Four-year study concludes Chinese government backs hacking against civil rights groups
Tue 11 Nov 2014
A new report from Citizen Lab details the persistence and doggedness employed by Chinese hacking entities to disrupt Civil Society Organisations, including human rights groups, activists and journalists. The conclusions [PDF] centre on a new four-year survey in which researchers cooperated with ten CSOs, mainly concerned with Chinese rights, monitoring their networks and analysing malware and attack vectors.
Ron Deibert, director of Citizen Lab said: “There’s no doubt about it. This is something that is, if not carefully orchestrated by the government of China, is certainly tolerated by them and they benefit from it,”
The groups under study were not specifically identified, but include five human rights organisations based in Tibet, two human rights organisations reporting on Chinese rights issues, a news organisation which reports on issues of Chinese human rights, and two other groups focusing on multiple human rights issues in various countries.
Three of the groups under study are based in the under-resourced north Indian city of Dharamsala, the home of the Dalai Lama. Situated near the Himalayas, Dharamsala is a locus for pro-Tibetan activity, and hosts an unusual number of media groups and NGOs. According to the report, the city is inordinately targeted by malware campaigns, and the recipients of this attention are inadequately equipped to repel it, as many of the organisations in question are manned by rolling and transient volunteers, leaving long-term project management a problem.
The survey analysed mails flagged by the organisations as suspicious over a 48-month period, and installed Network Intrusion Detection (NID) software in seven of the ten study groups. It also monitored the organisations’ websites for watering-hole vulnerability, using the public tools Cyberspark and URL Query. Additionally it held a series of ad hoc interviews, usually with senior management among the larger organisations (+100 employees) studied.
Cluster analysis reveals rising patterns of attack, and a sophisticated and methodical campaign which has adapted to changes in the platforms used by the organisations, and to the organisations’ efforts to educate its staff and defend itself.
The study analysed Common Vulnerabilities and Exposures (CVEs) across the groups, and concluded that the most common attack vector was an exploit in the way that Microsoft Word handles Rich Text Format (RTF) documents. These patterns have been seen before in attacks upon Tibetan-based/friendly organisations.
Only one zero-day exploit was identified throughout the four years, the Flash vulnerability CVE-2012-5054.
The researchers found that virus detection rates for the anti-virus solution VirusTotal were disappointing, with 86% of the submitted samples yielding a detection rate below 50%. The report concludes “These results suggest that simply running AV software, although potentially helpful, is not a very effective defence against these attacks.”
Beyond the confines of China, Canada is also highly targeted by attacks from China-based IP addresses. Last month the international human rights organisation Lawyers Without Borders revealed that it is systematically being hacked from a Chinese location, even though it had no ongoing cases in China. In 2013 Canada’s National Research Council asserted that a “highly sophisticated Chinese state-sponsored actor” was behind break-ins to its own security systems.