Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches

Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches
Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Ryan Singel

SAN FRANCISCO -- Computer intruders targeting pro-Tibetan groups, U.S. 
defense contractors and government agencies slipped in through 
previously unknown security holes in Microsoft Office, prompting 
Microsoft to issue a flurry of patches to the popular software suite in 
2006 and 2007, according to computer security experts.

These attacks, which appeared to have originated in China, began in 
early 2006 when the attackers started sending e-mails to victims with 
booby-trapped Word documents and Excel spreadsheets attached.

"We are seeing more and more spying done with Trojans, a shift that has 
happened in the last two years," Mikko Hypp=C3=B6nen, the chief research 
officer for software security vendor F-Secure, told RSA conference 
attendees Thursday morning.

The Pentagon and pro-Tibet groups have previously acknowledged the 
intrusions, but Hypp=C3=B6nen is the first to link the cyber espionage to a 
series of patches that Microsoft pushed out without explanation. 
Microsoft did not immediately reply to a request for comment.

Hypp=C3=B6nen's colleague Patrik Runald notes that from 2005 through early 
2006, Microsoft issued few patches for its Office suite. But soon after 
there was an explosion of patches for critical bugs that could be used 
to infect a computer, including a record 26 patches in October, 2006, 
that fixed four critical bugs in Microsoft Office applications.

Those fixes, Runald says, appeared contemporaneously with the rise of 
targeted attacks on defense companies, nonprofits and government 
agencies. "They now have an incentive to begin looking for bugs and 
exploiting them," Runald said. "Bad guys are finding these things fast."

The attackers relied on e-mails tempting the victim to open the 
attachments, in some cases by presenting them as r=C3=A9sum=C3=A9s from job 

But when the target opened the attachment, the application would usually 
crash, while the embedded code covertly installed a keylogger and 
data-stealing software that scooped up documents anywhere on the 
organization's network to which the user had access.

The malware then forwards the stolen information to services called DNS 
bouncers in China, such as, that attackers can use to obfuscate 
and rapidly change where stolen documents or passwords are sent. 
Finally, the code opens up what looks to be a legitimate document, in 
the hopes that the target won't know his or her computer was just 

The espionage was highly successful, according to Hypp=C3=B6nen. One 
multi-billion-dollar defense contractor who went to F-Secure for help 
found that a single compromised Windows box had been secretly siphoning 
information to a server in mainland China for 18 months.

"Most attacks go unnoticed and targets don't know they are hit," 
Hypp=C3=B6nen said.

Hypp=C3=B6nen won't declare that the espionage is the work of the Chinese 
government or hackers loyal to it, though all the evidence points that 

"Is it the Chinese?," Hypp=C3=B6nen asked. "It sure looks like it but it 
could be a smokescreen. We don't know."

Warnings about targeted attacks are not new, but the increase in 
espionage against government and nonprofit groups is alarming to 
experts. In the past, security researchers more often dealt with 
financially motivated hackers who are after insider trading information, 
trade secrets or even early copies of movies that could be turned into 
pirate DVDs before its theatrical release.

"We now have to deal with the criminal doing it for money, and the spies 
doing it for information," Hypp=C3=B6nen said.

Though Microsoft's patches have shored up security in the Office suite, 
the attacks continue. A more recent spate of intrusions at government 
agencies and pro-Tibet and Taiwanese groups have resorted to older, 
known vulnerabilities. The attackers are using the classic hacking 
technique of reverse-engineering Microsoft security updates to discover 
the holes they patch.

Since large organizations can take weeks or months to update all of 
their machines, the updates provide intruders with a window of 
opportunity, Runald said.

Such attacks against pro-Tibet groups spiked in recent weeks following 
the riots in Tibet. On March 17, attackers sent a file purporting to be 
a statement from the United Nations to a pro-Tibet mailing list. Once 
opened, the document attempted to install malware that steals PGP 
encryption keys, as part of an attempt to compromise tools used to keep 
communications secure, according to Hypp=C3=B6nen.

Like the 2006 and 2007 attacks, the newer intrusions appear to be the 
work of a single group of hackers: The attack files used on one target 
are sometimes used within weeks on another. "The files have the same 
hash," Hypp=C3=B6nen said. It almost a given it is the same attacker."

The cyberspies also do a lot more homework than your run-of-the-mill 
online criminal, who tries to steal PayPal accounts by sending out 
millions of e-mails, with no idea whether the recipients actually use 
the online payment service.

By contrast, the stealthy attackers will try to test their exploits 
ahead of time by calling the company to quiz a secretary on what kind of 
anti-virus software the organization uses, claiming, for example, that 
an e-mail he sent to the company keeps bouncing.

The spies also forge e-mail headers to fool a recipient into thinking a 
file comes from a co-worker or trusted source. They may even go so far 
to figure out who a C-level executive plans to meet with, in order to 
send a very convincing e-mail.

For protection, Hypp=C3=B6nen suggested that companies use F-Secure's free 
root-kit detection tool, called BlackLight, install security patches 
rapidly, employ layers of security from different vendors, and monitor 
internet traffic headed to "funky hosts."

Adobe's Acrobat has also been targeted, and Hypp=C3=B6nen recommended that 
people use an alternative PDF reader. He also noted that OpenOffice, an 
open source alternative to Microsoft Office, has not been targeted.

It is also possible for users to notice when they get infected, since 
exploits usually crash Microsoft Word or Adobe Acrobat Reader before 
relaunching the application with a real file. That leads to a quick 
screen flash, and sometimes ends up putting the name of the exploit file 
in Word's recovered document's pane.

While one might expect banks to be targeted with these kinds of 
exploits, Hypp=C3=B6nen says he hasn't seen a single one, calling that a clue 
to the motivations of these attackers.

Runald says the message is clear.

"The enemy is changing," he said. "Now we are also fighting spies."

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods