Other organizations might learn from recent cyber-spying events—via bogus e-mail, or spear-phishing—at Students for a Free Tibet and Save Darfur
Editor's note: This is the second article in a series on cyber espionage.
When Conall Watson resigned from the board of directors at activist group Students for a Free Tibet UK in June, 2007, someone—not a friend—was watching on the Web. The 25-year-old British pharmacist, who worked for the free-Tibet movement in his spare time, had sent a mass farewell e-mail mentioning his departure and a change in his e-mail address. "I'm stepping down from the SFT UK organizing group," part of the message, reviewed by BusinessWeek, reads.
Nine months later, Conall Watson's name—and parts of that same 2007 sayonara e-mail—returned to haunt the activist organization in the form of a stealthy cyber-attack the group believes was launched from China. On Feb. 19, Students for a Free Tibet Executive Director Lhadon Tethong and other board members found a new message in their in-boxes. The note, addressed from Conall Watson, mentioned that he planned to pass along the résumé of a potential new activist.
"Dear Alex, Ben and all other SFT friends," the message, also reviewed by BusinessWeek, reads. "What a pity I can do little for the Tibetan cause, while I know you are all still fighting bravely for it. Yesterday a Tibetan friend came to my office and asked me to recommend his nephew Rinzen Yeshe to join the SFT UK.… I will email his [résumé] very soon. Best wishes, Conall. p.s. He is a Tibetan friend of mine who I trust, so I trust his nephew."
An hour later, the résumé arrived. But suspicious SFT UK members called Watson to ask if he had sent the message. He had not. An alert was sent out, say SFT officials, and nobody opened the résumé. How did the unknown attackers learn so much about Conall Watson? "Either the message was intercepted, or it might have been an inside job," says Watson. SFT UK members have received harassing phone calls in the past, he says. "But the Internet was new."
A Sweep of Spear-Phishing
Students for a Free Tibet is just one of thousands of alleged victims of a growing wave of cyber-spying (BusinessWeek, 4/10/08).
From the U.S. government and defense contractors to big banks and high-profile activist groups, millions of similarly sophisticated e-mails loaded with malicious code are being zapped through the Internet, to penetrate PCs, steal secrets, and report back to their electronic masters. Known as 'spear-phish,' the targeted e-mails are the Web's biggest new cyber-threat.
The digital cunning that goes into spear-phishing attacks is highlighted by the mysterious missive sent in Conall Watson's name. Besides posing as Watson to send the note, the attackers built sympathy by alleging Watson felt bad for resigning ("I missed many great and important actions for the freedom of Tibet in the past few months," the e-mail reads.) And it also built trust by noting that the soon-to-be-sent résumé came from a "Tibetan friend."
"It's part of the psychological game" to persuade recipients of the malicious e-mail to open an attachment or click on a link, enabling malicious code to bypass firewalls and antivirus software, says Matthew Devost, president of Total Intelligence Solutions, a cyber-security firm. These e-mails are "the equivalent of precision-guided missiles in cyberspace," says Paul Kurtz, a former National Security Council official. "Instead of blowing something up, they're sucking data out."
China Denies Involvement
Executives working for Students for a Free Tibet allege the attackers masquerading as Conall Watson are in China. According to a report from a cyber-security specialist who examined the e-mail, the malicious code in the fake résumé phones home to a server identified as scfzf.xicp.net. That server is located at an Internet address assigned to the Jiangsu Province area served by one of China's largest state-owned Internet service providers.
The server could be based in China—or located anywhere in the world, say computer security experts. That's because Chinese PCs with Internet service from China-based ISPs could, themselves, be infected with malicious code. Then hackers in other countries could bounce attacks through the compromised China-based computers. BusinessWeek could not independently confirm the location of server scfzf.xicp.net.
China denies any involvement in or support for hacker attacks on any groups. In an e-mail response to questions from BusinessWeek, Wang Baodong, a spokesman at the Chinese Embassy in Washington, D.C., says: "The Chinese Government always opposes and forbids any cyber crimes including 'hacking' that undermine the security of computer networks." China, he says, does not hire civilian hackers to collect information or intelligence.
Bad "Seeds Sowed"
The analysis by security experts of the malicious code in the fake résumé sent to SFT UK—a file named Revzin.doc—shows that it exploits holes in older versions of Microsoft Word. Once inside a PC, the malware first contacts a server at the Web address www.windowsupdata.net. That Chinese-language Web site adds new code to the infection, the analysis says. As of mid-March, only 4 of 32 commercially available antivirus products detected the malicious code when tested by security experts.
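Because so few antivirus products caught the file, the network side is where a defender is most likely to notice an infection of this kind: the two phone-home hostnames reported above (scfzf.xicp.net for the fake résumé and www.windowsupdata.net for the second stage) can be matched against DNS query logs. The following script is an added example, not code from BusinessWeek or from any of the firms quoted in the article. Only the two hostnames come from the article; the log format and the log lines themselves are constructed for the demonstration. A match shows that an internal machine looked up the named infrastructure, which is a reason to isolate that machine, not evidence of who operates the server (the article itself notes that such hosts can be relays in a different country).

```python
"""Scan DNS query logs for lookups of the command-and-control hosts named in
the analysis of the SFT spear-phishing attachment.

Added example; not code from the BusinessWeek article or from the security
firms it quotes. The log format and sample lines are constructed; only the
two hostnames are taken from the article.
"""
import re
from typing import Dict, List

# Hostnames the article reports the malicious résumé contacting.
C2_HOSTS = {
    "scfzf.xicp.net",          # phone-home server for the fake résumé
    "www.windowsupdata.net",   # site that delivers the second-stage code
}

# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

# Constructed sample log: one legitimate look-alike (windowsupdate.microsoft.com),
# one upper-cased FQDN with a trailing dot, one subdomain of a listed host.
SAMPLE_LOG = """\
2008-03-12T09:14:02Z 10.0.0.17 query mail.example.org
2008-03-12T09:14:05Z 10.0.0.17 query scfzf.xicp.net
2008-03-12T09:14:09Z 10.0.0.17 query WWW.WINDOWSUPDATA.NET.
2008-03-12T09:15:40Z 10.0.0.23 query windowsupdate.microsoft.com
2008-03-12T09:16:01Z 10.0.0.31 query cdn.scfzf.xicp.net
not a log line
"""


def normalize(qname: str) -> str:
    """Lower-case the name and strip the trailing dot a resolver may log."""
    return qname.lower().rstrip(".")


def matches_c2(qname: str) -> bool:
    """True if the name is a listed C2 host or a subdomain of one.

    Matching on a label boundary catches attacker-controlled subdomains
    (cdn.scfzf.xicp.net) without matching unrelated names that merely contain
    the string (notscfzf.xicp.net is a different host).
    """
    name = normalize(qname)
    return any(name == host or name.endswith("." + host) for host in C2_HOSTS)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line that looks up a listed C2 host."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if matches_c2(m.group("qname")):
            hits.append({"ts": m.group("ts"),
                         "client": m.group("client"),
                         "qname": normalize(m.group("qname"))})
    return hits


def affected_clients(text: str) -> List[str]:
    """Distinct internal addresses that looked up the C2 infrastructure."""
    return sorted({h["client"] for h in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']}")
    print("hosts to isolate:", affected_clients(SAMPLE_LOG))
```

Run against real resolver logs, the same suffix match is what lets a rule keep working when the attacker rotates subdomains under a dynamic-DNS parent such as xicp.net; the trade-off is that matching the parent alone would also flag unrelated users of that service, so the rule keeps the full hostnames the analysis reported.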
The attempted spear-phish intrusion—and other attacks since February—are sparking angst among Students for a Free Tibet activists. They come at a time when tensions are near an all-time high with the Chinese government because of its recent suppression of violent protests in Lhasa, the Tibetan capital, and almost daily disruption of the Olympic torch relay as it travels the world on its way to Beijing, ahead of the Olympic Games that China hosts beginning in August.
"The saddest thing from all of this is seeing all the seeds [Chinese hackers] sowed some time ago. It is a moment of life or death," says Tethong, 32, the group's executive director. "It's just sick; they're just sick."
Other critics of China or its policies have come under attack by mysterious cyber-intruders, too. In late March, analysts from cyber-security firm Total Intelligence Solutions were called in to root out a breach of the computer network at the Save Darfur Coalition, a Washington (D.C.) advocacy group for the war-torn southern region of the African nation Sudan. Save Darfur has been a leading critic of the Chinese government's policies regarding Sudan. The activist group agreed to allow Total Intelligence Solutions to discuss the details of that intrusion with BusinessWeek.
According to Total Intel's Devost, who used to work for the Pentagon testing its computer security, hackers had accessed the Save Darfur computer system via a spear-phishing attack. "Potentially everything on the network was stolen," says Devost. Once inside, the hackers harvested e-mail addresses to send out additional spear-phishing attacks to other organizations. The malicious code embedded inside contacted a computer registered through a domain name service in the U.S. Total Intel analysts contacted the unidentified company, which agreed to shut down the master PC.
"Then, it was like my team crossed the line, and the A-team of hackers stepped in," says Total Intel's Devost. The next day, he says, more aggressive spear-phishing attacks were launched from the Save Darfur network, this time exploiting a vulnerability in PCs that had only been released days before. The hackers didn't try to cover their tracks using a U.S.-registered domain name. The malicious code, Devost says, phoned home straight to "a verified Internet address in China." The FBI, which is investigating the attack, received a detailed briefing from Total Intel analysts on Mar. 27, says Devost.
End In Sight?
Meanwhile, SFT's cyber woes do not appear to have ended. SFT's Tethong says the group was notified by cyber-security consultants around Mar. 26 that someone using an Internet address in the Chinese enclave of Macau had hacked into SFT's main e-mail server, possibly downloading everything inside. Tethong says the group does not know how the intrusion occurred, though she has been advised that her e-mail may have been intercepted and intruders may have monitored SFT's network for unencrypted messages.
"There is just so much happening that we can't keep track of it," says Tethong.