Targeted attacks against Tibet organizations
Posted On: 19th of March, 2012, 11:42 AM
 
Posted by jaime.blasco in News

We recently detected several targeted attacks against Tibetan activist organizations, including the Central Tibet Administration and the International Campaign for Tibet, among others. We believe these attacks originate from the same group of Chinese hackers that launched the 'Nitro' attacks against chemical and defense companies late last year, and that they are aimed at both spying on these organizations and stealing sensitive information about their activities and supporters.

The attacks begin with a simple spear phishing campaign that uses a contaminated Office file to exploit a known vulnerability in Microsoft Office. The information in the spear phishing email is related to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. After further investigation, we discovered that the malware being used in this attack is a variant of Gh0st RAT (remote access Trojan), a type of software that enables anything from stealing documents to turning on a victim's computer microphone. Gh0st RAT was a primary tool used in the Nitro attacks last year, and the variant we uncovered in these attacks seems to come from the same actors. It's likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.

It is no surprise that Tibetan organizations are being targeted – they have been for years – and we continue to see Chinese actors breaking into numerous organizations with impunity. Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.

Below is a detailed analysis of one of the dozens of campaigns that we’ve been tracking, which illustrates the method used by the attackers and the possible connection to the Nitro attacks.

These latest attacks are linked to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The spear phishing emails are not that sophisticated and feature a Microsoft Word attachment (Camp information at Bodhgaya.doc) that exploits a known Office stack overflow vulnerability (CVE-2010-3333). That CVE is a stack-based buffer overflow in Word's RTF parser, so the attachment has to carry RTF content despite its .doc extension; Word selects the parser from the file's contents rather than its name, and the extension alone says nothing about which parser the file will hit.


Here is one of the mails detected:

[screenshot of the spear phishing email]

Scanning the attachment for an embedded executable finds and carves out the payload:

Found executable at offset 1752
File saved on 1329392127.exe
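The carving step shown above is easy to reproduce without a dedicated tool. The following Python script is an added example and is not code from the original post or from AlienVault: it scans an arbitrary blob for "MZ" markers, validates each hit by walking the DOS, COFF and optional headers, sizes the image from its section table (and from the appended certificate blob, if any), and reports whether the carved PE carries an Authenticode security directory at all. The embedded sample document is constructed for the example, with a minimal hand-built PE32 placed at offset 1752 to mirror the post's output; it is not the attacker's file, and the offset in a real document will be whatever the carver finds.

```python
import struct

# Constants from the PE/COFF spec (winnt.h names kept for recognisability).
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory slot for the Authenticode blob
IMAGE_FILE_MACHINE_I386 = 0x14C


def parse_pe_at(blob: bytes, off: int):
    """Validate a PE image starting at blob[off]; return its metadata or None."""
    if blob[off:off + 2] != MZ_MAGIC or len(blob) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    nt = off + e_lfanew
    # Real images keep e_lfanew small; a huge value is almost always a false "MZ" hit.
    if e_lfanew > 0x1000 or blob[nt:nt + 4] != PE_SIGNATURE:
        return None
    coff = nt + 4
    if len(blob) < coff + 20:
        return None
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if opt_size < 2 or len(blob) < opt + opt_size:
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        dd_off = 96                     # data directories start here in PE32
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        dd_off = 112                    # ... and here in PE32+
    else:
        return None
    num_dirs = struct.unpack_from("<I", blob, opt + dd_off - 4)[0]
    sec_off = sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and \
            opt_size >= dd_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        sec_off, sec_size = struct.unpack_from(
            "<II", blob, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # The security directory holds a raw file offset (not an RVA) of a WIN_CERTIFICATE.
    has_authenticode = sec_off != 0 and sec_size != 0

    # Size the image from the section table: end of the last raw section, or of the
    # appended certificate blob if that lies further out. Clip on truncated input.
    sect_tbl = opt + opt_size
    end = sect_tbl + 40 * nsec
    for i in range(nsec):
        sh = sect_tbl + 40 * i
        if len(blob) < sh + 40:
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sh + 16)
        end = max(end, off + raw_ptr + raw_size)
    if has_authenticode:
        end = max(end, off + sec_off + sec_size)
    end = min(end, len(blob))
    return {"offset": off, "end": end, "machine": machine, "sections": nsec,
            "timestamp": tstamp, "has_authenticode": has_authenticode,
            "data": blob[off:end]}


def carve_embedded_pes(blob: bytes):
    """Return metadata (including the carved bytes) for every PE image inside blob."""
    found, pos = [], 0
    while (pos := blob.find(MZ_MAGIC, pos)) != -1:
        info = parse_pe_at(blob, pos)
        if info is None:
            pos += 1                    # false hit, keep scanning
        else:
            found.append(info)
            pos = info["end"]           # skip past the carved image
    return found


def build_sample_pe(signed: bool = True) -> bytes:
    """Constructed minimal PE32 (one section, optional fake Authenticode blob).
    Not the sample from the post; just enough structure to exercise the carver."""
    opt_size, cert_off, cert_len = 224, 0x400, 64
    dos = bytearray(64)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0x4F3D0000, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<IIII", opt, 16, 0x1000, 0x1000, 0x2000, 0x400000)  # entry, code, data, image base
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                       # section / file alignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                    # Windows GUI subsystem
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_len)
    sect = bytearray(40)
    sect[0:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)     # VSize, VA, RawSize, RawPtr
    struct.pack_into("<I", sect, 36, 0x60000020)                          # code | execute | read
    img = bytearray(dos + PE_SIGNATURE + coff + opt + sect)
    img += b"\0" * (0x200 - len(img))                                     # pad to SizeOfHeaders
    img += b"\xCC" * 0x200                                                # .text body (int3 filler)
    if signed:
        # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
        img += struct.pack("<IHH", cert_len, 0x0200, 0x0002) + b"\x30" + b"\0" * (cert_len - 9)
    return bytes(img)


# Constructed "document": RTF-looking filler, the PE at offset 1752 (the offset the post
# reports), then a trailer. Neither filler nor trailer contains the bytes "MZ".
SAMPLE_DOC = (b"{\\rtf1\\ansi constructed decoy text }" * 100)[:1752] + build_sample_pe() + b"}" * 64

if __name__ == "__main__":
    for pe in carve_embedded_pes(SAMPLE_DOC):
        print("Found executable at offset %d (%d bytes, machine 0x%x, authenticode=%s)"
              % (pe["offset"], len(pe["data"]), pe["machine"], pe["has_authenticode"]))
```

`has_authenticode` only tells you that a signature blob is attached, which is the situation the post describes; it says nothing about whether the signature verifies or whether the chain ends in a root the machine trusts. That check needs a real Authenticode verifier such as `signtool verify` or PowerShell's `Get-AuthenticodeSignature` on the carved file, and it is the chain-to-trusted-root step that fails for this sample.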

Just for good measure, the malware is digitally signed, which lends it an extra veneer of authenticity. The signature does not actually validate, though: the certificate chains to a root authority that is not present in the computer's Trusted Root Certification Authorities store, so Windows will not treat the binary as trusted, and the signature should not be taken as evidence of legitimacy.