Mainland authorities are detaining individuals for perceived crimes
committed online. But how do they access such incriminating
information?
Paul Mooney, South China Morning Post, Sep 26, 2010
When Norzin Wangmo used her computer and mobile phone two years ago to
communicate with friends about protests in Tibet, she had no idea it
would result in her torture and a five-year prison sentence.
Detained soon after sending the messages, the 30-year-old Tibetan government
worker and writer was accused by officials of using the technology to
inform the outside world about civil unrest in Tibet.
After months in detention, during which her friends said she was
tortured, the five-year prison term was handed down. Few other details
about Norzin Wangmo, who leaves behind a young son, are known.
No one is sure how Chinese intelligence obtained the details of her
communications. But the story is a frightening example of the dark
side of internet espionage on the mainland, where people perceived to
be a threat to the state are targeted, including ordinary Chinese
citizens, scholars, human-rights workers, journalists, diplomats and
businesspeople.
Many security experts who study China believe the
government is being fed information by a loose and shadowy network
that includes the hacker community, organised crime and other parts of
government, including security agencies and the People's Liberation
Army (PLA).
"The sheer amount of energy and resources the Chinese government has
thrown at this is enormous," says Lhadon Tethong, director of the
Canada-based Tibet Action Institute, which helps Tibetans fight for
rights, primarily through the safe exchange of information, using
sophisticated technology.
Many victims of internet espionage are quick to point a finger at the
central government.
"Who else would attack us?" asks Chine Chan, a
researcher for Amnesty International Hong Kong. "It doesn't make sense
unless it's the government."
Security experts, however, are careful to explain that no smoking gun
has yet been found linking the hacking and the use of malware -
malicious software designed to secretly access a computer system - to
Beijing.
Greg Walton, an independent cyber security researcher based in
Britain, believes the attacks are the work of groups of players. He
points to Chongqing, where there is a concentration of internet
espionage control and command centres, as an example.
"Chongqing is interesting in that it's like a nexus of organised
crime, the party, a big computer-hacking scene and all sorts of PLA
installations," he says. "It's a combination of many forces that do
these attacks. It's not a secret that the data is ending up with the
state. Any other explanation is improbable."
Experts say the spying is highly organised and professional, with some
hackers working in shifts, even making note of when targets are having
lunch or taking breaks.
It is also likely that many hackers are working independently and some
targets are being compromised by more than one malware group, says
Nart Villeneuve, a researcher at the Information Warfare Monitor
(IWM), whose members include the Citizen Lab, Munk School of Global
Affairs, the University of Toronto and the SecDev Group, a security
consultancy based in Canada.
Walton says patriotic hackers are probably selling information to the
government, providing it with "another layer of deniability".
Since last year, IWM has published two reports on cyber-espionage
networks: "Tracking GhostNet: Investigating a Cyber Espionage Network"
and "Shadows in the Cloud: An investigation into cyber espionage 2.0."
GhostNet is the name investigators have given to a network of more
than 1,200 compromised computers in 103 countries, including foreign
affairs ministries, embassies, international organisations, news
organisations and a computer in the headquarters of Nato. The
network's command and control centre appears to be on Hainan Island,
home of the Lingshui signals intelligence facility and the Third
Department of the PLA.
In September and October 2008, IWM investigated alleged cyber
espionage on the computer systems in various offices related to the
work of the Tibet government in exile and other Tibetan groups. These
included the Office of His Holiness the Dalai Lama, in Dharamsala,
India, organisations in the United States, Britain, France, Belgium
and Switzerland, and the office of Drewla, an NGO which runs an online
outreach project that uses young Chinese-speaking Tibetans to talk
with people in the mainland about the situation in Tibet.
The GhostNet report said some 70 per cent of the control servers
behind the attacks on Tibetan organisations were located on IP
addresses assigned to the mainland.
During an investigation at the
Dalai Lama's private office, Walton observed as documents were being
pilfered from the computer network, including a file containing
thousands of e-mail addresses and another detailing the negotiating
position of the spiritual leader's envoy.
