A targeted campaign of attacks against Tibetan organisations has taken place over the past months. This paper covers some of the attacks and the media coverage. While the attacks appear to have originated from China, whether they are supported by the Chinese leadership is open for debate.

1. When Dragons Attack
A review of recent Tibetan Cyber Attacks and the Ubuntu option
24th April 2008
peter@ironcove.net
http://www.ironcove.net
ironcove.net – open source security solutions

2. Table of Contents
When Dragons Attack..........................................................................................................................1
Introduction..........................................................................................................................................3
Summary of Attacks and News Links..................................................................................................4
Overview.....................................................................................................................................4
Timeline of Tibetan targeted attacks...........................................................................................5
1.1 China implicated in Dalai Lama hack plot............................................................................5
1.2 Tibetan Historical Pictures Emails contain Malware............................................................5
1.3 Protests in Tibet, Violence follows for the next week...........................................................5
1.4 Multiple documents containing malware distributed details released...................................5
1.5 Tibetan Govt in Exile website hacked...................................................................................6
1.6 Fribet Trojan that steals database information......................................................................6
1.7 Olympic themed cartoon malware spreads malware.............................................................6
Is the Chinese Government involved in the attacks?............................................................................7
Arguments against.......................................................................................................................7
The Chinese are making a splash on the internet........................................................................8
Conclusion............................................................................................................................................9
Appendix A.........................................................................................................................................10
Ubuntu Linux ...........................................................................................................................10
Open Office ..............................................................................................................................10
Firefox ......................................................................................................................................10
ironcove.net – open source security solutions

3. Introduction
The aim of this paper is to review recent Cyber Attacks against Pro­Tibetan groups and to make the
reader aware of alernative software options that would provide a more secure operating environment
for these groups and individuals.
Over the past few years a number of attacks have taken place against various pro­tibetan
organistaions and while there is significant circumstantial evidence that these attacks may have
origins in the Chinese government it is also possible it is the work of various chinese hacking
groups who have nationalist tendancies.
With significant end user training and ongoing systems support most operating systems can be made
relatively secure, however this is not a realistic prospect for many groups and individuals around the
world. It is my recommendation that Ubuntu Linux having just been released in a new version (8.04)
is a solid and secure alternative desktop environment that should be promoted and utilized amougnst
ngo's and nonprofits to avoid many of these attacks.
All of the currently listed attacks in the timeline of attacks against ProTibetan groups and
supporters would have had no effect on an Ubuntu Linux Desktop system.
ironcove.net – open source security solutions

4. Summary of Attacks and News Links
Overview
There has been significant news coverage of a number of attacks against ProTibetan groups,
individuals and supporters. While the Tibetan issue has been topical in the media recently with the
Beijing Olympics and the recent torch relay debacle, these attacks are remarkable in how focused
and professional they have been. This is not the work of a couple of script kiddies, these are highly
skilled and well researched attackers who's main motivation seems to be intelligence gathering
rather than disruption of service.
Sharon Hom, executive director of the New York­based Human Rights in China, said the
group's 25 staff members have reported a marked upswing in the number and sophistication
of e­mail virus attacks. In 2006, the group intercepted just two targeted e­mail attacks, and
by the end of last year that number had grown to 40. In the first three months of 2008, the
group has received more than 100 such targeted attacks.
quot;The fact that we're being attacked with the same resources thrown at multi­billion defense
contractors is flattering,quot; said Lhadon Tethong, executive director of Students for a Free
Tibet. quot;It shows that we really are an effective thorn in the side of a repressive regime.quot;
http://www.washingtonpost.com/wp­dyn/content/article/2008/03/21/AR2008032102605.html
These attacks have been going on for months, but appear to have grown in intensity in recent
days. Alison Reynolds of the International Tibet Support Network told me, quot;There are surges
of activity which coincide with our busiest campaign periods and obviously now we are
seeing a lot of attacks.quot;
http://www.bbc.co.uk/blogs/technology/2008/03/tibet_the_cyber_wars.html
quot;We are seeing more and more spying done with Trojans, a shift that has happened in the last
two years,quot; Mikko Hyppönen, the chief research officer for software security vendor F­
Secure, told RSA conference attendees Thursday morning.
http://www.wired.com/politics/security/news/2008/04/chinese_hackers
ironcove.net – open source security solutions

