <em>Newsnet Scotland</em></a>, in the lead up to the country’s elections; and second was the DDoS attack launched on Change.org’s Web site this week.</p>
<p>As a major online petitioning platform, Change.org has recently become known for hosting a major petition, signed by over 90,000, calling for the release of famous Chinese dissident Ai Weiwei. The DDoS attack on the site began on Monday and rendered the site inaccessible for a few hours. It has been reported that<a href="http://www.pcworld.com/businesscenter/article/225672/changeorg_victim_of_ddos_attack_from_china.html"> the attack has been traced to servers in China</a> and<a href="http://blog.change.org/2011/04/chinese-hackers-attack-change-org-platform-in-reaction-to-ai-weiwei-campaign/"> Change.org has begun reporting that the attacks were launched by Chinese hackers</a>.</p>
<p>The Chinese state is often believed to be behind attacks on human rights Web sites, as noted in our recent blog <a href="http://www.infowar-monitor.net/?p=6935">here</a>; however, attribution of cyberattacks is an ongoing problem and difficult to make—for instance, although the attacks were traced to China, <a href="http://www.pcworld.com/businesscenter/article/225672/changeorg_victim_of_ddos_attack_from_china.html">it is possible</a> that the computers are controlled by attackers in another country. <a href="http://www.cio.com/article/679863/Verizon_Advanced_Persistant_Threat_is_Overblown?source=rss_news&#038;utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+cio%2Ffeed%2Fsolutions%2F1375+%28CIO.com+-+News%29">In this CIO article</a>, Verizon points out that the recent introduction of the term “advanced persistent threat attack” (APT) (defined by Verizon as “sophisticated and highly targeted data exfiltration exercises conducted by state-sponsored agents) has led many victims of security breaches to characterize attacks as APT, usually originating from China. Verizon argues that although “China is the source for most online attacks these days, no matter what the motivation,” it must be remembered that “the country has more than 400 million Internet users, and many of them are using computers that don’t have up-to-date patches or security software. Those PCs often get hacked and then used as stepping-stones for further attacks.” Verizon further stated that, “China is like the wild west of source IP addresses that can be taken over to state attacks.” When an attack occurs “everybody looks at it and says, ‘Oh that’s the Chinese government.”</p>
<p>The problem of state attribution was brought up once again this week when Canadian resident and Chinese dissident with protected person status, Maggie Wenzhuo Hou, <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html">stepped up to warn against a “&#8217;silent cyber war” that was being launched by the Chinese government</a>. Hou stated that she was certain that the Chinese government was monitoring and blocking her communications. Some note that there is evidence that China is involved in the spying of expatriates, and Hou’s own background certainly puts her in a vulnerable category. However, <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html">Ron Deibert, Director of the Citizen Lab suggested</a> that such a case requires caution: “There are so many people who read about issues of espionage or information-based attacks and jump immediately to the extreme conclusion.” </p>
<p>Indeed, accusations of China’s involvement in cyber espionage are a <a href="http://thenewamerican.com/world-mainmenu-26/asia-mainmenu-33/7135--china-accelerates-cyber-attacks-espionage">regular fixture</a> in cyber news. Last week, <a href="http://www.theregister.co.uk/2011/04/18/byzantine_hades_cyber_espionage/">a leaked US diplomatic cable</a> revealed that US authorities had traced a series of breaches (in which private information was stolen from US agencies and the private sector)—known as Byzantine Hades—to a unit of the country’s People’s Liberation Army.</p>
<p>Although attribution is difficult to make, attacks continue against Web sites of human rights organizations and supporters/employees and are part of a continuing trend that has been recently documented by the Berkman Center for Internet and Society in their 2010 report on <a href="http://cyber.law.harvard.edu/publications/2010/DDoS_Independent_Media_and_Human_Rights">Distributed Denial of Services Attacks Against Independent Media and Human Rights Sites</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Change.org Victim of DDoS Attack From China</title>
		<link>http://www.infowar-monitor.net/2011/04/change-org-victim-of-ddos-attack-from-china/</link>
		<comments>http://www.infowar-monitor.net/2011/04/change-org-victim-of-ddos-attack-from-china/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 21:38:59 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[human rights]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7164</guid>
		<description><![CDATA[Source: <a href="http://www.theregister.co.uk/2011/04/19/scottish_news_site_ddos/" target="_blank">Michael Kan</a>, IDG News
<blockquote>
Change.org, an online petitioning platform, has come under an ongoing distributed denial of service (DDoS) attack originating from China after the site hosted a call urging Chinese authorities to release artist Ai Weiwei from custody.

The attacks, which started late Sunday, have nearly brought down the site, according to Change.org founder Ben Rattray.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.theregister.co.uk/2011/04/19/scottish_news_site_ddos/" target="_blank">Michael Kan</a>, IDG News</p>
<p>Change.org, an online petitioning platform, has come under an ongoing distributed denial of service (DDoS) attack originating from China after the site hosted a call urging Chinese authorities to release artist Ai Weiwei from custody.</p>
<p>The attacks, which started late Sunday, have nearly brought down the site, according to Change.org founder Ben Rattray.</p>
<p>DDoS attacks work by using hundreds or thousands of hacked computers to send traffic to a website, overwhelming it with data so it becomes inaccessible to normal users.</p>
<p>Change.org said the current attack originates from an expanding group of computers primarily based in China, and has yet to stop. This is the first time the site has been hit with a DDoS attack.</p>
<p>Change.org has been hosting an online petition calling for the release of Chinese artist Ai Weiwei, who is currently under arrest. The petition has attracted almost 100,000 people from 175 countries, making it one of Change.org&#8217;s most successful international campaigns, Rattray said.</p>
<p>&#8220;It&#8217;s pretty clear the attack is in response to the campaign,&#8221; he added. &#8220;It&#8217;s extraordinary that somebody in China with a high-level of technical sophistication can impact the ability for people around the world to organize.&#8221;</p>
<p>The online call coincided with demonstrations across the world this past Sunday, which also called for the artist&#8217;s release. Ai, who is also known for his activism, has been detained as part of a Chinese government crackdown on political dissidents in the country.</p>
<p>Authorities in the country have arrested other human rights activists and clamped down on the information flow, following previous online postings that began in February calling for a &#8220;Jasmine revolution&#8221; against the Chinese government.</p>
<p>Change.org is currently blocked in China. Internet censors in the country regularly block sites that are deemed too politically sensitive.</p>
<p>Despite the block, the computers involved in the DDoS attack are managing to find a way around the country&#8217;s national Internet firewall, said Rattray.</p>
<p>In the past, other sites have been the victims of cyber attacks coming from China. This March, blog publishing platform WordPress.com also reported being hit with a DDoS attack originating from China.</p>
<p>Chinese hackers have also allegedly launched cyber attacks to steal data from foreign energy companies, according to security vendor McAfee. In 2009, Google was also the victim of an attack originating from China that was aimed at accessing the Gmail accounts of human rights activists.</p>
<p>The Chinese government has previously responded to these reports by denying it is involved in any cyberattacks, adding that China has also been a victim of hacking attempts.</p>
<p>The true source of DDoS attacks is often unclear. Although Change.org has traced the current attack to servers in China, it is also possible the computers are under the control of hackers based in another country.</p>
<p>Change.org reports that both the FBI and U.S. State Department are looking into the DDoS attack.</p>
<p>&#8220;We won&#8217;t stop or take down anything because of this DDoS attack,&#8221; Rattray said. &#8220;We believe in the fundamental right of the people to organize around issues they care about.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/change-org-victim-of-ddos-attack-from-china/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flash cache exploit debuts in Amnesty attack</title>
		<link>http://www.infowar-monitor.net/2011/04/flash-cache-exploit-debuts-in-amnesty-attack/</link>
		<comments>http://www.infowar-monitor.net/2011/04/flash-cache-exploit-debuts-in-amnesty-attack/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 21:35:38 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7160</guid>
		<description><![CDATA[Source: <a href="http://www.zdnet.co.uk/news/security-management/2011/04/20/uk-cybersecurity-spending-plans-revealed-40092586/" target="_blank">John Leyden</a>, The Register
<blockquote>
Miscreants have deployed a subtle variant of the well established drive-by-download attack tactics against the website of human rights organisation Amnesty International.

In traditional drive-by-download attacks malicious code is planted on websites. This code redirects surfers to an exploit site, which relies on browser vulnerabilities or other exploits to download and execute malware onto visiting PCs. </blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/" target="_blank">John Leyden</a>, The Register</p>
<p>Miscreants have deployed a subtle variant of the well established drive-by-download attack tactics against the website of human rights organisation Amnesty International.</p>
<p>In traditional drive-by-download attacks malicious code is planted on websites. This code redirects surfers to an exploit site, which relies on browser vulnerabilities or other exploits to download and execute malware onto visiting PCs.</p>
<p>The attack on the Amnesty website, detected by security firm Armorize, relied on a different sequence of events. In this case, malicious scripts are used to locate the malware which is already sitting in the browser&#8217;s cache directory, before executing it.</p>
<p>This so-called drive-by cache approach makes attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious manoeuvre many security software packages are liable to detect. By bypassing this step dodgy sorts are more likely to slip their wares past security software undetected.</p>
<p>The Amnesty International attack ultimately relied on an Adobe Flash zero-day exploit, patched by Adobe late last week, with the ultimate aim of dropping a backdoor on compromised machines.</p>
<p>A full write-up of the attack, analysing the code involved and explaining the concept of drive-by cache attacks in greater depth, can be found on the Armorize blog here.</p>
<p>It&#8217;s at least the second time in six months Amnesty International&#8217;s website has attacked its visitors. In November, visitors to the group&#8217;s Hong Kong website were bombarded with a host of potent exploits, including one that targeted what was then a critical zero-day vulnerability in Internet Explorer. ®</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/flash-cache-exploit-debuts-in-amnesty-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chain of Commands</title>
		<link>http://www.infowar-monitor.net/2010/09/chain-of-command/</link>
		<comments>http://www.infowar-monitor.net/2010/09/chain-of-command/#comments</comments>
		<pubDate>Tue, 28 Sep 2010 16:13:20 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6433</guid>
		<description><![CDATA[Source: Paul Mooney, South China Morning Post. Chain of commands: Mainland authorities are detaining individuals for perceived crimes committed online. But how do they access such incriminating information? When Norzin Wangmo used her computer and mobile phone two years ago to communicate with friends about protests in Tibet, she had no idea it would result [...]]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.scmp.com/portal/site/SCMP/menuitem.1d923702d0f3d4b2b5326b10cba0a0a0/?vgnextoid=8b50812fd593b210VgnVCM100000360a0a0aRCRD&#038;vgnextfmt=mag&#038;issue=20100926&#038;ss=Post+Magazine&#038;s=Magazines#Top" target="_blank">Paul Mooney</a>, South China Morning Post.</p>
<p>Chain of commands: Mainland authorities are detaining individuals for perceived crimes committed online. But how do they access such incriminating information?</p>
<p>When Norzin Wangmo used her computer and mobile phone two years ago to communicate with friends about protests in Tibet, she had no idea it would result in her torture and a five-year prison sentence.</p>
<p>Detained soon after sending the messages, the 30-year-old Tibetan government worker and writer was accused by officials of using the technology to inform the outside world about civil unrest in Tibet.</p>
<p>After months in detention, during which her friends said she was tortured, the five-year prison term was handed down. Few other details about Norzin Wangmo, who leaves behind a young son, are known.</p>
<p>No one is sure how Chinese intelligence obtained the details of her communications. But the story is a frightening example of the dark side of internet espionage on the mainland, where people perceived to be a threat to the state are targeted, including ordinary Chinese citizens, scholars, human-rights workers, journalists, diplomats and businesspeople.</p>
<p>Many security experts who study China believe the government is being fed information by a loose and shadowy network that includes the hacker community, organised crime and other parts of government, including security agencies and the People&#8217;s Liberation Army (PLA).</p>
<p>&#8220;The sheer amount of energy and resources the Chinese government has thrown at this is enormous,&#8221; says Lhadon Tethong, director of the Canada-based Tibet Action Institute, which helps Tibetans fight for rights, primarily through the safe exchange of information, using sophisticated technology.</p>
<p>Many victims of internet espionage are quick to point a finger at the central government.</p>
<p>&#8220;Who else would attack us?&#8221; asks Chine Chan, a researcher for Amnesty International Hong Kong. &#8220;It doesn&#8217;t make sense unless it&#8217;s the government.&#8221;</p>
<p>Security experts, however, are careful to explain that no smoking gun has yet been found linking the hacking and the use of malware &#8211; malicious software designed to secretly access a computer system &#8211; to Beijing.</p>
<p>Greg Walton, an independent cyber security researcher based in Britain, believes the attacks are the work of groups of players. He points to Chongqing, where there is a concentration of internet espionage control and command centres, as an example.</p>
<p>&#8220;Chongqing is interesting in that it&#8217;s like a nexus of organised crime, the party, a big computer-hacking scene and all sorts of PLA installations,&#8221; he says. &#8220;It&#8217;s a combination of many forces that do these attacks. It&#8217;s not a secret that the data is ending up with the state. Any other explanation is improbable.&#8221;</p>
<p>Experts say the spying is highly organised and professional, with some hackers working in shifts, even making note of when targets are having lunch or taking breaks.</p>
<p>It is also likely that many hackers are working independently and some targets are being compromised by more than one malware group, says Nart Villeneuve, a researcher at the Information Warfare Monitor (IWM), whose members include the Citizen Lab, Munk School of Global Affairs, the University of Toronto and the SecDev Group, a security consultancy based in Canada.</p>
<p>Walton says patriotic hackers are probably selling information to the government, providing it with &#8220;another layer of deniability&#8221;.</p>
<p>Since last year, IWM has published two reports on cyber-espionage networks: &#8220;Tracking GhostNet: Investigating a Cyber Espionage Network&#8221; and &#8220;Shadows in the Cloud: An investigation into cyber espionage 2.0.&#8221;</p>
<p>GhostNet is the name investigators have given to a network of more than 1,200 compromised computers in 103 countries, including foreign affairs ministries, embassies, international organisations, news organisations and a computer in the headquarters of Nato. The network&#8217;s command and control centre appears to be on Hainan Island, home of the Lingshui signals intelligence facility and the Third Department of the PLA.</p>
<p>In September and October 2008, IWM investigated alleged cyber espionage on the computer systems in various offices related to the work of the Tibet government in exile and other Tibetan groups. These included the Office of His Holiness the Dalai Lama, in Dharamsala, India, organisations in the United States, Britain, France, Belgium and Switzerland, and the office of Drewla, an NGO which runs an online outreach project that uses young Chinese-speaking Tibetans to talk with people in the mainland about the situation in Tibet.</p>
<p>The GhostNet report said some 70 per cent of the control servers behind the attacks on Tibetan organisations were located on IP addresses assigned to the mainland.</p>
<p>During an investigation at the Dalai Lama&#8217;s private office, Walton observed as documents were being pilfered from the computer network, including a file containing thousands of e-mail addresses and another detailing the negotiating position of the spiritual leader&#8217;s envoy.</p>
<p>During the investigation into the so-called Shadow Network, investigators were able to obtain data taken by the attackers, including some 1,500 letters sent from the Dalai Lama&#8217;s office between January and November last year. While the report said many of the letters did not contain sensitive information, it added that they allowed the attackers to collect information on anyone contacting the exiled spiritual leader&#8217;s office.</p>
<p>The team traced the attacks to hackers apparently in Chengdu, which is also the location of one of the PLA&#8217;s technical reconnaissance bureaus charged with signals intelligence collection. Researchers said one hacker, who used the cyber name &#8220;lost33&#8221;, had attended the University of Electronic Science and Technology of China, which publishes manuals on hacking and offers courses on network attack and defence security.</p>
<p>The authors said an anomaly was detected when analysing traffic from the offices of the Tibet government in exile: computers in Dharamsala were checking in with a command and control server situated in Chongqing. Despite Chongqing Communist Party chief Bo Xilai&#8217;s high-profile anti-corruption campaign, the city still has a high concentration of gangs said to have ties to the government and which have extended their traditional criminal activities to include cyber crime.</p>
<p>While Walton admits no direct link to the central government has been detected, he does not seem to have any doubts about who is behind the attacks.</p>
<p>&#8220;Some people shy away from saying it&#8217;s the state,&#8221; he says, &#8220;but there&#8217;s a growing body of evidence. My own feeling is that sooner or later someone will be able to prove it.&#8221;</p>
<p>The &#8220;Shadows in the Cloud&#8221; report, which Walton contributed to, points to the existence of a vibrant hacker community in the mainland &#8220;that has been tied to targeted attacks in the past and has been linked, through informal channels, to elements of the Chinese state, although the nature and extent of the connections remains unclear&#8221;.</p>
<p>The authors allude to a &#8220;privateering&#8221; model in which the government authorises citizens to carry out attacks against &#8220;enemies of the state&#8221;. However, the report referred to research by Scott Henderson, author of The Dark Visitor: Inside the World of Chinese Hackers. Henderson wrote that there was disagreement about the exact relationship between hackers and the state, running from &#8220;authorise&#8221; to &#8220;tacit consent&#8221; to &#8220;tolerate&#8221;.</p>
<p>The most plausible explanation, the report said, and the one supported by the evidence, is that the Shadow Network is based in the mainland and run by one or more people with close ties to the country&#8217;s criminal underworld.</p>
<p>The report concluded: &#8220;As a result, information that is independently obtained by the Chinese hacker community is likely to find its way to elements within the Chinese state.&#8221;</p>
<p>Lhadon Tethong says security experts she&#8217;s spoken to consider the cyber war &#8220;a lost game&#8221; but that she takes a different approach &#8211; trying to remain one step ahead of the mainland authorities.</p>
<p>&#8220;We&#8217;re looking at new technologies that haven&#8217;t come out yet and how they can be used in Tibet,&#8221; she says. &#8220;The Chinese government can control your BlackBerry or laptop, but let&#8217;s look beyond that, at iPads and Android technology [a mobile-phone operating system developed by Google]. You cannot stop it. The force is just too strong.</p>
<p>&#8220;We worked with young and innovative technical experts and geeks from the beginning,&#8221; she says. &#8220;The optimistic part is that the advances in communications technology are happening so quick that the Chinese bureaucracy can&#8217;t keep up. Saying you can&#8217;t do this or that because they&#8217;re too good is just not true.&#8221;</p>
<p>She cites the microblogging service Twitter, which the authorities managed to block. Before that, Tibetan activists had found it a useful tool for getting their message across both within and outside the mainland.</p>
<p>&#8220;You can block one site and another will pop up, and it won&#8217;t take long before people find it,&#8221; she says. &#8220;You can try to control it but there&#8217;s no way to stop it and I think they know that.&#8221;</p>
<p>Chan agrees. &#8220;The trend can&#8217;t go back. It&#8217;s important to learn how to get around [the controls]. If civil society grows faster than the government controls, then you win.&#8221;</p>
<p>Meanwhile, the attacks are increasing in number and in sophistication.</p>
<p>On March 18, people on the mailing list of Human Rights in China (HRIC) received an e-mail that appeared to be from director Sharon Hom. The subject line &#8211; &#8220;Microsoft, Stool Pigeon for the Cops and FBI&#8221; &#8211; convinced many recipients to take a look at the enclosed attachment. Within seconds the e-mail was flying around cyberspace, with thousands receiving it and passing it on to others.</p>
<p>But the e-mail was not from Hom. It was a &#8220;spear phishing&#8221; e-mail that lured recipients to visit a compromised website in Taiwan. Those who clicked on the link unknowingly loaded malware that allowed the attackers to take control of their computers from a server in Jiangsu province.</p>
<p>In a report on the HRIC attack, Villeneuve wrote that the malware spread via the e-mail was traced to a command and control centre in Jiangsu. He said the nature of the compromised entities and the data stolen by the attackers indicated correlations with the mainland&#8217;s strategic interests. But he concluded that &#8220;we were unable to determine any direct connection between these attackers and elements of the Chinese state&#8221;.</p>
<p>Earlier this year, a foreign journalist was conducting a text conversation on Skype with Tsering Woeser, a Beijing-based Tibetan poet and commentator, when the journalist received an article over the internet service. When the suspicious reporter called Tsering Woeser to ask about the file, she was not even home. Someone had hijacked her account and started conversations with 30 of her Skype friends, several of them journalists. They even imitated the way the poet spoke. Some were tricked into downloading malware. This was the second hijacking of her Skype account in two years.</p>
<p>Most cyber attacks rely on a tactic known as &#8220;social engineering&#8221;, manipulating people to get them to provide computer access through trickery, rather than technical hacking.</p>
<p>&#8220;At the root it&#8217;s not technology,&#8221; Walton says. &#8220;The deeper the penetration, the more intelligence they can feed into a social engineering attack. If I look at your computer, I can draft e-mails that you will trust more and more.&#8221;</p>
<p>Robbie Barnett, director of the Modern Tibet Studies programme at Columbia University, in the United States, says the attackers are getting increasingly sophisticated in their use of social engineering. They use the names of people you know, refer to an incident over the past 48 hours, often with a provocative subject, and may even have the actual sender&#8217;s real e-mail address. He says no one can be 100 per cent safe, no matter what precautions are taken.</p>
<p>&#8220;Eventually, they hit a bull&#8217;s eye,&#8221; Barnett says, &#8220;They send you a letter from a Tibetan who&#8217;s just written to you and could easily be sending something to you. Even if you&#8217;ve been careful for years, you could fall for it.&#8221;</p>
<p>Typically the target receives an e-mail appearing to be from an acquaintance. Often it mentions some sensational detail that lures the victim into opening a file or visiting a website that opens a backdoor, where malware can be planted.</p>
<p>Control is often maintained through the use of the Chinese Gh0st RAT (remote access tool). These trojans enable nearly unrestricted access to the infected system. The attacker can then carry out surveillance of the attacked computer, pilfer files and e-mails and send data to other computers, and use the infected computer as a platform to launch future attacks against computers around the world.</p>
<p>&#8220;It&#8217;s all part of a trend that I&#8217;ve been watching for a decade,&#8221; says Walton, &#8220;pushing surveillance of the population from the network to the desktop.</p>
<p>&#8220;Everything you can do, they can do &#8211; it&#8217;s like they&#8217;re sitting in front of your computer. They can turn on the webcam, the microphone and access documents. Someone is staring back at you through your webcam. It&#8217;s Orwellian.&#8221;</p>
<p>While much of the activity seems focused on gathering intelligence and disruption of operations, in some cases the attacks are more dangerous. In July, the website of Chinese Human Rights Defenders was shut down several times by direct denial of service (DDOS) attacks. In April, the Foreign Correspondents&#8217; Club of China was forced to take its website offline temporarily after being repeatedly hit by DDOS attacks.</p>
<p>In January, Google announced it had found &#8220;a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property&#8221;. The attack was said to have targeted the Google e-mail accounts of Chinese human-rights activists.</p>
<p>Journalists have also become a target. In April, Andrew Jacobs, Beijing correspondent for The New York Times, wrote an article detailing how his computer had been hacked and e-mails redirected to an unknown address. Jacobs said scores of foreign reporters in the mainland had experienced similar intrusions.</p>
<p>Last September, several foreign news bureaus in Beijing began receiving e-mails from &#8220;Pam&#8221;, who said she was an economics editor. The e-mails, which were in well-written English and included a list of genuine contact names, detailed a proposed reporting trip. However, when the attached PDF was opened it unleashed malware.</p>
<p>Walton and Villeneuve, who studied the virus, said in a report that the file appeared to be a legitimate document that had been stolen from a compromised computer, which was then modified to include malware and serve as a lure. While they said the malware could not be traced back to the central government, the recipients were Chinese news assistants, whose e-mail addresses were not widely known to the public, but were to the Ministry of Foreign Affairs.</p>
<p>Richard Baum, moderator of Chinapol, an online community of more than 900 China watchers, including journalists, lawyers and analysts, says the group has suffered &#8220;a certain amount of leakage&#8221; of membership lists and e-mail traffic. Members have also received phishing e-mails. Recently, an e-mail was sent to some members purporting to be the new member e-mail list, which had a malware attachment.</p>
<p>Walton says data was being sent back to a computer in Chongqing within 30 seconds of the malware being accepted.</p>
<p>In the HRIC incident, a member of Chinapol sent the e-mail to all its members, some of whom in turn passed it on to their acquaintances.</p>
<p>What&#8217;s troubling is anti-virus software used by the general public is not always effective in catching these viruses. In the case of the HRIC attack, there was very low anti-virus cover, with only eight out of 42 anti-virus products detecting the file as malware, the investigation found. In the case of the news assistants who downloaded malware, only three of 41 anti-virus products used by VirusTotal, a service that analyses suspicious files and URLs, detected the malicious code embedded in the PDF file.</p>
<p>Fake e-mails also create confusion. A human-rights activist in Hong Kong tells of an e-mail sent out in her name revealing certain information only known to people she worked closely with.</p>
<p>&#8220;This is their way of saying, `We know who you are and what you&#8217;re doing&#8217;, to make you feel scared,&#8221; she says. &#8220;Even if people know the e-mail is not from me, the damage is already done. The next time they&#8217;ll ask if it&#8217;s really from me.&#8221;</p>
<p>HRIC&#8217;s Hom says: &#8220;This is seriously raising security issues for us. It makes every NGO, every journalist, every contact ask if they get an e-mail from me if it&#8217;s real. As a small NGO we don&#8217;t have the resources, technical expertise and capacity to guard ourselves against such high-level attacks. It makes it very difficult for us to do our work.</p>
<p>&#8220;How can any organisation, company or government function if communication with other persons or organisations runs the risk of a malware attack that undermines the trust in the organisation? The biggest impact on us is we have to be extremely careful not to compromise the security of the people we&#8217;re dealing with.&#8221;</p>
<p>One example of this, from the GhostNet report, is that of a young Tibetan woman who was returning to her village after having worked for two years in India. She was stopped at the Nepal-Tibet border by Chinese intelligence officers. The woman was taken to a detention centre, where she was interrogated about her connection with Drewla.</p>
<p>She insisted she had gone to India just to study, denying any political involvement, but her claims were waved away. The officers then pulled out a dossier on her activities in India, including transcripts of her online chats about Tibet.</p>
<p>She was held for two months and then allowed to return to her village.</p>
<p>As a result, many activists are now reluctant to send information over the internet and even delete e-mails from people they don&#8217;t know or that look suspicious. The result is less information is getting through to the people who need it.</p>
<p>&#8220;It&#8217;s caused a lot of problems for me,&#8221; says Tsering Woeser, who is often under police surveillance. &#8220;First, because of my situation, I can only contact my friends through Skype and e-mail, and now some Tibetan friends are afraid to contact me. I&#8217;m getting much less information than before. It&#8217;s a huge interference.&#8221;</p>
<p>Tsering Woeser says her internet activities are constantly probed. In a recent incident, she received an e-card from dissident writer Yu Jie, which turned out to be a phishing spear. She says that at least once a month a person pretending to be a Tibetan attempts to make contact with her online.</p>
<p>&#8220;But what I worry about most is that the people who are in contact with me may get into trouble and I won&#8217;t even know about it,&#8221; she says.</p>
<p>Barnett also depends on sources to provide him with news from tightly controlled Tibetan areas. He says he, too, is now receiving far less information than in previous years. &#8220;The deterrent effect on people sending information is very effective,&#8221; he says. &#8220;This is having a massive effect on the limitation of outsiders finding out what&#8217;s happening in China. A lot of it works by fear, intimidation and self-censorship. People are worried about interception.&#8221;</p>
<p>Barnett says this climate of surveillance suggests to anyone considering sending information &#8220;that they should think twice&#8221;.</p>
<p>The culture of security in China, he says, means the government only has to go after a few people to have a deterrent effect.</p>
<p>&#8220;You only have to pick up three people for passing on information and that will deter hundreds of thousands of others,&#8221; he says. &#8220;The system may now be more powerful than us.&#8221;</p>
<p>Walton says there has been a clear increase in the number of incidents this year, although he cautions that this may be due to the fact people are more on the lookout for these things.</p>
<p>&#8220;There&#8217;s more awareness and people are suspicious of links and e-mails,&#8221; he says. &#8220;In terms of forward trends, I see a continuous escalation of these attacks. People are being compromised every day and I&#8217;m getting examples on a daily basis.&#8221;</p>
<p>Experts say that if Beijing is not responsible for the attacks, it has a responsibility to shut down hackers working within its borders.</p>
<p>&#8220;I have never and still don&#8217;t make the claim that it was the government,&#8221; Hom says. &#8220;But if China insists on internet sovereignty and sovereignty over its territory, it has to take responsibility for these kinds of cyber attacks. It has to show the international community that it has taken steps to investigate, track down and end these attacks.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/09/chain-of-command/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IRGC&#8217;s Cyber Department Hacks 29 US-Backed Websites</title>
		<link>http://www.infowar-monitor.net/2010/03/irgcs-cyber-department-hacks-29-us-backed-websites/</link>
		<comments>http://www.infowar-monitor.net/2010/03/irgcs-cyber-department-hacks-29-us-backed-websites/#comments</comments>
		<pubDate>Sun, 14 Mar 2010 15:43:44 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Iran]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5875</guid>
		<description><![CDATA[Source: TEHRAN (<a href="http://english.farsnews.com/newstext.php?nn=8812231183">FNA</a>)- <blockquote>The Islamic Revolution Guards Corps (IRGC) on Sunday announced that its cyber teams have hacked 29 websites affiliated with the US espionage network.

According to a statement released by the Persian-language website, Gerdab, affiliated to the IRGC's Center for Combating Organized Crimes, the hacked websites acted against Iran's national security under the cover of human rights activities. 

The IRGC has recently set up the new center to detect and combat organized crimes on the internet. 

The newly-established center is tasked with monitoring the internet to detect and campaign against organized crimes, espionage, economic and social corruption, money laundering and cultural inroad. 

The announcement came after Iran said yesterday that it has arrested 30 individuals on charges of waging a US-backed cyber war against the country. 

A statement issued by Tehran's Public and Revolutionary Court on Saturday said that following a series of complicated security operations in the area of information and communication technology, the country's security forces have identified the most important US-backed organized networks of cyber war launched by the anti-revolutionary groups and arrested 30 suspects. </blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: TEHRAN (<a href="http://english.farsnews.com/newstext.php?nn=8812231183">FNA</a>)-<br />
<blockquote>The Islamic Revolution Guards Corps (IRGC) on Sunday announced that its cyber teams have hacked 29 websites affiliated with the US espionage network.</p>
<p>According to a statement released by the Persian-language website, Gerdab, affiliated to the IRGC&#8217;s Center for Combating Organized Crimes, the hacked websites acted against Iran&#8217;s national security under the cover of human rights activities. </p>
<p>The IRGC has recently set up the new center to detect and combat organized crimes on the internet. </p>
<p>The newly-established center is tasked with monitoring the internet to detect and campaign against organized crimes, espionage, economic and social corruption, money laundering and cultural inroad. </p>
<p>The announcement came after Iran said yesterday that it has arrested 30 individuals on charges of waging a US-backed cyber war against the country. </p>
<p>A statement issued by Tehran&#8217;s Public and Revolutionary Court on Saturday said that following a series of complicated security operations in the area of information and communication technology, the country&#8217;s security forces have identified the most important US-backed organized networks of cyber war launched by the anti-revolutionary groups and arrested 30 suspects. </p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/irgcs-cyber-department-hacks-29-us-backed-websites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>@nartv: The Aurora Mess</title>
		<link>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/</link>
		<comments>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 23:36:37 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Attribution Problem]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Kneber Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5820</guid>
<description><![CDATA[Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> &#124; <a href="http://www.nartv.org/about/">Nart Villeneuve</a>

Tags: Aurora, Botnets, China, Google, Malware.

<blockquote>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on C&#038;C’s that compromised hosts check in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably, it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military, others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not to be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese state was behind the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, was based on interesting data collected via passive DNS, and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed; however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx also appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists (such as the one by US CERT) created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

    * it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> | <a href="http://www.nartv.org/about/">Nart Villeneuve</a></p>
<p>Tags: Aurora, Botnets, China, Google, Malware.</p>
<blockquote><p>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.</p>
<p>When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).</p>
<p>Maybe it is that some name domains that hosted the exploit but do not provide details on C&amp;C’s that compromised hosts check in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably, it is difficult to get a handle on exactly what is what.</p>
<p>Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.</p>
<p>Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military, others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not to be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese state was behind the attacks whether or not “amateurs” were used.</p>
<p>So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.</p>
<p>This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, was based on interesting data collected via passive DNS, and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.</p>
<p>The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed; however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).</p>
<p>CnC_Domain.1<br />
CnC_Domain.2<br />
CnC_Domain.3<br />
CnC_Domain.4<br />
blog1.servebeer.com</p>
<p>At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.</p>
<p>baltika1.servebeer.com<br />
m7been.zapto.org<br />
miecros.info<br />
mcsmc.org<br />
yahoo.blogdns.net<br />
filoups.info<br />
google.homeunix.com</p>
<p>While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.</p>
<p>Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”</p>
<p>Fake AV Alert / Scareware<br />
mcsmc.org<br />
micronetsys.org<br />
mnprfix.cn<br />
filoups.info<br />
miecros.info</p>
<p>Fake Microsoft Antispyware<br />
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com<br />
ip-173-201-21-161.ip.secureserver.net<br />
inekoncuba.inekon.co.cu<br />
google.homeunix.com<br />
yahoo.blogdns.net<br />
voanews.ath.cx<br />
ymail.ath.cx</p>
<p>So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).</p>
<p>Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.</p>
<p>For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx also appear on the Damballa list.</p>
<p>The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.</p>
<p>virtualmits.com<br />
syswa.cn<br />
thcway.info<br />
searchnix.info<br />
wscntgy.com<br />
google-analitics.in<br />
licagreem.in<br />
jusched.in</p>
<p>The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists (such as the one by US CERT) created? How were these domains bundled together?</p>
<p>In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.</p>
<p>I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?</p>
<p>Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:</p>
<p>* it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.<br />
* There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.</p>
<p>The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.</p>
<p>But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</p></blockquote>
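<p>The list cross-referencing the post walks through by hand can be done mechanically. The Python script below is an added example written for this page; it is not code from Nart Villeneuve, Damballa, US CERT or ThreatExpert. It transcribes the domain lists quoted above, treats each published cluster, each sample's contact list and the shared-URL-path grouping as evidence that links its members, and then asks two questions the post raises: which domains bridge Damballa's lists to the US CERT list, and whether Damballa's two clusters connect at all without the C2 IP addresses that were never published. The US CERT memberships are only the ones the post states, the dynamic-DNS zone list is an assumption (the post itself only names servebeer.com as a No-IP zone), and nothing here is a complete Aurora indicator set.</p>

```python
"""Cross-reference the Aurora C2 domain lists quoted in the post above.

Added example, not the post's or Damballa's code. Every list is transcribed
from the post; CnC_Domain.1..4 are Damballa's placeholders for undisclosed
names. Edges are the relationships the post describes. The shared C2 IPs
behind the two Damballa clusters were never published, so that link is an
explicit, optional assumption.
"""
from collections import defaultdict

# Damballa cluster 1: tied together by shared dynamic-DNS credentials.
DAMBALLA_CLUSTER_1 = {"CnC_Domain.1", "CnC_Domain.2", "CnC_Domain.3",
                      "CnC_Domain.4", "blog1.servebeer.com"}
# Damballa cluster 2: said to resolve to the same (undisclosed) C2 IPs.
DAMBALLA_CLUSTER_2 = {"baltika1.servebeer.com", "m7been.zapto.org",
                      "miecros.info", "mcsmc.org", "yahoo.blogdns.net",
                      "filoups.info", "google.homeunix.com"}
FAKE_AV_SCAREWARE = {"mcsmc.org", "micronetsys.org", "mnprfix.cn",
                     "filoups.info", "miecros.info"}
FAKE_MS_ANTISPYWARE = {"ec2-79-125-21-42.eu-west-1.compute.amazonaws.com",
                       "ip-173-201-21-161.ip.secureserver.net",
                       "inekoncuba.inekon.co.cu", "google.homeunix.com",
                       "yahoo.blogdns.net", "voanews.ath.cx", "ymail.ath.cx"}
# Domains grouped with mcsmc.org because they request similar URL paths.
MCSMC_PATH_GROUP = {"mcsmc.org", "virtualmits.com", "syswa.cn", "thcway.info",
                    "searchnix.info", "wscntgy.com", "google-analitics.in",
                    "licagreem.in", "jusched.in"}
# Domains contacted by the two ThreatExpert samples described in the post.
SAMPLE_CONTACTS = {
    "sample_1": {"google.homeunix.com", "yahoo.blogdns.net",
                 "tyuqwer.blogdns.com", "tyuqwer.dyndns.org"},
    "sample_2": {"google.homeunix.com", "tyuqwer.dyndns.org",
                 "blogspot.blogsite.org", "voanews.ath.cx"},
}
# Only the US CERT memberships the post states; the full list is not quoted.
US_CERT_KNOWN_MEMBERS = {"blog1.servebeer.com", "filoups.info",
                         "google.homeunix.com", "tyuqwer.dyndns.org",
                         "blogspot.blogsite.org", "voanews.ath.cx"}
# Assumption: zones treated as dynamic DNS (the post only names servebeer.com).
DDNS_ZONES = ("servebeer.com", "zapto.org", "blogdns.net", "blogdns.com",
              "homeunix.com", "ath.cx", "dyndns.org")


class DomainGraph:
    """Union-find over domain names; each piece of evidence becomes a clique."""

    def __init__(self):
        self.parent = {}

    def find(self, d):
        self.parent.setdefault(d, d)
        while self.parent[d] != d:
            self.parent[d] = self.parent[self.parent[d]]  # path halving
            d = self.parent[d]
        return d

    def link(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def add_clique(self, domains):
        domains = sorted(domains)
        for a, b in zip(domains, domains[1:]):
            self.link(a, b)

    def component_of(self, d):
        root = self.find(d)
        return {x for x in self.parent if self.find(x) == root}

    def components(self):
        groups = defaultdict(set)
        for d in list(self.parent):
            groups[self.find(d)].add(d)
        return sorted(groups.values(), key=len, reverse=True)


def build_graph(assume_shared_ip_link=False):
    """Rebuild the post's evidence; optionally add Damballa's unpublished IP link."""
    g = DomainGraph()
    for evidence in (DAMBALLA_CLUSTER_1, DAMBALLA_CLUSTER_2, FAKE_AV_SCAREWARE,
                     FAKE_MS_ANTISPYWARE, MCSMC_PATH_GROUP,
                     *SAMPLE_CONTACTS.values()):
        g.add_clique(evidence)
    if assume_shared_ip_link:  # clusters 1 and 2 pointed at the same C2 IPs
        g.link("blog1.servebeer.com", "baltika1.servebeer.com")
    return g


def bridge_domains(list_a, list_b):
    """Domains that tie two independently published lists together."""
    return sorted(set(list_a) & set(list_b))


def ddns_hosts(domains, zones=DDNS_ZONES):
    """Hostnames registered under one of the assumed dynamic-DNS zones."""
    return sorted(d for d in domains if any(d.endswith("." + z) for z in zones))


if __name__ == "__main__":
    g = build_graph()
    print("components without the undisclosed IP link:", len(g.components()))
    print("blog1.servebeer.com sits with:", sorted(g.component_of("blog1.servebeer.com")))
    print("cluster 2 -> US CERT bridges:", bridge_domains(DAMBALLA_CLUSTER_2, US_CERT_KNOWN_MEMBERS))
    print("DDNS hosts in cluster 2:", ddns_hosts(DAMBALLA_CLUSTER_2))
    print("components with the assumed IP link:", len(build_graph(True).components()))
```

<p>Run stand-alone it reports two components: blog1.servebeer.com and the four undisclosed names stay isolated from everything else until the shared-IP edge is assumed, which is exactly the gap the post points at, while every other list (both scareware families, both samples and the mcsmc.org path group) collapses into one component through mcsmc.org, filoups.info, miecros.info, yahoo.blogdns.net and google.homeunix.com. The bridge function returns filoups.info and google.homeunix.com as the only links from Damballa's second cluster to the US CERT entries the post names, and four of that cluster's seven hosts sit under the assumed dynamic-DNS zones, which is the observation behind the post's "DDNS == amateur" objection.</p>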
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

