Smokey's Security Weblog

veritas odium parit

Cyber attacks against Tibetan communities

There is a lot of media coverage of the protests in Tibet. What lies under the surface, and rarely gets a blip in the press, is the series of targeted cyber attacks that have recently been taking place against these communities.

These attacks are not limited to Tibetan NGOs and support groups. Reports of them date back to 2002, and even somewhat before that, and they have affected several other communities, including Falun Gong and the Uyghurs.

The attacks generally start with a very trustworthy-looking e-mail, spoofed to appear to originate from a known contact, sent to someone within a community. Some impressive social engineering tricks are used.

Antivirus software is generally not proving effective against these attacks.

SANS have been working with several groups on these attacks since early 2007. If you or your organization has also been targeted, now or in the past, please get in touch. SANS will not publish any data on your specific attacks without your permission.

Full, unmodified article: SANS


March 23, 2008 - Posted by | Malware, News, Recommended External Security Related Links

1 Comment »

  1. F-Secure Weblog: Groups working for freedom of Tibet all over the world have been targeted. These emails have been sent to mailing lists, private forums and directly to persons working inside pro-Tibet groups. Some individuals have received targeted attacks like this several times a month.

    The mails are almost always forged to look like they would be coming from trusted persons or organisations, making it more likely they get opened by the recipient.

    Just the filenames of some of the recent malicious attachments tell a lot:

    UNPO Statement of Solidarity.pdf
    Daul-Tibet intergroup meeting.doc
    Updates Route of Tibetan Olympics Torch Relay.doc
    Talk points.chm
    China’s new move on Tibetans.doc
    Support Team Tibet.doc
    Photos of Tibet.chm
    News ReleaseMassArrest.pdf
    Whole Schedule and Routing for Torch Relay.xls

    As you can see there’s a variety of “trusted” filetypes used in these targeted attacks, including DOC, XLS, PPT, PDF, CHM.

    The contents of these bait documents have been crafted very well. Below are some examples of what the user sees after he has been duped into opening one of these files. The content is mostly recycled from real announcements and messages of the pro-Tibet groups.

    Comment by Smokey | March 24, 2008 | Reply