During the investigation into the so-called Shadow Network,
investigators were able to obtain data taken by the attackers,
including some 1,500 letters sent from the Dalai Lama's office between
January and November last year. While the report said many of the
letters did not contain sensitive information, it added that they
allowed the attackers to collect information on anyone contacting the
exiled spiritual leader's office.
The team traced the attacks to hackers apparently in Chengdu, which is
also the location of one of the PLA's technical reconnaissance bureaus
charged with signals intelligence collection. Researchers said one
hacker, who used the cyber name "lost33", had attended the University
of Electronic Science and Technology of China, which publishes manuals
on hacking and offers courses on network attack and defence security.
The authors said an anomaly was detected when analysing traffic from
the offices of the Tibet government in exile: computers in Dharamsala
were checking in with a command and control server situated in
Chongqing. Despite Chongqing Communist Party chief Bo Xilai's
high-profile anti-corruption campaign, the city still has a high
concentration of gangs said to have ties to the government and which
have extended their traditional criminal activities to include cyber
crime.
While Walton admits no direct link to the central government has been
detected, he does not seem to have any doubts about who is behind the
attacks.
"Some people shy away from saying it's the state," he says, "but
there's a growing body of evidence. My own feeling is that sooner or
later someone will be able to prove it."
The "Shadows in the Cloud" report, which Walton contributed to, points
to the existence of a vibrant hacker community in the mainland "that
has been tied to targeted attacks in the past and has been linked,
through informal channels, to elements of the Chinese state, although
the nature and extent of the connections remains unclear".
The authors allude to a "privateering" model in which the government
authorises citizens to carry out attacks against "enemies of the
state". However, the report referred to research by Scott Henderson,
author of The Dark Visitor: Inside the World of Chinese Hackers.
Henderson wrote that there was disagreement about the exact
relationship between hackers and the state, running from "authorise"
to "tacit consent" to "tolerate".
The most plausible explanation, the
report said, and the one supported by the evidence, is that the Shadow
Network is based in the mainland and run by one or more people with
close ties to the country's criminal underworld.
The report concluded: "As a result, information that is independently
obtained by the Chinese hacker community is likely to find its way to
elements within the Chinese state."
Lhadon Tethong says security
experts she's spoken to consider the cyber war "a lost game" but that
she takes a different approach - trying to remain one step ahead of
the mainland authorities.
"We're looking at new technologies that haven't come out yet and how
they can be used in Tibet," she says. "The Chinese government can
control your BlackBerry or laptop, but let's look beyond that, at
iPads and Android technology [a mobile-phone operating system
developed by Google]. You cannot stop it. The force is just too
strong.
"We worked with young and innovative technical experts and geeks from
the beginning," she says. "The optimistic part is that the advances in
communications technology are happening so quick that the Chinese
bureaucracy can't keep up. Saying you can't do this or that because
they're too good is just not true."
She cites the microblogging service Twitter, which the authorities
managed to block. Before that, Tibetan activists had found it a useful
tool for getting their message across both within and outside the
mainland.
"You can block one site and another will pop up, and it won't take
long before people find it," she says. "You can try to control it but
there's no way to stop it and I think they know that."
Chan agrees. "The trend can't go back. It's important to learn how to
get around [the controls]. If civil society grows faster than the
government controls, then you win."
Meanwhile, the attacks are
increasing in number and in sophistication.
On March 18, people on the mailing list of Human Rights in China
(HRIC) received an e-mail that appeared to be from director Sharon
Hom. The subject line - "Microsoft, Stool Pigeon for the Cops and FBI"
- convinced many recipients to take a look at the enclosed attachment.
Within seconds the e-mail was flying around cyberspace, with thousands
receiving it and passing it on to others.
But the e-mail was not from Hom. It was a "spear phishing" e-mail that
lured recipients to visit a compromised website in Taiwan. Those who
clicked on the link unknowingly loaded malware that allowed the
attackers to take control of their computers from a server in Jiangsu
province.
In a report on the HRIC attack, Villeneuve wrote that the malware
spread via the e-mail was traced to a command and control centre in
Jiangsu. He said the nature of the compromised entities and the data
stolen by the attackers indicated correlations with the mainland's
strategic interests. But he concluded that "we were unable to
determine any direct connection between these attackers and elements
of the Chinese state".
