A targeted campaign of attacks against Tibetan organisations has taken place over the past months. This paper covers some of the attacks and the media coverage. While the attacks appear to have originated from China, whether they are supported by the Chinese leadership is open for debate.
Table of Contents

When Dragons Attack ..... 1
Introduction ..... 3
Summary of Attacks and News Links ..... 4
    Overview ..... 4
    Timeline of Tibetan targeted attacks ..... 5
        1.1 China implicated in Dalai Lama hack plot ..... 5
        1.2 Tibetan Historical Pictures emails contain malware ..... 5
        1.3 Protests in Tibet, violence follows for the next week ..... 5
        1.4 Multiple documents containing malware distributed, details released ..... 5
        1.5 Tibetan Govt in Exile website hacked ..... 6
        1.6 Fribet Trojan that steals database information ..... 6
        1.7 Olympic-themed cartoon malware spreads malware ..... 6
Is the Chinese Government involved in the attacks? ..... 7
    Arguments against ..... 7
    The Chinese are making a splash on the internet ..... 8
Conclusion ..... 9
Appendix A ..... 10
    Ubuntu Linux ..... 10
    Open Office ..... 10
    Firefox ..... 10
ironcove.net – open source security solutions
Timeline of Tibetan targeted attacks

  No.   Date             Attack
  1.1   Sept 2002        China implicated in Dalai Lama hack plot
  1.2   6 March 2008     Tibetan Historical Pictures emails contain malware
  1.3   10 March 2008    Protests in Tibet, violence follows for the next week
  1.4   21 March 2008    Multiple documents containing malware distributed, details released
  1.5   10 April 2008    Tibetan Govt. in Exile web site hacked (tibet.net)
  1.6   13 April 2008    Fribet Trojan that steals database information
  1.7   14 April 2008    Olympic-themed cartoon malware spreads malware
1.1 China implicated in Dalai Lama hack plot
As far back as 2002, administrators at the Tibetan Computer Resource Centre reported attempted
attacks in which virus-laden emails installed code that sent information and documents to servers
in China. The Centre runs Internet services for the Tibetan Government in exile in Dharamsala, India.
http://www.securityfocus.com/news/884
1.2 Tibetan Historical Pictures emails contain malware
Early in March 2008, reports emerged of a malware-laden Microsoft compiled HTML Help (.chm) attachment
that displayed historical Tibetan images as its lure. A CHM file can carry script and executable
content that runs as soon as the help file is opened, so the images are all the victim sees. The
malicious CHM was spammed out in a targeted attack against Tibetan supporters.
http://www.sophos.com/security/blog/2008/03/1136.html
http://www.avertlabs.com/research/blog/index.php/2008/03/11/socialengineeringtricksusetibettolurevictims/
1.3 Protests in Tibet, violence follows for the next week
On Monday, 10 March 2008, five hundred monks from Drepung monastery marched to Lhasa to mark the
49th anniversary of the quashed 1959 uprising against communist rule. Further protests, rioting and
violence followed over the next week.
http://www.reuters.com/article/latestCrisis/idUSSP306110
1.4 Multiple documents containing malware distributed, details released
Pro-Tibetan groups were targeted with malware-infected documents delivered as email attachments,
mailing-list posts and forum postings; some were aimed at named individuals in the Tibetan movement.
The emails were carefully crafted, with a high level of social engineering, to trick even careful
computer users into opening the attachments and becoming infected. The malware was highly customised
and was not picked up by most antivirus scanners at the time, so signature-based scanning alone was
no defence.
http://www.theregister.co.uk/2008/03/22/pro_tibetan_groups_targeted/
http://www.fsecure.com/weblog/archives/00001406.html
http://isc.sans.org/diary.html?storyid=4177
http://www.nonprofittechblog.org/protibetnonprofitundercyberattack
From the SANS Internet Storm Center diary on the same malicious documents:
"To investigate, it's necessary to find out which commands were submitted (to the trojan). So
far, we have uncovered attacks that specifically searched the file system for Word documents,
email contents and, most interestingly, PGP keyrings."
http://isc.sans.org/diary.html?storyid=4176
1.5 Tibetan Govt in Exile website hacked
The official web site of the Tibetan Government in exile was attacked and taken down. The method
of attack is unclear at this time. The site was reinstated on another domain and server.
"It is the intention of the hackers to ensure that our information do not get out," Tenzin
Takla, spokesman for the Dalai Lama, told AFP, but he declined to say whom he suspected.
Tibet.net is currently back up and running, and a message on the site states that the alternate
domain that was created (www.tibetgov.net) will serve as a backup in case of future problems.
http://www.phayul.com/news/article.aspx?article=Website+of+the+Exile+Tibetan+Government+Hacked&id=20608
1.6 Fribet Trojan that steals database information
Researchers discovered that this trojan had been planted on hacked pro-Tibet websites so that
visitors running unpatched Windows systems would be infected simply by browsing to the site (a
drive-by download). The unusual aspect of this trojan is that it attempts to connect to databases
on the local network and steal the information held in them, which for a campaigning organisation
means supporter and donor records.
http://www.theregister.co.uk/2008/04/14/database_trojan/
http://www.avertlabs.com/research/blog/index.php/2008/04/10/friebetattackingyourbackenddatabasefromyourbackyard/
"These websites appear to have been specifically targeted as this is not a generic Trojan
downloader. Someone or some group has gone to great trouble to rewrite the exploit and
personalise it to the FreeTibet.org and SaveTibet.org websites," Parker said.
http://www.webuser.co.uk/news/226512.html
1.7 Olympic-themed cartoon malware spreads malware
A multimedia cartoon file that ridiculed the performance of a Chinese gymnast at the Games was aimed
at the pro-Tibetan internet community. The intent was a trojan that recipients would forward to one
another, infecting members of the Tibetan community and its supporters as it spread.
"While the Flash-based movie runs, a keystroke logging tool is silently installed on the
victim's Windows PC. The malware is hidden by rootkit functionality, making it harder to
detect and remove.
The malicious cartoon is distributed as an email attachment called "RaceForTibet.exe". Data
captured by the keystroke logger is sent to a computer in China. As usual, the threat affects
Windows PCs only."
http://www.theregister.co.uk/2008/04/15/pro_tibet_trojan/
http://www.avertlabs.com/research/blog/index.php/2008/04/14/ismalwarewritingthenextolympicevent
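The lures in 1.2, 1.4 and 1.7 all arrived as email attachments that signature-based antivirus missed, so the practical control at a Tibetan NGO is a mail gateway that judges an attachment by what it actually is, not by whether a signature matches. The script below is an added example written for this page, not ironcove's code or any vendor's product. The message it parses is constructed, the attachment bodies are dummies carrying only the leading magic bytes of each format, and the block and review lists are assumptions a site would tune.

```python
"""Mail-gateway attachment triage for the lure types discussed above.

Added example, not ironcove's code.  It parses a constructed message that
mimics the campaign's lures (a CHM "historical pictures" file, a Word
document, an .exe cartoon, and an executable renamed to look like a photo)
and decides per attachment whether to block, hold for review, or allow,
using the declared extension and the file's real magic bytes.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Leading bytes of the container formats the campaign used.
MAGIC = {
    b"ITSF": "chm",               # Microsoft Compiled HTML Help
    b"MZ": "pe",                  # Windows executable (EXE, SCR, DLL)
    b"\xd0\xcf\x11\xe0": "ole2",  # legacy .doc/.xls/.ppt container
    b"FWS": "swf",                # Shockwave Flash, uncompressed
    b"CWS": "swf",                # Shockwave Flash, zlib-compressed
}

# Assumed policy: extensions never delivered to an activist's mailbox ...
BLOCK_EXT = {"chm", "exe", "scr", "pif", "com", "bat", "cmd", "hta", "vbs", "js"}
# ... extensions under which executable content is at least honestly labelled ...
EXEC_EXT = {"exe", "scr", "pif", "com", "dll"}
# ... and content types held for sandbox detonation rather than banned outright.
REVIEW_TYPES = {"ole2", "swf"}


def sniff(data: bytes) -> str:
    """Identify the real file type from its leading bytes."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: block, review or allow."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    kind = sniff(data)
    reasons = []
    if ext in BLOCK_EXT:
        reasons.append(f"extension .{ext} is on the block list")
    if kind == "pe" and ext not in EXEC_EXT:
        reasons.append("executable content hiding behind a harmless-looking name")
    if kind == "chm":
        reasons.append("compiled HTML help file can run code on open")
    if reasons:
        verdict = "block"
    elif kind in REVIEW_TYPES:
        verdict = "review"
        reasons.append(f"{kind} content: detonate in a sandbox before release")
    else:
        verdict = "allow"
    return {
        "filename": filename,
        "type": kind,
        "sha256": hashlib.sha256(data).hexdigest(),  # hash for indicator sharing
        "verdict": verdict,
        "reasons": reasons,
    }


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        triage_attachment(part.get_filename(), part.get_payload(decode=True))
        for part in msg.iter_attachments()
    ]


def build_sample_message() -> bytes:
    """Constructed lure modelled on 1.2, 1.4 and 1.7; bodies are dummies."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "office@example.net"
    msg["Subject"] = "Historical pictures of Tibet"
    msg.set_content("Please see the attached pictures and the cartoon.")
    filler = b"\x00" * 60  # padding standing in for real file contents
    msg.add_attachment(b"ITSF" + filler, maintype="application",
                       subtype="octet-stream", filename="tibet_pictures.chm")
    msg.add_attachment(b"\xd0\xcf\x11\xe0" + filler, maintype="application",
                       subtype="msword", filename="press_release.doc")
    msg.add_attachment(b"MZ" + filler, maintype="application",
                       subtype="octet-stream", filename="RaceForTibet.exe")
    msg.add_attachment(b"MZ" + filler, maintype="image", subtype="jpeg",
                       filename="lhasa.jpg")  # executable renamed as a photo
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage_message(build_sample_message()):
        print(f"{result['verdict']:6} {result['filename']:20} {result['type']:7} "
              + "; ".join(result["reasons"]))
```

Run stand-alone, the script blocks the CHM, both executables (including the one renamed to .jpg, because the magic bytes say PE regardless of the name) and holds the Word document for sandboxing. The point is the order of checks: the file's own header is consulted before the name it arrived under, which is exactly the distinction a social-engineered attachment is designed to blur.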
Is the Chinese Government involved in the attacks?
So was it the Chinese Government? This is the question everyone wants answered, and no one can
really say definitively. It is well known that China has been developing a comprehensive cyber
warfare capability. It certainly has the resources and the expertise: an article in the Taipei
Times of 26 June 2002 put the number of Chinese hackers at 300,000. We can only presume that the
government would, at the very least, have agents and/or assets within the hacker community that it
can call on when required.
"The Trojans and other malicious software used in the Tibet attacks are similar to those used
in attacks against the unclassified computer networks of U.S. defense contractors, the
Department of Energy's nuclear labs and other sensitive government agencies, but experts
caution against reading too much into this, saying that the software is easily available on
hacker Web sites."
http://www.upi.com/International_Security/Emerging_Threats/Analysis/2008/03/24/analysis_cyberattacks_on_tibet_groups/9260/
http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
Arguments against
Comprehensive information on the Chinese hacker scene can be found in the book "The Dark
Visitor". The book is well researched and provides a thorough analysis of the Chinese hacker scene
over the past 12 years. Ongoing political hacking from China is documented and referenced,
including attacks against government and corporate systems in Indonesia, Korea, Japan and the
United States. It draws a clear line to the fact that the majority of known Chinese hacking groups
are strongly nationalistic and seemingly launch attacks at will against anyone who appears
anti-Chinese and is topical in the media.
http://www.lulu.com/content/1345238
This suggests that independent groups and individuals may well be behind these incidents. Their
motive is defending national honour and the government, which is commonplace among Chinese
nationalist hackers but can be hard to grasp for the average Westerner, who sees the pursuit of
wealth as the most common motivation of criminal hackers.
While there appears to be motive and some circumstantial evidence for the attacks to have been
orchestrated by the Chinese government, it must be remembered that cyber warfare is played in the
shadows. A command-and-control server in China shows only where the last hop sat, not who sat
behind it. It would be a simple matter for any well-resourced organisation or government anywhere
on the planet to launch these attacks through hacked servers in China, thereby implicating the
Chinese. Perhaps it is even the CIA launching the attacks in a bid to secure greater cyber-warfare
funding for the Pentagon.