5. Timeline of Tibetan targeted attacks
Date Attack Type
1.1 Sept 2002 China implicated in Dalai Lama hack plot
1.2 6th March 2008 Tibetan Historical Pictures Emails contain Malware
1.3 10th March 2008 Protests in Tibet, Violence follows for the next week
1.4 21st March 2008 Multiple documents containing malware distributed details released
1.5 10th April 2008 Tibetan Govt. in Exile Web Site Hacked (tibet.net)
1.6 13th April 2008 Fribet Trojan that steals database information
1.7 14th April 2008 Olympic themed cartoon malware spreads malware
1.1 China implicated in Dalai Lama hack plot
As far back as 2002 Computer administrators for the Tibetan Computer Resource Centre have
reported that computer attacks using virus laden emails have been attempted that send information
and documents to servers in China.
The Centre runs Internet Services for the Tibetan Government in exile in Dharmsala, India.
http://www.securityfocus.com/news/884
1.2 Tibetan Historical Pictures Emails contain Malware
Early in March of 2008 reports emerged of a Malware infected Microsoft helpfile attachment that
contained historical Tibetan images. The malicious CHM attachment was spammed out in a targeted
attack against Tibetan supporters.
http://www.sophos.com/security/blog/2008/03/1136.html
http://www.avertlabs.com/research/blog/index.php/2008/03/11/social­engineering­tricks­use­tibet­to­lure­victims/
1.3 Protests in Tibet, Violence follows for the next week
On Monday, March 10 Five Hundred monks from Drepund monastery march to Lhasa to mark the
49th anniversery of a quashed rebellion against communist rule. Further protests, rioting and
viloence follows.
http://www.reuters.com/article/latestCrisis/idUSSP306110
1.4 Multiple documents containing malware distributed details released
Pro­Tibetan groups are targeted by malware infected documents, in the form of email attachments,
mailing list posts and forums. Some are targeted at individuals in the Tibetan movement. The emails
are carefully crafted and use a high level of Social Engineering to trick even careful computer users
into opening the attachments and becoming infected. The malware is highly customized and not
picked up by most antivirus scanning software.
http://www.theregister.co.uk/2008/03/22/pro_tibetan_groups_targeted/
http://www.f­secure.com/weblog/archives/00001406.html
http://isc.sans.org/diary.html?storyid=4177
http://www.nonprofittechblog.org/pro­tibet­non­profit­under­cyber­attack
ironcove.net – open source security solutions