Earlier this year, a foreign journalist was conducting a text
conversation on Skype with Tsering Woeser, a Beijing-based Tibetan
poet and commentator, when the journalist received an article over the
internet service. When the suspicious reporter called Tsering Woeser
to ask about the file, she was not even home. Someone had hijacked her
account and started conversations with 30 of her Skype friends,
several of them journalists. They even imitated the way the poet
spoke. Some were tricked into downloading malware. This was the second
hijacking of her Skype account in two years.
Most cyber attacks rely on a tactic known as "social engineering",
manipulating people to get them to provide computer access through
trickery, rather than technical hacking.
"At the root it's not
technology," Walton says. "The deeper the penetration, the more
intelligence they can feed into a social engineering attack. If I look
at your computer, I can draft e-mails that you will trust more and
more."
Robbie Barnett, director of the Modern Tibet Studies programme at
Columbia University, in the United States, says the attackers are
getting increasingly sophisticated in their use of social engineering.
They use the names of people you know, refer to an incident over the
past 48 hours, often with a provocative subject, and may even have the
actual sender's real e-mail address. He says no one can be 100 per
cent safe, no matter what precautions are taken.
"Eventually, they hit a bull's eye," Barnett says, "They send you a
letter from a Tibetan who's just written to you and could easily be
sending something to you. Even if you've been careful for years, you
could fall for it."
Typically the target receives an e-mail appearing to be from an
acquaintance. Often it mentions some sensational detail that lures the
victim into opening a file or visiting a website that opens a
backdoor, where malware can be planted.
Control is often maintained through the use of the Chinese Gh0st RAT
(remote access tool). These trojans enable nearly unrestricted access
to the infected system. The attacker can then carry out surveillance
of the attacked computer, pilfer files and e-mails and send data to
other computers, and use the infected computer as a platform to launch
future attacks against computers around the world.
"It's all part of a trend that I've been watching for a decade," says
Walton, "pushing surveillance of the population from the network to
the desktop.
"Everything you can do, they can do - it's like they're sitting in
front of your computer. They can turn on the webcam, the microphone
and access documents. Someone is staring back at you through your
webcam. It's Orwellian."
While much of the activity seems focused on gathering intelligence and
disruption of operations, in some cases the attacks are more
dangerous. In July, the website of Chinese Human Rights Defenders was
shut down several times by distributed denial of service (DDoS) attacks. In
April, the Foreign Correspondents' Club of China was forced to take
its website offline temporarily after being repeatedly hit by DDoS
attacks.
In January, Google announced it had found "a highly sophisticated and
targeted attack on our corporate infrastructure originating from China
that resulted in the theft of intellectual property". The attack was
said to have targeted the Google e-mail accounts of Chinese
human-rights activists.
Journalists have also become a target. In April, Andrew Jacobs,
Beijing correspondent for The New York Times, wrote an article
detailing how his computer had been hacked and e-mails redirected to
an unknown address. Jacobs said scores of foreign reporters in the
mainland had experienced similar intrusions.
Last September, several foreign news bureaus in Beijing began
receiving e-mails from "Pam", who said she was an economics editor.
The e-mails, which were in well-written English and included a list of
genuine contact names, detailed a proposed reporting trip. However,
when the attached PDF was opened it unleashed malware.
Walton and Villeneuve, who studied the virus, said in a report that
the file appeared to be a legitimate document that had been stolen
from a compromised computer, which was then modified to include
malware and serve as a lure. While they said the malware could not be
traced back to the central government, the recipients were Chinese
news assistants, whose e-mail addresses were not widely known to the
public, but were to the Ministry of Foreign Affairs.
Richard Baum, moderator of Chinapol, an online community of more than
900 China watchers, including journalists, lawyers and analysts, says
the group has suffered "a certain amount of leakage" of membership
lists and e-mail traffic. Members have also received phishing e-mails.
Recently, an e-mail was sent to some members purporting to be the new
member e-mail list, which had a malware attachment.
