Operation Luckycat Targets Tibet, Japan and India

Monday, April 02, 2012

Pierluigi Paganini


(Translated from the original Italian)

Recently several targeted attacks against Tibetan activist organizations including the International Campaign for Tibet and the Central Tibet Administration have been detected.

Suspicion immediately focused on China and on groups of hackers sponsored by the Beijing government; on more than one occasion we have seen how the Chinese government promotes and supports this type of initiative.

The experts at AlienVault Lab have hypothesized that the group of Chinese hackers was the same as those responsible for the attacks against chemical and defense companies late last year in an operation named 'Nitro'.

The attacks followed a well-tested scheme, starting with a spear phishing campaign that uses a malicious Microsoft Office file to exploit a known vulnerability in Microsoft Office.

As usual, the content of the email refers to a topic of interest to the final target, in this case the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The vulnerability exploited is a known Office stack overflow vulnerability (CVE-2010-3333).

The malware used is a variant of Gh0st RAT, a well-known remote access Trojan that gives attackers total control of the target, including the theft of documents. The intent this time was to infiltrate organizations for political reasons.

In this targeted attack, the use of free Web hosting services for the command and control servers was identified, along with five families of malware, including one called TROJ_WIMMIE. This malware exploited the Rich Text Format Stack Buffer Overflow Vulnerability (CVE-2010-3333) as well as Adobe Reader and Flash Player vulnerabilities.
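The attack chain described above begins with an RTF attachment that exploits CVE-2010-3333, which is a stack overflow in Word's handling of the RTF `pFragments` shape property (MS10-087). The following triage script is an added example written for this post, not code from Trend Micro or from the original article: it scans an attachment for the markers a defender would look for in such a document (the `pFragments` property, long hex blobs that typically carry binary payloads, and embedded OLE objects). The sample RTF inputs are constructed to trigger the heuristics and are not exploit documents; the thresholds are assumptions and should be tuned against real mail traffic.

```python
import re
from dataclasses import dataclass, field

# CVE-2010-3333 (MS10-087) is triggered through the "pFragments" shape property,
# so its presence in an RTF attachment is a strong signal worth quarantining on.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments", re.IGNORECASE)
# Binary payloads are smuggled into RTF as long uninterrupted runs of hex digits.
# The 512-character threshold is an assumed tuning value, not a standard.
HEX_RUN_RE = re.compile(rb"[0-9A-Fa-f]{512,}")
# Embedded OLE objects are another common carrier for malicious content.
OBJDATA_RE = re.compile(rb"\\objdata")


@dataclass
class RtfVerdict:
    is_rtf: bool
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_rtf(data: bytes) -> RtfVerdict:
    """Return a verdict describing why an RTF attachment looks suspicious.

    Only the canonical "{\\rtf" header is recognised here; real-world samples
    sometimes obfuscate the header, so this is a first-pass filter only.
    """
    if not data.lstrip().startswith(b"{\\rtf"):
        return RtfVerdict(is_rtf=False)
    verdict = RtfVerdict(is_rtf=True)
    if PFRAGMENTS_RE.search(data):
        verdict.findings.append("pFragments shape property (CVE-2010-3333 trigger)")
    blob = HEX_RUN_RE.search(data)
    if blob:
        verdict.findings.append(f"hex blob of {len(blob.group(0))} characters")
    if OBJDATA_RE.search(data):
        verdict.findings.append("embedded OLE object (\\objdata)")
    return verdict


# Constructed sample inputs (not real attachments). The "suspicious" one only
# carries the structural markers of a malicious RTF, not an actual exploit.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Kalachakra schedule\\par }"
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;4;"
    + b"41" * 400
    + b"}}}}}"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        verdict = triage_rtf(sample)
        print(f"{name}: suspicious={verdict.suspicious} findings={verdict.findings}")
```

In a mail gateway this check would run on every RTF or DOC attachment before delivery; a hit on the `pFragments` finding alone justifies quarantine, because legitimate documents produced by Word essentially never contain that property.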

The Chinese Government has always pursued an oppressive policy against Tibet. In April of 2008 protests erupted in some cities in Tibet and were repressed by the government in Beijing through the use of force. In recent years, numerous violations of human dignity in Tibet by the Chinese government have been documented. According to the Dalai Lama, we are witnessing cultural genocide.

Security provider Trend Micro has released a research paper that examines the relationship between attacks against the computers of Tibetan activists, companies in Japan and India, and the activities of a group of Chinese hackers.

The operations are part of the "Luckycat" cyber campaign, which began around June 2011 and consists of over 90 attacks against targets in India, Japan and Tibet.

Last week, the New York Times published an article announcing that the person responsible for the attacks had been identified: a Chinese former graduate student.

The hacker is named Gu Kaiyuan; he received government financial support for his computer security studies and is currently an employee at the Chinese portal Tencent. Kaiyuan was involved in recruiting students for his school's computer security and defense research program.

Trend Micro researchers also found that the group attacked military research institutes and aerospace, energy, engineering, and shipping companies.

"The Trend Micro researchers, led by Nart Villeneuve, traced the hacks to an e-mail address used to register one of the command and control servers the malware accessed. That e-mail address was then found to map to a Chinese instant messaging account belonging to a Chinese hacker, 'dang0102'."

A reconstruction made by Trend Micro's experts revealed that in 2005 the hacker was already operating as a recruiter:

"The same hacker also published a post on a student BBS of the Sichuan University using the nickname, “scuhkr,” in 2005," the report stated. "He wanted to recruit 2-4 students to a network attack and defense research project at the Information Security Institute of the Sichuan University then. Scuhkr also authored articles related to backdoors and shellcode in a hacking magazine that same year."

Of course, the involvement of Gu Kaiyuan doesn't prove the campaigns are officially sponsored by the Chinese government, but the choice of targets leads the experts to believe that the Beijing government is behind the attacks.

Former diplomat James A. Lewis, director at the Center for Strategic and International Studies in Washington, said of the events:

But "(t)he fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement... A private Chinese hacker may go after economic data but not a political organization."

Personally, I'm sure of the involvement of the Chinese Government, given the nature of the targets attacked and the way in which the attacks were carried out. The involvement of young hackers is now a known practice of China's aggressive cyber strategy, which has long invested in youth resources, involving them in cyber espionage and hacking activities.

To conclude on the event in question, I remark that this is just the tip of the iceberg. Similar activities are conducted daily by cyber militia in China, and young professionals in the IT sector are often involved... we could probably learn something from this approach.

Cross-posted from Security Affairs