6. To investigate, it's necessary to find out which commands were submitted (to the trojan). So
far, we have uncovered attacks that specifically searched the file system for Word documents,
e­mail contents and, most interestingly PGP keyrings
http://isc.sans.org/diary.html?storyid=4176
1.5 Tibetan Govt in Exile website hacked
The official web site of the Tibetan Government in exile was attacked and taken down. The method
of attack is unclear at this time. Another domain and server was used to reinstate the site.
quot;It is the intention of the hackers to ensure that our information do not get out,quot; Tenzin
Takla, spokesman of Dalai Lama told AFP but declined to say whom he suspected.
Tibet.net is currently backup and running and a message on the site states that the alternate domain
that was created (www.tibetgov.net) will be used as a backup in the case of future problems.
http://www.phayul.com/news/article.aspx?article=Website+of+the+Exile+Tibetan+Government+Hacked&id=20608
1.6 Fribet Trojan that steals database information
Researches discovered that this trojan was placed on hacked pro­tibet websites, so that visitors
running unpatched Microsoft Operating Systems would be infected. The unique aspect of this trojan
is that it would attempt to make connections to local databases and steal information contained
within them.
http://www.theregister.co.uk/2008/04/14/database_trojan/
http://www.avertlabs.com/research/blog/index.php/2008/04/10/friebet­attacking­your­backend­database­from­your­
backyard/
quot;These websites appear to have been specifically targeted as this is not a generic Trojan
downloader. Someone or some group has gone to great trouble to rewrite the exploit and
personalise it to the FreeTibet.org and SaveTibet.org websites,quot; Parker said.
http://www.webuser.co.uk/news/226512.html
1.7 Olympic themed cartoon malware spreads malware
A multimedia cartoon file that ridiculed the efforts of a Chinese gymnast at the games was aimed at
the Pro­Tibetan internet community. This was an attempt at creating a trojan that would be passed
around infecting members of the Tibetan community and its supporters.
While the Flash­based movie runs, a keystroke logging tool is silently installed on the
victim's Windows PC. The malware is hidden by rootkit functionality, making it harder to
detect and remove.
The malicious cartoon is distributed as an email attachment called quot;RaceForTibet.exequot;. Data
captured by the keystroke logger is sent to a computer in China. As usual, the threat affects
Windows PCs only.
http://www.theregister.co.uk/2008/04/15/pro_tibet_trojan/
http://www.avertlabs.com/research/blog/index.php/2008/04/14/is­malware­writing­the­next­olympic­event
ironcove.net – open source security solutions

7. Is the Chinese Government involved in the attacks?
So was it the Chinese Government? This is the question everyone wants the answer too and noone
can really say definitively. It is well known that China has been developing a comprehensive cyber
warfare capability. They certainly have the resources and the expertise, an article from the Taipai
Times 26th of June 2002 put the number of Chinese hackers at 300'000. We can only presume the
government would have agents and / or assets within the hacker community that they can call on
when required at the very least.
The Trojans and other malicious software used in the Tibet attacks are similar to those used
in attacks against the unclassified computer networks of U.S. defense contractors, the
Department of Energy's nuclear labs and other sensitive government agencies, but experts
caution against reading too much into this, saying that the software is easily available on
hacker Web sites.
http://www.upi.com/International_Security/Emerging_Threats/Analysis/2008/03/24/analysis_cyberattacks_on_
tibet_groups/9260/
http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
Arguments against
Comprehensive information on the Chinese Hacker scene can be found in the book the “Dark
Visitor”, the book is well researched and provides a thorough analysis of the Chinese hacker scene
over the past 12 years. Ongoing political hacking from China is documented and referenced,
including attacks against Government and Corporate systems in Indonesia, Korea, Japan and the
United States. A clear line is drawn to the fact that the majority of known Chinese hacking groups
are very nationalistic and seemingly launch attacks at will against anyone that seems to be anti­
chinese and topical in the media.
http://www.lulu.com/content/1345238
This indicates that perhaps independent groups and individuals are behind these incidents. The
motive is defending the national honour and protecting the government, this is quite normal for
Chinese citizens but can be hard to grasp for the average Westerner who sees the most common
motivation for Criminal Hackers as the pursuit of wealth.
While their appears to be motivation and some circumstantial evidence for the attacks to have been
orchestrated by the chinese government it must be remembered that Cyber Warfare can be played in
the shadows. It would be a simple matter for any well resourced organization or government
anywhere on the planet to be using hacked servers in China to launch these attacks thereby
implicating the Chinese in these attacks. Perhaps it is the CIA launching the attacks in a bid to
secure greater cyber warfare funding for the Pentagon.
ironcove.net – open source security solutions