Walton says data was being sent back to a computer in Chongqing within
30 seconds of the malware being accepted.
In the HRIC incident, a member of Chinapol sent the e-mail to all its
members, some of whom in turn passed it on to their acquaintances.
What's troubling is anti-virus software used by the general public is
not always effective in catching these viruses. In the case of the
HRIC attack, there was very low anti-virus cover, with only eight out
of 42 anti-virus products detecting the file as malware, the
investigation found. In the case of the news assistants who downloaded
malware, only three of 41 anti-virus products used by VirusTotal, a
service that analyses suspicious files and URLs, detected the
malicious code embedded in the PDF file.
Fake e-mails also create confusion. A human-rights activist in Hong
Kong tells of an e-mail sent out in her name revealing certain
information only known to people she worked closely with.
"This is their way of saying, `We know who you are and what you're
doing', to make you feel scared," she says. "Even if people know the
e-mail is not from me, the damage is already done. The next time
they'll ask if it's really from me."
HRIC's Hom says: "This is seriously raising security issues for us. It
makes every NGO, every journalist, every contact ask if they get an
e-mail from me if it's real. As a small NGO we don't have the
resources, technical expertise and capacity to guard ourselves against
such high-level attacks. It makes it very difficult for us to do our
work.
"How can any organisation, company or government function if
communication with other persons or organisations runs the risk of a
malware attack that undermines the trust in the organisation? The
biggest impact on us is we have to be extremely careful not to
compromise the security of the people we're dealing with."
One example of this, from the GhostNet report, is that of a young
Tibetan woman who was returning to her village after having worked for
two years in India. She was stopped at the Nepal-Tibet border by
Chinese intelligence officers. The woman was taken to a detention
centre, where she was interrogated about her connection with Drewla.
She insisted she had gone to India just to study, denying any
political involvement, but her claims were waved away. The officers
then pulled out a dossier on her activities in India, including
transcripts of her online chats about Tibet. She was held for two
months and then allowed to return to her village.
As a result, many activists are now reluctant to send information over
the internet and even delete e-mails from people they don't know or
that look suspicious. The result is less information is getting
through to the people who need it.
"It's caused a lot of problems for me," says Tsering Woeser, who is
often under police surveillance. "First, because of my situation, I
can only contact my friends through Skype and e-mail, and now some
Tibetan friends are afraid to contact me. I'm getting much less
information than before. It's a huge interference."
Tsering Woeser says her internet activities are constantly probed. In
a recent incident, she received an e-card from dissident writer Yu
Jie, which turned out to be a spear-phishing lure. She says that at least
once a month a person pretending to be a Tibetan attempts to make
contact with her online.
"But what I worry about most is that the people who are in contact
with me may get into trouble and I won't even know about it," she
says.
Barnett also depends on sources to provide him with news from tightly
controlled Tibetan areas. He says he, too, is now receiving far less
information than in previous years. "The deterrent effect on people
sending information is very effective," he says. "This is having a
massive effect on the limitation of outsiders finding out what's
happening in China. A lot of it works by fear, intimidation and
self-censorship. People are worried about interception."
Barnett says
this climate of surveillance suggests to anyone considering sending
information "that they should think twice".
The culture of security in China, he says, means the government only
has to go after a few people to have a deterrent effect.
"You only have to pick up three people for passing on information and
that will deter hundreds of thousands of others," he says. "The system
may now be more powerful than us."
Walton says there has been a clear increase in the number of incidents
this year, although he cautions that this may be due to the fact
people are more on the lookout for these things.
"There's more awareness and people are suspicious of links and
e-mails," he says. "In terms of forward trends, I see a continuous
escalation of these attacks. People are being compromised every day
and I'm getting examples on a daily basis."
Experts say that if Beijing is not responsible for the attacks, it has
a responsibility to shut down hackers working within its borders.
"I have never and still don't make the claim that it was the
government," Hom says. "But if China insists on internet sovereignty
and sovereignty over its territory, it has to take responsibility for
these kinds of cyber attacks. It has to show the international
community that it has taken steps to investigate, track down and end
these attacks."
http://ow.ly/2JYDe