By Brian Krebs
washingtonpost.com Staff Writer
Friday, March 21, 2008 6:12 PM
Human rights and pro-democracy groups sympathetic to anti-China demonstrators in Tibet are being targeted by sophisticated cyber attacks designed to disrupt their work and steal information on their members and activities.
Alison Reynolds, director of the Tibet Support Network, said organizations affiliated with her group are receiving on average 20 e-mail virus attacks daily. Increasingly, she said, the contents of the messages suggest that someone on one or more of the member groups' mailing lists has an e-mail account or computer that has already been compromised.
On March 18, as protests in Tibet intensified, a technology specialist working with Reynolds's group sent a message to members warning them to expect a sharp increase in e-mail and other cyber attacks against groups rallying the international community against China's crackdown. Less than 24 hours later, Reynolds said, someone sent the exact same message out to the list, urging recipients to review an attached Microsoft Word document for online safety instructions (file-named "cyberattack.doc"). The attachment included a Trojan horse program that opened a "backdoor" on any computer used to open the file, giving the senders remote access over the system.
"If successful, these attacks can impact the safety of the people we work with, but the other part of this is it seems they're trying to make it more difficult for us to function effectively, to disrupt our activities," Reynolds said.
Sharon Hom, executive director of the New York-based Human Rights in China, said the group's 25 staff members have reported a marked upswing in the number and sophistication of e-mail virus attacks. In 2006, the group intercepted just two targeted e-mail attacks, and by the end of last year that number had grown to 40. In the first three months of 2008, the group has received more than 100 such targeted attacks.
Experts say attributing such attacks to any one group or government is extremely difficult, as computer systems that appear to be the source of malicious activity online often are controlled by persons or groups using computers in completely different locations. But Reynolds said these types of sustained, targeted attacks suggest a level of organization, tenacity and degree of commitment not typically seen in attacks by individual hackers.
"They're really trying to disrupt the Tibetan movement, and whoever is perpetrating this is doing it on full-time basis," she said.
A handful of recent targeted attacks shared the same Internet resources and tactics in common with those used in a spate of digital assaults against number of major U.S. defense contractors, said Maarten Van Horenbeeck, an incident handler with the SANS Internet Storm Center, Bethesda, Md.-based organization that tracks online security trends.
According to a January article in Air Force Online, a series of e-mail attacks originating in China targeted 28 defense contractor locations in the United States late last year. The story named specific Beijing-based Internet addresses that the FBI later determined were the origin of the attacks.
Van Horenbeeck, who provides security and technical advice to several Tibetan groups, said he has uncovered evidence that those same numeric Internet addresses were used in targeted attacks against Students For a Free Tibet, another New York-based human rights group.
The attacks on pro-Tibet organizations are not the first to be tied to computers in China. The Washington Post reported March 21 that the FBI is investigating whether hackers in China targeted a group working for human rights in Darfur, the war-torn province of Sudan. China has economic and strategic interests in the African nation's oil fields.
Van Horenbeeck said the danger with the e-mail viruses involved in the attacks is that they are so hand-crafted and new that they usually go undetected by dozens of commercial anti-virus scanners on the market today.
"Last week, I had two of these samples that were detected by two out of 32 different anti-virus scanners, and another that was completely undetected," he said.
The specificity of information sought in the targeted attacks also suggests the attackers are searching for intelligence that might be useful or valuable to a group that wants to keep tabs on human rights groups, said Nathan Dorjee, a graduate student who provides technology support to Students for a Free Tibet.
Dorjee said one recent e-mail attack targeted at the group's members included a virus designed to search victim's computers for encryption keys used to mask online communications. The attackers in this case were searching for PGP keys, a specific technology that group members routinely use to prevent outsiders or eavesdroppers from reading any intercepted messages.
Dorjee said the attacks have been unsettling but ineffective, as the Students for a Free Tibet network mostly operates on more secure platforms, such as Apple computers and machines powered by open source operating systems.
"The fact that we're being attacked with the same resources thrown at multi-billion defense contractors is flattering," said Lhadon Tethong, executive director of Students for a Free Tibet. "It shows that we really are an effective thorn in the side of a repressive regime."