8. The Chinese are making a splash on the internet
Additional information related to growing Chinese influence on the internet and some of the current
events in the media can be found in the following articiles.
Denial of service launched against CNN for coverage of Tibet violence
http://edition.cnn.com/2008/TECH/04/18/cnn.websites/index.html
China Blocks YouTube during Tibetan Unreset
http://www.hackinthebox.org/url.php?url=26133
http://www.theregister.co.uk/2008/03/17/youtube_china/
FBI looks at Chinese role in Darfur site hack
In other related news an NGO that has been critical of Chinese influence in Darfur has been
attacked including web and email services.
The U.S. Federal Bureau of Investigation is looking into a possible China connection in the
hack of a nonprofit group created to draw attention to the ongoing genocide in western
Sudan's Darfur region.
The Save Darfur Coalition called in the FBI earlier this week after discovering that someone
had gained unauthorized access to its e­mail and Web server, according to Allyn Brooks­
LaSure, a spokesman with the group.
http://computerworld.com/action/article.do?
command=viewArticleBasic&taxonomyName=security&articleId=9070778&taxonomyId=17&intsrc=kc_top
Angry Chinese Bloggers making waves
Chinese Communist Party commentators are being recruited by various Communist state agencies
in attempt to put positive Chinese spin on important political issues. They are reportedly paid half a
yuan (US$0.06) per message they write.
http://en.epochtimes.com/news/6­11­10/47995.html
Previous attacks against Falun Gong and other independence groups in China
The following link is a presentation by Maarten Van Horenbeeck who has put together the following
presentation on attacks against Falun Gong and other groups independence groups within China.
Maarten works with the Sans Institute and has also reported on attacks against Tibetan Groups.
http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf
http://isc.sans.org/diary.html?storyid=4176
http://isc.sans.org/diary.html?storyid=4177
ironcove.net – open source security solutions

9. Conclusion
There is no conclusive evidence that there is direct Chinese government involvement in these attacks
or even that Chinese nationalist hackers are behind the incidents.
However definitive conclusions can be drawn as to the motivation and highly targeted nature of the
attacks. It is clear that human rights workers are under attack, both in the pro­Tibetan cause and
other organizations.
With awareness that groups and individuals working for human rights and freedom are under attack
more secure measures can be implemented. An easy option for securing desktops against such
attacks is putting Ubuntu Linux on desktops in computer centres and offices.
ironcove.net – open source security solutions

10. Appendix A
What follows is some information on various Open Source projects that could help your
organization stay secure in a hostile internet environment.
Use of the following software would have eliminated the threat of all the malware based attacks
covered within this paper.
Ubuntu Linux
The worlds fastest growing Desktop Operating System. Ideal for the Desktop or Server Ubuntu
Linux is a drop in replacement for Microsoft Windows. Free yourself from the grip of the Microsoft
Corporation. Ubuntu Linux is secure, stable and user friendly.
Question: Isn't Linux for Hard Core geeks?
He (Mark Shuttleworth) said the French police force was currently deploying 50,000
Ubuntu­powered machines, while Spanish education authorities were rolling out 500,000
desktops with the OS.
http://news.bbc.co.uk/1/hi/technology/7358483.stm
A new version of Ubuntu Linux has been released named the quot;Hardy Heronquot;, go ahead and give it a
go you will be pleasantly suprised. Note that there are options for testing Ubuntu that does not
involve reloading the Operating System. You can run it straight off the live cd without affecting your
Windows environment at all or the new Ubuntu has an option to install it within Windows.
http://www.ubuntu.com
Open Office
Leading office suite similar in many ways to Microsoft Office, the
difference being this is free, open and does not carry the same history of security problems that
Microsoft Office does. It comes preinstalled in most Linux systems or can be downloaded and
installed in Windows.
http://www.openoffice.org
Firefox
Powerful web browser without the malware. Internet explorer is a favorite target
of malware writers and spyware infections. Using the open and free Firefox will save you time
through its stability and security.
http://www.mozilla.org
I have barely scratched the surface with these examples, one of the great things about a Linux
operating system is the hundreds of free software programs and tools that you can easily install and
use for free.
ironcove.net – open source security solutions