Posted on 03/25/2008 4:31:53 AM PDT by BGHater
Malicious e-mail and other cyberattacks on Tibet advocacy groups in the United States are linked to Internet servers used in past hacker intrusions traced by U.S. law enforcement to China.
The link, made by security experts on the basis of publicly available data, is the first direct evidence the recently intensified attacks against the Tibet groups, reported by United Press International a week ago, were launched from China. But it remains unclear to what extent -- if any -- the Chinese government or military is implicated.
The news follows charges last week from the Save Darfur Coalition, a group opposing Chinese policy in Darfur, they had been the target of intrusion attempts "which appeared to originate in China and seemed intent on subversively monitoring, probing and disrupting coalition activities."
The recent cyberattacks on several Tibet groups were analyzed by a security researcher for the SANS Internet security organization, Maarten Van Horenbeeck, who followed cyberattacks against Tibet organizations, and advocates for other Chinese ethnic groups such as the Uighurs, for many years.
Van Horenbeeck told United Press International that the attacks used e-mails purporting to come from known associates of the victims with attachments containing malicious code -- so-called Trojan horse software -- that stole e-mail and contact data, passwords and other information and covertly sent it on the Internet to special command servers. One domain address that came up as the destination for data stolen from supporters of the Students for a Free Tibet group was familiar to him. Cvnxus.8800.org has been used by hackers "again and again" over the years, he said.
Since earlier this month, the domain has been "moving around," he said. But until March 8, it was based on a server previously identified by the FBI as the source for an e-mail attack aimed at U.S. defense contractors launched in August last year, according to a report from the Air Force Association.
The link, though a narrow one, is significant because of the well-acknowledged difficulty of attributing cyberattacks. Hackers can take control of computers, or even whole servers, without the knowledge of their owners and use them to launch attacks.
China has some of the world's tightest government restrictions on the use of the Internet, which makes many observers skeptical hacker gangs could operate from within China without government approval or acquiescence.
The attacks against the Tibet groups were "very professional and well-coordinated," Van Horenbeeck said, though he said no definitive evidence linked the Chinese government to the attacks.
Some of the e-mails used highly sophisticated "social engineering techniques" to trick their victims into opening the attachment, he said.
Rather than just faking the e-mail address of an associate as the sender of a general message, these e-mails would refer to discussions that the intended victim had conducted with that associate on open Internet bulletin boards or e-mail lists, Van Horenbeeck said, suggesting the hackers had done a great deal of research on individual targets.
"These were very sophisticated," he said, adding that unlike conventional hacker attacks, these were not aimed at defacing the group's Web site or driving it offline with a series of crude denial-of-service bombardments. "These attacks were designed to steal data," he said.
He said they might also be designed to "disrupt (the groups') operations by making people wary of using their e-mail, which is a vital tool for their coordination."
Some of the attacks did seem designed to undermine trust in e-mail. Last week a security professional working with one group posted a message to a Tibet discussion list warning people to expect an increase in e-mail and other attacks. The following day hackers sent another message, faked to look as if it came from the same address, containing a security document as a Word attachment. The attachment contained a Trojan horse malware package, Van Horenbeeck said.
Similarly sophisticated social engineering techniques were noted by security researchers at MessageLabs last month in e-mail malware sent to members of an Olympic committee.
"These are otherwise perfectly valid documents," Maksym Shipka, senior architect at MessageLabs, told SCMagazine, an IT security trade publication. "It's real information. It's a continuation of actual email conversations. Yet the document is bad."
Shipka said the e-mail was so convincing that recipients forwarded it to other members of the committee.
The Trojans and other malicious software used in the Tibet attacks are similar to those used in attacks against the unclassified computer networks of U.S. defense contractors, the Department of Energy's nuclear labs and other sensitive government agencies, but experts caution against reading too much into this, saying that the software is easily available on hacker Web sites.
Let me see.....why are these servers allowed to be operational? Cut off the head and the body dies.......
Oh Come On.
Nothing happens without approval in a totalitarian state.
I am just going to keep on asking why we have to accept packets from this diseased enemy pesthole. Cut them off.
They hack our banks, our Industry, our infrastructure, our R&D, and our Military. What's left?
This one is still up:
http://wikileaks.org/leak/tibet-protest-photos/index.html
Anyone else experiencing problems?
I have had an increase in Porn Spam. Dunno, if it’s from the Chinese. Includes animals, maybe PETA.
I have not checked my yahoo but I will & let you know..
I’ve been having periods of real slow access to FR recently but was wondering if it had to do with network speeds. Might be denial of service attacks but I’m not sure.
I know for a fact that FR was shut down in China for a while after “pganini” was banned. There was a thread about it too from a China-based FReeper (not a chicom troll).
Argh. I get some porn spam and some cheap meds spam and viagra spam. It all gets the axe. This was different because of the sudden volume and the common source.
That is interesting about the FR shutdown in China. FR has always had occasional slowdown problems and recently the Proxy Error problem which was explained as bugs in new server equipment. It may be nothing but after receiving a high volume of probes from SE Asia on my ‘puter in ‘01 when I started posting provocative suggestions on the air crew hostage incident I get suspicious of problems when I start posting on China related threads. The Chicoms are wildly paranoid.
All of the yahoo accounts I have are working fine.
Hey that happened to me with yahoo as well. I sent myself an email from my gmail account and never got it. I get so much spam that i had to abandon the account.
Wow... Pretty interesting. I’m not having problems, but then I have been reading and not really posting much.
I find it kind of hysterical that the Chinese think that H4><0rz are going to stop the protesting... Or, the spread of information!
The photos are just shocking. Thanks for posting.
Yes, I am all of a sudden getting numerous spam mails on my Yahoo account that I have had since 2000. Previously there has been very little. As far as my other problems I should disclose that I run Windoze so it is a little silly to look at outside factors as a source of all of my problems. But some errors are atypical from the usual MicroSoft handicaps.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.