- The Washington Times - Monday, March 24, 2008


Malicious e-mail and other cyber-attacks on Tibet advocacy groups in the United States are linked to Internet servers used in past hacker intrusions that U.S. law enforcement traced to China.

The link, made on the basis of publicly available data, is the first direct evidence that the recently intensified attacks against the Tibet groups, reported by United Press International a week ago, were launched from China. But it is not clear whether or to what extent the Chinese government or military is involved.

The latest claims follow similar charges last week from the Save Darfur Coalition, a group opposing Chinese policy in Darfur, that it had been the target of intrusion attempts “which appeared to originate in China and seemed intent on subversively monitoring, probing and disrupting coalition activities.”

The recent cyber-attacks on several Tibet groups, such as the Free Tibet Campaign and Students for a Free Tibet, were analyzed by a security researcher for the SANS Internet security organization, Maarten Van Horenbeeck, who has followed for many years cyber-attacks against advocates for human rights in China, such as Tibet groups, Uighur activists and the Falun Gung.

Mr. Van Horenbeeck told UPI that the attacks used e-mails purporting to come from known associates of the victims with attachments containing malicious code — so-called Trojan horse software — that stole e-mail and contact data, passwords and other information and covertly sent it on the Internet to special command servers.

One domain address that came up as the destination for data stolen from supporters of the Students for a Free Tibet group was familiar to him. Cvnxus.8800.org has been used by hackers “again and again” over the years, he said.

Since earlier this month, the domain has been “moving around,” he said. But until March 8, it was based on a server previously identified by the FBI as the source for an e-mail attack aimed at U.S. defense contractors launched in August, according to a report from the Air Force Association.

The link, although a narrow one, is significant because of the well-acknowledged difficulty of attributing cyber-attacks. Hackers can take control of computers, or even whole servers, without the knowledge of their owners and use them to launch attacks.

China has some of the world’s tightest government restrictions on the use of the Internet, which makes many observers skeptical that hacker gangs could operate from within China without government approval or acquiescence.

The attacks against the Tibet groups were “very professional and well-coordinated,” Mr. Van Horenbeeck said, although he said no definitive evidence linked the Chinese government to the attacks.

Some of the e-mails used highly sophisticated “social engineering techniques” to trick their victims into opening the attachment, he said.

Rather than just faking the e-mail address of an associate as the sender of a general message, these e-mails would refer to discussions the intended victim had conducted with that associate on open Internet bulletin boards or e-mail lists, Mr. Van Horenbeeck said, suggesting the hackers had done much research on individual targets.

“These were very sophisticated,” he said, adding that unlike conventional hacker attacks, these were not aimed at defacing the group7s Web site, or driving it off-line with a series of crude denial-of-service bombardments. “These attacks were designed to steal data.”

He said they might also be designed to “disrupt [the groups’] operations by making people wary of using their e-mail, which is a vital tool for their coordination.”

Some of the attacks seemed designed to undermine trust in e-mail. Last week, a security professional working with one group posted a message to a Tibet discussion list warning people to expect an uptick in e-mail and other attacks. The following day, hackers sent another mail, faked to look as if it came from the same address, containing a security document as a Word attachment. The attachment contained a Trojan horse malware package.

Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times welcomes your comments on Spot.im, our third-party provider. Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide