[liberationtech] Local spike in human rights malware attacks from China
Danny O'Brien
DObrien at cpj.org
Fri Nov 12 20:12:27 PST 2010
I just wanted to point everyone on-list to the recent increase in hacking attacks against (or using as a proxy) human rights groups who do work in China, or who are connected to the Nobel Peace Prize. If you do work in this area, you should be aware that a group or groups are particularly targeting Western NGOs to distribute malware to vulnerable groups (and other NGOs).
I'm sure you all run anti-virus software on incoming mail and your desktop machines, keep your software up to date, and guard and monitor your websites against the insertion of malware, but if you don't, now might be an excellent time to do so (or make an argument to decision-makers that your organization should).
The chain of incidents so far is:
On October 26th, the Nobel Prize site was hacked, and a new vulnerability used to infect viewers using Firefox on Windows:
http://www.zdnet.com/blog/security/firefox-zero-day-under-attack-at-nobel-peace-prize-site/7550
This weekend, CPJ and others received an email, ostensibly from Alex Gladstein and the Oslo Freedom Forum, with an included PDF attachment with a convincing looking invitation to the Peace Prize Ceremony. The PDF used a Flash exploit from September (fixed in the very latest versions) to infect those opening the attachment on Windows. (AV software scanning incoming mail should have been able to catch this).
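As an added illustration of the kind of check mail-gateway scanning could have applied to that invitation (this is example code written for this post, not anything CPJ or the list runs), the script below parses an email message, pulls out PDF attachments, and flags any that carry markers of an embedded Flash object (a /RichMedia annotation, a /Subtype /Flash entry, a .swf file name, or a raw SWF header). The message and both PDFs are constructed inline for the example; the marker list and the PDF contents are assumptions, and real PDFs often hide such objects inside compressed streams, so a production scanner must decode streams before matching.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Byte patterns that indicate a PDF embeds Flash (SWF) content.  These are
# assumed indicators for the example; they match plain-text PDF syntax only,
# not content hidden inside FlateDecode or otherwise encoded streams.
FLASH_MARKERS = [
    (re.compile(rb"/RichMedia"), "RichMedia annotation"),
    (re.compile(rb"/Subtype\s*/Flash"), "Flash subtype"),
    (re.compile(rb"\.swf\)"), "SWF file name"),
    (re.compile(rb"stream\r?\n(FWS|CWS|ZWS)"), "raw SWF header in stream"),
]


def pdf_flash_indicators(data: bytes) -> list[str]:
    """Return the names of every Flash marker found in a PDF byte string."""
    if not data.startswith(b"%PDF"):
        return []
    return [label for pattern, label in FLASH_MARKERS if pattern.search(data)]


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw RFC 822 message and report PDF attachments with Flash markers.

    Returns a list of (attachment file name, indicators) for each flagged PDF.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        is_pdf = part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf")
        if not is_pdf:
            continue
        content = part.get_content()
        if isinstance(content, str):
            content = content.encode("latin-1", "replace")
        indicators = pdf_flash_indicators(content)
        if indicators:
            hits.append((name, indicators))
    return hits


def build_sample_message() -> EmailMessage:
    """Construct a test message with one benign PDF and one Flash-bearing PDF.

    Both PDFs are hand-written stubs, not real documents and not an exploit.
    """
    benign_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
    flash_pdf = (
        b"%PDF-1.6\n"
        b"1 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
        b"2 0 obj << /Type /Filespec /F (movie.swf) >> endobj\n"
        b"3 0 obj << /Subtype /Flash >> endobj\n"
        b"%%EOF\n"
    )
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invitation (constructed sample)"
    msg.set_content("Please find the invitation attached.")
    msg.add_attachment(benign_pdf, maintype="application", subtype="pdf", filename="agenda.pdf")
    msg.add_attachment(flash_pdf, maintype="application", subtype="pdf", filename="Nobel_Invite.pdf")
    return msg


if __name__ == "__main__":
    for filename, found in scan_message(build_sample_message().as_bytes()):
        print(f"FLAGGED {filename}: {', '.join(found)}")
```

Run against a saved .eml file, the same scan_message function would flag attachments for quarantine or analyst review; the point is that a gateway can block on structural indicators (Flash inside a PDF) rather than on a signature for one specific exploit, which matters when the sample is new.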
These mailed invites were based on a template email that we believe was taken from the incoming mail of a Chinese dissident based in the US, whose computer was previously compromised. There's apparently some evidence to suggest that the distribution list was taken from the same individual, but I'm still checking that out. I wrote a brief summary of the situation here: http://www.cpj.org/internet/2010/11/that-nobel-invite-mr-malware-sent-it.php
Then on Wednesday, the Hong Kong site of Amnesty was hacked to serve several 0day exploits, including an unpatched Explorer exploit. http://www.nartv.org/2010/11/12/nobel-peace-prize-amnesty-hk-and-malware/
I imagine if this is anything like what happened around the Beijing Olympics, that we're going to see similar attempts right up to the award ceremony itself. The malware these attacks deliver has unknown capabilities; its function is controlled by remote servers, but almost certainly can intercept incoming and outgoing mail, files, keypresses (including passwords) and relay all this information to its controllers. If you let yourself be infected, the security and privacy of your organization and those you work with is at risk, so take care!
(On the brighter side, there's never been a better time to be a malware computer security analyst with an interest in human rights issues. Do get in touch if that's who you are...)
Best,
d.